From 6b3f7864ddcdf23d891c272cb7d4537ce6c2a0df Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 09:44:03 -0700 Subject: [PATCH 001/115] rename for hello --- windows/keep-secure/TOC.md | 18 +- .../enable-phone-signin-to-pc-and-vpn.md | 2 +- .../keep-secure/hello-and-password-changes.md | 54 +++ .../hello-biometrics-in-enterprise.md | 91 ++++ .../keep-secure/hello-enable-phone-signin.md | 90 ++++ .../hello-errors-during-pin-creation.md | 239 +++++++++++ windows/keep-secure/hello-event-300.md | 54 +++ .../hello-implement-in-organization.md | 389 ++++++++++++++++++ .../hello-manage-identity-verification.md | 127 ++++++ .../hello-prepare-people-to-use.md | 116 ++++++ .../hello-why-pin-is-better-than-password.md | 76 ++++ ...microsoft-passport-in-your-organization.md | 2 +- windows/keep-secure/index.md | 4 +- ...y-verification-using-microsoft-passport.md | 2 +- ...microsoft-passport-and-password-changes.md | 2 +- ...oft-passport-errors-during-pin-creation.md | 2 +- windows/keep-secure/passport-event-300.md | 2 +- ...repare-people-to-use-microsoft-passport.md | 2 +- .../why-a-pin-is-better-than-a-password.md | 2 +- .../windows-10-enterprise-security-guides.md | 4 - .../windows-hello-in-enterprise.md | 2 +- 21 files changed, 1256 insertions(+), 24 deletions(-) create mode 100644 windows/keep-secure/hello-and-password-changes.md create mode 100644 windows/keep-secure/hello-biometrics-in-enterprise.md create mode 100644 windows/keep-secure/hello-enable-phone-signin.md create mode 100644 windows/keep-secure/hello-errors-during-pin-creation.md create mode 100644 windows/keep-secure/hello-event-300.md create mode 100644 windows/keep-secure/hello-implement-in-organization.md create mode 100644 windows/keep-secure/hello-manage-identity-verification.md create mode 100644 windows/keep-secure/hello-prepare-people-to-use.md create mode 100644 windows/keep-secure/hello-why-pin-is-better-than-password.md 
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index c43b7b759f..e05c37aaec 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -1,14 +1,14 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) -### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) -### [Windows Hello and password changes](microsoft-passport-and-password-changes.md) -### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](passport-event-300.md) -### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +## [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +### [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +### [Windows Hello and password changes](hello-and-password-changes.md) +### [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +### [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +### [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) ## [Device Guard deployment guide](device-guard-deployment-guide.md) 
diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index e3c6cbddf6..fab4f26f07 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: high +redirect_url: /hello-enable-phone-signin/ --- # Enable phone sign-in to PC or VPN diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md new file mode 100644 index 0000000000..128f1ffe29 --- /dev/null +++ b/windows/keep-secure/hello-and-password-changes.md 
@@ -0,0 +1,54 @@ +--- +title: Windows Hello and password changes (Windows 10) +description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. +ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- +# Windows Hello and password changes + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. + +## Example + +Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. +Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. + +Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. +> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md). +  +## How to update Hello after you change your password on another device + +1. 
When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** +2. Click **OK.** +3. Click **Sign-in options**. +4. Click the **Password** button. +5. Sign in with new password. +6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN. + +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +  \ No newline at end of file diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md new file mode 100644 index 0000000000..ca368e846f --- /dev/null +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md 
@@ -0,0 +1,91 @@ +--- +title: Windows Hello biometrics in the enterprise (Windows 10) +description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. +ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc +keywords: Windows Hello, enterprise biometrics +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Windows Hello biometrics in the enterprise +**Applies to:** + +- Windows 10 + +Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. + +> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. + +##How does Windows Hello work? +Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. 
+ +The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. + +## Why should I let my employees use Windows Hello? +Windows Hello provides many benefits, including: + +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. + +- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! + +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic. + +## Where is Microsoft Hello data stored? +The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. + +## Has Microsoft set any device requirements for Windows Hello? +We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: + +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. + +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. + +### Fingerprint sensor requirements +To allow fingerprint matching, you must have devices with fingerprint sensors and software. 
Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional). + +**Acceptable performance range for small to large size touch sensors** + +- False Accept Rate (FAR): <0.001 – 0.002% + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +**Acceptable performance range for swipe sensors** + +- False Accept Rate (FAR): <0.002% + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +### Facial recognition sensors +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). 
+ +- False Accept Rate (FAR): <0.001 + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +## Related topics +- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) +- [Microsoft Passport guide](microsoft-passport-guide.md) +- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md) +- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219) + +  + +  + + + + + diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md new file mode 100644 index 0000000000..e3c6cbddf6 --- /dev/null +++ b/windows/keep-secure/hello-enable-phone-signin.md 
@@ -0,0 +1,90 @@ +--- +title: Enable phone sign-in to PC or VPN (Windows 10) +description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Enable phone sign-in to PC or VPN + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. + +![Sign in to a device](images/phone-signin-menu.png) + +> [!NOTE] +> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. + + ## Prerequisites + + - Both phone and PC must be running Windows 10, version 1607. + - The PC must be running Windows 10 Pro, Enterprise, or Education + - Both phone and PC must have Bluetooth. + - The **Microsoft Authenticator** app must be installed on the phone. + - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. + - The phone must be joined to Azure AD or have a work account added. + - The VPN configuration profile must use certificate-based authentication. + +## Set policies + +To enable phone sign-in, you must enable the following policies using Group Policy or MDM. 
+ +- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** + - Enable **Use Windows Hello for Business** + - Enable **Phone Sign-in** +- MDM: + - Set **UsePassportForWork** to **True** + - Set **Remote\UseRemotePassport** to **True** + +## Configure VPN + +To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: + +- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. +- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. + +## Get the app + +If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). 
+ +[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) + + +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md new file mode 100644 index 0000000000..3e4fbfbedf --- /dev/null +++ b/windows/keep-secure/hello-errors-during-pin-creation.md 
@@ -0,0 +1,239 @@ +--- +title: Windows Hello errors during PIN creation (Windows 10) +description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. +ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 +keywords: PIN, error, create a work PIN +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Windows Hello errors during PIN creation + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. + +## Where is the error code? + +The following image shows an example of an error during **Create a PIN**. + +![](images/pinerror.png) + +## Error mitigations + +When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. +1. Try to create the PIN again. Some errors are transient and resolve themselves. +2. Sign out, sign in, and try to create the PIN again. +3. Reboot the device and then try to create the PIN again. +4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697). +5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697). 
+If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HexCauseMitigation
0x801C044DAuthorization token does not contain device IDUnjoin the device from Azure AD and rejoin
0x80090036User cancelled an interactive dialogUser will be asked to try again
0x80090011The container or key was not foundUnjoin the device from Azure AD and rejoin
0x8009000FThe container or key already existsUnjoin the device from Azure AD and rejoin
0x8009002ANTE_NO_MEMORYClose programs which are taking up memory and try again.
0x80090005NTE_BAD_DATAUnjoin the device from Azure AD and rejoin
0x80090029TPM is not set up.Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**.
0x80090031NTE_AUTHENTICATION_IGNOREDReboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)
0x80090035Policy requires TPM and the device does not have TPM.Change the Passport policy to not require a TPM.
0x801C0003User is not authorized to enrollCheck if the user has permission to perform the operation​.
0x801C000ERegistration quota reached

Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933).

0x801C000FOperation successful but the device requires a rebootReboot the device.
0x801C0010The AIK certificate is not valid or trustedSign out and then sign in again.
0x801C0011The attestation statement of the transport key is invalidSign out and then sign in again.
0x801C0012Discovery request is not in a valid formatSign out and then sign in again.
0x801C0015The device is required to be joined to an Active Directory domain​Join the device to an Active Directory domain.
0x801C0016The federation provider configuration is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
0x801C0017​The federation provider domain is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
0x801C0018The federation provider client configuration URL is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
0x801C03E9Server response message is invalidSign out and then sign in again.
0x801C03EAServer failed to authorize user or device.Check if the token is valid and user has permission to register Passport keys.
0x801C03EBServer response http status is not validSign out and then sign in again.
0x801C03ECUnhandled exception from server.sign out and then sign in again.
0x801C03ED

Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

+

-or-

+

Token was not found in the Authorization header

+

-or-

+

Failed to read one or more objects

+

-or-

The request sent to the server was invalid.

Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
0x801C03EEAttestation failedSign out and then sign in again.
0x801C03EFThe AIK certificate is no longer validSign out and then sign in again.
​0x801C044DUnable to obtain user tokenSign out and then sign in again. Check network and credentials.
0x801C044EFailed to receive user creds inputSign out and then sign in again.
+  +## Errors with unknown mitigation +For errors listed in this table, contact Microsoft Support for assistance. + +| Hex | Cause | +|-------------|-------------------------------------------------------------------------------------------------------| +| 0x80072f0c | Unknown | +| 0x80070057 | Invalid parameter or argument is passed | +| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | +| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x80090020 | NTE\_FAIL | +| 0x801C0001 | ​ADRS server response is not in valid format | +| 0x801C0002 | Server failed to authenticate the user | +| 0x801C0006 | Unhandled exception from server | +| 0x801C000C | Discovery failed | +| 0x801C001B | ​The device certificate is not found | +| 0x801C000B | Redirection is needed and redirected location is not a well known server | +| 0x801C0019 | ​The federation provider client configuration is empty | +| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | +| 0x801C0013 | Tenant ID is not found in the token | +| 0x801C0014 | User SID is not found in the token | +| 0x801C03F1 | There is no UPN in the token | +| 0x801C03F0 | ​There is no key registered for the user | +| 0x801C03F1 | ​There is no UPN in the token | +| ​0x801C044C | There is no core window for the current thread | +  + +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Event ID 300 - Windows Hello 
successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md new file mode 100644 index 0000000000..25c9b86986 --- /dev/null +++ b/windows/keep-secure/hello-event-300.md 
@@ -0,0 +1,54 @@ +--- +title: Event ID 300 - Windows Hello successfully created (Windows 10) +description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). +ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 +keywords: ngc +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Event ID 300 - Windows Hello successfully created + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. + +## Event details +| | | +|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Product:** | Windows 10 operating system | +| **ID:** | 300 | +| **Source:** | Microsoft Azure Device Registration Service | +| **Version:** | 10 | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. +Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | +  +## Resolve + +This is a normal condition. No further action is required. 
+ +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md new file mode 100644 index 0000000000..b9e72308cc --- /dev/null +++ b/windows/keep-secure/hello-implement-in-organization.md 
@@ -0,0 +1,389 @@ +--- +title: Implement Windows Hello in your organization (Windows 10) +description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. +ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 +keywords: identity, PIN, biometric, Hello +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Implement Windows Hello for Business in your organization + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. + +>[!IMPORTANT] +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. +> +>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +> +>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. +  +## Group Policy settings for Windows Hello for Business + +The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyOptions
Use Windows Hello for Business +

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

+

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

+

Disabled: Device does not provision Windows Hello for Business for any user.

+
Use a hardware security device +

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Enabled: Windows Hello for Business will only be provisioned using TPM.

+

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+
Use biometrics +

Not configured: Biometrics can be used as a gesture in place of a PIN.

+

Enabled: Biometrics can be used as a gesture in place of a PIN.

+

Disabled: Only a PIN can be used as a gesture.

+
PIN ComplexityRequire digits +

Not configured: Users must include a digit in their PIN.

+

Enabled: Users must include a digit in their PIN.

+

Disabled: Users cannot use digits in their PIN.

+
Require lowercase letters +

Not configured: Users cannot use lowercase letters in their PIN.

+

Enabled: Users must include at least one lowercase letter in their PIN.

+

Disabled: Users cannot use lowercase letters in their PIN.

+
Maximum PIN length +

Not configured: PIN length must be less than or equal to 127.

+

Enabled: PIN length must be less than or equal to the number you specify.

+

Disabled: PIN length must be less than or equal to 127.

+
Minimum PIN length +

Not configured: PIN length must be greater than or equal to 4.

+

Enabled: PIN length must be greater than or equal to the number you specify.

+

Disabled: PIN length must be greater than or equal to 4.

+
Expiration +

Not configured: PIN does not expire.

+

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

+

Disabled: PIN does not expire.

+
History +

Not configured: Previous PINs are not stored.

+

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

+

Disabled: Previous PINs are not stored.

+
Note  Current PIN is included in PIN history.
+
 
+
Require special characters +

Not configured: Users cannot include a special character in their PIN.

+

Enabled: Users must include at least one special character in their PIN.

+

Disabled: Users cannot include a special character in their PIN.

+
Require uppercase letters +

Not configured: Users cannot include an uppercase letter in their PIN.

+

Enabled: Users must include at least one uppercase letter in their PIN.

+

Disabled: Users cannot include an uppercase letter in their PIN.

+
Phone Sign-in +

Use Phone Sign-in

+
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 
+
+

Not configured: Phone sign-in is disabled.

+

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

+

Disabled: Phone sign-in is disabled.

+
+ +## MDM policy settings for Windows Hello for Business + +The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070). + +>[!IMPORTANT] +>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyScopeDefaultOptions
UsePassportForWorkDeviceTrue +

True: Windows Hello for Business will be provisioned for all users on the device.

+

False: Users will not be able to provision Windows Hello for Business.

+
Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
+
 
+
RequireSecurityDeviceDeviceFalse +

True: Windows Hello for Business will only be provisioned using TPM.

+

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+
Biometrics +

UseBiometrics

+
Device False +

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

+

False: Only a PIN can be used as a gesture for domain sign-in.

+
+

FacialFeaturesUser

+

EnhancedAntiSpoofing

+
DeviceNot configured +

Not configured: users can choose whether to turn on enhanced anti-spoofing.

+

True: Enhanced anti-spoofing is required on devices which support it.

+

False: Users cannot turn on enhanced anti-spoofing.

+
PINComplexity
Digits Device or user2 +

1: Numbers are not allowed.

+

2: At least one number is required.

+
Lowercase letters Device or user1 +

1: Lowercase letters are not allowed.

+

2: At least one lowercase letter is required.

+
Maximum PIN length Device or user127 +

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.

+
Minimum PIN lengthDevice or user4 +

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.

+
Expiration Device or user0 +

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. +

+
HistoryDevice or user0 +

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. +

+
Special charactersDevice or user1 +

1: Special characters are not allowed.

+

2: At least one special character is required.

+
Uppercase lettersDevice or user1 +

1: Uppercase letters are not allowed

+

2: At least one uppercase letter is required

+
Remote +

UseRemotePassport

+
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 
+
Device or userFalse +

True: Phone sign-in is enabled.

+

False: Phone sign-in is disabled.

+
+ +>[!NOTE]   +> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. +  +## Prerequisites + +You’ll need this software to set Windows Hello for Business policies in your enterprise. + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Windows Hello for Business modeAzure ADActive Directory (AD) on-premises (available with production release of Windows Server 2016)Azure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authenticationAzure AD subscription
    +
  • Active Directory Federation Service (AD FS) (Windows Server 2016)
  • +
  • A few Windows Server 2016 domain controllers on-site
  • +
  • Microsoft System Center 2012 R2 Configuration Manager SP2
  • +
    +
  • Azure AD subscription
  • +
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • +
  • A few Windows Server 2016 domain controllers on-site
  • +
  • A management solution, such as Configuration Manager, Group Policy, or MDM
  • +
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
  • +
Certificate-based authentication
    +
  • Azure AD subscription
  • +
  • Intune or non-Microsoft mobile device management (MDM) solution
  • +
  • PKI infrastructure
  • +
    +
  • ADFS (Windows Server 2016)
  • +
  • Active Directory Domain Services (AD DS) Windows Server 2016 schema
  • +
  • PKI infrastructure
  • +
  • Configuration Manager SP2, Intune, or non-Microsoft MDM solution
  • +
    +
  • Azure AD subscription
  • +
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • +
  • AD CS with NDES
  • +
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +
+  +Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. + +Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. + + +## Windows Hello for BYOD + +Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources. + +The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](https://go.microsoft.com/fwlink/p/?LinkID=623244). + +## Related topics + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +  \ No newline at end of file 
diff --git a/windows/keep-secure/hello-manage-identity-verification.md b/windows/keep-secure/hello-manage-identity-verification.md new file mode 100644 index 0000000000..71b7ad88c9 --- /dev/null +++ b/windows/keep-secure/hello-manage-identity-verification.md 
@@ -0,0 +1,127 @@ +--- +title: Manage identity verification using Windows Hello for Business (Windows 10) +description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. +ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: jdeckerMS +localizationpriority: high +--- +# Manage identity verification using Windows Hello for Business + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. + +>[!NOTE] +> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Hello addresses the following problems with passwords: +- Passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials. +- Passwords can be subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). 
+ +Hello lets users authenticate to: +- a Microsoft account. +- an Active Directory account. +- a Microsoft Azure Active Directory (Azure AD) account. +- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication + +After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services. + +As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. + + + + +## The difference between Windows Hello and Windows Hello for Business + +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication. + +- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. + +- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. + +## Benefits of Windows Hello + +Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + +You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. 
An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. + +In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. + +![how authentication works in windows hello](images/authflow.png) + +Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. + +Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. 
It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. + +Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. + +> [!NOTE] +>  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  +## How Windows Hello for Business works: key points + +- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. +- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. +- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. +- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. 
+- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- Certificate private keys can be protected by the Hello container and the Hello gesture. + + +## Comparing key-based and certificate-based authentication + +Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello. + +Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. +EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. + +When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. 
+ +## Learn more + +[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy + +[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) + +[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) + +[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) + +[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) + +[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) + +## Related topics + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +  diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md new file mode 100644 index 0000000000..f6419c6ced --- /dev/null +++ b/windows/keep-secure/hello-prepare-people-to-use.md 
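Review bot: The sentence "It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs" runs three separate properties together and attributes replay resistance to the wrong one; split it along the lines the page itself gives elsewhere: the server holds only the public key ("Private key never leaves a device"), so a server breach does not yield a reusable credential; replay is defeated by the per-request signature that possession of the private key produces, not by the key type; and TPM protection is about keeping that private key from being extracted from the device. "identify provider" appears twice ("the identify provider knows from the combination", "Identify provider (such as Active Directory") and should be "identity provider"; "based on certificate or asymmetrical key pair" needs articles ("a certificate or an asymmetric key pair"). As in the other new files, the Related topics links target the old *-microsoft-passport.md filenames rather than the hello-*.md files this commit introduces.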
@@ -0,0 +1,116 @@ +--- +title: Prepare people to use Windows Hello (Windows 10) +description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. +ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B +keywords: identity, PIN, biometric, Hello +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Prepare people to use Windows Hello + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. + +After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. + +Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello. + +People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. + +## On devices owned by the organization + +When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. + +![who owns this pc](images/corpown.png) + +Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. + +![choose how you'll connect](images/connect.png) + +They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. 
+ +After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. + +## On personal devices + +People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. + +People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. + +## Using Windows Hello and biometrics + +If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. + +![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) + +## Use a phone to sign in to a PC or VPN + +If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. + +> [!NOTE] +> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  +**Prerequisites:** + +- Both phone and PC must be running Windows 10, version 1607. +- The PC must be running Windows 10 Pro, Enterprise, or Education +- Both phone and PC must have Bluetooth. +- The **Microsoft Authenticator** app must be installed on the phone. +- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. +- The phone must be joined to Azure AD or have a work account added. 
+- The VPN configuration profile must use certificate-based authentication. + +**Pair the PC and phone** + +1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. + + ![bluetooth pairing](images/btpair.png) + +2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. + + ![bluetooth pairing passcode](images/bt-passcode.png) + +3. On the PC, tap **Yes**. + +**Sign in to PC using the phone** + + +1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. + > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. + + ![select a device](images/phone-signin-device-select.png) +   +2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. + +**Connect to VPN** + +You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. 
+ +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) + + diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md new file mode 100644 index 0000000000..4fb387f147 --- /dev/null +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md 
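Review bot: The callout under step 1 of "Sign in to PC using the phone" is written `> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.`; the space before the closing `**` breaks the bold markup, so it should be `> **Note:**`, or better the `> [!NOTE]` form the rest of this page already uses. In "On personal devices", "the person enters and confirms new PIN" needs an article ("a new PIN"), and in the prerequisites list "The PC must be running Windows 10 Pro, Enterprise, or Education" is the only item without a terminating period. The Related topics links again point to the old *-microsoft-passport.md filenames instead of the hello-*.md files created in this commit.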
@@ -0,0 +1,76 @@ +--- +title: Why a PIN is better than a password (Windows 10) +description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . +ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 +keywords: pin, security, password, hello +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Why a PIN is better than a password + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. + + +## PIN is tied to the device +One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! + +Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. + +## PIN is local to the device + +A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. 
+When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. +> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). +  +## PIN is backed by hardware + +The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. + +User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. + +The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. + +## PIN can be complex + +The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. + +## What if someone steals the laptop or phone? 
+ +To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. +You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. + +**Configure BitLocker without TPM** +1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: + + **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** + +2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** +3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect. +**Set account lockout threshold** +1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: + + **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold** + +2. Set the number of invalid logon attempts to allow, and then click OK. + +## Why do you need a PIN to use biometrics? +Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. + +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. 
+ +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) +  \ No newline at end of file diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index b9e72308cc..207fb70b38 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-implement-in-organization/ --- # Implement Windows Hello for Business in your organization diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index bae0757612..df9cc36137 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md 
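Review bot: the new hello-why-pin-is-better-than-password.md ships with several text defects that should be fixed before it publishes. In the **Set account lockout threshold** step the policy path reads `**Windows Settings** ?**Security Settings**`, where the `?` should be `>` like the other separators; `asymetric` in the Note and `enablng` in the BitLocker paragraph are misspelled; and the front-matter description ends in `a password .` (stray space, and since it is a question it should end with `?` as the body text does). Structurally, the bold `**Set account lockout threshold**` line follows step 3 with no blank line before it, so it will render as a continuation of the numbered list instead of as the second procedure heading. The Related topics links also point at manage-identity-verification-using-microsoft-passport.md and implement-microsoft-passport-in-your-organization.md, which this same patch turns into redirect stubs; link to the new hello-*.md files directly so readers of the new topic do not bounce through a redirect.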
@@ -18,7 +18,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | - | - | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | | [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | -| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. 
This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | | [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | 
@@ -29,7 +29,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | +| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard and Device Guard. This section offers technology overviews and step-by-step guides. | | [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |   ## Related topics diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 71b7ad88c9..2987351774 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS -localizationpriority: high +redirect_url: /hello-manage-identity-verification/ --- # Manage identity verification using Windows Hello for Business diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 128f1ffe29..3afb9ba4f4 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-and-password-changes/ --- # Windows Hello and password changes diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 3e4fbfbedf..9241b0611d 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-errors-during-pin-creation/ --- # Windows Hello errors during PIN creation diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 25c9b86986..0ff7b55583 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-event-300/ --- # Event ID 300 - Windows Hello successfully created diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index f6419c6ced..974d8cda4c 100644 
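Review bot: in each of these redirect hunks the `redirect_url:` line replaces `localizationpriority: high` rather than being added beside it, which silently drops that metadata from the old topics; if the intent is that a redirect stub no longer needs a localization priority, say so in the commit message so the removal is clearly deliberate. The target form used here (`/hello-implement-in-organization/`, leading and trailing slash) should also be checked against what the build's redirect handling actually expects before it is applied identically to all nine files.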
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-prepare-people-to-use/ --- # Prepare people to use Windows Hello diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 4fb387f147..fb142b629d 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-why-pin-is-better-than-password/ --- # Why a PIN is better than a password diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index a5c487491c..0ed2aa1d28 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -34,10 +34,6 @@ Get proven guidance to help you better secure and protect your enterprise by usi

[Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)

This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.

- -

[Microsoft Passport guide](microsoft-passport-guide.md)

-

This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.

-

[Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
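Review bot: removing the Microsoft Passport guide entry from windows-10-enterprise-security-guides.md leaves microsoft-passport-guide.md live but orphaned, because this patch does not touch that file while the new why-a-PIN topic still sends readers to it (`see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)`). Either keep the entry until the guide is redirected, or add the redirect in the same change so there is no window with an unlisted page that other topics still reference. The removed lines also include the bare `-` separator lines that space the list entries; verify that the remaining entries still render with the same spacing once they are gone.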

diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index ca368e846f..d4cb4df71e 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -localizationpriority: high +redirect_url: /hello-biometrics-in-enterprise/ --- # Windows Hello biometrics in the enterprise From eabadc71f7c2d73345f8fc3658b0182d83d06432 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 09:59:07 -0700 Subject: [PATCH 002/115] fix redirects --- windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md | 2 +- .../implement-microsoft-passport-in-your-organization.md | 2 +- .../manage-identity-verification-using-microsoft-passport.md | 2 +- windows/keep-secure/microsoft-passport-and-password-changes.md | 2 +- .../microsoft-passport-errors-during-pin-creation.md | 2 +- windows/keep-secure/passport-event-300.md | 2 +- windows/keep-secure/prepare-people-to-use-microsoft-passport.md | 2 +- windows/keep-secure/why-a-pin-is-better-than-a-password.md | 2 +- windows/keep-secure/windows-hello-in-enterprise.md | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index fab4f26f07..38fb8a9fef 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -redirect_url: /hello-enable-phone-signin/ +redirect_url: /hello-enable-phone-signin --- # Enable phone sign-in to PC or VPN diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 207fb70b38..a8ac5e3d46 100644 
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-implement-in-organization/ +redirect_url: /hello-implement-in-organization --- # Implement Windows Hello for Business in your organization diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 2987351774..2b9656fb8f 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS -redirect_url: /hello-manage-identity-verification/ +redirect_url: /hello-manage-identity-verification --- # Manage identity verification using Windows Hello for Business diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 3afb9ba4f4..7eddfa84a4 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-and-password-changes/ +redirect_url: /hello-and-password-changes --- # Windows Hello and password changes diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 9241b0611d..a0d5c75f85 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-errors-during-pin-creation/ +redirect_url: /hello-errors-during-pin-creation --- # Windows Hello errors during PIN creation diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 0ff7b55583..1c0937e186 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-event-300/ +redirect_url: /hello-event-300 --- # Event ID 300 - Windows Hello successfully created diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 974d8cda4c..4cb911fcc0 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-prepare-people-to-use/ +redirect_url: /hello-prepare-people-to-use --- # Prepare people to use Windows Hello diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index fb142b629d..7eac794a90 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-why-pin-is-better-than-password/ +redirect_url: /hello-why-pin-is-better-than-password --- # Why a PIN is better than a password diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index d4cb4df71e..39a3d66e35 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md 
+++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-biometrics-in-enterprise/ +redirect_url: /hello-biometrics-in-enterprise --- # Windows Hello biometrics in the enterprise From ce99cd5ace1566496998ed2e12c6133ec82da2bb Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 10:10:55 -0700 Subject: [PATCH 003/115] try no slash + .md --- windows/keep-secure/windows-hello-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 39a3d66e35..4de96f0e5a 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-biometrics-in-enterprise +redirect_url: hello-biometrics-in-enterprise.md --- # Windows Hello biometrics in the enterprise From 0285a32c9f14909c55311adb0e4fda20f18bc74d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 10:40:41 -0700 Subject: [PATCH 004/115] try with folder name --- windows/keep-secure/windows-hello-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 4de96f0e5a..149b94e6f4 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: hello-biometrics-in-enterprise.md +redirect_url: /keep-secure/hello-biometrics-in-enterprise.md --- # Windows Hello biometrics in the enterprise From d573f75324addf29a154f25feb5f6a7af3ab726e Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Wed, 28 Sep 2016 10:50:21 -0700 Subject: [PATCH 005/115] last try --- windows/keep-secure/windows-hello-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 149b94e6f4..39a3d66e35 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /keep-secure/hello-biometrics-in-enterprise.md +redirect_url: /hello-biometrics-in-enterprise --- # Windows Hello biometrics in the enterprise From ff21abb8fc811821078e1cf1e2d883028252ca7d Mon Sep 17 00:00:00 2001 
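Review bot: patches 002 through 005 (`fix redirects`, `try no slash + .md`, `try with folder name`, `last try`) flip the `redirect_url` of windows-hello-in-enterprise.md between `/hello-biometrics-in-enterprise/`, `/hello-biometrics-in-enterprise`, `hello-biometrics-in-enterprise.md` and `/keep-secure/hello-biometrics-in-enterprise.md` before landing back on `/hello-biometrics-in-enterprise`, and patch 006 then rewrites every redirect again as an absolute technet.microsoft.com URL. Trial-and-error commits against the published branch leave a window in which the redirect is broken for readers; find the working form on a local or staging build and squash these into a single commit.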
From: jdeckerMS Date: Wed, 28 Sep 2016 11:40:29 -0700 Subject: [PATCH 006/115] add new topic, interlinks --- windows/keep-secure/TOC.md | 1 + ...ange-history-for-keep-windows-10-secure.md | 6 + .../enable-phone-signin-to-pc-and-vpn.md | 2 +- .../keep-secure/hello-and-password-changes.md | 25 ++-- .../hello-biometrics-in-enterprise.md | 13 +- .../keep-secure/hello-enable-phone-signin.md | 24 ++-- .../hello-errors-during-pin-creation.md | 62 ++++----- windows/keep-secure/hello-event-300.md | 38 +++--- windows/keep-secure/hello-how-it-works.md | 126 ++++++++++++++++++ .../hello-implement-in-organization.md | 29 ++-- .../hello-manage-identity-verification.md | 25 ++-- .../hello-prepare-people-to-use.md | 25 ++-- .../hello-why-pin-is-better-than-password.md | 13 +- ...microsoft-passport-in-your-organization.md | 4 +- ...y-verification-using-microsoft-passport.md | 41 +++--- ...microsoft-passport-and-password-changes.md | 2 +- ...oft-passport-errors-during-pin-creation.md | 2 +- .../keep-secure/microsoft-passport-guide.md | 2 +- windows/keep-secure/passport-event-300.md | 2 +- ...repare-people-to-use-microsoft-passport.md | 2 +- .../why-a-pin-is-better-than-a-password.md | 2 +- .../windows-hello-in-enterprise.md | 2 +- 22 files changed, 275 insertions(+), 173 deletions(-) create mode 100644 windows/keep-secure/hello-how-it-works.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e05c37aaec..03e7c2cb11 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -1,6 +1,7 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) ## [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +### [How Windows Hello for Business works](hello-how-it-works.md) ### [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) ### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 6dc8ea8b8c..fa21d8f325 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,6 +12,12 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## Octoboer 2016 + +| New or changed topic | Description | +| --- | --- | +| Microsoft Passport guide | Content merged into [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) topics | + ## September 2016 | New or changed topic | Description | diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index 38fb8a9fef..064dd48a63 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -redirect_url: /hello-enable-phone-signin +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin --- # Enable phone sign-in to PC or VPN 
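Review bot: the new change-history heading `## Octoboer 2016` is misspelled and should read `## October 2016`. The table under it records only the Microsoft Passport guide merge, but this patch also creates hello-how-it-works.md (added to TOC.md in the same change), so a row for the new topic belongs there too. In the enable-phone-signin-to-pc-and-vpn.md hunk the redirect now hard-codes `https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin`, which pins the en-us locale for every reader who hits the old URL; confirm that is intended for localized sites before the same form is applied to the other redirect stubs.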
diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index 128f1ffe29..4388fd73dc 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md @@ -36,19 +36,12 @@ Suppose instead that you sign in on **Device B** and change your password for yo ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file 
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index ca368e846f..98a4f449cf 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md @@ -75,10 +75,15 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ## Related topics -- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -- [Microsoft Passport guide](microsoft-passport-guide.md) -- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md) +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) - [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)   diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md index e3c6cbddf6..e6cd471753 100644 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ b/windows/keep-secure/hello-enable-phone-signin.md 
@@ -63,21 +63,15 @@ If you want to distribute the **Microsoft Authenticator** app, your organization ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)   diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index 3e4fbfbedf..6d2998ebfd 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md 
@@ -197,43 +197,37 @@ If the error occurs again, check the error code against the following table to s ## Errors with unknown mitigation For errors listed in this table, contact Microsoft Support for assistance. -| Hex | Cause | -|-------------|-------------------------------------------------------------------------------------------------------| -| 0x80072f0c | Unknown | +| Hex | Cause | +|-------------|---------| +| 0x80072f0c | Unknown | | 0x80070057 | Invalid parameter or argument is passed | | 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | -| 0x8009002D | NTE\_INTERNAL\_ERROR | -| 0x80090020 | NTE\_FAIL | -| 0x801C0001 | ​ADRS server response is not in valid format | -| 0x801C0002 | Server failed to authenticate the user | -| 0x801C0006 | Unhandled exception from server | -| 0x801C000C | Discovery failed | -| 0x801C001B | ​The device certificate is not found | -| 0x801C000B | Redirection is needed and redirected location is not a well known server | -| 0x801C0019 | ​The federation provider client configuration is empty | -| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | -| 0x801C0013 | Tenant ID is not found in the token | -| 0x801C0014 | User SID is not found in the token | -| 0x801C03F1 | There is no UPN in the token | -| 0x801C03F0 | ​There is no key registered for the user | -| 0x801C03F1 | ​There is no UPN in the token | -| ​0x801C044C | There is no core window for the current thread | +| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x80090020 | NTE\_FAIL | +| 0x801C0001 | ​ADRS server response is not in valid format | +| 0x801C0002 | Server failed to authenticate the user | +| 0x801C0006 | Unhandled exception from server | +| 0x801C000C | Discovery failed | +| 0x801C001B | ​The device certificate is not found | +| 0x801C000B | Redirection is needed and redirected location is not a well known server | +| 0x801C0019 | ​The federation provider client 
configuration is empty | +| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | +| 0x801C0013 | Tenant ID is not found in the token | +| 0x801C0014 | User SID is not found in the token | +| 0x801C03F1 | There is no UPN in the token | +| 0x801C03F0 | ​There is no key registered for the user | +| 0x801C03F1 | ​There is no UPN in the token | +| ​0x801C044C | There is no core window for the current thread |   ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file 
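Review bot: The reformatted "Errors with unknown mitigation" table still carries the duplicate row `| 0x801C03F1 | There is no UPN in the token |` (it appears once after 0x801C0014 and again after 0x801C03F0) and the zero-width-space characters embedded in several cells, for example `| 0x801C0001 | ​ADRS server response is not in valid format |`, `| 0x801C001B | ​The device certificate is not found |` and the hex cell `| ​0x801C044C |`, which break copy-paste and searching for the code. Since this hunk already touches every row, drop the duplicate row and strip the U+200B characters while you are here. The file also still ends without a trailing newline on both sides of the diff; worth fixing in the same pass.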
diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index 25c9b86986..a366e3a402 100644 --- a/windows/keep-secure/hello-event-300.md +++ b/windows/keep-secure/hello-event-300.md @@ -20,12 +20,12 @@ localizationpriority: high This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details -| | | -|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Product:** | Windows 10 operating system | -| **ID:** | 300 | -| **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | + +| **Product:** | Windows 10 operating system | +| --- | --- | +| **ID:** | 300 | +| **Source:** | Microsoft Azure Device Registration Service | +| **Version:** | 10 | | **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |   
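Review bot: The rebuilt Event details table promotes the first data row to the header (`| **Product:** | Windows 10 operating system |` followed by `| --- | --- |`), so "Product:" renders as a bold column heading while ID, Source, Version and Message render as body rows under a header that does not describe them. Markdown tables need a real header row: either keep the original empty header (`| | |` then `|---|---|`) or add a descriptive one such as `| Field | Value |` and keep Product as an ordinary row.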
@@ -35,20 +35,12 @@ This is a normal condition. No further action is required. ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md new file mode 100644 index 0000000000..d8b890e784 --- /dev/null +++ b/windows/keep-secure/hello-how-it-works.md 
@@ -0,0 +1,126 @@ +--- +title: How Windows Hello for Business works (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- +# How Windows Hello for Business works + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +To use Windows Hello to sign in with an identity provider (IDP), a user needs a configured device, which means that the Windows Hello life cycle starts when you configure a device for Windows Hello use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. + +## Register a new user or device + +A goal of Windows Hello is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. + +> [!NOTE] +>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure AD; that configuration is discussed later in this guide. This configuration must be completed before users can begin to register. + + The registration process works like this: + +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. Logging on with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +2. 
To log on using that account, the user has to enter the existing credentials for it. The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. +3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1). The PIN will be associated with this particular credential. + +When the user sets the PIN, it becomes usable immediately + +Remember that Windows Hello depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: + +- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. +- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. +- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. + +When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. 
This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures. + +## What’s a container? + +You’ll often hear the term container used in reference to MDM solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. 
Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account. + +The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website. These containers are logically separate. Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Windows Hello application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Windows Hello. + +It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. + +Each container actually contains a set of keys, some of which are used to protect other keys. 
Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. + +![Each logical container holds one or more sets of keys](images/passport-fig3-logicalcontainer.png) + +Containers can contain several types of key material: + +- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. +- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. +- Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Windows Hello container so they’re available to the user whenever the container is unlocked. +- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key. 
Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: + - The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in Network Device Enrollment Service Guidance. In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. + +## How keys are protected + +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. 
Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. + +Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + + +## Authentication + +When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. 
+ +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. + +The actual authentication process works like this: + +1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) +2. The IDP returns a challenge, known as a nonce. +3. The device signs the nonce with the appropriate private key. +4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. +5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. +6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. +7. 
The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. +8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. + +When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. + +Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click other user on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. All this happens without typing a password anywhere or typing your PIN on the PC. + +## The infrastructure + +Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: + +- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. 
You can use NDES to register devices directly, Microsoft System Center Configuration Manager or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. +- You can configure Windows Server 2016 domain controllers to act as IDPs for Windows Hello. In this mode, the Windows Server 2016 domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview. +- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. 
+ + + + + + + + + + + + + + + +## Related topics + +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md index b9e72308cc..7429667875 100644 --- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-implement-in-organization.md @@ -300,6 +300,8 @@ The following table lists the MDM policy settings that you can configure for Win   ## Prerequisites +To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. + You’ll need this software to set Windows Hello for Business policies in your enterprise. 
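Review bot: The new hello-how-it-works.md ships with placeholder front matter (`description: tbd`), which will become the page's published meta description, and with dangling figure references: the registration steps cite "(Figure 1)" and the container section cites "Figure 3", but the only image in the file is `images/passport-fig3-logicalcontainer.png`, so there is no Figure 1 or 2. Other points in the same hunk: the sentence "When the user sets the PIN, it becomes usable immediately" has no terminal punctuation; "Windows Hello for Work" appears in the IDP-key bullet and twice in "How keys are protected" while the rest of this patch standardizes on "Windows Hello for Business"; "The infrastructure" announces "four deployment possibilities" but the third bullet (DNS SRV discovery) is an explanation of domain controller lookup, not a deployment option, so the list reads as three options plus a stray paragraph; the schema requirement is stated as "Windows Server 2016 Technical Preview" although the surrounding text refers to released Windows Server 2016; and the "Remote unlock, which is planned for a future release" paragraph sits in a page whose Related topics link to "Enable phone sign-in to PC or VPN", so confirm which statement is current. Finally, the run of empty `+` lines before "## Related topics" should be collapsed to one blank line, and the file should end with a newline.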
@@ -369,21 +371,12 @@ The PIN is managed using the same Windows Hello for Business policies that you c ## Related topics -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/hello-manage-identity-verification.md b/windows/keep-secure/hello-manage-identity-verification.md index 71b7ad88c9..d1c4c0da7c 100644 --- a/windows/keep-secure/hello-manage-identity-verification.md +++ b/windows/keep-secure/hello-manage-identity-verification.md 
@@ -79,6 +79,7 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Certificate private keys can be protected by the Hello container and the Hello gesture. +For details, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication 
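Review bot: The added line `+For details, see [How Windows Hello for Business works](hello-how-it-works.md).` directly follows the last bullet (`- Certificate private keys can be protected by the Hello container and the Hello gesture.`) with no blank line in between, so Markdown treats it as a lazy continuation of that list item rather than a new paragraph. Insert a blank line before it.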
@@ -109,19 +110,13 @@ When identity providers such as Active Directory or Azure AD enroll a certificat ## Related topics -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)   diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md index f6419c6ced..2991666df4 100644 --- a/windows/keep-secure/hello-prepare-people-to-use.md +++ b/windows/keep-secure/hello-prepare-people-to-use.md 
@@ -97,20 +97,13 @@ You simply connect to VPN as you normally would. If the phone's certificates are ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index 4fb387f147..ad4f77ab13 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md 
@@ -70,7 +70,12 @@ If you only had a biometric sign-in configured and, for any reason, were unable ## Related topics -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -  \ No newline at end of file +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index a8ac5e3d46..8939418730 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-implement-in-organization +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization --- # Implement Windows Hello for Business in your organization 
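Review bot: Every rewritten Related topics list in this patch (hello-prepare-people-to-use.md, hello-why-pin-is-better-than-password.md and the hunk above them, plus the "For a detailed explanation" sentence added later in this patch) links to `hello-how-it-works.md`, but no hunk visible in this diff creates or touches that file; confirm it exists at this commit (patch 007 below edits it, so it may land in between), otherwise these lists ship with a dead link. Two smaller points: the hello-why-pin-is-better-than-password.md hunk leaves the file without a trailing newline (`\ No newline at end of file` on both sides), and the manage-identity-verification-using-microsoft-passport.md hunk further down actually removes the trailing newline that file had; add the final newline in both.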
@@ -300,6 +300,8 @@ The following table lists the MDM policy settings that you can configure for Win   ## Prerequisites +To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. + You’ll need this software to set Windows Hello for Business policies in your enterprise.
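Review bot: This new Prerequisites paragraph goes into implement-microsoft-passport-in-your-organization.md, the same file whose front matter in the preceding hunk carries `redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization`, so readers will be redirected away before they see it; move the paragraph into hello-implement-in-organization.md, where the redirect lands. The wording "in some modes you must add Windows Server 2016 domain controllers" should name the deployment modes that require them, or link to the section that does, because "some modes" gives an administrator nothing concrete to check against.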
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 2b9656fb8f..b73f0dbc9d 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS -redirect_url: /hello-manage-identity-verification +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-identity-verification --- # Manage identity verification using Windows Hello for Business 
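Review bot: The `redirect_url` value switches from a site-relative path (`/hello-manage-identity-verification`) to an absolute TechNet URL that bakes in the `en-us` locale, so a reader on a localized copy of the old page is sent to the English target; if the publishing system resolves relative redirects, a locale-neutral target is preferable, and if it does not, a short note in the PR explaining why the absolute form is required would help the next person who touches these front-matter blocks. The same applies to every other redirect_url hunk in this patch.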
@@ -37,7 +37,14 @@ After an initial two-step verification of the user during enrollment, Hello is s As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. + ## Biometric sign-in + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + + - **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. ## The difference between Windows Hello and Windows Hello for Business 
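Review bot: In the new Biometric sign-in section the first list item is written as ` - **Facial recognition**` with a leading space while the second (`- **Fingerprint recognition**`) starts at column one, and the heading line `+ ## Biometric sign-in` also carries a leading space; align both items and the heading to column one so the list renders as a single list in every Markdown engine. Since the Related topics list in this same patch already points to hello-biometrics-in-enterprise.md, which covers the same subject, consider ending this section with a link to it rather than letting the two topics drift apart.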
@@ -67,8 +74,9 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential > [!NOTE] >  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. -  -## How Windows Hello for Business works: key points + + +### How Windows Hello for Business works : Key points - Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. - Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. @@ -79,6 +87,7 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Certificate private keys can be protected by the Hello container and the Hello gesture. +For a detailed explanation, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication 
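Review bot: The heading is demoted from `##` to `###` and rewritten as `How Windows Hello for Business works : Key points`, which adds a stray space before the colon and capitalizes "Key" against the sentence-case headings used throughout this file (`## Biometric sign-in`, `## Comparing key-based and certificate-based authentication`); keep `: key points` with no space, and check which H2 the new H3 now nests under, since the visible context above it is the phone sign-in note rather than a section about how Hello for Business works. While touching this block, the unchanged bullet `Identify provider (such as Active Directory, Azure AD, or a Microsoft account)` should read "Identity provider".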
@@ -109,19 +118,13 @@ When identity providers such as Active Directory or Azure AD enroll a certificat ## Related topics -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  +- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 7eddfa84a4..3fa30f4786 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-and-password-changes +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes --- # Windows Hello and password changes diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index a0d5c75f85..61f8335040 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-errors-during-pin-creation +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation --- # Windows Hello errors during PIN creation diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index d4bd6e4d33..d921444e45 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -8,7 +8,7 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security author: challum -localizationpriority: high +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization --- # Microsoft Passport guide diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 1c0937e186..80298cf4fe 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-event-300 +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300 --- # Event ID 300 - Windows Hello successfully created 
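Review bot: In the microsoft-passport-guide.md hunk the `localizationpriority: high` line is replaced by the `redirect_url` rather than kept alongside it, and a planning-stage page (`ms.mktglfcycl: plan`, author challum) is folded into hello-implement-in-organization, which is a deploy-stage topic; confirm the guide's planning content is already covered there, since nothing in this diff moves it, and decide deliberately whether the localization priority should be dropped for a redirecting stub.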
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 4cb911fcc0..cde8099b99 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-prepare-people-to-use +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use --- # Prepare people to use Windows Hello diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 7eac794a90..5fccb990f7 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-why-pin-is-better-than-password +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password --- # Why a PIN is better than a password diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 39a3d66e35..09380ebe1f 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: /hello-biometrics-in-enterprise +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-biometrics-in-enterprise --- # Windows Hello biometrics in the enterprise From 1bbc16e3b30e5fcf152823f13cf5527294bd6a8d Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Wed, 28 Sep 2016 12:22:35 -0700 Subject: [PATCH 007/115] tweak how it works for rs1 --- windows/keep-secure/hello-how-it-works.md | 41 +++++++++++------------ 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index d8b890e784..c8100862aa 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md @@ -1,6 +1,6 @@ --- title: How Windows Hello for Business works (Windows 10) -description: tbd +description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -14,42 +14,40 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -To use Windows Hello to sign in with an identity provider (IDP), a user needs a configured device, which means that the Windows Hello life cycle starts when you configure a device for Windows Hello use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. +To use Windows Hello to sign in with an identity provider (IDP), a user needs a configured device, which means that the Windows Hello life cycle starts when you register a new user or device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. ## Register a new user or device A goal of Windows Hello is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. > [!NOTE] ->This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure AD; that configuration is discussed later in this guide. This configuration must be completed before users can begin to register. 
+>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md). Organizational configuration must be completed before users can begin to register. The registration process works like this: -1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. Logging on with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. -2. To log on using that account, the user has to enter the existing credentials for it. The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. -3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1). The PIN will be associated with this particular credential. - -When the user sets the PIN, it becomes usable immediately +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +2. 
To sign in using that account, the user has to enter the existing credentials for it. The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. +3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately Remember that Windows Hello depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: -- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. -- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. +- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. 
That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. +- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. +- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. -At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. 
When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures. +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. -## What’s a container? +## What’s a container? -You’ll often hear the term container used in reference to MDM solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account. +You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. 
Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. -The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website. These containers are logically separate. Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Windows Hello application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Windows Hello. +The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. 
-Each container actually contains a set of keys, some of which are used to protect other keys. Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. +The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. ![Each logical container holds one or more sets of keys](images/passport-fig3-logicalcontainer.png) 
@@ -58,22 +56,22 @@ Containers can contain several types of key material: - An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. - Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Windows Hello container so they’re available to the user whenever the container is unlocked. -- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. 
For enterprises, the IDP keys can be generated in two ways: - - The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in Network Device Enrollment Service Guidance. In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. +- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. 
For enterprises, the IDP keys can be generated in two ways: + - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. ## How keys are protected -Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. 
As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. 
## Authentication -When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. +When a user wants to access protected key material — perhaps to use an Internet site that requires a sign-in or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. This process unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. 
It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. 
For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. The actual authentication process works like this: @@ -88,7 +86,6 @@ The actual authentication process works like this: When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. -Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click other user on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. All this happens without typing a password anywhere or typing your PIN on the PC. ## The infrastructure From 52e4a2523385625917db82fd8b676bd7f6e242fd Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 12:48:09 -0700 Subject: [PATCH 008/115] done --- .../hello-implement-in-organization.md | 44 +++++++++++++++++-- 1 file changed, 41 insertions(+), 3 deletions(-) 
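Review bot: the rewritten "How keys are protected" paragraph still says "Windows Hello for Work implementation" and "Windows Hello and Windows Hello for Work do not require an onboard TPM", while the added text elsewhere in this series consistently says "Windows Hello for Business"; since the line is already being touched (machine → device), apply the rename here too rather than leaving a third product name in the doc. In the same paragraph, "he or she will have to use MFA" and "allows him or her to re-register" can simply be "the user", matching the neutral phrasing used in the rest of the section.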
diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md index 7429667875..42ecfedf3d 100644 --- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-implement-in-organization.md 
@@ -363,11 +363,49 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. -## Windows Hello for BYOD +## Approaches for a Windows Hello for Business deployment -Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources. +Different organizations will necessarily take different approaches to the deployment of Windows Hello depending on their capabilities and needs, but there is only one strategy: deploy Windows Hello for Business throughout the organization to get maximum protection for the maximum number of devices and resources. Organizations can take one of three basic routes to accomplish that strategy: + +- Deploy Windows Hello for Business everywhere according to whatever device or user deployment strategy works best for the organization. +- Deploy Windows Hello for Business first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials. +- Blend Windows Hello for Business into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards. + +### Deploy Windows Hello for Business everywhere + +In this approach, you deploy Windows Hello throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Windows Hello infrastructure in place to support device registration before you can start using Windows Hello on Windows 10 devices. 
+ +You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Windows Hello for Business on a device until the device joins Azure AD and receives the appropriate policy. The major benefit of this approach is that it provides uniform protection for all parts of the organization. Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks. + +The downside to this approach is its complexity. Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint. + +For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](https://technet.microsoft.com/windows/mt240567). + +One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. 
Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated. + +In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) you’ll deploy biometric devices to users. Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor. + +### Deploy to high-value or high-risk targets + +This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Windows Hello to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Windows Hello–secured access to that database for those users. 
+One of the key design capabilities of Windows Hello for Business is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Windows Hello to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets. + +### Blend Windows Hello with your infrastructure + +Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Windows Hello. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Windows Hello offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment. Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Windows Hello in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Windows Hello and use Windows Hello to secure access to network and Internet resources. This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Windows Hello itself. 
+ +Smart cards can act as a useful complement to Windows Hello in another important way: to bootstrap the initial logon for Windows Hello registration. When a user registers with Windows Hello on a device, part of that registration process requires a conventional logon. Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Windows Hello for future logons. + +### Choose a rollout method + +Which rollout method you choose depends on several factors: + +- How many devices you need to deploy. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. +- How quickly you want to deploy Windows Hello for Business protection. This is a classic cost–benefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits. +- The type of devices you want to deploy. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. +- What your current infrastructure looks like. 
The individual version of Windows Hello doesn’t require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. +- Your plans for the cloud. If you’re already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. -The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](https://go.microsoft.com/fwlink/p/?LinkID=623244). ## Related topics From 5209f44deded2d1df74fa772f0ee3164a09e3905 Mon Sep 17 00:00:00 2001 
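Review bot: the removed "Windows Hello for BYOD" text was the only place that explained PIN management on personal devices (the DeviceLock policy sentence and the link to the Policy configuration service provider), and nothing in the new "Approaches" section replaces it; if that guidance now lives on another page, link to it from the new BYOD paragraph under "Deploy to high-value or high-risk targets", otherwise carry the DeviceLock sentence over. Also, the "Deploy Windows Hello for Business everywhere" text lists "relying on remote unlock as a second authentication factor" as a device option, but the same series deletes the paragraph that described remote unlock as planned for a future release, so readers are pointed at a feature the doc no longer explains; either keep a one-line definition or drop that option. Minor: the "Blend Windows Hello with your infrastructure" paragraph is a single block of roughly ten sentences and would read better split at "Some enterprises have deployed multi-use smart cards".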
From: jdeckerMS Date: Wed, 28 Sep 2016 12:52:24 -0700 Subject: [PATCH 009/115] save again --- .../hello-implement-in-organization.md | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md index 42ecfedf3d..581174a4f4 100644 --- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-implement-in-organization.md 
@@ -400,11 +400,22 @@ Smart cards can act as a useful complement to Windows Hello in another important Which rollout method you choose depends on several factors: -- How many devices you need to deploy. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. -- How quickly you want to deploy Windows Hello for Business protection. This is a classic cost–benefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits. -- The type of devices you want to deploy. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. -- What your current infrastructure looks like. The individual version of Windows Hello doesn’t require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. -- Your plans for the cloud. If you’re already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. 
Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. +- **How many devices you need to deploy**. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. +- **How quickly you want to deploy Windows Hello for Business protection**. This is a classic cost–benefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits. +- **The type of devices you want to deploy**. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. +-** What your current infrastructure looks like**. The individual version of Windows Hello doesn’t require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. 
Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. +- **Your plans for the cloud**. If you’re already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. + +## How to use Windows Hello for Business with Azure Ad + +There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: + +- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. 
+- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. +- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device. + +If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. Set Microsoft Passport policies + ## Related topics From d4a6d04cd317e6c8d8accdeb7dcf91628ec6c24f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 12:59:17 -0700 Subject: [PATCH 010/115] remove passport guide from toc --- windows/keep-secure/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 03e7c2cb11..6b32fa5ae4 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
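Review bot: the fourth bullet is written as `-** What your current infrastructure looks like**.` with the space inside the bold markers, so it renders as a literal `**` instead of a list item; it should be `- **What your current infrastructure looks like**.` like its siblings. The new heading reads "with Azure Ad" where the body and the other headings use "Azure AD". The paragraph on certificates ends with the stray fragment "necessary certificates. Set Microsoft Passport policies", which looks like a leftover heading or placeholder and should be either deleted or turned into a proper section with content. Finally, "the user will be prompted to log on" in the Office 365 bullet contradicts the logon → sign-in wording change made earlier in this series.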
@@ -841,7 +841,6 @@ ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) -### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) From 477ba51a8840907c1f03c7cfadcb90f043079d5e Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 13:09:10 -0700 Subject: [PATCH 011/115] fix heading --- windows/keep-secure/hello-implement-in-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md index 581174a4f4..3b5dc82dca 100644 --- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-implement-in-organization.md 
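Review bot: this patch only removes the TOC entry for microsoft-passport-guide.md (the stat line shows TOC.md as the sole file changed), so the page itself stays in the repo as an orphan with the old "Microsoft Passport" terminology and no navigation path to it; either delete the page with a redirect to the Windows Hello for Business content or note in the commit message why it is kept out of the TOC.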
@@ -406,7 +406,7 @@ Which rollout method you choose depends on several factors: -** What your current infrastructure looks like**. The individual version of Windows Hello doesn’t require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. - **Your plans for the cloud**. If you’re already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. -## How to use Windows Hello for Business with Azure Ad +## How to use Windows Hello for Business with Azure Active Directory There are three scenarios for using Windows Hello for Business in Azure AD–only organizations: From d3e6ef44dcf221cda000adfc903c6da1daa06161 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 13:11:56 -0700 Subject: [PATCH 012/115] added missing section --- windows/keep-secure/hello-manage-identity-verification.md | 7 +++++++ 1 file changed, 7 insertions(+) 
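Review bot: the heading fix ("Azure Ad" → "Azure Active Directory") is fine, but the unchanged context line directly above it still carries the broken bullet `-** What your current infrastructure looks like**.` (bold marker on the wrong side of the space), which is a one-character fix in the same file; fold it into this commit rather than leaving a rendering error next to the corrected heading.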
diff --git a/windows/keep-secure/hello-manage-identity-verification.md b/windows/keep-secure/hello-manage-identity-verification.md index d1c4c0da7c..6321911004 100644 --- a/windows/keep-secure/hello-manage-identity-verification.md +++ b/windows/keep-secure/hello-manage-identity-verification.md 
@@ -37,7 +37,14 @@ After an initial two-step verification of the user during enrollment, Hello is s As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. + ## Biometric sign-in + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + + - **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. ## The difference between Windows Hello and Windows Hello for Business 
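Review bot: the first bullet in the new "Biometric sign-in" section is written as `+ - **Facial recognition**.` with a leading space, while the second is `+- **Fingerprint recognition**.`, so the two items have different indentation and the first may render as a nested item or plain paragraph; align both to `- **...**`. The added blank lines (`+ `) also carry trailing whitespace. Content-wise, the closing paragraph makes the useful threat-model point that biometric data is stored only on the device; consider stating in the same breath that a PIN or password fallback remains required, since the section currently reads as if the biometric alone is the credential.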
From d8ed643be770d31b7c681cf34717e004e96919ef Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 28 Sep 2016 13:55:11 -0700 Subject: [PATCH 013/115] fix list format --- windows/keep-secure/hello-manage-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/hello-manage-identity-verification.md b/windows/keep-secure/hello-manage-identity-verification.md index 6321911004..ca6b032a8f 100644 --- a/windows/keep-secure/hello-manage-identity-verification.md +++ b/windows/keep-secure/hello-manage-identity-verification.md 
@@ -41,7 +41,7 @@ As an administrator in an enterprise or educational organization, you can create Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. - - **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. 
Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. From 94a68957be304c0eded2890899e66d05b69bec46 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 3 Nov 2016 10:17:09 -0700 Subject: [PATCH 014/115] fix bookmark links --- windows/keep-secure/hello-implement-in-organization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-implement-in-organization.md index 3b5dc82dca..7afc1c03e9 100644 --- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-implement-in-organization.md @@ -131,7 +131,7 @@ The following table lists the Group Policy settings that you can configure for H - +
Phone Sign-inPhone Sign-in

Use Phone Sign-in

Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
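Review bot: the removed and re-added `Phone Sign-in` row lines are identical in their visible text, so the bookmark fix lives entirely in markup this view has stripped (the link target), and the commit message "fix bookmark links" does not say which anchor the link now points at; please confirm the new target matches the heading's generated id in hello-implement-in-organization.md and consider naming the target in the commit message so the change is reviewable without rendering the page. The Note in this row, "Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants", is a time-bound statement that will go stale; flag it for removal when the TAP restriction is lifted.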
@@ -289,8 +289,8 @@ The following table lists the MDM policy settings that you can configure for Win
Device or user False -

True: Phone sign-in is enabled.

-

False: Phone sign-in is disabled.

+

True: Phone sign-in is enabled.

+

False: Phone sign-in is disabled.

From b41c487dd345624379ff4cbf5f4a7f84d06f55ad Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Wed, 18 Jan 2017 09:31:22 -0800 Subject: [PATCH 015/115] Update credential-guard.md Add new requirements section --- windows/keep-secure/credential-guard.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index a92cf8f9f5..96afd50094 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -38,7 +38,11 @@ Here's a high-level overview on how the LSA is isolated by using virtualization- ![Credential Guard overview](images/credguard.png) -## Hardware and software requirements +## Requirements + +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as "Hardware and software requirements". Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as "Application requirements". Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in Security Considerations. + +### Hardware and software requirements To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. From 28429c18d5c8750c08f692c2e538ae28c3194347 Mon Sep 17 00:00:00 2001 
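Review bot: in the credential-guard.md hunk, the new `## Requirements` intro paragraph repeats the `### Hardware and software requirements` paragraph almost word for word ("Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats."), so one copy should go; suggest keeping that sentence only in the subsection and letting the intro just name the three buckets (hardware and software, application, security considerations). The intro also promises an "Application requirements" subsection and points to "Security Considerations", but this hunk adds only the `### Hardware and software requirements` heading, so either add those headings in the same change or drop the forward references until they exist. Minor: "Additionally Credential Guard blocks" needs a comma after "Additionally", and "which we will refer to as" reads better as "referred to below as".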
From: Jan Backstrom Date: Wed, 18 Jan 2017 12:31:22 -0800 Subject: [PATCH 016/115] Surface Data Eraser updates --- devices/surface/images/sda-fig5-erase.png | Bin 282123 -> 75757 bytes .../surface/microsoft-surface-data-eraser.md | 41 ++++++++---------- 2 files changed, 18 insertions(+), 23 deletions(-) 
diff --git a/devices/surface/images/sda-fig5-erase.png b/devices/surface/images/sda-fig5-erase.png
index cf8abe7dced1b0accee901076d142d788e2bf051..8ac3e174a7f5a026d2683a4152f83336999cdb50 100644
GIT binary patch
literal 75757
[base85-encoded PNG data omitted; the image shrinks from 282123 to 75757 bytes per the diffstat above]
zEp$V1((|0Na38WGb<%dfOUSM}IhiV7O)jy)qa}X(l9Ygo9sh?n1?;ivc0mGd-j z5heg)gcPb`0JsrAl^_LKAb6|#p#@PZMFmOvH)BDF*^g ziwp|^miPtGDUh&VUmX(zqw@%W2V|x4%M-7ul7gRVw(5m5$OpB>2tAQ@+wFWACfTbL zuMX;`Ah3!6HymmZ?6tdmka3d!ylwU=)q^|$z&Q|P=Rl2z9q?f6Gmu}15Ox^dPw{p8 z0U5`y#&=?`?D4x#*5N$1w7g?4^U9Fj5Kj4Te;hoRPRileOi>Vz`ieK?<)4P9tLT4B zTrh(YBPpmtk>L-~`RC##lGVlIE$5tI8Bs@aEXMK~<8=P^1c_XA^GlJzs4g1Q;O&KY z0^KwI&GS7yC%+cql@E(EukduW{a5gYJpHu@bWwF`c*}1j?NU!}(wZ`(M#u{WYijHs zwa4Uy)GYgqj;|*n?#Bd5yQA=5om9i#-!iP^6aSJeqPj3+v zU{On%k(DwTtB-uf4sn->{F(X(Ki;fMUi5PuY)#9SVm`~~=u?@Br%T}9|MMfmm;4bb zpHULj7XFa2&p|d`4o@9BZjLPk4c1tX$2K+x_g;-bZ6mGy%4J0!At9lkH&|04Cp_C0 zeKc&S=O2NSm{IUin^#^RS2gR@NN1l1$MgzLJWPc+Qy_!-N|=aiDuEi1XNe~;y|Rrf zfznpu4H;RA#KRd-I31DU4ZqmOl0Z1b=YMM{a%72v2$cwGu-blxx*3td>-J=I-*8kv z^A1w_A7@f@e&nr9I4M6@=Y^}9o4Zu!d~td|yI>!^zCmJGad|Df(jDiy#4{Kp3SUiw5u{2=(jb0R z@CpvXMNK-Rd(7QKygDG1zQ0{I7 z&{bb*pS6A`to)6&m6dT=rl`QyNwr~Ox;Wh@9d%_XftW!Z%6%ye>d~WeQ_dzOlOCy) zC~Ri}QFoePZR@-D0Y#RcCUm#Wt{T3dT4cU;d5#}_$<*4&eo0&MK4k-xNIhLU`y$Zk z?byTLVHXL`GQ~8IUc^tAA|j74VH6`2_hv5%j-*(R&~0J+XQ}tkqp1T22BhWjO|mWy z6%mx9aqe2(dcel6pdWD&?Sl8sbxM}Cj$n2Bwwo5`YWN2{Wl%V&sPo=rqro*YntOIq zYL7|jisksw`K$PP2IFiS>x9}@7Y@@mp|i9k z!X-c@!GEkWtG#s~w=U)?1{b~0hn~jgtp(z`H{}fK$D%*IFx!rSsKa{AzaQ<=wycLT z>Ev`nAg`Qp?L1d0?$^gS<}K@5bF&tg+#P1L%xP$9sHe<_MmlxkVcT6Yk>o+)V#MT< z1UCEkZ2HQhdJ>Dd=bOoFsCQ?TU_4~anakCtcCRGO7#K{OhW46y(VakaaxKT4vC5%$`*I?JjcG;7fjfYWO~_pz%-ke-AS8G>e?lJ?a0vddl-f zwYfVbVNI#VbL+^SpMs)h?|4eiyx;efu(TA5H$0eskiNwm5qsgZK$t&z?da936Un1n z>dZBcr{2s<|NIK9xrM`3%pZ-s)m85gwpymYuJL^G<++_^bG$GgB_Y;R>$T(e!Pjvd zWz~&d5jZ~d8S{ybCZu<7v0MBql>G8D(K~IFw5tHJkOUAwGx2<>_y)qI|?VUAK;}bAxnnxg? 
zP2ey=_(3fWAI9=|GBh>OF03rJNBmhHsxOH{84^r(CB^7Bzr0W(5;JS@IUR-Gz6Ob% z)}{HC?>iof@)kKCKv1Yge|5S+i&|gLNjOC8>ALuB*Gc=~8i~Qf23j4~o902{Ok7-f z&o&ss*D*?UN2Z7_1ci={?%PV#bvkccF7POH^)0cLey@Pt%hstYFzdz7vUyMjD#Dr-I&3jTIWVtiI#s z8O?Aq&CFCdU?YF#G7Pfgt&3iHcDtv_^MGyTua;>W<*Mjo^7VcGF{ghX;v^J?vI8d_ zjlNUep&Gv^Zm+cpPZ^c`rFDvciYuew>mj^ZMYepL{*0GaU3hBa(Z_|Ai0c;vsB~Z3{}};!--jfri(wZn3(68+nbbaB--vGgY?Q((v^}$eT~4wA*y-VumUgvv z{yW|I^ZRS`!uvNljSWd_U0)6!yBz(;e_z@AUjF09kESkrMgFV_gEwAotEAMph^Tbj zbUe*><5(Rhm2f8~EcQ`zIghiMa6c4*P9J6E=6cd!RoSF|C{yeHyJ(dDPisNJBv(GJ z-$}b$3d1|?lmW3kO(jBme20m7@9Z;YsD6*Q_>5V@^K73n^@j0+9 zPDpSCMH7uoViQlD&mI+f%h8)%ZOhf4MV9-+mY(*+27fdvxa7wWTjRUC+j2P8S4+|s z(wh}fdlF+nKUSsJ8wVHV4x-nWjfgzOa^L;u7-L)#YnkRoZ}D{L8>n1l-do1G?KWN8 z8ku1586Om^g=*QZUzd($@0A=&6RX%rE3*8q{@zl>W+_BES05urYK}>fFML#&XQa8` z^b%7UQWs1?M^&yY>G>4^25F{QFUjC zNeI1d`=>_~gy_c~8+}8ccElYhhMt^Y7(p_LcjN^LMoiHz=b_F6%Or^uN4kR*(Hh~F zD8^fC5B7rC*b>JF9u~Z*I^(`PDZ3xVib;v)yA>WTlrCgHRJTOS#9eZ)GrlhRO5I|g ze`F*kXKjQdVr~9=1;I~#^UQA-dAc|*H0Y{H*@T1%`n{7wjA@f-B+Ste;0JoN4@xC% zBWhKCz8h_-jO-aSXnF9_|CY;a_VGUtnzE@@!P?q7CNz19%z3I|5Mo#i7fioFUfl2t z4Bz>WZN?{=nxMraT=yAhl4@*^jbV^DT;g7U&sEu*@J^Y!X6LgS6FuHP?_yzd8M$v~ zUy)}%g(o!K2elubxwJIA&i8o5+)wuYR+{0RdTjSz^-Yaw5PpfhP~}5*^CnhwIP1|J zr6*kplUUCa*0s(A*9e#ZPub*0xuw(4lQz?$vb<8!LR^0@^;&b`SG=cd@eS|Zm76@i z_VDiQ)9(zX!$Nt@vXdRuc~i58Zp;g_N)>^72_vtgdb2S*CKFlAz;qY7oDRoTt zm50~L`B@sBQcoH!+}-oE77kqUVw_sf=25pA{<6*ceCKYhE`LP;2Mf#f<((&>Cv^Qd zP0aI%q0}?aFlGa$eU=AgJ@{B2kQ07QPt&*+2QR$!us^$3x7LH-#XJr1&LKS<4_dtJ z>;*-l&eM1N_#8W`o;y!y(4}OM`#2=b{F>&Ax3UDQ$_eudHXqazrpKx~Cs(+c7TOyl znu%L?cge4+DBFnpbWARFzWK@bB3Q7>k2lcMv%M2^ljOoKlFxN)tUJ%q;^NVPQfL0z z=1_idk4t+a<Sa?o>p_l2`-ij7aJytJ6DhJ}JY z+?(_5$w=uQte24_Oqa51OV+YIQm0c64V@-T=tx*t00+Y7z$kjxQmvXnczPxEenv|Z z-|OpF;__ALf|3O1R($73drWTn9u3^g`2CfRU0r0i?5iM?lut^T12@YOlbFD0xr_o8 zlz&6HM1^0yuKIk*dk?S8xbkhUcd;@19gscf-3@aX+b4Zjp{s|ZrWVuv#6N$Rt|775 znS7mErXG8cqld+qxq*O&1NP3_Nz0BDo%Df3e!~RMYOmhES^2ysaa2H?>lV~iZGQaV z{NN8L7{P=2x?bVDu|gL#Cn_ZHpe(P@*f}C-?Lb&a7Y`+Di}smjX4W*()k_j#e0{FH 
zz3Q~oJ{Ei1EvB@Fk6rY}wmW#(-e&IYq>>WxWBro-U3NL9;cz;J-o=TDD)EFHQ*O({ zaV!Zu-?uIdU*nD_Gl-xcjf%Q{gBwRmDv#G_vPVjAuw{H4QxzEOVzif@-s|?Z-`Qv> zDCoUf`sd4|Gk6UTFUV z`KC=Kx3*tIGPdXP;bKPoFR4Dv?=IsZ9wGGF#a3y4Pv@2zFO6`NL6xIRJY8Dig;e5S zzgWk?E5B6a!Xf%cz~`Iz>grhC$#IJfXvR!D!ORfyIi`DB4%$|*(sOX|@I5IptP}Uv z4i)qiph;gFpEHn37Q)faiTc=Ae7)@U7fmO#CqFK&t}S=%h2dd3?+oNraSME1`zC|; z#_$$T$knUu1fvas0n5MVM#MlEe|L4RVe%s}`Rs@dL|LLDvJZ=|O=#kwo)c|tf_UoA z=U}3Vmao=7Teo0hu6kAPgPN-1>P&T(H}(d`ER8Fd92{ce)KLID)KkfmZat8syXkpe zx2(HL_j3~-qu-i$+AjQKb0cA_QL=oC*MGrklZy>XcUb>5 z<1*OJC`z^e*m1TO|GWWSA(=wniG2OvUX_u(`G36nKi=}+uVS`7z0p8jzy9m|1SuH} z?!Z7@e|BA_(y5`OJ~s$7xmKCs6_~f4)}DYkp0;+~K(5fmlY4&$2x#%1t_Yl_9_~QE z7yyC0_ui*75IcmdsS>NJ;*-)48rQ;}cr6Rdcaa+w;=5t!xpN>AR+r(Yx%Bvj8j-j+ z;m{D~ptuqu!2Jk@(^SfIF;UR=pIkjTwQt?`;6XEJ<}prAuDcOWJ@|<0-~i8d;v_Ne zA<12p&QwZ}il(F?l2`1L2mq6~zZzBgUK~T5W57`Xw^aW;;37A<{8MV0qAQpE@1@LM zkDzNjmJlyTu{DXgC@|;S8(h!P%)PGWnd!@cAhR@kdbHMJ z!*c6#V1{^7A^K`lguIcW8p+FZ{%cdmX!-LxLJ{d8QSu0b|kA?>#2{&OOj z6TOKh3XV)L>*rj=j+Eg9LN;vT8v&yP>CIb8HsSP^jB7*u*I~1GLS|ID@+lyBO-2fe ztxohLN=h+T#G#Rf*MFfW!1tKV&(U#4s3ShE0Vo3BgR3s)=y_Go@zPRF-Ork%`7Tzz zOmrkN@pYak>aNrxV5E$O^<~h z6{n|b-G&UaJ-lfnpD(O$W^K6r{oAn>5rPtNjBoJTBivnE$exrDHM7FHGSR~Kv-a+Nb@W<7)l>@eE4fEwIm(Poim)E0D#PKeeo|DPjThPPHd9akb zabu=s!LYhRNA^`P`0JoDm>SnYGyqU&I*n?;W9IB?eRf+YTD$0!`DN`#3geAjR zuc2W9aUa{|S~P3pr~8{l+5P0a#_JPvoq~o{ZKh_dfm~GNG(3C{KVLrZ^ny^s;`Uk; zWzej}_-cAO#0H5b4)vBj-RQOS#e!H4I@^KQM^ICNUU=myZci_VE~rZPJ8qs_POWej z_j6c=Hm*h}>@8-Ic+?gjaoQaloG{j^_*agXH>mF;oqnkh?*z#O+VdCal7*ss`KTSY zt)ZYK{Fp`R@sGt>-{T`eyP-==8Dgy()!$r~=UdQ=F|Kx&S8L<*OcrM3Xia+3+xsAl zGHXA-xZis<$iz3=L?wcr->`Cb@zC3YPaMP+Y>R(zrKIpHg;A~si~e@)|;VTPnQUI)VyCAbZIM!&)gwWU^jNG113MeK)_KmKj3)D2MJ1lGF~;%&ij)dvT#Y+k z9oy@9DmeorbDWr5?_Tb$xgO%&i)|@7HKBUN*U%f&tw*0s>$`d`F)O46j8Zt|LI}JmL?~TiAmi!bI8l+gh~z8lTy^=6sT};KW7aZ z9PCWMe#7-=mOvyWL#Yo6fuZKQwC$-+pFgwM*L$Fn&@rJqG{Rt_k|NrvlPwjL%@rlc zLCM@bAq4woVm*`NmfoSyA4>PdC0ZIQ46`{_43CKD5*vO<#GGUF#T!w1w?su@0MKIU 
zVqXQGhf!bcTeENz10|*6Ls_ui*opfxpJyA|VmV?ax2N#<9=*VDy_ChV8*L+)T1T5M z>+;Bd|T4U zAzBTlidKoso-l}RVgrS6YOY>VXI|W2d~lEs%*Mefz?^tWIhpsqK3g1A{QQQxMupGF z1W}IpXPNwi&IFV^@hs=#rz~|rxIV#~y63Tq;ixY<3BBV50c*k_vh_KSh+@+PHLe!N zrLuA1f*^-K+1y0=PgmXO%aEw3>rTUHZtQYTFk6&sO?J^$6dYDqmp~hL@A$S+rN7US zzuoWI4H3IZSw@s$Wy?tS;GjokV_P)FyXE7b;W)n#>yXbPjFOD|2Ua{NGJ|+ryaQpX z^9^O*B<7`leg_p|Pun<1g1~4H*uBLP*@=c0l z{+F=}@eA)-Avs+^#5s9pn_D)ujO8B8Ep$75zfMXpC>t7*H_&@7JKH>YUMP~gwW>8Av?Af~6_Lz;N zcXuMrkkXaD&*vT723?uaa;3D}hAH81JX?O>axAJt-%)Xg&#EZzMT(YycRqL6$I7?(23xq@;CEO4=^piF<=)L%$)7|G3jH7sRk z$wliigQ&8X7aRry;fru0ras=iJK0cdX2`;l7vHU+v;S7E?gdG&)6s4WXna5JUg#!B z7MY6|DbZJwxKbB*{NY|j4H`96lU9jG6rQU~DtlaNFFlYGGtm;^tl~pLVo31z$E(4- zjfw9mTOtsd$kx{NeM~Y?Qdf#zDma;=G0w2<-*+0XGHmrIwG+>uG@TqYQ9}K*7oP2N z2BPJj^C({x6}UisH8M87g}^PKNj~rVnaS)QrKN__CMC+DFz;?&+3p(FR><&;{fM@4 z(6;xd1n!v@rDA=D>jz6kKPY(|}H;VfD8nP5!pAx#2#L%RqjuAKMXXbyF zqT%>EW@%j{^-|^s+>;aMz7brP`E{lC@#;DgKc@?04h~5MB%(JQYcPhVMQ@(#)eR=3 zJmuB!Pl?otj$!;~gNFFUb}f?Z?JdZn;i7NdTw)nUoLpuaK3_M#6(s8rf5W*pm|`w| zM__vNmg&4|dx(ZIsmYi~)6ZzK+@OnWXEt`@B@Hph$xCW#>H|6Apl;P-Q(3+qhan@g zkp)M~c8!ZloFXEK?AtSqRAXzJ(k9|6pUyK3zel#jZ`|+~bKftGr{V3ISV$AjwxDI_ zQFA!=Gb)UxV&meIrN}*+e~-?_o%X8q^=(-juP0E(>3chZf~6dNaI4C*kzhPB%~AQ2 z2;1f9z5@%kas@@d+deJ+ijk6OiVAMv0@flU!@CR_EFV5a?H{|pQK2~zyX5Z}$olUt zJ8?TPIHJVG{nUDL7G}i#=K!AS-2HDrj_H>z&&o1f3SosYa>qxfTUXQhWO_A=Ty5sN zclH)W?l4Q8V6lTaQ#L~OhjUB2ed?I3+ad!PbLqvxf=POl7a~Zxq{)ZyvuCSLo;^*- zk2CR`v%MtP8O2&x<=JxbyU6MEo7-vi?Qr_$ej`#xKChiat2~a}-J@!}floL$^w~{`9PlReTxjGPVlGX$*>%mj;$d1@dsy zkWr>XZH>;femE|3u>3PVhIJKK3L-Z%4S$O^s{qw!8035Ea&RIw+8#?@V(T+rq0ime z_i;ko8}n-9Tijcv*scudU1zZhSMt3RrtE9pdgARyOkuUYd1$rO_Q&hQ7>a+P9qP1N zXm!G>pd{|7#IAk4mBmDn2@jX{EaSf9;a8;#LDk-iCrA*UKMpf$*^_I}ug($7_E3E4 zH}uJvOilCL52G<0+~uuBLvL>0^ujZ zg5dm5Fsvo3(1Gbk;d}A%xlZw}!Gvt$(bAR9?_YX*Ju<|7INjxfm7UHqqUePtE!#3O zo>=l5%8Y+iOrOs+kY4P?mO;Q@*z;$m50A(rBc7|Zk5}_W*-KNiVmTt;(K22grgmD< z^6l;GgL7xm{VzGxm1itk$WIEt6p;EXU1V|e+}Z@$6@s%Y^JcrdqdoNj8BcC%3%)0- 
z*5x1H^V~#{(QJCr7TH`_(|H^2cYHPLbgReEMIBx6dhe~=D9hxEx%ri>{;CQKRg%eJ zAeHw?-D)scXgv@=O_w-Gxx@<1%mJENvs`;Lyd6u9<@zaC$@U&(2eA0Po-VK0px)ay z-#qbw*-?u(70-^lFAb_JN z+ScD5+v_&HL^kx>a#dfq?ChU`d&*+00omFF9wUbbPWH00-emR;Jgci%#)zOuJ=TaD zdi%m!RX26~IQLICh%{=du-Gt~ti$77hCyqnOZPmWpsgFxxH&PHu=mklxq0h*dRkf9 zlrE*vwKR#&6^8u-r;^X%ARnu2)0NgKEGq19Bh7o~OXk4#LPo%IqAaYa!|PhNN{{FX z^A|3a?hC#RE_joih6crx3!v%LiT?ZA)Ba8W<`eb16N7`geFN>WRZ=g!;(2@4rckwK zkFn*qAezPu3Cut}!{$699=$mwjEjEamjwJPF{W0wf1(SFh8fy~T?w0wbI1t*-ZWVX_x_wq8|&W?$#3KXq=?sv{k55oNx7-%@T zxjjo!2M+O&liKet=K5>pygMyFOruy8BR6-?y|_`LFOZJEUaE9TsiOM&A)h3stw%|T zKdnZsmF1HxirLxM5XJsWG4G)@IM3x>!gO4v9!AYG# zMLg^!F3yHy{DbELOOKX(GJWr2y- z>7=x0Ey>^e!t|2SK8Ft_yWhX-DkI}_<76=pS}3z?FEh`~yu0^TCx72Z#D~doY)YC06k!n59iJargdNLSBBnnFAKzuemuKOH&PGMp1O};y>LK)~hy~g~F zAzkAMe)ID0FMW>on_w`DO)7o7AHetmCu}*@cqzBZdix({WrW>fS5lr9rELK;o<&{M znJ`B|D;J^i`27oDV0tgnWIm0UViNAEfgPoy}T*`C7(><|od7 z@6;h-5Sl!hn(CDc;Xk1~=kWLX^-Z5=x186BqH3iyN^>$zya#!Bigk6@(%#WoO^iLf4zdR7?EGB#~029LHzv9nk*r zUahq=I4Kv%E5=kn)go=BboxNMr)zt^IwA@UoeY_>5*H{SD6|Ri@0i zbNJZVK&pN#xVk{G(nLy6-Mm`ca^ZaDiTw}%NENyI(O{pnw77RSYipx?ihd|t=5jD+wz5DZbeq^rBco=cl(0#X89gjo__?15fBuCO8mv%oGU?e;tX$gZO{iFT_X_PkVFpc{kKr(okDgm2CyH z&`!_Pj@>pe@cS(>yU@)~#id~W637Gc_VyOvm0^Cvs=M}b;K$c|)o=dh5^egO#PIdp zE@Ysx+B^P^;CtZr&%Z) zU?#kY$>f2{s&Ngzadpfqu7{KSFm}RfA@XCX8D3N}>1@yGgncxFs0UN=a1WC2G@WVb zft(s99l8+ao26Wdtp`^-%jD2}d=?>vwP{Se6U|{PQl}l%ldUW`qN1x%98>_AX!>0J zpVa@9WHhsR?kGfu+vb&Yr)*u+7+ zNw>&X^R+JX`1-}D>1qEa`5D)-QIEukh}XUtar74Zsl5%!?Dx*jKZ_)gm`(HE<5@pB zZe5DMN>+eo<$H2*eNv`nBPTb&up)CpNvXx@Mb(1`0aiW!Pz+L7Cb~XLGPyuBG=gVi z1L29%!mXR@e2$LkrDjY}s9<&{6y-RP%#%_p^`;LeFRx0HliIO!9nHKti_a+8MX(Lb zSKj+T0*yERzk1;Fl)@QID04rQ{CBhL^HTnIYgJ|ab2{z3*RKd@&efw2i(Nrig?wtN zWrN4)(KW4(p;}9optie&1_m>HE=Cq?auYRl!3%Bm1&_}_wZezS>MDfNd;C2HTWV*P z$S=pd)_#GIfnjDVnB2@`?%iSZPG9ffJ(K>aoD~bF$VG>V9 z?1jeTBbI#li=6&m%alrj06C-evZH15k6Z>ICTDfN2{opOk_QA}Zwe#WyvNZ5DI@$R zzjgYa?97>a50kiax#A$FzS%z{>ZqENn~iD-KOW4%dBsB15;4P-g)+I9Cd@Sxx3%rz 
zfr2?8D)H-ank_I>BA~*>(*w8>E$PT~7enX0Ews0C$BJi2vB1Il&I}`9Y)b83)(4uY_v`lpH z5n>NGq=Nrh+G#2Oj?8sSy%f^a#G~!0Z(4p1u$5 zeVF~IR{n(c*nsKgteGbHgZLn=Y=7mr@~G7{-UCsahCnqkGULebM8ROkW@zphDvNZi zukc}jw9(Z4`*r!X9c9*xx0^VagO<^lFj)h%}`{*+l$|lXQ>aKH5wXD6^24mvAHjd#s zgA#He&(Wv#|I$baQ=-+OcUiYJ5nTKAHr zE)fe$`uxrk=H1i+M__XkN^Oa84!#NQ}mWfd1>W7A+jE&^XB(UitTY=itK{QX`g^iZ1AiaGV& zn$gMc-U}vUIq>Nba=5W_8u^M)#PNd&tLlR+QuM0fyjG}h_%nioGJ@8~l#`o@$U@ba z30Uzz;QRF`wElU8|B>VLH0}*uQ(sI;vfpxoAjb~&XzzcOb|%nVu5Z78%rl9MNp=Hi zFcp%FrClkM3{mFDkQ7px%8()&5F#NYV$<+z^?X0`HP11uIM+h!p+VdGW%rNyOlezAh3}K=#>V^KCB=#4 zOOcPH;SuQA#q1w==DJuz=-wm^^~#VmZ+t;8Z`ds+o2S@}nA zi{x}4@xHUOG~&z`dY>PBMNnv52E~`vrOFyVlyMIXr8fL%V$D7~aOOoKYWSgdzvSOn zh}w0c^XU3;P`>FdzrfZY2S)Dd{SmhsSXlbpRy@?blqxRmsi>-x+<(+GRD|y7scl_$H>~fUeD|jy$?GTBF{}UuEk* zD`eN0;S&9NTMev+BKdpWWvVKCs&(KfcEP>MZKbrYaGa3*@UIpw7MZDyhMeCz4Sy;) z@afEjseZow^4f~)s+{+>vNYb_qvY=Pr9N-?N3yKE-HoC%@=lU*LqD8KMPAhHX6-34 z%+1;uek|!`!|%y2lKW^>x|uk`g^$VZuDU$_II{cJaFt)z(i^c)Q)_USg0cnISnU)& z%gUf&Z6)cra3L`5@E69TP~g1{)9Z5_?sWYf;zw7LXUopO7IOz8Df_YF#_RRUo)Td^ zE1Rx!baXts-mIuJ-V?woV_Igf_A{E9c`KV!HL=^-BO_b3 zqwDhcF}r>Kc{h)7{{-v3jQr4F91H^6GuM4m@%Cot<2y9}P$F%M%?nwKZN1pwFRE0F z>3&xXVwHM2eUKjRv^5RwEJ(hPat@vIi!|&C&a&YfYJ9E)$nb6$AH0A<=>A*5Ij)tB zIT!M~MqY_@w^!q#Y<8|y(wG+dT;Nk-t!y`PT;(47+i%T&eV_L}^KD7o&EDRA$m7th z`Dv@4l{DvPSs7}+HKV&S@A2d4sorNfaXn?9#+vpnVHQor^G2x8OaSbSJWA*wcF3^{ zudj%Fq~B-7-CG|$^>ds2ts@DSU59_X9G%~;*$Y|*T`%)Tc~_VaU_ z;*h!Da{7XK)9UsPB{guZ*_Z7cY z4cJ%Lxo%;VW%8|5aXdfdxN>jWXDf|2I-I8$`f1OPkB+6j-RoxZSmUVEJG+pVU8!af z3j#Cag73y=&YoP!JSbcqAajnL4jpUL_{HS?Xs3GC6`!^kj2ZtuU{RepP9LHSRrvY6AqI|HZQNMIy(QwBS;5}DE&1%HYYa6+es+Ix zmfd37>s-;E`RQHuo4`OXC;Q;L`P+QhCcoVrlx4N5lwM+Bn`TueC(}GrW9+iUK05wo z_!X`bzRnziG8$XfGIy13Sm@3TD2d#BNyh5)nD^{e;h!_S0c^jn%*1Z*YSft-$8%eG zwr6O%Miab$2=Q0)@T^mJ|FHF0e~NCy!0VZzNj#^Ris|bmRSR05BT|@DXDA4ndLevf zh)+uMOs@Wvg0qK^RXqVUnwB>$1oID6M@gSV&xuDwbJfoN$UPk5>kFLEst<;#dVFjV z{z>BzJ7IF3I`!?_#~o?xZbN72)Gwd@^8LB$*R8S4o6I;vR&CZ1H<4exDP)PC{>`Jp}oAymxe6L(NYf-Aj(K~FMh9~fgd}HOrN31kwe-F4V&q^+Eo^gv` 
z+z|qWYwD&yy*J0JsH%lu0|PuU7@4|%EdP<`#)IaodoK6?*qmR|NAK{0Z%}F7pCe8{ zwq0}C()t5;$M=R9ya;H@I+k_-f5F_p!w*ApwG}S|Ia(S2gg@&;|0(n?TXGTe{HO#E z;F0t?F40IIZLRsGXhm*J8~;4_omb(nKht{jV=r0ypvBMC7ii5*nWh$Rz&DK96qF5@ zk0PyQnvw?e-iy&60!c&+%2s2RG7NPXK*Hz1_3Yj;*3R-cVJYL1$SXY+&KVIkRhJz2 zxLYLj8=tJd9mdT~v(=$KKd`H$;pJ<#7=Ep=uOE)Gld-k!kMqBzbPToL9FJGfIkk4Z z;g+oPeLs(_x_A6nP3q|Hfq?@twH$YtXSzz5a5jFDuFo%KUWAcqXLC=y@N4dBLAq-z zUYKrwWDqg1^W-gMW#{9kdOvsXJY{}WChN>W^9j4Gapx|@4cCj^iuhQWn6jdi+?_T! z{xmJ3c_8ZZ`GeBWkDnG+@Qb%Kzr60?TXg=g63j^lO{Ju=ypoRZ+@QRHB}(PkB4fhe z+*#kpx_7QxnsUl|xmF^`!6RBxPpRU>fg+kU5!Zy-msbz9-FDb9^NA~~ZhaXe@1;zW zBE3g#>B(E!=Nh~3IV?#J)72N&^VO99Gk!F;4wG-+TP?nI#|dj8E^8g|&k@-naP(=o zu;TeeQ>9aF*ZNvFoWEfEN*YhHAFP`BSkh$_lyFI;ih4HM$BtI+r=F6APh?`idlQ$i zLa4=0(?O3`3C4N>t&m=~tr*xo`NQRHfg7b(&+rf33Iy- z;bPm`=1XtiR$b*iBa8XrGf<<7nv)>v$OzRa=GmUD*{CD}W54?PW1wVKWFNPQlD;G+ zedEs3JF}uot1LE!OTC`!n|4VH4XnRfT6R7j0P+v{>}40mdSqm}-rTnE`0||Hq(F9J z_?fiLwa0x}d~4T8Uv3tzLjUeXRQZ8>JLNtGc0P6S+a8FCx&62v?-b;P&d%hXOxpTy z`oCSa{g0;cc{%Kanx@(>*o}NEjE@}6$^L^Ku!eZKNvtOWp z6rHm46>ioO)K7CZD<78>h|%-5?DJ`r_{nal{q|kw%9a-29z6KfS-;rrw!ys;w@=RM zXFf|i`TxCodvsX*iI={ULo*62HZO!mmO{f`8;#7R)?e^c_DPa)jQVU?m~%2|@1HH~ zdB^&oj>k~DX~o#D0ngWGXU6B-c2anNsMPaWfdX^uL$My=%(r8iG*6#aetl`m>@&VA zx5<|CNcwmtr=XM7Odk`#xQiDD50wXeoj-rd?!mql<~=GKPIZ@h-mNzC8T(Z1_QgQ4 zr~J$9>#wVzdK}{pc?J^>4wfU?uT)?0ZgM>FteRm@O{UZe$8lU$OU>&otDCG>)Pp{{AD#2SB%#SvE${cU+!ZN<~@uS;LRyTZVPBK+ANPD1+ zt|m|MH@h@WF46JKeN?0j1XWz03b({5>m3U0|JY zWx9BD>TA2;PUXcCx12n>qxrOqT#<8JLbc*-mnZf9XwNO- z>pM+d|IDR5`1C8_bX=(O$3m~WN5?95{p|9L_jKHJdh(Iy$o4;PML(83I&+~K>d3|O zaxc1yqI-Jg%Up)|-rTQJy*>5vuBXq$hy3|Z>iYHI$ZyJBqTt(=x18 zH8BY^DG(4+kgr%}VPP8Yeqjl%bQSj+*{`o&zF6COa?(Dlpi{SJve>OlwXA&7wCHa` z@juTRLL}%i%oH!RKeE?wD`j-_x#6LKrasAO`faDLURBc$aZze-KQk22A5(fQeaHNy zVbMrM>rl$hrB(J3(-=rUO=NL0n;k}_NTrab)9DR9&KBb`}dcbSq z;pcO|)*A|L_@=frD4rFqxmsmap~p>=sDGcgTD02OC&Zz-i@t!p&{iCl1 zy1k6%Hd@L$6f5Oi-f!T=(p!H{_Hv4E_R151eX}aDOQM-)-Mq?{_OsKz`MwmjWK128 z4)PIJTSbLZAKqM#!Iqfj3pkzP^X3?%Im_zhY8+*EX;y2C9=_t^%~a$k=yGpRoa3OG 
zOL`!Uz-(N|YJRFcTG=+EoU3GE&yZt!g~6i3!h;3XuOp9~70y0Oi*F32S++;Po_yd= zO@__Ban$A2nL%vxr$#$z)pk%b6JwS%^VIzU_1L}C&u^mB)ng-+)?nD{?+a%HVt;L% zzUL~yJR?Q9GTdNO+r8jVQIVIkZycZ`>8YXTsEXqXbM?-*ZYbw4!E}z@KaBidb5^9IL$?UIjHY+57V=K zZ2Zoym@THM+&g;Yz3J?ycN8rR?>kX0x*LhAOw=oyLdtySG;7wIY^h0}^tDtKwf=i& z!^#+%(YB>>s#5$|VL`cP-GtRT7T>&bM}EqYHiuQshgxWfoBKO{%8}YR;eCZ_rIqHa zq{__BjVg#sQruMg;M@6D`;lV{({E{~clZ3XnLMdY|3*VJ+wb^k{cm$0xYW$Nj2@N$ zxc_@UozLN|?W^O1XUAEsydIS=+!=hkz^h4>wuNm=$sSPjdN1i!{$pa1@{!vrpyuwk zRY-UxNITD)7LO(9l<@lQqV7;n+6U%%=biNb^8I?jLU8sXGnK)pyKAZBig#{ed)VNF z#x(7M$1BUz72i0`IX_1InG5!9Y;3H({z6`Mo_VUdBE$S|8O3gvz+A?L&6T}efy>P$ z9-OnOGSB2PqYIQ3-K#3de#$(GopC@Xe4Vhs@t9FATFrN^-izjiOo6{=f3YtGUP^c= zJ}x^SOx5U^pO$`T6?@fVf2HmkzpajyH)38nZx`@xUdl>#-q7vdFPi9Ugg3e{h3iyW??3vN_RPX)`?bC4t9gV`4g8DT$CzeXV0+uj8vWe z>sahp^Qahgl|J)PSw&9znm4WsW{1qCG|VL)z0S)ObSr!m_M%dnh23eg!iTZO-p^x_ z{lj}v_H7*1M=x3Umj4iqXZoKO) zR25L3T#$I8x6VsgaPcLhW{tLKl3D-A97k7rNwFFbP8WgL)Oc=Sna;ZX-WwORF6yewVCE}lWw^k;i# zBXp}cTC-=PgZX`Hs6>wM-!i4L#W<L_j(Rk?1-YXIrX=yW*55ooZ{PZ9 zvE@eOL0xX^nThJtG2MbHyEeDP*-Gdd2`JmCM(lZ160WYU6 zT(W&2m>E%iYOu30{6?khL)(~3qp8|=uJrR%@42QPGZ?Ufzs&cMJo8=pURK|2g5fXq zRioc>?(-|x^|sEa+_ki^WindQZ|bn;+Du*^+PeYKUkp=(r3O29wwYVn-OM_eGAq%x zt9!8F!mNw=Pou-hFM3+@@90Ip-!sc1I=H50NZaC#);_uVbF)fO_BA@k4hvrAVdHuC zyJ7v;cvjoN`b)HGG^3ksNVpo~BCWayvKJI>*6K?hU{=1y-tRT6o;@vm-pI56(xd6W zV>mC+lxi1`CiJGi_&S(6OchCgvl7PnS%><^q=@9Cs;XKa z{gVXHk8#`S{GZQl{8#M%pP%X&Gh0@@{|;lQ=)l1@Os9g9lX+FnWexJ$zK-m-%Wtjz z_dRZM7Tp^S=D(zMeR|~g$aO36b$k1sJxe*fa{KZ(cGDxZyX^m&Qbq87xa?jObE(Ho z7sq-Pe9-3R|Luc%YU)4KrLoVC5&Cm&NjtQ^#}ei|IRyo&|H>W5n03Hk1dS|^OEeS@ z1wW^~3zJ3Q6X+lim~+-U3pBRX!FEzvTt5_ksSN?L;Om*K?=&2=(l!Zl~T&OLUx zb4FKaBviudPY*tW+Nto$)4`9m4o?#cBAC3opw$TI!mgYc=`s6i2-`iv!Njv& zc<$aN+kcv%>Ai3QUA31?N=&EZFn` zSOQYR3x$h%uq|gGGy}Ne5at!UhrBw152n?^vXz+67t{TD;0K=6VJ1@Fhzlh{eU6|lG7^^78`h$XbE<3Q&d@EqAh)<~mdZhyLuzn|SO!(fymZ%1HOvK_-Mp;6FnSc|( zZh{)SP|#TfpIbYyeQ=`!;av9VotaM^ytA(NA9<+TcehM}d=R*XTfqe8TW5h3JYfQG 
zO^EH3+1dq|!V)uJ*uJ_l{YCcS$Ps3y>F1{KIE5pVKg_}I19G9o?Eq>gsF6lSMid37 zPXe?c9-nYXJ?-wU1=~9rcwJ7<&RW7h@8O~3YaZnq32ImxgicggTwD#(Aq-3#;6B$k zIC#>)0=C}G5B1h;I#$dJXKuJYZQB>Qi6!o!_*ZTLfuJqNiiueseDTQNz;7?1*{*kR z@G2~RuUUXq3R|fNAVz>SLy+ zyWy53j~|c4QW6pSh<^~iNg(`)2^$39R_!>YBic#umnu9vzzGv71|Sg% zi;67Z)!6^}c~6fhJlj^h9eI~6di1H|hI7m^Zomv3LYMwF}Tg*MhCgURcb4I#(L4@!(}7H2cTaVDBcZ+=n0a+ z-28r2Jxn~8ty;wi6Me<)+r=(U4Z~0V?qKktG=ja*#bc|FLkTd}Aq^IP#2Z;ap4eCi z237-4CZF;tt>5b02yJ2pRS0KtJ>Vu51Y$= z#N*6;I0$BvtEHuNO>IK|H64TnPcKZbqa5yA%@fbE{rlz8bKtiJr!2eHhupZAL0}J6 z!O@l?)=3151JkW27+z}kc9whXh=n(}RXzLGlP$a0gF{0D@qs*)ZC|bQ@bG9fNL%yQ zUpH>tFgKWi`ECHv4uWkB)z!3E?-6aE;K&C6QawzTb6f`xjd9>nSuPp)GMbiMSWy9M zW8hZ*N=em~z=P|=*7=EDGp&8T5HUyw;gg;E8>kK(ST}Fn@Wr`z6$LP*|GVu&a1;1zJyhCA~1 zOz=G2WNc)lmiqSUWe@m8mX?+hS16e*SaQOf6_gUD01X;AOTqLQz_a`CZzP_Ha7Moj zpV+Gd#3e4|@#}J3*a_CDeE(RYK!_J`YEOXE7v&4jv*1q)F!6>H_b#}UlO>OTUTrM@d*FZ7?{*pO)c{RAqGO$j= zKj!d4gA3Bu4gUcL=X)rM59@^M?*vRF0iF;;LN`C$}S0xeR@&4ucio(J|b2ykKj%GF65q?4* zqyOEz!Z2@JKNSXhNchfm3xB)rgR6jJ2R_5T1QUgeg+Sr~OdXE#0N9%L1GBov+Inq9 zMh0=G@A$kYz3qhJSZ-dPCOjTxU`IxwU&Ayz^@GhxsYVA^8mp7WiXD6+a=cQ#IF-Sj ztj0-6+`6sHR4&#>b==-5EG(@5NS}pZ5GN*f!EQT{Q$%vA8D?Xc9l8jsZn|u<3N09- z^Rfmw=DL4-BZd>k93I!?6eAQDkfG=(_^NZk?HFt5(?GmW;J)N)tozdovu+fe7E+tR zYr;t|fRbD{43qjfUNR665)GkA@ zQ|X*Je6u~2(GK5;H%qS=bG|ZKsM2IyuX5S%8}V+*oymyHH*K=PhNiu0^(hYD6|GC| z^hSGqH*i!}?7p+{J6=$6t#|~ zlzJmvsZMcH22^26SUTgIgFQN`G#*U%*?d3F!oF6~^36{_n)!DMn~6)d+faKzTwGis z*CG-II89caQ%!pXx>V*L{i@c7A_FS@k8`9C9QOM``)^9BJ}>tV=Rs|ZftvvQ{-0mitZ!$xhtF^)d`wc z-oP|)4V@MOYz-C}LFEzz0^U4#6gi+dte)ZAxC3m^HTF^5Ir;g!abTT>pBG`)ARD`V z!2TNVhRZOAw15dBK&AfLUaKmPYOX61h z1|%9mGvEV?xVyXOo(5hU_y!^JTR7o&driex!Tq#E& zUNh{P6QQW@?oSy*STHC$W5ejnu}V1#zJS-@j?L&BA)$8}XOiEMEYs+=Y_s@<$#-VM z@E**-A>Y)}a%;sF)2IWniZ{tGY&Oo_rTrG{-?p^FSCD~RU%=2^^oQDV#OO#QLhLnp zHZSVIt$BewvKrQu))sJ*B{t9GhyVO}q<@wCQWK0}CF1bSbA5d&zGcfQK_0Vmp8+c7 zC6c7IzkZF5nj@F60LH_TdXKwz{W;cyggj<#+d(&N2Ta}A19tiy;B-|{IWY3iLC6TI<@-~xqPNA3Y5Mpv 
z4*zLC-_POUCVc){ASo)T92|bK@EtaeRq>k5K@H-Q8#X^b{~ozzG$;+k+L4W!*<2~^ zAYUrLU0MSj$iJ+_V0Qnn?*dE}(L=mrc@(SA= z+N}|Clf(4?)rm%iYqZx@9=Qu=a$F-eMelh0c4<$5s1mUM!kkd3I~AlbkAGQ z4zF4@xV1~;7Il@J(@9A+RZT!EYlj|e%k{HNjrk&DVy>ai2u@GO{*ykm!KlRDiFo58 zpw+;l^fA^vF(?Jqm!1ljJi^K&ey|pHsWzt?Z-`Na>uQ0htHP%RcBKK?@O?x;kXvNJ zurX*TM4D^Z2~ zw4B(}rig+zKoMy0&z_1f>^F0m^CpH4gPd3DHOGhJuMRg-8s4~Ih%kd0K>5NZmK;gm z-rn%KbzKCyK`!sN(0R>FuBAFj1m)5j2B5s%ezz>JReX%fmI z*6}Odk*8uv7#kxt@*@c(khnfvd}0c!9bk#V!v&?ROXt2V_x5A`(p2CObTEGsJ` z>yUhXEQ|=Wsmw&Nk~FbpY>G?I4ZjylLDA-DeO@m|w^4v#M|ID7w-MzmjwHX6a7Vo_0v-y zkH&@oT9k-gOmJH$0Jta#AYvSyoK&}ax7u$bL{OAav=muxSa~ldK4%{*;gd2e-(_yT znpjZ7Lzn<)5^4UTft`8_rHkN20Ohx>c4FZnxN73yee>kx;fMN?&{q2JB4jCky!j_f z-=Pj_&h1(lEZc!p{+EgIPZXPQq4k3&{3pbv#2okOQ47Gt`|w2)^D!&DgP7DlG^V@z3iL2oE z9=HT7EQ$&y7|CA)bFEn@#TO>vK(_fk!V{1bSl@riEgnYMOw6Wn0+25O|Npgl%rV$D zz5 zx0Z;C)12TS9jN|=#N0_(UfRKTka|j)chY=KQJ~H)GgqhHe&?86NoVBSJ^Di1_eZnv z*fZ7~UEc%E!uMww%*81KE^|rW1JrvO-iuKL>vi60=SgZSD}y(kF0Yy>B}LQ3ILfDXj8dh2Ph-yE z`&x=bzS_#4yJ12cEPEi4W$-Y%&6;@ zqQ`AfaDwZ@{Q@?c_8kQp7+(|x=kjDfR6Jv(o5nCPH$r7+3{QPyT!fIRY$FpB;lZNC z$S#~-#)#v8{u+r8V)Bpo$e$`aR7l!|9X40d>H@_vM5Z3AepdyOU6RvWQz{eJjxu-c zCWH_?+F#-^_SewIl7esXD1h;4<)^;B6gI#M`#fk`n4Po&E1{`%J26dfcy6V59ORq% zg12d=MY7<6ELwia&CRtWc@#1cYw`!7-x@pAipZrprdQHs7!w3x- z#A8BfVJF!h)Bqepe#n@hwY&e2e9LM9dK~0OjWm5rTr{InkH;A+Azo`?zugEAr>_?f zup-F_${XvAQY1|S0E)^gTPG&gcbn%H07@v+`f!@2xCu-&?Cd z3n46AAf^0d7!m#n=L!quR&po!QUp8-o-%)@46vJ!J*AC9@9n(UkGh@D?Hpq1@vd}s z3TbH_JmJT%BCzbNdMhuTILSy;C?A6>WR6qs8z8>NOFb?@T7H~KA`>KZOZ*go+^m#2 zVkptT32GC1GGGDABO@b;#rz|~>`(}{_mS!6${qxjySuyFJcJ}YD6e*B@xvH)0ND9rsev+0#%V(f+kO9W-ILC>1svrB* zP^U<;U<3;phxSd#Tf54=O!OUCPDjKMs4()r`-jrrq#YL5dl81Sj$~g*S@Cn|fAC?) 
zL_`o=JMx`NhtdEc^nchgeif?G!lU5`cb2C^@rCn=@@>59nU6hxuOM$}1MW}?-; z-$Pvcv99VoNa_L%VXZ?NHX_75y_63ZP_vCrPVR=Nvr5^+7lm>np@MI7;5*S2C1!7i zI#3vYg0YMGkl*&hl`3K*iO*n0nB$!Q0}R`=0J=ye(9yW4NPKIN1W>1kDzU#4KNuwF zq=M&x^-rWP6f*s8Qe6dT1`tjK+9%u;;kttTT?ru;v}x)6JiJ!gtrD#Oe*hWdD??gQ zWR;?(Bm5a~cWwZgs_Z#Enq=i!8^ldu5#Zht9tr6KQA7~KxFsDJtII~lkh|AGFsnTa zph|nzv0!BDWC`OeHLCC~6Hu{kT*fPPd?kc2K>MU;Vo{fE0fb|0>W2x?c_hKb#q)!N z2Qn3F#6AWHvnbRmo13}8(WwDjjpQ%T$Qh9Wp8eXSj?1`Jhy!HeG0?hwaz!$s&}A6O zKx)`hqZsHV*;PW2(S%igPX;$%i*PAXUf~8NA#EY(X_R_Z0^}WWtk8*zi-(BpXn&}R zlb8eQ3-mQBs2f^eq&=TDG&BT%XeNM5eUSaU57X_XE}NVeq6XSOLXz8k)8^v?!$7$Tp{R6qI(7+XdUWDf-E+U#p~Ti*-0uJge&XU+BLR7S@57{ zmH2RP83@Ids8(?ju>;45^lESE2=vWmB*_9Yg&e22rB#iQ&r^X2s|QDuV3iOhAp~el zF*@K|M}a*?VA+UZz1UfVXl;BlU0;$^vcOkWV_`O@91tG!j*p6(e)j9FYA0S?qC1#W zFA#9^;(wT}xOwyDRs7dwwqJnvGe-qxN&XipnpVsj#1zXziJ~|H98l#QmW)V@FDco9 z)BLVS*L`(5Lhb_FZFdEB_VWyb;-VrMBq_Mt4j+s2n~Di=)EIE#IxA?O>%&DThYwFS z0C-9N7W5|}1T;r%L6F*}Zs*;?Sua#ZLwbI8yPptw0D^B*clUAao{o-a0xnC_mrT)@ z>_Ee?7Rg}kFTcx|jc}E$ozmLuJCKZBA4hr2KlJ`_l3ocLph2FF*jW%HjhoC;-#$jd ze%HyZ`3>uLT=6K}gR^JPS^>qy|EU$)5a1>`I7M@D&gY`2%OME?ni6?L=s=nB6cii; zWEOe!@rcqig(*IRNBSG&AqyA)p$c@wI(wlF$4eE_PmDAEa@Nhw2C%prC)YvT4Rc)Q z3DR{2ju0X{o!lyfAFspBYyjzRbA2?PAxuABR;)LRqa8!fE1J+ha@0gK>nR#swCn|D|viN?1uL$9*;kt(+0f^kLs2KDG%xP=LUDmiYxGj-! 
z%I9x^E*9+N=<$)xTue-C7>9OKbMsAniKNn(Zu^pNxxrC;a`3Hq%}~G9DMD#OXKcNp zJPMGPC{e6`D;(xClRJZ=$Od=77U9Km2fA##N+W^6a_Goiw*yF_IRecbI@sudG9z~` z4hSRR?Pu1qv9nuK?_;;0g^6IYY*Ph}El2ouX*p-0ZDZq&EJ|T}IaY!Z^qDAwbQ_`T zfhY5iqOrRzy6tmFEQ*g3*TLm?ad|i5#t3h$x9O+(ToI zIB1C*t{?=RC zZbxnCkI?M?e)1f9wgYLa%@4)%%mXZL5PC~ImY&^Q!&KtEpd_s9k>epH^CXA8 zY}vkk_+g-A*54Mv-`|z9 z4V`vek~FO5U>JuOW`X89pu!uG?t$id6>;I&2@7PU1wd0-~ zPI4rGF7>o(rV+rdK`)ZRd#?}NzGKIWjMXUq_#migy1H%!v629_pa;lczbwbHM?B^E zg{O%*Aa+@``|nE7Z9HMUZeMsME^l3%N2UQA;tx(`_10(+q(guDiKxKnfnNpst_n*B z4{~oXNuwy85FbPUx|aiGV#5LizxCgV*rUt9v_x(dE6G{t~@iboqETThms8_eeDSytzt1 z#<02iyLap8=tQqNi@=2n_SvjG+BE&wlHM2qQ>ZnF79=`QelqJFYCx)z3B?}4ULr_J zoma!qo@{J*488*5iUfP@3r(X4P%lxQ)nLCQ=t}gCj5xP^NJS3~MQD}4i`MP~$%n2Y zAHKGcLDa!Pb72zcg<6I8!W)b<;BD5Zs2n#~#A*B7;0DKFci9g7+U|`-f$1-+y<357 z^v=~D+`E52PeV$YLv?H$Khkj1a?g%$N6(x+>xZ!2@CceP823#_BWPBKx@n3m5SFUj zH1Kt+!A6Ucv*on3vU&^!gtYuog_?&{VZZ`$D_36L^y3rM>ku7Ojw;lQoClYfG1I`o z)mcw60toIE*EIxxx;%aS_-5HU-c77`gV8ufihTtG23NfYd+1NNR`A>tMs_9WeP?ag zZH~Fm7$=E1mJUVx$&Q3J`?`Wd)prlq$TRptKU%YTwOXmc$F454OvM7hqF*B`dq}=J zeBYNn6>%+gTSv#ns&L4v3>}|GbDqo^5M31VBk9`^lB{QzU{=)Z+??<+w#y&c6XF2C zv;GjLVz7u4F9DsSez})OsHZ}3-?fkcArU_yRCPGL4KpY5#XT&q8P5Kk37o`XR)Z*5 z=WLD8as|>;u=8uAly!5Kvo1eBf2KzSZkG3}#111^w6P!8@7}!&`I_TJ6p(i1GOw6x zhK9iBOw1o9;|9njFeXyu;jAzmhJdgd;Z)1Hl5>@^M7iKuEK;qcoB3my^|)T|s|MJZ zw#qCoHV<|gqrSJ_9Dr>!NCmXCpwSK zK*W|~LclQR8U_rqu&`VL`wbF-%lPNL;hT(?BeA(r*3EY+M>2vHM-!48e zf7kr>Cg|Qr9vAOf=#J8m=!1Vcx!`D&6Fi_m9m!bi@eq!?BZh&{Jl@!SA9F1MD2*&| zC~I*&0mrr)8ZZ!YiPAHu5y5R*XBmsq0OBkw1SKXbcHGB^kGw#h_~C;EbFD%@0?A^_ z1NG>MC*R-D+<{n!rn&zPiFzi6zQtbyM#>kT3S|GCypIrupFDdepn7uoJ!Q|Jdwz^n z>gjb+u3Y)^$@`NI54&3@ZoBOhyA}6)P1IBly-Ov$8w&)rWCE))3`|O#OG0T||SNzb{^4WSE>LlSt zKlU6>C`nJXx%F%qZgxF6RMABYj6{T(M7uqpT8<0Ez;>0Wy@=;fv( zkMu7AyN6pbX*>Y!oE!NQ?glyy0?HoJ)Txv57$PGI{pr({(BiF4nwxAOeveK~Y2jW& zZbr#MdKW0NIY=D?GL%38?j`BK5T+iAQlq0sQFiX){p_YBg2U!A0iqAkGcZ(PZVM-O zn5b%`(~5`sX}1bD-$(Xg2b?^_G27NutXBaQPel}IP;sR(QPXTWigsPX+d-f(|CD!V zNT8gWdoT*3D>^JLn!J1rg!v4LvN^oUXUG}g$$DQ; 
zSO|u3lImDUoroR?v}|&N(POA{iU$=r0Ese@ny}&%aK-u)FKws&j`pHWd#=dJm1I`( z*Q{+f%5`asb9K;$ixK!8+Mdv$@tys#xQJX1ne+0UJNzK4Z+yN9MSYaC#pQ`ud3+~^ z+>0YPWZ^{4NmM0Uj`$z(RoFe|&dyw@@=%zmJ!Rf#nhJ@#DLmq=W>GGpPVP`5K*nT# z5#u~^M}A_NBO?{+&np8vwx3VLLO2s~80W1E(voZgiVH&XtWKIlhGF)qT-(>AbVX`` zxkTST;8-u$Y`&_reT7ZYs6Pt=NH@VAK^hy;3TKF$*>t37S}@ z9G*&jN|Mr~38#Oz&Y2}^jrUWPxK7G|P9X7I!NVP-HFA0S;LK~5zS^EWOsgq1MPG+r z#@o;76j@jAlX5Jfd(TvUGL6sImfAvlx}EKP0|qg4DPJyMxV2M{=sf6pGgRUwse^;B zUnlX;a?u7Qo%%;m-oalT(aPS#KSDXSvh}`UdwX}1R*^ELa`-(1VrkxI@>eE=Pc31@6vM?MO_Vf$&zG2W5LUrE!;Sh(VdCXFW~%v@(mmRz0${gzSk3^fL>u67)1 z!d|m*c3vuwgRHz0naI>`){(DY19A9yH8UDRkDPY-@~#rgxsGdX`Fj7b8wBT$)P$BI z6TsMQG4s?z$k_eIH($b3R1%jgmg*=Dd7-qmD^)xThv_>dt@;@45!1P+tScD-M(WLzVWb16p>cV52%pk-*v1KJstNG<+Wtc1ut|nGV;VB zOz-74M$3sGI&=u9Paxt%u;`ET7cYK77LY5|fU^x1J!!3@EM6@uyBxVB5>OH;(QJ)Q zQ~%W0cZu|tNG2P$$)BqplLG$ePtT7vh@zmU2r^b^o4xgPLbe$4WGD>PmaCs^Azy|u#ZcJq<1VHl@72L||2(+=(I+)V5^qF^F4S@T>*)17o_Nwh>3 z5P)^mi#nOiTjOr-e&N#JwAQbz9s*=7y8gRA#t)*8r;eTwnMaLwtAsEWlRTRN#IWMI zpQeGuC%nA8$fb+^-hfcvhroobW_g#)N@AYi8x$ncX~fVKVqNfM%o%;!z3mV(CBa7z zUoflNes72Z{FkU=PrXMcte7awsnen4A|(h&=+Yfh1lzp9f26C32YK^+h6^7e3I-`j zQ@ikVA1x7F&3qP)q{xTHJvxf)J|KEwzYz?bD)syZZF$}r2W7Qb0WdhVp zv^}?gc1@lfKy`JOHxw#j5bDT21dGHi&3KQPbt|2^3b|2|)uUu{nHjf1H~m^48lNbQ zFh7k;xx($#?97Y>+Ww@~is6`R=rCIiwj^V~L;-IFHCjO7tsycJ*iCeZn#77MYm4oRF@)|Q^AVH1GFo4 zy?sh1#TI^|VUBHi!y; z1Vc7SL_t(|+GLjh%VcF4#?N`~>$>jyIp@sGIcL7S@4S9lOE<1MD*+3|W>QCv1XXbUI!!Vo~&Uxl~ zKKFH9XR18y`(bY}KX;t3`*FQkuKUG*dbK!zn6HOncQ#-4{c<)e#`(^2ykM%G+%6}x zVHkF2!(ukBhQ)b(znBe+em0+u!)!J-eLv0*%onTKFdyc7!?+mctLZrJhh;Yo{V-1Z z<#ZhSzMl;JVmPmv5A)S}T<**l>*+Wjm%GvJ_LGYi>vMPa){DLK=j-$P)p|XDKRE2{ zj61vY)!w+XH!Svs<=$krn2d{lvFgTEw_Hxf#kkxV#?@?COy{fVeAy2>T|aiS`J^Aa zan`n7JL$S<-%a}Ibmnc>wv)E)+O~_P$z9iVowrSHCKY{n{nU#))xn!Sb!gFC{ql>? zeDm1h!-uYU|I8~*)4cW9XLc`tbhVSme{uV#4}JdH12=r|?i)`&^1#OqtR8yg#GQBD ze9!S)qMcoG>EihpeskaPJ5K)S-st+a9v91lFFpGcdgR70U0>L=lUHB;*&m;O;`IB! 
z3N~+_dF9#PKKR^|4@xdfPdxUm*WY~XwPznaa{YA^^?j`V^xDIJc=e}$mwoh-E3drj z*T1{}wLd>{-~Gqh+#NlB=Kt-6@q50CXi7NrM3}Gm>UzW)-bRh#BAi_h|%;mK4)#Z}990LcHwm2hGJM zGpM$S9C9%ST?(hmqmg@mL@-=AD_ri1pi3SISGeaa&z?i!BqhnEa7mODZXTW^w@q#v zM9xj;xnU0Grfpk!_NG2m}qc+d4v%pAu2q<2&80iZGJSR zIwdnp|94busF>4RhMZE{(|gLTxwvh!xij~i&b({b1e?sJ^_(q>?r2-&jv<~b*l!!7Ph$YoEVP=$SOEou6F5nVjM1m!<6oH8dkB$4NaE8kzZ9*XlWs@+uyE|PG zK^L||+UOyFTr#s7W-x54B&B4w>6d**l_t9L?;rF(ya#!v8?Ij+{lQn?dGjMrKb`V{ zYVX32pM37X$rp=aQbrh2!77*$auqiMFru~u074B*L~W^%N@gPKRPSGtU;rQ%;}jMo z_rHX}2=K$j-QCPUNL~zRA_yboZce(FjHG0BVX@_Z^5M!rkz_!E)mx*KPDv@%b-n3b zOrW3#HsxD$G%143XTmwxgM#PLDgfK)b{YmV128me^^qUk@xt-jPd;JhrhA?+NZ~;m;_hOgT?pqqJ_7eJc*ZGCL$;`)Z|oG zWiN|Y4y7F7NGKvKrAUbok#Jm`M9@EY?8HOkdY2bYR^Y@GIROy>5E0maNX$@J)KHj> zQAJHyl}#)JFcuXu|FII2s)!0JvxS7sFBl1e2h|#ZpN@JbeAPDw-5fMN_>rn_;tY)!$P=fPcC|X4=lWO)49JxK@a@z^y2;Bp1OSP z?sw1Ma_rdh-;Z^FK0KS0p%<3??&#-E{hUVz=k7bW{M2vOUpTqo+3#a_(LE=gUh$`2 zSP;H;4w>2wD}Xu+f3}ynkJ^{M|Ih&}+E+Ze`}!xo4nYRvVI#7+bV4ah`)ykLlJWfaA-!jp)wB?^o_ zs^ob=2Ygv6YUX?xMY<%lDB*QcjAW5oyUK@Ya3Z$h|XtYm}LDJ{c5Foi@b#3;m;)}Fcg_*sFj++BWvKlv43VBX``4;oD zamLxXoOx1zt4(H(QA9{6MWpedcoVJ};OJktkXX0nZqo3olDbkCC1HWkc~r|5L47iy z;<}K?KSey{M^#-58~&v_f9_)H2B%CWCMC|awps}Q-k^~%Ng~?n&Z?Sjo`OY0zA;1u z)adJzOr#i-IxI+4MMX?Nl}t!QSlo%nfV!>nqDZHI%3xXR;>V4GQq6On2!xuhj}oE* zGu@%w?|G9`vqA}>mD8nKH&o^+MHq-WOAqb6|NNiVo_Q8~uDk!t+0m`*KKaM}5B>8M zQw5k0a_RhIht?e5!+q1PTfb-1#lOxw_#|K1(IR-f;&h{Im((JrB4p~&8$a)881P1< z>MdS>O>P^la0G&Bb(0dX=~?;tQ^afWDuV?wNeLMQ;^0GtLtp$Hl!dJb99kdR{Z;cB zdJ!m?6vo1!LgteyL18vkvlY8Giz$#OvzX;Yn?JZAlX~9muio?4 zi>u#w&gF2zV$Q?l$;<~1jY4b8U-KWP-luBW>m7WafJSSUdV+=|ffk0qX6;pHUy=}i zLeU2#)a_#1df$61BZ_Kk`ZQrs4XC}nqjPM^kQRlqUA<%1z}$KL*N?_QQ8|vJ%z>c=p*wZusj=Mevs8XG zjla0@76M>=ZUG>vY5w0_k{S?*l<(cpIJs@E%tGmuo(HATz5)gQ!dtIhedLF;4}B3w z2NpiKZQDC<&iv_*CT&~-9aw(iSMMA9&a%@dB!IuokPxTeWa^Xc^cEtDlrT$wWl~bE z8Uy!6DK+FE@vdi&>kOLbId^~!+O7;sN>9BfYA|19Pi!h7 zh#H6Bl|owjf;1&`vs(ns#@e-PXD*|`6b=89t45=I^7LYzV#eklGPaBjgM4=L>m^o 
z+i-u_uXrDrWST-ZXdWIa0#BU#Bgl0TjDa4)&=3;HB|=l^2P&AZuSLL41R$7NUBP`U2nyif|6`=Mz1X_%n&WfCchY zy~7ZhCaFIM{7I@unLkWCBfNn_kCU0ec#{j_j#Vf z;dsswQ4|E$m|>R0q)`+QleN*yU{JZW%2K2nF>21GPMXc;nk__=T8kR4{2`lLKa?$L z$MkXIuRN{cyis_jTWg=cls+&&zqf_xF1JyukD-)vs0K6?FBE?Za8q4B*nYZm6LbblA7qpJ3Aig@ zG(W7rb=ShFoeRHIn>XRG6zm*zy+`*DIolcPrfD>7`w?18t|M!Vo3ho4 zAER@9H>Q4;Y_IIl^|LsPdjq~)An(l>G~v?SRlwoHoX4+YG%VJta2#-5J0xZ`l;cT{ z=Fpghj(`fyDt;3R^cP=&VPwEz#5$*D0SyUI3>m6%t9jZg;JFMtFDY!5T9_DG3r!Oq zvmjy*siLIwhJ_D_IO1M_qf*u z+2J8oR)l`(#aA#zUropfM2VV}6Iw(ldi5DGD@Q;xeeua1~{gI z(2zz5=5@)wAo?wsXqOG#;)gjC#))sVoA65^8 z|ArLN+!Yk6R$b?AyS`iT+X{g?t@S%Zx394nwH9kHDg<4$mKc9;_>qispabJy$>!qNE2&1VU^KAD1btik8QprBqf#O(rpp5z;4h=&9q8 zFktskM*gK`%$u1+kHu1zpJSh!+LQc(6|*H)@rti94djdb0Js=o#7{8;X^pA6254a9 z115Tomy%EVj6`9GXoB@5B~8BY6lcMB;f!FmkknX{T6)%PD1CpMl1YuF;0hR)*$L}e z$;W{~o-lcIcx{~VQJW04-MG(~SsezC+vLy%%T#R)1H zWzu}$@?X$;V6_$%XIF40MO!3J)M9-6R82s|(@)G7#`lk5J;^e}3?x>+e5WJWwqy$W zd+Z+K=m!#VUq^on#|W^>CJH(rfY>U!Mm7pl1hLr_eF|&J!WrOrC8d-Id3>5%Gg`Sp zM{Nd_e&h91ELM;Nas7C<5z&NScoAiSzFFkU)_Ef>CYud&d7J6r;D;oHozo6KQ|WA2 z>@nh2)TXs$N+L%3*?;Mo$DB+jOtHHKA|3QQkPA~M(wBel;WdL`2fdGSuAX=$^||3H z4f#$WOu9B+NvM%YNa~^UkzQdIg&_23IpU6AulfMh8n?BZcasd=EU>AZhVZwR#~?%I zbiK`GHYQYmlB|2i#Y4k}1-)DoMDesZb4895t7$u2gjMXD#r?vSrFc3?aoj}T3}EGd ztw+sQ{>^{sY2+eivd>~4rnp8WYqVA}tG7Hg+9gFO1r|H!ymT(t{;HKYYFuUwzY`-U zzfsd=)5O8iJ~;^BCNGH-=Zd0P3`R8yQ9arq*T!6OqRWXW`Ld!fk#R1AIEb-eFkoId z6HI79^6+Y%EuCvosM_QP&@Y3nDVzXXmrxWhP27J0uV9;C1b?OLDWgEX)mL0Zji!@} zS4aj5Xv3z&93Kj#oL0jna+%y3=tBzBDX*!bET+~qKOGxT;x;@8UvX? 
zV3Bhi@m_yOLR7f89Wc&}3579B&V@4S*dF)`?^Kr>Z{x%|@)YE%jPK&=#v`c|HNgzDbya|WO;-hH+hYf1iQ(-%VZF0v)PRS0*C{WaVI;hCXrJDBAc@1O>Jk*OX&JQ zG%MI((&@|k{OKUp%H&qvp#=?=Po-T9Q`G*vjseye%xadV{qS6Rv38g3vm0&XI z(>B3Ai{1QnFWD5<5|dz2q10YKg%2TFR8A9FcD;*d25d4FK_{6`Xcpl-MqYsm$~S*4 z^se|z3JSSc*LgE4R&5rbqv!z^c5GNuPC6(=m`J}Epz#!~5t1k=GC*o!ZR3@PqoPuB8YF)gJlvu} zb;JcAfH8?B$bs7lyX`$avu8MgW{p4+5c8FYp==KhvA6QzTCTdrb%yHxHm-755+Kr& z3x@R_!nUO|4!XAHG;@wW9FpY*NG6Jcj;=~2cDrmv>+ufWPMKxQ|3YQ$P ze4K1i_9jL6RuHIgbs5s+m*zPu(+m^=NEG;WF{?Cc4NhrLYFM>(lQw7!80tq?T}`MJ zQc|zullkz2R|ZY9dS{3%z-W5SbwC=t*?>hbM)_MFDQ<8Knts{M@6>+=$fCBB&7ZkL zfkJCNOg^k&j5D?;L&lP^G+c3wSvsNKYBjU%*c0!5@Ghib_4aLO4N%ewwt-lje0c&e zzp(z~y_M`X0nm^&R!6m)#56P31`bYWo#Qa20&W*>!s>=WDI;9$zKYrgrsR$`@hHKB!sr33Z4x2h}Ci zLhO<#+E{a?ADWK6uZLQzus4x3^pOf&2gammM!Y)!(va!^!XO zKJ}=AwGUi4f5X#{efE`K-*EK!{r@<7?Xd&kl<6$FUeVmThadm^`Db-E*?Q#I4L>+~ z@b$B_@}>_h{APdK^FO1_?>Y9rODj(tUHiya-txU4?fLCbroXs*>05VfdgiIA_gz1` zWzU^2zjWKeGxPhmF2DP0hu=J-#_nyO_|oc=-~Qxl3u=7jgKzwO>fu8;Xy=@lr(_cR zHd>H?NurP@7y~l_1VBSdtEADJYOCZE1c1g^&D6Y&$9I2~Sf1>=9z$56>|f(|I8&?4 z3}S0mYzpJzR>Y$^htv-3^`NKjlNZwp6tub~QLR3mP3y(_Qx#ueHE|SCtftuUhE8l1 z_yQ~UM_OBBVUgK{(C)4c9@F@lHyVmp0ab^~zjF~gxCDXF9*?M*0^lFVkq8X?&p{~7 znd{{Vf%SjHO*E&%+$X)VQg*WC8^`t9Nw;F#dmleCZ2a(z_kC>N)6YKe<{#em^l9syIwurzyBRq9sKIYFP`3b;>h@>TW>tHOFL4q;_!u6 z?z{N>(%rkieD3_6uP$8sg+038y!THFpT6{*a*BV*k|m|Cxc%&3@4fWm`o|7m_t3Wv z{OiyA&OL{3|H$WFJ9GPm7u5WkT|YgJD>m(X@@`zV{lLG^?Ed`^S8v~Y>8E?PfAtI3{DqgrzxsPsWh3?M zSOq5Q(+1OO;Wdq}$*iqe14tJ1UC-|!Wmm)wz)MN&#iLh#>i#@Lu#0)*epN@ zgV9~VwbO}#xx8KObdVcmkej39;fU@8p-|OK;%|*Zo{dI|uC0#_JgMMR7spK(>FE zGy&r21|xWtR;UT6eMdiud^XS;ks8CvXpFY6J)?32AZBqHK^NHr4(8m$enZdF6ntEEgMqpptdXJKDRZZWM(B{&@e#=G=A z!-aQD=yWN&`Y!MM;+;p_kVkLccJUEcuNY#eA!_69Zy`VE6&`w}-_0L-d$@m#3wAQO z`I1X$<9$tV+c^D1t&+*sk_QIRSDiIlnObMkHj=yUmaYd!7zY3fOaJPjEg=`vP(-(q zfU*L1rNdtBmX^N}Bk#c|O>#q#pv-YKUa@oTxCkj zj9DZzD`6B-&w$LF35?V?y}W$6)=Du7GBTyTeOffw)K)7|wXbW#I<299;X=cOzTuBS zT-N1jU2E47pcV^&AgEQT`{vy{E*{q)U28X*TDe&3qe85;t<4>(t=}>C*msQx8tPiN 
zsl0d*GL)CCEv;IGsI`9qw{gy+X>%)hIx#-(x)VaM?$Y4?ng`Um;@3{n>`n>=SAOCi zQgXNJkZ^VHQui9og_hlbvRs|Jw_vp?jN8{K&)w^xvpG%z<45zGT)HRF!h5u4+ich# zB{R7|9`o3`HV_KyF%jq%__o6$lOQJHWiv_UTdp}sYpsBhElGb=(1mpyUOug2rFi|m zD-$YR`Q>+B+cEyD8-Mx2mR~%B1;c{CsV;5$%-Q2=>eic1J-h1plWMRR21l_tIB@${ zYFkHi@#A;C`{%J&PN>TK$NzbC-I){1zJHJi4HFioto-7m>8`I;_CGXs@|g$Tomg_> z=XacY@vgJKRpo!7{g>XXe)g8y_AP4;Jylx$iRqia-n(QwZR6uAQVLcaxH_TCq62@wFzcQNlJz4z`02T~?A!jEpRN4y57o$;NB(tL zCpG9BAZw8gMBO)j`=~5gK4rt+%Km-ZE}Y};Ww-wHNoIe85@AfLxbk!FT)gel*<{tW zkq7sxbkpXSp51r-ugcDO_`g>c?%dsX>ssm`#yH6cMa8r4yK+%gH{5;x^qx1~>^=P0 zg2PX$Xn4=HiJk9Vg2*T}yzl)BO7-kI_nPYK)w+N6{zIe3elY9k5jAUC3)#h-ra><( zKBJuCT}huygI&;kTV0A)IQPrwMP6%-tcfQ;fHK zg#I9pBx*Zm8bJ|eCXT9HTdIpQq14MsmCFNKx~P9^RP~GiCx#%4=b@w@YD-OJj!tTr zb{i&&Ep@L{T}xH58v z?155EM?I!8Usp!CYZj)dR0b%HC@$;rQdORB;tHlSbk|}P7a=a#+OVq5hEgx2L#nbs z6)S&KnhJ4*mblcfx)C~x)VZC6g-Nnz-LtllCuNvf#3 z-FXXB^Zz!*xRV6-ctl2XhVMjXdDFi83_ZFh7xDEp7uj^9@@{Dl4eb;u)CpkDF)IfH zX5D`6rQ3D_M5y6P3r-^52bY;eJcooUvkc{kO*y~TrWxKGMl^*0imRB{jWr_o?Q(xV zK6egn0XG^AGXVh$lSs4ZFZ1;R6AI5*^GSoM9`HqNZJO)^VrLdU-RSxPLduXALSsO& z1}V?oxEcgBGcZvkna4MaAZun#10h)fCc^~6hKZOp69}WQVPfH|!wE%DgoK-4$drXV zvK6+LgvE+5k)$^r*snm@VsD|Z3uAvITmM^RMqyxLE5yvUj?^?=$k@o-HjXDCOyw~I zx*@J*;btT%H2N!>dYL+%)N0i-8X?z%mm6IXhU?@eZiTyjsIw0D|Ip{2YgF?hon6S# zTfCZ^Snfa(j_Z^70K9DXPzjwo>G)5& z^G|I)`!v!2_`23$t*SD-)_N~%ec!or&Vd651wt;K7!D*xTtpabIzt1RVUrLkIjAU* z3{%z^O*1vqj53*0lMRsBPz^eoWMNp0*iZxn%E2KFBb`L)GW_dD|N4KiE_;1zt$p~x zz~N(mx4qx}zR&Z#&m&kfXb@)p!~c3~Xz!ND6Ps-+OH5l{2bC+62;If9><@AOx^G;5OVnTmTE%bYx+@i2OHA*b=7U7UYxYb?^b{ zt;|aiz%K^Y7Ps}1ZP7Y;QZCQUS=az@6ltR>Dasd=(tI&#MnKr)g@|Maeya|dRS27A!Fsj!aIVMP@CP~Sc z9`vQP@}<)Lck-d-m9!3ODZ=m(Mr#xsV@!A3lr{HWd~?%ZPEOo@&qME=6O9?$|8eq~ z9pAY3?bDks9Tk6_LIILig64hY$_ar&=?@Qo_b1!lJ@w`P{Bg#%hdNgb-@NN7F|qHi z(F^V#!nJaGAp znlhE}b6XLQSzQPDGN!-G;JI^a&mP-w=`~@5VnWR_cD?q_DOHLU zp(JEtZFGO|7Y1nMr!8n7Y)U-qte}cz34uF_YBq$c=Q@bI1YqW+mZJ#?UXXOHNvBgs zNGAky!X*_emy-fTjdW2am(Xb??8@hskBiWi-$GcsHDsXKLw=EjKxE@z{Q)J8r= 
z)vX%kH^W?q5}qQSfRZ!5rSN$llLQAzCZm6N4?AB)$#oX-EZOp|!LK!x6mCVLM+g!7 zLKJ-fay@R#WB~=)QPEQ-+2IIxpd1s)BO+tC-G{nY=9T%XaSpU6A8gLn#dLDmS+#u% zu|_}wLsIl~tk^i?;nhMJZtp|@LDN5X`bF8@0fvAYvb|}y<*efoFv|8Wr9d$P6OVrz z2Tdb^MQ?9IqEf6T^eYW)P&7N0%d$|c4d{-++wW^%yO{fWWW(UVB*{iMjcWE_e?N2# zijliEpM2i10$us4**~DSp|_xk3YKgBhYA6hC^-9TR!q8KY%39?B=&%;1CCQYz#b&@ zDJsOF*`0Lf#s=0hs!D_l*jv~%1(kmYqCi#CjS#}-P6?28Il)CHB3G2wiRG&ebT5Io z28j7+om`gr5R`2viXwtj9JP`es<`7*ob2*}C8s%xx~yW&&7FjbGSehIr}&Prw5b#t zk_5jP9iu6!ULbv$lOOm>2xY>W%J#@$L zH^17o=)S4jH>~^Rt4m&f;hxc7i=L4?PrW3K6rIaAUwrdZfBF@zoCL(A5pdp)(X)$w z^X$rB?BN^NEPd>Y%{jLSnz!@azb`*>aKWQnIydgT?f7d8fAp=9eb3!==;xn2`n(v2 zy1@!Hbj_ahnMc}J&KER)^ILy!3z~B4fx|<4_u=)kn#=E>w(;WvhVOg*5Q0F~Z4)L- zlw>?sT3M<)EICve*FktN)hgDkpe~dl^o7ZKxP|}gk!J7G5*?5TWSVl`8~0VJgqij~n?H5%AGRSYcT z?wQm%O$;uTy|YEL0d0TNj>$@E2?$I|w{icCV!{pB-q)CLEg&-? zcTX1si?DY{cZ}z2ZxTJ%L0cF1%@qR+WU~(#Z6Fpgz_>Z0e@Hd^RL@+|cLQ|wo9catkQ-ZM&WZZSt&y*zJ%QFqg;o5hMgRXMVocs|wf zO@XNmC_~8WN?3pDa9K+w0U@`=j=!T8Hx|t@8mwZ%D7Sa0BjfVb%GhvsjJ3?95QlY; zVrNmO#7VxRa$gqJmvAx&NrFvNq7?RujUhv*;6{b1JkhoZR^cApPeZgFY8D{Ig)nycbBh6>LM(T1 zfhtyzWC6Ws^)|-TlT$@PvDDhwgmY&^q#!o4%*BrGdX668J|JuMoydXQ&UkCf?TtBI zTCGy3S=mU?V5H*R=aCuw4WF5m!)){7 z3q;5*wbcYH;NnN5F!k8*Ll;!&s}C8rAWMb#gd&9)#r=Ub^$ND$aT=CeU-tGt3Ar=I zO)2&<%hg=TL{O&|EsCIu*MHG2%-*TO27S_d$2ZBMF@nW$lKilkV2aP_{3nU$b5UQD zXP$rOJN}8NCvfP z^R;GfV3q=z%Q_S9sbD}KZn?@y-Kehvl3Z8-@%NUpS)^{5)% zXkstUGDVm<2OV=~()@+x%}(6_RUDD>XUt1X{@^hn$pp9=!y=%F%j76~vT_+OvKN0n z#*_W59CFU-ws?$4a6|dB{spq{L1f5u+GG#1WAY8*Fo*>ovm0 z++b|7mA9kG*f2=HmGN|b_ir1Y7!Ma;B&^0(KytcF-(s#cQfxzk?ElDP|v31D*BQzqB5EW5~H zB)#}$WC4N;+v*l;yWCuE2}!h-Hu~IZL)7ig%ANR#$yatcxRUkT0iGo7rJH}swe`@@ z28QIA4TuAD`e{s$3Ux$4aUfUF4c)O(UpdCIXqHh^4|Pu#{FKI4mARBIH|UC3T|=M{ z|CR7cp{^UZ07cr@17A;TiYoLfTb7-%L z!P3{usP64?5b0*3#tkT|^R7~A?Y>b?%`7sAQtnO9KRub!_da8VA}g5cA;3vrkn}#N z6o7QFT%oa~0gf!8cDfNy>M|0F2|-vHiH@UZ6))0tUt_S4#cWRJGI|uFoIS=lU_{51 zTWPey=p9e|3rzW>b(;854j=&)&OvZYDF-fvax!g^ z3yClaj0u>^U%H_O$cR92!l_kV 
zDsEfY;*hhj0I)5vEyxM}ki~4EwgB7WwnYV(;}o4C$z+NP0nqky0nVk*Hf=+F?IN4r zs73c5OQ-$%WHLI9XA!rv@`Wq|HwAo2BM$%9j?jqpD1o=4BvOWIOjY!#q=)U0t`$_H zwoZ*RZFZ?!oK1i2bkl>89@=rG_pshLF^fm5GvD;fqU;@69ZQY6>a5_!s0NzuM@z6x zzeBMABq$a@1Q0qo5=74`WMU-IFz% zhB!q4*y6+@?Joj~86yG+Cx~$@DB%n-Muhw{i{^j|h6P~GFaY5MaUcMgQv?iiPBM)0fGppoKX-A7-lxJ00Tu#5TJ+wW)uNIlw%GEFb2Sc5g>>$Bsk%MGLAuhg6zO5 z2@Jr1QXqerV?-Eb6ahvABT5iZL7Hap!&jqdEsJK7#ospy1+#q4 zjSXLnQ&2hWjkJ;U8LlVl#?qjXmeM07A=5im8Ko;mYL9|LrNxB$s?&S9BU7%S1Gjo7 zuxa9EQ{6YKQ-baktKTn;qK4DmX|j-hBh6aB`v`v_wCv5bPUw~5>XFdd@zuc4xHA;G zN22oUp>rhij*OS`Q6(Riixa~yNBLq{DMnQ{@()LDDXtcxNUQU|c0BS&$zeKYX)|{~Fh7~6cyrkwOftS>Oc3c@M-E3ASf^t+VMZS~N-MHo? z&0F~d9O<}=E1kNP#z0CCk=7O)+rMQc=XxE%*w;x9m9wOPz4dHq zc8sonFw8nLjgwnp&={E@#tg#PJF&MQIDOh1mHtZpXzY8Ha!bNkBNiJP&b7NWFe3v^ z2?-UXKg%i7$o=Wf8#3N#oxF=?78VUo`uV6_y50ERUlu-daqre}|C3`|`mVk<_iW$r zH?2obE?<9fmvg7J{KCFRMxQF(@wZ$Y_{l$io+`)wl5^XC|LOLbr`$P$5wx~Gk>==_r$6<9=!YOvCSL4{NsV!WjCyQ zNz=d8n(^M!M^E)XadumI^6f3x1{ROKRQUGjoD{dK~zaRXWC!FqU=<(@mQds8~6FevKz~ zZ$D~XA*Oe7=z-}dA-Cc)s83B|YDr~;hx9K}vYQ@e&N|&AJwgS!S7h0G5y4o7Fgn+# zD-nt&Q!jHEb2lSirW_c$j58}$>2Wq>WlVaMC!xmlwL&Z2S~vH@b#u=29lSq0@4qV# zCFS+k_b&hR)p=(&J$qrxzzuhQ?wPf}8CzTYy1wG`UCTe&HjosSp56B2(KVZ{>|cCl zeK2`!=E)@oZr5ji^y1QU+Yd%%Ck)&qD98ThOZ(?s=VTg2P9AwD<%?1AOs3h0#TxffQ`v1!iRu_rAWlF zAtp8iW4tf#Vtbuk?4&Qq2)W2VU_3pV-_s;+D!OxD|eE##dk3Dtg_{opXKX&WcM}G6nng1<) z=8s?h&Ocsx_Wcvz{`>cj{NWo<|K+9E?wvn%_xzdrZ=QK@;j!C)M?ZD*`IjI3_|cnR zIs3scKKrNVPWWTMHKYr`z z7w^3I%7gPq-aYo{?Qfp`&&8+ioH%m(*!S-J;OL)U-v8?_efiF@AKkz3?jGpAeW1IuIB{cf;;p&K zo%zwtJri4h`$jkG(YN-FUfnl(ZDI7<^!T;Ku`35Au0Jxly)bfpYV7LXv8%IV*Jj5z zXC}92$2RwjZA_1D&W>E29ogJBa%Eq&F;iWcDKFO}>w7yJvz@i6a;>hG>(1)r$kKFm zx$dk@mKP_>jk)rddpjF5o%PvbrB|)>ij|3Sy<1*?nJ(6*_4;(RUXQL%kF54O8{_5L zRA;5GR>q5qW96l8xw=O$kE^9Ay;Rfcc(q)2E>0FdpD0&qwbY~anR02OTIrT+y>hkI z%TwjbOnIs9tj`onb+OznFHaTAy=rZ$TI%YR3BAzEa_IunR2X;+KvQtt(>?kwIS}?@J z-M?Xcu4e$9w)uJlI^(vfs*So5Z%LACpyBqh$wRWTo&I}7QcvW!oVNB2u4d!Vr8Y=A zHl}dHQIa2!q&T-ZImHaREayyXtylr~qxpb;02n0!Fd`A4aaUtW2+YDHdokyTphz?l 
z;Ra_>24N9~jcPw-NUMlUtP~I+6ELwRYTVwC4Q~}C6KIx-h5dysi;({RNT?3qoo3_ zm`X*Z;!}k6Cv9wn>o1{ygGXiDAjGWsIQJvzPL`Y~lVEnhLUcE0pz~}? zj1I>Z_w8PYaJ*s%ge3LO$G`pWYO~7=&QDw~V(dS7(P!TV2I(nnsg zVa*!g*}ZNGqG7BVvWcUXNG2>bC}mM(tx%Cv2pU1LBm~9ML!&`4mxY0fL9t-;@ndT0 zlmUhfNKA#s=Chz!5Q5^|lvKs$&4x9{g|+~>Vc&SP8bfSht-#5hnXChL<0fZJ6w135;I?i^B|JY?-2ce`^Q}Pwf+6%e zn55K&Kok;KD*UnQYf{sHk=Rn;3~$}) zdiwNP!v+JV@v*K2=o4NgA&?dF^et(bNGaoxBAFahmJ}CNY42e|!8Q@q)&)mhV^W2d zOr(|V#T+S4Yt#ywLcpd5nbKp9N-NoLVJwx-5rrM2uc7Bz=8h3PH?J5AD~Iw77{Nso zO|ZrbtWSe+Ajr-0=bAQuG6xYDGWS)8A~#WZaS~mUYv0!sMcmCeI61jlh|Qn# z)K4tQPkJ&1WVW_{4NFiQ{ZbYBBu3vd97r0%{R_4gNlC;I6sgTxJYK8ExOmLyiS_9I z>=RHT+x*6p|JH|UorVMX@t~CDm`kMyl@!(_A};^Km65~zGFr~BA1>jy?yfeuFs=UU zASGdDKHIDt+%RQ)s12Rh-1!bYaovq@Jr0vVP+A*Lf8!T_>HEL=MomDd%fc@W=>KJ} z%RoY{H3IrFqJbKR_ApEl1jHO<-bjaXlsSTtTw61zW^yDZA198(0R1aFwhjqgNZb5b zWAoQ|Mbb9l1aEjK@xkA@w#i%C@}2{OTk)`Dyd;6O%^WkiNb+%_Snx80eikVEhxk+_ z?Hz&?j`Tc#mAAs`A5)W+gxg~rJvh((jjZ>tw66%rW}i5Mb0ZQ!)b;$6hjS@})SrIo zYZ+vDo=G8N`D1)WVmHHV(32|e(*3K}C6fmfFEsW72vS1dqomoq*eAS^M>jWlAB#1; zgY6^OM0_BV1nH(2H-@-5$mx$sHTJj72FHz5s?Y#`KxS9cG#yB2#~d?cF}p%$1{p(* zHTkW^vB4jOfJuOL?KgdyZ1k4030D=aMi|+|VD3+FRs*x>cw%xRkH2OuVsq?3?k(cqx(b-A3CT z7*{tULLxvUW@s!C%nur!anoNQ5faMg;}X$-k6U()1~iLjKtv)YMk0v_F7^ofMM@$7 z5orQKR?J!vF%S@u1VAK#C;&(?NQp!_fH{q(_W>YgYlv&SV3^tM#+{54041TwGqd69 zhxi&7D6{cJ$nrdwLP|(Z)Ir*2yrA{FYd>o}E(gKGJW0n)+AJkKq5{rHyo-%pb(4mF z32h@lo3G_S`zAzY{IMe&{l*X}opTasCWfR4`q@eTO4Zr%O9Uy?s^$2$kKI3G5p&XX zHm;!q9Q>5yL6&9zXY5R$syMSSe)`?J@7DKnH|}L$To4z;B^Z}NMNwmtVWOkxltwY4 z7#&5&xI{51E+~tDBH|866aiishw?^8i6+B!V%XIdwrxTP-MH+@%12paK8y zyW0S8=WfH(ktT&G?U(ESc&Orog}JZ3?@EohF~T{iVQyl(N>{C%%=3gnb9a_3tShaf5;`uWM`!3C!k==Ezt@UCp0l0Fr zp?XKvm6l^CPgK{P+HvN>4otxe;FLO`Oz36|5V+RUP*bz>N?YCa_QM*&`?u`+WaaGg zvRUgESCp0H{pXiI)t#$<-n8{Yl>{0ajsQS@Mp1uHQ*U2=ULwO?J^TLBg)_B9bE23LY2D~V%CZPx|5r}4fTrKOhsN^_ z6e;N3-X2rV1OALfa~2H^HWkmxJaA+^0jzscqA3L*EnE5IWh(=J_u#$j000JSiV{kE z%@_A*z(#+#u0nXQuN447{_F$0w+}wPqyW7AdEndO(-a_4HZj+^69+hk+CAG=mKKgY zYd>#-sBPWW2Fd^7! 
z)6Z!+NIH?Vx5G|<3XY{3vdBPoU!T;YCGFIlK(`r59*!zwo96qlGDf zxb6vs!ujEFI#)${d~!TB&+iWr#+l%hi9kw<$EAm(IWA9F3xor~bj|Ja`GQA|?> zi^S5VN1}1YRl>2Y0Ksy+=&x`?VuYO#6_$f$j1eAS-rxglUC>))XnKmOek|~5Rf)F)NC^L6fJU&@yzECVbCu3$foS}K5 znHfcqaJK5w{ehUS$NYhiVUQDohr{`q=|vuISXKRzV18EGG*xv8%^Qv86UJTsaC*Eb zGoCLrx9-nQi{)slHzkl8j~A+%Zp2nOnN97+7U`IO({iQxksEsznF|W1^`D6cG(7C@9~+-cq6B(lvwbG>6$3@lh;r(FcgU}yqV z-B`CcaVuo0Pc0Xi1v?|^2RtfMFxG@B7{?eRq!2)yF+~ANFeLLCrRuC>w5p;Yf{}ta zrI;drpWCB*1tJ6tJ6r-< ziAxorC@x9`=ZrB<2q#2v6(OP$Dg-B-X#{&Ul?qNU@@Xp71W^#hNN^P)CTK%N;&7_ z`YuVt01!r#o*iSlj1q>x8znRGlAkJ=5Ja&da+`hq##qg)%O-Ad zMN*2};n>oFkyLLa-%p-fn4s zvrDRWY|8jw7)$1Q=EKM`Y(};~5+`@Ew79b(3v2^>CvTB8n7zDw(ebY~tSc{Bv%GlV z;iZCjUd3mn_j@|Jx=wet{vkUf{rs6NcW&)M9Fo5)vkSfWaHbGKA~F28^K z>XokDm?C0~fs(;vLI^?#=bSQTNXUj1$~hmySth_#I2lw%DdvO;ZDGlZ8$GqHH}(Z} zwd3Z&u&%G&F#qu3omZ~zUR5!BPI2Lhlb;O?9|eHFyuDNPWr^@4!M6k(Q9;H7PbpC_ zCP|jKWuTL|l}#N!Cdt$^OpMTfO#2|ya>tK%vIr>%>>R`K)5LbHjK3|7P;M+~`s_qC z%d}+z{*&~LWp=enEw&Z`NQy+50AgZXV34})lOuCeW?x4fJDbL&aWgE@Liv`qNcQ&4 zyn}9snVTO#i`m!lka7@Bq_#kdiP3Cvlp?an&!e*PlGN15?VBCx+1^io*M8pFbI{|7 zoov|aam6mQG%a1a>pe$6kw7kxEeFqN1PMhLyX)$Y4h*+%tywf}Qt|88{SQaJ z27tGJd)7OAGAB3kb=`^kPg|F*nvtJ7bMoX_>G61KYR(UD?)5+ZCJ@y6dOIJ#X!Hm9 zo-cL{J?-3ATe)({st5gl%{T5H0bq}Zx`v*f2L(o7e%m{6_Wb3Y#d8-7J?~tyyl`gz zygS|JpT6qwdVO`L4?TH#t+c#oYTo>Xb4xe=zI;K+$9MZK_B=YT`_dbmz8-ni9#3@% z&JvRs!3n_$X6={@h9!bHFeNxiPNiedJxiQ5f^#N>P~9a9%6lJwHQww$C0zQV+2!>u z+o>kPsrfyFXX_icEL*&`Z@9Dj&T$G#|AUT!r;Yv~=3F3CRJ-xL4JFSk=$L7e|KsaS zo1;3eFnqfEobJ2KoqgucrqRAtgeW$b!Nxd&7>GA8c7Q?<+nB|~AY+g)t0IH|L5wl0 zg(U$3gu$3VAS{A^2qlyYl1de>(mK6w%l5Bttj z4;K{ArLG9YTD#KoQ#Mh5k#lv~9h_4ASm_+3bk~lTpgg?D&gVx(rGmGzR%sqPh|)U3 z6TV+GCobJ`<}XI=6kf&NOJ$`c&td1w=}SG6CQnx7X$uyA!cAGBeW|*nR8m;h!lra% zV4{*@CKR&q0^^F17-N*%-;s=YSK|w##IkmEoOA8{q0t#yaUoD3>c1D~f{2g{uGfpC zma9r_D9@3EG^9W-iKKQCky4W8D{D_$LaBs8l4Mv0O4KAE?Srq~7`6OgDn%qw+wm(Y z4Qc2QB1uSpff7k7?E8LLf@1h@{AiMx-P}lu8K_Ib&KPB_&Et zCX&fyZ8}|JC?6t9Ly~0}rXop(Y3R2y3?-H3iYUy7Fit{CR0=S5UgEtv5l4s$5CWyt 
z#DPIkNF0hE(Bf%m?yEUdPbytXER`MU?A{aR^3S(_Ebvl2p{;amnSX!I7zpj$TCz!8 z)+MBL8(S}(dA6T^xqIpXEqe+FAv7Bt8PB76igL9VAu=ZZSt!a9$ev4uCKUZSfN^d_ zr5R&5p`|WcfqFl~crhH(woK%liK1de`#&-MqODF3)4J@~*z>W6n&4^Qf@iTh_q!H% zr1b-T$Au_dn~02aLJ~pZ*=> zwOS(8WaB<51C}{9`b|wXW}2u_G}WewI0|fks>-AyW;_`A``v?0^%c@kCQ@T%!jK%8 zn4GN`xzJ7qBjScsTnI+U5di4X)8PY$Ki>GoyAgjNsElMhfKrD1PBQG6hG{9It}-qq zC#1%jbjUAJDnw4ooc-%5iZOb~`x4xyOQUa^0$VkqA(}`#* z9=&q5qoq2@a!NKKhy-U16^RQY9Tu>f%7h}}hC>0$&W$W((j?D$nL_)4( z6Jj)IM{GlB<+l(V1prG%13zB-s=hK93EHk@_$|XALLp+&NHpj~!;TLH)2%eYITzW= z)b?G=(_!m}TYG~XhOYEYZAmSE`{3>M%YGXqynm-JWa7cTl|jbN{bf(18&`sSK2zjU zfin6xkFCTnX!FaeiVEKgW#@uI2&SW5J}4Bo^m1h<$pWLV^a|B9jJ%IFEA>?^1X?Mz zPol`*35B~Zr@-TcQU&(5Z=N-|?#``&=4ANB)&3u^9s*!p`!}>LUvX)F_%Z-E6n*eupsRb`oL5`N9$X;+ zt}F@J@zDVUl}%QST;AK=wSMxivN!McJKzoucannY%7jUr6X%E=IY8j?ldHRXKB>+& z_Uzj1cg)t7neQ!Hx^Mq~hMxWH$yj*Jst=E!-Z7~m@%G$>`+Gm%_ovkYIhV*u`h2lh zUwd=SrwbJt3_&1Trlp{AWT4jot8K}W>5cBB?6f8CO;?JTKn~{U{R^EPD|YW*Bfxxg z@9L@JYZaKI1`10l>id-+%9I-}+I< zwiS{t;=BoYeSADC}|)Ot5eu_~!$g&Ye3ne5T9drbI#^0PyMfH3xjvRdt8DR=XlH`0WlK zHyGz6StuCk=vY2>_q=P^M^5Z$t!Vh7eeuHwXM6w;$4>))!2O#;DVFkC5iN8EfZKPD zRtn#>i$~54cK7zI@9o)IQ&oH8#?j&Py)&my0>IIG-}%XR;Be=H*)PSNrnzs-?Eh|4 z&))Wx%N7xZ1OfoNcKt|0D185K=MV1Mw07~_`Lh;o{^R=tC%T8ue0ivMqKe6D4C1qQo{4Q8daTK0T zHI}^eb}|wHPNdm|d?#nVpNFXzmsG{wfn1|YH@8rKNTtHzgzb+;BGsnt#N8hH;j zGE6kgNGuzU)F)F-{y>Cu^`xX>h1^7QC|qkgt{ZJkry6{|kg|i(cyl6N=lCP>WRvUG zDm&m0X49Ew%eG7-SW(dsi&i*}n@s(mu50I!V=Ka*e)oCQsj5@wobI0PdF<@lYp=aF zzBX5XzCywRM8ZQPa1){{kq{A*kdPoDk@FY$HKhC)f}Win@7l>EGnyXtqo(Ss?{OW% zx>hcY*W!1|KwhgfY|FY?6nRlsc~KaH*2c1~OV#?gs;aiC3vIgP_`L5Xqj4IZ_vxf+ zt;Dl&{oH8Gi?XQ7EYHiTCSF#JDGrhBMNu|?DCu%JoHjP~!;KFoS)~?5nU`f*HyW4y z=7y+`VGGcESt%GKo=?-2GX&6`tZopy%A|g{?b3NsD~IEDb!|ZiH=EUKXTz*(IOHNe z%6osf3i~*O&ybqEQlNM!F*Dv&mStWxtMTf5_r^hoW<1}%>*c~4wjkT}jiDv^?Rva_ zOJO(9jElvhEUT04>xg@S$`&OG6yIrGPH=H=r`Ael_cXoGv_OfY1KVH3h{hoO&_kDd;Yju0` z;pY4u(faiC)$NOS23PCNO$s-syVp~?wXW-j4Y^oV`QGv`H~;$gUoTJB&$3K^($qRC 
z^8EMT|L*(W{!~@8-fS(buU>rn_U`QufBx0Y?z*X4#JJm@RdusiWM2~*e3AQq*aRIT zwO`Y4JzF%3nP+}19(gixWe05UAp-V+!+O6+J1F<7YG%jpb+=V9W9eTD$9zhPtp`)`YR{v;_erSc&ghWqKFbJaM*lHZy8nhO-@8oZ zc~w<;RUTvVkNE7z0BTuPiy}LOnank1uRl7hPKrD)_xUHYdT9suUOSKtG> z@>C7{A|J<@=jkVn9T(xD$f z1UPvan4?Gs936K+31g4E3cT^WG)@3L`GlO10&#E{h?8?-9V3gQNFfq;;s^BNeRL$m z!BKD$Ed}xkF*y|G82lLcgn6(O2`94<#(*e*;%Fd_#w9>@C=MfkiGT~92joCL0FiNQ z(Hmq-LY&wS@6XXI2J^4`2H5i{27jWJ?~1Ed}h>mvQZfF%DB0rZ}woVHs)pmp}aR)0-cse#_l|c(Z-k$BCDd@1~emshh$u zQa4FA{o>OvKfZh~-LC7`A&%I0lDgO}L$~A*Q$MC|)eq~`ui`LL>U}qcIJl4?bump8 zdPx(;5hPjPNf?oqAxt5T-~)!>#9Q`0^_Cezus%8;A&4fnl8hG!31eqNRGzGelMcLq z55OIUgpx>ql0kMpa7g5nWp6n-N{$msr#V_q&If}CKF*&+7DoX&5hsIOgVRI~1Ce(u z8U@fJGLi@O))BH;u$IseYKIok7;BvahXyR5v(8$8)|nQJHejr)8)YqO3(DBWT4S9t z0Du747*lJlz-Z%IWvoT5O>0c8m9e0-wHA!AN}E=H>vn!sx>ed(&=#6jH`>%nHLX%w zH%iw^wMI8eHEpA`YL$BS-NpM)Cm&yIS6ZuD)s5D5+cc_el~P(aZLO42N;SGx+P0?F zTE4ydK&ouCZb3IjH%d2cQ|q<`+vrwV(`wV`rUj^tQWmDLi^#230N83*mi zI?v{+jxzvXq;q!PecyL?&pEg1UUeja0V$F|G*jaQ6Pk$##U_S{u|f1|2qhRSFdzh2 z2nmTIA;5rv5CI0OQ4FR8Y-|(H7-uqZeo8)nT!!%<*qQyXv$N%Sp4jMN6Bhh=B5P!$ zS^LPAjYe%z8)JReL|UWOpnYJ2)??2%HcG~_XSFWewq_%eOO~WD?D=FOihcINXu@cG z1%?6-*ar-g=d&MVD&N|G{lJkPq6OAqh}mN=r|F|ZJ=Yu8t*s7BOq-bGi1Bh7w(rt^ zA;(zXcrhhn@mY8l_XOh`!Pzr zDDWZIhI3dZ<1`@fQsXKnFP%Rp+xBNa(Q&kKP%3L^#kjkV&)j~{GUl~1<7XGxAyJd^ zW2vah%QFL`Sw(LzoL67JEE361M)OX5R%aqM9LbI7{1gt*i5x?T0y{VoE*MyUUU~i2 z;fPN7;bb@{2*TNDeD(ts_%;&vF;SL1BC7LEI3CjjOM=R<7Y9fd#VTWw9Ds01d_^Fg&MQz7 zAgv{Iq;$arQW?S#N(lu5lq&=%<+!dwB^6}4u9P68RG>hrbZzP-Sns-jLI?m5!cFt8 zAR$fOx@qI9kgn^7-di%i_uk=(kvS8G4@U@w4;z;q9#~me{>O>q0}5BxTU*p}V3#x@>82j{T$%LdFh|A??QXtvqhn-QPM#gr z)7i0M(R2o6;~_FCzkcVwulia_60uLVHe79Q*tE7foSC}We(Jw}Ki|}TKh&f&IhbtT zcl73^mhGDtl;sX>-nr%3?dEh&758lfx?G(E}Xl(Im02g zS{WlC|JkGNQCWpa&Rw^1Yv;x0t}l5uN8 z{^7-iAk?p|V{f6&+EcrD{i5X;JL@iVe5|B7d8T&shBE zg5zzwZ{6*nP_*a9`E%X1{Y!IKEn0T9t8VFv>Z(Dbu7A;Z??GEk(|0ev=DH#!*3FmB9vl!K)OY{n?jtqU zj}9(*t#1E+@&J?DcC7gJ`6ZA+?cVL3T@8<(os4C2Z_n8aox9%{RTZ&0?d=Vv#d$(T 
z`yL)I8xlbqC~GKDdZamnquDx-~sName(p|T{cA<2=fn5dEC=IsN4a%M90jbw%L1 zZYax)Jkhq^a`N=$MiuJUcl+erS#x*nns?yn-%3)+2fb(Nx2>pI^@c0Kl|txXbm`=G zrcHbP&npxPclWjC42+U2dH(cvelcfd7oBT=YTvVQ#m_IUjH#-sKfHY9@&)6^m+jrY zbL7aF(cnmMq$_3OuPZmbJ~n6P)(zv!3xD}fcgdjSvQ4uPwFC!r?&VX>O3Dx3SzEJU z*4Nz^Zk#`|ddZ}pe!LZli~mz~u75RWdmR6@_wTpX`mVKpzkRD+yIs3z-%4JBTRJsV=@1#N(B^B~QMwsK}%$#!`ob!L22bI%#x}JYO4?dsI zdVg$9cCyw|SDG&}m11LB9U7UkFI-YNfBrn+<>=Pjd~T}0r=z~)-~Z_qtOQ_;a0=A% z#NN|`U3Uuewoi=pn{9QU-uL~Ili}@uYhQlx3fBmXG2jei%iH%)t+nR&Z~Ha`t~_@1 z$GEsSzvV$Q@47|?>rdoI-n>%W-BujxUS>RTiz=1*&wou04b?oEEYClZ9USbOkgyXpm{J8~jiPsdKA4f? zyTTr;9lw5@utU}lyQ;OsigU^pSrBwD-gIg>S4pP7K8_kyHsgbx>8Wusk*kVMopG}0 zD~m6=*;0+(T2Gy(Cwc@mPD|gvAw0PB(j_l%b4y#XkFCeW!rfoKj6NBwdi=Tyi^SE@ z-_Bsim_j&5lz~RsxocPCdVhm|-Yz{cwV@*a%il(p7;SpmuN!4YjPx_J!$z<+XqGnC zl=VHjKJdIYEGV$1qR4N_cjt<-x2}!bzdOR9vnYy9WBFB2TYXf-*0jXUE~aITcP`9+ ze%$ilx3aq28#gY6t?<<`v({kpboVH}dO)i;5kdc9_5rri)YV^K?(9B)KGd8XA2B>u z(J^o%cKd2;o&ANpBf&uyt*_B)?7CTZyZi^=P#cYh zUtmbZwE`n{B}hB_rTboEVL{Qprq;S3XP>^Fc2A>a{8@vi-qoNn5zY~(gmX-}8mJm5 za9L5b02DC>Ou>|4$_SHx36}{l%4Eu9Ol8ElM1e8}j1md}G6E(6!;E9b5irU%h_Ja+ zCv@(SQm(-m2rv;7OhE*qCKv++$`J;HK_rw?jxb1s5?~lG1_VF}1rg?n@jxl1RK${6 zL)n%xJ|$8 zFLL*`J&}EQb$~^G7O_OI8e@ss{d^)fGH7}E*~@ND%GhLugfRfe1QW_Ab8Nm_yG(EQ zVR|qq*sJ$JSyW*7Qrl%8KMVz!9laeq?D&d-+G-y+1DDLHYm*DkrZT}a{i4+%IJS3Q zc{I?NwrxXZR5T`P${1k`Bg^~Q{);&|h368dp7mM@R)73|K5%e^Lk?Es>oL}&Fg~0HpK)`tV*>!iAFu z%u5(yl*t@_7y$~5Yq!L1Yr1!O+v@K-+se=9X1;mfpq50+Dac$v)>CgE{FZlcg~g}y zepTtOIj^Sbe%uxrveKb2FU!s%|8y{^wKf0yAdh{C`~LcS|M|RKDZ5hw{g+(7deXs7 zem&bg^tkrqx$W&;|*4csX;>_f@-TU{9jaNTxDRs4VemC9y{CU&bb>0DfLC>da z&Yelqa^0Oyw&-C6Fxw5k0{e_z>=?8NBkn4!sQ&G#--rXL=uoqAjA zI8<(^WmyC|zG|KwQ<_iPERhfHZ8}42m z9;&+C@{2*Szg~KJ^hH%ruqR6tn!cV87fZ7T0=NEyMz{39u4`yi4ed95T#~I z$j|4GN5%*1s4;HWI`y1PN*ED}xJ^=W%JITPCm+3DaZlKnawtC@%fv4<{Af{!-Fpv37_2RabN6N(-$)g@VRN`%Zw_1I=j!Ia_h6F$8VjScgb^?*bNiTo^@;0mgt-lEb@?&ti83{Fkk3*|8+2g431uIT3N} zywA$Ib?aTXUVW<{YO1RrGy(zB%?JiGJ3wN=h7CW#7B+0zfCj{lPhi2fv2a%R3_?oj 
zO1@5Irqd3ejAKXi)5+D<)qHP%Zq#D2e)0Op@4tGzn9uHC{^0#D?)ybOJ$?G&%kQr@ z3rP$bn6&)j!%sf{`Mb02!PA#-IGNnty=3iAHcx)^#k(?JUO&G7-ut)9p})Spt&8dC z)-E{1=zGiKS8v}QZdM2D?b~F-uIG!@WU+U>y*)cSFERh?-~PDX(}pcF(8J6@NRGSu+-^nIUJu{&SrxYPO$4r%WcmBg~ma108aL zrMM!4Y@7vYk}2AefJ~SoL+Jr5%-sP-xDzU!BaL1wBeh}f?s9STX0U9|9pI6DS#;&P{vtn?@9m9`bwN+Vu1dk=Fbm zhxRGcH##@8RMf|G*SMs*>$=ZkT1c4>|NhTEHg`j*yB~h~27zIswns5;u ze)HR3B?IJ$f{;N*S}7(O05QR-##jeLYaJ-$0!m0S+E^&6h$;png&>NIk>HG=3RMi= z8i6HTaJfQ%CK%lavvU@U5<|%uZEW3Z?KEAE5ZcS#Pdw`s_`g|viO9%X+!cH0&0OXvT zyg=J7)8d!^^K#e?D>;WYgopk+$C$G&DP~6 zu;|HiGW)35YHp%~zGKK_Hm8)#b}VHwxA@I}EyKn@4i2ib9fKLn!Q|NhGf*_R0ZzIa z_AAk{1h&7F=^57I(gbUR&>ThwA%?*r<@U~+GlpBT+_1n}=kU>ZtQE3E=a%VN% z7?A)Y%nXtXhSAw)$Hs40NR34U1SlI*b_d&~lUqk0v4*YdAj2Dl&QKnuB)#3)W=CUs~- z8b)LTRDdu=*QOcJNmpdbq?BPG5!sO;S3IyAVNNidGW?gVYm2#~tfF(~`}SIE?>RqB zDHq#BZqf>k3cWzlR0@ccO9?6AK_~(yia;the`zdUKxk?VAOr+_Xkr2)0ThjYCC1i} z7;nTFQNu-p2vUvFD#Qyu=$j9FX8uDU`5*qA%sH8J=G%L(eOt>x6`*E0LtcPNSwta? z0$Blyl1xDU12b2?4!VH`RRVy!_mvSCL`roih`*S$v9%Ve9O|!*EEX`hf`fGsOZE)j`hWJ21lTv6d05+&l((k z(#LkK+HtdvKSm*|2A4WlcpGI@~ z%LWt53Af=B9Q10ew6vl^B!U0{S0yOQ-ADsL8j#MSN1g=xv^h+w{Yj;F!SKEUp9Ua; zG7_Ow6r)5ZrHptAHyY$7Qa))5K)F{DF1YBjQBI7A2s5~Qj?C3;@41r%!GxB|pw}-( zf{B{FLY6-rdX|5PRecbDHV@F8*+I$Kz0(CEs9^&0&CE5;7yfd18;KWXQVrnD6(Qq!J3|I*98{hBZR@6S!QY|Z>VYd(Er>DF)i`LECZ`kv)i zZt_JNF5dG%zT2xasbDM7a>kI99o3ME4+7Itqb<_QSr{1uw;p)pC``)^ncQ$qT zd#}Iu%I`ed_*BPjxqAQp>DtwATXXr*TW`Jen-4XHYV^SjMxCveW`xFgJENyF>SHVj z>v$iWv(v`#)+$__(Gtt}U__w+P(ZK0(vG1p1xO8Qt!3oaCrT|GmC1(SpO;ZgEUIuD zWWz>?*DJufBpG2+f1gep2K88Ek8mXM_q?*t!zn4({PN;D^JUvw0D`cdx*Ih+kz$6E z{sx@6zAbqnE2s#Dr?O%JD^Nuy66rcha`%`sI=y3fg_&d?@Bm#NHN1xBD;`tG5#D=& z&TFV-?04_xruoU-@&#Y~Di#Uiqvg>mY(iL5iTPL`pf9qzu9^)}kINhlzRJzMT znafDR$BKqQ)u@Q!P`N=BM07=7S+FwirW4`D+t0Ccsmv7rMvATzH(1;_hL zhhAW{CP-0%!I|^cW#&1iEJUwYHR@-N^cv{5E85ZystN`}u{vx@_LbVUEX=!?Hx^SC z2!> z_1k`Tpz&iadF1;%_rl}8{M{|T`bBra#;GKy z__uF=?YZ@zzwg9b=TG1JV6$}6Ym$;>FvZ?z(_nrLypxPhHY49LraXOKMies$3)Og7brq|0 zQCj%4@u-P)beC2uP-c`vdQLgfU`-N2-Zz|hn~pDY(uw#IWE;Z 
zjx1DZ=w*b*R0?^QRRb!hAvJJSCtNwQp-?yNe=1o;M4x<(aEt@upo{L1Drr>BC+;#2 zlLP9ZVi)P2GUbG5Bq(`+q`OHKFeDh1M+b-zbO%B2icwvcV3l+jAW@!W{t8Rk@A3D6 z+~^3efFwyE+`Z1c?!3tbH(m9kC+2_i zLbK$I+g|^ZpL_YL&uuAlhoW1#;+ne`ow2;ZhC5z8IQh&SJ70ck)m`^3-hAGKYZslh z{X;+9r%&84S#f0RY-N+lX*y^^v@7kxIYmRJ7oN(m>d#AVDzWeV7oBy+Q zJ+Hb}Rrq`NTI+e%+V6KxKeStU(?O_6-NICwG*IzJ7=@W>Bm@x{6j(%oL<14&e+MB{ zb-5R?R?fjF=rD2l*p98IE0lc2w#!L#@Kz4u<>4DLDiocBB5*?X_`tY@wLJQuFd zN1lD?Prt8+ANx104suu2Fmyg^t##fJ~^M^d9Z zT93>Ev&FC|-MB8!v@h`xOw%t5e_vqCDIH5XOdv|OvDN8D+h0BU)We^tO_uZDBQt>CM#eKnuqW2ba=wT4b>?eN4u|Mr!Cy?(gu z(skc>=J9|0;qKr4?EKDquKUdGk!QW%aN`%A@b|y9W$yT$L{bOKl$iie|~%OkDqEcU2Grt z+(UnS@xm7$y!K1qy64qj-1OYnms(imnFri@->Wa*`})uA*6Z*3;nVHh?ED)0@aOM+ z^_LgF|K#E9;@!V`;nMR@+xd0%$k*;+2x%p*!S>Z@7%uG7&k=Z0F%>^ zXZrFGJ~5=e|72Gvf5oPxoS0<**d$UvPxyimG_W}cv~}i2xyt}3#&k6QlAOf5?;PNL zN7tMDQsZQA496@#_-pn)xRiPj~6TR;vj!;HcF>{WG_Xutsf3YoOBbn9J9}TkRGZhXR z=~*rp>ZFLRS=xX#<*wMXDgdxN2P?+x9?a}OR;`0aBe=y!Y-G6#zAoQLW>S+NqBfk0 z7eVMp%#n(xlduzeh00+kl{8PV$Ue|6As$3D%Epx})9B9N=04mh-9}A>ae39k4?afJ zw0~rbC+5`%f2o~~h=9>Q-by5iK);Dz)K!XBTmSfQmC?r)g1#qNgSzHg)LE{_I$jez zqPndeofcsXCnM8(ppJ$f)xD?l%)pkcXt(N30#kUh5Inf4L@WjXa`<)lqGZEobg>sc+?p zxjDg}1h;P(-8BJ+>G5v!c>CNFf}o;fHaqvr(1B2cn9kU$kGNda`mzD%u}kK;-Q1nA zE3CGNwuP9Jzw%BrKpRop#NA~xHqw#X5`LJzg+qzXy{Y`#y;gGr#y-BzPMiMUbpVI^3Gj1A(6P)s^U`H3vgvK+TdjEsRFYcNmzXUo42HE6_ zW-io+L~bPFf6@@ye2B(f=(e16h--VF%ifTsF6Gt~04GzA){OSMbL7#V)@UQ^j@ zkmp((qS;uF$)X_`i);e{i5oPxWdKocGs9eF!wvx0ToX^!TDV4abl`nzrj1`Lcjbu` z7_9klfRC*msQsix)N4ttY8z*g=%j6rf07S@WcSr~-2Y;5Bn6tr*;5Woa#k^$J*%ts z%%qI#=ZVdpnm+;u+yKhpRn-)glF8Hw3{EOqeK8E;d>&n>VJEH67!fBuNLG?aHiYUC zk3l41YhWQpcw$DvlCGKsr|U3ky`6}Bz*!y)GRO#8STK+P(<7Gfk*g*nrkZH}e=H;? 
zI@Usbhnrr-D54~UapaIq4(42;To&4=fmDR>$ecR!02XUaU)O$%LCtD=EHiO7Yt0N1 zK8f2mwQAm5o$aj=ukbm$TH=3MmIKcUm5ye(aQkClUf3*jq9$PzO`7ZmZ*$`|?NKxv zo}Sp69Z?Byww}G~(gW|l^ETI)e=C>rhWA{!`Gc9eY}|Y6A9~<>PobOjeq7h;-8(JW zdmVVocmMbAkN)7RQC`(ElLZYXh`@`E?1@AsoQBRrTz}~kACJuJ)hn}itmhYQzRS+n zRTL2`D^*)TZPjUK`WUDE-5>j$bH4=tWHOnXo15H|eb!!k?X}3?C6emx>{b&E zGD0{@njj+aa0Vbbub6OFM0p=0a5`6gMPf-OkC-Hx(kU>cL(U|K2}>ffC!OhHEs^aS zm&~bnbB{_Zq~fBgf5u*8Zbrj^5hChzCeBX0u5ktAx-cVIM2kRu3U6$@cHul=RC@S` zrpMByrP-2k@yOYO?`%|5F{SMdt{DPc+;h^>s#Q-xw?SiD_Afg9=FpW(BLP2Zck z<>1hkl?qA*E?D1Z;rhx)HuM=;-?#pOF^{a#abHz_XYH;Hf6%3ndeq*!`pcmHoD?fjYPQ@#0% zOLLAK9I&|Vx`vI5KYm|XRC@TFeTQpyZB^=;o1T1m*@gF@Z&xtxy_c4Ut#KA@(j$O4 zd!cMnX?MvJe;G2yfVaX;tVMvN`2c`htnj;@kz3Qmu#`n^j_X?w7b6eCzzHDo)dvGw zmbxa#&RDC(rq=^nW{0OD(BY24MEmW$mxTAle4k}Ju|lFbB0!|DVCG62vztsaA(Jtd z*%Fx!@kWN(vMj%%M}J0Oys+8`$$#VESu2xhS(7C{enU@?@Mg24vcAt;A+`BB3-vo)ja5 za5-_f9$X2Q%Z4ZcR7G7Pb%))p<3Kc9BtuAmCYjhiZ&OqDWB_U!w@8sm% zp>(I%f6VW+`0nJkpV!DLB`s11eKf<&woOf0KIiCbs!wmW<0{&YJouN3deo?zmkwd=Xe#Kc`qe%B zfB6S0mzvx92F;jx)AmpH+IF@@}9^;u#aaT0?5r*8z))?ue ztdW-_3g(9W;|{&9R@LgVU87qWos9>)jkpJfHKke zAR>E`UWgK3BTz={#u)8qe@azJ4CuBe{GRJ zeo7iuk(q_H&|yeNt^y3k0Ss3x7`K_FP?`#l|yEZz?3y;o*G zy3Qz*OA{MP#R_h||NRe?Rl1*UA*4EuZ$xf3{3zcg}X#sq2brA1eFN?U0(h_}zC@|9MM}w9?@E z=?8Zx%0>)mZA47z5>@oW1t<4YZrbeQXP16>q3Ob@iUaLx#N?*4AE@Hq(eMXrUV2vL zZrSqfKh)CIFl%M=A3v>q=l9qDd`I!7Cnmq~nz^@G4H&of<5Q||!lGj@e`3+3rgLvm z(a4btn}=?Bq3Pl$Fr;+C=GIi*Oz7TQXQw^(`DN9=yt;L7&$}1ReDzJdZSL&Dd*ZUX zG0(39>n<)GBEI~8xKIqvzL}X=>>WV@00nj?=R|?W0tCldc=l8a@^oH`80ZYa7t+GG zTg#zWIX&`hLdSaBdZs|ce?*RZ%kOltS0xC^kACqqR5wD0Wn4EdI0Yc^FG-3gNhb#~ z$dNJ%7>Aw+l4UCdDw6SgD1rG(9goWir;H!~i6g6{Hj(l9uv8e?DH4uR%148!LE&Nbnwd7SvMUc0^Sficuh+Ddm8z}PoHF7wkAa4uDMxF;D(&7@2 z&d!-BpVdncfsRm1vvYUcN(R4nN-tEYOd4a>e0A;qx9|Jx3RKtg7W*%vavR8Gx@1gl$ zpERQ@#;#rsSEo&!?OJ(j05XtJVx#|M2yXZ>ni+pL1+)&%38(N~&%@fAQ9gqdUxyfmbbQo^fn1 zRo^)F+0FgdtSVhFpZX1}Y;CPP@TAK19k^<-E-WowGF=x8Df{Vj!?!k3$@p=5U+%Mh zh3*m4;8~+~Kbx*DD{p!FhF6{+_{1VCt}J`;g&qs*<6h<6>!;X~kp(qn5$UAFBl2mg 
za?S*XMHiIy?21C%j31m!*-Gk+r56xyo*>PF zq|VBhn4rPYK6HisM?kc3EU<|E{D_Q^qAA1>8VaBWfBeub2nCYrVNDceUbJ3kROAr?`*%;R-nh(b3cOE=QX zNJLU%`^HB#c>{0+DR6GM48%Q=yP?fdHb+zdWJu;!2pC(k-K^~f#2mZf zJQ>TJ1DisdGTH9L8Hz0%i^j4slqs;O?y=3OE|s_J+e8$ZIF8e4Fe!I4Fli=Er_tmf z&T=LLqE<)`81v}Us)#WCf3~i!$F8aj@AZDJf4$E+ZKt$Fffhw3v=drd9TU{Fp&|{| zR;-vUhogR zct7?&XPk>>+RmJrefHY#dfw-G-t~;7>!{ALj%3o+(TX}+MQ!D_<*uW)f_BtSq;2bX zf6OXeTd9?+)NTZ=O2=(C*0yqGtXjtttv19wA{FjB>PFm+QB|sNrzA4$S950`=pEcZ z=>e@dP;7||xa!`vXsrQa_9-@|ReW+Bh`A7=ilJ5-OloC8F+QK-k!H>e9dCL?xFA5R z(IJbL3CgBA<@}froA-fAn5~oH8c3ype~^dTL`af$$t60J%x|`P3i(zL5{p$&YdwIF z!;Iq;vbrD7{+&Wuv-pHOM$9hISZXs0YkUAvRTYy+qOEYJkJxEM zn^4~C#vlnHF#{tISo53R&HMQUtcmHm2Ds2huRGBUHXwDyTIF{2PFu~rc_yE;{sN-ULC zNfB9GpQ}QqIjXQZg;YQYYfyTkf95wq5m7-wt(B@utDGE!3agTPPaS@n|I3y_gAm%S zAQ4X=a)r`^Nf-9R$zrUhJxlH=V@^1lc{h1-z2jB(%nD)_WhgLo5acJM(z~af5M?H} zJmw?hKaL2Iz+rQQB{Mcr>5S(u032$Oc_r*g=na&y#2uT2$to+O?XK3Veqn*y<|dsQMNM%=VIDqKRmI#!CX}i7{sJ;un9g97NIJ(4kfsxGEmciiB&D(fa3HcTLbPzNbH%i zZt!S+2#FonsN!Y96{5jbe*uu@eUH-!@+rP$$+N?nGECiC9!fD27ri_vdM3@H z(Q%cwN-M-GyYXsZkgDb~O7lOfu(%?HOr%Vzzzl-Ywa7MaEu@0Vr0j2;GOJKqxgzqG z9ZO%LmQjgX<#uk(rY#}}VNf(rap7s3mi?^MCYea3*xCxKj}>)_f7(w(DLp`NW-w@E z9Bc2^D5vCG5vW_;=Y8WpRk6pP6^ap7!2B6pVYL4nVQiW|%fTL%}W|P%fo3ZCACc!0(y+$d~v2`sr2MHX~m$-gHwpzW`J$lekfA znoS$_94wS$%7EJ7KEPNDg5Kpmx?y z|BzeSY-B}Ie=Ros5wJFM9Ra+{i$)zBoA|7%rLoydWw9>4<&vl*hT=gZDJkeM8zor+ zAE{`xAwpFf1W50>urSxQB0H@>RY9gUn}!e#&GmjoHeH$3hZ0z0xXH?@4OmsRrDYIi zb_&5~e<|Gzh6Z_58ml;A>hXgzL_MN+@SfP9P2$`_4h)^_rvWifQ~nVLzmbHMY)e4^ z4po?__-rxt;XdBmB2(Xf=GP4Sn&rv%fLNNw#sp`+a+o*xe^Z|Upy?)++7Ze%mn?n% zwm+O6f9i&-?^xRU)bUTebhd6?$1MwU!E2Ace|ll%x4wPPe_y%cuA{e}`^CQBpJ^7h zY(9FL_Q(G9m*$4|mAY~5v7auUKE3IleNqV}#|_Av2wNW^&Zm*N1f7A> ze?NysoIN!MdLkVw;S?GNNZ3H)o~4V_x=K;Ev6g6p^0ZF$K8OO5dYu9Q5w)A$zb1mM zFh?;_+G52RNnsp{CxqJJ6q)svV_gLbn=3b7B#p3yecE;^N1;er78gL^f+?0qByEv7 zB;r$Kwl1aDstW)O)hj0GK?L_m)?0nof2y66?iokURMYI>%+BLpTMb)>!7C!`WQ$FE ziXu_%T7PJT0l~B$a8r!fm@nGw5=6_H;+-(D(^w|`g8$W9T_(=K0*K~?vS2Y)w-ou5 
zgSFej;U0_C;v!CHg<91yLpbYwSu*+A@iu-H8XOD^O>r0!B_gKa(E^t_yv$HHf9F*s z#*1@$7_m%e!VN3JaM*A8;NS8<^sFqywBttGk+j0&weYT6KKk_WhBxo|$uFDvEmwU0 zvB{o=BB&~j?0)<||9Hp44_4^61+a8rgd6-{+fl zuDR&rU-|osSDt)!^TW4G6{?x7Ck9zQR4MDvxVP~56K`+HceT?R5hKo> z8N#%~IzB>l*>!m8r~Q)s7egMRGoAj2fJlA)4F)&Rxa&tyj6Y(P$f50bOUKe8mU`z< zF|gGXx#$G5H)u&z_x}~FBok-CscXhYqsE3IDb3p0M9knJ1$`4+MPXv$TKzZ+uhBv! zy7fHCf&9tG#$37T`i`ADf1#>obS7pB02rr`06RJ^-h*37GFHe((tU&~L8WOlP1+H% z=OW*$?ADY>zhtsKHGFR9_#)&*K|uG+J3!efYDloxAnrQ}xGmxjVOu25oTmXf2|_RYAO9<1e%qE%HmjLU;JUjidbPo!?OCVKcIfNzTDUQP8fro z^SMjDB$@_9m64bLkcBCksY7geDnjvgsX#R;AhS++V>fwJA9E<|T+NbK+0F%ye+f;A?i1>M6Atui!J!l263$NKtMa+IN$f{sVn*x$1*5X68C{Nb>( zLH(G4GmfH&uw(Do?M(18EQR_9MzX@e%aC~BRCcKCj71;qlF}OK?9k;Ke0#epXRH9A8faHb5E1xL zzj8;f)uf^(MQE^TA%NK6H~Rx=u&X9N4R$l6lFmp3L=95CKAqhljsTS)QmHQ0e%bEk ze_{gu+>~d|(?DAu8CqkeHZ&SYgv=&3_H`=+Km-KHC}swup?x4`GOg4=!Y~LAx{Ih$ zBaznHfSxg+Q5T`KMrsAr8c^gbsZiCg%-C76z1-=ZK#;LXH^_7VOj5OvzJ%O{ntd_2 zRs>;V2kDSlA?iWh;9Ka6j%IEl+9v@rf5Y*J@i8ch6KJdow6!J(07^?CVkQ7bYEyDh zaMZ9*+nSD1q*&*pG!`u`nDQd`?v8^Hp~rJ3YGGv`l_~g_@js0LlQn}$3r{xkL}DiD zqLp~NS1wjNpiU?pM>M9a@=%?RX9E{ST4wjrDXs*epJvKSt&)OVB02;Hm&1e-e}4?? 
zW%BW#pzzQJMP8!%LjyQm)oHDb=m&@yu-U1Nqe5Wp91{@{Z@t+(4eXJtn!X%nvc^+_ zh(svSlJskClNx0n2p1IuN`E$5Ylh$^%q2G|+0I_yRSE1T>uV6;<>tp1w?a85<Z?H)g$y#o_zKNP_@NQal=q0tTs>s;6Aq{?eV%n?+)>jw`laQ$_QC6R=Rw)1G!S(gFezQhi`_C`;kKF4u0n|m%E#m~2k$!O3(dX*4Y1Z-9q zlKo*PR1k|e>@7O{sR$%}M~pFy0@UZIsC zT#uuEs~{~~Kv;imf*P6Ge~jgJIn@HDH699JN68a&U2`pALQZ}Z8lLo?I$YYBvV`2` zhdve}LtbpfEIF1(VM8x$Nh@l@`D!%ZUrUg#@zHNlU%C_VV#dEZeX*31yQeZP4lDyt z7E5{O2VeMeS>1}`=5oo-E!SS(Xi7_O*m&K+3Jc@*edG4Mn|EI$f5<2!jVsI79{==9 zzmcmBUHPNaxBcpeg?63%_lqC@`vpAwo(KQ;-|~vK{JKM1Za9P*7J@?V!xRMxLyF?J zVWyDw#fVLz6PhJokz<(|dW;YgjZ8r0dgOXn$;8A3Yn5&b&<7ld%yzc=9wVkg0BJwt z9H_2qkVx3!Ow`g!f6IhUJjtB`&IAQJ^U9QGnw#78XTs67{H>Xijp*W;pT{EyZrJU1 z9Q5rKf#EWmwY(;(m0U(-b(!JEYP10ukd}f_Y!gjouOXZ2TAXtgA}O13HY2}qDqHM^ zQm_0gf=c_e9S-L`Q~EWL=!u+~XvUY#oR%`rJ%(TG;hUM8f3)V)sIHnph^e2w%Mw@; z2dA3IwZ$%y^6406Cb5vpY9g>|*UZF9CH2RMDw*~Ij2HkUq;LrU8uKkZ3E65u?|zi7 z9gK5Kt$@XnOp}dBF|!8D39=V=LpC;UlR+k}$mO@JJ^SSs|8&EX-&(i(*1Mno-L9WL z)Q%jv^THo4fBX6uuK4Z)_x$VmyZ`gt&3|1hlY%0(UAnyI&V4_AaOK|5?fBAtpM2@L zvhy9+Km5Jh&!0c>x4*pUv4^I|j=t-eC*OYNsSO8qfT}!IyWq@@X!4a%Z0d$M227B6 zAKe@%NE>8yF2Kan5w1`n)gV!usg|FZE4ghiVF?Wzf3u^i7*@RjVc53U=ybdh2%5Z; z!3@!~xZt#ILehsd|IFw=JClVl{DJj%DBBGggHu1lbVNs9v`Z(brOb&hB0%J!png}J zHJ2+Ir=L&^bn+0u+8>>rIrm?SJGT+*5zU5ZWFVrQA^=XeSPg+h5fB!|&H`NQ>^SyC z5aAtVe@(Z2y-RzNQyB%TSXdQOO3w)*d`@QU`aN*@5;E#KK62v-6<+InH&RqAvd9bu z9dcvHrkprila|W=7W8Wc{vQD{b|oM}bfCs(qoAco6DF>;>P7Z`*2?F&x%s~20ZqnV z$c7R$*WhHcrQo4lJlUDyp$y|h#?}^AOFQ`fe{*ZFaLMw%6R-cojj-v8rM<^@eesU6 z>DYlYPu;Zk^wG2D4xIgMSy!ZuFmB$s=R>P^eDtmt{(1RlKX&!k9y$EX6J`4w@4fKs z^w{lhzUQmkzHw^*Bj4Y2@+56rQRA%49L0I8h$9J@*&IR0Ogeo7JCi-lJ2~xYw)S2l ze@&DC-LV#h>6~LZUvRHC0w1l&<0(QDFU;~sqoy3xo>sGvr`bg z{BhbrYz2?WPG9{g4brrA&XGU^v4vODWZ7#98epd|keSg?&}yyc3d@^-2$h=LbCn@q zP90DK*q-e$Y;GLEoyGpJ0|@qv=_oML63t^GYRHz&P=aHUbvj)fh#k|-Fm0{1f6$br zjnJg7d&|MczXJ=)8+PBc?E}}qIDt#|zxV9ZC;qWkuDtrKr|&=fvqulEJy2R0si*BWbARfN}CGqd*I=bYQy*UjydM`MbMB@zt{5QTt2L)A7CX+ZG_DX0O(1b_L%e;@vs$C|xQ 
z`FC>9Is4wb_S&;%zWKgyhMFkDgXV>mR3G|`-Ee@G`(WMSNK>o=OuNR>PK1~3?n^<=1ekTX_f?E@p*n9UD3hO!>Zy4w&s ziG!#ul@k)Qt=pmKl?2{_TnSlznf9-U8MQ9bnE<|DnSM%hQvU}VgCb|smI)SU6T3__ToDlpT^$Ayu zQJM(O;HxAcw!-=Zihw0W8HMSMY%P0t-6;9hz-*e5ffic^;2eh_Q_M~ZKoI3|6hFNp zhcS3q6;cM2B2g3}OcDzMRqld}&M6i)NySYj+74p=jLi2}8a!dwACu3X<#r7KXX9%Uk8D;Uc(RxCTo|NnJem&{*_$x?%) z6n!NL5VNqJ7{#(%;!w%fFeKSAtw5lNh8~r^pV#5Ya!ui_v20i*5)~$!U7rzO)DuR_ z>0$1pg~$%wz(`QG3%N2kM6jh3Q5_>UkSs9yf{TL%e`keeGzHquL~nyYE)#MH2m=|E z{oADv1)L$89Etni2r=t355>hU>U3UGGY26GnzYHCcS}o( zA6wf#>03?Hlreqc|C(esX0ke$X%K+IfnxrFa2k-n-AZ2&InV$Rz*oc;c|EtaV+uPQ zK@cFhf0j_!0L68AJPP9(_x3tegIw!0Gj48iw?)B!NI7F2Ll}oSOJZi42>`K97a{>s z3~=IxZ|(iefqf~5GRr25VPYgmS#++Tu0Pb9{^6^(hsilLlro@o-3U@M`NZ?SkjEzl zX56v=fasVrXrT3dbsu-jFaf=zCeyanBr!Kif0jeq>iY+SYXPDh)UMSLF?98{CQq7^ z8;h}XJ5gst=A1(aoK6qTrj|~&9n>ZDU|uF98G68h$sH-3NY`rRl#6480{wX8f4Eib zf9M%;B}2w!u$L;B!2kji(RUhKF-C?GvXmQOD`W7vW)r0-u` ze^(GoFNxg50!DVoEZmC}rj5elgX?ffhJDPb=H z0zyWyzp}cMtP21}V&wQ`j3jC^29gS|ICR=J=-f~~k|U;we2BJ;Q94`8$Bv_t^rbgc z4|1kV4I<1MIcW{_8|=-FlO{$_o~Q{Ee^S~QpXyDX2fe|hnF|8- zM~*#pY}Eyc#^b~_XaDfgFqjH(!uVMir|}s%Pl73@&p7-1D)(bPZRRI0OH`$ta&BTy zkjJO5xaG444#v4nf7a@`mtT`;+JZG}u^yYZ=KL^v#@gqe4Rd;_8qL!_x@gO7f6!FW zU-qG`cZ7bE2ogqvFg-jePZR;TS&Fi;QcCTvFsd45c#v8lxglQ*eOloIg#MOjmS`Zw ze&JGhu-fA^JhHf$Zc_mQpdzZRyi zy!p>BP1$r|z-71pUQM5W$z2O}@7(axi{a$cx4!Y$lYX#o<({wI z@}DDN@^RZrcI}V%)5-lXIA_OOFV`2Z3$*l}_ud(M_@NtLeI`_)44`TI{aZKG zj)<1<3Cc66at0}$MXzPtS&;n^F@ZzNnKA%w=uxQxQnXS$s`Abwe-}2bp6lvz+YnMa z3mBenAg<+_7Ii2_K6mI;yu))6j%sCYVU(!{8kf=D<;GJn)3*~CB^LM~(&EBsag^F` zS#!(9P?+LUBu$8zu(qZP}xaaeoR*#>4>o|M4Si3`5c`5+QX=QGlvtooUnCem5AzI!Bu zrB@y}JicS+%Ms%jx64^_qqA^@4oZ>H%Bh|-14tn7h!gqy7A7x{qdMxcaE-Kiy49H zP#?G9;m5T1XNX`m`IrBouyA!GN|)ibSo%=ajiZA%JUpuy<>SMs4XiW zl4{kN%3E@JgE)iRvI2Glnqu>dGFJAeL}qKyB!n1RB5|+j^5=uZ0)`Bow}sb|b_T3; zc(neqAEaA%eR_&RK3%2=_o2=6o=bPYQgp72M7Kaif4)RTsi29ykkey~rupXHO3TSf zz*>ZiW{wFW)f5gHmRKbqVM>=E^ zKOW2@e<>-YFc|cy&SCV_xnJLN!#gi8x##*t*KTW8E?#}_H}Kdh<&-LndCnED{QCNT 
zzB2y#_0!J1YWuq{Uv~IMVeae;zPAGiu^H_z-FU(c>me^(_~rX=dgI`wzuX(gmYsLt znN3HY4!y-I_wL*L_VdlESwuNfj=kxt?`@dx9aiPcX%b@iW~j*CXaly#eb zyFWCe%eLLU@{(d|aTCb#3tYdAulawvt{lmlqX<{7 zf7SiooB89{{Op8S3@l7Jl8;G1;No!#t^g;%#Q=vJa070Ik!w}AJcTr&dDE{tEA!hD z09?Rl^8)+Uf@-GPWU*oF*K^~dqX^@=hG_Na%!(Q{#BP(i<>6=%4U6x~{~RQH<_mV? zKs%;$FHI%9TBYyBb++DxQ0<goY`ZnVM zhEHO3t8R8aKW|jKxav?ziQl%qcpINhFS}0Pc>P67V%zbWq=y_+USFer$nl29e;c3A zsV`I!V-Sva;4d^Ecs}&?Lq0y!e9G&6pgnHY^PP3-am@Fh!2Al&b3R}4_G6q+dOZ2@ zBh*iP%!o%8Jm2y0S&l;iQgr?~PqH*agwmk;DZMlv`kuq!kFGh4^rgts?;1#3NQanyQ z>99^1ZRkmOj)Yn(w1AY&mWC7(UabHjK-WzL*K1fvgbak4g^_Gr3X;NSf3d`XjZU`D zpphe09=vA!a@5JY2^CegRQIGixzzf$1L2fD&M>oP`e zUiD^=S(FHv8MS8ee1#fBigj(G>kK=pls`$hL~N#iA#Vx4VeC(K^tI8|bpwXT8Oo}gy9Bengq!^a`DwH1*hB;=OuBA|qfpa0e?1&m-geH`9tW*Y z?#JDqe=uvCB)8=wR4fqY=&=&d=?vmp4)4!F$P*+}@^5=~fC;elME(rbr?X8+Y5fj) zAHLEr~1GK1<2at=j0C~Maa zlzJ`VY7+R2Y%xQ#b_jD-xSNu_62l3*WNvdmJAPj2^H|M4e-SBHSb6{AM?6xDej9iX-SUR^qE@J|j2Ile<)NioC9}}$R3N6SDKQL_F;d!zmtZI; zgOPzS&tZTmLQSLPe=qg6u>^7*7U`3V`8=_|{EL=S5-3S8uj9ULZH)mu_KI(ie<#Ih z6~EP9H-mdEe_&L#Yr!k(iO8}{oW>?s!5IhCLz3#n4)G*%&-x46xDCQUcnxQ}HuC+3 z*s@M;ojW(?!1H0dGdQUP06-xo-lir;C=9W01VsD{CH%9EWTy7*`ms*Rc;azD?wLB} zmMtPf&Ih@y>v~H&ebX`=rDdJ;#)O#qL#dh-%%WE=e-#5D6HCu;u6p=o`%E?S7`uci z#Q3-(ro;qXE0=nK$gXgcGt(+7+H^NJ3TUbCr!z_$kk$*+a>8J_MFtGQ5Ixfzei*HaJ?BB|Ss@+wjrpv(t6 zkEIHbf1mag)LS&SyHBk^Sm3vbIpgk;whYu%u%uQ2c~}>(9tYu3K5M|ZTiHdxr%%j6 z;~6DkNyDV2n7iUU(@4vn!!%Yc$s#Q=%|0(9b4OU05Yl#&ZIJCPm=a3ahte^_%Rr>qtCCca_8MPQRbCqN*=oZOn;IRf)3wh ze?ugVlySFV{3uBn&9#Cl4L%2M`>v>++X(u!uhl1cHk%q{qL=2JmfI369);~ z!X2Nafb7-vd&tOdZ>ysfO10jV1mqQd&I;mTI)NePsjx2F_4s|%K-vz;_KOAr(!vej zBKKRYL8RV4pQ2%QY(M1pC%~Y{3D_ctf5_j%g*|fk2RokBvx^dE?v^}P*GQQcsK;=$ zW+Z1qA7Wek9SG|pJk3IzQbG>PthXUCjMyL=TPbElC|UaxMI`sj5h0Z9GBb)23aK$| zDmy$;bX`e!2~D@^!UV)?lNn}$YW}kx075#R`#sa!oJCW=n!frsvUeG@cn-H&e<^Fz zrt~o@>Q=imRX1%u*`n_sz)ZBb;DvP_5U?d7F1al!Es1kAxc2q>-QLz>i3qiSE(cRQ 
zE<4`IAGwb-A5N1F71G>Rc5%#2er1Nx$$Y0ip}V!R+lvX=Bh)JFW@Yy(@zX^p5klm?iT@7CY~`<_R*hs3E_hmjEp(Az;4dh6f&l(G6N0W;}AG@8SO2J$x)!fvE_w36 zE8e08m{l?n&-$N~W>y{ov+FyfLB$q#<{T$dnqP+vLE=@|aKT7&W#oIDf2`m08~LAK ziZ7Z)FnVu8Qm>M>#qrcIk!#i1biM7<^0w;9M)YoJ->OgRssemLFzq~4ZXTK)soNCD zVp&&~w8sGVNfyCTQk|LrS8>%gFB=fn)(nJ)pfP|hFu{yyT{=)~c}Uj&WZ-saqcje! zQ4r9EFQh#DT%mcZ0w@)jf7ry?dEGz*L@**F{hf_F(bZJ|Ui2|$x|Bqf78t zif(L;#I%jy)qMa^iw+os1FN+$dyeq&G$rkwdeNolEmq(wrt5_)0Pu=N6X-rDkb%`vq zL^bqqz~0xHUpsPD3#IQ-tjIJtG(x`VZVUtzCQ-7+&vywkF&``-gMWoUnPrl&2!my& zMlLJ~y57k$*loEaOGXXk#!s7>2cs>7N1-`qCchU8Ae0ISe;&D?P%5*NViPEW%dSKP zxiWM;>BI9)1>*wEw8{g1yFo#s=EzQ1WJN>^t@728Y-SXpTf$3KmWr& z{{5H#{b%st^RNZrwu=j$1|kpydVKl%7gL`<{pRiM1NH+q3ci<=7U8AEXhKMm1K%c+i@r8lN0la@b;@e{_}4*SyX7MoX=nX z?oS`z{+3i_vc)*?RA&4?UuPCo)p>^DfByGA12aeTAkzT>8H6Z<2+j%?!~tN!Vhe zK5+xHa}f&wVTCIm-2qlWY2d)og?_{0FhQJ2m?41uq}P^=Il31NZ~)|tDkvdgPQ(MG z*nf=ZqJC~x>!g&|@U96@Vlz$sj zN=3b1u1ugcGZ9nm{B9GLLH^Vq;^GE0n~x%J5~Q~R>(#n`&^g$!j!TdG7F)YSd`ZvW z)o0@M|7%L90u@9CeuZNHA^P22NC$1y+Z{#AV=|r?EKwfqk0RLs43$q?qnFNX-vfeY zuleCyS5K8S zQNCgP(Opxobb#2QHGSWOw(T3Us{vDjIj6GKId*=2$1z?~WJ%7ixOEdQnhvZnO+P&W z3(Ho$yp#CWd*j+#Cja>?h<^wT+J11#r9WA6#;^aekJL5i{dQ}~sV^gT?_Be9AMgee zlVnB#ivIQEF1)xV|9ES`;nR-B`b7_}fb~?1j*F5QV z>YYQe3B&*g(og6;h?c^Us7-TCp#ee+5IJ3eCb%aUW4E1@Qq9w>wz|p~5vqd~H|JSr zm{c(*)H5p}>LwMzuMjPW+K*#T$;LFO(w=|j_6R9sAT{@l#kM99q$DDlA&}k1DX(cc zvEGnvc)MVPO<7P6)qmCeCNLiHn&^(8DG=yc-h!ett-w07{@FLVpPk4&(YE~Y*MO(h zKf41k05s$M7rhy$PYi2bfVqt@N?BrI+u76uJ4Wo?2Ew!EUphnrA^=I*`21n~p8X}4 z+hAm2=BbmF_dBDPHRZM+NN)QShx!mMVM3woi$ms&`e+59F@Mt!o&n)8u~j>~H*FcV zauIOM%{$ftKuS$tFJKS_=Y?(CQ~&SVzy=_}m?Fr$S<;*7A1nquY2~x~01cUU?h44t z8`t^{^&f;SHpmbnlyVt`#tyd4A_Xe$K3#AtbTDnp`qDt(g@-c?3bKB>-^{0XFIJk3N}1_ zRDSOYh|hSt=O%w=jiq`8mSiMziCchAQt9<`0n^`}ab(x)?O%W}JN6!kt---d8iN+( zL*~l<{7l)SzXQp!_2mOtx7t!uZ}lAos<*ED=`rw=41a({sf6gv8A$O+|3bH!-vLrx0uNoc%WMK;a1s^FqOCsBP!X*?DZg; z(jnaU!hc8tRY!&XdQWv+fN#ZdromNp60GPAwUf?$Izac{41!Ikl2XAztkH0wT8Us? 
zF1g>L*gZC0{jUd0UwuPT5{Dl?S=raMp!YPe51DfARP7JfKt$@YCwJ%HxfonEo)C;U zkuBlYf_JK4^c3AX4*X&Z4mER5pe3!a=j%6ae}6IV=-SXl4Rud?()QHx=$VxdyB9y} z00EFtP9=#-GWH!?{IF|!_wQ_(vnpQpOuM+B2V@o8xLWz*G8pJA>AAhK?{dzCZC=?$ zb>H6^b#xsikWfZBCEO|}=7v@L3faP(&dN6*cLco{;CBJIxU&0 zK^s1tckc=woswKu#bW)LMP?y6^SZu@YWocuId#)NpHDb{y8ij!z}OkHZ(WN1xQa=X zFhpezEs>-Da5#Q%OZd{#tWEC$2gb53Fn=>A|7v^g)dL_<@=hs?TUSkGf9tf$?8`?2 z%ckPU^hsYH3tGR-%4EeOBP3O#gA%!OF&GK04k5Q-sdow}(`abK+-mM@1o8j*QGUk$p z2t*6Gi|#`Vo;`i^o=3L+wV|sGG4eFB>k<-(5|ay7>9kE@RB?Qm{0A6g0DWB0>LXdb zxqT?$PE0wr`4F!-i0sIBFqA?8^MAu!R*cAqO3dyAk`r?;YV*OABSyK^3t1xo^M}-e z?U7I(z%3SH_XTn&q;?gYi6J4(;sYfolB~?`_#a(o7Hd~k#__ejX{~+sId|x7xg9BX zpp;8m!XVmWsW5`RJiCX#}p z#56(*Z7BrN2VZ^iVNKs&`}o@1d+#~-?7j9k{QtkdZI*M>y3rK3%fJn3V#fHz#?M;U z(rDKBS&#u0*%-=T3fM6-`1ytwkn^sc1oj*QtI;w#@4;18AzkjtSwNFlgipYyV zE@uFBsN>qhp|zBnZc`zbBP`ll=t{Bk7&TY*DtjOYawRoQYP+-`pb}X`OKg%s0+;e6 zpC&<0nUWYIu^!Yt9N)We^~VWsmUO^tzY)bTOqbCoLYS`r^v= zp}XU;zSGM19(X8|Ab%uYSVX*IAqa7*F2)o95wRfIs1OMOOF4jon8Ut97+4U|xh5=( zB%rinb_v8BPbVY-F@8zNF)KvI-ALwu=filXyL^3j>2<1+2F1E8m3 z#_8DHLfL|Vh{jrA%ygB4w(7Dw0%!${t)2vZOl)O09h+OMYmkb}RvkuNVO!HUCsra` zm`Z|l8bJvgus|eS7F_`x9hu!xGnyjSg)OsnM1vK6*?&S{02+7$0Mm%B0SAcFJMP|Z#DFWQOQ@8x+KiXXlmu0#ces*NqAf`*L<>iUQ+`EOrU?h+ zLQLKcVVB;8rFaN`AaNvw5)x{oA2jMyl-xFCP=zZ=0>=cvc^`uYgZ?d+oe80?83L+O z?Z^Gan}0kIKo$0;KQYlLgTCsqJZfU0OZ^EScQ3V4?1cLyv8nqAsJ^hOyz;JlBa{gN z5R+?}993nk4TFiW^oe22X_2XZLi*4#;+?X$t0Y@T>OF=hoIxOrmN5;HKq8~dG0M<| z*oKt800GdVlmvoG?V2SX$t10|=E5C14+3)+f`1kN;8;R4lD^y|Sj<@4R6N~!&i;7A zCo1Ef zH9L|b48#**T>3%W0as&J8nZ{J#I@CySAWaWwBJ-WIMuZh4zCDsh?p|SIF;xy=!WK2 znlZg3hAi+6){@9-M7`A1(ysvM?OJ}+t=qGhReE2Yj#PUW6sIEpy3hpaEn8lird=sU z{}(184q+dBMMO55A+Vq%s3RZmFz8Y7y_5z&%u~W^NZS8!_#!d&*KJk$Uw(r&oPXWp zqIUE%CXev*ZkRBiL|BdFt4Cn`-r;BzJhd=(vgZA9Dx1T&}h6b2P*nkyc5-$C!Y73(V zEGeTqb+V!dpo&4r|Dv;#)p-#cV@@i}SiZ#|i_8dPC|ysa2ip>46{c$m5r34Al9W%L zvt}T%EHkb-5<^sXnw$2rt|JW6l}e?iCuH$5z#2)}sjlO*%U1j5u^Zx!PCshjp(d*I z?{Iy}t7ERh*=o#qw2zljF68xa=F#@Gw&i?DnSrsOAk-^fJ>|{v=rV=jh;vF7u=3GJ 
z80B(-5Ced7E_XD#Aq8bCw|_+T|MA1qgHXGKflIpXm?3(vzUT-JL&zKyU7v-{p1yLN zm!lz-KOJMS#uW6Lrv4PhIOkXzbZf3S@Z`k@AHU_~;r4>d=I-3(mYgSRuetT;YZw0J z7xORMz~n3w4%ckC^Cx!g+?F5z&V2ZzpMT*|S#*wBuyyCF2aVbA)qi8JPi(q$-J|z! z|J4s+;QtC+d-64|C>4J6?Kv>%(`!z#58sczqrtC$2n}C>%Aki=g1xY-4duMRgNl zRzQ`2yQEw+iRc%SB7Z|`6PVb6K4%di)iv>}0Ue%vfbm(B@Q%5W&L3(7mzSku2!9J# zaEzhE9L~^XlxM7DUgPOBbL>XvWQAKl9-xv=m)u;!>QL64Z=ln~K4p7as6acSGJht0SLj_5Crf?OZp7D< zp>v%9IhI4S@-(IKGchU{VCHxLP>jru9lZftMVi#2JI9s*mBjM|McZ!hlU?p z&f=^Pw5MdR;#b8<3JK(jK zz4-iB{`I%v73TqN{LWi%o0Tl$K`6!*6N+;-1yCawNq=HSS7pa~n7s#KHKzDvOJI{s zNM+DzS4Fh3#wZh3L50$xjc1!5sTwB^eN;j_Mw1w2)%I8eOT@3}??O!4LpAZqrM@am zui=YvY|T1Lho;td)+YNjyr?!TeSl#}bWRH0yu|7Ay<>#_G($uP z>-|o(JJT4w@K*bi(T*Lo*I{Y3Yc<{1jgJPM^euu_;6_OfY}*lu!*&Aa&6&Y6+f2Ku z#V7&-ww-~=GmM`?heQl4wq3b(-+gx7a@$VH#D9#X0eg{VLMB(5WYUuPQ} zRdvSkbI$W}?!IO>$!^Goypli&AwWn%2#ldbga8)8L>!7B3WZQ;07D6(OdCrnFbJaZ zqP#SyKmi#`ojQdg1A(mzoZ3LJdl5qs1|?{V{tOr3N^xyw)a6ZVas>6|tq=kx(}R%AF*3V}AxoGdRJw?t@O4wrnW`u(a9Y8sJzu^w&Y1 zx+zn(3QJ^iHk3h=**V_qVmH&_5>ojlYuxfD9V)i_)Vk&sYIfBAM|KdJsm~B>HgQV27fv4*T&p`mW`#;`$2=P%?}GFhG3*#%2Y+th zC*3&)wltL6BY|fQc1uv+v^fV22TqIBrq8>451%#JMag-+cAnO{!&O4aY*hK)Ti?6w zlY4xSb00{_*DLYoB4mJ8d zXf_Gk(i8UXqJ7+r4;f;hqaxXwl(tKiC(HqmPzoWXkO;_Z4own)EHeOYi+|AWF3I&K zNhMv>g#snXk;WZ|7-)7gqSC3=ptPm!ztj%R-&iUTC9x1fpj3|AO4zyA!& zFW_x}AJ=V2Bcz)knWlJW`hQs}2?Hapy&Dh@0#RoA#|8;n8LUC}|BS8Pe=a?tl)g<$ zCey$-FP0hoB?5sUGqcvnBoz=rI9U-XPNJp3q)BLUDdZA?0+tY#kjezy8zq%7Ysi>! 
z5<%F>Z43+)D9S2Mp=NTE?oH~wwjfm5e(H3vGDk8I6ImKbNzPHZg?|`{Xssz|p~cD} zEwQBqWQ}fXBap}>8KvoQu)UsbT&QNn1PsWeEi0OnP$-GC$$ui$!DI0XUYng}%@OFPw+ z9Mljoks{<+Zl0ALLq=&ph+2VV*-Uk2GPB>zL}kZRqHKME9J z5fY-MF`Pa9;C7*bEUk%vmAOr2u+2mYh0VSg$mMfGMZ8a;8-F%}gUQwQu1BTGZ(g}7 zeS+|CzdeJqeqfy%n46WEYUEq$>AsSu5&KQ_T!*4!yJi$1qL4y41;vK}wGSrF&3W(L zRinHHSzlf7t!;0a^X<7Z`=*(b6E3dUyzFn@(b$r(2Zmx7BWHx&y*m*Ogjs9UVUgWD zgf!iGS$KS`|-_rKE_;+s|eZ;a3NaYEURkxuBONvx5Y1L0@*tk)!6|0_B*Sj7< zmSD+9z#wF_cFj+QE_j%%~f?X>D=j61TgWzQa= znG#j^zpx+jlbS&xNt8la6V`2W&42pk%f*k(kzCMv;^p}C=@`h(Td=sb z@307j#x7bht?vbu6PNL_mV<{{`}PS6P5#-|v0F9^)XLD6HDXrj1IJEo`TPS;mgOy3 zG4ITA!O?G@eP!f<9Rfl#pLs?It8M#MAtJL6_lnTpx^bfbUyMF96kRdoh>xsvDV?8=#nY2*K{pjaSevj;?Vj!;9f2 zuK4w1hc@D#eO%C#PpmNpe+L4u+|(hrCkQkMnLKm6%U4zg873O&uFfns2sZc42a6pv zHNjWHjIqr^vLG;K%8A!I-@j14ZB=3WhJO{;-&}a(qDYl=_y2SF$%ExxbJ?~hk6U^3 zh6of?ckakpzVf-RZ;d_q?1-Ml)w>RD{OppTc+0lF>X-IC|K&|pR9t)d_{gqVf+z3# z_wDi%&(=P_zPfWu;n5@C@4qZUxmBw+$7c*D%_giw=JMr|rPpeNo4OzvBeLsKj_itJEP3*nh zj~xqS)%d`&EsL(6lWj8!+m|LEo>|xRq@L7x;LBTbeMkG%U$4FTPGaAIpMKpRpK$+* zcg~MKx|gRm@A&FAZ(0x8(Ew>+1`5pC^J1uL&78O2h^$;T`^~q;ytqrxtbbRghoWO* z=F09*{w5x5jnvHk?xk}jd-q1?xAxwORBxcYD9fId|W} zridUSN<;~`VH8{uC5#4*0)J7!f|^EAsm3L72{uept7+64Z0ee-P^6S`i6SbgQlp>^ zYK$9dHQJ`>wB{e^58UP4dr5zUnKN@?=Dz1$p6B!I_;5+rRaCxW{nHymm#@ohX)3$f zAx0*H5Fj{0YW?%usGxM+(=I*l&B@IN5`X)No;40lDV+Uf9TpKkyMK8O^-rDIaWZ@R z?(7qd%b#?iS2EW9_o2P|m*9+K0vHc?MvPPrjM^blw*5O|vh)pco z;L4r+a?Nf_QR%90uT1=+-uYS@fMAqTp1!F2CKBfKs%@sy((((3wLXK1&4y5B)uRqX zW3u)ipL^-d)VdGA65*Wic5>wmq-8DYXvUt&)0_4#Y-u0zhkt_`|8X5@_Qb`TO%wWK zMiHYNBvL~wJK9n5U?heVw_il2n6-Di#kidGE$ib;HpZ2XLul-}e|I4gwfJ-^l1WQC zzZu!s7`6Tb_48lE?W%q6$?e!(zcJ4#TXXAc1Ti%~-a{z5`o#l;5M!JQpo}1uy5LN` z?ad{not+umwtpq=+FAMZ0U4P$e#aL3__Fwlg_X}9AXnCkn=Oc@t$y|xY093O|5|h1 z^z&_eYTl;rA0ni<#YNnsidv5#=82rOBC51->b@q(9JS$}cc|5d^t9?H_tg9ETGy;~ zj(;O%RgrSWF_oart{U5V!c#PXa7rX#?w)b#G)hXJw12l54NDrm`V&5O7?$8&g$h8d z-^$0=k@Q$nXAP@)H+n|7r*i4m7vGV0Hj4!dvE+mT1wurBGJoys*Dj%W$MDTH&Z0cT 
z64reG6h)3$-F@3MEoWlwChF*qwZv7=Z@Fp@jIaH8QAbz7l~z@@Xms`V;fMBX?`=hq zeHa%+0DnTZjX&IHnX^Cq@vftwD0xK*cgADQO$LmgbFP8teO-Blb2~4vnbY%se=z=c zyR=OoV|%h(vSHGN$GA0CIHei11*@`C@)Ans~mo8uVuRA68uAqJ|ul-MV!L=q!PR8>4cUOPc zIq=tO<~N+J=x*!xepSK#`q)L4V&1&iC4bA(j-M$0`(MTA^pdu72-)AdaT1C6F%3r- z{Lqdph;YsXMYcg>wk;=G-+8Cb*cPuWd3betdxIqpaP(rD5Jf$)v>6FZeQ2_Ou5wPSTjoUD)r%Lt^Qb%dSlyNv z5AmQeDaQ^a9NmfSHo`d-z=YYkv?^}@o|vuGuFMH?Vg?9K9WM=U`QxZlpF{3QWR4ql zbRV)tl7#GGO`k{AZb9bgSL*llKez+O4a9~>6aS9W%ak)HT*A)~;pW$nAAduKpnY#QIg1P7mE{3i9l3_>s>p&M53q9+)*6&m8xTjZ1PkpOI|=LO(@9BI1Z zTrvQrMKEh3QdVYjag&8voPR`*pq2!rIeccRRTWR0bK z0J6kol({81ZnMG(snVu}Qtn@F8moJ85FHJ)fONLYy@ftVAKvN7-T%enT zu7hr-TuQ~UipE?AE(s$9KBi%-u|P5DlnsFwISb0;P!VAyN}&C*m$DY*e#QsW1noNv6Aqj382D%FKkqlz`H) zvNP$%TvDI_f(pu&iGOex;~D`c5{nD9^mAS741;0h!M>EPVLrGElt2QV`Zm@(+NlK5V* zfq+*(I>697_+?ba6GljA!~gkG83GtcKvUkc>FY`JfS|l|e|S^4Z7Muqz~DdfE?fip z-9Q2c7{LM|G7x{Xi+?o}Tm(aR!{Kt6UUO0WzYniCepnm}uEor7f%_?cMtJR@VI?nU zM5SKQjd6zcWq%v%f&wR$QXpQRv2o}kRB%QJMg;kA3>g29uq#QH9JaAZOjQ1==yuqS zu)|mI!uP+O7Z?ZvP`S31U#XNhfDdngg)HXxAWEPFV)^;?SNYq2K7arB+CT7+2qCLs zGy@VKEscyIAttp`MQ|pohEHg(TA05-``7=WN)SbWNq@E=k$ivSU;cq##=SuY@gpQm zo6tGt%*s(?+@hKt)}RAnW|l1|BF`pK_i5t2pP!9PvYA)o31TIRBjxTO;=P}+afS?_^ zNQ6N?7JvVU=Kc$WONeCe-~U?AKk@m0*d~L_@fY6kBJ{sfS(DQ9B3{SB3B`=sz58h1 zDrWoM4l*=tv!&mh%>lZ8cgzM_ku)6chifgjco`DoC##1-2|F3=4kF}KM$2h(_HcoU z^4I0{F}X=lPwI>CP=kX+;{=Be?i9xTO$1;B-;Sy+XplZa+r|`TpBkrRhhFVsMlyEFqh&S& z_edSoIdk~t2q+w(2Vs$Q#VQBsUR{4Zlv`Cf>e?S1li=p_7IWB6+!GREzlg;|S;FA^xKo_9PqX2$3?%e_>mWkq!qMa6)jPeV5TjLI zB(8!ZlqII9DFWPgVe^cybc<`~MJ&XE$Ej`mDPfG{Dc5kHU#h)EbSr4_BL4MB5`(GH!?@qcHa zoU`FsDw?`N5E=5m@Esp%ohp%rTTk--xsxD zBi5i1GjomKez}1;2hU$0M2Lzxq22hXK@4l)susumBBcI9GDBy_7k*a|{L3gEeZ0$w zsV^=@PF?FFj}QP?sZqa^Bwxm`eSappHrFmSE|zX^pb%WJJ_vm>7pKmP&vGMEMfg+x zw>+6lHO!wJ<;AheS8e+9JSb0C)mYi;nUbR-s93gCtb0{yQ;eHjQ>FEO;r({AfL-&3 zZ?*2S%Fv6$IFzEZj4b?|<9Q3#B8uW4b3sfIeSwM<%=0HS(OWq)f@J+Oq< z8O5h1;oub_yw*xV*;uWN8yP9LTJr6i!y0u=9xaGS`BLVu!Qwm-dmWBr#F!^aVFI`J276I*nc#+OgpoMO#afRbWr 
zQJ`)B_&h(qSvH%k-s{={Q#@VCWatWOXyU~%)b0G7%aOp(;UNsqM{CY_8y+=E#3Nm+ zOq?1n>l~{~HG$BI`6%i67@*kU2vS5InVe5kFSQ^7H}XSGP4;ihtA9WU*fY_q4B3(5 z1<4I4;<5s&D4+Z!51y<;qg3>DC;DppaL?X6&kOy$G);O`SlJ}{UR}7}g>V%<_#Huf zV}*~0tk}{jsZ1Ki0~nJ_@xBkgvG+PX@xov37cVz5SGLFC z8bC(Si)q0KRGMD;`9&=x1OBD~tsqU}yTUL?b( zf1J)HeV}wLh88&SE+De z>V9`I4z%GY?AWjfQ@C!L-9>u&nr0&eKujOJyr8WsoX%oBwz(rOr9wBg0hnN-dMpB( zZrgb)Xwv?qLAFBTlPMm|d)-is;!P7kL|3}T- zaGAdUWM}!zQmq5A`I`*eV=E#KX~l+6HT9?@RDh)_kbkLe0(&pE1gIOs$RfSw1A156 zA?-3-vb}RA<6ql5-PvHBFVhy^aN+cx+U+0C)XfuW>@-$kVKxS(7LVNzkEaJro_ydZ zpkmIJar9hyb(^Kn^ZWt_pvH4!5Lddrt$uN!)1};S3(T2N6r94mdD;)aJIn=vL@YVQ zZ~x30-+vFy4Zww@0giT4k7#zp&Y&yBwF4j`55amPK3d7(O>TQWBXp+p4IGSHN8bAS z+=u~`)goO{-a`fZFzrFvg%X+e1G4cEM)r5P7c?dD7VG+ljkS_tI7p$ zj$Ad7eK%6-r2CGA2ddJm1ncIgb=HE*A_L&_{r<2>!NU-2C4SpvN=4c;lZ(^ju)gL| zt}R2qLTO0%B6;kY2cmxVRdw*zz>!?sq8qE9CF++QK zzgJjqgZ#(&GX^1ceNdTKxqW$l3SsYh7#UAEzskJ1o(JyGET-tsE|t7)l1>1a9qR9@ zzdy#(-WpfHagTWu{*6r89Kd4M+1Uc}`G5YVy=|RMHNxzk@PeCk0Kb5>Z@s`Q30pJ} zYz9G>r#fA*%NF+(XV1c8TM==(uE7~ow@0RxkU+ksOXkXl8TnZ@D<6TDfR9^y0^M7KM zv=_Qua`P`LOtY)XP^ZpP3&Shy(z*XxXtS^a1UaCuQ{&#=#d$ud1oq@pxkh`6RZZQ4 zL+L1Ln!JjYfl&@Py*1M`{=^Djqiip|u{y3G{VU2&(D9Vw57_Up6Sp(^ zSjx%q*cEGmhT|09!}GWj0rWbNrCwNeSL}kFF)|`|PeWO^$aKbVcS<@)S$__XdNrH> z9z23RvsQrU&T^ojy5M!_3zyGA!2O@ijWOc7^!0P|cns+2yH3;fTwH+2hByt5BR zORhdQ`dTx-k$fBdz>Cwl?~Q%e!@YBfe3*$I-B|C^pI*Z-r|8Q!p`qpE$BGE4VBvB=K)JHDx-+;kS%gK& zsbQR9Ts1^ki_!)t!f-c$H89u=BRzA6n6q_o?$qVoL)jBi#Gcubldjt|8~ev&muGXo1%f)1sORI+h=MsWdAP zgVxxNE>AxZj{_io{pI5b{3u(edc5iV<5H^yFgM3z12f zhRz3JL{g6hv@+jQV0dWxd#Lre#N>`!>Ax&kAJyiy>0MxmekLkAQg88ebT+q>-Y5yB zfarVk>NPnxN!f$=(Pq-yw9jiu}ar`@H>z7<4E70ZcJm7uO$m~{D&B19N6KTabqlQ9 z1$dp4mVY6n$~y4~;@*E5`-9_&{nW@~(;CZsSR5M&Z0AQ2)E5zuH1LeNxY zv9d{_39c125)l%_(kcyBg`j`~3R*w}l>k2&O_gO|GwQllg#7PtoQbE&Ue0r zN8{6q)0(g9Os;`M8R&9z8E1rK%_}Oe%+P9jy4M7wh;xFx@#fx~9Y4P*U2nSAkE`)v zj7cUGW7Ir#DnkZHpa3u@^Pxt9v~bq+gVTx_4uYiAP^Dhhk_!y7VMCLUoTC=c0Yd?R z1b@UTLR-ld1yxN{$^j~nAcDqW^Ckr$S@Cxgm-gh(eboNFph<<9rgKTZu5>i0H3N8?2;= 
zrgy9nixm@UA4)#{{P!ml{`lmg{eSye zNeCj8Lxw%LJv*lzl>nB(+8PuL0RcD?N+OZ1=f#i$#TmiidP2Z3&$EL#1wxFN_STH0T>!#_w3pxhjpFfC5yu zN>nw3O^u*h?>cir-q=FJcFr?^u5q18!Lmy9v9(aWK_5ib(rq zBs)BTga)7zSbNN>N4$6)p1=krMasV3C6F`VTnF^PmQYQYkmm-0n6w2d*zV0)3F_HM(v3pxD&YD>5i&!r2 znnhbazTRWqQcGCQ1_Nt@-NrfYqza4IeE4UMqvrko^%?K%U)lFw(AGKa;LCMA-3&(F zcje;9CpTeBffEraMk;Juuz%#_fv(@)&sg)We_n2X`axDbWZU@*lMg?>@%mpI7c5%+ z@jGldRd@E>clGrA4-RF&dE2sg|1$n}yMpO0s1T&2APmQR`KDK23}+2yIDXre^KH*O zJ92B!hNH)8_WX41Cr4-hFDzkhkCua{wN$+6?V zymn#9xqYg(x&684hHjk8c+0lF&uX6i_4K_v7VUnj?ui{$JvZwFtf;cko+imySLb-? ztOF1_h%dtPW6KhOV2Tos$5jWA5kaeul5FW1XE zzc&ZK14FYGF~^<6xqkyYo0{mrH(r>=gc$o1M!KIdAIre}S9hsE{ zbBw$2xhI^=RWK$aQ9w&%h%X6X70@3B&`cHSM0-hIW5t-(w(447QPt z>5;ctUDMVxr+=7YGE-z?(w2Xm;X%mc!n-eh3}KGvTXVD4HLsq{s^>p^@$A@_pD*0L z5GUU;@!%^fj=ciNbTpUd;A^{@L~aw2M6>~Ad@e{SW2KhRD35;nQc6ul(gtIR8$iNR z!I-3!4AD(VZlps^A$AZkCgZ3lFHJV#R$0Cfe)hLx;eThrX08;Vzc#^}=aTxRTzE12 zRBoO@X|-g^u1Bov!{pL!tPaTK3Yx?}cPtvQ4UJ!I5?(72#OW@~-(CT5-~v7MniZ4E zEwVgD1{!8cR`Qgh`cc@FPPYk#$T=~7q&lJuuo7>Mz!?MX={j9ujz>=ncEo6ZBOdc3 z!hl3>%73a8FS1Pg@;BdLnew_zC&cLX`#(Ro;o_UDwtV}$AKm?FFHI}~C@xV1DmV7l zwP$;m_r4_ZqZjuc-E{dFD-7LwP(Y9gki=xAM}V>`gtJE`G57+DVqLF5kBG zJ6GRt-MJJ%kR%8)#YtcL-rqmk{KXM!p0w%8g@3un4-dI>)wrksu<`1N)`!+F+`X68 zH})KPot5f3ezxbH|D0lD%XeM8{DZ!eH$1+c!Nirv4-3VMqh{XQ_qWa0Pq1O*rXP9x z&TFUgvnO}$dhFYmPPcx4C1sRGWTM9%5060_K5Vf%E3zz$)q@qrfdFlE9HBq4Sq>T* zQGbaC9i%}Svre%r-Q%bP?#^zsik)$mOjW&5rF*@583gVbbjixwZCkaoOhL5T2 zR*vQlkF`7%jhj_USZ)&5UE)$;UA{>&Yk%{Sag1*f=E`(=u~sap)z7l9rU_IQawW>u zL9vd>2GuZ;)pfE$S(eJYx{KxORiLy7hfoTuI#{WlWS$BQqPmM^%2=ocDsTxH7NKqu ztLbK8OVixVP3u;OumJfY6x&&;MJS0V1R+;}s_$f_E}km@SwN=0L$Q&EZIB;<#TqDe z@O*!}$d;f~#zHk_t1&D7#87mnVDbf5W8YF8r8pX!05>b)1N=&@wOusnoAQ|!E z;+)XP`zbbCcgG(lF~`lU6*1`JPFuX1U|WBc>pNde_K~YhcRjJJGssJD^0Kfkk#5p9 zdW&SMX?M4`3jw&v;T2A`PZ-4`g=)%)-V~aqC#IFa^R$-Q63z%NxRn!{YRWX(#OWp7 zxsM0>i5oZlpJ+~86_l$0DzRt01^pBASEeM8HGfsBuJ!;0+OU8N|Z{;AW(rKsX!8D z6p(g%C7Dqm^_NLO6h)e2B}<$nA!&bBYvk>$&DLVaHtoBu4WBU)h9-t=f`BCH?np$g 
zv;YzX0Y_x|xJ*(PP|MOu#)<2Rv6Db>$#~x61lI*}Uhps3C>{GRWA&eZQgZoEnb zV}dirxe$m_#Hf+Gju}-LF)o-ghB?Qa8u6N8^KHy1VpL%iQEF5iA{gQfQK~Q!cC;sq zDdEdz3{i?0L5v`SoI)vPOfeWVhMBBj=`WTlE{r)>Re=ds!g&#l#OCA@kIg7ks5_zs z6Vi?8nkXk$Co~gF&;);@NTtJ(Ev^+SvC79y=Zu*~WufXzg@V%IOL`tgR)lDxQ|b0v zDsvBiDO1BAE!kHlA45`tk7?a2^}Fiks)vV!p8dVjqh-Ug@Cu8;O^?xcggeahAJkO+ zEvSuE&mCqY^dYd4#|6rWKan*~Y7%b3YmKmUT~NVP4lFdeZU=v|x#LQzV@tBJL&uyU zVAyHHN{@##rI;~bL#8%<1s))(iX0w>2&kjRHtfd~gleaZVk|nxfmOJB}m;G3N+To|-{) zJ5MPn`SO4>V*r0@7Vy92b$fQQz4I_kM1e$%s z2tW#Vx`-!h70BRUXJ33YdBe3a}@J2)polg~LOgc6(~3D|aktI;ETt zf+@p7bq|_YQvWpx+L0~RSNt+y)GsezQAvE(2%v$igP(suC{9rsQhkXte*`L06h~lA z8F1E}8`67{H#uWk;R7pRY3c&35DAjy-J&Rg*x^5{e3NJtY$;Ldd1y|bR21u?#QG*y z&Azp!n7)OSpJMVDjbwIM_11lKcBY!x`=fhy$;2#4k%}#>Qc3HIC$b95g8?I{B|TWu z^D`;J4>W(09V;aYh252;76+01TB%yN+p$d(LRakyOCA3E6RTQJr|($dow020jfQEr zPJ-XP;Kr3fhicMRmtc-DCJNQ#^X3#ce7@-JS%?q3|KF~hx?MxI{5X5pzBQfafV;}R zJq3Q(=C)>tO?>rgV}9f3e58+1hA0J;_TImrRDXYe<@NScG&ErF!H-^T`zxfTZ~M>V zjL-J@7rppaS36+m=0{hGPW)*{=be%}wTj!9edtJD{ZSl>TU7t&fxms5jvb%6|HzV? 
zje+$G;)-U*&&#S9)S!*&mMj-(9w3)e z;=sH~=~YX$F*)!5(B;^+uA=2L!hmqj1WhO`&-(P^8GktgDS>&9S`+v08Mbrds;=9> z)D;~Uwa}RS`lID#o6oL)n1#mvHkKZr|W$4#}P&;MW7Cv zRC@|M>E&n6Lvr@aOUG#cEade9y1cq`B*7ojzRD@JF8ILyS;W z12Ve$+SRh=w!&ja?Ndvqo;|+w?j?W7n^07{TMR87{EL;VJMRFbt$%n?v5l*~*9N)+ zdtX>|>(VQY^|Yv9^}|*LG-iv1*eNB4cL8&GOIG-c3np&gC&mn4-hLB#lEF9by{8XC z2liy_*b*#!BXh|#5e#A7MmR%UfD&5Xei0yR*>`P|KCXr2jEZj?!3#(TRi%H#o;soC zU|#J3NC~Zc@Et(HtS`^$3+MSO%k$p(jhHlMYv*ljO9W34Q%VR@)!5RVdr?N#{QC1y zSi1ag7gF}s*k;WhxOBt7{kuJ7laU%6`m^nHSR(h2ntt*VP@JHo{Q4jFJv)BoU%QI& z9{MJc5HUGC^WS4Y;a2G_jl*tI>&QI<{Uh-QsC?A2;QrS{%s=3o^ z4ncgvypzYl1(XZSICFR)P`s)A0;qxbm0RBIyq>=IZI&=$MdyF*iH)DKVZ#zSq=0L$o+85KK>FxPJzS$Tu2R*h^+}fM#7yl*G)74@ z`dRlqi_O*0blQI#FG;JFX{?jtAXXkq_@BcEsU+=`U}HIgElFcm-dE(fih8TGOg)iR zmSIAXqft&I8^9>${#M4l)m+YMIWG0(!v<=rAgSO}%1JQ;@Iu!q<&+U&OC{c+iY-RO zBvG3Od;4K$GV;2eZhAM+$Aj01n8+#OV6^1+*qxr007!4duh2C6r^eqs8EKW zMhGC&>9qC2v{Qy6Vx2mzEsSNxmd;dd$I^~;hSuHyDfj%z<9~mwv-jEA zYoFxT$xMIFS?gQh`+m=hgg{8eMwz)y=9*Qund_#A%p{R-#?o!l)|yhY$~Hs8 zR9TpyGDTZ#61KzvLSd{ZPSLfkl&ew2iL%h8GXWGEWO0fpmY}9X6eh@gi>_&aprDy4 zo7KfGSs16Y4Z7H%f-Ev15nBU<7z9}SyfmHC*2sTClgbt_-w4)ftj*3lfJb#QAzb-8$0}5#bWw+*{);drR3 z*&>r7_Y^{6WB|j+gihi?aQ1w*hS^|ko5;6<2>=mDyFXI|l0cwVh`_{ToS_x~h*^It z%}h#3Cv^F{Z}rC+PpH%nXJl|WL*)Rvjb5XL}G4k<4i^|Q_ENxSTcl#nq22N1eqz;Qr#%c zWY}iAx`bB5r0N@T9nH)JOAW!q9)(gVW2byUprl+u=IgP&(HNFoKWghEZCjU`rrC4e zJfd>K){WMsF+8RbG68>;n(VY`xt2ymB5PDQie4_k5QIzcB8LxPFOoU;prgJrxE9CUl>~JWC}0`6r8nF+5QS#B(`PHNsRJhQIYC zzBY-LZ~|&sts|2vock`jsO(C(^+zBoB!C79R-qc^=_n&y;$DB!%9Rh>E7Tyn4Uj((bEqX zdY5+XSohF>Zry+W# zqW{yA*{OFde)so%LvPEmsDQOWg>`p6ad`U6Pt@GIATTXpY zI=E-xzZWL#9$fX_(e+o~5v5VvuU~BY)$=X=t2!Tka@!~8L=M+HeQ3_Bhd2HEPolYF z{l_O)oqQ{^Vw^VCO$<6po2-lz0y4_bvK<23%K3yug!w}K;uqO7s_&)EC9mZRjzA~LUA2f2>NqoVI?`-jW zsl?jk9|uyap2TY9hiZ?2bWcExKxrYRaA{ESCC?EBK}Vo!UsH<@@5SkpLWC1g1Cx$*0(iFy4{s>q&ny^un&0AWO&rXGTvO*tg>CW4mvj zD{dI5`|9eM5AH2&T08rfj|M$o={YcfXc$qNx|S~wwys-}pSU#WTsi-#9~2gD>e%(2 z@BaOg$W0$Odn_~mTYY~#e$UyXpaqa&gEBXH-eb=Nlj;P{*naVEB0GNY`p~SsPtJSw 
z$fAGaM|Bf18?r25;)6FY3(G=uZ~WlT!i-t)lV9sQ7p?olv$>95VP_6rzbcB2V$70V zXU_J#aCqhm&!~nOUC$iZ{;%_5)cE_}dPU?HtbG0D9XE!A=-ztq!sqtv*VAXLdGQE; z^Xrp$ZfW|`?)HJZgqYfYfy z^Ol$itTcU%4ZyGtx@R4FW#dPu`#<@xVeN)e-`tsd_U7-td&9M%ReyPR{Et^5DGj89 zhOx`n-nOP!1SP0nK6vZ$hAStUwyb~HcKM{BahpyZZCcac|IwLc$A69>6rwh$YI6cUROt7y|!QeJ-)N}=*r z5SAAcsuc?{{tNza?!9y8o^z+akYOk6%r5sn^PK1Tem~#Kt8V>Sh5~g18!+KO?<+rF zclZ3b7nZhvYv;QETw8qnfT|45-~T;s&>|SzIC@4IAshQD-`~6T?#GLc@6+v5H~j17 zn$eS@d1&YV?!0jSx|lLJuP9AA_=1bo= zeP+kqi^GS1@|8E=6k{suj=iH7EZKPLqh~LkXH;R zvbG##dL;|fuc`q6Br1xb7H&?ndrXVoTYM;UOLKyf6HYRbJ8^df*2iEP6Ls0+|GO;o0-Vg;JYVX0GwB~|Q}l^G&vQd&n*6k$;|^@`SB zC^V_k6wx-M8rrxtUIq=46ctLcp(G7+*Z|G_*fCueO4!^Z+J=9jsUnIqSG@n0XztL( zRxVEyEq$h`1DZNbO9fgwRj~`(9)y-&XdEZYUldIb%7#vC?bMB}ve;i)v|;4t$D99o zL(l8hL4k}WCZw7olBAtmGch9C&5qrF*%@|CfQF+u$~fPngbm+^c@jT_gwp9vpY7#@YUWl6LS{ z3(9lT>0MG^-c~qoE0k_L0YC%=jif0EB}=8PXHO$(MGAizfj~iohKD5f)nY*ywPA(I zu0<6{2^s@nqgh*L9Rd;%DJG?bBD<-zW?~JDV4@blV(TphmKezp1)2gajWq-^Y7$Dt zcQ}z|Hd<-Y8o_W_nh1?0QwRx(LIMJ%fix>kOaw-wCeXx2V?fBv2H7xZ=8(DV0WtPb zQSPHc0QP?k5CKMDeP*`!Ziy;sRcZ=N>h7|6g9s6PAEH4^LVki>9U!4Rgn+au43SJkIw<+@`7N*ApdG}1! 
z1Pt}UCA|9Aj8@2917*Z!HO|Ro&7`uYiOgEMdia0xF*>~;51E|o>P$*TFPe5;dqn_s zfNU9FWG*7Z6hh?C3OyhQ`sdCSD1eZ)X3Yu!Ndsb}=>mvwzGR8@09wZeVzRf2O&(#R zlU)hMBmtF#X=#>9Dvmt67%y&tNQI_x?Bsc`?S@idpR(VCjaJD*nqxG9-RT+w6qOs& z%vygV0c(!VEJiCP)|xD{I$l33%~sMv#vn7=Rk3vv#`PjSLm|yp5o2FH+5yLadl}PG zY+Eaol<}`ZM2L$xX$Wi5?OaHD8cpiu19%hvT&tLCWAlzSykl3_OXiKX$m@{3XBPKj z&3gZA_O?|1=#11rH}A>@uVFtmyUmOnGOB;My!n*!MdW$c$u4Nl6_3Q}779|3^9)8a zOT)LcH|5#HyNv!iagm?P;>!Cm-Ql8S zal`dfva=lxNrk#&91}@k9zRJag2Bh<9NG_4i#BFBIdP<016yKjYa_9`yM;9SUPodU zHk#wYm$VoZ4@xW>0hv%&pH(q(DcT3y<|Ww^b8K2AkQlM@fk+_`R%6K&){yAa*$Af+W?W*}n5%MAmYQ0R6x>qQf5dmfxnt5i6IytZ^l{c(> zc{+I>D{r(`W(S|4-lv!M(F0x3VOW5mY1-0lj~@Na$lY@=cI;#C{%-z-qhf#Y(_j1G z)bJm7^Wzi0u;b;PgFk)h!mou90DvYCqI3P7(Z1ilUS7R$DA?JT-9O zwdMalEuggh-i68gwhJz9yz;lofma^>#Wq2p4Jayi{b=v5yH|VO*eV*vZ~g3c-{F0| z-&woXzjSs|)hDA?H8x0lrCRXED&Az0#2*yWo!fJL0 zGrNGC#NnDSncPppJd(RtSL%<^P%@1g^WK?W(0N)|At7t1afhtlNR59??~~lj8AFQ8 zPjFEWUd@XaN$qwn?kpqkME1D={e&oBSj8eXe?`;Oss7MOP@e zXYtS8n*ZLR_1E7PD42hd3S$}vzP{=5@h6TQ2^TDU>C!n-ZilYfvqoNCaPr8Odsjv0 z)ENg4t-gIi_B_1n(|J^3F(>4Dg%MNQN<|{!nBERh--Q+<9M9F-ZSxUzb0 z%%$hlkmLHxv$WJV6MNT$UOHSR$~W`sd1_tv#FPOJy4SAjh4T_BGpRJ*1BeR&$e8`S z5lCrvr<6&Gg)M&s(iPz3?Y7(lsVhHAAAD-VMln5<%{UD6{!eTE1SKItrDS>;FKIY4 zQ_IVrj0y@jur?YSrw+Wjf7$5SRkuzwEL*eu>gDyHd`SJ3whcdAb?0>F=I7=fJGSh` znWZ=XAV>fZm^R(HWa*8ID{h??Lo+vDIxYf%Jb8G}!4-cu&b|2Gk3{3RHKRAaegC|y z3@to)V%4=1EngkBSVjz3=xI+JeQ)H>2^yHSWc2)|&n}9=hi3lio#*bH@7l3^^2+DG zd++MApZs1Jd}Q0s{_TqtqeLJkKp@RB4nnpKLc)AaMU+}SepG0PNofKiGFlKoe6C5R zJnH|1U0HvR9LEjr;#oawOFksa@d3jRF_Hj&vUB+*`TxHv4`fwWldO&)EToy;*}=>d zoBa44gwl0B4ltuI%_XrlM@$CUvdS@BubH^Dwyc2|+?cNRj$LW8R#PsH!+k6&Rr#4v zbe%vmPpu4MGvrYUbAp3O9*c6|H$@%jSaeUIP$aeVcQ z>I=~^2zh;=PrtW!KjBwD;HUqz_dn6QkMQC5%OzqHq9 zfa{^9W{DiaZT2H7)Onnr)gpjnOCYCT+jHP zIqXcz+2wsrkuJ?{MvHApR6#0jfmzGEsC*`ODAkRwE2Jht{BoI*-02Y3;r9#P`u!G< z5a`Ikm$O8Ov(#{>AfKi-t7#tGv(U2XcUjQ$25J_g(zyRBH|J-aRm{Nv34jHKSlJAx z(J$8m2w>@Ii0wEK37A0Ifk=!%;7d~>WN3b2hh{&{4NSPqz6TXmQAR>OI|)md#+^GN 
z33ur)6(vv>RZ=!>uDMLlbqPB!hOB?4fL-Hhq@N6EmY7(CS%6VRO{ll@Ak4P(8O6oQ zf$xuO88oeMnMHLSh35COZ@5N?>F79CG{pAGBm{I_K!|UKugDbAf7d1PgWA3H{&=u! z%xv0+=?3Rxz8;b34u#ql#xYc+^#RA8c+fP)_gkl68{8%Td_-F?v5`~7ryCe@ zVHQ8h!vx!xIHU|i=0_@KBCUU2l|{t+m)V=lb&^dq^Om+$kZUXCEzBrVqcLG-G0BhZ zFBnDDD$8|NM=6=;tlw)XLTSeta@6y#B)18{7djB_bChR5Ndwxy;-DGnEL~j#wG=ji zL8YvICqc|vpBa&T*aYR!oZOM+ikS^1!$`RLLPUP>;2*3mx#gZNo4J2wI$ZEZuo$^3 z64U9k1RjTorQy~ZsFH8V^2^d9FD!R1i=6XyHg06CI9y!d($)bHC!IW40pdz9Cv1c) z;tf2E{m3K*F}2ZL7}5!d?pc3Nru=^^q$_s?#%8j>5kEL*C<{4dm9|Vqqu?$vhLy!eFwrSpWAj!b zFtvl*@XlguC(yW2&X%Tkw>l{Sh%kBO8ExGeuYQ7=6P#Im|5t#&17d>7YZxShi=sWT ziO#HTROt+mG2Lw7RNC}I3M~(>c6MN!JEoGBeS33hYt0wxxO;z1-`z!F$>qtw`K`8| zuNQV)1^9q)EbnxvScAs}fiH+eFcc7h1my~arN;pWBYkgT1a=xr6A}gl6gG;7B?Mau zAh#@X|HR29<3W~hgsSQkJM&T*3^yDd2X}?BT3(CDY>wv#6W1iO{juI%=ZTzrNmk)9JAh>u-0K}G)KJPvP4AC8ZZNsN4=yJ z&f77d)qZ~+kuamAc}u$6*Az%8mjFI zm(HM{(#@#!yROrJ@n-m(Yfb5oowvoaC)zEfGrhHB^xu$_WD8+ku@?z|QjifeaQF7Ud%R z!HR#W^r_67*BpDkQ%IMmG3Py&*{}JP-(@Fe|CF5(Wa&p8)J%E24J}@|KYDO5C?H#X z)3Xb+Wb3Nn@fD@zOn6bq2eM5FSQu^Hl6_(9O${qC6EjcMBN$ZrdGZ~gWe(to)rfi2 zM=fwZh?gYuwPY4CyGgP0Jj)Q>>V-NJf4P5m_8`*L^h91GR$Nx4nMvh%G(&}H=nSW? z_1sTQN4V9x&C3TN-8~I%H60o-?F{=e$hQL;a?D_fjO5s-P?ds@e0k}6=#w9m&AU9X zyrjs}(0WPFj}t)IyiDDx{vJ4ixkT=$cR3s*h%NI~A=_dF3eO5ftuNF{%qcDMLot5} z3GF#OuJpBDEwT=MQxVDeW~B_jM4nCCO?WvwfWtr}B5fInX1p)5<0G~So=pcT`)YY! 
z=N;W-!#;4h&(5=LKWm#H^u4S-l$RJ05fMXkX;hzCs%B4QP0CtC=8cA`Sb4H?Gym%) zNw_h|*~MLH{gKgJvW44PfaV0`+h~6mA2#-35SFc(|99a>tkxk9#`Gn@JbYrxsbu$1 z&vQyRrJ2jSUYvr^CfHU!T+eqEaHqQsRWkGaLjo+Mc*gmnO|$r&a48d)Gi(GYjCEzc zOz0{&b>_yctbmy`fE!aKOr8ciHTmv+-#J2>Nwuo>K-MH81f0g%C50(OoUMQTIUzQ7 zc03L7i?{lCyYOCXl*uu(9>k?LvL5d#tY-#Nv~YgF9iF=LJt%)yq&ul`sStTs8C*)UyA&;;tr<^wPCgCf_wbR zvfInfzs?)IF|l9NrN5oh`(*1&SF1|)RaB&_o~N;3{3)p*Umc1iE=yNHu&>5^ zxr*{Il+S##=vO#k%W%xHFbwWiKsyfpjurCIy+7BE9b~W@UUrCJDM84#kGpu|(g-$- z44ylOA_VOCx9qeD6VQO(SEii^?`u zn01xOi$#VtfsH)Ec9Q+r->bt~Am&~6%{Ho#u$)~_?Y&D^RMCIe=@_lWgPk3^6&GO@ z>dL25S3WzckV=1@e0HPZA(OmL>PlT36RKcWeVy}pvI>tUIiIH?EU>WkajFvuv$I)- z%7WA)??iG+c4klH4kgr`kY$^nK={=q?J~3&`O3fJwr!7YRd?0|vRqYjEhr_t>z1cf z^ydmV&)8w&L4^aNI6 zBTb<71Trbiwp+a@B!tt(9T=zD#n_@W@~+en1ap2jc?%*hjf09Pi{*Yz{MF7sI?F?> zBk*f}SMrvDq$`aB&nkR&5VkW6!ty%Lx0fvA#??N&P8okc)nBKc9lOw})H|JB{zurg zHK%di@w4Z?i@!@}`p}m&cASx~v5aMb02xKL<;qq%Zj#Bgi7l~LmSq=2;*Zr%AKSWh zoZ6Nn_Uu^@LT)FoeON^CUgS3h&cd*8{^x)BU6M$l608!$8RiTzhBY;b2u!6+rIb^m za;mAUq!EA4FlW4^5k?WCSY?n?#2I2NSwl+I!W7(qTQ8vv?d8eg*nk;<* zp6P;;tNfTNmsiA1Pq;kEX^$ZxN`f~}Z1GM3?2NHQbrBIfLzL4Q79%0H;lv$}5JYj( z{-mcv8B7V`6r~0$r`1H_vqc%joF!I%r`wDWnkYX~%xRLCU`{b-tfVE`0n^mPDhzQ- zG){jsohoDh{0jn6)@q#?%WIhB++Epc8d5sj0QN;NfEHjf}wOWsW*no2YktDI^o=9FlR zo#R+dq7`K-N0gG&P&gAwz^9}EjFVC{JDY!;Ba-L%{h||iF*@Y-*Ry3yk*Z@hN0?_B zsiDaSD}pm5i_QpSx!FptqHQiN<_v+7Y?+hRVTMpC*hobxN{jMZSuwpL-KHX}O>UK% zb(PJ<(HD*RQ?qlJ5#r9qnv^+oO4(q>8Z9wSFriSz3Wb0&q(VR-AP7(jIR%sf3ITso z08s$JfC7LNfDvF=!4yyo5LE~S2m_1&K>!gzFdzsp2rvSO0Ez*@fD*tkpbEfHp=h>- zV!#k!7;pwT0Tctwp^5;ZkR@v{q!e)sC<25ilmbQ-h5^BlAwU#>As|?x3cwH`0yzSh zC=>yV07eQyfKY`~#1Nnia)vloFjjw90+?rzBY+v=Gov$z2_i%x6e0u(#e_giAmNB2 zKnSE%K?ooM34sg(1Oc8&ttf~SdUTP68>F4uW6Tbzd>nCEkvh1I1DQs&YY z7~$Mw;0%~@Zil5P8=Y$ydJ7n zd|0^|HkL(oMXZ)ZHXTf z?fS{@*57U4IeAb&*{Xj|?ypaG*4{nZIC*gA-S2CYt>(#AVan>S$|KZq+9{>ywAg=}z-_dt-9H5pOldJI#07&FTH-bf9R&a=(8(+-=33C&Fokt}Q(y_Vz-1FLYYM*&Eur@Sgtc7?Il&Z6osZp<_j^ z5qrAu^~f`Zt{%Fk3~bpm!mb{AhIDk{?H;;j4p(a}R!7oLA1JyW=P*s(;%41F`&H^QzF 
zcFZU+Mc~MR9R-&3t=Koi?l+;aJL(ui-wJzf9GH=Bggt#2=wZ-0>{v1|L|_ZwiCio4 z9NDu%*AyKi@*cl6Y~iC^G#U7SjCu7%IHkvn&5;IF=v`& z_1uc!7+GLQYMPj94V5h`Qq0sMQ`_v8NHK$pQje7HSMEuh+nP-sk}1^2yxEtl>77yu zN^SKb*^wdvy6ok-S>Yn&WCk6`-2as8Tk=|NZgqdQ{Xh{V;tV5%T=;Ktud)Q6+_?{g z5NuEOe)ZSN<>z;={NtYS%Rmp?dy#F9x_a#G9=3HEm~mi+onQZDSwHD@!hKtM8!sO} zIc}SwXO9DGv~P&66LlTwIWjP!V0Y*`vZse#chs{-eO+|EIN04i>6_!g6g@ra+p=$m z{kDJft)oB}-S%kUj0cwN*s|xu-+SY}9(h*WvqoJz+_$5?83vXJEIDwe&wlgg+m`gY z@xYGvZP9=9cK1&cuN@9d+0}=EA$yMOIkN8@4XkM2mOWGWtPy6m-Ym>tf)J99|J<@=tCi zma2~J_p9~w4wL1O zSa&zouE{_B=aC)vv!pk_UVS^MY?RzL@FjyKfF%IMZTB+w{_EWS7q)+fSIU+SYwpXc z5?H_aZraH)=c>OSIQ4HLbA;U9nd6*P= z3kHr`=7-Gr;Co>a;bE5W$jHdR(5;!^sP{FprfP28J{%}WHD>A<>u=tXFSEb6X4lsn z7mzSRkC*AKJ_~IWOhA8O`WTyfql1y$rVSFoKw=}vGX2q|E}ClmOkFd<$bKDYYV_*{ z6QLPzJspK->U%O(sTjQ!Mvh!BPWh}o#jbIU5F~Wv5#K3mZtbo>{D#irP3^f2lXC3M z-3$^NA+zO<^|SVT$D~L?;pC{TY67t1mlArdHpt|o#??0tB@Ta_&K$7;ji)phiJXm4 zIQs1Dj-LElzsov!u69xYe)pOiNrHAEt}WaC-Gyv#bv<-4`s7?m+XCPfQMw3Y1 z*_xI7q=J9*)sla|?#ml;WDK1lArCZ>@VctJ4%?)Xt=8}9F8usvdOl`X-AK=VbZ*nb zQesT0fn4&lsv`quYJDsPd4L2G@hROWaz~k%zwE8kq>6F6V4w>8=j&a)MYPtGHdN{G z3KSM-DDP^`IWlzq)N7$^iphOhE57>GzJZf#?;KEG|7L&f?bMyEIabwvcci3H^9RVSf}6qE?f#rQ-D$+RX@NX~g&5I#R7Y;I)u9Lt=@$Z0*!OflVCT4(yA zeplBNxX%Y_SWJET!Ia}hWm>Q#x4?I7upYu-W+GGBm1#DzF@!bP(lHC;6K2+qs@p+y zFr+baKX88@8JXZfeMi{)J>-GxuQ7W`r)>!wI;I#|pe7)gb=zpTGvchK=bI_XWxNM< zb6lrDd2gT`_t$Od%1-Dxy1Os4?lrT%{Xm^xi0`y+>^fBM6AnH;9@mq83ZLK6amYR? 
z{;VU_;d3s(mHLav1?wacHh7xWWEye~jdNgj&!gN=Ztfz- zq&i4%>dq({sm&j>#Xl6lUydaOGi73Ynd15h9lPhF^LRo}e&v4%6aSzvv9ExclD0m`i|fs;^>Z9*T6_PO z91>i9d41afdP?Rs**bVCUp=4qq%`8AFw4Ao5s{JMGu(UtG&`O4Z24d8voZQqCqfC9 zfnt=y2Gh=))-@P=ZA=*--Q6AxSe?ak5{!p7oq9%DifPlGQL{HoQj{@LAlPU#HFkd+ zwR1XkT;MfiTF)998X9T|4>QAAOnuD8#YCs>52gb&whPRjFJVe@PfwW;`i*iPk&P;2 zhjfFNBvsCVSpqT+=%f&5$4tX8OG4m49N~2lh->spBoZi1AykQmE@G79{7vibW+pza zi0{Y-UV+kh8uA2kQAh$iGPns~kwFTJ-2l5; z&BNd(7I^@6vq{HMukyAc0YNfCU;#Kvg*GarxX%pTue|fCPU4B^J9m z>~Ufbz%qamr%4Q!0rUW1)~!fS38HI)pMSw0N4%$plACt_OiH{I4a z-TOTgC}W8*jm9wbp6T*_OwWG`-QDpnUnf|7l&LpF_ntRxH8stwH7)(nJuSfyP}8S+ z7Hq;)vK1`8KNu)ugs6<`Uf_%{D$}P!5kn26{<~%Ky<;RSJS-r|EbuGSIZQfCYQ`>O zc;I!YifIvoF3!r-C}29@b^orArGH!#-Lh)I)nzfi|1|3Q>Zq33MSp)-{qgTsM7P8) zY>8cXZPkyOmquM*8P&3U!Ecu=y7uY(D@&s<$1G@$iN5^F!Yj+7t}b14dHI5?s~25a z8*?poar26WS5`z{UADM+#p3HL7hhTVadT|+wPn#QE25fLfAn9*&Sf`_-3Y^Kl6B#& zXL>HWT0RI2WRXRXMHYW~lpxz6n>Av8q`A z_y6{8`gS+{{AKs^ar5(b`{RE5^KE>6+s-Pbqcx5xPFoA~8ne0>{V@8XyH&FlU6zsG;@a=&@K4WDk}=`OtA zZ=Ubs>vcTs!}9~b-1?XM`1x%--Nl!iaN7IVBxIKCdk%RYR% z4Ntr9ap#_P?&;c{CU-i}`&;_7=hH5pZrpz+e>&O^M|{4qPY3sOaL-5g>F8e`?E7o? z;U=7p{^c$_UAuqhqkFz~ryKj>u_zQ3gMdUL(o{_jQcZ<-cgwa`zkFPBVbJSBfzyuRch~S*f8m04PBqPSdF6NW zuY8hPerRP(EI~@$A-#$g)@|QZV?kZ$?*cy1o3(FG)^dM{N%6fWM{0QvZ7f^+kFE~s zx+WnP8tv7?&z&+ly0{zdCQ@`f1{^(%4ADaHej0gWdF#Lf<2Bj zMZ5KO@9d6oZ|&smF5(pIag4WH+Ie@__(O1e?+?N5MtdB8!y)>^==RZWgFB8eIe!@4 z6v95zCg2$C%5f99!P*d1q_c zWz|t`Rnk`!wW?!R-ehaZMXUEI@6K|Cw5~L5W_00*wAB-@Rex*U<+Wk3EYtY>_$PFR(yv(Vy2 zst)ddh2Cd1++7vkYcTpQlWpykp_?gmo3-soP8CzS16tksrJ@Q{4t^yAcgnS;U2rjB2kSSe5)r=>n@QkQmd_ly3~U5;w$u+{Pe)6*-005h*5)58Qj}ybE*by26^S%K{XbI?M!M}hLolmZLhA(iPq+EFLzi=SE@=BUxMIT z0b#}T@6NVWqJi#U?%DxxJLXpz-?X&%7XH>X18mQy${~PC+_1Dg?NoVZQ{?r+qzbZ? 
z&I!kiBWP!lIo#mPZ&lqm2rKrDiz z3DIZ}<&gjP z%WfUuePSL(gfik2;xon~m_3o&by(k$by?FYGv}j z7w-Pxo$v3yaA*_i(y{pHfra%|sEx-Wfgeqv(G(P92Tx62eDh-N#`!1-5!%&HAN$I= z3nf>+$Xv7eg;QVr;eY?=T`>#w%b#9XS9bHWPAix8eXXqhl-Vd{Xzr$}UqAl)@O@RC zSFRnjX+!&QMJR%ZFUo(-1Ijsyv_t;D?u%EJJ!lwOwR8NRj&A<%omn+|QQpwe`w#x= z;hjNMJA16zl=u6ssYSV%bo6>mn)2zHt>51+*i(sG`pC~r%bNP*RaFbWtX+M#zG(Z3 zv@y@4)SRMSA5=cNG4%bn^EPehRkj4B^vax9QU2iejI+o3zrBAo|J_|bT09*!qd1_1 zF(k@S)iKmq_7(f?1o)U3b*k2=P!1bb8e3PLK&jIo0d5k>Hw#i$%Xh+T2n$sM>S-N1 zes!4+(VVME;E*rCIF-PaD$bB%A(Q@oCOfVyxJ8M_v~D2oeF$Ano>Nv%>@k9v^jL#z zs{zhk4zNVvF?N4dKF-@7#-GBj;4p)x=_;*9f#M8@{dM3_2>if%8!Wy}A}9_g5*D>I zC9}6OV~DHCH3JP}M3#dnA|u2+YQ{%p(yQ8M1QGw3s4UP?hb!q; zBNUX7FoS=Qgd!!K*dZMO>Pbq?4I8xb3@Mc{7Wzy4;iAc0MRbPKiQ@L{fm@7f7zV=C z4$4a~Fl>gz`;1#j84d~MP&TktCv56*yvK39~G{63_J^Q3R zecFG1f82Zs@4keOzv1t{?|*#`cW?0K*ZkHCc=`i=^BTVUvOWG4TwQQVqB-ImGzjLz zt9R($lm5{^`ipPd<7e>XBYgjTzWxB-{-l3Be%b!^s(t?F_RF{XafhxS(7oS}CttMR zKE|Kjh0B}c<`F;nwtx2T_Tq>3<*WAeckSLAe0c}&ecYdX(?9=bfA*(-|K7ZM0B?Q_ z?|p%P`L4bAs{Q66+!=5Tfw$0{@^TEhmM(WFSIWyCXDPSi_1s!7uNJSt_uc=}&?A41 zF)@o?g(P9tdE-J7jzu}os%&>L7!OT&W=O2LZade8UHN9~d%~F$q0I0hCxu!q4`3y> z#t=hs^(f^fEhD1H5~2o8cH7x@;d0t+VRg5T&tY6?;jjO)QgtazejDxM&9Vv3#F4U3 z$z_MrqYJ5})Dr<~*`9n!gOl4V*ROx2NGg*4GEMO$nq0aW$cI81xZaAHbeShHUZ>{k zuqbJaO`OFyi-VLR`3R_zzw;%^gT`W!lPBevhpAJ!Bsoh34~P;^2OfCqAUjii>cB{O zyFp3MxN6Z}Bz>*b2kFwqkUu{!!e3db7`zUdd`Bh+g&G5GiI(ASoe7fE$*+HTH*2d4 zZz*N}CU4L3Y>pAoTZf&n8y*LNC7e5fH^ZyM#1u+!xBr+e$Xx;_UK@^4nfQs!ZEpGF zrX>PBW7Q=jDwB}(GBw0T)HL8zg)-eV=01Wg&>$^&p*w?Qsg=>;;AsBM;NkWJu_Uty zu(^d?mljNs^?b;;I(THUC3Ju0TIA$FSOYprP)^G zU18xXAip2&xD1}NGvSoTZ{~qK5C`JGP5{Yd&w~kJkK0h)IwK6CF@UjC2bKt~$(KQg zsy=xPnyi3iOHAm5#K=S5J#qsf%>iT3G3n0WAztN4V*qxfhC^njvlD;702l}pVIU3* zfuocjJeZFI2Ll6+F4kq!UIB8)0W=5kq&Z=X#)<&|1ROZ-j4^mJ3(A1TARaKNQ%6Rg zFeU>J7z6`p3?4*`z~CVfvN3HoW~+<*(%2=>*y*g>N9T*WW4#y4v%PiLP=hN;wKCp) z7tKfJeu5o>NpeVC?gM}HIKebrp=$S4>3|`Ceeztc23Bz!b=9PhFMvunxj0jZy5-6^ znpa?irvcI*q90>j?9 z2zjGdIzki}-RiRlp>gVEQDfM;=3Ys2DYNO`gEi;yt0LM*^$35cG!mhZ>2Evl$P(0? 
z;0ZP>q)jMLWJYBcSRW|4$ZMcuKD*`mu-b+(3q>U*4s86;33-N%Ru#A@o+cxM>u60^ zz2I8ToPOoxTo+p`h1ZlK{*LILs@^Edn=`r({3Veb0~hgn@}cZBnAjE7f(EER(l!Fk`U5C=kX@yERZc8 zWs88*stTXUe|0A{MzzGp%H2XysFWdrd}cW}1~I`hhc>$aK=x7E>S%#J&@!EkFu!$L z2I~{Cyh`+PLEI8swQ(D~v3xWaniL1+ZR?(*ipzD$uA+aH0gU_#cL42bl?D^$^*k;Y z9!F&6MHqby(7H7@d0^YS=xf3sp~H09GU^i&kaDpEd!!stm@?3Pym}`==s;C}PTj%k zPJvQE0FS}W4FlHEag!P`DcF4$-aNk*g)k`aOiU(yLn6dvd^L`DN@(} zx)9VCUe`Q>nB%2~0PQ8S9-sIG{i)LJZ=XgWW@ySzR><2M$EXl5{y9RyJ$a=`F zyqGNg(kMG|A{O}CxyIW^d=r#5IAnbEl7}U#PYQ;idn{NYYivRWsKt>9{Eo!CwL-{ z0U?!R?$jskvZED;45~wx{=qx5G>wt};p%rYcTkR(gB0P>yDkm16<#OOdAy94b*z6X zEwhzoo^eDLo1|a3hmbhjed#{kdZP=%RQI5-Gc3z6_@o)r?j-xigIPIlgd6g{+NX1FP}7tIhMtI90C|Hj8n#C4RuveFqSnS|Ak@$te8BrFgxuMXP&>+Z?RZ{tdFo0u5b2gq5QMh^0bDC4GuW2#xV~% z4!Q2CuHsml%CtP2k@m%QIgMP!u*7k#ppMcv7jjEA3!JHJmdli8VljU-&fkZ=!YbL! zpAhe0Xe3#gtp<&0fx(28xZp?`BtEkt(6&FmZI@vX4rv>KSctlDMwBF=?R8F`XqAl* zd6nQJJ95>1iqX=8UUpJc5nDB5nN#0@(PyARfjagDD+e7{Ca<0QE?kYKWVujGkP=*T zEuw6IwK-t(2;}F)i1UAxHxbCuUT2=YFL&MV;}6WD2ooQmJr`herqVF!oTjyS_+4@V zc$#v4uD4y^3VR(>=1gT)v@;3zCU0*`c5ZAv6B$*MMp#(aw?#~secY}@-lN`6OBr1A z3W`iG$D!?q@`@J%2#Ps$T=r%8w?{{Ady3*Hj!MYygiNi>6?}h6E)>)(*q+hy0XUKx zOVz{ZTkoZd<0vW0V6`kpwfe~$TS9QwRKh2EQLFE!?Q!q`4K!Ah zZ_-cY@NQJzYZogl6f)VNmz1CKUM`-*GCRo==v{$(THmyG>Em)RPd-K`^!0UdOwfwI ztUoBLD+qU|WwkJA*ckYFXeWF6?pD{I8``C80UXM?AVGh#^V3(SOxbjox6UpLHFAb9 zON;|Tx!0s!r+JDyQ!gtn%7D^P=0n!2rJPGrth0IC9p9AWP z+c+-!P&W%^%bi>fn!;YoHIT7<`e{qIn-6`inLC_H-A%LDZs`a9P{T$*(SJ$M(>aKV z?CFTMVdZ;qrNzdO>WiON4^(VCF{zs!W?HRPCq{oTtD$2Ss^ppqz%DTGiUG82V}iAX4PI{pC~ zQP3&;3sic=+H38#_kK^f#m&vl&AI2C-@Dgd>sikSb-8{CVUA?exr0oj3$80ES>_6! zcYJ@7Vm~$=Vd&n?Jz6Fh7q-MmKMf3n3Jn%JqOGTXJjH}pdsd$epFIh4Hejs19aZsE z#LHJjQWYTs<4`KekndH?-EJBiyReLxVpk`{?-{96FN^YQoUr{$a_wlKM~B4B6u@u? 
zL@8a=s;hD(jFU>SDB#6byFTz63Q`XK+*^O_rD-Ft1#1KFGra!y;0 z{4MFSPliB^u6M3SyST=?Y1;z}_Ti})aR-?>i~_gMy!RZV#S1ILoK{c4vHT=}fYN;| zb_z(pS^M}-qiMohOI-y}TOSNJD#lnTClr2@>f1Q7i8F_@M z+@2gh;?E8WCR=v=P@*B|p<}{pht4# zawz<#)_2flQIZXrTcq^YsjA})l~-AUU@OHxIeNLSnlJ;RN~xSQ`Af@EvLmLP9nUMS zHM}08aJ34*wGkb`#Bwp4oi@=HhD+ zY*dT~RJ)_Vj4Hd8vd2vHSW&?-XA_6OFOUoxyyJLqgOD*H$r%`%93AN&t@YVO)nBDM zH#B3(U0#X*l^&Kfv>r2|b?}j+X`m(3Cq_&)Z)oDm8GwpZOnz)M2CYx1SYvUw+wWFU zUBG3^p0XA+Kp5dol*xaEp;1(ng5-0T+bm?U-IE|6-NnUq=aKDj+H$q~Ls83I4-mLv z$W}*|Tg#W)OD%Gt+Dx40ik-S3EOXVebzWX7F_QVZ?VuW#yrg9bJMn_^n9GTZXU{X+ zGp)J_EK{d~MQy1Lp_UOpIPwm?ok+WmP;}}d2~NIF5Ixf4L_&Y!#E205@p$oo8Dd5n z==#*#4MBcHVCrbo>z;REk!O)ymI$5tCQ@Vpy69;;N50CP%J=Et(y-na;Yc|^L`~eK zCGvo}wNSW>{2>{+HHTLQxu#&eemFLS9GCQw|q}^l#1Z zjnnO9TE2=7-a>y6D+d@uXS;&jN9Tvt@K9bkVNNECb1?}mr{o}-_hjOx$k{yG|#dPuVBow9s<6QUF|sT$ZV)-KG-8}_yhl-h%3N`It zwbVE(Oqa8fMPAZyT<=Z7K6I7SevWKF0^w5ezBKtXW7J&AD|l97QW3W@O}!QOxV9AB-Cs zlbut!AXsI=L8o@Hi}zYxA@vU1&qdO<=w!XJI85KNh~4{%dP(<_g%hM$U6N$mJTA3n z*BK@$XZNn%GvZH}D`z0^+LM(iS60~*Tu+%RevyCl;Lpxs~| z=LJCpOC}a!j1WE|yG2b}x`oERgNP~f>8ZkAsXULyI(D+$_cctaxcU~ybX^tQqhgHU znC?O}E*Ot1Z$=?4f%p`)=v7MG;*3z>B|pyH=A@o(AnagF=|2)PPEe)d;-LzZu+Hy2 zMznufBk(Bj4mpL`b6Ruq&9WHckYX(vBX!jRgjmv%sE|B5w_0rpb}i`03VbeNz+0i7 z!fV6yzlWdAQg-P8mQ7G~=5%%a&RyL}U8S)IHjIxVnXm(J`Zku&zGod*ed`DvlnY-j zCRb_4rOBbqEkIgw%f%RlP=$m@2!l`18}NV3oeCS!E-olil$t!5{Hzp}^rX*@hz^d( z@FYl1M!Ct{JsQh?al?^WMM!{zM4QhTV@ZMv5=R;Bx zV=*N&u^zaS{B|nw=yAJ~To1y#VDE-U@8yS2iXF~$m!pvyYQiw_Rdl3eY<7`>1jBz$ z&5MSLHCB?=)E-_RJVnO^mC1w;lV)zC>7JhK5hSLl%sS*wqxn!F-y92ZV>U!@_oZoT zzV|V+9!x!0evuhg)YnsTSP)h;7Ri-PIFvZ$1?$bxT5GLoQ?(1p6ZfBa|D$K0M^_{!W-)}v5N2I11J886oBTfP(%CJKYx}t1q(!g9h35J5aPq_&Vx|oJoayKeXzh(b7 zw=9$<3$m0_=F}JS&+zc&IgLE+dWo3(W`{JqTxF8`hQ9;5k^E$PT3h^7P0u~Yh<(n; zEeBI0#G?cw_wUMUD;E}v55s?>?U>1V4*6gZc$crV(itgCp~k6M?*238c&#m3a^qb~ zpZW|8Cn5=x-?|66xl`U^ztVtYGv)GsfI})6CQ=LCqMph;gb?z~K2+RT?kx7=J21R^ zG1Sru&%ON0Yrp#4r+@S7PyF(&C%^C+ct=wqIXswLj77!ldI#;1z3YDiuYK#=k3RH1 
z06-Ek(L>CX5DCB;-pIo7NcEMJvNUF6MiM}E4>#kUMXw@&D8%lGse}j!K!~KqCf10I z5C8!LMa`OtG!f?hmqh5(Hi7S|Ohru1?gBjh(XW5=rPsd<00_X^*htJL1u){KO_li~ ztjd4{U?gmh^}$D8_~Cz>pZ(JxzW<-UJ@?g5!5uKwOS`J600V#k8M)1d6GlnQ4X2sx zDbSC7>CNB%;NO4$`0s!G!JmJvy>!o%s0oAH29q`=Q$TR69|0IWbWoK;Qq)WiMSTeP z^ylAt`*T0}E&w3h1$g24*T3_|zy5Lmm7o6N)wh2HBmiWhdTC-8!3%%_pfVlTi`fN1m<|E~AZ2T< zu^s>hZ~+iul}l@vMrr^J;10oE1U*FCaTPiU41pMk%=n_JN@iq+#%SnCY(Q6l$M)nW zzwy_`WQ+~*0Bi&#P1qg)Jp1As-}}lx|9t<|4?_ddD}oZyVaCS={>#^y zMOAg(Vf?@MKKq=@a6x7&D$b}(ViZk+!32X+5Cs(^AVCxnyo{nOvDS#F4KbpvLu_K& zI@KYqt*nNM8blOiP-GI6*(;!+*sd&B*J@w-aE80@ITwFlc!PDg_nfo${(s;1`-p%r zN33*25D-w{^gwh3W5Oe>qZnHuum|2AARnuj`ylKwSAIq+*vhHfR2qITQQTi1ndn`7#nIVP{ zWl*64x3GV`A!a90iS@3u0?CpArxpgx>W2shf-H7NXg6D`DjW;AMH%&Bu~(d}u@qCv zEK?Oz6IG0z|C`6Sm|u}`YRU#eSsfYG(q#8m(6m&-KuffCiNCH=R~4k9iSWx|Qw)-0 z$xm7*glQATjll;K_n+)km<13JQ>m89qr);3Bo}`!M_Dg{Nv3DYZp`Kl%I6~kZ?I~- z%C-S$TwkgVa0bA^d}{1%BW1fR@K`PWO;y>5jK?IP2>o(H7Kf!;SuDw1rb}g?Yw<{r zSc*5cfa78wXK9G8Qd_k1RMpGP6o!?8J{EW?7Iky;T@*r^vRhSH2O$KJ#f5Q|r4SSX zG1-4B?p1Dn@+0RvL+|@(?1di_nyO;!%DoD*V7$-!`@Y@P+kfcglg*E=Cv}wtf4?1U zZJehsi#~fTt+hU`r84kXA(>!@bU+D5slf3()e$TRz_|kr^iC>DYi&sHx%3j#+m&tYBCvE@s`pwGQ+jLXXxH{v%@NnXm+2ON$kJ zZF}E#&Oe+5)X~8!a$`lEVW=~;w=S;vhF$0a;DMt&<~YQ2nCAtZK#3c1n3s5|EN}R! z;aN>o$KOft+==li$vwR%M*5BpHEkZKSl?4>zhoiU`h*?7l>g>gvavDqZF_&n`QL)$ zv^lXk1;+l=r}sAu)D`@E?NeEFSiqg{sH z```S}xU0LI51!|?G+}E;S5jBQ`kvYi-FNJlFA!TTHn@`1~$K%jc! 
z;bW++`0S^1;Oqu2zFTXn!Y&^Jx2Yc&mE;dRj;=3F>aAN-UkX0H!lb~|+m%_y+UUDy z!yo<0Zgl`6!0W7~UN?~)&Z#8^Da|P2#^t3>wFWDIY9!BxRr3Z_6Oe!QmGKUSqiV;% zD*bG^hARBUc425U#@ch0cFw_$pjDP(t%@)D!mwErsXOF9+o?z%~7fp7Nu(2 zOvR9SxZ3sDqHSCyA1kCVGXfCPt8OM=%8d|g*D+BVLsTOc*&u(R-H5QB80~~il_AxF zm)M(MjQ=2l5mGbl#X*j!6eGzhE8El<1zA<-Be__X7Z*jB9RqhK&_{Zw9o+w_!{hT< zIzPtu$km8j_fzU?z8Gw9OQq+*F_cykqz11E)wo5D+C4Q-mnTTUlZKB+!Q=ug!m(8r$AGz8f4VvY(A?maRTt z9#>Zme)GU1dd|+{seSEEB_+87odJ6@!Oc!A@s$6*Iw7{7)_)Pw=xFWH$1Lh{A~%HIUA@qo)BYr z*c4lK5}bHq;|aR?iGRFmXuS=-zCeQ}MeNuy*zIme_uFxxaJYNi%203)aE;nv6B-WV z<_7KmKEL}}Mtj4a-lpP_M!S`(CT`yTs~3Gi=l;C#{G|i`>YcIEfC82mG(A4l*R-YO zPF{a!4ijsErvm0F)p5wm6*;{BdDWe`vNPZ`OE)1Zqp@w(wbL+VUhLJI z*{#>XYbHPK1IMTs;_F51JOBrJB{l0%WlhR(FVQfrjD02u~0#uOFR6J!XWYzB` zN@Xn)n@;fJaF?O)U~JMWwUJAe@T{^KDv(^0KhE4+s#xe*?ZaX{sS2i~<>i}AVi}*A zHZiDLZ?v60>^n<*FAocR^J-q>U_@?fIm+f?BZ9mP>!D z`Y4otTxvTwt}+(k)oOA8^DeWMykxzwvbIUo-)Y~UQti-7p z<*CG)Q?wO~wBB<<2v2!&x~cM?vS$pf^@Po!SRmgMu{c6fTeRSErG*WYZ4P4`vE;oq zE7@VO0v5scCYhEQ;Q&E^&6Qb3&>3rXqB^}uJD8}V{qc8ia-l0cl778&pnHGm|M@!8 z*r={E44>`$&bhOAW<0hTFW8J%Ft)J)$7Zz+UI7PFFxc2(GYOkPm=LytQ4+$UrUXhr zQBny4l@cOCD3H_y1yKY^n_qng`;XSJ|SFcZLYA2~< z=A3+g;m3!_AOb!gYJ~*Hj(*|5wtwFn^2)xPSKfH(;q9fL93s)dX_bGAhOT=pdF`*N zj~(Coq(+myX(8IL4$6daKw6M%roG(VBWJkqr2+_|35 z&t|P$oH1vS$g3~@<*xO2zb$`tPtKa1t1n-kbM_c{vSa$0GmE~ul)kaQ`oQ7-`_~5d z%_7M~(bg>!UOTq^?yY}GzuTSO-AaPdoHb&IahWe+Kth7_YDt)_EeVDmq|8vDk!aoe`?{K|ja-c36nTu+(y1cAIM zzkYqq)pMk=sqwA1H$A*L?fB8E1Ftt7eRELrI3lUg5S6}_Q$hmaDZ#=iO~3uaghQtq zJ~*@eKi>`8GMD&*Bx&4?6KDGG-D)|yzxg-YRe4QD*NRm?eA9mEZ0(W5>+W3r#Yaa- zLCL6f{ktArO>KWEWg19NGKIWI^^E@8*L$!0rSbH8>%Y6Q=h3yKj*ik754`-t{l#Bi zT=>PMsee2f=~)iZnz3&l-g@s&=fyMAPyK$%`|o(`Dw(26LsSYR3QZF-m58$HoqJ#W z@kZCD1B<`@)4u=RX+5!@MDyo=cxu&OPmo;6eG)uLMEHLLxm6uU-h1}T&-OmN(f7rN zW!smNlvDzxdCOne{on65-?<N750_`We7V+#Gj$Gm(=*nVRE-tdvVu&BZqAM4D^;J zmLN-Fn~xa-!3@-5tR_RahxnLHlZhBBfOF;!?{JGC#7(>xvqiTY5}o6q_?c(ukp1Fj zbR&OSPmQX{SZgJ>QdDt;Y(}EnG?EhiWibXd%Ba&Jr(3P{HB+n*S|r@~*yj)XI@lbQ 
z+)HG}7>U$36m02_Zrb3VH|oEc8Ov6PmMNmChGu_;n1>&>q$m3l_(S_rTaiZN<=Ayl-v{cWtIghs!1fsmEhhW_Z860 z$)swgXzS*aYiU{-l2R}=Un{Gok+6SILZUR;B6_Hu0dU<~=M8aRAsbvzs@q9@BNgHOZ}pl!?<1zPsc8-^U$4QStVPXKr3zd;5Z_ zD`KG{lHW{5O(i48knADE=hLrr3_wUJHGvxE-mnapvceitTtlK2B)62L4WYpdno~qG zvzgDQ^C_h-8M8*PvSu=>jg)^ilHsFiPOk7LNpDD`6hc8IOV4FqKhuDFQ+TMHL?@Dx zI#N_YBU!=|#z2%u$B>dbQcy`!bErxZh@iW$ZOE}0(+;duh@Hw|CIaHhjtqlvoSzPK z{vtDdf>u*sqLgyN-K{+roj|HJ;u!ij#+1GRoKulqyN)Z4GtV7E6Lx=FXA(*dZeoUe zkK>Ru+}T1#spB#i=htIAp;Lq#j7Dmf59#K8y@|{G$BYlKLEGkfYpNr~v~#-cLEMP_Gh5q-rS8OQ`(|p-4$9$1x1>IiFwO;9$ro$w zqRSHTAYA*yckl}0AHILpbccX~$5fWsml&~6q8=&U*u^k^Dc;$BIke~THcH;XsN#pC7%%jm-x zWi$?6W==vbtBRZa>aGZKB<~!6v&Y3}5{B|@r-~u0nj=d*)>wc4Z6s81A16$@`$z1D zn7gIZaf}e*75-pYdOciIsQH8h&`^0j%IgtIL(MCc;)qO`Q4WPtaR87K6oN!1C6kir zhAghL>hzZuxIhk4=qVwITmm3MEVhc2a{@pBC7P7$-`$4+pf(cXdj~pm}Hfp^6aMM*=Yis@A zALpFwKKD8IQ``H;`^Wn}Kknzb&pFq1eZQZtpm1n!xJG1*$uWokr539qNn)mtwG0r` z2N}gtY_u>t32b{vAsQSYX30YfnybzbV9&vCi;V18oP>D<2?>WQBjHJnAbKJ%F(pwP z2I@($Iy(^&aUO|(kS&lw2}v9x&IfW|2)jm4)?r|oP~)WWUL1>9&sJC*i%X^|5ek+l zBoZQT$qSB6ZYIy+SvQ*HpQrWP?1s%|$x<_QIu6I2cg{Dy@#GwPK~E5}QCL945+NfC zig)B)yjD!JD0Kr{|8idaSx5Fzpe9@rrXhwhz>IcbD{C72l)#gSunz@EiBc1(=K zNRHS`FjlY=V1fXNNGz;Q%1WCd-10r4q66hiuoeUwm)Z+ruk{Uu>8{tfTTCU|nM$T=4M0+BxA-2VmS_rtKW=$}%Qmnc})T5LCqth16D z7&%c|rJ72AORA$!>cH@_b(GocsdqoH02rkSxihi-Jz__4oD&t+l~Tl$v{2D$qJLA6 z7ZR5!A=gj=qlu3kYx+7Aebh&p88-FI7c){)yCsV*5g9S)Nt>~Tm?n`>AVDPGAFG%m zKWF#b*Rxze&4MlOvh2=C!O%~`e+>Lhd_u=2wL%imo>`IzqFgtAI0!-&&!# zIg22Fl5@^^&w?EHdrOW;TwMK`(#c)O5jKn{LJg=hR$a0jvu{wC2a|}02;Q;dnH2QwygcoyvzjOyo6o(EHf|`j~lh%Pyyi?LflbR2+tiDcgS2yd2ilCEx&Vp4`VbQ4Xwe$4i3W^<~_E6M+ z5|aXTpCdy?W&34nHLK>;-osG7U|H3~VQa9g155L)=2nqsZK2++8MwvyDcPr?S1gI) zyxyhwGfNs;S*?ldgs;$^De$j}_Z{o|mbjSBYZQxaAqFgWq$FWn#cV^77FWcy^JSAe z)xf6I!&uEDWw@Y3gi0GWsgpuG1Vv$g4I!MNn_`wCJ}MkeSNG7l@(`);aaE~x#QJSX zkUE?2cShOG01(Kx6oCbn&_X9fNk=)zRL8&Pk!o6DbGlZUf<(ts?MK=|R)XB5iVz7j zaBDTAEfwLyHM691JkraR@#R!At8|}e$^{$3qD`hDtLfGKPNEUc|GLs>A+`vA9ZYED 
z!Yi2cy&U;MHPXu+=)4ka0jdSqzAlYM^;3JrD6x+MVtvz4!{XS90|`6{Btb&Uh+&nt zWGzD2o&YSzI81iJ77Q4pk?!G^(13M|78npM3xyT~s%4x35QA@-goy#jG9#fuW33Q4 zGS&cr6($#2e-`~^#?1ck+Pfcr{o6b9cC9mFkdYin<1JlHlb76a>Xo%eA2-tsI0Ozh zNXx?LocGQR27oh-nZM!C^Y@%TX6LXa1MHXyJ%bw>oO$^TU)b~hpJr@X9;L{FGVp|G z!3wi@as<{`i2R|5ABvnMCwe4L>smyIK_8MKtdwQl#$_s1jOr_;q77RhC_1D;XhU>s0ZLt<6dJcqhz!KuHD;fMt?qNR z=hXQ)y#|L-0fb2hSQ?Uldt*3@Xu~=`tPs%EUEEPGtjF=o5e0-PuFtdy%{@zDp#{m` za&7MItZ3He(In9345T@F%0`X>Oesk_A}ESjX^c#&V%aUYa6sBn0yRzt-a=o!X{IkQ*+&P>NB-eXf@O3fJc=PH*& z3w1=taF6hID8`PqE){HH=fSQ3&9Gs|Mm%|hW{5C*ID7Smrw`xt z+OIbL=E%IS-)*K}j#Cz|I52+Q_a3|T_|fgZed(i*>@b&2H9YSVJHPYg*I)VKn=daq zxEJP3F=PV7#IbkG;HMZf>#EiFe)h;OR~>qG=lRoHUq3c~`G$qY%$UFZpfuO>6ATYqlSMVd1_V#*G=Az4`k;So7=? zX6(up)h|}zjWcr|NMFVPrhL$jZOa0+S^|I z#omdx?zwb-cER|5bH$YgKQjN$$9BDSao@z-43?hs>1%VAX1`_l5)oAp`&xp{%icA40EE z*{5}#Tdi_qexMx6TJITE@71l z4V5A>4XV2vBj{GEwN4sKL4ZupZc;v1q3W$iz`0g^R3KNUz=&k?IO@&M7Ilxa*F4{U zA=amN)C;IBrayUFq0M~K^+~0m$rS}pK~jjCSs0-AjvRY8=DcG+3*0il_$v#?f42I? zS2v$M`OUw-dBxUE?)uN|yztJ7LkG=*kImSzYw?es@~gIPIdSsgcmKHR#PM5CzWm*P zU%c_~J~Q1gg}xcFAK>5`Gq`Exqd(q%f9agN`6jbq-O9r+Y(Mv^S+e4mBS&|iKV_CJ z;p^8g{oyl{?%cWR*v}uh_y&Dyxw-l?bH8=)!S^l<@3?L5!w0_h&r8Ei8yD^V_MVA1 zWZ7JrHXo<0^K0(E@4dILeduO0oNgwq{L)LOH~*KgbBoccI>Yc@-)XJ=|1*q#Gk^m+ zq6{;j9Z*scYzrDH&<=uV4WO+eXQ=~nus|sa)e`J&tAv_1y{NX0u_kRydtpsX+NMbj zMoUvdL>q{u);3LgNSZY1MK9KIueHY}1cosGf!X_C>s#OVzVGw;PpYvcYV4s0esN~` zOV4-Leg5dhKODXA+xvg@`o0T)XTR~EKMfy0viRHI+kgHy)vcebhVHrNN3ZU9>qRvx zz|IgP9gUqU6?|gG_@OWV`SP3t6V=e-YquUbaq0ZfBb)lauyx|{??;Xuyl(G-ue|?u zy?nUpR2sDsRzm3823CNTjyc`5Tu32QsQxIQFw*73D!;lBZ6GG_3U}Rp{ zzqsQOU`1esQ(>$I%>>eaxY+q{BEOtrIr>!y*}j+`@(?H)g=Ev^MocQjB&ZfFU(r%7 zmwT1Cd=n=E`lDe}1X^TUm7K-c$w)YP$YgnDvB%aX1SuEd%&Ae56hqIZj0O%(4xfz? 
zhhKS>Q&_CC0IpU`MSQHXTcm5xVC?N>v`b9xG)SM<`l}1um%B87fj;9Plv)&~p~IAJ zvZ4O-G7u>4nFhHA60NS!oKGq(B4SpQBx@z>RSX$V$Tg{{6#&AL0KOc7LIGMS6#xi< zHqZ)bO0P?LV_UHl60$$%xISf@Wx64fa4<#o#v=3`BRA_OKT&cd5X7?RNm+HR(p1|7 znoL{MkiNBj;zC7#9iF#@&!o{iSrI&064Im*i|7c_fKUcOrSqc<(x;TFK)J$~pn^)N zDg$v$CZ}y(!7AuuZ44UJx@$U9kQdf-?>_X-g}Z+Ks@{2c>C3M?`S*7QH?OCqYqwqa z-NL80R8uPInT7ghxq9{LpT4&Jy|V*fJyvgfba3~cdeIGkN-7Zzj1`fRE_6mJbI0vZ zJoE6mH+whln6c%FLzgan`iIX{BV+4c{K2+gzffHR(9;K<8>@Qx!Y5B1{^!M!r=I9v z^T_?L{c`KspH*YS)zHeZQ!gI8bndagymjT4rBw%r7xa&A8$EF9@eeL8d+zv@+g4Q5 zZ(sZT%lqDcd;6+=`&WJcmGAubUw6IqEU(?L>)gBB&z+fh;^g4oP{E?XJNF*>@cmm(KRdMJ(55%uxc|(L z)!1CsbIY84-#q@;%g6ut=D>Z6s!jz0AmRkSjKQaWmpkqpfs<0EOc>IqDuxpJk)ph&K`-ME}6zkDZ%B8cz7GpJpa7H2@s0dSB;HW9dKo}>GLvu7`Wieynx!C!}Ne@!U3 z0eeP&zO`xjM``Dlm{~BWN>hxjgDN(xH(0WZz5OpNZ+T>b_bHSysqGLMpF#niH3LoK zMz%(TSPt;x#a7sIDX(e6d8ig0fJkHY1k7gh>64WIq(B9VxFX1U;3cHGg=f?@~NRpi0gG4phLeLL5GMA~X+k;lx zam|7kDKyx^$jQUWq0lV1<_@RPb9P)?y1rBNU50{kR{>MSC}jq64=9bKEft;kSn5@? z?Yt}>eMw{&pSUEJLiM1_rXr}Vqy);i6Squaf23EeXx(?z|1 zumbge30djuW?GOI1${yInoPW()f`qyQ^w9_uU^szCsWQ=*rkr{P|YC1rbB(hG`QTX z*fIU^ks15<@%p>XJ>%+{k^a#oGdGU&@Bj*9Evh>e`WC2pGJVpioH8=$ryCWbo+72{N9_^PTTwd-8jm1mwB+hY3+8cTY9%X z3MDost94mY{^8B2$uqf*(yR=3kjicm5g%2sF*m47{J@@>@?k}Ak)U9 zAF_lazE!G*7LFB^IQWRuER#cjI0}2dPc-#e_#%195kkZivj^@t+)Pqnk&ngmeiZMP3Ac zmq9h9Z^&vj0!D<2ZH9c-co|8TohjQ#V;LwQWPBx^yi7(@rek?zFNG#hxka@C7FtMh zeqMtJtwm&`peY(rY4xdpVxp-Brg*(hat}kfJ-5~?+0UxodY#&WJUs{6k^`e?2JA2q zO3O^6#zn`KOTs^Vg_LMV!eT45P#VHy=$!Bd+}JA+xjkVw zJW_cn31YiPz0o>K20E#uFq`jWC41QfO@IH0`!H*wWPOzM8%hd)M=3zbqT5RCzncwV zFVuAxwPw+z#qM*gweEDdu2D2;sD9&ngvv?#Ta8m8_oXIZq2URXwgK*0_3!%g8~z2Z+2xOMif@8(R8RbWQ2rC z6KDWUTpQGaTG)tx7}kbSBi2GjYY}6NHb!?f8dQS7jMfn?ZqpUxNQz=ucf@o$Y*=bT zovG93-FofeFZDgRp}Klz)zK(Sre>|JU?L=w3O6=05UvQ**+g7oK)J&WCyO0gHHK?i zkoEEVUCL!cd9_{TrzhZkCb4vgr3S@zi<^810YQbJ?7TUD$XbO-OVrGIQ#2c~qUo@O zix$>wWhFsR6F=l>Cq}7|CE&U6$=NZS?flnH*AmIqluB-^@Kk};=5NSAcvpTrWN&nf zM|K+qdb}kyM-oHxp3IzwYvS-`ePjk-RY6-e;J6Z 
z`<6m}ox9?k3c6jVkN_#Awlq^*J!0K@{ai-92iuk+$C7s#mbTI@oUWB+=4|WgU&edK zgIysJi|0|_W)CereH&iPWLkJUaK29i<+HGkQ?C16;1(Dcd4UUgxR1F5-L(;m2;Yu z?NA%B!ZN!oTE&IdBDRSwLUG=~hyuilfQ4*!32Cxnh$O_?4r|%%g+j`T#u3Q;kFRU} zvEr=5&+k6xvR#(Tax3?RautwJ3lz$hLMT{&G_}%7T2d8^P}&LvQ%J;6sr7D*CKVH_ zQ5$NDm)3@2A{J_>Sdr9XaWSnn+E{~r(Z9eC^Uj>JbI$Vl%p^PclQ^ZcHRx-bF4 z%DD(GWizTprlw-7rjcc80)UuvORBo(=b(jOS6s-1-7G>q)XXx~EF*4!YXFl8N6O)U zNa74rF_v(x)uad)$(c#7WmXGu=gcMZoR&@B5No-7EsT|OeF*?z3C}ECa*!8}V$)4b zMq#39sZdSD(nD@;Ofh#+D~&MfYN6sn3{oOj_Fx%itYsBa6=fl4vgeQzshMbqx_Y!C zTgp1(gxC^lDHS$ppLSzsjUe>!n3*p$yA*t-m2ZHbO3djaoYKt zbO*bsJ`>p0R%xGfo9>rmk+j*5T&r}APhBRMb^SQ)`sJ>1HKpjWe4t8%N})55;V`Jw zT6M;xRyMzOlTL*UNL|EkW!H3j&p-hUN!?Vf?A0su@-0$u7#7S8U(}j^qvgW1CA<(OX{E|`!xD=`ZziGt18`hZ#ES8ToGi6?JA z@%=fE+>gn14>b=c%t)A&SlqZV2AFcoq0b$9^GtJa8XRVBY7%0`3Z%7E?*%3gY~FG7 z>ZN(RH^RV~m}{78FeAYLkBEAvZUhj>qe(HLXa1(ar=QEfMo(XT&!InFn7{KwKz-4+2M%8PL;w0^$iVIj zB0!iW%tBb95Xx(rnKc)kfZW~cq80>by$+q)JLA^Ff4TIr*MBkh2L~qa{{Z@f-Sci_ z0III8?q)S7CIEyy*P#a(yXENPo4@x}C;*6&x&aVn%UqRz37}fAIf0CfK>%Rp;TDS2 zNCjrnNUsZP{=Up4Ar{5%Ui3k;v8u2bQWmGOu!J#Nag?gF)*Ki=Y2$rI|NHLBA0He2 z=!1Uutr%UWP&PLUa~D_gI?!CQYwxy;CwbBsfPpbFZ_UGh8(Q}GBhUbx#KSdnV{?G> z8tRm7YQm|1N4zCcW)?s|8AyqZy$SRT+_inr(D~Y`r9d!+T98G)iowCeF2U|Z5D1_^ zjaWHc)d>Q2a7OTmuuR#Epx_#G6u5^pvdq;TaBvN9RrjRS@zQrDt`=qzKodH7;jRM* zul{+$_Vw@#RtMFHuY)v*#i9XfHfAqf_p29{JpDC)Odn5;9_1dQx>=J$Boq+!kSss~ zYQRQ=YRs--Yzi=kWy*G0RU zEINOYyEYVdDhBcs1p!jPARQitG(60$eGj8D?WALD*BPF}!hMB1y~IwDnC6UMfY zQ~T6^pe5i<^yILSO-ocEiAXMFVM1*{$I}dj%BZx0ZfrC2i1UpM2x;;wQdw$1hK8efgP*w=aV=;Y*i&{P0K4oZ5Ew zRs_o0VDQ|H~ed&@H?HavU$p?9u)__gP2tL6Z`6PA8(``MTF z{QXZm-#)+SvE3M7^X6>$iurqveCFSOLw%cWKtN4Q%TP5o55&@#y7i$~&)xRaxA30j zn6d!96UC;XansF*zq#k_H+KBv!l(aparsyFVceu0Kl{mh_wR%@#x1$|$nQ^2+p>}- zEV%RZ?+*R*@`FRC{!iDLhBb9yVfftKHG!}r*nl9rMhPe&6+{e?$Sy+IL==L5?8vSn zf?5=pvDUE_$EA5Y^PMyR()5v?}Vwvs8tM>An%sW^*t6 znEFy89Bbd%T(0Nk37V@S?)@Bp^P(nZqW$oD`Hp{I13QQ9|9n*RVYc+GJa4jHINxJ` zEfeT~U^I-tFoM7+8cMN%=H_+oPUiR^PxRRQ%JsO 
z{xB_1?5+_G)pO3~0Hw)2dOT-hc%Qr}>-~WH?NeZ)516%M(l-aEd$x5bWswhHA9{?BiLot?IYb6QhVY_B*@+LZO7FQVZtm|5u9dnJoo zgo>t^@hYC^TijY3!-2v{f}&88qG1R|(P*HnYscIBLY(k18xbU+F zhYDT}1P|3@&ke+PS0n4K83r8wzbaxzI|4f&r@kI^E@;QU8vILA{l$kH^#2vfV2x56cEFzmx3ie;g>SW|iy%1EbAH&*aQa`pIfSCYw`c z`}KBt)6F@_&EmX&X-QC@D0-$dd$O5wcQAJ4hKg&pv_Id`S(oxbVw@lV`bv+J-=$3T zd3Qd^o@y)opUkE>jkeBFP*oi*Yjzh`#Y}d4J-h+ND;CrkMv*j^;8O{I}%1}Q5#!-qtJ-WbrreOeZi0a4y#N7 zW!gpv3jUB<xjL?%yPF$5xbOp;a3nRYibWaoT5GiZldhpv2{rpY>10b!yDiLRs-*xAvb_^ri7aUt(*Q zqfDxQO(nyx+6kv-&G}OQ;*wkwl|9FTyXmu%Xt~#NkqUw3-mK522dNe#E3G6-&RjY7 zE6sAMv9oFmgXP@Kk_{7$wpa#vP6NHdmGh*3}k$lyh(9fgX?~K@bE*V7R6cN^a8JoRFxHu1*UEiV5V_wR;K= z&dlm$9N|Bx$Qi6hJX~nJAh#Q(2H||fkPZ4iR+%LQFFUmPRzPQgj!$Sst+1m7B2qb5 z?wp(-(ib=)2IjCLL?`6XkqadhSMwybJdUfK9ssMIyiIYhYxd$Ias2 zYlv*^%pB@DJ2$u@%mK7@0Cie>;8@YGeL6l?KmtnQ7=|M_hLI$lWRM!VKsr%od()d5 z4@*T`o?hD`Dm4~{g0bs9QQPk4_rcm8<%Gw#w)1|vOnCa`NV_(k%mreF@vfAkzsbyh z;&@D>dKx37ZP*IEIYxzkd!ZGWhGiX|9ybUL1jNiK_gvmYH|FN)n0EZs z8-@Pv5MXh11xZvyvSEPmw0x*=v^`1El0DjTVy4F=HBpZna(Zgi@Q6ooM@fbQ;gr7U@*1!b?rDI*lO z*5U+ZjgN1-cph}^O`;AIz8x^kPI9>R=^a|x}mXP?y@Qot@d~%+Bt9NC+Vb`!OFfnUkE!`<(y(d4A7f7#zc9 zRqA_Bm)+}M|M+%)(%B=>!y6DDVgikwDrR+JY1%OE^61%iS@R>f6}Z-JR>HPy$TnqQ zt3@miQR8P>{=-@cBfF(b)`NOv;wDp&0yFk-+xObCXDkygMx|mkahb1wZcc(`ZexR` zva#ZV%$H!d-HX{p&sq7DZPCnDehbUx1(;ddQnaPPe8y0J#@G+Cndd#GxT1ym9nF}% zAZ<}}WeTn{l##|}TRuh4V7oCk)t=8ylUW`4w&a`n62G?5U%NWkN{Cq9ROZ{>G9_vS z#)KBYK)dQ;zRq)_L^18lAZ=tK+A=5YUc!7T&FWtIKmF|{jRG+u9FGV#mbVaI1W6$6 zxGekPmHhsHvs|=R>=!~QqP&XRH$A_v>#kF{GFAD(~h zr~6Cyw94YrfI6YFr?2w*Rpo|_(SJPEHvLr6SeM#!F{iIj(b-ixJSuExU3qud>z()X z$BuRV{C(7!Zuf0Fb^8uD=dYG7PU(6)YS_Df2_U6QX8q28JG8umf0}5&e*p!5 zx&W}qzv{J)e>{_A1Ov=GkU&EKG|D(d!TXhrXV*MZ~zeoGYrik%+P>H0a+B(wQJ*xhk4g8ru3d{pB@j` z+X@s;0Qf|9z0*25ilY_*LIHwk2AldBOqhR$VZ{Kt1Z>*6<>hzz{iid}9a3d~ERskt@x z9&CMbuV!ShWb{_V>25YGU75G0V(iZ5r{CmUzg#*r=)L3DKq8ocQxKh{$LMG4x>3C%`gOG8Zop{b5NAAkl7OdV2owh4hGDq4D0OcJV*xH-M_6- zU_OSG71zP?rI}T4*WYS?wSF?UTUecQmXmzDaUOFm(F{~+PVt+4gN_Ya)K**Ap09JC 
zjAu?evucDUo3NEoGwV5IM#7j3u+VJQo}E`2!L_rOHnW;B<^>r%Cj@T%63omxBbPREW==eF=1H9sgOLHGL)%mH@bDMcU+Z9yE>|)V%6EppJ)R2`dDEtP^OA0RXqftpez5YsHDU>pJ|pKPw6*12_)x~>ZOdD6t0 zD16mbs>5c;lb~ju zWK{vy`9Y~4TAV4$X>cfRV~RRf-5E_d`WBFDIDL_%VxzFI0>&jXk+HzlM;M$YEpFk< zo7jpqg0dBVbYKi{O{@O2uWsNnsVhOtlY!ckR`|*zve2Rk-aiHf$0Cm<#1IeEeo!6` z^(82;66O|C20f6vaBd-dOfsc%2SOKtcbG^Yf@BgbbfJ~uC@6xHish78E%I5)YV|-YMl7ZUQY6<=+B6tf z0%9|PAsYDkQBp_7ApoiqsK{KBk^_TY0TKz~#f;D$xP?z3QPrwxl~dz_#a>A^IO+Z#qpUr z=X=h~^>geb#*UrD`QbEm;v{wBG@&GJDOGSIs?d@R8-xTBWz8NWHmne^V)*_{MR3_%!U?467r5 ze|YZBzH~1x+>_^i|G=vRB384nDI+)qZS2$GciiI(cY5KDzwNGG_i;en;_V}U_Y-&a z#+|)%w{C~kHNJG>?w-3B7w&^|zxSRWuJM&axqHIbZ-=zOB8cGCuHQTJ$6xplzi`K| z-2Kno&e^T6zWMck|NYB<{{7Rx{PjnF|M=VQ{`0T(FKV(T>I3&f^j@*6f&)&GR zx9-Ug+>@97;0`t}V{=CjKcJIWVeg)%E#BDBja}S$93Fkq`Zp?ol+Uvg9!x zGH+U*uW!0DnHle=yRn-3sSoCVV$8|&A2S2PyfB8M=n5e?@*dDoY3 zQ+i)GY>i-TeWe{kp8vgV0H>Si8ml8Tf&gk>p>4Od7d)?MI#M1sG^&VyC?hzcAP6F? ziWpfVYohWC01zQSi>fWgAj*Y5Y!KxfL!|K-N;YWAA`T6GQ zJr>6iG7N~qDkMS>#H2Bruor1dHg4+vvztHuiJm?23XW=FX+%X-j*ui){}2Uh2%rEZ z6}GpKgSggxw-AJ~5Wz_#i3$|~qH5jyn?}*pO3chD1{DUA2%;c=K~j{I5Tm3B6;ft} z1 zL?j7`rx;`qv2sOHmB_F(I6+ucSi#Di1QBBOf5}F5UlsNig$1!PNulnV{E{e;_qoU< zW}sw25GJt<5(065pa7%4NRAo%kXs2h;%AX#4-esp$jmH6f}k8Yc=JxHU5NQF15|=A zfdU7I;PUA)FbE<{Y!+}RlLQv?N)t(j&~V;8i{)I*IBnkxB1;4@0ZeRx5%EM4Ra7L! 
zq{8r=w!_tj?!lXI@l*NwXYTda?$L91_O!S%_62s(=bgPCN_S$ZlZ;OZ6U*W&RlDFrB#?;~b|8-h&yP|NN)f6Ss_)&+OA&{5$#IJr&T--v%Sd%)O#RHQ8@hFldz# z^H5S(tg^%<1jRi`fdZxjyyFisN*FC38X@e!fpeZ7~fxwI@H6WTh1r^Ft1oH_KKd?V``gZlyqBnQ<54n)Ed#p1-F z2z4ue^qm^v@CbnwAqYbth%t()t&A<|qwxu&f;dC4g)0lDYqp+Mf@aZZQL1Jj8w#d< z;n%E!QVPPP1;SQUGM6ZC!IN0DJ0Fr-cv=OSK*i4AEmMC~D>wgH&CF1NYR0A4KeeAK z(uNNq5{f6eYTL5+wG0eqAGH|}%h+B%la*$FO*>#{SQ_K*aJ3X!?6yAq%B%7xmI-!- zwaZ#&BY7A$w7c1SO{g+eP+JLcaV5|CY7DKb6_1%-N2PdO%;COZb|=zf8ee7D8)A!m zTi%UDqol-eT=p*Q0!iY>BP;;HHpvWK#N z{8RbMIk@O2EW`;Pnf{-2OS<95%08?| zyS8lJdbrkE?`i#WVh)O37y4aixtpg#MlhXScSGOF8jaF$=?Ey*c}ZnY)6%ZnVU$JS zTemA+EL_dqH;d%^`7ymk1u|LhY{J@qu6lt0@*rQ-m^{tK&j(7nN?7~UUkt;~hdj(* zmAjm?uvitQjzs@iacFVac^z4}8^&sfaBHDxuA#6x${e7Qlf$hrt7Aq_K`HBKvyKzT zG$3ix6jd2^7mdZ$&;ppkbe_dNl(Mj{gCVx0#d+ANt&EMkOE9q)$@`U1&U^WPD+jOR z5Km^WW>iq>NXE75lZ!Fb5tnPbcN9znYViYY+&`OBrgm=z2M%miguH>M9Cr|4yw~yQ z0Pgz1g}Gkf^!6MQ7`dyqT{B8Q1Tv5s5fQ0srj`|IGB*T$S3EW2x6C z0hig{u~b&urC*r2lip?PDQIL^)jPA?E%mGKzy{q&<6Pr6&Y+c@^!zAnq`qv_E4s>Y z&23&XK1&*dbbeogdd6UZ(W}sIqeUP>H7b(J+Efyr;8IMgOIkNE+PVOLCv%9ik&afT zm_M|-GcJRop>zzonayz-p)kkx&-EXz`k>29wky*7fW8$85vW3t=Ovsx5m}A6)OXE% zQK;HEw%f){F7JPYUE7v_9IFm1u%T)u=l{R=JlGf`nb}$UAuBu6>FxqwWLX-+UI#y5 zn*C)S10WW=FJDY+k{VGWlK?DBKd>;YyB|9D9pjvslR=jp%dmb34xL-r4UE`E%G-cD~0%5-ny zLa34}rgBd@*U0=L|65_V@-yH4aX|pLqrkF*_+1~3z zbI-Ts!WPlb{%<$C_z2u48}G=<@)TTZ1Xi4lB|c`LMOT&9-!+7O#7*$LM6hn#0eR_D z`%;NjfNiY8Sh-<;j`_|vL>PNA7t9|@hT4qDe*Y}TU8{A%Pb9!Y=KH=G{mS2}B*VW2vnj0dn+)2*Cv>sxl=Y)nzT!k&CCjIFam~WzEP9|*&}zWS zLq?U^24&gZNvOTK!fYyEptC$KQBtp(c?o6kuJ^2G)sNe^eeMa#LjAY+BFT&(NJD*)5Zh_ z{fvbP4fhmx(c7V^xXJ(RN@XFpKCucls=4J~r@Q&=YGC^l*=##JkbS3S?g7&rj5Ecz z9o9B~c80?-C&M0j)vZ)gDyfUG3Q>9h-N5t1od;s>sZPNd^)6M1;$L2E++o7pCA^HC zF&X2Pz6B3-jD&)0@%o$^jUbt!?A+NylTcc3-10OGBBKN>V>hSOQbUuY6X40&yzSxf8AxN+l+Y%JXO60(JYO}lpI9U~&N+&1LXyLy3r z*#mJY8BwK-EKAz++ybqe{q9~QthHybxtohb| zX`rf2Yd0cSe$P*v{r&#UIp6P_bC}CYuH68qVuUa=d&}nmV@_rZmx}#N=jInLgHb*r zrKKd0^KashkYLQfMQH&Y2dIm1d 
z3)Rk>HVL3#@Qn66i`vJspXQPx{PbcN0UM+@@1c0Pr?pNkRwqd}_@cr%j4?b$NA`JZ ztv}6mFP^98D7s8-@Qd~6)ZMy>o+;lx7<_ta`W3aVd=1-IxRgxBI)aWy@8^WgKR@ASNf2!l8 zd(;}{#@lBu9mkU{;JZAcxk(!DjCyE{A^C`}d8*_@wTPLJz0`mr6SX`!1R^@$Ip2Al zR5PL*8v)X}X*a<~2_eWX8(LU@LiE*TFTCbZJ$6uKO$`Drf|@n926CUrrsSm;Ifr1_ z#4F_;SyVJrAj|pg@m#jQwJ>7`ao6r-- zPyjPZd3%0>Fj>wYBu|K7_Fv)_CFznC)e3dazL!Fu-X1L~41V4z}~ipWnjaL_i$K;=3p)z=2I|-h0$kzpPZ1uYnu0B7ENZMOOS4BI5sF=VfhxhE(4iC@r*KSod) zKCyWldKd_-_tUDG(!>uD|J9D`V%H3)Qy zt~21Z%rTf7bg56Cz-%_Dw{giMz4g8vO|&Pr8bk5XSNV#d`X-L^j)ydnuKFbXX21_} zUv6Nq(ytPGI7~oJC>1OB=FDpui)fKrme3f*u`X*otU5;N@Z|3tf3TCAG&m0^%Y_jk zN@=-?S3-=CgCHpB zfR(`h@eL%5HhAL3f9+qPvgJi(==4I#)U5|a9%7$FbSk^bklhPTQvL>*>B-Z7sQEU@ zcMPqlsYu8j%UL;8-Jpv$fmPkI`ne}$Vnh!#ep5dtzQxQ}4#C9=|5bHk)@bSDgV zA79J5Fio0_?dxmHEMeFi5Xemq0bkkPVcH7L^xp1`lrPI5xY`rip<=txEgkwiT!8kD zqkP~QtiTA>e-*>6CB=c~8qW3~z7^>yFflqyJdZ6T$|+B|I&tGJzz~5$40Il4xqs^; zSy+k18*YLS5WJ!;FQ?axrrhB7@{N`6GYF5H3QDAka)lD&T8SK#F@!O&KU`Ft&7j9t zXRdgB2fms>-JVX_zvk}c(5knYX1W45jr@a$aSyHafAEo-{;eqAd!sX7vK<#_h9SCG{Zhkb<7!^apsNscC4-Q7}51iFqse&uV!y2 z76osgD>hV}RAKnX&^FY>a*Shd$Z3W~gP_+{f7^-GZ$-sbqQNnM(afHnh{g^Y4BC%F zCAu-~YVQ{`7MX#;k_I=utddy?vv8O<-Kz8QEalh9LALY_Db*p%sZcgB{=cl4}Wy+;|M-?3{-tK5vb|2Wg1Kw>{^~QI%^Q-bpT3y_hUgVk$sa zf4YHltZf8d(v&v!aI7La7*6d=RtGH7s*No z`Q!6NVCP|oEl>yWjJuRAxdD?o(F4Jmf1?Bp_*$z$T%-@TDdYRmp?$vHnMMN)x?sVb zFBN>znVDR&^kJS|@?lHYqLM5EMCg)Wd<%c2x?)@WcINq(@(*m>a5l1Nc!uN#*DqOQ zPw7qjBYW3q>kIWHWTG~KvR7C3>vCXY$)iDtga~+iG*jN(M<~#p4TNsiTkL<0f3+6a zZAH*!T}ss4LRL3Ix>x5{cL`A*~03OiAJKB1~Jrbe`p+x!lY; zK+G~@rh17+02paUC8+52JmSLe;F)nI;+1Q?f3VR(4Xi|2N|cnLW**F!m$aAbxhB)v&%(x3i7w(>VH zROT?rhNOhlHu^FSfu*(haPjPu|oLbUjzM>WuttI^nT6d9Ix8 z=Tw0o8OAT?y<_ZESn?9v^m03tv5_%c zyi$kGIn!G2icP(>MU**Ce?#9&A$_QOL8U7c!m_|f_f5GZ#&wV%-Tj`oP}~a*)sQqjs>}tJ+D@G}D?xodd(idH$6mP2>Ua#LFU*w?9~tyKux29?;s$(;`a47CVKYr2;=rJeO0d)z?E`{TCe zkrQ|I{x@CQ76V|wFu-*!yQUJ9y@|E~4QroCo%;U#%BS!ARA*<3_*jw~;;lS*TSUQV zBf9o~!mj++uBr;Jy@q}6dykd^tx#seP^IAkg(655QUeh&e^BP3Sfx~h%n=b$f)-H3 
zph47-NK`P05d@hE5;ZAm5Lzn%LO^Pupok{?1ODa@dpP^7waztZn%CF&?mhPmd$0Aa zZy?>rwC!LoTNuP=n<-jv9XNcnh7<%hQ`8zcxT(o}VrnkX);jeE#(Z~N)~#zOsa6~;%+`<_c}*f|f74aQRwebEtJpJ_Fl$LUuJqR( z^tcqXG3i{3QMry=Q%HYWrZnPSX)g5_KTGP2e6dVO@IWq|+FMDgngvOx3 zDSm@)W#9@31{D$!q;9h;aaMri%8SN8l(7*~+dH{#Z-558(z7+JJ3Ci1 zB(;{gh8(R-z;az()K`^YV>2d~BBYq%`7vW(e|20Es`}iS)@~$W9!bR$yT~GeDF~&E z8yxoZmEg@HDY2;cp)X-5#2gcbfrax`Mwt16^@_5PbicVI>N*ywdD)stnhoV5)vy)L z9xaWRXslkIdDzeQLWPTKGCj ze@tE!RAhm{G(G*MMO4e;zWFxhvx;cqO8>`r0MpfNHjbojRG6Z08cMJ7Kd}4>cW7c? zzg;M&^Z#A&*22!V0csyfwd&c39EU3~?6*`DpIQnOZei)eu91VQw5*wJW0tjJO`-C% zv^$n9q0;;m0<;;hP$+1wq(Hm*Dc}Lgf2B$FeVt*6+8698lY~GBB?kkUYkYKjFl~uE zIAAVAlk#RELlSw(P0wAWwem0^rSc%EZPdO^K z`*(Kcz@YW6*?JXgJ{c7|4VHd9k$|7T#fFfY&YrnRd*RRrr!h6wAZ=JrOfW_&UxcMA z*~>zdwrwFGq7(rb1q)6?rAipSe`)r@=T0(jgOSQF)~LS#Ay7^GljO~svRxXEOId$& zF0LdIU=gaB$LH4sHo-4x?gah|vv>{P|tDmNSrdd%Bs%1W@3S$7YV1N=#)0%<0Zn^f@T95NuV^$-RHaNz0p|oZ*gQdGk?Woj> zy#H}7Q>?MQS|X~qTUr4Ce<8E_h+T_bi{)6ItxE~0t*7W6fQw+%n)VF z!DNi#i-^Dz>1HRB32~P+u0%qBKmmo4%tAs6JK#V<2*3e_By|HAf3N}r3SzaxymEOl zr^kx0lE{~3NJOAo6&D5>rtpzmg=D#Ura>`c+T$dp^b!q~y)2xvnfCSzGl zOd=D29A6e9G6FG&VpQLF%qP=W4vZL+*epfdC6|;)g{+=Hlo(^jh!ci@fRli;7?>hc z>_|EQKt}E&iKJ9Kf9i6K4hz??8;LP?v50lDWqq3|)n_}W5+R+;rlK0m!dm=eXjbh4 z$T}34atW9tgoH0#w~Xe@@=`i2Ps21*KH9%~>rv z?P*b7i;6?%dP2B6$KZ011{+*ycWbJl2pR2bR(^&nL28@JG4itAd)k{M{cd%cvs50< zHbBZkwvwaf!a4Q(Zr^M#kP?_EX0&n4^vuVe{1ol{Kxu*s5aFJ{vpKVH*XZ3Qwlf*_Nz;;JOe&U|5!W^I=2OTBH{Q7Moo9DBe%}y*x`?uLvgfKxpWk-r+s~c&*PqRQcRehg0odc6)E{YL;p#({k7$Y%5@@`2b3o;W&i98hG<&H3iogxObN^G|QDlmo&lMWf1 zj7B%T3>g*OSS`U-{Wyi+;M(n|iH2I#pkino!etg19|5eOGJ8KY&4DHRn;Y{8W_AE!md>`>eu$&@=mb>6PNN%^3+LpN3Z zwB?1hGq&>}^}%gl>xQX0GmbviF%$!*s&I5DK{%W!sZ-Rl76wpYk#lQ&_j%D5SEeEqbOFBi|f2gkXFrprL;RT13Y9c&lN2XL1johU9_;rp@ z!s@FtrVa6M^EYfC*^t8$>kp3}@y)AX@vhV@JMs(PJ8#Q#e%01zEQ5sq0VO^w4>Kdf>Rbuc3V+6Hw$Bg)lNx;1J?0;GPG4eBHTE{pOr) zn~r^WV|VBxmYo6|a=1#tuJ4){VzxT;dzVfdf=WKaIR_-1;K-nD^ z9=YGB;fZFu+jgEy|jIhag@V@xxe zHtD9tY}*jE%)=-mO8b$J!ri?jJ#+8RQ`BFXj%lajedyP`a 
zIkA6gIN00j_h&in>FK_r`r1G!6q=bG@9GX@`Tc3W!lJ_ZKwxiVDiWO;-c(&`R~+eT zQO~YDvFVYCsloQnnzZyZ!qV%v2Igmf56(@F?VlVP+238)QHhH3=K`}AMNT6*OhMj?)=tOvYa&$}6CYRf-s6L14SJjg8 z(x$%NP(fjd!;zbpQ`gqo8Qnh~n;UCxt4&MGcB`f3r7e5+3{6cAg(JP?8%pheiVF~u zkftF41W1%+8&N-2`#QNRhBr<926(+I_JQICd^;5b1wNx4`{-NP6q7|L;= zLY8GDV~jCiP3bCvEFmoxQ32*FDcv?a9Gy87o}L>EbT(&a=GvJzFTM2m{QT1w*8<&T z0ur%eCl04Cv$VOnZ#)v2ni&dzbk({%u3Z0??c4kJjfW>=Mj8;;UFj*hMw?nw8k6y(YUCkVh31(0NUeX+9LY;wbZ#TROHpFZ)(k2>z7-Nh8BLI*IA(S#o zos78&^CIezi9-YolqK}Z4!{I~j1XX8Oi`JlGR288LkI{alrlsdh`JDU$QUDn5hVyS zOdXgqNiz{8geo3j9$+d_+`wEiA;2h6?3Ah)D+m)r5F!X+V2X<=UQAs;?LZX?K*9(s z4r+H(=E8&`kO&2TOaKU`j8SF>ObNr7GODPAsfgGyr3ip23RRq#xe#>%Q8cv<000mK zahVLn9|0|lS444=W;}UW8~T8(AubY<5}Fh#!8X-$qd~@i6625L97LOyXzPCbxilhe zf?X>E5=GG_i3kH`3Rdix+S&gYyY?Tc>MMR;pL4! zDU;c@W_ovj(`+j-^@uWQCX=nx>1xxgl*ty4l9HknQETQX!4${|OVxI@^QmqnBBFle z;h>3<|J_1%Wu!)Uw3Pl%MJ}eZ=EE~s+cfBA6^u~PW`j4b*S!-*Mq)~`ls7s8iKW>N#^n>l9SLNJJR@FKI$rgpfOX_|F8W9mqcmOa{ zgCo;Ohi3+x7w48Ap}gn2MU2r|Btw z5L~+{km?^3Y7onlBdikMlqhWwbTGh3J$BXB0vdtvM$HvY27{|PBM>1fbr^(7)a`h+ z7OpTa;l-QTN;6wU%)B&S9FgZZqA4gL+2Dca6-i_jUP^(7iZ~EatV~Mkj98>fplzP! 
zEFy3d7>Q+*2liiCTF z58B}UaX>%IDL+K>;f}S33&5e>n0CVhHp;#3Rj9*Xs`bQBHlLSuSyBUOMt{F_n28Vz z39<|m;Q^~)zDfu$v)7>1cT*T`c9&t$iHGyrFCrUgoizvD{phghPFQ^-v5l zf=Bar(mN4XZ>W~#WCjt{*6AlT z|I&HErH8C=zGyIFt8{i&w}6;`)hu>3%oEl&SnQ8rklL^z1egf3aO)bSlkk<<)YO<& z(jcXFl5+jPz+%KBI}mrmAyk)|>0@vKBs zv1w-TG$VnSaw<-HQ|AN<7O)c98fl=j_R7qZBrU>JCD*}RMmy4gn5OvFI`6L@C(GK~ zkfnW&s=)+Cc|6u@X_`s8tCi5sQ6u39EDtrOA#hicg9q;a^rPP$dTcKd?cTln%}W=a zIP}2Z-n+bg`xFqN^3a2S_rLe{l_Liqxb@+04n4Muh@N`l@aLc2+`o1&L<}GzW`zgf zIUEs~q82FT089d;K|~+iy!`P;7gL)9)&=Ap+PaXQ}`&YN#<*6`#_POt0zwvT2 zbyc@kh?Iz#h>jkAdGyNVQ%1z3VhZzI*NB8z#Eey{<(iqgF(d&mE0a_?emmO|A{JIr z7E@vMbV!4-8j-R<)WpQhgq6sc(&i+kiEOa+?;&C}CZhGz$4{?6-?_6#L|cGndW2SE zA2&d`t74JZ4VJe{>*WGZlnQSVj~S}4s2%X-$ge7{VcCR#L@P>12@Tht>rDU4J%EaL zTNl1uLg&qDBD#Oi&fD+5_4S?WUwroZ>z97|=)U`=D(P6mEW}dX|6oLPX8qWO7mo=M z6N%(!TwCms6kz5>0dhb3;gK)yT)TDq(w(oa-uV6L)h%Y4F9NX;lOzRBl-obZHTjuL z=c}!%WwHZ*6q3K}>M3O=PB6q-J&#*jEMS`-bJ}pIFcFJzMIlsEWLQK^plmFvO8nC4 zpZxvpS9Y!j5&it+@n4;NZZ;v|jSU7hB3fJ9@uxq$vTMiIdS-GP)0TLfByBeqN}5@g z_@cS{8gmx(#H>-8+y8v`k2lWl+}@KccJCo*l3|8@j{2(xwvM31S1v#k+D2&+%g%9hL*9;>+?4;&g*yE zMxeXrvLMM)Ks%ACP5ybk)%vZ;|M)udrzWy3j-T$n_jYFi0?KX>5fH(RML>~Ja2e1U z5L6Zy26><$YgodP1PKuK#lWx%fuutg_7R>j*wrExfROfW*Mqsem=KB1lx?AUS;KK#e253aywm)Ee{ z<98)pIqC^Q$i;OL!n?SUOB-Q=0Wp+wOV%}h;q3JVa3XOdehuZNKW~l9%qWgV?$60g zd->Fub>-yh4?WclIRFsgwfFf`LwR|BT19o%lNTeMeMLEWsTND`@_K7}`cWF7^lq+= z@3vXnw7T5j5Dx(1AQPuS!ZL`ZDLOyn;u_zxV$=Qkm$h%85CFW~q?)?oCA*Hdwp3Sr z~+?)mdxu303i4EZBtcR?YcQ*UD^E$9uf)wzB+YkW}Fs0MMAjtPsK?;y5DaWQW3|dIlSo*8BWDamlTWm#;=6qCFTE zh?7yVgk>1U%gb|QtZi$1^3D5^1&e~W)+Z#%0U#;<#MHRTZf`cuRo=XR7B8ZKFf7er z8UceCOk>P)z%aghJUUcmwuO#4ld}B51u22!;bB(3H~VTV2I#E+Zlw3FhX_O%Rh8u} z7&~lMRYzO?K3_KgYLAz!MO|uNXc)Kta0Futc=|@}Kqyzx&6)YFEB;9xI*3gB!~-1zq@t5y5>aqXpxku(5D#F$`)p|P_E{F~EYByOI+MYpe(yajtJwRVon4nXgjBf5tNGKq_C{(z`C@{M9mHKxS6j%zPJbQCoQBwe%PXfWU+W+$(HL0YJO9YU62F_QlB5$dK5B@<2~7 zADLT!`-8TY+^NaBr4?OO`8O;DLGl1yU-hiHd2YVBQ*&pZCx-yyVj}d9>dd@)dZsDu 
z@+knIDagHXdD75-%G)&k{e{O52LM3f^(zy-m7T3cR*Tj!Tb+135CIV6zy`EKB2bPTV~{&j)i%PX%WNx?Lx9FTcNnKxG}uFV_5rtX<%`!r?~WMF-L{U<=WP& zd2_dkZ|`X@3HEVg0WiXVh3lUm)B6X-39i#{n@**5ivBuPKTGqLIVx}@_jxH4F!{b6H2qK0N_wms76aAN?kW2ln}D zz$bSTe8f>1#+CFca5WbjWIl_2a$Z8~3~Oh9got!R(Ger1JSy0y;M&z!FD8=X4`>zlpDa$vq~eF#mi|ZT8fE@} z^R2n`D<^oP?*6~7bZGAFytA7O8k=SCw-2VKwrl{vL@4%%aD?R~0Hn6Ia%EM2ICNiR z(6OoEcKtx*9*M|e9{y=_!Z_FVWNq}rzwP^BV8&bZ*CDwXiNZO5zsVE zBaDzEa79p=3}Fb(aAE+Dyqh=QymbM~CIPdIv#DA5|s+05`%zwfh<$Zy^RK z6GMxY&9UZIselVBizO4|&GR!||M+97Lz!*PqMQT{nqk${NOPcn=Q%e=Hw#lC6Vl>) z5t^a;=?UfT?(2PodA23u4m%`czk6ek)Ru&wz5t#-6U zk$utIG46I)Rh`t+#m40fUr}E;H{Le)y8Y{y8EM8f41kRM}KixVt|TfB%Y~zi*~AJv}qlf@ehF5W_JX;9vt*f-VLMxcsYu7dN(4i;GROnzr?S)&33bfH>)z35&&m9E^ZC0t7(- zfD5fHH5x@_Sz=76Z(?l3&icgT%-EWetVwlSUS?!ukXM>G`t9n=(!$uuktSJ@Xr#ZY zy&=20STy*uG%?<9dP>pNDHF$qrzb^kZS_6Q4YT3#XoAKOfs-V}5rOL_QBc|YOwnB& z9(>7v+)zL=xg^OpGZQ>(DmwVA9vXNe72o!E_p~y$#sMQOSu{J^niGH1$xy&E;B8N{E4CZeq}{mSdaym4>69vpV#WLO7=ucC$KXPDyw1ITlyT8wWqnrYwoVxrQp9sS+@KcuJDelc_#vDAM zMNaLW5hsoCAJ@-xaYR585(okUhYSN68P}B+sE3*aCS1wGw69;+HnzHiW*ldK zzRQccr~8NVtJ*G}fW`^Bt5+ebOEon!IAiW+EpV7#7%Y}a$}4iWHb-j8QY6VYb00Evn6G;ev5kv$5A%nq2$SfyEvh%JlA>Q{|fQO|C&(Akt>Fr2e zby~2Wb5m8`#%h7s_>jLYX;xh%e_uX%B$J1IVYDB*TMP=GrC z;AZ4??QiPbjIg|iv4@}3y@R<75)i zc0#G>@x%~91WAen0ECBs`hPhbE0IP;hxtvvZk>D6bUD!JQD*$%?^E*H?B>e+&!6Ud z`%4%I!vX!Qp?qs+Q1T!&G{Dt}LHS~|swXd!E zUwsJF+C6dI3!t9&`ktxooE|F|& zdz@YP2;evt24hsi(DBTSL*pa_cXS zJT@}nuy`EWn8Bcb;Zc!-&LrX*ay07pj+O#@zDcDl?|=W@of)gYU~5I=Op;_G0wIJb ziu^xcXZoDRdB^c(cb{jM`_uvG;1UP{LKa9!h(iK#iJN6%VOM|v5WPY{zZh_C^1qzCe<(u=2dt<`u^>kTZPD+b9h)Tl-~N}($i-*kCr0a)$)@kpI*GQZnx+FN&txAZHOJB2!fc5 z`Zcb2vRSx!<fx0aKYbQ|NlzjOo-1TuzIyo4rM2R`Z%jQX#7GPU7=##(0TjalL=Yrf4E_D}y~`g| zkF(il-+c1T*S`#TtQRkA{_yYn_imp&+pO%IK2=Lmx*m&Kt-JG^Uwr@K{++w$7&@Wp z)oA;NeD1NU?=@e(ynFRRaauQsA;{JV?)j@vFP&R|PR)51-7^wG>X@+o<=L&Lf7`iu zf<3=kzj$;jG#%(u3_?N-+M6aE^yw@UaJzlb?xUrz5H^!m07Rlzx(#y zoe#IObDkSl-hcGy2FHZ1@0|YUt1qu!-@1A0#J^tuap&^M=%VNGpFh9;;hAZZ-ZyH0 
z_Vl-Zr_YvbCcT7I0!X453fndJJOn{_$4=G1{q9%Qlur(2IFz;*m!7G~e|-O7=hAx6 z<&{fxI4MC8gkz{b{qCcq`KX!Sua(Ll+`qhYsgVk~c5a;h&wu~=`122{;mDBKfFR`7 zcKwS7SGQYfkJ%)|rKCV`?tJUxn`h%w6Mck#6kvP=MKPSWuO#Y9&b~t}cv$)0JLAfo zi=O`v)xOh<-+8%%%*ugSS2qOS-M`bh3faH?7FUd87z8}L9U49eavyM89SBbzh!4DB z<@WalZD0k0ZYyG^M4>a~kG4Ih0Bh52-9TKo^0~XWul=<5otxMmQiA~;#ZU|a9P;IV z^1ehoIcBr-h1xOOLZQgHW~ccwiCAJdhLF%wQc27bvc_LKm6P__#?a?;9L; zgcDSSt!7iNfRWAT^mZa~xF#nEf`9}BBnkOSwR$}0&sSKcwUMEUev?rv7Rszy1 z!b1=q0Yw3SthG^J*`S+Sd8!;7Q1@v1htip(KQJQ^i*Ou8a10VshuzIqYwNAm#xh%B zii^QeuSDx|dKi{!Zn0dA3I+Xr3Y|(}^!gV|4W_ZlRoRT&X_pIsRqjboJQdNKhIVO9 zeE00RGw#bnVPB6S97-3X_J2EWjE}F{2#Ujbf z>{MvMuTc%@2kk7&HX0@Sh=ar>?cd5aFU7-96vqW(mB+VGZ!sI2R3EsE4k7tlV)5kaMzy(?kH&qf9wpc#VcX*& zij#baa%SFFU#qaog+`^wQQ2w7tXg4PjO4hr%Ia~JW->E>p6MQy1_I@%Z7N3>vUJ8U zVuSo%jm|Qk3^g_@r_QWwpKPSki+a6Dq0sr}qfCRTZ!(!uV$?Cg7imZBGo|Hn>ln9w zjLT+XPLoX`P@#}$ul9L3#=~(Gk~)i#s;3&Q(n_6fa7-c=Ga9UJx1U`pZyw{C^;|X; zH5=_mCIWPSi7sT)@nDLjsti>OxfqYdL2p102Cq!(p)Zm^~JRfdT~@apcHDR zX1s}nZ^AleHo5aV3+cx0jbW ztoieupgz`F?$B{)anLZ>apuuElK}uAB+$1HqW4rjyA?3+R4H^1i*No90et@zy|H)T zyGPc4?YH`X^rCZKB#1ZZ>$kF|7={6WLI5Bj+G&^n6?T3-a_mGDAJ_jXySry*XOrA3 z1V~5-=?V}63Bdyo^kRnnAIZM1mdJhVr(JN z#2tl2)8oTLtZHdGQ46&ivD9`mpUkSLB}I*YXr$f{6RB!7Yvz;1Bpx6}>Y`!3M16C= zsRf&&D2j_suUoyD6x0E*JtxdwX!&|A)zRHEanfEiP%^* zVyg8`^=7_^T8GvmY)%d-hJbBNf0Cj7q2KrvH@5+*237eLmc7IrW?{OCZCZOkFRhMTr>DNA8Ki_IWf1VD{-@^*{3sW$2ol)WE; zf5mFOxArOOn@D4EVr4aEO*2b3pOUCIZ&&rJ*uu)0EKTMdi^L*ci9LY`tZ(XX;a zU@1_rd*L-=F~6$KDwWB@r-;S<;c+EVe_*{JCV&wUN`E(i#ntZW4~qxef?}j5=4Oq> zSV)vv1jQsKZ}+J07H{H}MTn8v&F<6nOVq2dBMBgqbRkGS1B+Uxo7bDvTeOGTEYi&9 zT0ghxOPxQ7H4-He6j85i4K+{=h}EX4z0cDR^Zcbv5A)f*nOBQjt?%>vIbsp3f2hH} zczbWl57ypLClZHIO#@;mqR% zzgoSiU(N643#+SF@i27}ODK0{53O=$Kz)1s;^%Ka|LfoX{M}E#ji`u(D8x)=Y0oTB zfcOu;|LMQ~`TFf2fBV(vU#bMNe|j{FNvx4Ij+@5)#~*+5*T4Mz+t;su`s1HJJ$`L^ z6OP>YRKsi{jsgtOF*c`&vLk}%h_m}%Qt=1a*(1mHgPzV&%hLU8;01$KZCGe2n+t$z zz!>dZ>93uX)go9B3nHlM&XP`pld$>^cRiGi&yjno3)7`X!w~D!Tri}gf4mKdA!c*W 
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index ad68711a00..73ae8d9cc0 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -16,7 +16,7 @@ author: miladCA Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. -[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy). +[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy). Compatible Surface devices include: 
@@ -100,17 +100,17 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 1. Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device. -2. Ensure your system firmware is set to boot to USB. To enter the firmware settings: +2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps: - 1. Turn off your Surface device. + a. Turn off your Surface device. + b. Press and hold the **Volume Down** button. + c. Press and release the **Power** button. + d. Release the **Volume Down** button. - 2. Press and hold the **Volume Up** button. + >[NOTE] + >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). - 3. Press and release the **Power** button. - - 4. Release the **Volume Up** button. - -3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed. +3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4. ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick") 
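Review bot: the held button changes from **Volume Up** in the removed sub-steps to **Volume Down** in the new step 2b, and nothing in the hunk explains the change; confirm this is the correct combination for every device in the compatible list above before merging, because a wrong combination simply boots Windows and the wipe never runs. Also, the new note block is written as `>[NOTE]` rather than the `>[!NOTE]` form used later in this series, so it will render as a plain blockquote, and sub-steps a–d have no blank lines between them, so they will run together as one paragraph.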
@@ -118,25 +118,20 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 4. Read the software license terms, and then close the notepad file. -5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**. +5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**. You must accept the license terms to continue. -6. Select one of the following three options: +6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data). - - **Enter S to start Data Erase** – Select this option to begin the data erase process. You will have a chance to confirm in the next step. + >[NOTE] + >The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information. - - **Enter D to perform Diskpart** – Select this option to use diskpart.exe to manage partitions on your disk. + ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") + + *Figure 5. 
Partition to be erased is displayed in Microsoft Surface Data Eraser* - - **Enter X to shut device down** – Select this option to perform no action and shut down the device. +7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. -7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device. - - ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") - - *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser* - -8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. - -9. Click the **Yes** button to continue erasing data on the Surface device. +8. Click the **Yes** button to continue erasing data on the Surface device.   From af798f4daad3a1a09caebf01adc705c030ecb679 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Fri, 20 Jan 2017 10:45:36 -0800 Subject: [PATCH 017/115] edits --- devices/surface/microsoft-surface-data-eraser.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 73ae8d9cc0..4e18fb9ccc 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md 
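Review bot: the step-6 note block uses `>[NOTE]` instead of `>[!NOTE]`, so the one paragraph that tells the reader the wipe removes the Windows files needed to boot, is unrecoverable, and that **Reset your PC** does not prevent forensic recovery will render as an ordinary quote rather than a callout; that warning is the most security-relevant text in the procedure and should stand out. Separately, the **D** (diskpart) and **X** (shut down) menu options are removed and the prompt becomes a single Y/N choice without the text saying which tool version the new flow describes; a sentence noting the version, or that older USB sticks show the old menu, would spare readers with an existing stick some confusion.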
@@ -103,11 +103,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps: a. Turn off your Surface device. - b. Press and hold the **Volume Down** button. - c. Press and release the **Power** button. - d. Release the **Volume Down** button. - >[NOTE] + b. Press and hold the **Volume Down** button. + + c. Press and release the **Power** button. + + d. Release the **Volume Down** button. + + >[!NOTE] >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). 3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4. 
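Review bot: the blank lines between sub-steps a–d and the `>[!NOTE]` correction fix the rendering problems from the previous patch, but the lettered sub-steps are still plain text that Markdown does not treat as a list; if they render inconsistently, a nested numbered list under step 2 would be more reliable than `a.`/`b.` prefixes.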
@@ -118,11 +121,11 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo 4. Read the software license terms, and then close the notepad file. -5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**. You must accept the license terms to continue. +5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue. 6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data). - >[NOTE] + >[!NOTE] >The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information. ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") From 99c2c8a938ae988f2ab5a0673cf6bbfe4475109e Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Fri, 20 Jan 2017 11:00:45 -0800 Subject: [PATCH 018/115] fix capitalization --- devices/surface/microsoft-surface-data-eraser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 4e18fb9ccc..4a39f0775e 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -119,7 +119,7 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo *Figure 4. Booting the Microsoft Surface Data Eraser USB stick* -4. Read the software license terms, and then close the notepad file. +4. Read the software license terms, and then close the Notepad file. 5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue. From de791540a0ece9e5c4f78895c40e1b8622a9cff2 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 11:01:30 -0800 Subject: [PATCH 019/115] title changes --- windows/keep-secure/TOC.md | 4 +- .../keep-secure/hello-and-password-changes.md | 4 +- .../hello-biometrics-in-enterprise.md | 4 +- .../keep-secure/hello-enable-phone-signin.md | 4 +- .../hello-errors-during-pin-creation.md | 4 +- windows/keep-secure/hello-event-300.md | 4 +- windows/keep-secure/hello-how-it-works.md | 6 +- .../hello-identity-verification.md | 129 ++++++++++++++++++ .../hello-manage-identity-verification.md | 129 ------------------ ...ion.md => hello-manage-in-organization.md} | 6 +- .../hello-prepare-people-to-use.md | 4 +- .../hello-why-pin-is-better-than-password.md | 4 +- ...microsoft-passport-in-your-organization.md | 2 +- windows/keep-secure/index.md | 2 +- ...y-verification-using-microsoft-passport.md | 2 +- 15 files changed, 154 insertions(+), 154 deletions(-) create mode 100644 windows/keep-secure/hello-identity-verification.md delete mode 100644 windows/keep-secure/hello-manage-identity-verification.md rename windows/keep-secure/{hello-implement-in-organization.md => hello-manage-in-organization.md} (99%) 
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 422542ea7f..d86fd9fc3e 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,8 +1,8 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +## [Windows Hello for Business](hello-identity-verification.md) ### [How Windows Hello for Business works](hello-how-it-works.md) -### [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) ### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) ### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index 4388fd73dc..b25aacc596 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md @@ -36,9 +36,9 @@ Suppose instead that you sign in on **Device B** and change your password for yo ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) 
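Review bot: in the TOC hunk the top-level entry now points at hello-identity-verification.md, but the diffstat above records that file as a delete of hello-manage-identity-verification.md plus a create of hello-identity-verification.md (129 lines each) rather than a rename, while hello-implement-in-organization.md was renamed at 99% similarity; if the content is the same, a `git mv` keeps the file history attached to the new name.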
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index 98a4f449cf..e3d1f50764 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md @@ -75,9 +75,9 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md index e6cd471753..f9e44256fd 100644 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ b/windows/keep-secure/hello-enable-phone-signin.md 
@@ -63,9 +63,9 @@ If you want to distribute the **Microsoft Authenticator** app, your organization ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index 6d2998ebfd..a362e1f253 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -222,9 +222,9 @@ For errors listed in this table, contact Microsoft Support for assistance. ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index a366e3a402..b6f75fd82b 100644 --- a/windows/keep-secure/hello-event-300.md 
+++ b/windows/keep-secure/hello-event-300.md @@ -35,9 +35,9 @@ This is a normal condition. No further action is required. ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index c8100862aa..2f2ef14ccb 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md 
@@ -26,7 +26,7 @@ A goal of Windows Hello is to allow a user to open a brand-new device, securely The registration process works like this: 1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. -2. To sign in using that account, the user has to enter the existing credentials for it. The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. +2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. 3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately Remember that Windows Hello depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. 
Other registration scenarios that Windows Hello supports are: @@ -112,8 +112,8 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Windows Hello for Business](hello-identity-verification.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md new file mode 100644 index 0000000000..a76b8219ff --- /dev/null +++ b/windows/keep-secure/hello-identity-verification.md 
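Review bot: in the hello-how-it-works.md registration-steps hunk, the unchanged step 3 context line reads "it becomes usable immediately Remember that Windows Hello depends on pairing a device and a credential", missing the sentence break after "immediately"; since this patch already edits the adjacent step 2, add the period here rather than leaving it for a later pass.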
@@ -0,0 +1,129 @@ +--- +title: Windows Hello for Business (Windows 10) +description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. +ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: jdeckerMS +localizationpriority: high +--- +# Windows Hello for Business + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. + +>[!NOTE] +> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Windows Hello addresses the following problems with passwords: +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials (passwords). +- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). + +Windows Hello lets users authenticate to: +- a Microsoft account. 
+- an Active Directory account. +- a Microsoft Azure Active Directory (Azure AD) account. +- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress) + +After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. + +As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. + + ## Biometric sign-in + + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + +- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. 
Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. + + +## The difference between Windows Hello and Windows Hello for Business + +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication. + +- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. + +- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. + +## Benefits of Windows Hello + +Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + +You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. 
+ +In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. + +>[!NOTE] +>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. + +![How authentication works in Windows Hello](images/authflow.png) + +Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. + +Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. 
+ +For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. + +> [!NOTE] +>  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  +## How Windows Hello for Business works: key points + +- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. +- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. +- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. +- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. 
The identity provider verifies the user's identity and authenticates the user. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. + +For details, see [How Windows Hello for Business works](hello-how-it-works.md). + +## Comparing key-based and certificate-based authentication + +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. 
+ + + +## Learn more + +[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy + +[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) + +[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) + +[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) + +[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) + +[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) + +## Related topics + +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +  diff --git a/windows/keep-secure/hello-manage-identity-verification.md b/windows/keep-secure/hello-manage-identity-verification.md deleted file mode 100644 index ca6b032a8f..0000000000 --- a/windows/keep-secure/hello-manage-identity-verification.md +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -title: Manage identity verification using Windows Hello for Business (Windows 10) -description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: jdeckerMS -localizationpriority: high ---- -# Manage identity verification using Windows Hello for Business - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. - ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Hello addresses the following problems with passwords: -- Passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials. -- Passwords can be subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). 
- -Hello lets users authenticate to: -- a Microsoft account. -- an Active Directory account. -- a Microsoft Azure Active Directory (Azure AD) account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication - -After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services. - -As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. - - ## Biometric sign-in - - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. - -- **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. 
Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. - -Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. - - -## The difference between Windows Hello and Windows Hello for Business - -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication. - -- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. - -- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. - -## Benefits of Windows Hello - -Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. - -You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. - -In Windows 10, Hello replaces passwords. 
The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. - -![how authentication works in windows hello](images/authflow.png) - -Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. - -Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. 
- -Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. - -> [!NOTE] ->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -## How Windows Hello for Business works: key points - -- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. -- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. 
-- Certificate private keys can be protected by the Hello container and the Hello gesture. - -For details, see [How Windows Hello for Business works](hello-how-it-works.md). - -## Comparing key-based and certificate-based authentication - -Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello. - -Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. -EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. - -When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. 
- -## Learn more - -[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy - -[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) - -[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) - -[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) - -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) - -[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) - -[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) - -[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) - -## Related topics - -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) -  diff --git a/windows/keep-secure/hello-implement-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md similarity index 99% rename from windows/keep-secure/hello-implement-in-organization.md rename to windows/keep-secure/hello-manage-in-organization.md index 7afc1c03e9..26a10d5073 100644 
--- a/windows/keep-secure/hello-implement-in-organization.md +++ b/windows/keep-secure/hello-manage-in-organization.md @@ -1,5 +1,5 @@ --- -title: Implement Windows Hello in your organization (Windows 10) +title: Manage Windows Hello in your organization (Windows 10) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 keywords: identity, PIN, biometric, Hello @@ -11,7 +11,7 @@ author: jdeckerMS localizationpriority: high --- -# Implement Windows Hello for Business in your organization +# Manage Windows Hello for Business in your organization **Applies to** - Windows 10 @@ -420,7 +420,7 @@ If you want to use Windows Hello for Business with certificates, you’ll need a ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md index 2991666df4..e1c079e7ab 100644 --- a/windows/keep-secure/hello-prepare-people-to-use.md +++ b/windows/keep-secure/hello-prepare-people-to-use.md 
@@ -97,9 +97,9 @@ You simply connect to VPN as you normally would. If the phone's certificates are ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index ad4f77ab13..f228aa93c2 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md @@ -70,9 +70,9 @@ If you only had a biometric sign-in configured and, for any reason, were unable ## Related topics -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) +- [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) 
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 0f8ca633e1..67bda0eb2f 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization --- # Implement Windows Hello for Business in your organization diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index b09b1a64e8..f258d43aa8 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md 
@@ -18,7 +18,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | - | - | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | | [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | -| [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. 
| | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | | [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 55173ae2dd..c3ef3e00eb 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
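Review bot: the index.md hunk changes the row's link target from `hello-manage-identity-verification.md` to `hello-identity-verification.md`, but this diff neither creates nor renames that file, so please verify it exists before merging; a top-level index row is the most-clicked link in the set and the first one readers will report as broken. Shortening the row title to `[Windows Hello for Business]` while leaving the description column untouched is fine, since the description already states the two-factor, device-bound credential model the topic covers.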
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-identity-verification +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification --- # Manage identity verification using Windows Hello for Business From f5cb7bb147994549b3a0ad8f67175f0474f7c835 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 11:08:29 -0800 Subject: [PATCH 020/115] fix bad links --- ...ange-history-for-keep-windows-10-secure.md | 2 +- windows/keep-secure/hello-how-it-works.md | 2 +- .../hello-manage-in-organization.md | 45 +------ ...y-verification-using-microsoft-passport.md | 112 ------------------ 4 files changed, 4 insertions(+), 157 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 3dd6114a0a..30de1e7cdb 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
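Review bot: the manage-identity-verification-using-microsoft-passport.md hunk points its redirect at `hello-identity-verification`, matching the index.md row above, which is consistent; but the file keeps its full body and `# Manage identity verification using Windows Hello for Business` heading underneath the redirect_url, so until the body is stripped (which patch 020/115 below does) there are two live copies of the same content that can diverge. Land the redirect and the body removal in the same commit so that window never exists.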
@@ -19,7 +19,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | -| Microsoft Passport guide | Content merged into [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) topics | +| Microsoft Passport guide | Content merged into [MWindows Hello for Business](hello-identity-verification.md) topics | ## December 2016 |New or changed topic |Description | diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index 2f2ef14ccb..fa123026c4 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md 
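Review bot: typo in the added line of the change-history hunk: `[MWindows Hello for Business](hello-identity-verification.md)` should read `[Windows Hello for Business](hello-identity-verification.md)`; a stray character in the visible link text is exactly the kind of defect a "fix bad links" commit should remove, not introduce. The entry also says the guide was merged into "...topics" (plural) while linking a single topic; either drop the plural or list the other topics the content went to.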
@@ -21,7 +21,7 @@ To use Windows Hello to sign in with an identity provider (IDP), a user needs a A goal of Windows Hello is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. > [!NOTE] ->This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md). Organizational configuration must be completed before users can begin to register. +>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register. The registration process works like this: diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md index 26a10d5073..87c3225316 100644 --- a/windows/keep-secure/hello-manage-in-organization.md +++ b/windows/keep-secure/hello-manage-in-organization.md 
@@ -28,7 +28,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will   ## Group Policy settings for Windows Hello for Business -The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. +The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. 
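Review bot: the first hello-manage-in-organization.md hunk rewrites the line for the "Hello" to "Windows Hello" wording but leaves `**User configuration**` next to `**Computer Configuration**` with different capitalization for two sibling Group Policy nodes; since the line is being touched anyway, use the same casing for both so the path reads as one consistent navigation string.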
@@ -363,48 +363,7 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. -## Approaches for a Windows Hello for Business deployment -Different organizations will necessarily take different approaches to the deployment of Windows Hello depending on their capabilities and needs, but there is only one strategy: deploy Windows Hello for Business throughout the organization to get maximum protection for the maximum number of devices and resources. Organizations can take one of three basic routes to accomplish that strategy: - -- Deploy Windows Hello for Business everywhere according to whatever device or user deployment strategy works best for the organization. -- Deploy Windows Hello for Business first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials. -- Blend Windows Hello for Business into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards. - -### Deploy Windows Hello for Business everywhere - -In this approach, you deploy Windows Hello throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Windows Hello infrastructure in place to support device registration before you can start using Windows Hello on Windows 10 devices. - -You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Windows Hello for Business on a device until the device joins Azure AD and receives the appropriate policy. The major benefit of this approach is that it provides uniform protection for all parts of the organization. 
Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks. - -The downside to this approach is its complexity. Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint. - -For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](https://technet.microsoft.com/windows/mt240567). - -One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated. - -In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) 
you’ll deploy biometric devices to users. Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor. - -### Deploy to high-value or high-risk targets - -This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Windows Hello to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Windows Hello–secured access to that database for those users. -One of the key design capabilities of Windows Hello for Business is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Windows Hello to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets. 
- -### Blend Windows Hello with your infrastructure - -Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Windows Hello. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Windows Hello offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment. Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Windows Hello in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Windows Hello and use Windows Hello to secure access to network and Internet resources. This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Windows Hello itself. - -Smart cards can act as a useful complement to Windows Hello in another important way: to bootstrap the initial logon for Windows Hello registration. When a user registers with Windows Hello on a device, part of that registration process requires a conventional logon. 
Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Windows Hello for future logons. - -### Choose a rollout method - -Which rollout method you choose depends on several factors: - -- **How many devices you need to deploy**. This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. -- **How quickly you want to deploy Windows Hello for Business protection**. This is a classic cost–benefit tradeoff. You have to balance the security benefits of Windows Hello for Business against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Windows Hello coverage in the shortest time possible maximizes security benefits. -- **The type of devices you want to deploy**. Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Windows Hello first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. --** What your current infrastructure looks like**. The individual version of Windows Hello doesn’t require changes to your Active Directory environment, but to support Windows Hello for Business, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. -- **Your plans for the cloud**. 
If you’re already planning a move to the cloud, Azure AD eases the process of Windows Hello for Business deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Windows Hello for Business will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Windows Hello for Business from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Windows Hello for Business services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. ## How to use Windows Hello for Business with Azure Active Directory 
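Review bot: the second hello-manage-in-organization.md hunk deletes the entire "Approaches for a Windows Hello for Business deployment" section (the three rollout strategies, the smart-card bootstrap paragraph and the "Choose a rollout method" list) under a commit titled "fix bad links", and the change-history entry in this same patch records only the Microsoft Passport guide merge, not this removal. Either state in the commit message where this planning content moved, or split the deletion into its own commit with its own change-history line; a reader diffing the history will not expect 41 lines of deployment guidance to disappear from a link fix. Note that the deleted text contained the malformed bullet `--** What your current infrastructure looks like**`, so if the section is re-homed elsewhere, correct that list marker there.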
@@ -414,7 +373,7 @@ There are three scenarios for using Windows Hello for Business in Azure AD–onl - **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. - **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device. -If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. Set Microsoft Passport policies +If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. 
This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index c3ef3e00eb..81cef9cc41 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
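Review bot: the final hello-manage-in-organization.md hunk correctly drops the dangling fragment `Set Microsoft Passport policies` from the end of the certificate-prerequisite paragraph, which is a good catch; the paragraph still names "Configuration Manager Technical Preview" as the enrollment system, a release-state label that will date the page, so consider naming the product without the preview qualifier or stating the version the prerequisite was validated against.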
@@ -16,115 +16,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell - Windows 10 - Windows 10 Mobile -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. - ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Hello addresses the following problems with passwords: -- Passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials. -- Passwords can be subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). - -Hello lets users authenticate to: -- a Microsoft account. -- an Active Directory account. -- a Microsoft Azure Active Directory (Azure AD) account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication - -After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. 
Windows then uses Hello to authenticate users and help them to access protected resources and services. - -As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. - - ## Biometric sign-in - - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. - - - **Facial recognition**. This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. - -Biometric data used to implement Windows Hello is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. 
- - -## The difference between Windows Hello and Windows Hello for Business - -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication. - -- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. - -- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. - -## Benefits of Windows Hello - -Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. - -You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. - -In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. 
When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. - -![how authentication works in windows hello](images/authflow.png) - -Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. - -Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. - -Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. - -> [!NOTE] ->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. 
- - - -### How Windows Hello for Business works : Key points - -- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. -- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. -- Certificate private keys can be protected by the Hello container and the Hello gesture. - -For a detailed explanation, see [How Windows Hello for Business works](hello-how-it-works.md). - -## Comparing key-based and certificate-based authentication - -Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. 
Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello. - -Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. -EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. - -When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. 
- -## Learn more - -[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy - -[What's new in Active Directory Domain Services for Windows Server 2016](https://go.microsoft.com/fwlink/p/?LinkId=708533) - -[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) - -[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) - -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) - -[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) - -[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) - -[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) - -## Related topics - -- [Manage identity verification using Windows Hello for Business](hello-manage-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Implement Windows Hello for Business in your organization](hello-implement-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file From 37d12727f548379883685ef787e83a4389b32369 Mon Sep 17 00:00:00 2001 
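Review bot: after this hunk manage-identity-verification-using-microsoft-passport.md is a redirect stub consisting of a heading and an `**Applies to**` list with no body; either drop the Applies-to list too or leave a single pointer sentence, because a bare heading renders oddly whenever the redirect is not honoured. The deleted body carried the security-relevant statements this topic set depends on (biometric data stored only on the local device and never sent to external devices or servers; Hello keys bound to the TPM where one exists; the attestation claim, without which the IDP must assume a software-generated key; the AIK certificate issued per device, per user and per IDP), and nothing in this patch shows them arriving in `hello-identity-verification.md`, so please confirm they survived the merge rather than assuming it. The removed "Related topics" list linked `hello-manage-identity-verification.md` and `hello-implement-in-organization.md`, the old names this series is retiring, so that part of the deletion is consistent with the rename.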
From: jdeckerMS Date: Mon, 23 Jan 2017 11:11:48 -0800 Subject: [PATCH 021/115] fix redirect link --- .../keep-secure/microsoft-passport-guide.md | 382 +----------------- 1 file changed, 1 insertion(+), 381 deletions(-) diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 4a17fd3d20..faa85f4206 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -8,7 +8,7 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security author: challum -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-implement-in-organization +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification --- # Microsoft Passport guide 
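Review bot: the new redirect_url target, https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification, does not match the file name this series uses for that topic elsewhere: the "Related topics" list removed in the preceding patch links "Manage identity verification using Windows Hello for Business" to hello-manage-identity-verification.md. Confirm that hello-identity-verification is the published page (or that a rename lands in a later patch); otherwise the redirect replaces one broken link (hello-implement-in-organization) with another. The commit message "fix redirect link" does not say which name is authoritative.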
@@ -16,383 +16,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell **Applies to** - Windows 10 -This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10, version 1511 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout. - ->[!NOTE] ->For information about Windows Hello for Business in Windows 10, version 1607, see [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md). - -A fundamental assumption about information security is that a system can identify who’s using it. In identifying a user, the system can decide whether the user has identified himself or herself appropriately (a process known as authentication), and then determine what that properly authenticated user should be able to do (a process known as authorization). The overwhelming majority of computer systems deployed throughout the world depend on user credentials as a means of making authentication and authorization decisions, and that means that these systems depend on reusable, user-created passwords for their security. The oft-cited maxim that authentication can involve “something you know, something you have, or something you are” neatly highlights the issue: a reusable password is an authentication factor all by itself, so anyone who knows the password can impersonate the user who owns it. - -## Problems with traditional credentials - -Ever since the mid-1960s, when Fernando Corbató and his team at the Massachusetts Institute of Technology championed the introduction of the password, users and administrators have had to deal with the use of passwords for user authentication and authorization. 
Over time, the state of the art for password storage and use has advanced somewhat (with password hashing and salt being the two most noticeable improvements), but we’re still faced with two serious problems: passwords are easy to clone and easy to steal. Implementation faults may render them insecure, and users have a hard time balancing convenience and security. - -**Credential theft** - -The biggest risk of passwords is simple: an attacker can steal them easily. Every place a password is entered, processed, or stored is vulnerable. For example, an attacker can steal a collection of passwords or hashes from an authentication server by eavesdropping on network traffic to an application server, by implanting malware in an application or on a device, by logging user keystrokes on a device, or by watching to see which characters a user types — and those are just the most common attack methods. One can enact more exotic attacks to steal one or many passwords. - -The risk of theft is driven by the fact that the authentication factor the password represents is the password. Without additional authentication factors, the system assumes that anyone who knows the password is the authorized user. -Another, related risk is that of credential replay, in which an attacker captures a valid credential by eavesdropping on an insecure network, and then replays it later to impersonate a valid user. Most authentication protocols (including Kerberos and OAuth) protect against replay attacks by including a time stamp in the credential exchange process, but that protects the token that the authentication system issues, not the password that the user provides to get the ticket in the first place. - -**Credential reuse** - -The common approach of using an email address as the user name makes a bad problem worse. An attacker who successfully recovers a user name–password pair from a compromised system can then try that same pair on other systems. 
Surprisingly often, this tactic works to allow attackers to springboard from a compromised system into other systems. The use of email addresses as user names leads to other problems, too, which we’ll explore later in this guide. - -### - -**Trading convenience for complexity** -Most security is a tradeoff between convenience and security: the more secure a system is, the less convenient it will typically be for users. Although system designers and implementers have a broad range of tools to make their systems more secure, users get a vote, too. When users perceive that a security mechanism gets in the way of what they want to do, they often look for ways to circumvent it. This behavior leads to an arms race of sorts, with users adopting strategies to minimize the effort required to comply with their organization’s password policies as those policies evolve. - -**Password complexity** - -If the major risk to passwords is that an attacker might guess them through brute-force analysis, it might seem reasonable to require users to include a broader character set in their passwords or make them longer, but as a practical matter, password length and complexity requirements have two negative side effects. First, they encourage password reuse. Estimates by [Herley, Florêncio, and van Oorschot](https://go.microsoft.com/fwlink/p/?LinkId=627392) calculate that the stronger a password is, the more likely it is to be reused. Because users put more effort into the creation and memorization of strong passwords, they are much more likely to use the same credential across multiple systems. Second, adding length or character set complexity to passwords does not necessarily make them more difficult to guess. For example, P@ssw0rd1 is nine characters long and includes uppercase and lowercase letters, numbers, and special characters, but it’s easily guessed by many of the common password-cracking tools now available on the Internet. 
These tools can attack passwords by using a pre-computed dictionary of common passwords, or they can start with a base word such as password, and then apply common character substitutions. A completely random eight-character password might therefore actually take longer to guess than P@ssw0rd123. - -**Password expiration** - -Because a reusable password is the only authentication factor in password-based systems, designers have attempted to reduce the risk of credential theft and reuse. One common method for doing so is the use of limited-lifetime passwords. Some systems allow for passwords that can be used only once, but by far the more common approach is to make passwords expire after a certain period. Limiting the useful lifetime of a password puts a cap on how long a stolen password will be useful to an attacker. This practice helps protect against cases where a long-lived password is stolen, held, and used for a long time, but it also harkens back to the time when password cracking was impractical for everyone except nation state-level attackers. A smart attacker would attempt to steal passwords rather than crack them because of the time penalty associated with password cracking. -The widespread availability of commodity password-cracking tools and the massive computing power available through mechanisms such as GPU-powered crackers or distributed cloud-based cracking tools has reversed this equation so that it is often more effective for an attacker to crack a password than to try to steal it. In addition, the widespread availability of self-service [password-reset mechanisms](#password-reset) means that an attacker needs only a short window of time during which the password is valid to change the password and thus reset the validity period. Relatively few enterprise networks provide self-service password-reset mechanisms, but they are common for Internet services. 
In addition, many users use the secure credential store on Windows and Mac OS X systems to store valuable passwords for Internet services, so an attacker who can compromise the operating system password may be able to obtain a treasure trove of other service passwords at no cost. -Finally, overly short timelines for password expiration can tempt users to make small changes in their passwords at each expiration period — for example, moving from password123 to password456 to password789. This approach reduces the work necessary to crack the password, especially if the attacker knows any of the old passwords. - -### - -**Password-reset mechanisms** - -To let users better manage their own passwords, some services provide a way for users to change their own password. Some implementations require users to log on with their current password, while others allow users to select the **Forgot my password** option, which sends an email to the user’s registered email address. The problem with these mechanisms is that many of them are implemented such that an attacker can exploit them. For example, an attacker who can successfully guess or steal a user’s email password can merrily request password resets for all of the victim’s other accounts, because the reset emails go to the compromised account. For this reason, most enterprise networks are configured so that only administrators can reset user passwords; for example, Active Directory supports the use of a **Password must be changed on next logon** flag so that after the administrator resets a password, the user can reset the password only after providing the administrator-set password. Some mobile device management (MDM) systems support similar functionality for mobile devices. - -**User password carelessness** - -An insidious problem makes these design and implementation weaknesses worse: some users just aren’t careful with their passwords. 
They write them down in insecure locations, choose easy-to-guess passwords, take minimal (if any) precautions against malware, or even give their passwords to other people. These users aren’t necessarily careless because they don’t care; they want to get things done, and overly stringent password length or expiration policies or too many passwords hinders them. - -**Mitigate credential risks** - -Given the issues described so far, it might seem obvious that reusable passwords are a security hazard. The argument is simple: adding authentication factors reduces the value of the passwords themselves, because even a successful password theft won’t let an attacker log on to a system unless he or she also has the associated additional factors. Unfortunately, this simple argument has many practical complications. Security and operating system vendors have tried to solve the problems that reusable credentials pose for decades — with limited success. -The most obvious mitigation to the risks reusable passwords pose is to add one or more authentication factors. At different times over the past 30 years, different vendors have attempted to solve this problem by calling for the use of biometric identifiers (including fingerprints, iris and retina scans, and hand geometry), software-based and hardware-based tokens, physical and virtual smart cards, and voice or Short Message Service (SMS) authentication through the user’s mobile phone. A detailed description of each of these authenticators and its pros and cons is outside the scope of this guide, but no matter which authentication method you choose, core challenges have limited adoption of all Multi-Factor Authentication (MFA) solutions, including: -- **Infrastructure complexity and cost.** Any system that requires the user to provide an additional authentication factor at the point of access has to have a way to collect that information. 
Although it’s possible to retrofit fielded hardware by adding fingerprint readers, eye scanners, smart card readers, and so on, few enterprises have been willing to take on the cost and support burden required to do so. -- **Lack of standardization.** Although Microsoft included operating system–level smart card support as part of the Windows Vista operating system, smart card and reader vendors were free to continue to ship their own drivers, as were manufacturers of other authentication devices. Lack of standardization led to both application and support fragmentation, which means that it wasn’t always possible to mix and match solutions within an enterprise, even when the manufacturers of those solutions advertised them as being compatible. -- **Backward compatibility.** Retrofitting already-deployed operating systems and applications to use MFA has proven an extremely difficult task. Nearly three years after its release, Microsoft Office 2013 is finally getting support for MFA. The vast majority of both commercial and custom line-of-business (LOB) applications will never be retrofitted to take advantage of any authentication system other than what the underlying operating system provides. -- **User inconvenience.** Solutions that require users to obtain, keep track of, and use physical tokens are often unpopular. If users have to have a particular token for remote access or other scenarios that are supposed to make things more convenient, they tend to become quickly dissatisfied with the burden of keeping up with an additional device. This pushback is multiplied for solutions that have to be attached to computers (such as smart card readers) because such solutions introduce problems of portability, driver support, and operating system and application integration. -- **Device compatibility.** Not every hardware form factor supports every authentication method. 
For example, despite occasional feeble efforts from vendors, no market for mobile phone-compatible smart card readers ever emerged. -So when Microsoft first implemented smart cards as an authenticator for remote network access, one key limitation was that employees could log on only from desktop or laptop computers that had smart card readers. Any authentication method that relies on additional hardware or software may run into this problem. For example, several popular “soft token” systems rely on mobile apps that run on a limited number of mobile hardware platforms. -Another pesky problem has to do with institutional knowledge and maturity. Strong authentication systems are complex. They have lots of components, and they can be expensive to design, maintain, and operate. For some enterprises, the additional cost and overhead of maintaining an in-house public key infrastructure (PKI) to issue smart cards or the burden of managing add-on devices exceeds the value they perceive in having stronger authentication. This is a special case of the common problem that financial institutions face: if the cost of fraud reduction is higher than the cost of the fraud itself, it’s hard to justify the economics of better fraud-prevention measures. - -## Solve credential problems - -Solving the problems that passwords pose is tricky. Tightening password policies alone won’t do it: users may just recycle, share, or write down passwords. Although user education is critical for authentication security, education alone doesn’t eliminate the problem, either. - -As you’ve seen, additional authenticators won’t necessarily help if the new authentication systems add complexity, cost, or fragility. In Windows 10, Microsoft addresses these problems with two new technologies: Windows Hello and Microsoft Passport. 
Working together, these technologies help increase both security and user convenience: -- Microsoft Passport replaces passwords with strong two-factor authentication (2FA) by verifying existing credentials and by creating a device-specific credential that a user gesture (either biometric or PIN-based) protects. This combination effectively replaces physical and virtual smart cards as well as reusable passwords for logon and access control. -- Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ Microsoft Passport credentials. - -## What is Windows Hello? - -Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific Microsoft Passport credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services. - -The Windows Hello authenticator is known as a Hello. 
A Hello is unique to the combination of an individual device and a specific user; it doesn’t roam among devices, isn’t shared with a server, and cannot easily be extracted from a device. If multiple users share a device, each user gets a unique Hello for that device. You can think of a Hello as a token you can use to unlock (or release) a stored credential: the Hello itself doesn’t authenticate you to an app or service, but it releases credentials that can. - -At the launch of Windows 10, the operating system supported three Hello types: -- **PIN.** Before you can use Windows Hello to enable biometrics on a device, you must choose a PIN as your initial Hello gesture. After you’ve set a PIN, you can add biometric gestures if you want to. You can always use the PIN gesture to release your credentials, so you can still unlock and use your device even if you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. -- **Facial recognition.** This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition.** This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. -Biometric data used to implement these Hello gestures is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. 
Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. Breaches that expose biometrics collected and stored for other uses (such as fingerprints collected and stored for law enforcement or background check purposes) don’t pose a significant threat: an attacker who steals biometrics literally has only a template of the identifier, and that template cannot easily be converted to a form that the attacker can present to a biometric sensor. The data path for Windows Hello-compatible sensors is resistant to tampering, too, which further reduces the chance that an attacker will be able to successfully inject faked biometric data. In addition, before an attacker can even attempt to inject data into the sensor pipeline, that attacker must gain physical access to the device — and an attacker who can do that can mount several other, less difficult attacks. -Windows Hello offers several major benefits. First, when combined with Microsoft Passport, it effectively solves the problems of credential theft and sharing. Because an attacker must obtain both the device and the selected biometric, it is much more difficult to gain access without the user’s knowledge. Second, the use of biometrics means that users benefit from having a simple authenticator that’s always with them: there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for signing in to all their Windows devices. Finally, in many cases, there’s nothing additional to deploy or manage to use Windows Hello (although Microsoft Passport may require additional deployment, as described later in this guide). 
Windows Hello support is built directly into the operating system, and users or enterprises can add compatible biometric devices to provide biometric gesture recognition, either as part of a coordinated rollout or as individual users or groups decide to add the necessary sensors. Windows Hello is part of Windows, so no additional deployment is required to start using it. - -## What is Microsoft Passport? - -Windows Hello provides a robust way for a device to recognize an individual user; that addresses the first part of the path between a user and a requested service or data item. After the device has recognized the user, however, it still must authenticate the user before deciding whether to grant access to a requested resource. Microsoft Passport provides strong 2FA, fully integrated into Windows, that replaces reusable passwords with the combination of a specific device and a Hello or PIN. Microsoft Passport isn’t just a replacement for traditional 2FA systems, though. It’s conceptually similar to smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. Microsoft Passport doesn’t require the extra infrastructure components required for smart card deployment, either. In particular, you don’t need a PKI if you don’t currently have one. Microsoft Passport combines the major advantage of smart cards — deployment flexibility for virtual smart cards and robust security for physical smart cards — without any of their drawbacks. - -Microsoft Passport offers four significant advantages over the current state of Windows authentication: it’s more flexible, it’s based on industry standards, it’s an effective risk mitigator, and it’s ready for the enterprise. Let’s look at each of these advantages in more detail. - -**It’s flexible** - -Microsoft Passport offers unprecedented flexibility. 
Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. -Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). - -**It’s standardized** - -Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end. 
The future lies with open, interoperable systems that allow secure authentication across a variety of devices, LOBs, and external applications and websites. To this end, a group of industry players formed the Fast IDentity Online Alliance (FIDO), a nonprofit organization intended to address the lack of interoperability among strong authentication devices as well as the problems users face when they have to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. For more information, see the [FIDO Alliance website](https://go.microsoft.com/fwlink/p/?LinkId=627393). - -In 2013, Microsoft joined the FIDO Alliance. FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong passwordless authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: passwordless (known as the Universal Authentication Framework \[UAF\]) and 2nd Factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals to combine the best parts of the U2F and UAF FIDO 1.0 standards. Microsoft is actively contributing to the proposals, and Windows 10 is a reference implementation of these concepts. 
In addition to supporting those protocols, the Windows implementation covers other aspects of the end-to-end experience that the specification does not cover, including user interface to, storage of, and protection for users’ device keys and the tokens issued after authentication; supporting administrator policies; and providing deployment tools. Microsoft expects to continue working with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. - -**It’s effective** - -Microsoft Passport effectively mitigates two major security risks. First, by eliminating the use of reusable passwords for logon, it reduces the risk that a user’s credential will be copied or reused. On devices that support the Trusted Platform Module (TPM) standard, user key material can be stored in the user device’s TPM, which makes it more difficult for an attacker to capture the key material and reuse it. For devices that lack TPM, Microsoft Passport can encrypt and store credential data in software, but administrators can disable this feature to force a “TPM or nothing” deployment. -Second, because Microsoft Passport doesn’t depend on a single, centralized server, the risk of compromise from a breach of that server is removed. Although an attacker could theoretically compromise a single device, there’s no single point of attack that an intruder can leverage to gain widespread access to the environment. - -**It’s enterprise-ready** - -Every edition of Windows 10 includes Microsoft Passport functionality for individual use; enterprise and personal users can take advantage of Microsoft Passport to protect their individual credentials with compatible applications and services. 
In addition, enterprises whose users are running Windows 10 Professional and Windows 10 Enterprise have the ability to use Microsoft Passport for Work, an enhanced version of Microsoft Passport that includes the ability to centrally manage Microsoft Passport settings for PIN strength and biometric use through Group Policy Objects (GPOs). - -## How Microsoft Passport works - -To use Microsoft Passport to sign in with an identity provider (IDP), a user needs a configured device, which means that the Microsoft Passport life cycle starts when you configure a device for Microsoft Passport use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. - -**Register a new user or device** - -A goal of Microsoft Passport is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Microsoft Passport as registration. -> **Note:**  This is separate from the organizational configuration required to use Microsoft Passport with Active Directory or Azure AD; that configuration is discussed later in this guide. This configuration must be completed before users can begin to register. -  -The registration process works like this: -1. The user configures an account on the device. - This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. 
Logging on with a Microsoft account on a Windows 10 device automatically sets up Microsoft Passport on the device; users don’t have to do anything extra to enable it. -2. To log on using that account, the user has to enter the existing credentials for it. - The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. -3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1). - The PIN will be associated with this particular credential. - - ![figure 1](images/passport-fig1.png) - - Figure 1. Set up a PIN in the **Account Settings** control panel item - - When the user sets the PIN, it becomes usable immediately (Figure 2). - - ![figure 2](images/passport-fig2-pinimmeduse.png) - - Figure 2. When set, the PIN is immediately usable - -Remember that Microsoft Passport depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Microsoft Passport supports are: - -- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. 
-- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. - -When the user has completed this process, Microsoft Passport generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Microsoft Passport also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. - -At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures. 
- -**What’s a container?** - -You’ll often hear the term *container* used in reference to MDM solutions. Microsoft Passport uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account. - -The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website. -These containers are logically separate. Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Microsoft Passport application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Microsoft Passport. - -It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. 
The keys, certificates, and credentials Microsoft Passport stores are protected without the creation of actual containers or folders. - -Each container actually contains a set of keys, some of which are used to protect other keys. Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. - -![figure 3](images/passport-fig3-logicalcontainer.png) - -Figure 3. Each logical container holds one or more sets of keys - -Containers can contain several types of key material: - -- An *authentication key*, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. -- *Virtual smart card keys* are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- *Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates*, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Microsoft Passport container so they’re available to the user whenever the container is unlocked. -- The *IDP key*. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. 
For certificate-based Microsoft Passport for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key. -Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: -- The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://go.microsoft.com/fwlink/p/?LinkId=733947). In this case, Microsoft Passport requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Microsoft Passport in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. -- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Microsoft Passport in environments that don’t have or need a PKI. - -**How keys are protected** - -Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. 
There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Microsoft Passport for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Microsoft Passport and Microsoft Passport for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. - -Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. - -**Authentication** - -When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. 
On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. -This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. - -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Microsoft Passport layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. - -The actual authentication process works like this: - -1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) -2. The IDP returns a challenge, known as a *nonce*. -3. The device signs the nonce with the appropriate private key. -4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. -5. 
The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. -6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. -7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. -8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. - -When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. - -Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click **other user** on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. 
All this happens without typing a password anywhere or typing your PIN on the PC. - -**The infrastructure** - -Microsoft Passport depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: -- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. You can use NDES to register devices directly, Microsoft System Center Configuration Manager Technical Preview or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Microsoft Passport. -- You can configure Windows Server 2016 Technical Preview domain controllers to act as IDPs for Microsoft Passport. In this mode, the Windows Server 2016 Technical Preview domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 Technical Preview domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview. -- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Microsoft Passport IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 Technical Preview domain controllers required. -- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. 
Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. -In addition to the IDP, Microsoft Passport requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the [Deployment requirements](#deployreq) section of this document. - -## Design a Microsoft Passport for Work deployment - -Microsoft Passport for Work is designed for integration with your existing and future directory infrastructure and device deployments, but this flexibility means there are many considerations to think about when you design your deployment. Some of these decisions are technical, while others are organizational or even political. In this section, we examine the key points where you have to make decisions about how to implement Microsoft Passport for Work. Remember, individual devices can use the individual version of Microsoft Passport without any infrastructure changes on your part. Microsoft Passport for Work allows you to control and centrally manage user authentication and device registration. To use the initial version of Microsoft Passport for Work, each device must have an Azure AD identity, so automatic registration of devices provides a means both to register new devices and to apply optional policies to manage Microsoft Passport for Work. - -**One deployment strategy** - -Different organizations will necessarily take different approaches to the deployment of Microsoft Passport depending on their capabilities and needs, but there is only one strategy: deploy Microsoft Passport for Work throughout the organization to get maximum protection for the maximum number of devices and resources. 
Organizations can take one of three basic routes to accomplish that strategy: - -- Deploy Microsoft Passport for Work everywhere according to whatever device or user deployment strategy works best for the organization. -- Deploy Microsoft Passport for Work first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials. -- Blend Microsoft Passport for Work into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards. - -**Deploy Microsoft Passport for Work everywhere** - -In this approach, you deploy Microsoft Passport throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Microsoft Passport infrastructure in place to support device registration before you can start using Microsoft Passport on Windows 10 devices. - -> **Note:**  You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Microsoft Passport for Work on a device until the device joins Azure AD and receives the appropriate policy. -  -The major benefit of this approach is that it provides uniform protection for all parts of the organization. Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks. - -The downside to this approach is its complexity. 
Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint. - -For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=626581). - -One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated. - -In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) you’ll deploy biometric devices to users. 
Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor. - -**Deploy to high-value or high-risk targets** - -This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Microsoft Passport to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Microsoft Passport–secured access to that database for those users. - -One of the key design capabilities of Microsoft Passport for Work is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Microsoft Passport to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets. 
- -**Blend Microsoft Passport with your infrastructure** - -Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Microsoft Passport. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Microsoft Passport offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment. -Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Microsoft Passport in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Microsoft Passport and use Microsoft Passport to secure access to network and Internet resources. This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Microsoft Passport itself. - -Smart cards can act as a useful complement to Microsoft Passport in another important way: to bootstrap the initial logon for Microsoft Passport registration. When a user registers with Microsoft Passport on a device, part of that registration process requires a conventional logon. 
Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Microsoft Passport for future logons. - -**Choose a rollout method** - -Which rollout method you choose depends on several factors: - -- **How many devices you need to deploy.** This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. -- **How quickly you want to deploy Microsoft Passport for Work protection.** This is a classic cost–benefit tradeoff. You have to balance the security benefits of Microsoft Passport for Work against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Microsoft Passport coverage in the shortest time possible maximizes security benefits. -- **The type of devices you want to deploy.** Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Microsoft Passport first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. -- **What your current infrastructure looks like.** The individual version of Microsoft Passport doesn’t require changes to your Active Directory environment, but to support Microsoft Passport for Work, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. 
-- **Your plans for the cloud.** If you’re already planning a move to the cloud, Azure AD eases the process of Microsoft Passport for Work deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Microsoft Passport for Work will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Microsoft Passport for Work from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Microsoft Passport for Work services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. - -### - -**Deployment requirements** - -Table 1 lists six scenarios for deployment of Microsoft Passport for Work in the enterprise. The initial release of Windows 10 supports Azure AD–only scenarios, with support for on-premises Microsoft Passport for Work planned for a future release (see the [Roadmap](#roadmap) section for more details). - -Depending on the scenario you choose, Microsoft Passport for Work deployment may require four elements: - -- An organizational IDP that supports Microsoft Passport. This can be Azure AD or a set of on-premises Windows Server 2016 Technical Preview domain controllers in an existing AD DS forest. Using Azure AD means that you can establish hybrid identity management, with Azure AD acting as a Microsoft Passport IDP and your on-premises AD DS environment handling older authentication requests. 
This approach provides all the flexibility of Azure AD with the ability to manage computer accounts and devices running older versions of Windows and on-premises applications such as Microsoft Exchange Server or Microsoft SharePoint. -- If you use certificates, an MDM system is required to allow policy management of Microsoft Passport for Work. Domain-joined devices in on-premises or hybrid deployments require Configuration Manager Technical Preview or later. Deployments with Azure AD must use either Intune or a compatible non-Microsoft MDM solution. -- On-premises deployments require the forthcoming Active Directory Federation Services (AD FS) version included in Windows Server 2016 Technical Preview to support provisioning of Microsoft Passport credentials to devices. In this scenario, AD FS takes the place of the provisioning that Azure AD performs in cloud-based deployments. -- Certificate-based Microsoft Passport deployments require a PKI, including CAs that are accessible to all devices that need to register. If you deploy certificate-based Microsoft Passport on premises, you don’t actually need Windows Server 2016 Technical Preview domain controllers. On-premises deployments do need to apply the Windows Server 2016 Technical Preview AD DS schema and have the Windows Server 2016 Technical Preview version of AD FS installed. -Table 1. Deployment requirements for Microsoft Passport - -
------ - - - - - - - - - - - - - - - - - - - -
Microsoft Passport methodAzure ADHybrid Active Directory
Key-based

Azure AD subscription

    -
  • Azure AD subscription
  • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • -
  • A few Windows Server 2016 Technical Preview domain controllers on-site
  • -
  • A management solution, such as Configuration Manager, Group Policy, or MDM
  • -
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
  • -
Certificate-based

Azure AD subscription

-

PKI infrastructure

-

Intune

    -
  • Azure AD subscription
  • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • -
  • AD CS with NDES
  • -
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • -
-  -Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities. - -**Select policy settings** - -Another key aspect of Microsoft Passport for Work deployment involves the choice of which policy settings to apply to the enterprise. There are two parts to this choice: which policies you deploy to manage Microsoft Passport itself and which policies you deploy to control device management and registration. A complete guide to selecting effective policies is beyond the scope of this guide, but one example reference that may be useful is [Mobile device management capabilities in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733877). - -## Implement Microsoft Passport - -No configuration is necessary to use Windows Hello or Microsoft Passport on individual user devices if those users just want to protect their personal credentials. Unless the enterprise disables the feature, users have the option to use Microsoft Passport for their personal credentials, even on devices that are registered with an organizational IDP. However, when you make Microsoft Passport for Work available for users, you must add the necessary components to your infrastructure, as described earlier in the [Deployment requirements](#deployreq) section. - -**How to use Azure AD** - -There are three scenarios for using Microsoft Passport for Work in Azure AD–only organizations: -- **Organizations that use the version of Azure AD included with Office 365.** For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. 
When a user selects the option to join a work or school network (Figure 4), the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. -- **Organizations that use the free tier of Azure AD.** For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the **Connect to work or school** dialog box shown in Figure 4 will be automatically registered with Microsoft Passport for Work support, but previously joined devices will not be registered. -- **Organizations that have subscribed to Azure AD Premium have access to the full set of Azure AD MDM features.** These features include controls to manage Microsoft Passport for Work. You can set policies to disable or force the use of Microsoft Passport for Work, require the use of a TPM, and control the length and strength of PINs set on the device. - - ![figure 4](images/passport-fig4-join.png) - - Figure 4: Joining an Office 365 organization automatically registers the device in Azure AD - -**Enable device registration** - -If you want to use Microsoft Passport at Work with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. 
This is a prerequisite step to use Microsoft Passport for Work with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. -**Set Microsoft Passport policies** - -As of the initial release of Windows 10, you can control the following settings for the use of Microsoft Passport for Work: -- You can require that Microsoft Passport be available only on devices that have TPM security hardware, which means the device uses TPM 1.2 or TPM 2.0. -- You can enable Microsoft Passport with a hardware-preferred option, which means that keys will be generated on TPM 1.2 or TPM 2.0 when available and by software when TPM is not available. -- You can configure whether certificate-based Microsoft Passport is available to users. You do this as part of the device deployment process, not through a separately applied policy. -- You can define the complexity and length of the PIN that users generate at registration. -- You can control whether Windows Hello use is enabled in your organization. - -These settings can be implemented through GPOs or through configuration service providers (CSPs) in MDM systems, so you have a familiar and flexible set of tools you can use to apply them to exactly the users you want. (For details about the Microsoft Passport for Work CSP, see [PassportForWork CSP)](https://go.microsoft.com/fwlink/p/?LinkId=733876). - -## Roadmap - -The speed at which Universal Windows apps and services evolve means that the traditional design-build-test-release cycle for Windows is too slow to meet customers’ needs. As part of the release of Windows 10, Microsoft is changing how it engineers, tests, and distributes Windows. Rather than large, monolithic releases every 3–5 years, the Windows engineering team is committed to smaller, more frequent releases to get new features and services into the marketplace more rapidly without sacrificing security, quality, or usability. 
This model has worked well in Office 365 and the Xbox ecosystem. - -In the Windows 10 initial release, Microsoft supports the following Microsoft Passport and Windows Hello features: - -- Biometric authentication, with fingerprint readers that use the Windows fingerprint reader framework -- Facial-recognition capability on devices that have compatible IR-capable cameras -- Microsoft Passport for personal credentials on individually owned and corporate-managed devices -- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments -- Group Policy settings to control Microsoft Passport PIN length and complexity - -In future releases of Windows 10, we plan to add support for additional features: -- Additional biometric identifier types, including iris recognition -- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments -- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates -- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake) -- Group Policy and MDM settings to control Microsoft Passport PIN length and complexity - -In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features: - -- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments - -- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates - -In future releases of Windows 10, we plan to add support for additional features: - -- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments - -- TPM attestation to protect keys so that a malicious user or program can’t create keys in 
software (because those keys won’t be TPM attested and can thus be identified as fake) - -In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers. -  -  From 3302bf396ae878d5c632d4557b4190fa98d1def8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 11:41:17 -0800 Subject: [PATCH 022/115] fix typo --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 30de1e7cdb..f144437a78 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -19,7 +19,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | -| Microsoft Passport guide | Content merged into [MWindows Hello for Business](hello-identity-verification.md) topics | +| Microsoft Passport guide | Content merged into [Windows Hello for Business](hello-identity-verification.md) topics | ## December 2016 |New or changed topic |Description | 
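Review bot: the Roadmap section of the new hello-implement-in-organization.md contradicts itself: the first "In future releases of Windows 10, we plan to add support for additional features" list names key-based Microsoft Passport for Work credentials for hybrid on-premises/Azure AD deployments and certificates issued by a trusted PKI, which the "In the November 2015 release, Microsoft supports" list immediately below already states as shipped, and the "TPM attestation to protect keys" bullet appears verbatim in both future lists. Collapse the two future lists into one that carries only what the November 2015 release does not cover. Two smaller points in the same hunk: the link text `[PassportForWork CSP)](https://go.microsoft.com/fwlink/p/?LinkId=733876)` has a stray `)` inside the brackets, and the "Enable device registration" paragraph says "Microsoft Passport at Work" where the rest of the topic says "Microsoft Passport for Work".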
From 440dcd11a3f559dd3427195396f8a20674bfb74e Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 12:03:12 -0800 Subject: [PATCH 023/115] remove head --- windows/keep-secure/index.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index f258d43aa8..5a4205583a 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md 
@@ -29,13 +29,8 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | | [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | -<<<<<<< HEAD -| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard and Device Guard. This section offers technology overviews and step-by-step guides. | -======= | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. For example, learn about AppLocker, BitLocker, and Security auditing. | | [Enterprise security guides](windows-10-enterprise-security-guides.md) | Review technology overviews that help you understand Windows 10 security technologies in the context of the enterprise. | ->>>>>>> refs/remotes/origin/master | [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |   ## Related topics From 6ca3447688dd0cd14343010aa1ea837870fd1c73 Mon Sep 17 00:00:00 2001 
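Review bot: the conflict is resolved in favour of the `refs/remotes/origin/master` rows, which is the right choice here because those rows carry the newer descriptions (the AppLocker, BitLocker and Security auditing examples and the "technology overviews" wording), but the commit message "remove head" should say that a committed merge conflict in index.md was resolved, and since this marker made it into the branch it is worth checking the rest of the branch for remaining `<<<<<<<` / `=======` / `>>>>>>>` markers before publishing.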
From: jdeckerMS Date: Mon, 23 Jan 2017 12:32:14 -0800 Subject: [PATCH 024/115] format --- windows/keep-secure/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 5a4205583a..c730d90f2d 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md 
@@ -15,7 +15,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. ## In this section | Topic | Description | -| - | - | +| --- | --- | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | | [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Windows Hello for Business](hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | From 0dbce4ce5c3c5af2e02a5dac0483bcfb17da9e17 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 12:37:09 -0800 Subject: [PATCH 025/115] fix description --- windows/keep-secure/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index a76b8219ff..cd1b5984c1 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business (Windows 10) -description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. +description: IWindows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 From 0bc7602df81da4e333b0cf4909c26ed5bc5755a8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 12:37:44 -0800 Subject: [PATCH 026/115] fix heading --- windows/keep-secure/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index cd1b5984c1..73b4d394ce 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md 
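Review bot: the replacement line introduces a typo: `+description: IWindows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.` should read `description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.` Because this commit is titled "fix description" and the field is page metadata (search snippet and index text), the stray `I` will ship unless it is corrected in this hunk.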
@@ -37,7 +37,7 @@ After an initial two-step verification of the user during enrollment, Windows He As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. - ## Biometric sign-in +## Biometric sign-in Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. From 5dc8876b90b79a369b50fde194a1e652a1ee3d5f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 12:51:41 -0800 Subject: [PATCH 027/115] clear redirect files --- .../enable-phone-signin-to-pc-and-vpn.md | 71 ------ ...microsoft-passport-and-password-changes.md | 41 ---- ...oft-passport-errors-during-pin-creation.md | 224 ------------------ windows/keep-secure/passport-event-300.md | 39 --- ...repare-people-to-use-microsoft-passport.md | 99 -------- .../why-a-pin-is-better-than-a-password.md | 61 ----- .../windows-hello-in-enterprise.md | 77 ------ 7 files changed, 612 deletions(-) diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md index 064dd48a63..b3077d445a 100644 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md 
@@ -17,74 +17,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell - Windows 10 - Windows 10 Mobile -In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. - -![Sign in to a device](images/phone-signin-menu.png) - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. - - ## Prerequisites - - - Both phone and PC must be running Windows 10, version 1607. - - The PC must be running Windows 10 Pro, Enterprise, or Education - - Both phone and PC must have Bluetooth. - - The **Microsoft Authenticator** app must be installed on the phone. - - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. - - The phone must be joined to Azure AD or have a work account added. - - The VPN configuration profile must use certificate-based authentication. - -## Set policies - -To enable phone sign-in, you must enable the following policies using Group Policy or MDM. 
- -- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** - - Enable **Use Windows Hello for Business** - - Enable **Phone Sign-in** -- MDM: - - Set **UsePassportForWork** to **True** - - Set **Remote\UseRemotePassport** to **True** - -## Configure VPN - -To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: - -- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. -- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. - -## Get the app - -If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). 
- -[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) - - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - - -  - -  - - - - - diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 3fa30f4786..fffa48b90f 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md 
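Review bot: the body removed here still linked to `prepare-people-to-use-microsoft-passport.md#bmk-remote` and to the other `*microsoft-passport*.md` topics, all of which are emptied in this same commit, so the only thing keeping readers on a working page is the `redirect_url` in the front matter; confirm that the target topic carries the `bmk-remote` anchor and the Prerequisites, Set policies and Configure VPN content (the EAP-TLS `EKU`/`Issuer` filtering note for the Remote NGC certificate and the MDM `UsePassportForWork` / `Remote\UseRemotePassport` settings in particular), otherwise that configuration guidance is lost with this deletion.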
@@ -11,44 +11,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell --- # Windows Hello and password changes -**Applies to** -- Windows 10 -- Windows 10 Mobile - -When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. - -## Example - -Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. -Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. - -Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. -> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md). -  -## How to update Hello after you change your password on another device - -1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** -2. Click **OK.** -3. Click **Sign-in options**. -4. Click the **Password** button. -5. Sign in with new password. -6. 
The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 61f8335040..aa890d3cd9 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md 
@@ -13,227 +13,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell # Windows Hello errors during PIN creation -**Applies to** -- Windows 10 -- Windows 10 Mobile - -When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. - -## Where is the error code? - -The following image shows an example of an error during **Create a PIN**. - -![](images/pinerror.png) - -## Error mitigations - -When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. -1. Try to create the PIN again. Some errors are transient and resolve themselves. -2. Sign out, sign in, and try to create the PIN again. -3. Reboot the device and then try to create the PIN again. -4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697). -5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697). -If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. 
HexCauseMitigation
0x801C044DAuthorization token does not contain device IDUnjoin the device from Azure AD and rejoin
0x80090036User cancelled an interactive dialogUser will be asked to try again
0x80090011The container or key was not foundUnjoin the device from Azure AD and rejoin
0x8009000FThe container or key already existsUnjoin the device from Azure AD and rejoin
0x8009002ANTE_NO_MEMORYClose programs which are taking up memory and try again.
0x80090005NTE_BAD_DATAUnjoin the device from Azure AD and rejoin
0x80090029TPM is not set up.Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**.
0x80090031NTE_AUTHENTICATION_IGNOREDReboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)
0x80090035Policy requires TPM and the device does not have TPM.Change the Passport policy to not require a TPM.
0x801C0003User is not authorized to enrollCheck if the user has permission to perform the operation​.
0x801C000ERegistration quota reached

Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933).

0x801C000FOperation successful but the device requires a rebootReboot the device.
0x801C0010The AIK certificate is not valid or trustedSign out and then sign in again.
0x801C0011The attestation statement of the transport key is invalidSign out and then sign in again.
0x801C0012Discovery request is not in a valid formatSign out and then sign in again.
0x801C0015The device is required to be joined to an Active Directory domain​Join the device to an Active Directory domain.
0x801C0016The federation provider configuration is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
0x801C0017​The federation provider domain is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
0x801C0018The federation provider client configuration URL is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
0x801C03E9Server response message is invalidSign out and then sign in again.
0x801C03EAServer failed to authorize user or device.Check if the token is valid and user has permission to register Passport keys.
0x801C03EBServer response http status is not validSign out and then sign in again.
0x801C03ECUnhandled exception from server.sign out and then sign in again.
0x801C03ED

Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

-

-or-

-

Token was not found in the Authorization header

-

-or-

-

Failed to read one or more objects

-

-or-

The request sent to the server was invalid.

Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
0x801C03EEAttestation failedSign out and then sign in again.
0x801C03EFThe AIK certificate is no longer validSign out and then sign in again.
​0x801C044DUnable to obtain user tokenSign out and then sign in again. Check network and credentials.
0x801C044EFailed to receive user creds inputSign out and then sign in again.
-  -## Errors with unknown mitigation -For errors listed in this table, contact Microsoft Support for assistance. - -| Hex | Cause | -|-------------|-------------------------------------------------------------------------------------------------------| -| 0x80072f0c | Unknown | -| 0x80070057 | Invalid parameter or argument is passed | -| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | -| 0x8009002D | NTE\_INTERNAL\_ERROR | -| 0x80090020 | NTE\_FAIL | -| 0x801C0001 | ​ADRS server response is not in valid format | -| 0x801C0002 | Server failed to authenticate the user | -| 0x801C0006 | Unhandled exception from server | -| 0x801C000C | Discovery failed | -| 0x801C001B | ​The device certificate is not found | -| 0x801C000B | Redirection is needed and redirected location is not a well known server | -| 0x801C0019 | ​The federation provider client configuration is empty | -| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | -| 0x801C0013 | Tenant ID is not found in the token | -| 0x801C0014 | User SID is not found in the token | -| 0x801C03F1 | There is no UPN in the token | -| 0x801C03F0 | ​There is no key registered for the user | -| 0x801C03F1 | ​There is no UPN in the token | -| ​0x801C044C | There is no core window for the current thread | -  - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Event ID 300 - Windows Hello 
successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 80298cf4fe..f516f124d0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md 
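Review bot: the deleted "Errors with unknown mitigation" table lists `0x801C03F1 | There is no UPN in the token` twice, and `0x801C044D` appears in the mitigation table both as "Authorization token does not contain device ID" (mitigation: unjoin and rejoin) and as "Unable to obtain user token" (mitigation: sign out and in, check network and credentials); if these tables were carried over to the replacement topic as-is, drop the duplicate `0x801C03F1` row and reconcile the two `0x801C044D` entries to one cause and one mitigation before the redirect goes live. The mitigation table was also an HTML table (the `0x801C03ED` row with its several "-or-" alternatives shows how fragile that is); the markdown table style used for the unknown-mitigation table would be the better choice in the new topic.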
@@ -13,42 +13,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell # Event ID 300 - Windows Hello successfully created -**Applies to** -- Windows 10 -- Windows 10 Mobile - -This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. - -## Event details -| | | -|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Product:** | Windows 10 operating system | -| **ID:** | 300 | -| **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. -Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | -  -## Resolve - -This is a normal condition. No further action is required. 
- -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index cde8099b99..9594deccca 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md 
@@ -13,104 +13,5 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell # Prepare people to use Windows Hello -**Applies to** -- Windows 10 -- Windows 10 Mobile - -When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. - -After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. - -Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello. - -People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. - -## On devices owned by the organization - -When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. - -![who owns this pc](images/corpown.png) - -Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. - -![choose how you'll connect](images/connect.png) - -They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. - -After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. - -## On personal devices - -People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. 
The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. - -People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. - -## Using Windows Hello and biometrics - -If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. - -![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) - -## Use a phone to sign in to a PC or VPN - -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -**Prerequisites:** - -- Both phone and PC must be running Windows 10, version 1607. -- The PC must be running Windows 10 Pro, Enterprise, or Education -- Both phone and PC must have Bluetooth. -- The **Microsoft Authenticator** app must be installed on the phone. -- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. -- The phone must be joined to Azure AD or have a work account added. -- The VPN configuration profile must use certificate-based authentication. - -**Pair the PC and phone** - -1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. - - ![bluetooth pairing](images/btpair.png) - -2. 
On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. - - ![bluetooth pairing passcode](images/bt-passcode.png) - -3. On the PC, tap **Yes**. - -**Sign in to PC using the phone** - - -1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. - - ![select a device](images/phone-signin-device-select.png) -   -2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. - -**Connect to VPN** - -You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 5fccb990f7..1640262ffd 100644 
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md 
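Review bot: in the prepare-people-to-use-microsoft-passport.md hunk above, the removed phone sign-in steps contain `> **Note: **  The first time ...`, where the space before the closing `**` stops the bold from rendering, and "the person enters and confirms new PIN" is missing an article; if this text was moved to the renamed hello-*.md topic, fix both there. No `bmk-remote` anchor is visible in the removed lines, yet a later commit in this series links `hello-prepare-people-to-use.md#bmk-remote`, so confirm the anchor survived the move.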
@@ -13,64 +13,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell # Why a PIN is better than a password -**Applies to** -- Windows 10 -- Windows 10 Mobile - -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. - - -## PIN is tied to the device -One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! - -Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. - -## PIN is local to the device - -A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. -When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). 
-  -## PIN is backed by hardware - -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. - -User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. - -The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. - -## PIN can be complex - -The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. - -## What if someone steals the laptop or phone? - -To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. -You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. - -**Configure BitLocker without TPM** -1. 
Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - -2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** -3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect. -**Set account lockout threshold** -1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: - - **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold** - -2. Set the number of invalid logon attempts to allow, and then click OK. - -## Why do you need a PIN to use biometrics? -Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. - -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. - -## Related topics - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -  \ No newline at end of file diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 09380ebe1f..379a453284 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md 
+++ b/windows/keep-secure/windows-hello-in-enterprise.md 
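Review bot: in the why-a-pin-is-better-than-a-password.md hunk above, the removed "Set account lockout threshold" step gives the Group Policy path as `**Windows Settings** ?**Security Settings**` with a `?` where the `>` separator belongs, and the removed text carries the typos "enablng" and "asymetric"; if this content moved to the renamed hello-*.md topic, correct all three there rather than preserving them in the new file.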
@@ -12,80 +12,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell --- # Windows Hello biometrics in the enterprise -**Applies to:** - -- Windows 10 - -Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. - -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. - -##How does Windows Hello work? -Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. - -The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. - -## Why should I let my employees use Windows Hello? 
-Windows Hello provides many benefits, including: - -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. - -- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! - -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic. - -## Where is Microsoft Hello data stored? -The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. - -## Has Microsoft set any device requirements for Windows Hello? -We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: - -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. - -- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. - -### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. 
Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional). - -**Acceptable performance range for small to large size touch sensors** - -- False Accept Rate (FAR): <0.001 – 0.002% - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -**Acceptable performance range for swipe sensors** - -- False Accept Rate (FAR): <0.002% - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -### Facial recognition sensors -To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). 
- -- False Accept Rate (FAR): <0.001 - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -## Related topics -- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) -- [Microsoft Passport guide](microsoft-passport-guide.md) -- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md) -- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219) - -  - -  - - - - - From fe36d0ca49f78254672d2ef243d653ae7747888f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 13:00:00 -0800 Subject: [PATCH 028/115] fix links --- .../keep-secure/hello-enable-phone-signin.md | 2 +- .../hello-identity-verification.md | 2 +- .../hello-manage-in-organization.md | 6 +- ...microsoft-passport-in-your-organization.md | 362 ------------------ 4 files changed, 5 insertions(+), 367 deletions(-) diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md index f9e44256fd..c77dfeeaf1 100644 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ b/windows/keep-secure/hello-enable-phone-signin.md @@ -58,7 +58,7 @@ To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). -[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) +[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote) ## Related topics 
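Review bot: in the windows-hello-in-enterprise.md hunk above, the removed facial recognition requirement states the False Accept Rate as `<0.001` without the `%` unit the fingerprint ranges use (`<0.001 – 0.002%`), the heading `##How does Windows Hello work?` lacks the space after `##` and so would not render as a heading, and "Where is Microsoft Hello data stored?" should read "Windows Hello"; if this content was moved to the renamed hello-*.md biometrics topic, fix all three there.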
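Review bot: in the hello-enable-phone-signin.md hunk, the new link target `hello-prepare-people-to-use.md#bmk-remote` keeps the `#bmk-remote` fragment from the old link; a fragment that no longer exists fails silently (the page loads scrolled to the top), so verify that the renamed topic still defines that anchor before merging.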
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index 73b4d394ce..06c9fc138d 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md 
@@ -59,7 +59,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. -You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. +You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. 
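Review bot: the corrected link points to `hello-why-pin-is-better-than-a-password.md`; confirm a file with exactly that name exists on the branch, because the rename series shortens topic names (for example `hello-prepare-people-to-use.md` in the previous hunk) and a one-word difference such as `than-password` versus `than-a-password` produces a broken link that is easy to miss in review. Listing `windows/keep-secure/hello-why-pin*` on the branch settles it.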
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md index 87c3225316..f2a43b7df1 100644 --- a/windows/keep-secure/hello-manage-in-organization.md +++ b/windows/keep-secure/hello-manage-in-organization.md @@ -131,7 +131,7 @@ The following table lists the Group Policy settings that you can configure for W -Phone Sign-in +Phone Sign-in

Use Phone Sign-in

Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
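Review bot: the `-Phone Sign-in` / `+Phone Sign-in` pair at the top of this hunk shows no visible difference, so the change must be in surrounding HTML markup (a tag or attribute) that the rendered diff does not surface; state what was changed in the commit message, since "fix links" does not describe it and a later reader cannot tell whether the edit was intentional.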
@@ -289,8 +289,8 @@ The following table lists the MDM policy settings that you can configure for Win Device or user False -

True: Phone sign-in is enabled.

-

False: Phone sign-in is disabled.

+

True: Phone sign-in is enabled.

+

False: Phone sign-in is disabled.

diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 67bda0eb2f..20c4be5a7e 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -17,365 +17,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell - Windows 10 - Windows 10 Mobile -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. - ->[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, version 1607. -> ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/). -> ->Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. -  -## Group Policy settings for Windows Hello for Business - -The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. Be aware that not all settings are in both places. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyOptions
Use Windows Hello for Business -

Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

-

Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

-

Disabled: Device does not provision Windows Hello for Business for any user.

-
Use a hardware security device -

Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-

Enabled: Windows Hello for Business will only be provisioned using TPM.

-

Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-
Use biometrics -

Not configured: Biometrics can be used as a gesture in place of a PIN.

-

Enabled: Biometrics can be used as a gesture in place of a PIN.

-

Disabled: Only a PIN can be used as a gesture.

-
PIN ComplexityRequire digits -

Not configured: Users must include a digit in their PIN.

-

Enabled: Users must include a digit in their PIN.

-

Disabled: Users cannot use digits in their PIN.

-
Require lowercase letters -

Not configured: Users cannot use lowercase letters in their PIN.

-

Enabled: Users must include at least one lowercase letter in their PIN.

-

Disabled: Users cannot use lowercase letters in their PIN.

-
Maximum PIN length -

Not configured: PIN length must be less than or equal to 127.

-

Enabled: PIN length must be less than or equal to the number you specify.

-

Disabled: PIN length must be less than or equal to 127.

-
Minimum PIN length -

Not configured: PIN length must be greater than or equal to 4.

-

Enabled: PIN length must be greater than or equal to the number you specify.

-

Disabled: PIN length must be greater than or equal to 4.

-
Expiration -

Not configured: PIN does not expire.

-

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

-

Disabled: PIN does not expire.

-
History -

Not configured: Previous PINs are not stored.

-

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

-

Disabled: Previous PINs are not stored.

-
Note  Current PIN is included in PIN history.
-
 
-
Require special characters -

Not configured: Users cannot include a special character in their PIN.

-

Enabled: Users must include at least one special character in their PIN.

-

Disabled: Users cannot include a special character in their PIN.

-
Require uppercase letters -

Not configured: Users cannot include an uppercase letter in their PIN.

-

Enabled: Users must include at least one uppercase letter in their PIN.

-

Disabled: Users cannot include an uppercase letter in their PIN.

-
Phone Sign-in -

Use Phone Sign-in

-
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
 
-
-

Not configured: Phone sign-in is disabled.

-

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

-

Disabled: Phone sign-in is disabled.

-
- -## MDM policy settings for Windows Hello for Business - -The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070). - ->[!IMPORTANT] ->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyScopeDefaultOptions
UsePassportForWorkDeviceTrue -

True: Windows Hello for Business will be provisioned for all users on the device.

-

False: Users will not be able to provision Windows Hello for Business.

-
Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
-
 
-
RequireSecurityDeviceDeviceFalse -

True: Windows Hello for Business will only be provisioned using TPM.

-

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

-
Biometrics -

UseBiometrics

-
Device False -

True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

-

False: Only a PIN can be used as a gesture for domain sign-in.

-
-

FacialFeaturesUser

-

EnhancedAntiSpoofing

-
DeviceNot configured -

Not configured: users can choose whether to turn on enhanced anti-spoofing.

-

True: Enhanced anti-spoofing is required on devices which support it.

-

False: Users cannot turn on enhanced anti-spoofing.

-
PINComplexity
Digits Device or user2 -

1: Numbers are not allowed.

-

2: At least one number is required.

-
Lowercase letters Device or user1 -

1: Lowercase letters are not allowed.

-

2: At least one lowercase letter is required.

-
Maximum PIN length Device or user127 -

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.

-
Minimum PIN lengthDevice or user4 -

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.

-
Expiration Device or user0 -

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. -

-
HistoryDevice or user0 -

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. -

-
Special charactersDevice or user1 -

1: Special characters are not allowed.

-

2: At least one special character is required.

-
Uppercase lettersDevice or user1 -

1: Uppercase letters are not allowed.

-

2: At least one uppercase letter is required

-
Remote -

UseRemotePassport

-
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
 
-
Device or userFalse -

True: Phone sign-in is enabled.

-

False: Phone sign-in is disabled.

-
- ->[!NOTE]   -> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. -  -## Prerequisites - -To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. - -You’ll need this software to set Windows Hello for Business policies in your enterprise. - ------ - - - - - - - - - - - - - - - - - - - -
Windows Hello for Business modeAzure ADAzure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authentication[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
    -
  • [Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
  • -
  • [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/active-directory-aadconnect)
  • -
  • A few Windows Server 2016 domain controllers on-site
  • -
  • A management solution, such as [Configuration Manager](https://docs.microsoft.com/sccm/index), Group Policy, or MDM
  • -
  • [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) without Network Device Enrollment Service (NDES)
  • -
Certificate-based authentication
    -
  • [Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
  • -
  • Intune or non-Microsoft mobile device management (MDM) solution
  • -
  • [PKI infrastructure](https://msdn.microsoft.com/library/windows/desktop/bb427432(v=vs.85).aspx)
  • -
    -
  • [Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
  • -
  • [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/active-directory-aadconnect)
  • -
  • [AD CS](https://technet.microsoft.com/windowsserver/dd448615.aspx) with NDES
  • -
  • [Configuration Manager](https://docs.microsoft.com/sccm/index) for domain-joined certificate enrollment, or [InTune](https://docs.microsoft.com/intune/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune) for non-domain-joined devices, or a non-Microsoft MDM service that supports Hello for Business
  • -
-  -Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. - -[Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport) provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. - -[Learn more about enabling Windows Hello for Business in an Azure AD/AD hybrid environment.](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport-deployment) - - -## Windows Hello for BYOD - -Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources. - -The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](https://go.microsoft.com/fwlink/p/?LinkID=623244). 
- -## Related topics - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) - -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) - -[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) - -[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) - -[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) - -[Windows Hello and password changes](microsoft-passport-and-password-changes.md) - -[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) - -[Event ID 300 - Windows Hello successfully created](passport-event-300.md) - -[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  From fcb360b4c6f7d846edc62a30c8ae34efea4be0ae Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 13:06:03 -0800 Subject: [PATCH 029/115] sync --- windows/keep-secure/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index c730d90f2d..08a7f02fe1 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md 
@@ -17,7 +17,6 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | Topic | Description | | --- | --- | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | -| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Windows Hello for Business](hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. 
Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | From 143d5fea0060ee62d89f76523a496c9b2d98e3a5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 Jan 2017 13:12:54 -0800 Subject: [PATCH 030/115] fix links --- windows/keep-secure/hello-identity-verification.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index 06c9fc138d..0f73b11805 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md 
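Review bot: Deleting the "[Device Guard certification and compliance](device-guard-certification-and-compliance.md)" row leaves the index table with no link to that page; if the page still exists it is now unreachable from here, and if it was removed the other entries that point at it need the same treatment. The commit message "sync" does not say which case applies; state the reason for dropping the row in the message.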
@@ -59,7 +59,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. -You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. +You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. 
@@ -72,7 +72,7 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. -For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. +For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. > [!NOTE] >  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. From 28c6e773841219bf2b5bc30789ccddbc9cd61468 Mon Sep 17 00:00:00 2001 
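Review bot: The `+` line in this hunk carries the typo "Azure Active Directorye" over unchanged from the `-` line; since the line is being rewritten anyway for the link fix, correct it to "Azure Active Directory" in the same change. The new target `hello-prepare-people-to-use.md#bmk-remote` follows the same hello-* naming as the fix in the first hunk (`hello-why-pin-is-better-than-password.md`), so the link itself looks right.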
From: GITMichiko Date: Mon, 23 Jan 2017 16:43:49 -0800 Subject: [PATCH 031/115] Update credential-guard.md Update in Michiko to convert existing to Security considerations. --- windows/keep-secure/credential-guard.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 96afd50094..024e1817ce 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -48,17 +48,18 @@ To deploy Credential Guard, the computers you are protecting must meet certain b You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. -The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. +## Security considerations + +The following tables provide more information about the impact hardware, firmware, and software on protections used by Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] > For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. +### Baseline protection recommendations -## Credential Guard requirements for baseline protections - -|Baseline Protections - requirement | Description | +|Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).

**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | @@ -70,13 +71,9 @@ The following tables provide more information about the hardware, firmware, and > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. -## Credential Guard requirements for improved security +### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) -The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. - -### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) - -| Protections for Improved Security - requirement | Description | +| Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | @@ -84,12 +81,12 @@ The following tables describes additional hardware and firmware requirements, an
-### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016) +### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) > [!IMPORTANT] > The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. -| Protections for Improved Security - requirement | Description | +| Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | @@ -97,9 +94,9 @@ The following tables describes additional hardware and firmware requirements, an
-### 2017 Additional Qualification Requirements for Credential Guard (starting with the next major release of Windows 10) +### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) -| Protection for Improved Security - requirement | Description | +| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | From 3caad49c682bf76f47d95035cb1ad56980983452 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Mon, 23 Jan 2017 17:00:11 -0800 Subject: [PATCH 032/115] Update credential-guard.md Intro update --- windows/keep-secure/credential-guard.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 96afd50094..9490387f08 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
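Review bot: In the first hunk (@@ -48,17 +48,18 @@) the new sentence "The following tables provide more information about the impact hardware, firmware, and software on protections used by Credential Guard." is missing a preposition; it should read "the impact of hardware, firmware, and software on the protections used by Credential Guard". The new "## Security considerations" heading also sits directly above the unchanged note "Starting in Widows 10, 1607, TPM 2.0 is required.", whose "Widows" typo is worth fixing while this block is being edited.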
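Review bot: Retitling the sections from "Qualification Requirements" to "Security Recommendations" (second hunk, @@ -70,13 +71,9 @@, and the two heading renames that follow) is inconsistent with the text left around them: the [!IMPORTANT] note still says "The preceding table lists requirements for baseline protections. The following tables list requirements for improved security", and the table cells still open with "**Requirements**:" or "**Requirement**:". Either keep "requirements" in the headings or update the note and the cell labels, so a reader is not told in one place that a feature is required and in another that it is merely recommended.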
@@ -15,24 +15,23 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets & credentials stored by applications as domain credentials. -Credential Guard offers the following features and solutions: +By enabling Credential Guard the following features and solutions are provided: -- **Hardware security** Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization. -- **Virtualization-based security** Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. -- **Manageability** You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell. +- **Hardware security** NTLM, Kerberos and Credential Manager take advantage of platform security features including, Secure Boot and virtualization to protect credentials. +- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works -Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. 
+Kerberos, NTLM and Credential manager isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases. +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. 
It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or AAD users, secondary credentials should be provisioned for these use cases. -Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used. +When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption not only for signed-in credentials, but also prompted or saved credentials either. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: From 517d60ea67121c67a2eccf80685f5832a5386688 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Mon, 23 Jan 2017 17:37:28 -0800 Subject: [PATCH 033/115] Update credential-guard.md application draft --- windows/keep-secure/credential-guard.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 96afd50094..289fe1ab10 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
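Review bot: The rewritten feature list drops the "**Manageability**" bullet (Group Policy, WMI, command prompt, Windows PowerShell) with no replacement; if that was not intended, restore it, and if it was, the commit message "Intro update" should say so. Several new lines also need copy-editing: "Kerberos, NTLM and Credential manager isolates secrets" should be "isolate", with "Credential Manager" capitalized as in the bullets above; "including, Secure Boot and virtualization" has a stray comma; "with any of these protocol" should be "protocols"; and "does not allow unconstrained Kerberos delegation or DES encryption not only for signed-in credentials, but also prompted or saved credentials either" reads more clearly as "for signed-in, prompted, or saved credentials alike". The sentence about credentials "stored in the Windows Vault which are not protected by Credential Guard" is the security-relevant caveat of this section and should be split so it is unambiguous that the protocols can still use those unprotected credentials; and "Kerberos Ticket Granting Tickets & credentials" should use "and" like the rest of the page.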
@@ -48,6 +48,24 @@ To deploy Credential Guard, the computers you are protecting must meet certain b You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +### Application requirements + +When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. + +>[!WARNING] Enabling Credential Guard on Domain Controllers is not supported +> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled. Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database. + +Applications will break if they require: +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications will prompt & expose credentials to risk if they require: +- Digest authentication +- Credential delegation +- MS-CHAPv2 + The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] From d046dee742de0e60cc3a3c372b08ae03bda54467 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Mon, 23 Jan 2017 18:38:08 -0800 Subject: [PATCH 034/115] manage\waas-restart - Add section Add registry key summary --- windows/manage/waas-restart.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
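Review bot: Two problems in this hunk. First, the warning is written as ">[!WARNING] Enabling Credential Guard on Domain Controllers is not supported", with the text on the same line as the alert marker; the marker has to stand alone on its line (">[!WARNING]" followed by "> Enabling Credential Guard on Domain Controllers is not supported") or the block will not render as an alert. Second, this patch is cut against the same blob (index 96afd50094) as the two preceding credential-guard.md patches, and its trailing context line "The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard." was rewritten by PATCH 031, so applying the three in sequence will conflict; rebase this one onto the result of 031 and 032. Minor: "compatiblity" is misspelled and "prompt & expose" should use "and".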
diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index e8a8394d2d..d825aab900 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md @@ -65,11 +65,28 @@ In the Group Policy editor, you will see a number of policy settings that pertai | Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | >[!NOTE] ->If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>If you set conflicting restart policies, the actual restart behavior may not be what you expected. +## Summary: Registry keys used to manage restarts after updates +Below are quick-reference tables of the supported registry values, that correspond to group policy settings, used to manage restarts after updates in Windows 10. +**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** +| Registry key | Key type | Value | +| --- | --- | --- | +| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
1: enable automatic restart after updates outside of active hours | +**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** + +| Registry key | Key type | Value | +| --- | --- | --- | +| AlwaysAutoRebootAtScheduledTime | REG_DWORD | TBP | +| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | TBP | +| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | +| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | ## Related topics From 251607fb328c8ffda1250322ea82c6f2fd0314f7 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 24 Jan 2017 07:11:42 -0800 Subject: [PATCH 035/115] sync --- windows/keep-secure/hello-how-it-works.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index fa123026c4..970453d06a 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md 
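Review bot: the two `AlwaysAutoRebootAtScheduledTime*` rows ship with `TBP` as their value description, which reads as a to-be-provided placeholder; fill in the supported values before merge or leave the rows out until they are known. The first table, under `**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**`, has no blank line between the bold path line and the `| Registry key | Key type | Value |` header row, unlike the `\AU` table below it, and Markdown renderers that require a table to start after a blank line will print it as plain text. Smaller points on the same hunk: `instllation` in the `AUOptions` row; `0: disable do not reboot if users are logged on` in `NoAutoRebootWithLoggedOnUsers` is hard to parse and could be `0: reboot even if users are logged on`; `will automatically restarts in 5 minutes` should be `will automatically restart in 5 minutes`; and the `-`/`+` pair on `>If you set conflicting restart policies` looks like a whitespace-only change that can be dropped from the diff.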
@@ -29,13 +29,13 @@ A goal of Windows Hello is to allow a user to open a brand-new device, securely 2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. 3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately -Remember that Windows Hello depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: +The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: -- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. +- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. 
That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. - A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. - A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. -When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. +When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. 
It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. 
@@ -55,25 +55,24 @@ Containers can contain several types of key material: - An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Windows Hello container so they’re available to the user whenever the container is unlocked. - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. 
For enterprises, the IDP keys can be generated in two ways: - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. ## How keys are protected -Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. 
As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. 
## Authentication -When a user wants to access protected key material — perhaps to use an Internet site that requires a sign-in or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. This process unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. +When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. 
Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. -The actual authentication process works like this: +For example, the authentication process for Azure Active Directory works like this: 1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) 2. The IDP returns a challenge, known as a nonce. 
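Review bot: in the rewritten Authentication paragraph, `The user's PIN unlocks the protector key for the container on the device` contradicts the sentence two lines earlier, which says the user enters `a PIN or biometric gesture`, and the registration section states that each registered gesture has its own protector key; say `The user's PIN or biometric gesture unlocks the protector key` so the two sentences agree. Removing the `Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates` bullet also removes the only description of CA-issued certificates living in the container, while the unchanged enterprise bullet below still says `This option also allows the enterprise to store additional certificates in the protected container`; confirm the deletion is intended rather than a line lost in the sync.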
@@ -91,8 +90,7 @@ When the IDP validates the signature, it is verifying that the request came from Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: -- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. You can use NDES to register devices directly, Microsoft System Center Configuration Manager or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. -- You can configure Windows Server 2016 domain controllers to act as IDPs for Windows Hello. In this mode, the Windows Server 2016 domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview. +- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. - The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. 
The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. - Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. From 32e5530ecf8f5687a033374eea110df0b7a6bc2a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 24 Jan 2017 10:03:25 -0800 Subject: [PATCH 036/115] fix notes --- windows/keep-secure/hello-and-password-changes.md | 4 +++- windows/keep-secure/hello-biometrics-in-enterprise.md | 3 ++- windows/keep-secure/hello-event-300.md | 3 +-- windows/keep-secure/hello-how-it-works.md | 4 ++-- windows/keep-secure/hello-why-pin-is-better-than-password.md | 4 +++- 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index b25aacc596..b9937eeaa8 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md 
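Review bot: the unchanged intro line `As of this writing, that means you have four deployment possibilities` is now wrong, because deleting the Windows Server 2016 domain controller bullet leaves three, and the `- The normal discovery mechanism ...` bullet that follows still closes with `the number of Windows Server 2016 domain controllers required`, which refers to the option that was just removed. Either fix the count and rewrite that bullet so it stands on its own, or keep a shortened 2016 domain controller bullet. Also check that dropping `Microsoft System Center Configuration Manager or later for on-premises environments` from the PKI bullet is intentional: the unchanged paragraph at the end of the hunk still names `an on-premises System Center Configuration Manager deployment` as a supported MDM system.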
@@ -23,7 +23,9 @@ Let's suppose that you have set up a PIN for your Microsoft account on **Device Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. -> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md). + +>[!NOTE] +>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).   ## How to update Hello after you change your password on another device diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index e3d1f50764..162ff7d762 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md 
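Review bot: the converted note still links to `implement-microsoft-passport-in-your-organization.md`, the pre-rename file name, while the hello-how-it-works hunk in the same patch links to `hello-manage-in-organization.md`; verify that the target still exists after the rename to the hello-* file names, or point the note at the corresponding hello-* topic. The `> **Note:**` to `>[!NOTE]` conversion itself matches the other files in this patch.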
@@ -18,7 +18,8 @@ localizationpriority: high Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. -> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +>[!NOTE] +>When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index b6f75fd82b..ea19c3f794 100644 --- a/windows/keep-secure/hello-event-300.md +++ b/windows/keep-secure/hello-event-300.md 
@@ -26,8 +26,7 @@ This event is created when Windows Hello for Business is successfully created an | **ID:** | 300 | | **Source:** | Microsoft Azure Device Registration Service | | **Version:** | 10 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. -Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |   ## Resolve diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index 970453d06a..c9bce0ea90 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md 
@@ -14,11 +14,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -To use Windows Hello to sign in with an identity provider (IDP), a user needs a configured device, which means that the Windows Hello life cycle starts when you register a new user or device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. +TWindows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. ## Register a new user or device -A goal of Windows Hello is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. +A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. > [!NOTE] >This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). 
Organizational configuration must be completed before users can begin to register. diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index f228aa93c2..a7606f0264 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md @@ -30,7 +30,9 @@ Even you can't use that PIN anywhere except on that specific device. If you want A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). + +>[!NOTE] +>For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928).   ## PIN is backed by hardware From c1534420ed97a81bf5b2242942ea59883fda4055 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 25 Jan 2017 08:17:23 -0800 Subject: [PATCH 037/115] add showcase link --- windows/keep-secure/hello-identity-verification.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index 0f73b11805..a1e391508f 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md 
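Review bot: the new opening sentence of hello-how-it-works.md starts with `TWindows Hello for Business requires a registered device.`, a stray `T` left over from the old `To use Windows Hello ...` wording; it should read `Windows Hello for Business requires a registered device.`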
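Review bot: the converted note in hello-why-pin-is-better-than-password.md carries over the misspelling `asymetric` (`For details on how Hello uses asymetric key pairs for authentication`); since the line is being rewritten anyway, correct it to `asymmetric`, which is how the unchanged paragraph above spells it (`creates an asymmetric key pair`).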
@@ -99,6 +99,8 @@ Windows Hello for Business can use either keys (hardware or software) or certifi ## Learn more +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) + [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy [What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) From caa14c62ef3151d7d0905979d7df8171c97780dd Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 25 Jan 2017 18:35:39 -0800 Subject: [PATCH 038/115] Adding content as listed in desc - Registry details - Active hours reorg and registry section --- windows/manage/waas-restart.md | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index d825aab900..07d0c8ed00 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md 
@@ -34,17 +34,38 @@ When **Configure Automatic Updates** is enabled, you can enable one of the follo You can configure active hours for devices without setting the **Configure Automatic Updates** policy. *Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. -By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Additionally, administrators can use Group Policy or MDM to set active hours for managed devices. +By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. + +Additionally, administrators can use multiple ways to set active hours for managed devices: + +- You can use Group Policy, as described in the procedure that follows. +- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). +- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry). + +### Configuring active hours with Group Policy To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours. ![Use Group Policy to configure active hours](images/waas-active-hours-policy.png) +### Configuring active hours with MDM + MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours. 
-To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. +### Configuring active hours through Registry -![Change active hours](images/waas-active-hours.png) +This method is not recommended, and should be used when neither Group Policy or MDM are available. +Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. + +You should set a combination of the following registry values, in order to configure active hours. +Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. + +For a detailed description of these regsitry keys, see [Summary: Registry keys used to manage restarts after updates](#summary-registry-keys-used-to-manage-restarts-after-updates). + +>[!NOTE] +>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. +> +>![Change active hours](images/waas-active-hours.png) ## Limit restart delays @@ -68,7 +89,7 @@ In the Group Policy editor, you will see a number of policy settings that pertai >If you set conflicting restart policies, the actual restart behavior may not be what you expected. ## Summary: Registry keys used to manage restarts after updates -Below are quick-reference tables of the supported registry values, that correspond to group policy settings, used to manage restarts after updates in Windows 10. +The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** 
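Review bot: the per-device instructions (`Settings > Update & security > Windows Update` > `Change active hours`) and their screenshot have been moved out of the main text into a `>[!NOTE]` at the bottom of the new `### Configuring active hours through Registry` section, which is the one method the text says is not recommended; since the intro still says `Users can change the active hours manually`, give those steps their own subsection or keep them after the intro so readers do not have to look under the registry method to find them. Wording fixes on the same hunk: `descrbied` and `regsitry` are misspelled; `when neither Group Policy or MDM are available` should be `when neither Group Policy nor MDM is available`; the bullet `While not recommended, you can also configure active hours, as descrbied in ...` should say how (`through the registry`) so it parallels the Group Policy and MDM bullets; and `**ActiveHoursStart**,**ActiveHoursEnd**` needs a space after the comma.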
@@ -82,8 +103,8 @@ Below are quick-reference tables of the supported registry values, that correspo | Registry key | Key type | Value | | --- | --- | --- | -| AlwaysAutoRebootAtScheduledTime | REG_DWORD | TBP | -| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | TBP | +| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | +| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | | AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings | | NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | From 16bb7c2d600dbdeac3595e927640bd6a7044f139 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Thu, 26 Jan 2017 00:07:48 -0800 Subject: [PATCH 039/115] Update credential-guard.md Added missing Security Considerations heading and demoted subheadings to match --- windows/keep-secure/credential-guard.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c40e90f58a..6465993ef4 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -65,6 +65,8 @@ Applications will prompt & expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 +### Security considerations + The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] @@ -72,7 +74,7 @@ The following tables provide more information about the hardware, firmware, and > If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required. -### Baseline protection recommendations +#### Baseline protection recommendations |Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| @@ -86,7 +88,7 @@ The following tables provide more information about the hardware, firmware, and > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. -### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) +#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| @@ -96,7 +98,7 @@ The following tables provide more information about the hardware, firmware, and
-### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) +#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) > [!IMPORTANT] > The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. @@ -109,7 +111,7 @@ The following tables provide more information about the hardware, firmware, and
-### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) +#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| From 7047eec1676376ab2ca738dbb74e30229ed0678c Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Thu, 26 Jan 2017 00:23:30 -0800 Subject: [PATCH 040/115] Update credential-guard.md hardware requirements --- windows/keep-secure/credential-guard.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c40e90f58a..12bd430f83 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
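Review bot: The context line "> Starting in Widows 10, 1607, TPM 2.0 is required." in the @@ -72,7 +74,7 hunk of PATCH 039 misspells "Windows"; since the hunk already touches the line right below it, fix the typo in this commit rather than leave it for another pass. Demoting the four recommendation headings to #### is consistent with the new "### Security considerations" parent, and that parent sits at the same level as the existing "### Application requirements" heading, so the structure is right. The remaining question is the name: what the section holds is hardware and firmware requirement tables, and a reader looking for "requirements" may not open a heading called "Security considerations".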
@@ -45,7 +45,15 @@ For Credential Guard to provide protections, the computers you are protecting mu To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. -You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: +- Support for Virtualization-based security (required) +- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) + +The Virtualization-based security requires: +- 64 bit CPU +- CPU virtualization extensions plu extended page tables +- Windows hypervisor ### Application requirements From 98dda53295b6ec9fe743b25d8c6c41dc53442b15 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 26 Jan 2017 10:09:14 -0800 Subject: [PATCH 041/115] updates to offline app reqmts --- windows/manage/distribute-offline-apps.md | 41 +++++++++++------------ 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index 74afc0928b..58da10d698 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
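Review bot: The new lead-in "To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:" names the wrong feature; the three bullets under it (virtualization-based security, TPM 2.0, UEFI lock) are what Credential Guard uses, and Credential Manager is what is being protected. Suggest "Credential Guard uses:". Also "plu" should be "plus" and "64 bit CPU" should be "64-bit CPU". The commit message says "hardware requirements" but the hunk also deletes "You can deploy Credential Guard in phases..."; confirm that deletion is intended. Separately, this patch and PATCH 039 both start from blob c40e90f58a of credential-guard.md (index c40e90f58a..6465993ef4 and c40e90f58a..12bd430f83), so whichever lands second needs a rebase; the hunks touch different regions, so it should merge cleanly, but check it.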
@@ -33,50 +33,49 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona ## Distribution options for offline-licensed apps +You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have options for distributing the apps: -You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps: +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). -- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). +- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. 
Once you have the package, there are options to [apply the provisioning package](https://technet.microsoft.com/itpro/windows/deploy/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). -- **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx). +- **Mobile device management provider or management server.** You canuse a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: + - [Manage apps from Windows Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) + - [Manage apps from Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
-- **Management server.** +For third-party MDM providers or management servers, check your product documentation. ## Download an offline-licensed app - There are several items to download or create for offline-licensed apps. You'll need all of these items to distribute offline apps to your employees. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** -- App metadata is required for distributing offline apps. The metadata includes app details, links to icons, product id, localized product ids, and other items. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. -- **App package** -- App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. +- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. -- **App license** -- App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. +- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. 
-- **App frameworks** -- App frameworks are required for distributing offline apps, but you might not need to download one. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. +- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. **To download an offline-licensed app** -1. Sign in to the Store for Business +1. Sign in to the [Store for Business](http://businessstore.microsoft.com/). 2. Click **Manage**, and then choose **Inventory**. 3. Click **Refine**, and then choose **Offline**. 4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**. + - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. + - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. + - **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required. + - **To download an app framework**: Find the framework you need to support your app package, and click **Download**. This is optional. + +> [!NOTE] +> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. -5. To download app metadata: choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. - -6. 
To download app package for offline use: click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. - -7. To download an app license: choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. - -8. To download an app framework: find the framework you need to support your app package, and click **Download**. - **Note**   - You need the framework to support your app package, but if you already have a copy, you don't need to download it again. - - Frameworks are backward compatible. +   From 30cb432233e6e0882ec0a9da4f4e5a6cdca71ec9 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 26 Jan 2017 10:17:45 -0800 Subject: [PATCH 042/115] updates --- windows/manage/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index 58da10d698..5583eabdcd 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
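Review bot: "You canuse a mobile device management (MDM) provider" is missing a space. The sign-in link in step 1 is plain http (http://businessstore.microsoft.com/); the page asks the reader to sign in there, so link https directly rather than rely on a redirect for the first hop. The final added line is whitespace only ("+   ") at the end of the file and should be dropped. Minor: "Devs who plan to use an app as part of another app or tool, might want the app metadata" has a stray comma before "might".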
@@ -47,7 +47,7 @@ For third-party MDM providers or management servers, check your product document ## Download an offline-licensed app -There are several items to download or create for offline-licensed apps. You'll need all of these items to distribute offline apps to your employees. This section includes more info on each item, and tells you how to download an offline-licensed app. +There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. - **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. From e9f8b71e91b9a13e52f17c5cbe0e9027f2f236f2 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 26 Jan 2017 11:50:28 -0800 Subject: [PATCH 043/115] Adding content - waas-restart - Finished adding registry content in context. - Re-arranged some of the existing content, due to added content. --- windows/manage/waas-restart.md | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index 07d0c8ed00..5ad57725e9 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md 
@@ -18,25 +18,38 @@ localizationpriority: high > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy settings or mobile device management (MDM) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. +You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation -When you set the **Configure Automatic Updates** policy to **Auto download and schedule the install**, you also configure the day and time for installation or you specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). +In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time. -When **Configure Automatic Updates** is enabled, you can enable one of the following additional policies to manage device restart: +To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). 
+ +**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. + +While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur. + +For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + +## Delay automatic reboot + +When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion: - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. -- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. To set the time, you need to go **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. 
+You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. + +For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). + ## Configure active hours -You can configure active hours for devices without setting the **Configure Automatic Updates** policy. *Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. +*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. -Additionally, administrators can use multiple ways to set active hours for managed devices: +Administrators can use multiple ways to set active hours for managed devices: - You can use Group Policy, as described in the procedure that follows. - You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). 
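Review bot: The added lines carry several spelling errors that will ship into the rendered page: "instllation", "instal" in "4 - Auto download and schedule the instal", "installtion" (twice) and "regsitry" (twice). The value name is written "AuOptions" in the prose here but "AUOptions" in the summary table at the bottom of the file; registry value names are not case-sensitive, but the document should use one spelling, and the table's "AUOptions" is the documented form. The registry paragraphs correctly label the method "not recommended"; one clause saying why (these are policy keys, so a Group Policy or MDM setting for the same policy overwrites them) would make the warning actionable.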
@@ -54,13 +67,13 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.mi ### Configuring active hours through Registry -This method is not recommended, and should be used when neither Group Policy or MDM are available. +This method is not recommended, and should only be used when neither Group Policy or MDM are available. Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. You should set a combination of the following registry values, in order to configure active hours. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. -For a detailed description of these regsitry keys, see [Summary: Registry keys used to manage restarts after updates](#summary-registry-keys-used-to-manage-restarts-after-updates). +For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). >[!NOTE] >To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. @@ -86,9 +99,11 @@ In the Group Policy editor, you will see a number of policy settings that pertai | Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | >[!NOTE] +>You can only choose one path for restart behavior. +> >If you set conflicting restart policies, the actual restart behavior may not be what you expected. -## Summary: Registry keys used to manage restarts after updates +## Registry keys used to manage restart The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** From 8842dcf99a5ad35c25a16f2ab3c690087d95e936 Mon Sep 17 00:00:00 2001 
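Review bot: The note added in the @@ -86,9 +99,11 hunk, "You can only choose one path for restart behavior.", contradicts the sentence this same patch keeps at the top of the file, "...configure active hours for when restarts will not occur, or you can do both." One of the two needs to change, or the note should say which combinations conflict; the existing line beneath it, "If you set conflicting restart policies, the actual restart behavior may not be what you expected", already covers the conflict case, so the new sentence may be redundant as well as inconsistent.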
From: Trudy Hakala Date: Thu, 26 Jan 2017 13:47:41 -0800 Subject: [PATCH 044/115] updates for applies to --- .../stop-employees-from-using-the-windows-store.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md index 8f2d26753c..d09e5ae2be 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -29,8 +29,8 @@ You can use these tools to configure access to Windows Store: AppLocker or Group ## Block Windows Store using AppLocker +Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile -Applies to: Windows 10 Enterprise, Windows 10 Mobile AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. @@ -59,7 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what- ## Block Windows Store using Group Policy -Applies to: Windows 10 Enterprise, version 1511 +Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education + +> [!Note] +> Not supported on Windows 10 Pro. You can also use Group Policy to manage access to Windows Store. 
@@ -89,7 +92,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). ## Show private store only using Group Policy -Applies to Windows 10 Enterprise, version 1607. +Applies to Windows 10 Enterprise, version 1607, Windows 10 Education If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. From e511c0457411ba485d0601a8673c477109b3458d Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 26 Jan 2017 18:48:32 -0800 Subject: [PATCH 045/115] Added Failure event to parent topic for 4774 --- windows/keep-secure/audit-credential-validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 5e54e23875..a6e23ecd47 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -42,7 +42,7 @@ The main reason to enable this auditing subcategory is to handle local accounts **Events List:** -- [4774](event-4774.md)(S): An account was mapped for logon. +- [4774](event-4774.md)(S, F): An account was mapped for logon. - [4775](event-4775.md)(F): An account could not be mapped for logon. From 055ddd3ec00736edf95be68d1b3b53b366073404 Mon Sep 17 00:00:00 2001 
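Review bot: "> [!Note]" in the Group Policy hunk of PATCH 044 does not match the "> [!NOTE]" casing used in every other alert in this series (see the waas-restart and distribute-offline-apps hunks above); keep the token uppercase so it renders the same way everywhere. The "Applies to" lines are now inconsistent with each other: the AppLocker and Group Policy sections use "Applies to:" with a colon, the private-store section uses "Applies to Windows 10 Enterprise..." without one, and the trailing period was removed from only that last line. Pick one form.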
From: Dani Halfin Date: Thu, 26 Jan 2017 20:37:16 -0800 Subject: [PATCH 046/115] Add content - waas-restart - Final changes after PM review - Added a note and instructions summary at the bottom of the registry part --- windows/manage/waas-restart.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index 5ad57725e9..33371c4c5f 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md @@ -120,10 +120,16 @@ The following tables list registry values that correspond to the Group Policy se | --- | --- | --- | | AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | | AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | -| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings | +| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | | NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +There are 3 different registry combination for controlling restart: + +- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. +- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. +- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. + ## Related topics - [Update Windows 10 in the enterprise](waas-update-windows-10.md) From c6eac50aaa4690ba7758858cd78b280e1cccaa33 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 08:29:43 -0800 Subject: [PATCH 047/115] add link to user's guide --- devices/surface-hub/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index ce7c4f3c37..17f46092e4 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -13,7 +13,9 @@ localizationpriority: medium # Microsoft Surface Hub -Documents related to the Microsoft Surface Hub. +Documents related to deploying and managing the Microsoft Surface Hub in your organization. + +>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub) ## In this section From 78c7cbd1aab994301626d4c4f46f18851ef5eefb Mon Sep 17 00:00:00 2001 
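Review bot: "There are 3 different registry combination for controlling restart" should be "combinations", and "instllation" and "ascheduled" in this hunk are the same typos carried forward from the earlier table hunk in the series. The three-bullet summary is the useful part of this change, but it should name the key each value lives under: the prose earlier in the file puts AUOptions, ScheduledInstallTime, AlwaysAutoRebootAtScheduledTime and NoAutoRebootWithLoggedOnUsers under ...\WindowsUpdate\AU and SetActiveHours, ActiveHoursStart and ActiveHoursEnd under ...\WindowsUpdate, and a reader working from the summary alone would put them in the wrong key. The second bullet also says AlwaysAutoRebootAtScheduledTimeMinutes "should specify number of minutes" without the 15-180 bound the table gives two lines above; "between 15 and 180" there saves a round trip.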
From: jdeckerMS Date: Fri, 27 Jan 2017 09:36:51 -0800 Subject: [PATCH 048/115] add multi-forest --- devices/surface-hub/TOC.md | 3 +- .../surface-hub/change-history-surface-hub.md | 1 + ...e-and-test-a-device-account-surface-hub.md | 3 +- ...-deployment-surface-hub-device-accounts.md | 6 +- ...ses-deployment-surface-hub-multi-forest.md | 106 ++++++++++++++++++ 5 files changed, 114 insertions(+), 5 deletions(-) create mode 100644 devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 3c1ef3bcb3..a08087ffa9 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -5,7 +5,8 @@ #### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) #### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) ##### [Online deployment](online-deployment-surface-hub-device-accounts.md) -##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) +##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md) +##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) ##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) ##### [Create a device account using UI](create-a-device-account-using-office-365.md) ##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index dbf6b92769..a58c51ec66 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md 
@@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac | New or changed topic | Description | | --- | --- | | [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New | +| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | New | | [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. | | [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. | diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index ec7e16757b..9930a748e3 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md 
@@ -46,7 +46,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt | Organization deployment | Description | |---------------------------------|--------------------------------------| | [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. | -| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). | +| [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. | +| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. | | [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. | If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index cb9d732585..8914899056 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md 
@@ -1,5 +1,5 @@ --- -title: On-premises deployment (Surface Hub) +title: On-premises deployment single forest (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 keywords: single forest deployment, on prem deployment, device account, Surface Hub @@ -11,12 +11,12 @@ author: TrudyHa localizationpriority: medium --- -# On-premises deployment (Surface Hub) +# On-premises deployment for Surface Hub in a single-forest environment This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. -If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). 1. Start a remote PowerShell session from a PC and connect to Exchange. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md new file mode 100644 index 0000000000..bfabf99e17 --- /dev/null +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md 
@@ -0,0 +1,106 @@ +--- +title: On-premises deployment multi-forest (Surface Hub) +description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. +ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 +keywords: single forest deployment, on prem deployment, device account, Surface Hub +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub +author: TrudyHa +localizationpriority: medium +--- + +# On-premises deployment for Surface Hub in a multi-forest environment + + +This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. + +If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md). + +1. Start a remote PowerShell session from a PC and connect to Exchange. + + Be sure you have the right permissions set to run the associated cmdlets. + + Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server. 
+ + ```PowerShell + Set-ExecutionPolicy Unrestricted + $org='contoso.microsoft.com' + $cred=Get-Credential $admin@$org + $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue + $sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue + Import-PSSession $sessExchange + Import-PSSession $sessLync + ``` + +2. After establishing a session, create a new mailbox in the Resource Forest. This will allow the account to authenticate into the Surface Hub. + + If you're changing an existing resource mailbox: + + ```PowerShell + New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" + ``` + +3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. + +Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the PasswordEnabled property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + +If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + + ```PowerShell + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. + + ```PowerShell + Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy -ActiveSyncEnabled $true + Set-Mailbox $acctUpn -Type Room + ``` + +4. Various Exchange properties can be set on the device account to improve the meeting experience for people. 
You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```PowerShell + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + ``` + +5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. This should be set in the User Forest. + + ```PowerShell + Set-AdUser $acctUpn -PasswordNeverExpires $true + ``` + +6. Enable the account in Active Directory so it will authenticate to the Surface Hub. This should be set in the User Forest. + + ```PowerShell + Set-AdUser $acctUpn -Enabled $true + ``` + +6. You now need to change the room mailbox to a linked mailbox: + + ```PowerShell + $cred=Get-Credential AuthForest\LinkedRoomTest1 + Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1 + ``` + +7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool: + + ```PowerShell + Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com" + -DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com + -Identity HUB01 + ``` + + You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. + + + +  + + + + + From 09d6e2a5db1702ede5af3c2af384f887c3a24317 Mon Sep 17 00:00:00 2001 
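Review bot: the new front-matter title in on-premises-deployment-surface-hub-device-accounts.md, "On-premises deployment single forest (Surface Hub)", lacks punctuation and matches neither the H1 "On-premises deployment for Surface Hub in a single-forest environment" nor the TOC entry "On-premises deployment (single forest)"; suggest "On-premises deployment, single forest (Surface Hub)", and use the hyphenated "single-forest"/"multi-forest" consistently across the TOC, the table in create-and-test-a-device-account-surface-hub.md (which already has "single-forest") and both titles.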
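Review bot: the step 7 command in the new on-premises-deployment-surface-hub-multi-forest.md is split across three lines with no continuation, so PowerShell runs `Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com"` on its own and then fails on `-DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com` as a separate command; put it on one line or end the first two lines with a backtick. Steps 5 and 6 call `Set-AdUser $acctUpn`, but `$acctUpn` is never assigned in this topic (step 2 uses the literal HUB01@contoso.com) and `Set-ADUser -Identity` does not take a UPN (it accepts a distinguished name, GUID, SID or SAM account name), so use `-Identity HUB01`; since the text says these run in the user forest, add `-Server` with a domain controller of that forest as well. Step 1 likewise references `$strExchangeServer`, `$strLyncFQDN` and `$admin` without ever assigning them (`Get-Credential $admin@$org` expands to `@contoso.microsoft.com`), and `Set-ExecutionPolicy Unrestricted` is broader and more persistent than this session needs; `RemoteSigned`, or a `-Scope Process` setting, is enough. Step 2 says "If you're changing an existing resource mailbox:" but the cmdlet is `New-Mailbox`, which creates one; the lead-in should say "To create the mailbox:". The list has two steps numbered "6.", and the linked-mailbox step uses lab identities (AuthForest\LinkedRoomTest1, AuthForest-4939.AuthForest.extest.contoso.com) inconsistent with HUB01@contoso.com used elsewhere, reassigns `$cred` (the admin credential from step 1), and passes the same value to `-Alias`, `-Name` and `-Identity` where `-Identity` suffices; it should also say which forest the linked master account lives in, since that is the whole point of the multi-forest topic. Smaller points: step 3 calls the policy "Surface Hubs" while the cmdlet creates `-Name “SurfaceHubs”` with curly quotes, step 3's two paragraphs lost their list indentation, step 4 uses en dashes (`–AllowConflicts`, `–DeleteComments`) where the other parameters use ASCII hyphens, the front matter reuses the single-forest topic's `ms.assetid`, keywords still say "single forest deployment", and the file ends with several lines containing only a non-breaking space.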
From: jdeckerMS Date: Fri, 27 Jan 2017 11:00:48 -0800 Subject: [PATCH 049/115] proxy note --- devices/surface-hub/monitor-surface-hub.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 9f45d3d355..4b96956704 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -101,6 +101,9 @@ This table describes the sample queries in the Surface Hub solution: For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/). +>[!NOTE] +>Surface Hub does not currently support the use of a proxy server to communicate with the OMS service. + | Agent resource | Ports | Bypass HTTPS inspection? | | --------------------------- | ----- | ------------------------ | | *.ods.opinsights.azure.com | 443 | Yes | From 6070d5a68434545e12162159fcb07b722ccf83ad Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 11:16:25 -0800 Subject: [PATCH 050/115] format --- .../on-premises-deployment-surface-hub-multi-forest.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index bfabf99e17..8d66041c90 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md 
@@ -44,10 +44,9 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. -Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the PasswordEnabled property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. - -If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false From 9f6a9895474eb6fb19c32b6762812fa6b3a5dded Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 11:20:41 -0800 Subject: [PATCH 051/115] metadata --- .../on-premises-deployment-surface-hub-multi-forest.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index 8d66041c90..08688230d6 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md 
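Review bot: the added `>[!NOTE]` in monitor-surface-hub.md says Surface Hub cannot use a proxy to reach OMS, but the sentence immediately above still sends readers to "Configure proxy and firewall settings in Log Analytics" without qualification; say that only the firewall and port part of that article applies. While this paragraph is being edited, the context line "This table list the ports that OMS needs" should read "This table lists the ports".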
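Review bot: the re-indented step 3 text in on-premises-deployment-surface-hub-multi-forest.md still carries "cmdlet-—this" (a hyphen followed by an em dash) and still calls the policy "Surface Hubs" while the cmdlet below it creates `-Name “SurfaceHubs”` with curly quotes; pick one name, use ASCII quotes, and separate the clauses with a colon or period. The hunk also drops the blank line that separated the two paragraphs (three lines removed, two added), so they will now render as a single paragraph; keep an indented blank line between them.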
@@ -2,12 +2,12 @@ title: On-premises deployment multi-forest (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 -keywords: single forest deployment, on prem deployment, device account, Surface Hub +keywords: multi forest deployment, on prem deployment, device account, Surface Hub ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- From dbbb7004e4a088d26d23720ff0b7d8a96b91fdc8 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 27 Jan 2017 11:30:20 -0800 Subject: [PATCH 052/115] Changed owner on waas + added to change history of manage --- .../manage/change-history-for-manage-and-update-windows-10.md | 1 + windows/manage/waas-branchcache.md | 2 +- windows/manage/waas-configure-wufb.md | 2 +- windows/manage/waas-delivery-optimization.md | 2 +- windows/manage/waas-deployment-rings-windows-10-updates.md | 2 +- windows/manage/waas-integrate-wufb.md | 2 +- windows/manage/waas-manage-updates-configuration-manager.md | 2 +- windows/manage/waas-manage-updates-wsus.md | 2 +- windows/manage/waas-manage-updates-wufb.md | 2 +- windows/manage/waas-mobile-updates.md | 2 +- windows/manage/waas-optimize-windows-10-updates.md | 2 +- windows/manage/waas-overview.md | 2 +- windows/manage/waas-quick-start.md | 2 +- windows/manage/waas-restart.md | 2 +- windows/manage/waas-servicing-branches-windows-10-updates.md | 2 +- windows/manage/waas-servicing-strategy-windows-10-updates.md | 2 +- windows/manage/waas-update-windows-10.md | 2 +- windows/manage/waas-wufb-group-policy.md | 2 +- windows/manage/waas-wufb-intune.md | 2 +- 19 files changed, 19 insertions(+), 18 deletions(-) 
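Review bot: keywords and author are corrected here, but `ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6` in the context lines is still the same GUID as the single-forest topic on-premises-deployment-surface-hub-device-accounts.md uses; asset IDs are expected to be unique per topic, so generate a new one for the multi-forest page in this metadata fix.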
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index c9e8313b65..a794ec798f 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -22,6 +22,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) | | [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) | | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | +| [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. | diff --git a/windows/manage/waas-branchcache.md b/windows/manage/waas-branchcache.md index ec1296a2ef..6e44cbaaa1 100644 --- a/windows/manage/waas-branchcache.md +++ b/windows/manage/waas-branchcache.md @@ -4,7 +4,7 @@ description: Use BranchCache to optimize network bandwidth during update deploym ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index 49db389072..9626d2e24f 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -4,7 +4,7 @@ description: You can use Group Policy or your mobile device management (MDM) ser ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index e912602db5..9b3dc0a522 100644 
--- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -4,7 +4,7 @@ description: Delivery Optimization is a new peer-to-peer distribution method in ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/manage/waas-deployment-rings-windows-10-updates.md index a94ad97953..1277f71080 100644 --- a/windows/manage/waas-deployment-rings-windows-10-updates.md +++ b/windows/manage/waas-deployment-rings-windows-10-updates.md @@ -4,7 +4,7 @@ description: Deployment rings in Windows 10 are similar to the deployment groups ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-integrate-wufb.md b/windows/manage/waas-integrate-wufb.md index bf9f2ebf78..26e1d2bb42 100644 --- a/windows/manage/waas-integrate-wufb.md +++ b/windows/manage/waas-integrate-wufb.md @@ -4,7 +4,7 @@ description: Use Windows Update for Business deployments with management tools s ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md index 12f1bf2fed..10a6565a03 100644 --- a/windows/manage/waas-manage-updates-configuration-manager.md +++ b/windows/manage/waas-manage-updates-configuration-manager.md @@ -4,7 +4,7 @@ description: System Center Configuration Manager provides maximum control over q ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/manage/waas-manage-updates-wsus.md index b1255530c7..6fee51df69 100644 --- a/windows/manage/waas-manage-updates-wsus.md 
+++ b/windows/manage/waas-manage-updates-wsus.md @@ -4,7 +4,7 @@ description: WSUS allows companies to defer, selectively approve, choose when de ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md index 7f290e895c..8ad5a18ba0 100644 --- a/windows/manage/waas-manage-updates-wufb.md +++ b/windows/manage/waas-manage-updates-wufb.md @@ -4,7 +4,7 @@ description: Windows Update for Business lets you manage when devices received u ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-mobile-updates.md b/windows/manage/waas-mobile-updates.md index a746f90a29..1352624cc9 100644 --- a/windows/manage/waas-mobile-updates.md +++ b/windows/manage/waas-mobile-updates.md @@ -4,7 +4,7 @@ description: tbd ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md index 2792edeed4..9563562c28 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/manage/waas-optimize-windows-10-updates.md @@ -4,7 +4,7 @@ description: Two methods of peer-to-peer content distribution are available in W ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md index 160f38bcad..fca1c64ad5 100644 --- a/windows/manage/waas-overview.md +++ b/windows/manage/waas-overview.md 
@@ -4,7 +4,7 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-quick-start.md b/windows/manage/waas-quick-start.md index 1be2915c34..eef6aed2a3 100644 --- a/windows/manage/waas-quick-start.md +++ b/windows/manage/waas-quick-start.md @@ -4,7 +4,7 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index 33371c4c5f..725ea12d9c 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md @@ -4,7 +4,7 @@ description: tbd ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index 2986743565..f42352f643 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -4,7 +4,7 @@ description: tbd ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/manage/waas-servicing-strategy-windows-10-updates.md index 9b24e35dad..52c156bbeb 100644 --- a/windows/manage/waas-servicing-strategy-windows-10-updates.md +++ b/windows/manage/waas-servicing-strategy-windows-10-updates.md @@ -4,7 +4,7 @@ description: A strong Windows 10 deployment strategy begins with establishing a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- 
diff --git a/windows/manage/waas-update-windows-10.md b/windows/manage/waas-update-windows-10.md index c87ec80caf..f257330910 100644 --- a/windows/manage/waas-update-windows-10.md +++ b/windows/manage/waas-update-windows-10.md @@ -4,7 +4,7 @@ description: Windows as a service provides an all-new way to think about buildin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/manage/waas-wufb-group-policy.md index 50eb03bd68..87d3b8ba3f 100644 --- a/windows/manage/waas-wufb-group-policy.md +++ b/windows/manage/waas-wufb-group-policy.md @@ -4,7 +4,7 @@ description: Configure Windows Update for Business settings using Group Policy. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- diff --git a/windows/manage/waas-wufb-intune.md b/windows/manage/waas-wufb-intune.md index 6b1c630072..c730a5edfd 100644 --- a/windows/manage/waas-wufb-intune.md +++ b/windows/manage/waas-wufb-intune.md @@ -4,7 +4,7 @@ description: Configure Windows Update for Business settings using Microsoft Intu ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- From 21471933e5733de087b64072fd13c0b6fcbe9dcb Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 12:54:19 -0800 Subject: [PATCH 053/115] Holographic for business --- devices/hololens/TOC.md | 2 +- devices/hololens/hololens-enroll-mdm.md | 4 ++-- devices/hololens/hololens-install-apps.md | 2 +- devices/hololens/hololens-kiosk.md | 4 ++-- devices/hololens/hololens-provisioning.md | 6 +++--- devices/hololens/hololens-requirements.md | 2 +- devices/hololens/hololens-upgrade-enterprise.md | 8 ++++---- devices/hololens/index.md | 4 ++-- 8 files changed, 16 insertions(+), 16 deletions(-) 
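Review bot: while the author field is being rewritten across these files, the context lines show `description: tbd` still in the front matter of waas-mobile-updates.md, waas-restart.md and waas-servicing-branches-windows-10-updates.md; that placeholder is what search results and link previews display, so fill it in with a one-sentence description in the same pass. The change-history entry "Added Registry keys for controlling restarts" should use lowercase "registry", as the linked waas-restart.md topic does.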
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index a1e744e8fe..65aee042b5 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,7 +1,7 @@ # [Microsoft HoloLens](index.md) ## [HoloLens in the enterprise: requirements](hololens-requirements.md) ## [Set up HoloLens](hololens-setup.md) -## [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) +## [Unlock Windows Holographic for business features](hololens-upgrade-enterprise.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Set up HoloLens in kiosk mode](hololens-kiosk.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 87c565d59e..418252ff16 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -11,10 +11,10 @@ localizationpriority: medium # Enroll HoloLens in MDM -You can manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. +You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. >[!NOTE] ->Mobile device management (MDM) for Development Edition HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md). +>Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for business](hololens-upgrade-enterprise.md). ## Requirements 
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 0bd99695b0..294befa342 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -16,7 +16,7 @@ The recommended way to install Universal Windows Platform (UWP) apps on HoloLens You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device. >[!IMPORTANT] - >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.** Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) + >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) ## Use Windows Store for Business to deploy apps to HoloLens 
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 5ef67cb981..a618312ba7 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md 
@@ -18,7 +18,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap 1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. >[!IMPORTANT] - >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) + >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) 2. 
On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb). @@ -32,7 +32,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap ![Kiosk Mode](images/kiosk.png) >[!NOTE] - >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has an [Enterprise license](hololens-upgrade-enterprise.md). + >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for business](hololens-upgrade-enterprise.md). 5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**. diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 9debfeb7b8..38b3e63fe7 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -14,7 +14,7 @@ localizationpriority: medium Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Some of the HoloLens configurations that you can apply in a provisioning package: -- Upgrade to Windows Holographic Enterprise +- Upgrade to Windows Holographic for business - Set up a local account - Set up a Wi-Fi connection - Apply certificatess to the device 
@@ -32,7 +32,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D ## Create a provisioning package for HoloLens >[!NOTE] ->Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic Enterprise or if [the device has already been upgraded to Windows Holographic Enterprise](hololens-upgrade-enterprise.md). +>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for business or if [the device has already been upgraded to Windows Holographic for business](hololens-upgrade-enterprise.md). 1. On the Windows ICD start page, select **Advanced provisioning**. @@ -110,7 +110,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic, | **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.

**IMPORTANT**
If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). | | **Certificates** | Deploy a certificate to HoloLens. | | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. | -| **EditionUpgrade** | [Upgrade to Windows Holographic Enterprise.](hololens-upgrade-enterprise.md) | +| **EditionUpgrade** | [Upgrade to Windows Holographic for business.](hololens-upgrade-enterprise.md) | | **Policies** | Allow or prevent developer mode on HoloLens. | >[!NOTE] diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index c141d31509..1f84c1706d 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -36,7 +36,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/ - Wi-Fi network - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs -## Upgrade to Windows Holographic Enterprise +## Upgrade to Windows Holographic for business - HoloLens Enterprise license XML file diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index 12546b5f31..4833d42ac3 100644 --- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md @@ -1,5 +1,5 @@ --- -title: Unlock Windows Holographic Enterprise features (HoloLens) +title: Unlock Windows Holographic for business features (HoloLens) description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise. ms.prod: w10 ms.mktglfcycl: manage 
@@ -9,14 +9,14 @@ author: jdeckerMS localizationpriority: medium --- -# Unlock Windows Holographic Enterprise features +# Unlock Windows Holographic for business features Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. -When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Enterprise. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package). +When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Efor business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package). >[!TIP] ->You can tell that the HoloLens has been upgraded to the Enterprise edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic Enterprise. +>You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for business. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 7e12977ae1..007ce90759 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -13,7 +13,7 @@ localizationpriority: medium - +

Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.

Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic Enterprise when you apply the Enterprise license file to the device.

![Hololens](images/hololens.png)

Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.

Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for business when you apply the Enterprise license file to the device.

![Hololens](images/hololens.png)
## In this section @@ -22,7 +22,7 @@ localizationpriority: medium | --- | --- | | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | -| [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise| +| [Unlock Windows Holographic for business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for business| | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune | | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | From fb2a785b27eaa4908482a84b4ca49427db495f61 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 13:10:40 -0800 Subject: [PATCH 054/115] holo change history --- devices/hololens/TOC.md | 3 ++- devices/hololens/change-history-hololens.md | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 devices/hololens/change-history-hololens.md diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 65aee042b5..49574aaf1c 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
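Review bot: The replaced line in the second hololens-upgrade-enterprise.md hunk introduces a typo, "upgrades Windows Holographic to Windows Holographic Efor business"; it should read "Windows Holographic for business". The same hunk leaves the front-matter context line `description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise.` untouched, so the page title and its search description now disagree; update the description in the same change.

Review bot: The new product casing "Windows Holographic for business" (lowercase b) is applied across hololens-kiosk.md, hololens-provisioning.md, hololens-requirements.md and index.md, while other wording in the same hunks keeps the old proper-noun form ("HoloLens Enterprise license XML file" in the requirements hunk, "when you apply the Enterprise license file to the device" in the added index.md line); settle on one casing for the product name and apply it to every occurrence so the rename is complete.

Review bot: In the hololens-kiosk.md IMPORTANT block, the policy name is written as "**ApplicationManagement/AllowDeveloper Unlock**" with an embedded space; Policy CSP node names are single identifiers, so confirm this should be AllowDeveloperUnlock and fix the split. The unchanged context line "- Apply certificatess to the device" in the hololens-provisioning.md hunk also carries a typo that this sweep of the file could fix in passing.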
@@ -5,4 +5,5 @@ ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Set up HoloLens in kiosk mode](hololens-kiosk.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) -## [Install apps on HoloLens](hololens-install-apps.md) \ No newline at end of file +## [Install apps on HoloLens](hololens-install-apps.md) +## [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md new file mode 100644 index 0000000000..85fdf147d7 --- /dev/null +++ b/devices/hololens/change-history-hololens.md @@ -0,0 +1,21 @@ +--- +title: Change history for Microsoft HoloLens documentation +description: This topic lists new and updated topics for HoloLens. +keywords: change history +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerMS +localizationpriority: medium +--- + +# Change history for Microsoft HoloLens documentation + +This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). + +## January 2017 + +| New or changed topic | Description | +| --- | --- | +| All topics | Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for business** | \ No newline at end of file From 1eec941e77bec3f11ceb5c7c7e370da5788b68ee Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 14:30:20 -0800 Subject: [PATCH 055/115] format --- windows/deploy/provisioning-create-package.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deploy/provisioning-create-package.md b/windows/deploy/provisioning-create-package.md index 51b609a8ea..f543e6d10f 100644 --- a/windows/deploy/provisioning-create-package.md +++ b/windows/deploy/provisioning-create-package.md 
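Review bot: The new change-history-hololens.md front matter sets `ms.pagetype: surfacehub` on a HoloLens topic; this looks copied from the Surface Hub change-history page and should match the page type used by the sibling HoloLens topics. The table row states "Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for business**", but the rename commit leaves the `description:` line of hololens-upgrade-enterprise.md on "Windows Holographic Enterprise", so either amend that line or narrow the claim. Both the TOC.md and the new file end with "\ No newline at end of file"; add a trailing newline.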
@@ -35,6 +35,7 @@ You use Windows Imaging and Configuration Designer (ICD) to create a provisionin - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. + >[!TIP] >You can start a project in the simple editor and then switch the project to the advanced editor. > From 57210a05e098401ffa17e237df76d305d964bbb1 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 27 Jan 2017 16:27:35 -0800 Subject: [PATCH 056/115] Changed phrasing + added note Deployment and validation groups -> deployment rings gave note for more info about validation groups in context --- windows/manage/waas-manage-updates-wufb.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md index 8ad5a18ba0..790cb61972 100644 --- a/windows/manage/waas-manage-updates-wufb.md +++ b/windows/manage/waas-manage-updates-wufb.md 
@@ -22,13 +22,16 @@ Windows Update for Business enables information technology administrators to kee Specifically, Windows Update for Business allows for: -- The creation of deployment and validation groups, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met). +- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met). - Selectively including or excluding drivers as part of Microsoft-provided updates - Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education. +>[!NOTE] +>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. + ## Update types Windows Update for Business provides three types of updates to Windows 10 devices: From c6d1fdc11df4a14ba69d073998bd667bed17e7aa Mon Sep 17 00:00:00 2001 From: loosus456 Date: Fri, 27 Jan 2017 23:16:07 -0500 Subject: [PATCH 057/115] Update windows-spotlight.md --- windows/manage/windows-spotlight.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md index f6182e086b..b907247a8a 100644 --- a/windows/manage/windows-spotlight.md +++ b/windows/manage/windows-spotlight.md 
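Review bot: The rewritten bullet in waas-manage-updates-wufb.md drops the "validation groups" concept but the commit message says the added note exists to explain validation groups; the NOTE text only says "to learn more about deployment rings", so confirm the linked topic waas-deployment-rings-windows-10-updates.md actually covers how validation devices fit into a ring, or say so in the note. The note is also placed after the "free service" sentence rather than under the deployment-rings bullet it explains; consider moving it next to that bullet. Minor: the list now mixes terminated and unterminated items ("...quality bars are met)." versus "Selectively including or excluding drivers as part of Microsoft-provided updates"), so end each bullet consistently.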
@@ -34,7 +34,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. -## How do you turn off Windows spotlight locally? +## How do you turn off Windows Spotlight locally? To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background @@ -44,7 +44,7 @@ To turn off Windows Spotlight locally, go to **Settings** > **Personalization ## How do you disable Windows Spotlight for managed devices? -Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers. +Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. **Windows 10 Pro, Enterprise, and Education** 
@@ -52,11 +52,14 @@ Windows 10, version 1607, provides three new Group Policy settings to help you m **Windows 10 Enterprise and Education** -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. +> [!NOTE] +> Only in Windows 10, version 1607, this Group Policy's expected behavior does not occur due to a bug. Instead, the policy incorrectly prohibits users from choosing their own lock screen image. This behavior is corrected in feature updates released after Windows 10, version 1607. + ![lockscreen policy details](images/lockscreenpolicy.png) Pay attention to the checkbox in **Options**. 
In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. From d67f116be29fffa9a0d0c738974fbf872e6c2ef4 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Sat, 28 Jan 2017 23:31:46 -0800 Subject: [PATCH 058/115] Fixed typo --- windows/manage/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index 725ea12d9c..ffb43434aa 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md @@ -124,7 +124,7 @@ The following tables list registry values that correspond to the Group Policy se | NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -There are 3 different registry combination for controlling restart: +There are 3 different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. - To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. From d39e15354c8b7a324d5568c972983861985c1176 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 30 Jan 2017 08:44:10 -0800 Subject: [PATCH 059/115] fix note --- windows/manage/windows-spotlight.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md index b907247a8a..1b2430b14d 100644 --- a/windows/manage/windows-spotlight.md +++ b/windows/manage/windows-spotlight.md 
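Review bot: In the windows-spotlight.md change, the added NOTE is vague about the actual effect of the bug: "this Group Policy's expected behavior does not occur due to a bug" does not tell an administrator what a user will see, and "This behavior is corrected in feature updates released after Windows 10, version 1607" asserts a fix that this change gives no way to verify; state the observable behaviour (the policy blocks users from choosing their own lock screen image) and, if the fixed release is not known, say only that a fix is planned. The heading hunk also recases "Windows spotlight" to "Windows Spotlight" in the heading and the Enterprise/Education bullets but leaves "**Windows spotlight**" in the Settings path line; that is fine only if it is the literal UI label, otherwise align it.

Review bot: The "Fixed typo" hunk in waas-restart.md corrects "combination" to "combinations" but leaves "instllation" in the very next context line ("To schedule a specific instllation and reboot time") and "the computer will automatically restarts" in the NoAutoRebootWithLoggedOnUsers row; fix both in the same commit. The same bullet also reads "**AlwaysAutoRebootAtScheduledTime** set to **1**" where the surrounding clauses use "should be", so make the phrasing parallel.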
@@ -57,8 +57,8 @@ Windows 10, version 1607, provides three new Group Policy settings to help you m Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. -> [!NOTE] -> Only in Windows 10, version 1607, this Group Policy's expected behavior does not occur due to a bug. Instead, the policy incorrectly prohibits users from choosing their own lock screen image. This behavior is corrected in feature updates released after Windows 10, version 1607. +>[!WARNING] +> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. ![lockscreen policy details](images/lockscreenpolicy.png) From 3e3e2d1f958f01edaaaa182a3703d0d2bac81dc9 Mon Sep 17 00:00:00 2001 From: Justinha Date: Mon, 30 Jan 2017 10:51:19 -0800 Subject: [PATCH 060/115] added account info --- windows/keep-secure/event-4774.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md index 5d919fd37b..3c71b36126 100644 --- a/windows/keep-secure/event-4774.md +++ b/windows/keep-secure/event-4774.md @@ -24,9 +24,9 @@ Success events do not appear to occur. Failure event [has been reported](http:// *Authentication Package:Schannel* -*Account UPN:%2* +*Account UPN:*<*Acccount*>@<*Domain*> -*Mapped Name:%3* +*Mapped Name:*<*Account*> ***Required Server Roles:*** no information. From 85a6706be7a5c7e1d723fb0c0691b8125f257f52 Mon Sep 17 00:00:00 2001 
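Review bot: The WARNING in windows-spotlight.md now states the behaviour concretely, but the callout markers are inconsistent: ">[!WARNING]" has no space after ">" while the body line uses "> In Windows 10, version 1607, ..." and the removed lines used "> [!NOTE]"; match one spacing style throughout the file. "This behavior will be corrected in a future release" is an open-ended commitment; consider adding the release or a link to the release notes once the fix ships so the warning can be retired.

Review bot: In the event-4774.md hunk, "Acccount" in the added line `*Account UPN:*<*Acccount*>@<*Domain*>` is misspelled (three c's). Both added lines also use bare angle brackets around the placeholders; in markdown those can be parsed as HTML tags and dropped from the rendered page, so escape them (`\<`/`\>` or `&lt;`/`&gt;`) or wrap the placeholder in code spans. The removed `%2`/`%3` were the event template's insertion-string indices; if the intent is to show sample values, say so, otherwise keep the parameter numbers alongside the readable placeholders.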
From: jdeckerMS Date: Mon, 30 Jan 2017 11:14:22 -0800 Subject: [PATCH 061/115] for Business --- devices/hololens/TOC.md | 2 +- devices/hololens/change-history-hololens.md | 2 +- devices/hololens/hololens-enroll-mdm.md | 2 +- devices/hololens/hololens-install-apps.md | 2 +- devices/hololens/hololens-kiosk.md | 4 ++-- devices/hololens/hololens-provisioning.md | 6 +++--- devices/hololens/hololens-requirements.md | 2 +- devices/hololens/hololens-upgrade-enterprise.md | 6 +++--- devices/hololens/images/upgrade-flow.png | Bin 48214 -> 0 bytes devices/hololens/index.md | 4 ++-- 10 files changed, 15 insertions(+), 15 deletions(-) delete mode 100644 devices/hololens/images/upgrade-flow.png diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 49574aaf1c..1c6e2264ab 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,7 +1,7 @@ # [Microsoft HoloLens](index.md) ## [HoloLens in the enterprise: requirements](hololens-requirements.md) ## [Set up HoloLens](hololens-setup.md) -## [Unlock Windows Holographic for business features](hololens-upgrade-enterprise.md) +## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Set up HoloLens in kiosk mode](hololens-kiosk.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 85fdf147d7..fb1d9fe158 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md 
@@ -18,4 +18,4 @@ This topic lists new and updated topics in the [Microsoft HoloLens documentation | New or changed topic | Description | | --- | --- | -| All topics | Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for business** | \ No newline at end of file +| All topics | Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for Business** | \ No newline at end of file diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 418252ff16..87a2cfa705 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -14,7 +14,7 @@ localizationpriority: medium You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. >[!NOTE] ->Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for business](hololens-upgrade-enterprise.md). +>Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md). ## Requirements diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 294befa342..ddd3a6d6b5 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md 
@@ -16,7 +16,7 @@ The recommended way to install Universal Windows Platform (UWP) apps on HoloLens You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device. >[!IMPORTANT] - >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) + >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) ## Use Windows Store for Business to deploy apps to HoloLens diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index a618312ba7..54d65e5489 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md 
@@ -18,7 +18,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap 1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. >[!IMPORTANT] - >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) + >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) 2. 
On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb). @@ -32,7 +32,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap ![Kiosk Mode](images/kiosk.png) >[!NOTE] - >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for business](hololens-upgrade-enterprise.md). + >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md). 5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**. diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 38b3e63fe7..c341d5ffb2 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -14,7 +14,7 @@ localizationpriority: medium Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Some of the HoloLens configurations that you can apply in a provisioning package: -- Upgrade to Windows Holographic for business +- Upgrade to Windows Holographic for Business - Set up a local account - Set up a Wi-Fi connection - Apply certificatess to the device 
@@ -32,7 +32,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D ## Create a provisioning package for HoloLens >[!NOTE] ->Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for business or if [the device has already been upgraded to Windows Holographic for business](hololens-upgrade-enterprise.md). +>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). 1. On the Windows ICD start page, select **Advanced provisioning**. @@ -110,7 +110,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic, | **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.

**IMPORTANT**
If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). | | **Certificates** | Deploy a certificate to HoloLens. | | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. | -| **EditionUpgrade** | [Upgrade to Windows Holographic for business.](hololens-upgrade-enterprise.md) | +| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) | | **Policies** | Allow or prevent developer mode on HoloLens. | >[!NOTE] diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 1f84c1706d..c12e090778 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -36,7 +36,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/ - Wi-Fi network - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs -## Upgrade to Windows Holographic for business +## Upgrade to Windows Holographic for Business - HoloLens Enterprise license XML file diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index 4833d42ac3..9fb370dfb0 100644 --- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md @@ -1,5 +1,5 @@ --- -title: Unlock Windows Holographic for business features (HoloLens) +title: Unlock Windows Holographic for Business features (HoloLens) description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise. ms.prod: w10 ms.mktglfcycl: manage 
@@ -9,14 +9,14 @@ author: jdeckerMS localizationpriority: medium --- -# Unlock Windows Holographic for business features +# Unlock Windows Holographic for Business features Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Efor business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package). >[!TIP] ->You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for business. +>You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for Business. 
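Review bot: This capitalization sweep ("for business" to "for Business") leaves the "Windows Holographic Efor business" typo in hololens-upgrade-enterprise.md untouched (it is visible as an unchanged context line in the second hunk), and the front-matter `description:` still reads "Windows Holographic Enterprise"; both should be fixed here so the topic agrees with its new title. In the hololens-install-apps.md hunk the changed line still has "device.**Developer Mode**" with no space after the period, the hololens-provisioning.md context line "Apply certificatess to the device" survives, and "**ApplicationManagement/AllowDeveloper Unlock**" appears with an embedded space in both the kiosk and install-apps IMPORTANT blocks; since every one of these lines is being touched anyway, fix them in this commit.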
diff --git a/devices/hololens/images/upgrade-flow.png b/devices/hololens/images/upgrade-flow.png deleted file mode 100644 index 127c3358f44d2dbc4b3767ee45d581a55ea7b19e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 48214 zcmbrlWmH^Uvo1;k!QCaey95dD8a%-*NU%nNI|L6F+}+)2I(P^qxI^O-92%G4a2D^o z_jmR^cZ_p?+#lUzthMH2}Em%x7@ zHnJD+;Dw8(ycAr`=<7Y;0>MgBMG_9KJ{IlX^c8T8@>xO81r83g=lS=d&#}w`4z3NR zC?om7)A;ZKEm3O*{1kIec*}QTuq%+4M~*{lOeRvAlQno=#F91rq|2gkFloKUG$Xb` zBX6%FBT;0YM2Xtu{Z&0dE}EzgjoSFuCX|>STgW+NYR)j>3F0$Mfw|p!u>z{SyY=5U zXxq;4scG5H0974R_#A?-a<0@8XtRzC|G4f9UQPMU+jl9l&B`JeZ!~YVmZ7bxU3J~x zel~02pgAFh)QFTWF1qSFcZ~hqbN9?teOGg(x1Dno@n)y!^KBbipQ_5Ch)CesZ@<33 z-?9_D``vH?`7?zAaIzIhLLcNiW&c3)$4)$5*AM1S6+aYM*}xI-ExV&@{QTg_mk$V? zG}RxW6dz-xri~C34?C& zbD@8!xo-T1dEVt#IQ37yJ*z66$1se9_7w07*f<{Kuv zR>sckDyN@BvM;7$24*6f_0Kk6%ocRI@-C+pLgCMsV+}eI^c3pM3-$Uh#onFmIrzDc zOOQbdrQh#xe&=Xlth;pG^v4bZdP4DSKU`As!z21~qHQawMs zv9b~^*3ZwcVNP&GjyigzGH~4a;QFHSo3R8`cAgLaAe4X4aKNHHNVi_dD zHt&k2Q0C~hO`H9R>FF~^2;G#Zn3$N5(87Q#D@OV!`t#I5eI6d32D^D4$T()!QOL!` z#dl3%x^#zm&7M+WlISBtX3thm!~1Ynf|!GM`_H5P+=_&VD3tC%7lfv5H_rWMc_S9u zevre8Odid&P3~A%&+YD)9NKwtin51M@p)evyY)F-;G}mX9}o=#S^ZSXmvX^|2t!{ zw#dHgy>F-%f(OpjD$|3r@D83Ahk+wLhO_f)_8QZJ9fveNAF7JK1M9Y`T)@!kV&u14 zdF+2*yr^8^N%qs1nyQ)N?Ta_{6M3l?zbu-JV^LerI(O+GSW!ybYHK;gTD!Z)o?1^< zbXKAG;ynlun#_Fxx^Rl-9V#Qmf^*;AqQJ(g*tqNVF<6oTBUmp3E%oSv+ z>HubgtLhOD5MVH6KS3aBbhUPL>3HA~;Cx52zxCMEVP1;O zODfUbCV!e_7;|FwPDtnNGVnO9bE@&GP3mnAS1eC**)$rKb>VrG)CuXC^6F}$Z!5TO z4T+n3%DzL2PP$jW`;J6ZafjrOJ?lS9A+`*+9O}QT6}*d?j1VF-TybcEAkD}G=q9;} zNA^hx^M?e^0kGL|t9z2+apUJ!@)h3V=Y9Ma7?5^^#NW=|oIV)R+PnjRme_dcU!WZW zU-2xot~34uEu|O|wXE3-5qQ1nX?ccOS(h=smA#?M7k+n+XbE#eYT=Q%V_?@Hv5v(O zb=p_6vK+h6#bo1RRNJGL9H9V>+KRb%?D~JFZw+B|h@3f+!dPn7@bNGjq62s8^zJgF zFxSXpY@rR8F}F6Q*Rw8zZtm)DXmm90bMr;2o$EotN!|yq7&=W`8Se=bFgCKh! 
zruPj&GK(#kqIwA2hJL+MQoeoYC0x0$o4dvF!`NN8wY*~00b!71u(?Yftnl>sv zrmuJ9hhLpDK!1AbYu$RZc^cOGUghv$SYSC$(GY(f1#3sX>sL8GV?$l(a*xtXgXQN_ zizs=Vx>Waux0Fgfy8a@QW>GS&+1gPoZX?{$uL~f@uMmM3`gpfP3VX1+oe#Ur)HPZ8#flG!!6%W3YCYRxS;h(kX82R~Rj66eHNDzA3tH}x zt@LQ;yKRBd|LE^maCAJrzW#1-M7-<}x$j!zc2(3i-eTN(3xSA``#TYg?SCT8a&k6B ze~-RLzmcbp@)z^8nF$q&)FqXtGhS!1qOz4e3Z_~1a(Nj3c2(=M%f77JI_U6QO(kcx zdRL>b_Ybq^jD@NjKfPFyv8vKt71Lr%^T&6sT54adMFw|0D005Gd~f~uE6n%N2fFCM z0t~_66gw7;h;!8BG3y&#f?5KdZ%{5bhu2w8u4wZ}br#VIv8IN<6ZxRM8v2!Jy@|Ye za<*(!kN~lor|4`di6B}>tyx&b8qf=q&T`{cqWIGYJ5i*ndL+w)p+HRYPR6V>?i8^2 z;W1xamN{PeAbWo$vfSLyKVK~Q4jIujOdT@AmlWbzKh(~H=YTZCa zA3a$)AStBJ)cs}IcLvQ-K>FG1w2mMN-mCbf4}n5>`{B2~Wz=sZ-r}?nuJt)1VTOqP zYLP9AbpmPl$1g_+q2Sk6`cBXFrx+Mb;0hwr#m8Vn0?Q}@uZ+5Vel-4K>*YR_k26=nOuKEJ?%jp%0tjG%T zc~ofY;~$(hGnnSNdbj^U0b{L`fl^jM5`v@0I)O{7qk%r4+G#ppm}cl2L>IgpnQFa_ zRg_C6phPsFzs-}2ZR%bFh=kPX7UkWA{(CZ0DA_0F=R_LKtNUNYUu&?)TI7m&X+DMW zCinmS0rL+hy4If!63(TZYwxrF?(QkPSR-_t@0R?lv8}DGI8N5WXX$<@ztZ5^YK;*5 zg>v;nT!kgAJvC*~V$5&Q<00%i-Y2rZsx`E|pSIyrbN0s%IEwRFJFKE#3f~Tixr&UC zH1FV@G!aSv%om}rb)>LvN!8@Ab2VftAERr=Wkf%}Rq+*{c%BX^Ehf%8LEd7+4GCpn zxN`ggP2G#e0CA15AN{QmK?0d8v6oDLpg^D)0+3w*-$gV1<}g%$wX)LYFXVEd>@?ES(w?sp@j5?v`oxgR@*tgA4w^2lrc?^KKHZ97Ty?3Rbf zY}>k^KtszoTArw=DDqKfrwbrJN4`EGt+ zjA8j=n%j1Q)kbt0L~qXS_QL0wBHHVCj+r?MsW9Dw+?t^>k7AVFetNljZQYs{6uPo# zQNeiANlCnxUHu4#F4 zYs!CO^rt$}@m+@)9ai~v$81ZCWrN*PP*Y>ow}KR`szadJ9tQl)F$-k+Ax z2W}2VR7);Y$Bt)lMzB}(_se;UIy0BCu{0>M&Pl&_CLoy)Lg0;yGK{uMfCrSyn3#D$ z080U{pLq;QruTw2b5kOCMG{ev&+D;&pwS_4I%-g+8KRvYn%^p!NMfPCBxU@8r{OX& zwHirv2?&1tGl<*ChgtTooV4wq%noZfFPq8w{TqU<>fMZ{$2^L@yg+blt#GyQxzn`# zHRb}QU3{->v6w4-uHDxXXvH|1HH8&^m}^TL^xS@tny%rKQMty<+lIy4OE!&2h=F&7 zsYR+G-#5GVpuI}%y87>5e6jJ)os^Tf%j=G^?DKGC-IZM*tw)AxG!O=846xuC-n}O0 zsDxq)2ckrj=V_Amv~TGhH*Y|-Hu^b|mGI|-hzebPH^s3v@Ckvj+nvz!*)RjE%cfkN z8L4O&QSlra+wiqo`w6+K2+j2s2(Iy8X{xsGGB*;>7e#P2D2kd| zB$EEDW8e!hRk20x$(Y6t<142|2Wd***LAX;G*;jA+jsi4`#UEtiZIhtn;!a=CB`mo zFP1vPGYI~uQ)PnOcxy~sFeC!zjSdTO&a5Ruhb3+CuZp3=@J)3grGi~A{s31iUy3K8 
zW$h+Q`|1t(852u&Viz+cH#xaWrH);H82QfV@$ol*``$Q5hPh48VlQtmG7>}eQ;vW3 zmsxN@Fjby-SWs_^i4{n9iEO`RXGodu{6SfiyVB=tJZ%MpH6!_`=1Ysvl$^VQ+K5?f zXahOmrGc>8;)HlX`g3h5#7I~l9n_R0by8=Gu_T!>07*O`^1LKdR6p_IU4TDecx*#{ zBaO+Zh#O?tJ%IqCnx{`Q83iUA{I2VYJ`q%^RcuPmmps{MR7J@i=El0}8_)mtViyYa zLG{n2Y?#2kJi{DFlm27y`=1ryPGrU?VxvYombjmvp6_q}x(FAwjLEKiX-F%)Hs--M`6UVNVGAve{X@*Ri31=oM>J~bbyp~JNK zthCvkGabWAuY5!MrjcG}cp=f7myrxGH2#v#YF*0fQJ{b-`S|3Um+27e;4@ood!pJ&JU-cUpmw%h2w#i)@HgOWvZ)je5ENWm3*oY@Z*t3)UiFF zQl-hXftH$aIA&#YM1E1UYNo>t@@3(5!KWVgz~B%W-k`DT)^}Gb$~ugjHsL_~x9GdE zlr;TOa71Wiut)gW>Ix9m%K+VHwEV%sn;7&ByTLR@UR1o}>R2P8I#Ihnpmjl2imqX% zTFdN@rkq9A<55tr_kVR=U6*ndMJ#BnOjmW7Rt#tQ!~2p&slknhu{MDBL8{}^6AB~? z&1M^V`j?OsnBJbn5A}8Kwvj|aKq`;dP?`iV$@eWU1mf;XqfE2a9nOnho#k?bxkt7Nezj%=)f`URgDFb6w5WF@T6WiW2TdgL9 z_OG8=r34p(MIiw@J4Oo%4Al*`5Wx#u&G=^zBOLs@iRo8Ag`g)wo2{^#&hyD~n=2&#P>bV6 zKZT-f1nli5Db!dwN+{Oubu^4}Wy38qyQXz#>p8-+Z!_kqTHI#Dvj0`(g?9xwC~<=b z@g0YUv7Bv(dW(x$N~e8;ROojXn-{TE5Csp9s~x1YBv4H2fG7+hKkeL8KiYH2i@@T)U+8wo@my=CK;Riv4$ApHVq)Z#Z~3 znjF28&hv@ zeZ&;cG;vsXxKX)p(-9Q6Q1{m(sdiLCR{%1`r%J&cli#nE_M3 zqGXMlEVwf+#}=$n7Kv_9bLC97VDnO;H?x&=q-}*8SZ9Oqfkh{ zHSA2G{3{mB-DKVlibF3vbEw(|?5mdd5Hivy^v$dbG2gPy%vwqncceAt!V zhQkirRZiQW&PwrqPVwnjnBE>=MLZ=%Ai{Vpi{~>>WPb`05~Tm_(~y^B~m96${^ek>%x(u*IA#@C9uMIn~_+V zNL-kb(Lu!?vWt*_-A$=o$=5=zDH~ctWU{y+;H%*K&t`6)kULq!V&orI35eSbH-ejR zf5P=vPkbje?Xa6~00IVVp`4C z>GQq~q7A9J84|d+9TI~SXZ);l!2147za$;@Phx=blR1Ajarl2KanWwScxur!-o%HV zZ~Jvolkw_>fN^iZzo2{pH@BDfLFS|%c>vRNMg>J-WGnaR$8n}VJv)bozjwprS4%`o z`_=e;gY+J*RB~Il4Et%T)N(}jl-|q{4^mep12%D3;Und6t!?DK*todzI0t6f3v6*K zZZGRH@G<=EiDT&t@LhYvH36Pjhl2091^{#Q3IWqW0hhO->=a>(5;_Q&DRssbx!8V+ zqUH3PDp4g|DAm)R14EkC&1mnBA77>|FnTg9zGYjrPv|$>=|NAk?RCwO3!^1xmIC(16lVw>82_? 
zj89&cx{1RB0XgT$u$&wUzb7=_lKhuFw?BUce1zNKxbI<4OecHah`l}kFWQe+4_r}c zA51W}07?t2!8_;5#I20SnAGLJ2P&~oI7nwXZe1SWm~hkV*TM}VJ-6xPQzpn?Z`W@N zv=&bf+9(6|^aXG^t2Vlnbie;A0!k2Bzo@^uB}(t~i@grM8aA&l^`y+Zsg6ouQg zy2}^)p0M%J_GL~&Ep)J!xu27@?4;_^;uWvkV}bvU4!=ciXpzBP$H%)ZlYRhByjw4U z6h$;`lj}*|vi3`(rxWDc@&_H_4TcidHwZ^~WEo$e#5hlT+~Tm(jLV;ALTH?sjAi=f<vM{OqqO;Z7eG$ur$XO*S8w#FT z58OMZvGYH_OLSM=tVJGFOz#n5`p1AkE#^b)bQmy*oOoXmr+!CIjaVsm+gY3B-%#`p z8-{S5nUA`KxDiIIruJ@IMw#3{_aAHMc15Zdvw7n?_d>YPMFxdG9I`hV09Jm}0ydN9 zx6-|;@#L5n$Hp(CSEG>dz3ky^n!o{LB};g5XNegBrt3{W0Nu|k zgn~Zezy=$2Wx~r&3$!UdanbDcHa8{2himTF0Zjf2ypE5*5Zjb)z^0GsL@Yy!*r!5Dm}5r3Vt9N^EA2|Hy|E(BfOFt zsFgil$5H*SUdzkL-QL|5qwh4+z9WPV_CgZh;&wbpH;*w5kT{O{Tu@D*FUCog1t9T0 zq{2rXuh5y7;i1De=bm9N1#lK}zcnLyEItM|pddnVAt?g9OuZqOKYdIjpOD0#D(z}g zxT+G(UGTkjmLcwPPxlduz z;FFana{-~!ZO#CPZgQ9*kqXVPy5F#zO`qF7_?!c+pBB!+n1wkGH8@OV(36Ut+}p1;QfwZY+cF+nXZYlf6zfbC{XajQq);eOTxe!+XKw>tF^Gwv!>P@#*v&S{nVPT0x2kYt~_ ziiyt}?>?d2-w`Wz#Sy0kM+bWaF9CqNrl0yD$ceRU2J>}t^BhWsQoFrAsFAmwO{Hs* z4!r~+|6tcy1tBaEN3Wb_H$uD z9yYkE3VQa}e23CHm%g$p`05TB;M{o=doL^^-g+~^_Q&Wx8Z^}KO6aMQ`JBx;W``;L zehqlGe!#HeuIn%vJV`@IJ9Bt>JMbh3Pj^Gz41k>rHqHJ=7^@;O4@Znfwam5L7FoV{ z@K=gWfpK*?3SxB7htZo)^3QOA28(cHOcmkVk5P90HArMwXx*-*pL+emQk_9HfKheQ z$?LgLL0NR6AB}!Lcze147$x#54+AxCgF%GNTJ=op0jw~|UIiw;HVrH?D{_wzwXp?+ zcuGRYMu+q}>Buc9>1y>=!(6My53Qo}y5w~`S#~#*ig9mWo>16$J9YKfpye`Yy;Y=32{_wDto(e#>8mB zB(t9xNr|pK`n5-rq`eA{&I)%JD;zsxd!22uy)m^#FPu_ul zCE+7&X#JE#EwI8Kb+Xx-VYCHOOLYEW6F)cxH$C6vov%HlT|nU(o9uQ5@1BT6ZJinD zGEWG#{#$&|=@-(F$PBiZ#0g#BC0`d9zf{a26&7Re4g&)<7rz=wd%h}qDXG3-Ti1(G zMqt04=t{#g#j%%Kl-{L`a^}dx&`wQZ8HS_a#%+q1^v+&$?J4-y^MISP z@~Nn_yJMQ?*M!>qIw^uv%IaidD8>^hvJH+R`5{HxY|MvG=hb)idL@DcmLvZe zg?r57jT)y%+yNEwg?2*M*JNqyX#T(BU+GjN-k@|^;BjQQ{6tGPO^9|M^Xrd7GT6A` zQ*{|Tu!Cn`w8r;(km%-TvA0_VNzDl}Bhcy@D3P_v8#5NHaf|_5{X*QaT_*H93ZNk2 zxpvo^0i_%YEkF8|KL!zKt~Y)GGz!%TZ}hXviDlttT3= zW5tdP_2TQXUW_Z)*|{U^(be{>J?T7p*qd=W2hgpS+slcFMl)<@X2MV0K|u9U@{sad z%k>H80WGXQK>ZPKn1yT;MDD$8SIUTJ#|~@K`z+JpXhXc|O6RlFAwV%K3Rlo8*R9@e 
z-+pWxv=39C!G<>|Z<^3=to-_#*tc z2VXU)mQ9{ig6~{L*$JVdEzKvrA+pjB-nm)tSm3=n=+)O7sdTzhY-Cm0rveLU`rt8X z_|A}}Q-e#-3trh!>9uGpIWTQuYJJTtdfS6*nnvQJs~m;TWj=?E`p-<}-u)KVpnjvA z5U*tM^TlNf-9`E3nVh=$uzn*z@LrjJZBnyV?MktioOCHOnsZXp$uaRMRb~V%H);Kr zuSCs6BT9?fA)yCd+N?XY@>vi28F|Rc0F^2icN{kPcQ60j*pvEe4;Rzbi#-YWltRBN z7LGP!~4nI%0yK~Ta z72o8rf76%3LL{d7C`n+}8E^$d$@}lZZumys>rv9&qD?A4KlYGLlV4zxDQM%@YRvwg zJ4rjT`aW|8I(~(2G%u^bK9gw=o7Ff+_p0^!d_Il^UBrFJun0sC+z(ID`Gz2xVpB_3*maDNrsp=OAkQGYo4wxC??;>9&W)Dm;w!fuK`@ZktMcsO zG=9tPv~Ve_uqV0O`n(Ra;ib(TXt~*4zC8fH19@D`2k0EqRwLKhu(7Vkwnbd(E%^F< zrORR`|A#_8&K|%0)89|=sejE(2$x!%fTUSfk7dO_34_*?9kOS-;J2g#io|C?xJ{f% zPkF8GO;FlsLaAKk?gEybH|Td>Zr}AMdDPi;zOKHw8pF;bpz6T2kgfY ziX#s~gXPtO8w)@cNR_Ymt*x}hY8p4& zrQ<8KHEqo{3<5c+0}+uwq6Ec2Hm@T?stM5kT81(J$S!S#a2|xdrPba2fp@G5Fz*7T ziUPS2|NAwX4riwQpt0tu}AcAy+a6D6Y59IwIiIg#z+x?aWh^CDQ=Ay}_D zbOu84)>J2??yFn9kxj4*0;>}IJSs);R<(3)K7DgBEu@gZRF?OL_CZTncVYTBtAlI0 zLCBwRx|hDETJ)O)(}aCcCqWyZMl|dT{^3l_6_olzE zi3)g}iV{+=JxOBQxAM?*lvZ7oINQs`(CJ@kNAS9mEVmQiU3HK$P%8FtpEDgQ2^LO} zNYlN@g}Zgz_9v%{a!mKhHzxwWCXMHB*kU#)+$vK$#CzA((s_KMkxr<|FLVlmfmRB7 zsc%zdIkD>UEA8_leu%njJG0uJxZ}s~oViD>REB!ED?k9Ww!IkU5)#@^;VicEKjg0S z5&|Eb=wx9F)wIn=%Q-&ImL7d(I2pj|;XTdgQLI^Ok_@OgWlq28qM)Ft zaquU{l8ahS@ACC)dpb)FtuY3Z2e$yZ(EA-OO|~atK0l|MrO<%yTN#>oU17pln3%1h zaBgQHtQ(@`8%S;2p9x5Z(U8==m9eH&Z{%f;JUl!A1}kbe({r_=%^eTi z?tdE=b2@;^1V=Tzz44zukb)jc@$Xv~n@Nj^)WrxmFaWv5ZosS~1>*TA85^?{ZJ5zx zb61W4w-*c9$Zy?BkF9C7x_x2~_&e7OK$szC$cGmQb*wX~8P{$nL@`^b-$H-ig8Mpq za82ozruN` zb6^{@o=BTYsVlEv?#||ayfTW2+n);Ytf?~rYAu}U;IbByhiB~n=Nq5|69W%SsV>Y{ zZO2L>A95LbT~zM9KYoPUYc@cZ==%Hp;TLyyV8H4{`SWp2m1b1ld2;?cY-qi=QA<^rTdu1s=#a|2Qo%<@dEic0SI0*;v@>$|er4}T=hI|hkyb#uZj_oUi+viq&NcfiaVjc>k}yZiRcc9k2a{GwClsAN!XlRMzv*PZyw(G-!Hy--adB#r{gvr)yQB2W5CC&UJh>39a z=vEU{S2p_n@&^hVV)g4na8xUYP#>2C_gnOfFsqp*pn~aVmEs}z$3Y0WC}=G52}k()mNHPl^_|4c-$?F6`)(|~EW zdjo^~4+)9_?HNX`pUe!&KzfU?g2(I@BMp0J?GL`Rt7kr7Yjujcs8zx9a4nvbYI}TG z&R9~&b>v~{sRoU`(`O2H?8mUdi5-D}AU7?LFp$-o^)}8;LIFb+Z9yVh`BRV9lxD3! 
zzYs$RA`m7;LpcUpb4vTrd;YRruC!`T5|?lu(*?~M({W$1R0G@5bEsK)Pr7z*2)GDW zS0A}ebtt;z3L;&#*sxI8CUqUla->8_y2)s}}ix7yLVW~#3%@c#9&md`+6 zhDjMK9`+W~>V~Fk<5k5PH~hF6iqaMMJE}bjfM}q7$X0i{NyzgMedE;jq6fQ*uhhh+ z+?COvyrMX`@XV@nT#aJkw!741;B~^w2tg+yqT4H5sTrlBKQSM{XRgXs!=KxxduuOs z9HfB>G~JUbt^=uth-E4-8Pq-duSzAL+54+!r%cc2`W)jqd7&aO5dCbCkH0*JBc@u$ zyL9j>1RsRhOXV60QZZyRE2vv^_4&h(+7j6a`&T3HY&Y#+kJ46$H`RB7nsinUth`s;#4kaI>f${i zy)K6eQpfxgveiw-2N+rl{qAlClVab8@}+iF?-cIFYo`Wk`yQR0Z{F8NL>Rh_4QZIX zW0qn6tuFYftH1GPMCtLjFZdeb79hmuWjx5u_$^t8;k9;<%296|ngjoRQSmkT?X0{4 zxnAww{7mrG$1+!#E%?;G`jh=Jdx12k6I3#?2&v7;Xx4#AE^Th_#y(g71}M-yY4}Z0N-*U|2ErBJHFjio%Ac7D&v68LW>QQVUiiLDny$bvdjPWlCH;1* zk8mK&aDaLWQ(t+w9-^#v;&8vLIDChM0v_wURrVY6o{uAY#8(LuKBo7v(brO8y6({IJxU;bV`84?OR z@zZ0j*JMRE3V)YV6yAIlbUMQ^)Z$#t&-+>6@j~67K#hXi*`C>}X{4ls01f9K@T)kS zy`}%1{xo|TUn-$IH!}dN!RG^5uGqT2>hb=avC-LdnE*Tu-JZfs@jSr)%cCAc88H~P zdk5qbaH1AfvjiEV6107qqe>4{JQLDtfiQ!&k+NrQRhV7rzXpCU6q#06*IryVQz?C-s6J6i>AKC})8(x5Ldr}@&pFF3|kA0t{PcDP~Rk}vC&dfy*BmGs@ zafWIjdhoYys{Yw~wLxACX~TF^$@e$LpXn}OsDU=MaWz0}tn=Qoh1mh`*3IAlP=DCa zI`|?WFb0g_nES~P}WvGp1@~C%Y^<GPL_UDEYa&zpYKIWUMde&JG%}GDrFwAz#3vWx6m+31(G?%0tZ_7JPQB zS0fi16jql8?5X)nQ+V9vL6HQ&qVCR;L;(Ah1S*A1ON~;03%R}UAgVIyvDGN|*vtPS ztLrje8?UlaUWjLPxNjYSVAx?`d*R}xN8gRKPX64}rxV!6rLaLuvMr(qZ-*+7)t_mp zdTNJrQ2gfTXZsFxP1%WBw0v~`!!VvZZBFae^=Sa9>nPC&!NP53f3{V-90wnlDx}w$qHFkiw^pZ&&ZnAv~-DSb|#>Kb~Y^JH27uu6p5i;PQpmR_Z| zJw;i(EIcmn*WZ7!1la3(+)*xO#+bFsj84S%7co9G;ajx#a>xMQ_HYf z|NP&?P^mPo1Z*0#c>+|9(Xf2OL~kZXuhP1e?gCIO_H(ocZ{@v4hETvn<$x;B3~_#S z^grzG#BGZjxTd!h4j3tc8U5*-c7Qoz?`Z%V0@DI1!*)6ct8c~vEIn==ML++njFLRZRp#=LF8yh0O%CyZQGy7jy+I zN_D?QP9q2`7yQ%R-vSjvux2!|18bC75G8iwla*}^Y>*!94U~PS*2?CD?+l>w> zaIqXxChO{Ccx{AZ-+L;l@h(Pe@~)5w0V%7O>6v_%?>!JZ6kp)Ro@fV}Eg+B?3~V11 zF1tnnIF(Rn<^8_PBVabpW5wi<@0+TY=pN3!B4F4u@9+q@W+1tt{ zijOCo0^f2Lt(2Zxnrmj*m@^TZFRbw6DViT6)Z@0zQna5+FO<#>WaU#7_m)b8Sys<- zQ_Y)Rl<*a-VInQkoqSvCcF+jbRlG-EWX8?K$VNhlL&Ur7HNST)KQN5IRsL?LfiM2& zAATL!c~sE6ESVARz`_r?)SZ0y>W^O(#S=& zsRX*ru*4{DTr-O9OsNQB>~f>gsEdIjg^0r{(u 
zpPNjs=fw)a!mMiLnjwAK=Xo<$7K<=No&}*RS=}Lyh24ZN6Nufrn)BeI*9Y>b`|TPH z8n(sRo)117;jUTTs#J8_-Xx{6fQd{BfU3-DH>j3_W9QB(qr68!Z&+(%jC4@7ts_SE zSSzx<9jB@RBZ|m1wFxG#M~w06F)q|J!Lgq%=)mU+7lOBr$P&1~%~Vce*hXP6Y@Qno zA>!$wBeBoEqpA8tRNbw(MlEH*y-l8G^zJ9mT&w~=QSw)b$+;Sb&_t=6Ns4Lr%`@bp z)7LYKAN-Ply=TsJo6-83{G6{;#7=h@A*mzg)!WS9pZzSS>wYpr4x%Re@jgQW;ZE{5 zoT7>{O#z>=T+mDH?vF)Qdy+X)l0$LiIfn=Xcz-9F?KJ);Ziv{;2mDNqj2d=#nXzR) zWtM2{lnK>+PK_Z6Dx1yA$})@y;r}=fvg(q_0pZNKZaX-35N zT-*y!d7%Cm3gt~(ithLcst+S|qX7Ga|F-AU!{MvGAZj&`yx~9rd?OZavneTuc#`&` zz-k}9a;8FuMa}j1d1vWvt*MZ+`UI1wKb2jNV@U=~59koH-D=ic5)MY-y$a+#xsnx2 zTl#W|`C*}J(J=gH%bls(g35OI$Q`du1ifwqw{<2BB*=;kva}W~p^>S{j=EWmEmA>sc6O(o^9Zt)l7J9dWZVuBVdDFuSYx;52rYWny&9gxu5>@Y3%RumH z+TH+wC;W6h7_0rskpefeV8~wyrFVD5lWV3&GUC2#T^$)!uZBj=!h-R(6fKGSh+P4*D9%(Jf6ah9qjt32^kXI?+Pacy;B?} z6trzB0OPw6`wNkV|xhreu&)(`4V~FN?1os znM8Us7Ny;J07``%`$%EYEdv&oidJ{f6G-}1bSw>e)lA5bDscmn<{ELBF6V?O_#8w-EupxrafcWU zoCK5ASL-jlHe_^+f0TO8>H+H44}!8}Z~X);ZIi2K3pmpZaRHD01CD0I@LDnYsbsx4 zAL#T`2TgSK1`Y+wc3y6J<@9HJA+}dzRTKF|uAWH_rbmeHE_f}m-v3U2TE%kg=R(Xvu%6i54!%3a? 
zlb4cy0UN}0ow;12F=h19;l{PA%j9b^oiKfnCA&+IS6rKXwcgNsA)7R1-X8o{J0yJG z(-wHnkaA_tjDh=i8wmgD>g9jALyFqz;H*Wim)w|62$|$V9W%QoppSUA|BJh?42!C5 z+ZE|9>5vpD>5yhh#d)3=8q%RCs%&^JtIkU7o`nWz*UofKGYVgfeXl-%Duj4f}`e&>aCpLh-#%`wyG6fE@(?Y)^r~>>8A4{3A zj_u>iHx{Q(!E0kDSH?xdEbkefmQxz=)}K1*14}^SzVYP!m2$xJn#7h}4*J~>M8Ws8v^AlGM>)))>)Jb@p?&o1(`N9A5i+`D` z|HqG&AJ{M6ZC?CD>UIP1YJP7+zWz=Qe-ji~;m_?gB)}h4%`vzd2e7mUaI-|VFtS9L z@1w4ftG~m>;eae6cR+@(VT@#X-URJ?odC;0nVa?xFwhZn7wT<+I(L ze#xOteY9XIKOjPQ>C&7O$8?q^nA$mDO68i}1^!M{9=4>K9|TRT+M zE&czw6JZ7qoH7!B9&vA>nzD*fSr*_SJ&%8iRl_D|G7LaoBhUdUf|ibF6VcvnTlLMm ztb;?w_^ma1%jHyhpz8xR&I~QoMYNBRFPC#Xid$~bMPzpCTEUTzKTnCAb-t+Lx%d^S zb#)=uWHoUoLm72#mK_qL_q(44HEh^5J+iaRdaJoh1LVr}!=YY3=IT+pTePFLwYbN$C;b)^gg)az;0 zyAG8rMf?;Qe(;FEdn2Lrg#;?2^R`|#a4ikqnKd~z#UAneIT~jw+QU#(6W|XLEsGZL zt}ng;j}EwoCapU|2J@WKF-GMqo88mhstZ%3gQO1!KL?fmD9H*WKX z0&H)h7;O3;)vnuh0IQ>shq5upVQQk_)al@% zrDIrj&X|~P1Z7+B^GX4#;FU-*f24i_>81*(8bq z+>ku^{sPMpliUd*jIJnq9E*nJdI*FDb8=G>Ivd{G)XS2^>;{piEiH(@y1Y@sW4|~* z&n+UC0<%TdWeCkcfsGt9V#0#m#}Ri#sj*z<*Kuc+tIlm>Qdmj8-cW%`C@m?SmWJ4H z9C6GU^Z2(Dsf3B@^i-+-c`D_ud2gIOgIcZq;Rz9rs})p1xx>Q33Jd+Ng@{haf$bM%??SFC;BY9v6KFo+^t(0) z&#|o>8UQ%kr;uBISlb`qVF~RZ`{kCDbi6y&1DaVK;;gpHI+tm~kV_9w-$V=d5E8c(!pN~FLg zDalZ(qxtLdN{Bsg#c}6t%L~v1uE$9CRcpZMZkN!3jKf(6y5Z}LiNAc{tpMlVMpRim zn2Fc~f%p#>XVM3QFNhQO0qCOwht&t|&u`O6MkG>p?}gbuJrky2Z4>^2Nk*Rgone*@ zFUyM(^~@6ym}SSSchfs>)Ri)Wrjr%NG3tqed@~SWO{`fWAzYn5lZ{B7@RZ#hoirhln(On z3u$vzFC9|pt~$+gE=)fgY#}Avf*V%8CN=ro%OA(x*2`?k9quG25|})L?&qi1vpOJY zf0#tiCR3)(csL-TnTV9p>rP7r@A1A$ksV8Mr-YzUCCwYEkVm(q&~$HI>y^A-iS|{g zQ0hW6qpG(mA7_7BR+rA9HTzo5%$R3hx#rkeVKRNMGQzhqb+4HzRshCOuZl&EV6Eb= z{Wb;{5`!`C1RM6=*)2$5qsucFpUa3`gH}yKynU*UmT89wUc~vdnWRz~C1K@$durSO z(RkQLD-2UzzEz<7yEey?w<=28CW^zZ+--d~dM+9Hr_uK_5l7!YTG$`HS>K$!H>aB7 zzO!1EW^#bsesppBSUo8Wid{8ZT}e}0gfB`YAjLcMfiN3t>d3+MTU1As%HKQO9;qWa z(E>(0bp)O^MdxF)15S6VElav!SxRS8Vr#Tc@;qM!w@I zeoV#ediBViad#S8!@ICquMY;}5Ao#d)AOeAXX~oXQw+C?DFi&>?4RPg`ne>yCg(la 
zd`GhE7fA~X3x8~k?CkIR4877dsi!0gx|&|1_}q!(zn7J>G&7g7jKGn|U8jmJvtkZfI9OxGsz`zooU33CGbt{l2oQor)W`qlCIATxYzOsjSSdtBu>!aF>Q^;fxvhlfi`=9fDq z6&Z*Fz!34)xIQMPFgQQUXS)2r-iFg0$Z8N~pA+GL{2V+f?6xGuSA{ht2wU%L>r1qHZ}4_H^^`9duQwts9$IXhHTXw~9o4B_ zv)|woay>5k0?<7mKJJ!1xtHYyIH6~1HpL?*$-(%o7cYjdd3l~6KtgL*mDmrj-AE^x zfk@XX3fmKrrP~8T=GD|_T@xV~?RlSF%eI}hZ||vIW&L_Qe?tB6+qLrp)u;>G9uAb) zQma7i%fwfNZNBf&NOkE|D}jTW^JuyYZuMEU z_~XZqi$}$i6Yz-F*Owukms*3k6Hd6}{v6XMZ3NckwNP&8^>4J`-)~YWH7b=vG^=6O zNC1*Z{e24fK00#Md$|sgQ2g@0*CZWjlh=RW+Im_{gN2QK;<~euftWb#ynWDgjmyd4 z#Sb!hNe{~U>x#$Z>M6-C{@gcdLiZ&xwb_97km*^9z_))cmKA9x5JY9)gkA$x6StK@ zD1QER(EH^pjv}tfUN|;3_EgP!K)f!NFpT)}3_Th&T-Bf~28wSzyF@rGyraE29$%2PO!EDw2b=l(p1_|HCVVHv*lv-p&9y!4_0E1|IE%!Z zv>vN}{vbNsX|MGw3F^orTY(q03noZO2a)@I@_rf;niycmP}1Py#*c{wK` z0=zMZlbpsdE$ALH(Y^csd=N3>&-NZ<@K;vyQvGPcNpv~3UqV%YV;4Rdl9l1LNyrTR zITBs;ZA&C;+bH;-k5dZt!zW`TG61R60SIvcD1hbc=gyn_ z=)o)^k@FVxFBh*-oKTRlUD?g6OUhmrUB!;q5Qb?~XBxhwe&W5E2`OgJ@?rx+kn~8X z>dxU9yk7hB$T@($f{nlwFgb&RW${i~RkFO204L9)<^03-*@t$3Ykfq)jD}iLTlRZ_ z@5RN%%fx<+!y|0SOO4zX5-ubBe_OO|9m<-w0u?C0y5_kDoE#Uo;N3Y=L44~TNsF>i zV3%|P)&w_AlHG&+Rr~f|BjZaHqgG-7Q`!t1jJ8E8UcaOF-2vCcb8=160?&T-KW!3p z6phB_)7P*5K(M6exHV?&!IA7f9kBg#q-JJ{0=oBVCG`_$nfpRAodnfXt>fMKPIfU1MO94 zP2Xpfd9G1XXP;AU`_YZz99}g|#yz|}yxXXuaWAZ2E1nyytVvl@STq!1w*5ChkP6Il z@6SC0o@+qBT(zs;Mj`Bbu$e^LDiz=Eh2^kIj4&3xKOdLAFY?}Z*`vKVGmBiHE?|pL zy$VrM@#rMkpOK5snf2_nFj{)!FlM zLuN2&73ww#(JNKm>Ts+STJG)?JeT24VQ3nV6pga~vM8ac>N7}g?`7{jUvkG@8Vpbn zVfOd!?G!;{3t0UUKse(EcUbl5zG?R!2@VK&mF{Z(dx`jakfS|!=hpSfr^1h&PqR4? 
zSW)wF7!QEpC2TD1*6J?Y(7}3dXOu%vZr5S zaFAU?(KN!1DJDA1$Sc# zG+={Hh`7^HIHNY|T1qc+uqT5w|e#@(cu5fm_W&0c{KS3EORRZz4C3&M&Xe+f%Yp$co z2Y9gviMs)?-TQNa0h;_6+31YDq2~SQaxNQN)mdVj7AG8$L34{ z^6?G$FG_s!48U~3axsz(#&0RY;}ub%^r=s9d850}-fSpeubiOqKCA~v1g2`(@Jbu* z`O%KwJE;OF;$V0LQ~Vu#!&mY*CdvRU7qlKmqvC#}n(f zbr>zb^v>*T|gf$s8hfTYwRUU%H9ZlOz1L#w~wJ#Dy$U?$486Ks<1kfp~ z9;?x~7Bk1TQ6nka#^Td~A#P4ZlqDh|kA5O^9QI*F2}>;X0XF*Q-fgGDC4Q;;Q<;I@ z`WceBfJW|Y5;YrVqLJNVmyuQluorCGBYS#!78e(RRPOnPPawrGAbQ79e+!i?k#@a0 z`bH`HZl11`Lowfo71GP(Dr`Jnub6@*cEq4qWcy|AAwG__aHO`f(J5Q+>?D_L^`ANgGiH;JPrd8RGbvE|)swC}wgQt2 zB1H{(juGCNVSTJiWEHTu@dtrBEvw`0MsUw*4@N)7eIPw+izTS!{;j&Ydh3nVYqTv< zCoC+iV+q_CH0&YC7h4tS_Ej7@sr;3$LGwj-G7$^arLu8OoY_#VXOdfid-HU<+;}3e zKvQfhg>wgXX#HIW-AXKaw*c+m5Trtqjcfa#~14W4)O5(OH!a}o%pn{oLsDi^CBc+r~ z#ND*lW&1IgKmifctw#aRv0^2xc% zXWbu>sM2n@{VUp&-`#xWS(l~fMOQu+3=#oV8o~f`<)klB`$%AiVgH%C#&sV}oS(P7 zM^qc34z4E3T*^_+Gj*f>J z03_{rU$BAswgl2hNl5_?)GQMQj$sM0>w656>>?94kdBf-AaZiAAR%6bu8^s+ zFkzvJbS|-~*V{|9P2hoh0+uLE)4t@_KaPuw7X6VVoE@cZ(oR$kN350WG-s|w5!;^h z7^FIM<%|Z19FjHZ4*hWLp)xv&*J2<2axp<$3)#|35P#Q_g_sd=HhFEr_NKTp!HK!y zwj;q7cNC9*f*q+@ex@tF-JX;=u9Qk1lw%Ywba|0Y2R-aS7?wjqaEaDKGYgTU?~ z;!|+^O3@PuFYZG=F9C5TS|&O|5tw-Ei5^2pdNJdOHi;v8au%Y0$0BzM(Lmya^i6Fu zm2sc$@=dUtF5-6NOzf(Sz^jkVC6}w$bVa5cUL_UZMNliS>o1f4-m{o_cJ!^YdFxIl zvna3STstcn7vce&1#@jO%MkWct&hP|Em`<8Ba02v7sp!%uP69%7 z6N%O*!XJ<1iyY|Tx{VsUbkSiIU2dj15GdnKP@^YFQ#cyUnZv%I%&0Wz*~!Vtr>pE& zDfLiOWg^CLx0gUXq431*B?pPdL?0+&luQ3Zg z=(}G!7Gp*bL^k1X&mg=5fO5Z2YR;}**H%bpp}G`LR@!XTz3vTH0D~Hw_6$Gbj_g_q z1UaG->8}$%=6pn41-~;MzgG=Vl|PR_L==W3p`TsCBWnXUgI(HoQlN0&KVG%IvF%>_ zaoejB|3#k9lk!gye*)FO@j9eg=;ra~uvj0Ss{^`4K=^R(=e^F$S=jXMF_s16V%zB@ zIK9dGaI2o3C!j1fNx2FFl(A5G@7Jc%K0c2k=&L)g}oTQg*O%;haTJa+^z z+?PM)&$2H8M{Ikd>rv-M&}C1s@sn>q>Q1ib&NXF%$CU8UqGlw|{nYO*Y_UtKMTu}O z$^O9fk>XBKZ^p%QDbl5NTkskFokr#+@c5rc3RyNS0|p|Zr&=_HiW^+C5F?bqqJ#uFcJH+=xDUvNbEF^wjPIm-ftfUjmTn<)gWf6Yq!Uubf zH@t)gvz=o~2o_*~@#&sX?S~HO`bHxoJkmdlO<%J9MRU7}V;$5~=K6ep=#Bfei!Y!z 
zo=G2e0j9~ubcY&2G~xcUeAG$3YL`@!fmlB|lQDgER`MIUF9B$x2Bc&mAfS@vfc);S zg3(3*QH?_RgXAMEO28pzLw}6@57;gX<=x&m5!mVI=r5_T1S6FD(D!(l!tIkJ}qFm--@l8X?X{69`LVuZH5;ZYSM z4NdJU86FTSP$evDgw6;5n6P+w^4IT<7?JS(n7dT{I3F7Dy7eIOdf};}7oepFgp%l5 zgIwe=;N300@x%fyZP9}MJbd+2dUf?ZqwT%D{ry+=!aGd;C3a_tuh%-gNp%S;0!LaX z9FX~{?t7Ft%*9dmIVI4-rV59ySVE&Eku`&KsB0{)BbV?_>c|`_b_-hMfE3=ri?-LW zew+WLVjBlU+RV_#;c5h?r*D$P{jPFssw-ZMfw)Gq)7K6ga}92g(Dr51T!3igL%-P~ zeUX)FI=>U2aYq29VpHOGJgnvcA2t0%IGv_W`HDyy?6X7$Zn90EXjY<)v>4hG+HH69 zZg2KNImh7Kge5tH5MWV;+ndEhZ%c|46Se+0=mnHed6-XNOx+KavGZx-a9kfA)Qdj!3vuS=ah>e)dqV}`rjoZ$yyX%Ut zHpeXu!{eC{%`K?&I~Ju)vod55yS%J|>zuneE- zbk5BduSX6soO8axyWF``^q4OVNx%H^lyf5RaGTjpEX>|T&#}#Y<^whOA@g%6YqjlS znX!{uKW?Z1{jH_b0m`8RN7TTm=rV)*+;pd)!<;A3ax~vn8>SsCXm5N@`T$BuyHtTz zB|W6Z?k6nD99B!kt!TaDe$?M`7dzXpHRe;h04$+HQxz?3NrZ+w%Zr&!2*&$uCHK5s zEdpd2UR*HSHMK%vAF2d-AtV8VM4{ zt2!2Ylg7wI&Xq}OSY~1gw6Nj#$qf~4{Ak{Dc}s0#$7LBPdIG&0I|AG9 z^H{Y;9Ed}Y!C^oB;}=g_;8@G8;=O^umS zFbz=$WS5R#39%aSTplk-kbtDToG?J2J0p{5tG%?ea(SJ;?3yh{3+{};zEow1giohr z3^C~@O(FVDS@Dn!pf5mJiZ=Rhqs@g6s?Ci38t*11HL0gU6}mpTAnApnuyx%UJ}&>o zKDsm{hJ}{{l2f5xGtcsofA=SUk<8dXzZEI!zZD`2-%bf+<)j&#o3+4sK6XQ7?#50*!kVB-W|#vqLazQ3L>Ts_@j`;46e|Lx zyfFBPxNql2PXgvO`|Zgx&O-97M|5$`^G&rgP~LB-!2sJcNF;?*qWDj!pCDCdO+3n= zg)~k@6W$I(NskD7iJTJt{o2=nE2UJ53Y70zY1UI(VJi&XNAk1xZ`fF?ExCvDXe5|eeLOI__YC4P;Qg?M%vZO}j# zXUuTQo6mRKs6crX10Kq2tuO;EA5Z}kQp{Wi?k3s-m*9)u5LM)d2sJKvX68o9_Jil8qt5lpOUX zNea<$74Dy3s9|p)|9lxpn4{f!a znomGMDt-eY5e_~pf@y=17%Ol`cF;PC@{Kk2_|=w*`vTz7A~yb}5|*jgZQ%lsj6^sh zaRIl}64&(;9=yIMW>c@J z@33iYX6i?zUgM*Az_@gOMcL@^NA6T?^zt+NK}L(XiY_d0GEDW72W9EwLjUy`|2qcE z>(>y_OR@S_tH!tfX%f)c6)MN$yr#Ojfh46ryr^*)S0k`Fp%wyE2Avx7Ld%+ac_B)Hl-R<)B&14njC2$J^iQQC z_&;YMdt~m`i1jj4K6P>kTVPrEZo@^o^kIy6>RK@A>TENl zD}wi)WNuPEFQ{2J^xY%wV4Qc=i5|VLSalo*hrF3kce!CzAlyTeKR?El?rAZ&lsoq> zac<{UTCg~!5{E$il+CazF%6{ufwGdZ8J>97l7Q01%r4ZFg@JfaUHI`k|8B~05B_xL zw^obKSRS2`snLO#*bVJms1<#EN70_o= zPv*-gyiD&_x)eM&6MM&+BtyqFFBFbgX%R3|8>6n=%pH_6UOtrwhkRQ$ERa4`t;yf~ 
zX`>waSir4?S!%~c*bB@y?Uw-%k~|zzJ|2G2NsM9+#&cqOW_iSf){`=G_L~oeSUh*8 zqIZ}40%GeHyT;lzbx@PpldQ*B+8)%l@FfhDCoYuemt96JU9dMuo{^r>qgOi6Kz`>zO%=?3bpPVlt3tt0YzMTnazmSp_rVQ)iW8fLl^kJVy6(IU$0QDk``w zYTdLoi-eQ(PJXrAq+`NW5AbE8XLbpxlOD!l{mpX|Uo9q*DEFxQuDZu5x*BxdfTf}V z4$+@|4?$a;L%hXpWf}A?)CtH*KO+8Eu*nu#+mgUSuh`2`AndD1(vHLC65kV*-o-=X zl4ofcOXvvIB%Duc4`7pd6xN;5{#iY;B5rde($2w-i`4ZDu$vMO{%mMq$7sCw6TNZW zz+`s1w@keTJA>}w01|^@+rF%~#he|3+psj&L|`&#HOkm%@WAwB0BIM{M{W7_T)!;z zC9Va+hKOkDdk#)q@PtmuK2FzI?d{tit#|He5BC+?Y1P`6I3>$Y;YE zGQaFc;$!qrKMm1~F6!s&-lKGo4S3u!Q583#Jj5lLoACf^&z$^un{>_(F5Ed7V|<^n zqK%~eZgShtUVYyRz9zwsqrvBHJ4o5x=FWBYzA7&OZ-n@l88@S#r@M zp!dn_XB0Q4C4o=brIqZ25!Mt>q}tBk-(_o=s(;VqH5WgqPDUJ=#0Q=^4Z?4!#QhpR zpO&iAyW+z@j8p+*VizPhpUlZc$E+lNE$9MqBq=XY&yhqB{k6V0!kJES0w4+}Zd|T- zPL;OxxoZyA3@f^jmezVkJYIk7y7tZOZM1>*L8JLQFe4xO`HvdSl%qHv`3KY2neGUo zRG~=bUV;LMHCBFEXIv3vVJ;7XzWc(3guExosneD$3&l$0UXtmc(XvQP?A@PFNlY5$Vj4^%3431cYOc?tUnYZCkV8z&? zS6X_29lf>VUQcxAFez8_BuizU>F9gr$^MdYEZ)6+EgOL#nXoG$E*(^)&`Krf>&JCm zq5TQ9_&=S6uc&^VVZBRA?jFxB*!EeC!X%MIzKuov;FkXwmbp!8``aH}I`65S?^Z&l zdBaezg1dnn14QE^P*XBhG}1~fnnsZ+RFPg!&v-Xkv>p$s@`2x$E~*c30As9D!LF<}h}y{~scPD_@F6kX#Is4g zc&#}NK<;sJW@)WAG)eRVyur$Ytb&)6vTr0p%BmIfzxLuo`JayJ{cRR;<<%JDjfP9?EpSs}b(}xe#upQ%(#Y{d#M#57?_uzH*ntwVA=^FPA5PSr%Fb zYIE00wg5ke3QXBCHG-kyr-2nx6;Ohg$gXi8_7pVs!-pf+ZEYmoOnU{YkMu1rYaK56 z2fsVFd*gqEO&?nu)@I`{C{NBP=1bx`N+XqsO>P%w{F+4T^`VgcQ~*p&d6#|Mt~hB; zW?QnX7rs#otr~cH?a}fqp))C14l$>V&!@$ObDi0j#0qcYFcg>uNR!z$q*^)Hp}Lk* z>Anp$Gskl@wP9Z*oZ0CseJig)vv{3opuzWrhsdE#_+1RTv48CeCb|n zlCY|Kh}4bjw>f!?t-HlPNest}&=}@q+6630(LXCS#GmWzjhV@1Suac3R$TPd-gS?& zA}wI2_A;bSnZCjN*aOOkh#(0vCk#JO*5t8+hbm>CsIxax+#c28-rjJYCGVb^CyjA3 zeOV4XpI&s83STc zNZC+#C+C3e(uv8GCjRx9!4rv}4z(6whHY4S9a=t3|?`?bi*YVFx zffjSp>2`iA|MyG6H~j6@!c(oww5GkR=8Yo7eLG_2lgW>VN~cU>L|Yu#rK2Ghzja~& zRAIQ;5{o45-i&{?Y2h2ofXgwd3Ng~$*tv*jlds#@zESrjk8m_Kc5`(lD5IVaQ)-Kv zj9b@nInw{vgAL@!VWgjT)b-jIOzz!am7by8VtBFws;-aWWTkml7BOY-dJq(MLIuWapVH{;;5&}pA~eIN3KoDHIgxZ zi?}B->64ug5yuppQ$aJWvMWOt 
zyx-1-4bK=84>0nHwH@mTQ^&*FZ$+)4-hOSYVJb9X{b#u1pZos($$x}4 z{;Z@V^{%lhG*lepzr!G3Q07dyK3=3NAu5hhao-R3A8Yo{##E%s?+LqsierE`r|$7G z_}3_>h31>0qv9B#(cOPTBLA$0TLg==NhYouQwHDpr)k|@!D;|qWZ7J!eVs_ik?f(i zs*=?vGUS#!$b}&Cd|uA=FmX^s{J9zVg!txS(J6nw8tRf8AOIvx8G2`E27=WzHw z+jrOOZ~@5Qp93b=baWDJ*T3C@P`)p|?bqP?4qK)nbPJvv??7RW$P)nbRK5l$<`VqHssm=wBZq)YRls|NVD(Nog!%N|6<_T!KbxHSB67-zM^R zZeR5noVCHju4irL&4c%aO6H30lBEB4V?`c+nICu~)o`K$Ggt01NOlitBcJ7P*B((x z&Sp_i$^}8S*zGaG#P99fxx8T5;Jb5LxBcvZUXxak&!;^pW|}Z@&wuR;)x4@D$-1mn z&0uhjBw@pE<1jPXj~>`&rns`~E1t&CH&6~7(*qP(6V+0yf!-dFX|x0UMgUfFb;41j zQ_KMy)IWO8hDYy(>PxS$Hv2qnXK6!jKINj; zM;{ikwSc(aofk0P9Mh>MsM1GKVKt5sIt*IGKVrl+V*)rCOfC1cQid|W`WqMzG;>w!pNob zg6K?ETvo;oozI!uB_Eef8~i_B%mO7u0Ev~V|9T1F!i&tzYy^rgxRVKzUXJIM z-ZC&zd)G2Eg1LdDxC1Krfjcp-J?URd8XXvjAt3f+tdn-5Enn~i%CA&ajJci9+Ub)& z__+B40a%s9;IBl~%tB21k78^?UI(7`7L`q?cTatAy~p2F%~ozZWjOqn!q%~WDyep0 zRy_C@maTjLw>FwW^#T-S6KE)+l=r?OHmeCc=j!%<)Lefj;&9}OCIpr#Q)#v|IcG&f z$`h|Yk!o(`Z79M(NXU83s=qJk<-k@H4`DN{ps1UBnYzQkOKeaz@dVSyHMOuAh$N!` zfE>YB*^)B`_Oo?%K-1IJD*YvgmbaHzLSka8ogjW_SDGqT|1Uc&>57)Qcl$Fa!wy>+t?f*IagvT1Vq!5r?jgS93;0lW!U6`>&e*J8Z8sL)K3$Djy$8ULJzzVo z_Wce@$p(s_BJfkW#sEccON49(MKFZx06qc@J^gFPBQ1cVuYaP}1!|Spl8!nx_pLl> zB^$VLKWuj(Eq2U9|J(~OkI28or)s$-Xn;hAfi;+$q+&51F!*MTkp zW9ksXo@T7rRSksRjzC=Bf&&_1hK zLo`-%EUgijOI&CoF;GWtcHWRHQk+1dy|H;`-vopa2~3R&b^Ix!L$e;OFK84jBUAZdWvCs=8eIJ z?u%P1vOW%^yyLLF&HSeAV+sIcxD`lz12`?<06)DmsE(21*nS!hF*2eO++sS#N&&Q4 zVHD>;;X88|nipzwc`@^u1L%E?I>A?jj(B+RGhYX)hffuUI1|eh{$j^qt-~#D3|ENs zX7ARM4^T7`z^V?5FYiUV(DJ4TJfOJ@pi)t6ynSnB_*_38E*tQf1!6R3|EU>~Q1zu0 z^XN`jfKGjP5azd1aX@$VcpT@xN*(-0pq+RD0rV!9163}5J^R?j-W?ffIwgmuncFpft!D&IwYtG$YDY0Wh&w48LSD^#= zt8Y|0E&1fPrZC>!eyBFMsRxn;>=8fXNk-bPl=5S0a7M9wx+*8D0w&JKG?`2jA)EZ# zF>BP45m;XaS|}NHkm+2evfmbzM~wB`@ud6t6$SR%({mnlQ+&>*8?M@s+w*|g3iUfC z%{mAs#AEvr*WGqYx^xl^#9qKZ=PbPDQ(hptQy27@onp!R>;RE*$pDLS5C~FRq;eIiSg)M&Tew~E4(o; zW{?W6!scU~=iZ!=3`jGx`z_DBIb3$gRm+@Xu>0T%7ZZVTyZ@)=ML%Db1~hv~aYk50(8LQ)0ABY#RGW1Y7T)PeM1x}Y^+ybn9r=K4}bX~|WKK6qZ 
ztU5d|!~!NLOyvnPDD3Fq%1@c?(2W=q%&5#KETXD6m`O?>r=TD8w)&<|*KI z{y;SG@@J{2T!3wXcNs~eYyD&31oK&aU=b~v|FHd5Z=M)0|C2Mhp7Tw;C<-s$cx*yX z9Wj^7XP=rsu+VNAYQNuhAfZpBz+(MfCdnRFTSMyp4k2&yZ)?~{wn|{cQ61=?mm|iWq{IkUG*!% zkMO&8)Z9Q+zP9>t>Jg8`tNbs})T!j1Vufkhi>S))nOA8K$443GPtOB<)9fnD2*mG# z2#j3l#e`mnlR<_YkW=mQs;boERqr-{h~3UGoqm2oFP%9 zTUw5D?8D*;1u?0Xvx&XkD!ek>RR$dH=xO~`z$p5Cl&gTE_$c0YC$eSim(6%cb$0`aQbb)g_vH&+ zE}oMOdNLH(N}T(1BVJM(6ukTdV%j0$wFyruysU1vXXPcSX$?QS=?9|hh^t;cVzqbb zn;YmJI}+MeJILEF0^9w+eqW-P`q?fOyRDetxpM~0@t`Mb^PrNek{#DKaW-_e+;)f3 zGWUO(9q3boRnjOLCD3FRp1L=G-KMQ?dUTbD^*q5RW$JuK1+t;oJ&zw0%T@Yc$Gn90 z*23IZ0CfbQcAwQzvHk(=pVu#qAZ>_3Im~MnhJA{|7vq@1%wCEGi;`4z$Sc<6mJzxy z!Py1QC~blA2iL*1##X1h7}m~9ug0qeMSmjMSGQU2P@#rFVjao&=Hizd%EAF~WOvtL zi;mT--xd}?1lLW)iPd&s23F&)>DPP$>nr=EtAMZb%?T{(ig@6mrQemCO9T7S;Sl9GR$>?5BlRd96*e(& zb{sT!Ewm89-5$E`Jq6MrS}p-+krwX)OsSZr%-g?iAoc@Vq0C*8Z!OG=DHh0y5Yrb3 zwAZ8}Z~3c8C0`2SopL5GVk{s%tWtGsEZE-SiVL3WET`_jg`sOX5D1-cakI6V_5?Iy zaz7GGICJ+^i8}KVl2^gubaUMk39+&UH55$4OPN>e2ZY1vb)+dN@nrQ?4D#PtW<`@) zn{k509HH$&*%cn9<=422JCA@0vbC1P<%h`^o8i+mC=vaNiL*)Yl|+re+#s6_XG&V(4$^Mw9Vt?FOG2E{>(2qDp34L z@^vE?SfEZCbz6G=n88XdzZ_?j$=$V+!ijT3Ln(=;lt!vP z%oNPqa}vg6yexGXAdTdvh7pGLT)0LAGN@LAg0=ate{K+XYv}F$8k)8UT&_fkUAvK~ zvx^fce>bRrj1V1dS9wHK7i2q(-&V-R?kL;)vpSV=L^Vz*s=hx1|Fy)u}w(4hQmnsDN>(u-# z&Ym7N1K0moYi}7B<=S=+TePH)`NyI0af%owFC2_v~lHj<%dz=Z$H1BvJrsQ%}!MBtiy@{NPcZ>dXYG4!@M^kRPDi59>-snRpw@)i6D??v| zx3@RSnRSVQhQ>v+qj^Nqoufgj0(Ad=do4UJ8Z6)H0gw1DE8VPJb6GM7DdTw@D9`#C zcO_zV8FwXSgqbbKA|%DlzqI6fGaI-M+Okh@rzaD4BO&wE3RLYR_)D4hxAYq;k9SSuN&HP?l zO3_q!Z5eCD)Gc-mjlJS5xVtP!B8M-habqRr)jww?KNa-T($Ub&FDxv~&&!33{-~f$ zG^A>W0FyCL+)wrPKI4Lta}6p_v$vzqtzze{dM0G_K0yk262G@dLY1U*a>Z9~8t1-o zn=%uJ(@yVHoyfVrNNUqMN2;}%zM+x7Y`}kr|HWZUIQl3Zf-QUj;i}tpszlxVNso&T zZQ;G{=@)?H0(1QMAd;_a<%=(m%23~BlQ5J6ECNxO{w^1N(C60`KaI!RPxrIWK$a1t z7V)c>6+&#$4}XLj4sF8ypQBi4^YPS>j^vd?S5lSV*uqEX!giEm%;^D#2`I&=Uf; zao;PGMx+&j1g;C8T>d$*_mlrQuyLySnC~dp7c>-yOEU~gyLeaJfM-fP4KWiZ&lC&* 
z4ogMa#!Iv3e1`pFV=I(arjF`CfM~rOTs!J)aFcaG?$UQ7>hAA@wb%?jQnTe_Obn|) zLK!ND)mXWIS&|*pm{hA4dMxq5RqkOZwePnof|+(96nOzG8QQU@``O~4r>v>zo3_u< z`WB|^29shuDCXkGt9q4&iB;KXS(g<|14uk=|9&Q-$$sc}Q7NgZuAW57X<>thRm5J5 z%yfU&zm6QlUW+50n+19q58h|$lt5>J0ym5U985{?u!!n-Nab+3F7&?yvkozEbf7$s z$=H~mPuk$PeVZIEj=)uXrM$9Ppa5ddo1RB>Hvtb%V4Uv9dVJ?hwyN1L+J{;4&a;Rx zm=%e*d#+ASh4srmVWPJKAOHYToVBt2W=x!&NxIKSN6?Lai(NEzM4Y<9GmZ6#Oo7a? zqK5+zEU}o|^nVSC!ft7TVIWM8j1r&inn<|hi}`HVx6F=)s0zb3t>4J?rA=AP=4UG6 zah0eo0iCxV3w(YdB}#|20_>lV?MpCUKDcg=e3bR|RSK4OqB=&-2iPgYtk4?o{yn8!gaie9 zdV58n7rq}0wo40*ZD?0RZYpA$U=2X5%tbR$!V}X5I}R^6udx<8Vp*UaQ(?tF)5U%L z{bn8>GhQPBPJE0bWZxBrs4DV%xB~u24=-o%;rG9{qAV0UgEHE9@${%_s-U)tjEs&Z zI)8q%>+9GUW38?Oyn})AS33@9PWqryVrHy<=^qeRE$G1bJoUwk4|Gb$xh#fZTcBlN z@X$F~c?47f3^FcspLb*##_GqT-G2!5K<%47^%Am{3E@7cciAJCR8EEW2LqY_Uorj; zS;6mz3!9yv$5&6~gLPOtmUJ!=pi&4H-!(QI+XV;ukID)J%MXv{b%qQ5ei37GFO(Up zr{)6T`b$L!*&VF~m@dO**m|SsqyrpBv2mF#D24F5H7~tQ`2#(-2OQ{U8a`24rg%V5 zDp=u24t)vrM`&vZ+gk`Ru4Q`8Jio+vbT!|(R^&z`qA)yy7)O@DA~0-nCrtzc71` z@(aV$yV79Np5;B1ocBakKPW@DkA_^(BqwxH>6VfcI@+dP>*LMn(Mv&Av+A^&hK8T+ ztd;uLg;)rJbZyzaLnD85YYOc2X3Mo2S-8utYn9v?Q0QC6!8zM{=Ps$;4gKIwES{h2 z6O#0mUU2PnW2%6yRVj89j0YPo1PI>+0JV>?EzjB!K@WALxXWq_tH9FX_kBN3&f3}V z_+-c?JA{lF^txM1)R%8xI~+!w1Prb|{Me?pY@iPrF~oIO*868?z~g1ajYN+7Ny-;= z*jV_;9(I=Z9&d?c@}%u6bspFP2dO3TI2G2tk#=WFKl z+;CPFWT+{p$7 zv(vq6$IQ@?PcQ?#QayOxOlj8j*ZkP`iNW~Y4Dj2J@+gn$QkE?NzV1If% zFkDFm3V)kIv`;W3?w&Yi``A18OK_YfVc3-oV{0==X3voSb!m3KKY!6sexSK=I8ch z^67Iq4QS4@%ueMI>CGCZeB@>x(nkMTXZT<3*alr(Rg8_tdU~`vzSAWd&V1_IB>+_H zup@fs8~PMJ603~mn^W7LO`Kht`>DSKR3kZb>lcIuqbJw4#0JrCdeymtCo-)ppf z-1(GoWWBE(Df??P*9!e93OT-duEN>YEGmW8l5GrHNSlo3gM1p5R`V|79tFrSJ21~= zB8SRhMaI9so^G3~7q+M>EM1ooIe9+%{$X#84>Px-5=~V0<%;)>m!Fbj=pI22_nKR5 z0kg(06`O`*{xakEY)F+loJWo|>Kiwc5;d-CZ`q-7LvM&I^b~Egwv@YlUE}J?`TXb89d0@6DriB^_?AylCBHyDiv&M7*~)!n!r0NFpC-oK>Bx9xMAGG#fZsl&L|fVED&ci2_1BrV zXO4~@)p?JK%Xe5C2fYhUu|y}{Pet{EIH-=F0F>4T4oNIfuOqnU4@JPg9st);i`CRWE?fbBh 
zKlU7mZYqAvJx@dt;jzFneExmNCKqYiw*#qnp^@(SG_O=8Y0x@~k1Mc+eiiCZ};}B`f#2oCAtGK3e0ZA9><0U6S~}5odlb z&$Va!`Cg-v7s3Cuc7H7agZX_Xc8u9j#Y9J8s&!B?;2jdL<^}WiqOqx7y&$Knp)}C- zig!s)`fiFD>5FuMov}KwfnF#!j#6$nSx?Qja{PJp9{h?0DmT1nDP#>c)(guQi2j> z&BNS{vf6!mziYcjI9=`xjrW4eYIWIjo%DE;{`f)z`B~`~KQmsxAECMWp~3Z9yNQPJ z8Tx84vLxZIJCqlDM52MIE&wn{{^jAq(W4p!1ukr^`v|4DEh3U#7FOMu?4iSpEOG%Y z5@c86FTIWYQ?00lAEuH>XDrsm86-V3Jf3noE_I)DhHE(X(b)qe2wl9uCdEtYt_JgI z#iR%rscYqsJ(#T79@U-{%*v(gBT)7+Xh1P0{{y$TCT^S9OC`Oe>5R^SwN}vOl_}A@ zOE#1r2tsQRrazV`8!nmdpQ!d)+Q;0U_hiwX4kKV9VF(13z={OMvsr}shRTJQ-X`O??&2qyZGOTnns8 zkoIaErV4Mnu9kMN3h0F#Ntf}XR=?Wg#bSr<`t7Es?qh?w;Yz%$R zJkwPp^~h=a5iduFLYcVh1N5~Nc!%TK!F_}E2!Fv_={bUXYiJ1*>tcRkr+mEo_S4FH zP&h-!P1Rr-&3A$LhJ`=>GgIFRo-JdsV?}3>19tN-|dso418!09%$eU5@aG@jr)q`0T zX(%9>%|o;vXIYaMQLd|bsnTR(>q8j)qn^?P?>3d5vuUwnlA*EVZEpmn5$xKt=V;|P zZ;Ag(zhIAbIIP-nQ=5BHRB2}5TnPCVp<>_9!EquF7C?T5Pw?t3iq?G2`qYPD3BoY2 z`5bBP=5*WxCfg4{LUVaZwlT+GL95TNwh&!O%X#MbXKLKbYuYu^hK_OTY4Zw3MB$3+ zEwz^of@tb?cwaQIJncI_pys!vfu*M)6aGPi>dS!DE{jEI64g+b5JTkP!X05n!=HF{ z*UPbMroa7lp%8oBk)ugP&>-~!u4cObC=&OgtM+Z4*bxK#rbS(zx`9TsqT)7>;4Vv* zOXrZPJn|K3cYoATTR36}ES=W;DaW~Z&4veaqhGs^#+MTc5TzT_W#1|dlQImzxQ4L< zU3}>4$cMBC-zKJ&0gkE91h%td{fBeA$Y{R1LQ50qJM{Qo%wM%8OImVK9MnJ-=MjMszlH;Z*HUo2M?$lc_4TRDm6U zmAe1MUFCiW?jp+vCcJxkGH9;u!iQSgL6ZqelVn>vLbbn^)m_4>gBmW&sqm--smb_) z14FL*ej15IMN<$lS4n5VW#ZC{)RTyM3g+uiRV9Ty`FxTe*TxKd(lv0B(tJ)dbZ~c4 zJ@~($Op2j)5Vbi(n=LMKH*yH+r1~Wc(U+`Q>z_{d&GZZ~Gbju*!wY!S=GNB718SA? z@m=}yF~-?Ph50MzoSKa;`(E%6YS2gx9OrPvKi~gAZmNoGL~#1GWYvDBQPk|cS;9h( zS<1|hnPuZibI-GhjgD7U`UEUiq#njq=suG)-LQ=aszZ9PJx{2(K`3k`P$NgUNPt(I zzd53LA3Df4X-rnrEphQAC3k3WM$Z#&-p^g4vvji0zf`$`UcTo1eLRZY8Sx^&J_on! 
diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 007ce90759..b57a42f178 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -13,7 +13,7 @@ localizationpriority: medium - +

Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.

Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for business when you apply the Enterprise license file to the device.

![Hololens](images/hololens.png)

Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.

Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for Business when you apply the Enterprise license file to the device.

![Hololens](images/hololens.png)
## In this section @@ -22,7 +22,7 @@ localizationpriority: medium | --- | --- | | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | -| [Unlock Windows Holographic for business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for business| +| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business| | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune | | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | From bfd101f39293fa61026abb525b65cbb048696135 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 30 Jan 2017 12:25:12 -0800 Subject: [PATCH 062/115] style corrections --- devices/hololens/hololens-upgrade-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index 9fb370dfb0..bcc472ca43 100644 --- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md 
@@ -1,6 +1,6 @@ --- title: Unlock Windows Holographic for Business features (HoloLens) -description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise. +description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic for Business. ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: hololens, devices @@ -13,7 +13,7 @@ localizationpriority: medium Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. -When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Efor business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package). +When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package). >[!TIP] >You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for Business. From 5e765354a2bff25f7bd696d895ab4500a7383964 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 30 Jan 2017 14:06:04 -0800 Subject: [PATCH 063/115] Update event-4774.md --- windows/keep-secure/event-4774.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md index 5d919fd37b..9883e97cc3 100644 --- a/windows/keep-secure/event-4774.md +++ b/windows/keep-secure/event-4774.md @@ -1,5 +1,5 @@ --- -title: 4774(S) An account was mapped for logon. (Windows 10) +title: 4774(S, F) An account was mapped for logon. (Windows 10) description: Describes security event 4774(S, F) An account was mapped for logon. ms.pagetype: security ms.prod: w10 From ddf059038ad12ec80c785700770bc187ca02568d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Mon, 30 Jan 2017 18:21:41 -0800 Subject: [PATCH 064/115] Waas-Delivery-optimization - added content added online requirement. Added to simple mode in order to better explain it. --- windows/manage/waas-delivery-optimization.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 9b3dc0a522..243665903d 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
@@ -19,6 +19,10 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize Delivery Optimization, machines need to have access to the internet. + +For more details, see [Download mode](#download-mode). + >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
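Review bot: the paragraph added to waas-delivery-optimization.md has grammar errors that should be fixed before merge: "cloud managed solution" wants a hyphen ("cloud-managed"), the comma in "Having access to the Delivery Optimization cloud services, is a requirement" separates the subject from its verb, and "This mean that" should read "This means that". It also states flatly that internet access is required for Delivery Optimization to be enabled, while the Simple (99) row edited later in this same patch says Delivery Optimization switches to Simple mode automatically when the cloud services are unavailable or unreachable; reconcile the two, for example by saying that the cloud-assisted and peer download modes require connectivity to the Delivery Optimization cloud service and that devices without it fall back to Simple mode.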
@@ -33,17 +37,19 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op Several Delivery Optimization features are configurable. + + ### Download mode (DODownloadMode) Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. | +| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). 
Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. In this mode, Delivery Optimization provides a modern download manager experience, with little optimization and no peer content sharing. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] From 61f90939736f19d987115259048630974a5e38f1 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 30 Jan 2017 21:40:34 -0800 Subject: [PATCH 065/115] update min reqs --- ...requirements-windows-defender-advanced-threat-protection.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 55a3242e78..a189690013 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md 
@@ -24,6 +24,8 @@ localizationpriority: high There are some minimum requirements for onboarding your network and endpoints. ## Minimum requirements +You must be on Windows 10, version 1607 at a minimum, and must purchase Windows 10 Enterprise E5 edition to use the service. +For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. @@ -33,6 +35,7 @@ When you run the onboarding wizard for the first time, you must choose where you - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Endpoint hardware and software requirements + The Windows Defender ATP agent only supports the following editions of Windows 10: - Windows 10 Enterprise From 0eeb85b9a935ef4336093ddf6db6dce6060822b2 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 31 Jan 2017 07:21:04 -0800 Subject: [PATCH 066/115] Remove purchase --- ...-requirements-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index a189690013..7125de6f76 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md 
@@ -24,7 +24,7 @@ localizationpriority: high There are some minimum requirements for onboarding your network and endpoints. ## Minimum requirements -You must be on Windows 10, version 1607 at a minimum, and must purchase Windows 10 Enterprise E5 edition to use the service. +You must be on Windows 10, version 1607 at a minimum. For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). ### Network and data storage and configuration requirements From f43e9544db11203f905872e8a68d96da7365f46b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 31 Jan 2017 09:58:34 -0800 Subject: [PATCH 067/115] fix typo # Conflicts: # devices/surface-hub/online-deployment-surface-hub-device-accounts.md --- windows/deploy/provisioning-apply-package.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/provisioning-apply-package.md b/windows/deploy/provisioning-apply-package.md index 417c9e9e75..1125dd6985 100644 --- a/windows/deploy/provisioning-apply-package.md +++ b/windows/deploy/provisioning-apply-package.md @@ -94,7 +94,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Access work o ![Is this package from a source you trust](images/package-trust.png) -# + ## Learn more From d6c7b32d1f24ca86cb98c7485aff4dc1e8af15f0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 31 Jan 2017 10:50:38 -0800 Subject: [PATCH 068/115] final correction --- windows/keep-secure/hello-how-it-works.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index c9bce0ea90..089387f204 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md 
@@ -35,7 +35,7 @@ The PIN chosen is associated with the combination of the active account and that - A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. - A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. -When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. +When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. 
Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. From 1580634b6347327a58204841d6c45c2b71df747a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 31 Jan 2017 12:31:00 -0800 Subject: [PATCH 069/115] Fixing typo --- windows/keep-secure/app-behavior-with-wip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index bf932d459d..7b8a41df15 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md 
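Review bot: in the hello-how-it-works.md hunk, the new sentence "Each unique gesture generates a unique protector key." repeats the clause immediately before it ("each of those gestures will have a unique protector key") and can be dropped. The rewrite also removes "for a specific container" from "The protector key securely wraps the authentication key", so the following sentence "The container has only one authentication key" now refers to a container the paragraph never introduced; keep the qualifier, for example "The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, ...", since the container/protector-key relationship is the point this paragraph exists to explain.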
@@ -38,8 +38,8 @@ This table includes info about how unenlightened apps might behave, based on you   - Name-based policies, without the /*AppCompat*/ string - Name-based policies, using the /*AppCompat*/ string or proxy-based policies + Name-based policies, without the /*AppCompat*/ string + Name-based policies, using the /*AppCompat*/ string or proxy-based policies Not required. App connects to enterprise cloud resources directly, using an IP address. @@ -96,7 +96,7 @@ This table includes info about how enlightened apps might behave, based on your - + From 2a60d977cf6ce6260a730650e32428930f889fc2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 31 Jan 2017 12:40:33 -0800 Subject: [PATCH 070/115] Fixing typo --- windows/keep-secure/app-behavior-with-wip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index 7b8a41df15..c1d428463b 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -38,8 +38,8 @@ This table includes info about how unenlightened apps might behave, based on you - - + + @@ -96,7 +96,7 @@ This table includes info about how enlightened apps might behave, based on your
App rule settingNetworking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policiesNetworking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies
Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
 Name-based policies, without the /*AppCompat*/ stringName-based policies, using the /*AppCompat*/ string or proxy-based policiesName-based policies, without the /*AppCompat*/ stringName-based policies, using the /*AppCompat*/ string or proxy-based policies
Not required. App connects to enterprise cloud resources directly, using an IP address.
- + From 3eea7022c8e538642f280f8200f6ef132bbf13c9 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 31 Jan 2017 12:48:08 -0800 Subject: [PATCH 071/115] Fixing typo --- windows/keep-secure/app-behavior-with-wip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index c1d428463b..4a47cfcb9c 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -38,8 +38,8 @@ This table includes info about how unenlightened apps might behave, based on you - - + + @@ -96,7 +96,7 @@ This table includes info about how enlightened apps might behave, based on your
App rule settingNetworking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policiesNetworking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies
Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
 Name-based policies, without the /*AppCompat*/ stringName-based policies, using the /*AppCompat*/ string or proxy-based policiesName-based policies, without the /*AppCompat**/ stringName-based policies, using the /*AppCompat**/ string or proxy-based policies
Not required. App connects to enterprise cloud resources directly, using an IP address.
- + From 146fdd14e0e59700961a96a4fb533663cec8576a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 31 Jan 2017 12:56:48 -0800 Subject: [PATCH 072/115] Fixing typo --- windows/keep-secure/app-behavior-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index 4a47cfcb9c..1f83aad42f 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -38,8 +38,8 @@ This table includes info about how unenlightened apps might behave, based on you - - + + From 4d4784d6ae4da38cd83d5c8db7a70d5c96740720 Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Tue, 31 Jan 2017 13:20:13 -0800 Subject: [PATCH 073/115] Update credential-guard.md refined app stuff. typo in HW --- windows/keep-secure/credential-guard.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index a0911b6720..9ce9b9cbaa 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
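Review bot: in the PATCH 071 hunk to app-behavior-with-wip.md (@@ -38,8 +38,8 @@), the string administrators are told to use changes from "/*AppCompat*/" to "/*AppCompat**/" in both table cells. If the intent is to stop Markdown from rendering "*AppCompat*" as emphasis, escape the asterisks ("/\*AppCompat\*/") or put the value in code formatting (`/*AppCompat*/`) rather than altering the literal string, which readers will copy verbatim into policy. Four consecutive "Fixing typo" commits touch these same lines; squash them so the history records one intended change.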
@@ -52,15 +52,19 @@ To provide basic protection against OS level attempts to read Credential Manager The Virtualization-based security requires: - 64 bit CPU -- CPU virtualization extensions plu extended page tables +- CPU virtualization extensions plus extended page tables - Windows hypervisor ### Application requirements When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. ->[!WARNING] Enabling Credential Guard on Domain Controllers is not supported -> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled. Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database. +>[!WARNING] +> Enabling Credential Guard on Domain Controllers is not supported
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes. + +>[!NOTE] +> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications will break if they require: - Kerberos DES encryption support @@ -73,6 +77,8 @@ Applications will prompt & expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. + ### Security considerations The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. From 9bac3c789f7fc330a912d246c4418854cd5d0831 Mon Sep 17 00:00:00 2001 From: ErikMoreau Date: Wed, 1 Feb 2017 12:17:50 +0100 Subject: [PATCH 074/115] Update configure-proxy-internet-windows-defender-advanced-threat-protection.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Typo fix on line 25 added s to 'Window Defender ATP sensor' => 'Windows Defender ATP sensor' --- ...xy-internet-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 38a3f1edc2..aa809c74c7 100644 
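Review bot: in the credential-guard.md warning, the new line "The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes." needs a comma before "causing crashes" (or rephrase as "..., which causes crashes"); as written it can be read as saying that enabling Credential Guard causes crashes in general rather than that the integration with isolated processes does. The adjacent context line "to ensure compatiblity with the reduced functionality" still carries the "compatiblity" typo and could be fixed in this commit, which is already described as a typo fix.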
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -1,4 +1,4 @@ ---- +s--- title: Configure Windows Defender ATP endpoint proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server @@ -22,7 +22,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. +The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. From 4da7d3f2d32df4322af557158507212298943d15 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 1 Feb 2017 07:32:38 -0800 Subject: [PATCH 075/115] Fixing YAML --- ...proxy-internet-windows-defender-advanced-threat-protection.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index aa809c74c7..53d19c2f9f 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md 
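Review bot: the first hunk of configure-proxy-internet-windows-defender-advanced-threat-protection.md replaces the opening YAML front-matter delimiter "---" with "s---", which breaks front-matter parsing for the page; the stray "s" looks like an accidental keystroke and should be reverted so the commit contains only the intended "Window" to "Windows" fix in the second hunk. The two follow-up commits titled "Fixing YAML" undo exactly this and would not be needed.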
@@ -1,4 +1,3 @@ -s--- title: Configure Windows Defender ATP endpoint proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server From fab8e945a2cbb0cd5404d3eab31cccb97dc3dc03 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 1 Feb 2017 07:41:06 -0800 Subject: [PATCH 076/115] Fixing YAML --- ...proxy-internet-windows-defender-advanced-threat-protection.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 53d19c2f9f..dd145bf769 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -1,3 +1,4 @@ +--- title: Configure Windows Defender ATP endpoint proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server From ed9fd4a4f298f92bbceed3e322475bb675c18918 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 1 Feb 2017 07:44:16 -0800 Subject: [PATCH 077/115] mobile to start layout --- ...art-screens-by-using-mobile-device-management.md | 7 ++++--- ...creens-by-using-provisioning-packages-and-icd.md | 13 ++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md index cf6a6dab79..2ccace55f5 100644 
--- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -15,17 +15,18 @@ localizationpriority: medium **Applies to** -- Windows 10 +- Windows 10 +- Windows 10 Mobile **Looking for consumer information?** - [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. > **Note:** Customized taskbar configuration cannot be applied using MDM at this time. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. **Warning**   When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. 
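Review bot: the revised "Before you begin" line links to start-layout-xml-mobile.md, but this commit's diffstat lists only the two customize-windows-10-start-screens files, so confirm that target already exists in the repo or the new link will 404. Also, with Windows 10 Mobile now listed under "Applies to", the unchanged note "Customized taskbar configuration cannot be applied using MDM at this time" should say whether it applies to Mobile as well.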
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 8ec42b3218..7cc8395f8b 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -15,18 +15,19 @@ localizationpriority: medium **Applies to** -- Windows 10 +- Windows 10 +- Windows 10 Mobile **Looking for consumer information?** - [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. 
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. ## How Start layout control works @@ -48,14 +49,12 @@ Three features enable Start and taskbar layout control: Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 2. Choose **Advanced provisioning**. - - 3. Name your project, and click **Next**. 4. Choose **All Windows desktop editions** and click **Next**. From 8533fa6bac53f91df75629c12787009f6c9ea471 Mon Sep 17 00:00:00 2001 
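Review bot: the [!IMPORTANT] note in the @@ -15,18 hunk still talks about taskbar pinning, explorer.exe restarts and applying the configuration by Group Policy so user changes persist, yet the same hunk adds Windows 10 Mobile to Applies to and the new Before you begin line routes mobile readers to a separate Start layout XML page. Scope the taskbar note and the "Start and taskbar layout" wording to the desktop editions, or say explicitly which parts hold for mobile, so a Mobile admin is not told to fix taskbar persistence with Group Policy.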
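Review bot: the @@ -48,14 hunk leaves step 4 as "Choose All Windows desktop editions", but after this patch the page claims Windows 10 Mobile support; the ICD walkthrough needs a mobile branch for that step or a pointer to the mobile procedure, otherwise the new Applies to entry is not backed by the steps. The conversion of the sensitive-information warning into a [!IMPORTANT] alert is the right call and should stay: project files are stored unencrypted even when the .ppkg is encrypted, so storing them securely and deleting them when no longer needed is the security point of this section.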
From: rikot Date: Wed, 1 Feb 2017 11:17:57 -0500 Subject: [PATCH 078/115] Update manage-windows-updates-for-surface-hub.md --- .../manage-windows-updates-for-surface-hub.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 40fdda11b1..35787fbff1 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -57,6 +57,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates). > [!NOTE] + > You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune) @@ -75,7 +76,7 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). - +* **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. 
@@ -104,6 +105,13 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. +**If you use a proxy server or other method to block URLs** +If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: +- http(s)://*.update.microsoft.com +- http://download.windowsupdate.com +- http://windowsupdate.microsoft.com + +Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. ## Maintenance window From c5f1b8f1349357f9951031d59a90a5271121ad1a Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Wed, 1 Feb 2017 11:23:04 -0800 Subject: [PATCH 079/115] Add reset package note at end of article --- ...-configuration-manager-to-manage-devices-with-semm.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index f44e7cf414..5e81cad6ce 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
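Review bot: in the @@ -75,7 hunk the new line starts with "* ", which turns the bold "To manually configure Surface Hub to use CB or CBB:" lead-in into a one-item bulleted list sitting directly on the numbered steps, and the blank line it replaces is what separated the lead-in from the CB/CBB paragraph above. Drop the leading "* " and keep a blank line above so it renders as a plain bold lead-in.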
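Review bot: in the @@ -104,6 hunk the closing sentence says the allow-list entries can be removed once the Windows 10 Team Anniversary Update is installed, but this section addresses readers who block URLs to prevent updates, so removing them again also stops later quality updates from reaching the Surface Hub; say that explicitly rather than "return your Surface Hub to its previous state". Two smaller points in the same hunk: http(s)://*.update.microsoft.com is a wildcard entry while the other two are plain http, so state whether plain HTTP is required or https can be enforced for all three; and put a blank line between the bold "If you use a proxy server or other method to block URLs" line and the sentence after it (or use the file's ### heading style if it is meant as a subsection), otherwise the two run together into one paragraph.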
@@ -413,3 +413,12 @@ When you deploy SEMM using this script application and with a configuration that Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article. Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM. + +>[!NOTE] +>Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate. + +>We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM. + +>When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken. + +>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. 
Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. \ No newline at end of file From c14355694243578c6aa74a7cc1f5b748c42df2e9 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:12:08 -0800 Subject: [PATCH 080/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 9ce9b9cbaa..8e9f872d0d 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets & credentials stored by applications as domain credentials. +Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Credential Guard the following features and solutions are provided: From a434950159b77a227e381776dce8332c73f26678 Mon Sep 17 00:00:00 2001 
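Review bot: the NOTE added in the @@ -413,3 hunk contradicts itself: one paragraph says "You can reenroll a device by using an existing configuration package" after a reset, and the next says "For this reason, the reenrollment of a device in SEMM would require a new package to be created"; keep one and delete the other. The final "Because this action is a new enrollment..." sentence also repeats the thumbprint prompt already stated two lines up. Formatting: the paragraphs are separated by blank lines with no leading ">", so Markdown closes the blockquote after the first paragraph and only that one gets the [!NOTE] label; prefix the blank lines with ">". The universal reset package warning is the important content here and should stay as written: anyone holding that package can unenroll every Surface enrolled with the certificate, so it needs the same handling as the certificate itself.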
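Review bot: in the credential-guard.md @@ -15,7 hunk the serial comma fix is fine; while touching the line, "Pass-The-Ticket" should match the capitalization of "Pass-the-Hash" (Pass-the-Ticket).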
From: Justin Hall Date: Wed, 1 Feb 2017 14:12:58 -0800 Subject: [PATCH 081/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 8e9f872d0d..6b213c523b 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ ---- +,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 @@ -17,7 +17,7 @@ author: brianlic-msft Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. -By enabling Credential Guard the following features and solutions are provided: +By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos and Credential Manager take advantage of platform security features including, Secure Boot and virtualization to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. From 187186da696b467c09899dcabd0c2ac442bc3cca Mon Sep 17 00:00:00 2001 
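Review bot: the @@ -1,4 hunk replaces the opening "---" of the YAML front matter with ",---"; this is a stray keystroke, not an edit, and it breaks the front matter, so title, description and ms.assetid will be emitted as body text instead of metadata. Revert that hunk and keep only the @@ -17,7 comma fix.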
From: Justin Hall Date: Wed, 1 Feb 2017 14:16:01 -0800 Subject: [PATCH 082/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 6b213c523b..62de1f7545 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -,--- +,,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
@@ -19,13 +19,13 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: -- **Hardware security** NTLM, Kerberos and Credential Manager take advantage of platform security features including, Secure Boot and virtualization to protect credentials. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works -Kerberos, NTLM and Credential manager isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. 
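Review bot: the @@ -1,4 hunk changes ",---" to ",,---", stacking a second stray character on the already broken front-matter delimiter from the previous commit; line 1 must go back to "---" before this series merges. The wording in the @@ -19,13 hunk is fine, but "Credential manager" (lower-case m) in the How it works paragraph should match "Credential Manager" as used in the bullet list just above it.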
From 5bea22adff182a0bd2eb03023e07ca3ebb21e72c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:20:06 -0800 Subject: [PATCH 083/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 62de1f7545..46faf54f4b 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -,,--- +s,,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
@@ -29,9 +29,9 @@ Kerberos, NTLM, and Credential manager isolate secrets that previous versions of For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or AAD users, secondary credentials should be provisioned for these use cases. +When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption not only for signed-in credentials, but also prompted or saved credentials either. 
+When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: From 617ac9f95c57f4b3cb2a5876a10e6edfa3ad9331 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:28:34 -0800 Subject: [PATCH 084/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 46faf54f4b..05e8cf4958 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -s,,--- +[s,,--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 
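Review bot: the @@ -1,4 hunk turns ",,---" into "s,,---" on line 1, another accidental keystroke on the front-matter delimiter. In the @@ -29,9 hunk, "with any of these protocol" is left uncorrected and should read "protocols"; the rest of the rewrite (signed-in, Azure AD in place of AAD, and the comma before "not only") reads correctly.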
@@ -39,7 +39,7 @@ Here's a high-level overview on how the LSA is isolated by using virtualization- ## Requirements -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as "Hardware and software requirements". Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as "Application requirements". Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in Security Considerations. +For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). ### Hardware and software requirements From 39e194229e9baa926617b1c703163eee87664f5c Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 14:49:46 -0800 Subject: [PATCH 085/115] Waas-configure-wufb - fixed reg values DeferQualityUpdatesPeriod \ DeferFeatureUpdatesPeriod + inDays to both notified of issue by B Dolan --- windows/manage/waas-configure-wufb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
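Review bot: the @@ -1,4 hunk now has "[s,,---" as line 1; four consecutive commits have each added a stray character to the front-matter delimiter, so squash or revert these before merge and confirm the file starts with "---". The anchor links added in the @@ -39,7 hunk follow the usual heading slugs, but only "### Hardware and software requirements" is visible in this diff; please confirm that "Application requirements" and "Security Considerations" headings exist in the file with exactly those slugs.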
diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index 9626d2e24f..fcb36d20f6 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -182,9 +182,9 @@ Below are quick-reference tables of the supported Windows Update for Business po | MDM Key | Key type | Value | | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriod | REG_DWORD | 0-30: defer quality updates by given days | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | | PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriod | REG_DWORD | 0-180: defer feature updates by given days | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | | PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | From c44f69aa8eaf3601e79c361e6467ec8a126fd33e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 14:57:15 -0800 Subject: [PATCH 086/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 05e8cf4958..83458e51f1 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -19,7 +19,7 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: -- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. + **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. - **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. 
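Review bot: in the @@ -182,9 hunk the renamed keys are DeferQualityUpdatesPeriodinDays and DeferFeatureUpdatesPeriodinDays with a lower-case "in"; the Policy CSP documents these as Update/DeferQualityUpdatesPeriodInDays and Update/DeferFeatureUpdatesPeriodInDays with a capital I. Registry value names are case-insensitive, but this column is labelled MDM Key, so match the CSP spelling (the existing ExcludeWUDriversinQualityUpdate row in the same table has the same casing problem). It would also help to state which registry path these REG_DWORD values live under, since the table mixes MDM key names with registry types.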
@@ -60,7 +60,7 @@ The Virtualization-based security requires: When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] -> Enabling Credential Guard on Domain Controllers is not supported
+> Enabling Credential Guard on domain controllers is not supported
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes. >[!NOTE] @@ -100,7 +100,7 @@ The following tables provide more information about the hardware, firmware, and | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] -> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. +> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. #### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) From fd00479513e7d2ad9e033e346f015d7e5f57fd12 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 1 Feb 2017 15:00:29 -0800 Subject: [PATCH 087/115] Update credential-guard.md --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 83458e51f1..37f0fd9b7f 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
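Review bot: the @@ -19,7 hunk removes the "- " list marker from the "**Hardware security**" line, so the first bullet of the features list is demoted to a plain paragraph while the two items below it remain bullets; restore the marker. The later @@ -21,7 hunk in PATCH 087 shows the line still without it, so this was not caught downstream.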
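Review bot: in the @@ -60,7 hunk the [!WARNING] is correct and important (the domain controller's authentication services integrate with the processes Credential Guard isolates, which is why enabling it there crashes), but the context line above it still misspells "compatiblity"; fix it while here. The [!NOTE] beneath it, that Credential Guard does not protect the Active Directory database or the SAM, is the caveat admins most often miss and should stay adjacent to the warning.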
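Review bot: in the @@ -100,7 hunk the table cell reads "Windows 2016 Server"; the product name is Windows Server 2016, as used in the Important line of the same cell. The comma removal in the [!IMPORTANT] alert is fine.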
@@ -21,7 +21,7 @@ By enabling Credential Guard, the following features and solutions are provided: **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +,- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works @@ -61,7 +61,7 @@ When Credential Guard is enabled, specific authentication capabilities are block >[!WARNING] > Enabling Credential Guard on domain controllers is not supported
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes. +> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. >[!NOTE] > Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). From 0161a423f34d67c4e9f744c81377671ae3434a17 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 1 Feb 2017 15:40:37 -0800 Subject: [PATCH 088/115] removed credential delegation from remote desktop table heading --- windows/keep-secure/remote-credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md index a8f2f46557..0ae8111073 100644 --- a/windows/keep-secure/remote-credential-guard.md +++ b/windows/keep-secure/remote-credential-guard.md 
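Review bot: the @@ -21,7 hunk prefixes the "Better protection" bullet with a stray comma (",- **Better protection...**"), which renders the literal ",-" and breaks the list item; the same hunk also shows the "Hardware security" line above it still missing its "- " marker from the previous commit. Revert the comma and restore the marker. The comma before "causing crashes" in the @@ -61,7 hunk is fine.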
@@ -34,7 +34,7 @@ Use the following table to compare different security options for Remote Desktop > [!NOTE] > This table compares different options than are shown in the previous diagram. -| Remote Desktop with Credential Delegation | Remote Credential Guard | Restricted Admin mode | +| Remote Desktop | Remote Credential Guard | Restricted Admin mode | |---|---|---| | Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | | Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | From 6b319d25bacc26654418b846d7d700832efe9b3d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 17:36:28 -0800 Subject: [PATCH 089/115] Waas-servicing-branches - add section - remove WU --- .../manage/waas-servicing-branches-windows-10-updates.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index f42352f643..b514878ffe 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,6 +190,13 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
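Review bot: after the @@ -34,7 hunk the first column is just "Remote Desktop", but the rationale that the old heading carried is now absent from the column: the Protection cell says "less protection" without saying why, even though the Version support cell still alludes to it with "supports credential delegation". Add one clause to the Protection cell stating that the user's credentials are delegated to the remote host in this mode, so the comparison still explains itself. Minor: the note above the table, "compares different options than are shown", should read "different options from those shown".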

+## Block user access to Windows Update Settings + +In Windows 10, administrators can control user access to Windows Update. +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. + +>[!NOTE] +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecate and are no longer supported on this platform. ## Related topics From d2f76e58eba86de11ac894434bedfbc311842d01 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 17:47:51 -0800 Subject: [PATCH 090/115] fixed typo --- windows/manage/waas-servicing-branches-windows-10-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index b514878ffe..bf763d2b49 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,7 +190,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
-## Block user access to Windows Update Settings +## Block user access to Windows Update settings In Windows 10, administrators can control user access to Windows Update. By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. From 97fa0782ba1244039f2b8aebca2888d5ee747de1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 07:10:58 -0800 Subject: [PATCH 091/115] fix format --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 35787fbff1..b2e70af5d6 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -107,7 +107,7 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- http(s)://*.update.microsoft.com +- http(s)://\*.update.microsoft.com - http://download.windowsupdate.com - http://windowsupdate.microsoft.com From b7c16542943af08bed734aa473975147ebd37c60 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 07:27:21 -0800 Subject: [PATCH 092/115] URLs --- .../surface-hub/manage-windows-updates-for-surface-hub.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
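Review bot: the NOTE in the new "Block user access to Windows Update settings" section (PATCH 089) reads "were deprecate"; it should be "were deprecated and are no longer supported". The heading is then changed from "Settings" to "settings" in the very next commit (PATCH 090); squashing the two keeps the history clean. The bold Group Policy path also mixes "Windows update" and "Windows Update" in the same string; check the ADMX display names for that node and use one spelling.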
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index b2e70af5d6..d4cb3d614d 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -76,7 +76,7 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). -* + **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. @@ -107,9 +107,9 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- http(s)://\*.update.microsoft.com -- http://download.windowsupdate.com -- http://windowsupdate.microsoft.com +- `http(s)://\*.update.microsoft.com` +- `http://download.windowsupdate.com` +- `http://windowsupdate.microsoft.com` Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. From fd50e41f55a45efa4c934090a680d920b6defe30 Mon Sep 17 00:00:00 2001 
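Review bot: in the second hunk the URL list entries are wrapped in backticks but the first one keeps the backslash, so `` `http(s)://\*.update.microsoft.com` `` will render with a literal backslash: Markdown does not process escapes inside a code span, so the `\*` that was correct as plain text in PATCH 091 is wrong here. Use `*` unescaped inside the span. Removing the stray `*` line above the CB/CBB procedure in the first hunk is fine.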
From: jdeckerMS Date: Thu, 2 Feb 2017 08:00:34 -0800 Subject: [PATCH 093/115] format --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index d4cb3d614d..1a5e22a17e 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -107,7 +107,7 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- `http(s)://\*.update.microsoft.com` +- `http(s)://*.update.microsoft.com` - `http://download.windowsupdate.com` - `http://windowsupdate.microsoft.com` From fdaa09b9646f53166714a44c5fb036d3406a749f Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 2 Feb 2017 08:52:30 -0800 Subject: [PATCH 094/115] typo --- windows/manage/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index 5583eabdcd..b0a6b60bc0 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
@@ -39,7 +39,7 @@ You can't distribute offline-licensed apps directly from the Store for Business. - **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://technet.microsoft.com/itpro/windows/deploy/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). -- **Mobile device management provider or management server.** You canuse a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: +- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: - [Manage apps from Windows Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - [Manage apps from Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
From 7e988cb680e3ff469bc2250899b21b22c05b6e46 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 2 Feb 2017 10:01:20 -0800 Subject: [PATCH 095/115] waas-DO - fixed after PM review --- windows/manage/waas-delivery-optimization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 243665903d..b1701d80d9 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -19,7 +19,7 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. -Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize Delivery Optimization, machines need to have access to the internet. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet. For more details, see [Download mode](#download-mode). 
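Review bot: the rewritten sentence in the Delivery Optimization intro still carries two grammar problems that this change could fix in passing: "Having access to the Delivery Optimization cloud services, is a requirement" has a comma between subject and verb, and "This mean" should be "This means". Scoping the internet requirement to "the peer-to-peer functionality of Delivery Optimization" is the right clarification; it lines up with the Simple (99) fallback described in the Download mode table that follows.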
@@ -45,11 +45,11 @@ Download mode dictates which download sources clients are allowed to use when do | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience. | +| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. 
In this mode, Delivery Optimization provides a modern download manager experience, with little optimization and no peer content sharing. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] From d23d739707acef1a9756c3a78ecb1a13a48d0e92 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 2 Feb 2017 10:15:48 -0800 Subject: [PATCH 096/115] fixed type and added change of WaaS-branches to CH --- .../change-history-for-manage-and-update-windows-10.md | 8 ++++++-- .../manage/waas-servicing-branches-windows-10-updates.md | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index a794ec798f..837fac6dda 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md 
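Review bot: in the HTTP Only (0) row, "for a peerless reliable and efficient download experience" will be read as "unmatched" rather than "without peers"; suggest "for a reliable and efficient download experience without peer-to-peer caching", which also mirrors the new wording of the Simple (99) row. The Simple row now states an automatic fallback "when the content file size is less than 10 MB"; that is a new behavioural claim, so it should be covered by the PM review the commit message cites and, ideally, link to where the threshold is documented.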
@@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## February 2017 + +| New or changed topic | Description | +| --- | --- | +| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | + ## January 2017 | New or changed topic | Description | @@ -24,8 +30,6 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | | [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. | - - ## December 2016 | New or changed topic | Description | diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index bf763d2b49..7e62bcbf3a 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md 
@@ -196,7 +196,7 @@ In Windows 10, administrators can control user access to Windows Update. By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. >[!NOTE] -> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecate and are no longer supported on this platform. +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. ## Related topics From 4f8eaabbd71970f37e631a964a11549face01ea6 Mon Sep 17 00:00:00 2001 From: rikot Date: Thu, 2 Feb 2017 13:48:57 -0500 Subject: [PATCH 097/115] Update manage-windows-updates-for-surface-hub.md --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 35787fbff1..e1e0574390 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
@@ -90,6 +90,7 @@ Once you've determined deployment rings for your Surface Hubs, configure update - To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring. > [!NOTE] + > If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates). @@ -106,6 +107,7 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. **If you use a proxy server or other method to block URLs** + If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: - http(s)://*.update.microsoft.com - http://download.windowsupdate.com From 408c738d0429c64900130e1a8ae81128e7fcb9dc Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 2 Feb 2017 13:21:14 -0800 Subject: [PATCH 098/115] fixed formatting --- windows/keep-secure/credential-guard.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 37f0fd9b7f..980862a955 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -9,6 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft --- + # Protect derived domain credentials with Credential Guard **Applies to** 
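Review bot: this change (PATCH 097) is based on index 35787fbff1, the same parent PATCH 091 started from, not on 1a5e22a17e produced by PATCH 093; its context still shows the URL list as `- http(s)://*.update.microsoft.com` without the code spans added in PATCH 092 and 093, so it will conflict with those commits when merged. Rebase before merging. The blank line added after the bold "**If you use a proxy server or other method to block URLs**" is a good fix; without it the bold line and the following sentence render as one paragraph.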
@@ -19,9 +20,9 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -,- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works @@ -60,7 +61,7 @@ The Virtualization-based security requires: When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] -> Enabling Credential Guard on domain controllers is not supported
+> Enabling Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. >[!NOTE] From 594e403a7f6420a90b540ff54f18f1472209e05f Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Thu, 2 Feb 2017 13:54:25 -0800 Subject: [PATCH 099/115] making a minor change to reflect the KB requirement change with V5 --- windows/deploy/upgrade-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 1455ee624e..cd76825250 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -127,7 +127,7 @@ The Upgrade Analytics deployment script does the following: 3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14913 or later is required). 5. If enabled, turns on verbose mode for troubleshooting. From 09621fff218b73be9552c4ffbff860db5756f997 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 2 Feb 2017 14:25:52 -0800 Subject: [PATCH 100/115] fixed metadata --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 980862a955..9d3a33d12c 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
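Review bot: in the features-list hunk of PATCH 098 the "Hardware security" item is deleted and re-added with a leading `- `, and the "Better protection" item loses the stray `,` that preceded its bullet; both are correct, but the re-added "Better protection" line is long and the sentence "While Credential Guard is a powerful mitigation..." wraps in the diff, so confirm it stays inside the same list item rather than becoming a separate paragraph under the list. The WARNING hunk only adds the missing period after "not supported"; fine as is.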
@@ -1,4 +1,4 @@ -[s,,--- +--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 From 4fb86ef0967caf665ceb36ee7bcffcbed36e306f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 14:55:33 -0800 Subject: [PATCH 101/115] sync --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 1 - 1 file changed, 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 8cd7c3a9fa..d8661c166c 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -90,7 +90,6 @@ Once you've determined deployment rings for your Surface Hubs, configure update - To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring. > [!NOTE] - > If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates). From a1b4cef484bd08b7b9aa34f8bad236086c911ebd Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Feb 2017 15:40:23 -0800 Subject: [PATCH 102/115] bug 118 --- windows/deploy/usmt-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index 9f6a18384a..9dca476f1c 100644 --- a/windows/deploy/usmt-overview.md 
+++ b/windows/deploy/usmt-overview.md @@ -35,7 +35,7 @@ USMT provides the following benefits to businesses that are deploying Windows op - Increases employee satisfaction with the migration experience. ## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](https://go.microsoft.com/fwlink/p/?LinkId=140248). +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. There are some scenarios in which the use of USMT is not recommended. These include: From 621a8df6f338a941e610f454e0f0d5a09606fb5d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Feb 2017 16:33:26 -0800 Subject: [PATCH 103/115] moving link to baseline to the top of the article --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c7c8415926..83ba743e69 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
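Review bot: the sync hunk (PATCH 101) deletes the `> If you encounter issues during the update rollout...` body line but leaves the `> [!NOTE]` marker above it; as far as the visible lines show, that leaves an empty callout, so either remove the marker as well or keep a body. In PATCH 102 the new PCmover Express link is `http://go.microsoft.com/fwlink/?linkid=620915` while the Windows Easy Transfer link it replaces used `https://`; keep https for fwlink redirects. The front-matter fix in PATCH 100 (removing `[s,,` before the opening `---`) matters beyond formatting: with a broken opening delimiter the title and description are not parsed as metadata.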
@@ -25,8 +25,9 @@ If you want to minimize connections from Windows to Microsoft services, or confi You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. ## What's new in Windows 10, version 1607 and Windows Server 2016 
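Review bot: the paragraph being moved to the top still contains "Make sure should you've chosen the right settings configuration"; since the line is rewritten anyway, drop the stray "should". The added closing sentence, "Applying this baseline is equivalent to applying the Windows 10 steps covered in this article", repeats what the same paragraph already says ("will allow you to quickly configure all of the settings covered in this document"); one of the two can go. Moving the caveat that "some of the settings reduce the functionality and security configuration of your device" above the fold is the right call.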
@@ -1359,5 +1360,3 @@ You can turn off automatic updates by doing one of the following. This is not re - **5**. Turn off automatic updates. To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). - -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. From 6054eb2fff16a81ec8e16636c71cde81f4e50ec2 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Feb 2017 18:01:56 -0800 Subject: [PATCH 104/115] stub topic --- windows/deploy/update-compliance.md | 337 ++++++++++++++++++++++++++++ 1 file changed, 337 insertions(+) create mode 100644 windows/deploy/update-compliance.md diff --git a/windows/deploy/update-compliance.md b/windows/deploy/update-compliance.md new file mode 100644 index 0000000000..add6ebb4c5 --- /dev/null +++ b/windows/deploy/update-compliance.md 
@@ -0,0 +1,337 @@ +--- +title: Get started with Update Compliance (Windows 10) +description: Explains how to get started with Update Compliance. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Get started with Upgrade Compliance + +## Introduction + +With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsoft’s new servicing strategy: Windows as a Service. Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. +Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. +The main highlights of Update Compliance are: +• An overview of your organization’s devices that just works +• Dedicated drill-downs for devices that might need attention +• An inventory of devices, including the version of Windows they are running and their update status +• An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later) +• Powerful built-in Log Analytics to create useful custom queries +• Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure +  +## Update Compliance + +This topic explains the necessary steps to set up and prepare your environment for Windows Analytics: Update Compliance. The steps are broken down into sections that follow the recommended setup process: +1. Ensuring you meet the prerequisites +2. 
Adding Update Compliance to Microsoft Operations Management Suite +3. Deploying your Commercial ID to your organization’s devices + +Update Compliance Prerequisites +There are a few prerequisites for getting the most out of Update Compliance. +1) Update Compliance is only compatible with Windows 10 devices – currently, the solution is only meant to be used with desktop devices (Windows 10 workstations and laptops). +2) The solution requires Windows 10 telemetry to be enabled on all devices that are intended to be seen by the solution. These devices must have at least the basic level of telemetry enabled. To learn more about Windows telemetry, read this article on configuring Windows telemetry in your organization. +3) The telemetry of your organization’s Windows devices must make it to Microsoft. Microsoft has specified endpoints for different aspects of telemetry, which must be whitelisted by your organization so the data can make it to Microsoft. The following table was taken from the article on telemetry endpoints and summarizes what each endpoint is used for: +Service Endpoint +Connected User Experience and Telemetry component v10.vortex-win.data.microsoft.com +settings-win.data.microsoft.com +Windows Error Reporting watson.telemetry.microsoft.com +Online Crash Analysis oca.telemetry.microsoft.com + + +Add Update Compliance to Microsoft Operations Management Suite +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see Operations Management Suite overview. + +If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the Update Compliance tile in the gallery and then click Add on the solution's details page. Update Compliance is now visible in your workspace. + +If you are not yet using OMS: + + +1. 
Go to Operations Management Suite’s page on Microsoft.com and click Sign in. + + + +2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. + + +3. Create a new OMS workspace. + +4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select Create. + + +5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow this guide to create and link an Azure subscription to an OMS workspace. + + +6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. + +7. Select the Update Compliance tile in the gallery and then select Add on the solution’s details page. Note that you may need to scroll to find Update Compliance. The solution is now visible on your workspace. + +8. Click the Update Compliance tile to configure the solution. The Settings Dashboard opens. + +9. Click “Subscribe” to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. + + +After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. 
+ + +  +Deploy your Commercial ID to your Windows 10 devices +For your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: using Microsoft’s Group Policy (GP) and using Microsoft Mobile Device Management (MDM). + +Using Microsoft Group Policy (GP) +Deploying your Commercial ID using GP can be accomplished through Microsoft Group Policy Management Console (GPMC), or through an individual device’s Local Group Policy Editor. +1) From the user interface, navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds +2) Double-click Commercial ID +3) In the Options box, provide the Commercial ID GUID provided to you, and then click OK. + +Using Microsoft Mobile Device Management (MDM) +Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under Provider/ProviderID/CommercialID. More information on deployment through MDM can be found here.   +Use Update Compliance to monitor Windows Updates +This section details how to use Update Compliance to monitor update compliance and troubleshoot update failures across Windows 10 devices. +Based on telemetry gathered from user devices, Update Compliance forms an all-up view of your organization, allowing you to maintain a high-level perspective on the progress and status of updates across all your organization’s devices. +The Update Compliance workflow can be used to quickly identify which devices require attention. It can be used to view and track deployment compliance targets for updates, and it can be used to quickly assess the distribution of Windows 10 devices in your organization. 
+Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices. +In OMS, aspects to a given solution's dashboard are typically divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the data that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. +Within Update Compliance, we have these primary blades: +1. OS Update Overview +2. Overall Quality Update Status +3. Latest and Previous Security Update Status +4. Overall Feature Update Status +5. CB, CBB, LTSB Deployment Status +6. List of Queries + +  + +OS Update Overview +The first blade of OMS Update Compliance is the General OS Update Overview blade. This blade is divided into three sections: Device Summary, Needs Attention Summary, and Device Update Summary. + +The Device Summary displays the total number of devices in your organization. These devices have the commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days. The tile also shows the devices that Need Attention. +  +Needs Attention Summary +The Needs Attention Summary summarizes the devices that need attention. Devices that need attention are a subset of your total devices. There are multiple reasons why a device may need attention, so these reasons are categorized and summarized in this tile. This tile is interactive. The user will be taken to a table view showing details about the given device counts. 
+ +Needs Attention Definition + +Out of Support Total number of devices that are no longer receiving servicing updates +Update failed When a device has reported a failure at some stage in its update deployment process, it will report that the Update Failed. You can click on this to see the full set of devices with more details about the stage at which a failure was reported, when the device reported a failure, and other data. + +Missing 2+ Security Updates + Total number of devices that are missing two or more security updates +Update Progress Stalled Total number of devices where an update installation has been “in progress” for more than 7 days + +Needs Attention Categories +  +Update Status Summary +The update status summary summarizes your organization's devices per Microsoft's new terminology for identifying the status of your device as it fits into the Windows 10 Windows as a Service (WaaS) model. For more information about WaaS, see Microsoft’s overview article on WaaS. This is broken down into Current, Up-to-date, and Not up-to-date. + +Update Status Definition +Current and Up-to-date A device that is current is on the latest and greatest Microsoft offers. It is on the very newest feature update (ex. The Windows Anniversary Update, RS1), on the very latest quality update for its servicing branch. +Up-to-date A device that is up-to-date is on the latest quality update for its servicing option (CB, CBB, LTSB), and the device is running an OS that is supported by Microsoft. +Not up-to-date A device does not have the latest quality update for its servicing option. + +  +Overall Quality Update Status +OS Quality Update Status is the second blade in Update Compliance. It has a donut data tile and lists the breakdown of the Up-to-date status of devices pivoted on OS version. + +The donut tile offers a summary of all devices in your organization, divided into Up-to-date and Not up-to-date. Recall that devices that are current are also up-to-date. 
+ +The list view contains the breakdown of Up-to-date, Not up-to-date, and Update failed -- all pivoted on OS version (e.g., 1507, 1511, 1607). Clicking on any of the rows of this list view will display the OS Quality Update Summary Perspective for that OS version. + + +Latest and Previous Security Update Status + +We know that security updates are extremely important to your organization, so in addition to an overall view of Quality Updates, we surface deployment status for the latest two security updates specifically, for each supported OS Build Microsoft offers. + +For the latest security update, we show a doughnut chart for the counts – across all OS Builds – how many are installed, in progress/deferred, update failed, or have an unknown status relative to that update. Then, in the two table views below the doughnut, we offer that same breakdown for each OS Build Microsoft supports. Refer to the following definitions for clarifications on what each means. +Term Definition +OS Build The OS Build + Revision for the OS Version. The build + revision is a one-to-one mapping of the given security update in this context. +Version The OS Version that the OS Build corresponds to. +Installed The count of devices that have the given security update installed. In the case that the latest security update is not latest quality update (that is, an update has since released but it did not contain any security fixes), then devices that are on a newer update will also be counted. + +For the Previous security update, a device will show as “Installed” until it has at least installed the Latest security update. +In Progress or Deferred The count of devices that are either currently in the process of installing the given security update, or are deferring the install as per their WUFB policy. + +Note: All devices in this category for Previous Security Update Status are missing 2 or more security updates, and so will qualify as needing attention. 
+Update Failed The count of devices that were In Progress for the given security update, but failed at some point in the process. They will no longer be shown as “In Progress or deferred” in this case, and only be counted as “Update failed”. +Status Unknown If a device should be, in some way, progressing toward this security update, but it’s status cannot be inferred, it will count as “Status Unknown”. Devices not using Windows Update are the most likely devices to fall into this category. + + +  + +Overall Feature Update Status +Windows 10 has two main update types: Quality and Feature updates. The third blade in Update Compliance provides the most essential data about your organization’s devices for feature updates. + +Microsoft has developed terms to help specify the state of a given device for how it fits into the Windows as a Service (WaaS) model. There are three update states for a device: Current, Up-to-date, and Not up-to-date. Refer to the Update Status Summary section for definitions of these terms. + +This blade focuses around whether your devices are Current or not. +The devices are broken down by their OS Version (e.g., 1607), with a count as to how many are Current, how many are Not Current, and how many have Update Failures. Clicking on any of these will allow you to view all those devices, as well as select the “Update Deployment Status” perspective, shown and explained below.  +CB, CBB, LTSB Deployment Status +Following the overview of with respect to how Current your organization’s devices are, there are three tables that show feature update deployment for all devices. The devices are split up by which branch they are on, as this directly impacts whether they are supported (for example, 1607 may be supported under CBB, but not under CB). This allows you a quick glance at how deployment is progressing across your organization with respect to feature updates. + + +The three tables break down devices by Feature update. 
For each OS version, the following columns provide counts of the various states they can be in: +Deployment Status Description +Feature Update A concatenation of servicing branch (CB, CBB, LTSB) and OS Version (e.g., 1607) +Installed The number of devices that have reported to be on the given servicing train and feature update. +In progress The number of devices that have reported to be at some stage in the installation process for the given feature update. + +Example: Device X running CB 1507 could be installing CB 1607. In this example, X would count as both “Installed” for “CB 1507” and “In Progress” for “CB 1607”. +Scheduled next 7 days The total number of devices that are set to have a deferral period expire within 7 days, and after that deferral period expires are targeted to install the given update. + +Example: Device Y running CB 1507 could be scheduled to install CB 1607 in 5 days. In this example, X would count as both “Installed” for “CB 1507” and “Scheduled next 7 days” for “CB 1607” +Update Failed The total number of devices that were “In progress” with the installation for the given feature update, but encountered a failure. + +Example: Device X running CB 1507 could be installing CB 1607. X then encounters an error during installation. In this example, X would count as both “Installed” for “CB 1507” and “Update failed” for “CB 1607”, but not as “In progress” for “CB 1607”. +Status Unknown For devices not using Windows Update to get updates, some information on deployment progress cannot be known. It is possible to know the current installed Feature Update for a device, but not which devices are “In Progress”, “Scheduled next 7 days”, or devices with “Update Failed”. + +Devices that Update Compliance knows belongs to your organization, but it does not know update failures or installation progress, will be counted here. 
+ + + + + + + + + + +Quality Update Perspective + +The Quality Update Deployment Status perspective is a breakdown of the most essential data the user should know about the status of their devices with respect to being Up-to-date. The perspective shows a summary of the organization’s devices for one specific OS version, or build. + +  +Quality Update Build Summary + +The build summary blade attempts to summarize the most important data points to the user for the given build. It is divided into two sections. The first section is a summary of devices for that build – the total number of devices, and the amount that need attention. Each row within the table below is a breakdown of why each device requires attention. The rows can be interacted with to be taken to a larger table view that shows detailed information about all the devices that meet the given criteria. + +  +Quality Update Deferral Configurations + +The next blade is the Deferral configuration blade, which shows the WUFB Deferral configurations for all devices that are using WUFB and are reporting to Update Compliance. If no information can be gathered from a device or it is not configured to use WUFB, it will show up as “Not configured (-1)”. +  +Quality Update Deployment Status + +Under the three top-level blades is the deployment status for the newest quality update for the given build. It provides information on the revision number as well as how many days it has been since that revision has been released. What follows is a table of all the last reported states of devices deploying that quality update. +Deployment State Description +Update Completed When a device has finished the update process and is on the given update, it will display here as “Update completed”. +In Progress Devices “in progress” installing an update will fall within this category. This category is detailed in the following blade: “Detailed Deployment Status”. 
+Deferred If a device’s WUfB deferral policy dictates that it is not set to receive this update, the device will show as Update deferred. +Cancelled A device will report that the update has been cancelled if the user, at some point, cancelled the update on the device. +Blocked Devices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed. + +  +Quality Update Detailed Deployment Status + + +This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. Devices that are not managed using Windows Update (Windows Update for Business or otherwise) will not have detailed deployment information. +Here listed are all states a device may report: + +Detailed Deployment State Description +Update deferred The WUfB policy of the device dictates the update is deferred. +PreDownloadTasksPassed The device has finished all tasks necessary prior to downloading the update. +DownloadStarted The update has begun downloading on the device. +DownloadSucceeded The device has successfully downloaded the update. +PreInstallTasksPassed The device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update. +InstallStarted The device has begun installing the update. +RebootRequired The device has finished installing the update, and a reboot is required before the update can be completed. +RebootPending The device is pending a scheduled reboot before the update can be completed. +RebootInitiated The device has reported to have initiated the reboot process for completing the update. +Update completed The device has completed installing, rebooting, and applying the update. 
+Detailed Deployment Status categories + + + + +  +Feature Update Perspective + +Like Quality Updates, the Feature Update Deployment Status perspective is a breakdown of information most essential to the user. This information is viewed by clicking on a given build on the Feature Update Status blade and then navigating to the “Update Deployment Status” pane as displayed above. In Update Compliance, a perspective is assigned to a query; the query used to generate the perspective can be altered to show other information, if desired. +Every piece of data shown in this view can be clicked; when clicked, it will alter the query to focus only on the data you need. If the perspective is not meaningful after the query is altered, you can use the other data views like the List and Table. + + + + + +  +Feature Update Build Summary + +The Build Summary blade provides a summary for all devices on the given build. It gives a count of all devices, as well as a count of all devices that need attention. Below the counts, you can see why the devices need attention, with a count of devices that fall into each category. +Feature Update Deferral Configuration + +This blade shows all deferral configurations for the devices on the given build. Deferral configurations are WUfB-specific, and are shown as days. Some useful information regarding how deferral configurations are shown: +• The devices are grouped based off what their deferral policy is set at. For feature updates, this can be up to 120 days. +• A deferral of zero days means the device has WUfB configured, but is set to not defer the update. These devices will be under “0” for the Update Deferred field. +• Devices that are not configured to use WUfB deferral policies have a “-1” for their deferral days. In this table, the devices will show up as “Not Configured (-1)”. + +  +Feature Update Deployment Status + +As stated earlier in this section, the Feature Updates blade focused on how Current your devices are. 
A device is only Current when it is on the latest feature update and quality update Microsoft offers. Thus, the Deployment Status blade displays the deployment status for devices regarding their deployment to the latest feature update. +The blade breaks down the main states a device can be in through the deployment of a feature update. The possible states are as follows: +Deployment State Description +Update completed When a device has completely finished the update process and is on the given update, it will show up here as “Update completed”. +Inprogress Devices “in progress” of installing the given update will fall within this category. This category is iterated on with further granularity in the proceeding blade, “Detailed Deployment Status”. +Update deferred If a device’s WUfB deferral policy dictates that it is not set to receive this update yet, the device will show as Update deferred. +Cancelled A device will report that the update has been cancelled if the user, at some point, cancelled the update on the device. +Blocked Devices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed. +Deployment Status categories +  +Feature Update Detailed Deployment Status + +This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. +Here listed are all states a device may report: + +Detailed Deployment State Description +Update deferred The WUfB policy of the device dictates the update is deferred. +PreDownloadTasksPassed The device has finished all tasks necessary prior to downloading the update. +DownloadStarted The update has begun downloading on the device. 
+DownloadSucceeded The device has successfully downloaded the update. +PreInstallTasksPassed The device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update. +InstallStarted The device has begun installing the update. +RebootRequired The device has finished installing the update, and a reboot is required before the update can be completed. +RebootPending The device is pending a scheduled reboot before the update can be completed. +RebootInitiated The device has reported to have initiated the reboot process for completing the update. +Update completed The device has completed installing, rebooting, and applying the update. +Detailed Deployment Status categories  +List of Queries +Operations Management Suite leverages its powerful Log Analytics querying to perform all data calculations. For this blade, we provide examples of queries that show useful data to the user about their organization’s devices. + + +The following are the ‘Common queries’, with a description of the data provided: + +Query Title Description +OS Security Update Status This query provides an all-up view with respect to how many devices are on the latest security update for their OS version. The table will detail an aggregated count of the number of devices, out of the total (so count, or percent) are on the latest security update for their OS build. + +Update Deployment Failures This query provides a chart view, displaying an aggregation of all devices that have reported a deployment failure for either feature or quality updates. The aggregation of the data is on the given update for which a given device has reported a deployment failure. +Devices pending reboot to complete update This query will provide a table showing all devices that are at the stage of "Reboot Pending" In the update deployment process. 
+ +This query will show devices which are in this state for both feature and quality updates; the data will be organized on precisely which update the given device(s) are pending a reboot to install. +Servicing Option Distribution for the devices This query provides a chart view that aggregates all devices seen by the solution on for each servicing option available for Windows 10 devices (CB, CBB, LTSB) +OS Distribution for the devices This query provides a chart view displaying the distribution of the different editions of Windows 10 that devices seen by the solution are running (e.g., Enterprise, Professional, Education, etc.) +Deferral configurations for Feature Update This query provides a chart view which displays a breakdown of the different Feature Update deferral configurations through WUfB that the devices seen by the solution are using. + +The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer feature updates. -1 means the device has no feature update deferral policies configured. + +Pause configurations for Feature Update This query provides a chart view displaying the breakdown of devices that are either paused, or not paused for feature updates. + +“Not configured” means the device is not paused. “Paused” means it is currently paused. + +Deferral configurations for Quality Update This query provides a chart view which displays a breakdown of the different Quality Update deferral configurations through WUfB that the devices seen by the solution are using. + +The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer quality updates. -1 means the device has no quality update deferral policies configured. + +Pause configurations for Quality Update This query provides to a chart view displaying the breakdown of devices that are either paused, or not paused for quality updates. + +“Not configured” means the device is not paused. 
“Paused” means it is currently paused. + + + +Appendix +Architecture + +The following diagram summarizes the general flow of data between your devices and Update Compliance. + +After enabling Windows telemetry on your Windows 10 devices and ensuring that they are assigned your Commercial ID, (1) user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Update Compliance, telemetry data is analyzed by the Update Compliance Service (3) and pushed to your OMS workspace (4). You can then use the Update Compliance solution (5) to view Update compliance, track update deployment progress and troubleshoot matters that need your attention. + From 29f60783f3fcb4738aaa88f05ec3972156a25dda Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Feb 2017 18:02:58 -0800 Subject: [PATCH 105/115] removed again --- windows/deploy/update-compliance.md | 337 ---------------------------- 1 file changed, 337 deletions(-) delete mode 100644 windows/deploy/update-compliance.md diff --git a/windows/deploy/update-compliance.md b/windows/deploy/update-compliance.md deleted file mode 100644 index add6ebb4c5..0000000000 --- a/windows/deploy/update-compliance.md +++ /dev/null 
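Review bot: In the new `windows/deploy/update-compliance.md`, the H1 `# Get started with Upgrade Compliance` contradicts the front matter `title: Get started with Update Compliance (Windows 10)` and every later mention of the solution; change the heading to "Update Compliance". The same hunk pastes its tables as flat text rather than markdown tables, for example the telemetry endpoint list (`Connected User Experience and Telemetry component v10.vortex-win.data.microsoft.com` and the rows after it) and the Needs Attention, Update Status, Deployment Status and Detailed Deployment Status definitions, so none of them will render as tables; the endpoint list in particular is the allow-list an admin is expected to configure and needs a proper two-column Service / Endpoint table. The cross-references "read this article on configuring Windows telemetry in your organization", "follow this guide to create and link an Azure subscription to an OMS workspace" and "More information on deployment through MDM can be found here" carry no link targets. Smaller text fixes: the "Scheduled next 7 days" example introduces "Device Y" but then says "X would count"; "the proceeding blade" should be "the following blade"; "Inprogress" in the Feature Update Deployment Status table should be "In progress" to match the Quality Update table; the OS Update Overview intro names a "Device Update Summary" section while the section itself is headed "Update Status Summary"; and the prerequisites use "1) 2) 3)" where the rest of the page uses "1. 2. 3." numbering.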
@@ -1,337 +0,0 @@ ---- -title: Get started with Update Compliance (Windows 10) -description: Explains how to get started with Update Compliance. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Get started with Upgrade Compliance - -## Introduction - -With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsoft’s new servicing strategy: Windows as a Service. Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. -Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. -The main highlights of Update Compliance are: -• An overview of your organization’s devices that just works -• Dedicated drill-downs for devices that might need attention -• An inventory of devices, including the version of Windows they are running and their update status -• An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later) -• Powerful built-in Log Analytics to create useful custom queries -• Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure -  -## Update Compliance - -This topic explains the necessary steps to set up and prepare your environment for Windows Analytics: Update Compliance. The steps are broken down into sections that follow the recommended setup process: -1. Ensuring you meet the prerequisites -2. 
Adding Update Compliance to Microsoft Operations Management Suite -3. Deploying your Commercial ID to your organization’s devices - -Update Compliance Prerequisites -There are a few prerequisites for getting the most out of Update Compliance. -1) Update Compliance is only compatible with Windows 10 devices – currently, the solution is only meant to be used with desktop devices (Windows 10 workstations and laptops). -2) The solution requires Windows 10 telemetry to be enabled on all devices that are intended to be seen by the solution. These devices must have at least the basic level of telemetry enabled. To learn more about Windows telemetry, read this article on configuring Windows telemetry in your organization. -3) The telemetry of your organization’s Windows devices must make it to Microsoft. Microsoft has specified endpoints for different aspects of telemetry, which must be whitelisted by your organization so the data can make it to Microsoft. The following table was taken from the article on telemetry endpoints and summarizes what each endpoint is used for: -Service Endpoint -Connected User Experience and Telemetry component v10.vortex-win.data.microsoft.com -settings-win.data.microsoft.com -Windows Error Reporting watson.telemetry.microsoft.com -Online Crash Analysis oca.telemetry.microsoft.com - - -Add Update Compliance to Microsoft Operations Management Suite -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see Operations Management Suite overview. - -If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the Update Compliance tile in the gallery and then click Add on the solution's details page. Update Compliance is now visible in your workspace. - -If you are not yet using OMS: - - -1. 
Go to Operations Management Suite’s page on Microsoft.com and click Sign in. - - - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - - -3. Create a new OMS workspace. - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select Create. - - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow this guide to create and link an Azure subscription to an OMS workspace. - - -6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. - -7. Select the Update Compliance tile in the gallery and then select Add on the solution’s details page. Note that you may need to scroll to find Update Compliance. The solution is now visible on your workspace. - -8. Click the Update Compliance tile to configure the solution. The Settings Dashboard opens. - -9. Click “Subscribe” to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. - - -After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. 
- - -  -Deploy your Commercial ID to your Windows 10 devices -For your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: using Microsoft’s Group Policy (GP) and using Microsoft Mobile Device Management (MDM). - -Using Microsoft Group Policy (GP) -Deploying your Commercial ID using GP can be accomplished through Microsoft Group Policy Management Console (GPMC), or through an individual device’s Local Group Policy Editor. -1) From the user interface, navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds -2) Double-click Commercial ID -3) In the Options box, provide the Commercial ID GUID provided to you, and then click OK. - -Using Microsoft Mobile Device Management (MDM) -Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under Provider/ProviderID/CommercialID. More information on deployment through MDM can be found here.   -Use Update Compliance to monitor Windows Updates -This section details how to use Update Compliance to monitor update compliance and troubleshoot update failures across Windows 10 devices. -Based on telemetry gathered from user devices, Update Compliance forms an all-up view of your organization, allowing you to maintain a high-level perspective on the progress and status of updates across all your organization’s devices. -The Update Compliance workflow can be used to quickly identify which devices require attention. It can be used to view and track deployment compliance targets for updates, and it can be used to quickly assess the distribution of Windows 10 devices in your organization. 
-Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices. -In OMS, aspects to a given solution's dashboard are typically divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the data that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. -Within Update Compliance, we have these primary blades: -1. OS Update Overview -2. Overall Quality Update Status -3. Latest and Previous Security Update Status -4. Overall Feature Update Status -5. CB, CBB, LTSB Deployment Status -6. List of Queries - -  - -OS Update Overview -The first blade of OMS Update Compliance is the General OS Update Overview blade. This blade is divided into three sections: Device Summary, Needs Attention Summary, and Device Update Summary. - -The Device Summary displays the total number of devices in your organization. These devices have the commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days. The tile also shows the devices that Need Attention. -  -Needs Attention Summary -The Needs Attention Summary summarizes the devices that need attention. Devices that need attention are a subset of your total devices. There are multiple reasons why a device may need attention, so these reasons are categorized and summarized in this tile. This tile is interactive. The user will be taken to a table view showing details about the given device counts. 
- -Needs Attention Definition - -Out of Support Total number of devices that are no longer receiving servicing updates -Update failed When a device has reported a failure at some stage in its update deployment process, it will report that the Update Failed. You can click on this to see the full set of devices with more details about the stage at which a failure was reported, when the device reported a failure, and other data. - -Missing 2+ Security Updates - Total number of devices that are missing two or more security updates -Update Progress Stalled Total number of devices where an update installation has been “in progress” for more than 7 days - -Needs Attention Categories -  -Update Status Summary -The update status summary summarizes your organization's devices per Microsoft's new terminology for identifying the status of your device as it fits into the Windows 10 Windows as a Service (WaaS) model. For more information about WaaS, see Microsoft’s overview article on WaaS. This is broken down into Current, Up-to-date, and Not up-to-date. - -Update Status Definition -Current and Up-to-date A device that is current is on the latest and greatest Microsoft offers. It is on the very newest feature update (ex. The Windows Anniversary Update, RS1), on the very latest quality update for its servicing branch. -Up-to-date A device that is up-to-date is on the latest quality update for its servicing option (CB, CBB, LTSB), and the device is running an OS that is supported by Microsoft. -Not up-to-date A device does not have the latest quality update for its servicing option. - -  -Overall Quality Update Status -OS Quality Update Status is the second blade in Update Compliance. It has a donut data tile and lists the breakdown of the Up-to-date status of devices pivoted on OS version. - -The donut tile offers a summary of all devices in your organization, divided into Up-to-date and Not up-to-date. Recall that devices that are current are also up-to-date. 
- -The list view contains the breakdown of Up-to-date, Not up-to-date, and Update failed -- all pivoted on OS version (e.g., 1507, 1511, 1607). Clicking on any of the rows of this list view will display the OS Quality Update Summary Perspective for that OS version. - - -Latest and Previous Security Update Status - -We know that security updates are extremely important to your organization, so in addition to an overall view of Quality Updates, we surface deployment status for the latest two security updates specifically, for each supported OS Build Microsoft offers. - -For the latest security update, we show a doughnut chart for the counts – across all OS Builds – how many are installed, in progress/deferred, update failed, or have an unknown status relative to that update. Then, in the two table views below the doughnut, we offer that same breakdown for each OS Build Microsoft supports. Refer to the following definitions for clarifications on what each means. -Term Definition -OS Build The OS Build + Revision for the OS Version. The build + revision is a one-to-one mapping of the given security update in this context. -Version The OS Version that the OS Build corresponds to. -Installed The count of devices that have the given security update installed. In the case that the latest security update is not latest quality update (that is, an update has since released but it did not contain any security fixes), then devices that are on a newer update will also be counted. - -For the Previous security update, a device will show as “Installed” until it has at least installed the Latest security update. -In Progress or Deferred The count of devices that are either currently in the process of installing the given security update, or are deferring the install as per their WUFB policy. - -Note: All devices in this category for Previous Security Update Status are missing 2 or more security updates, and so will qualify as needing attention. 
-Update Failed The count of devices that were In Progress for the given security update, but failed at some point in the process. They will no longer be shown as “In Progress or deferred” in this case, and only be counted as “Update failed”. -Status Unknown If a device should be, in some way, progressing toward this security update, but it’s status cannot be inferred, it will count as “Status Unknown”. Devices not using Windows Update are the most likely devices to fall into this category. - - -  - -Overall Feature Update Status -Windows 10 has two main update types: Quality and Feature updates. The third blade in Update Compliance provides the most essential data about your organization’s devices for feature updates. - -Microsoft has developed terms to help specify the state of a given device for how it fits into the Windows as a Service (WaaS) model. There are three update states for a device: Current, Up-to-date, and Not up-to-date. Refer to the Update Status Summary section for definitions of these terms. - -This blade focuses around whether your devices are Current or not. -The devices are broken down by their OS Version (e.g., 1607), with a count as to how many are Current, how many are Not Current, and how many have Update Failures. Clicking on any of these will allow you to view all those devices, as well as select the “Update Deployment Status” perspective, shown and explained below.  -CB, CBB, LTSB Deployment Status -Following the overview of with respect to how Current your organization’s devices are, there are three tables that show feature update deployment for all devices. The devices are split up by which branch they are on, as this directly impacts whether they are supported (for example, 1607 may be supported under CBB, but not under CB). This allows you a quick glance at how deployment is progressing across your organization with respect to feature updates. - - -The three tables break down devices by Feature update. 
For each OS version, the following columns provide counts of the various states they can be in: -Deployment Status Description -Feature Update A concatenation of servicing branch (CB, CBB, LTSB) and OS Version (e.g., 1607) -Installed The number of devices that have reported to be on the given servicing train and feature update. -In progress The number of devices that have reported to be at some stage in the installation process for the given feature update. - -Example: Device X running CB 1507 could be installing CB 1607. In this example, X would count as both “Installed” for “CB 1507” and “In Progress” for “CB 1607”. -Scheduled next 7 days The total number of devices that are set to have a deferral period expire within 7 days, and after that deferral period expires are targeted to install the given update. - -Example: Device Y running CB 1507 could be scheduled to install CB 1607 in 5 days. In this example, X would count as both “Installed” for “CB 1507” and “Scheduled next 7 days” for “CB 1607” -Update Failed The total number of devices that were “In progress” with the installation for the given feature update, but encountered a failure. - -Example: Device X running CB 1507 could be installing CB 1607. X then encounters an error during installation. In this example, X would count as both “Installed” for “CB 1507” and “Update failed” for “CB 1607”, but not as “In progress” for “CB 1607”. -Status Unknown For devices not using Windows Update to get updates, some information on deployment progress cannot be known. It is possible to know the current installed Feature Update for a device, but not which devices are “In Progress”, “Scheduled next 7 days”, or devices with “Update Failed”. - -Devices that Update Compliance knows belongs to your organization, but it does not know update failures or installation progress, will be counted here. 
- - - - - - - - - - -Quality Update Perspective - -The Quality Update Deployment Status perspective is a breakdown of the most essential data the user should know about the status of their devices with respect to being Up-to-date. The perspective shows a summary of the organization’s devices for one specific OS version, or build. - -  -Quality Update Build Summary - -The build summary blade attempts to summarize the most important data points to the user for the given build. It is divided into two sections. The first section is a summary of devices for that build – the total number of devices, and the amount that need attention. Each row within the table below is a breakdown of why each device requires attention. The rows can be interacted with to be taken to a larger table view that shows detailed information about all the devices that meet the given criteria. - -  -Quality Update Deferral Configurations - -The next blade is the Deferral configuration blade, which shows the WUFB Deferral configurations for all devices that are using WUFB and are reporting to Update Compliance. If no information can be gathered from a device or it is not configured to use WUFB, it will show up as “Not configured (-1)”. -  -Quality Update Deployment Status - -Under the three top-level blades is the deployment status for the newest quality update for the given build. It provides information on the revision number as well as how many days it has been since that revision has been released. What follows is a table of all the last reported states of devices deploying that quality update. -Deployment State Description -Update Completed When a device has finished the update process and is on the given update, it will display here as “Update completed”. -In Progress Devices “in progress” installing an update will fall within this category. This category is detailed in the following blade: “Detailed Deployment Status”. 
-Deferred If a device’s WUfB deferral policy dictates that it is not set to receive this update, the device will show as Update deferred. -Cancelled A device will report that the update has been cancelled if the user, at some point, cancelled the update on the device. -Blocked Devices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed. - -  -Quality Update Detailed Deployment Status - - -This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. Devices that are not managed using Windows Update (Windows Update for Business or otherwise) will not have detailed deployment information. -Here listed are all states a device may report: - -Detailed Deployment State Description -Update deferred The WUfB policy of the device dictates the update is deferred. -PreDownloadTasksPassed The device has finished all tasks necessary prior to downloading the update. -DownloadStarted The update has begun downloading on the device. -DownloadSucceeded The device has successfully downloaded the update. -PreInstallTasksPassed The device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update. -InstallStarted The device has begun installing the update. -RebootRequired The device has finished installing the update, and a reboot is required before the update can be completed. -RebootPending The device is pending a scheduled reboot before the update can be completed. -RebootInitiated The device has reported to have initiated the reboot process for completing the update. -Update completed The device has completed installing, rebooting, and applying the update. 
-Detailed Deployment Status categories - - - - -  -Feature Update Perspective - -Like Quality Updates, the Feature Update Deployment Status perspective is a breakdown of information most essential to the user. This information is viewed by clicking on a given build on the Feature Update Status blade and then navigating to the “Update Deployment Status” pane as displayed above. In Update Compliance, a perspective is assigned to a query; the query used to generate the perspective can be altered to show other information, if desired. -Every piece of data shown in this view can be clicked; when clicked, it will alter the query to focus only on the data you need. If the perspective is not meaningful after the query is altered, you can use the other data views like the List and Table. - - - - - -  -Feature Update Build Summary - -The Build Summary blade provides a summary for all devices on the given build. It gives a count of all devices, as well as a count of all devices that need attention. Below the counts, you can see why the devices need attention, with a count of devices that fall into each category. -Feature Update Deferral Configuration - -This blade shows all deferral configurations for the devices on the given build. Deferral configurations are WUfB-specific, and are shown as days. Some useful information regarding how deferral configurations are shown: -• The devices are grouped based off what their deferral policy is set at. For feature updates, this can be up to 120 days. -• A deferral of zero days means the device has WUfB configured, but is set to not defer the update. These devices will be under “0” for the Update Deferred field. -• Devices that are not configured to use WUfB deferral policies have a “-1” for their deferral days. In this table, the devices will show up as “Not Configured (-1)”. - -  -Feature Update Deployment Status - -As stated earlier in this section, the Feature Updates blade focused on how Current your devices are. 
A device is only Current when it is on the latest feature update and quality update Microsoft offers. Thus, the Deployment Status blade displays the deployment status for devices regarding their deployment to the latest feature update. -The blade breaks down the main states a device can be in through the deployment of a feature update. The possible states are as follows: -Deployment State Description -Update completed When a device has completely finished the update process and is on the given update, it will show up here as “Update completed”. -Inprogress Devices “in progress” of installing the given update will fall within this category. This category is iterated on with further granularity in the proceeding blade, “Detailed Deployment Status”. -Update deferred If a device’s WUfB deferral policy dictates that it is not set to receive this update yet, the device will show as Update deferred. -Cancelled A device will report that the update has been cancelled if the user, at some point, cancelled the update on the device. -Blocked Devices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed. -Deployment Status categories -  -Feature Update Detailed Deployment Status - -This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. -Here listed are all states a device may report: - -Detailed Deployment State Description -Update deferred The WUfB policy of the device dictates the update is deferred. -PreDownloadTasksPassed The device has finished all tasks necessary prior to downloading the update. -DownloadStarted The update has begun downloading on the device. 
-DownloadSucceeded The device has successfully downloaded the update. -PreInstallTasksPassed The device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update. -InstallStarted The device has begun installing the update. -RebootRequired The device has finished installing the update, and a reboot is required before the update can be completed. -RebootPending The device is pending a scheduled reboot before the update can be completed. -RebootInitiated The device has reported to have initiated the reboot process for completing the update. -Update completed The device has completed installing, rebooting, and applying the update. -Detailed Deployment Status categories  -List of Queries -Operations Management Suite leverages its powerful Log Analytics querying to perform all data calculations. For this blade, we provide examples of queries that show useful data to the user about their organization’s devices. - - -The following are the ‘Common queries’, with a description of the data provided: - -Query Title Description -OS Security Update Status This query provides an all-up view with respect to how many devices are on the latest security update for their OS version. The table will detail an aggregated count of the number of devices, out of the total (so count, or percent) are on the latest security update for their OS build. - -Update Deployment Failures This query provides a chart view, displaying an aggregation of all devices that have reported a deployment failure for either feature or quality updates. The aggregation of the data is on the given update for which a given device has reported a deployment failure. -Devices pending reboot to complete update This query will provide a table showing all devices that are at the stage of "Reboot Pending" In the update deployment process. 
- -This query will show devices which are in this state for both feature and quality updates; the data will be organized on precisely which update the given device(s) are pending a reboot to install. -Servicing Option Distribution for the devices This query provides a chart view that aggregates all devices seen by the solution on for each servicing option available for Windows 10 devices (CB, CBB, LTSB) -OS Distribution for the devices This query provides a chart view displaying the distribution of the different editions of Windows 10 that devices seen by the solution are running (e.g., Enterprise, Professional, Education, etc.) -Deferral configurations for Feature Update This query provides a chart view which displays a breakdown of the different Feature Update deferral configurations through WUfB that the devices seen by the solution are using. - -The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer feature updates. -1 means the device has no feature update deferral policies configured. - -Pause configurations for Feature Update This query provides a chart view displaying the breakdown of devices that are either paused, or not paused for feature updates. - -“Not configured” means the device is not paused. “Paused” means it is currently paused. - -Deferral configurations for Quality Update This query provides a chart view which displays a breakdown of the different Quality Update deferral configurations through WUfB that the devices seen by the solution are using. - -The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer quality updates. -1 means the device has no quality update deferral policies configured. - -Pause configurations for Quality Update This query provides to a chart view displaying the breakdown of devices that are either paused, or not paused for quality updates. - -“Not configured” means the device is not paused. 
“Paused” means it is currently paused. - - - -Appendix -Architecture - -The following diagram summarizes the general flow of data between your devices and Update Compliance. - -After enabling Windows telemetry on your Windows 10 devices and ensuring that they are assigned your Commercial ID, (1) user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Update Compliance, telemetry data is analyzed by the Update Compliance Service (3) and pushed to your OMS workspace (4). You can then use the Update Compliance solution (5) to view Update compliance, track update deployment progress and troubleshoot matters that need your attention. - From 20f539c21c638cef902061adc7f8f6e5d112a0c9 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 2 Feb 2017 21:18:51 -0800 Subject: [PATCH 106/115] Added missing backticks --- ...deploy-catalog-files-to-support-code-integrity-policies.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md index ba8e5d4999..898731c8d2 100644 --- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md 
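Review bot: a removal this large needs a pointer to where the Update Compliance material now lives; this hunk deletes the whole walkthrough (OMS sign-in and Commercial ID deployment through the blade descriptions, the query list and the Architecture appendix) and adds nothing in its place, so the commit should state the new location and the TOC and any cross-links to the section should be updated in the same change so readers are not left with dead references.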
@@ -124,8 +124,6 @@ To sign the existing catalog file, copy each of the following commands into an e After the catalog file is signed, add the signing certificate to a code integrity policy, as described in the following steps. - - 1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. 2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a code integrity policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: @@ -134,7 +132,7 @@ After the catalog file is signed, add the signing certificate to a code integrit > **Note**  Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. -3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for ** and **: +3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for `` and ``: ` Add-SignerRule -FilePath -CertificatePath -User ` From 3f472177e6cfcbdc289bb0150cc6e9f0c6e023f2 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 3 Feb 2017 15:44:53 -0800 Subject: [PATCH 107/115] Create windows-libraries.md Derived from this older topic: https://technet.microsoft.com/en-us/library/dd744693(v=ws.10).aspx --- windows/manage/windows-libraries.md | 129 ++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 windows/manage/windows-libraries.md 
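Review bot: on the changed step 3 line the two inline code spans render empty (`` and ``), and the command line beneath it shows `-FilePath` and `-CertificatePath` with no values, so confirm the placeholder names actually survive inside the backticks after this change rather than only the delimiters; the same command is wrapped in single backticks with a leading and trailing space (` Add-SignerRule -FilePath -CertificatePath -User `), which renders as a stray-spaced inline span, so a fenced code block (or at least trimming the spaces) would be cleaner for a command the reader is meant to copy.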
diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md new file mode 100644 index 0000000000..d65aba09be --- /dev/null +++ b/windows/manage/windows-libraries.md 
@@ -0,0 +1,129 @@ +--- +ms.assetid: e68cd672-9dea-4ff8-b725-a915f33d8fd2 +title: Windows Libraries +ms.prod: windows-server-threshold +ms.author: jgerend +ms.manager: dongill +ms.technology: storage +ms.topic: article +author: jasongerend +ms.date: 2/3/2017 +description: +--- +> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 + +# Windows Libraries + +Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. + +## Features for Users + +Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: +- Aggregate content from multiple storage locations into a single, unified presentation. +- Enable users to stack and group library contents based on metadata. +- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. +- Support customized filter search suggestions, based on the types of files contained in the library. +- Enable users to create new libraries and specify which folders they want to include. + +## Features for Administrators + +Administrators can configure and control Windows libraries in the following ways: +- Create custom libraries by creating and deploying Library Description (*.library-ms) files. +- Hide or delete the default libraries. (The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.) 
+- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. +- Specify locations to include in a library. +- Remove a default location from a library. +- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. + +## More about Libraries + +The following is important information about libraries you may need to understand to successfully manage your enterprise. + +### Library Contents + +Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. + +### Default Libraries and Known Folders + +The default libraries include: +- Documents +- Music +- Pictures +- Videos + +Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location. 
+ +### Hiding Default Libraries + +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions. + +### Default Save Locations for Libraries + +Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. +If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails. + +### Indexing Requirements and “Basic” Libraries + +Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality: +- No support for metadata browsing via **Arrange By** views. +- Grep-only searches. +- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. +- No support for searching from the Start menu. Start menu searches do not return files from basic libraries. +- No previews of file snippets for search results returned in Content mode. 
+ +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. + +For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations). + +If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx). + +### Folder Redirection + +While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. 
These settings are configured on the server side. + +### Supported storage locations + +The following table show which locations are supported in Windows libraries. + +|Supported Locations|Unsupported Locations| +|---|---| +|Fixed local volumes (NTFS/FAT)|Removable drives| +|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)| +|Network shares that are accessible through DFS Namespaces or are part of a failover cluster|Shares that are available offline (redirected folders that use Offline Files)| +|Network shares that aren't available offline or remotely indexed|NAS Drives| +||Other data sources: SharePoint, Exchange, etc.| + +\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: + +- Expected maximum load is four concurrent query requests. +- Expected indexing corpus is a maximum of one million documents. +- Users directly access the server. That is, the server is not made available through DFS Namespaces. +- Users are not redirected to another server in case of failure. That is, server clusters are not used. + +### Library Attributes + +The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): +- Name +- Library locations +- Order of library locations +- Default save location + +The library icon can be modified by the administrator or user by directly editing the Library Description schema file. + +See the [Library Description Schema](http://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files. 
+ +## See also + +### Concepts + +- [Windows Search Features ](https://technet.microsoft.com/library/dd744686.aspx) +- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx) +- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx) +- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx) +- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx) +- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx) + +### Other resources + +- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx) +- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx) From b1b4dbdb7c11fcb6b4cad7ae35168d11f05cc2cd Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 3 Feb 2017 15:54:13 -0800 Subject: [PATCH 108/115] Update windows-libraries.md --- windows/manage/windows-libraries.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md index d65aba09be..6d3460b637 100644 --- a/windows/manage/windows-libraries.md +++ b/windows/manage/windows-libraries.md @@ -88,9 +88,8 @@ The following table show which locations are supported in Windows libraries. |Supported Locations|Unsupported Locations| |---|---| |Fixed local volumes (NTFS/FAT)|Removable drives| -|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)| -|Network shares that are accessible through DFS Namespaces or are part of a failover cluster|Shares that are available offline (redirected folders that use Offline Files)| -|Network shares that aren't available offline or remotely indexed|NAS Drives| +|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| +|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| ||Other data sources: SharePoint, Exchange, etc.| \* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: From c77b871da65378be88d27eb1f23f48e11ef0813e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 3 Feb 2017 16:09:06 -0800 Subject: [PATCH 109/115] Revert "Create windows-libraries.md" --- windows/manage/windows-libraries.md | 128 ---------------------------- 1 file changed, 128 deletions(-) delete mode 100644 windows/manage/windows-libraries.md diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md deleted file mode 100644 index 6d3460b637..0000000000 --- a/windows/manage/windows-libraries.md +++ /dev/null 
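Review bot: In the "Supported storage locations" hunk of PATCH 108, both rewritten rows carry a literal line break inside a table cell: "Removable media (such as DVDs)" loses its closing pipe and "Network shares that are accessible through DFS Namespaces ..." continues on a new line without a leading pipe, and the same happens with "Network shares that aren't available offline or remotely indexed" / "Network Attached Storage (NAS) devices". Markdown tables do not accept a newline inside a cell, so each of these rows will render as broken text instead of two cells; give each entry its own `|...|...|` row, or join the two entries in one cell with `<br>`. The reclassification itself is sound and should be kept: moving "Shares that are available offline (redirected folders that use Offline Files)" to Supported agrees with the Folder Redirection paragraph earlier in the file, which says a destination that is always available offline keeps full library functionality, and moving DFS Namespace and failover-cluster shares to Unsupported agrees with the footnote's requirement that users access the server directly.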
@@ -1,128 +0,0 @@ ---- -ms.assetid: e68cd672-9dea-4ff8-b725-a915f33d8fd2 -title: Windows Libraries -ms.prod: windows-server-threshold -ms.author: jgerend -ms.manager: dongill -ms.technology: storage -ms.topic: article -author: jasongerend -ms.date: 2/3/2017 -description: ---- -> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - -# Windows Libraries - -Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. - -## Features for Users - -Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: -- Aggregate content from multiple storage locations into a single, unified presentation. -- Enable users to stack and group library contents based on metadata. -- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. -- Support customized filter search suggestions, based on the types of files contained in the library. -- Enable users to create new libraries and specify which folders they want to include. - -## Features for Administrators - -Administrators can configure and control Windows libraries in the following ways: -- Create custom libraries by creating and deploying Library Description (*.library-ms) files. -- Hide or delete the default libraries. (The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.) 
-- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. -- Specify locations to include in a library. -- Remove a default location from a library. -- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. - -## More about Libraries - -The following is important information about libraries you may need to understand to successfully manage your enterprise. - -### Library Contents - -Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. - -### Default Libraries and Known Folders - -The default libraries include: -- Documents -- Music -- Pictures -- Videos - -Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location. 
- -### Hiding Default Libraries - -Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions. - -### Default Save Locations for Libraries - -Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. -If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails. - -### Indexing Requirements and “Basic” Libraries - -Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality: -- No support for metadata browsing via **Arrange By** views. -- Grep-only searches. -- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. -- No support for searching from the Start menu. Start menu searches do not return files from basic libraries. -- No previews of file snippets for search results returned in Content mode. 
- -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. - -For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations). - -If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx). - -### Folder Redirection - -While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. 
These settings are configured on the server side. - -### Supported storage locations - -The following table show which locations are supported in Windows libraries. - -|Supported Locations|Unsupported Locations| -|---|---| -|Fixed local volumes (NTFS/FAT)|Removable drives| -|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| -|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| -||Other data sources: SharePoint, Exchange, etc.| - -\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: - -- Expected maximum load is four concurrent query requests. -- Expected indexing corpus is a maximum of one million documents. -- Users directly access the server. That is, the server is not made available through DFS Namespaces. -- Users are not redirected to another server in case of failure. That is, server clusters are not used. - -### Library Attributes - -The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): -- Name -- Library locations -- Order of library locations -- Default save location - -The library icon can be modified by the administrator or user by directly editing the Library Description schema file. - -See the [Library Description Schema](http://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files. 
- -## See also - -### Concepts - -- [Windows Search Features ](https://technet.microsoft.com/library/dd744686.aspx) -- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx) -- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx) -- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx) -- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx) -- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx) - -### Other resources - -- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx) -- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx) From 4d84b705cc9c89faf39df2f3497f1b297e2d7722 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 3 Feb 2017 18:19:49 -0800 Subject: [PATCH 110/115] Responded to a customer comment re what's new --- windows/keep-secure/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 2ffb869b8f..e3d23d3102 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md 
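Review bot: The revert in PATCH 109 deletes the file in its post-PATCH 108 state (the removed lines include the reworked table rows with the embedded line breaks), not only the content the subject line "Create windows-libraries.md" names, so the fix to the support table goes with it. If the goal was to repair the table, editing those rows in place is cheaper than delete-and-recreate, and any later re-add of this file will bring the unterminated cells back unless the rows are corrected first.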
@@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen ## New and changed functionality -To find out what's new in BitLocker for Windows 10, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." +To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."   ## System requirements From 088a59b5b47b266f1209ce1349c5baad3d9eb565 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Mon, 6 Feb 2017 12:55:21 -0800 Subject: [PATCH 111/115] Delete outdated text re TPM cmdlets --- windows/keep-secure/change-the-tpm-owner-password.md | 5 +---- .../initialize-and-configure-ownership-of-the-tpm.md | 8 ++------ windows/keep-secure/manage-tpm-commands.md | 6 +----- windows/keep-secure/manage-tpm-lockout.md | 6 +----- windows/keep-secure/tpm-fundamentals.md | 6 +----- 5 files changed, 6 insertions(+), 25 deletions(-) diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index a8b0e386d3..16b63a490e 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md 
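Review bot: The added clause "such as support for the XTS-AES encryption algorithm" would be more useful with the version in which it arrived, because the linked topic covers both 1507 and 1511: XTS-AES became available in Windows 10, version 1511. Since volumes encrypted with XTS-AES cannot be unlocked by earlier Windows versions, a pointer to that compatibility constraint belongs next to this sentence or in the linked section, so administrators running mixed-version fleets do not change the default cipher without checking. Separately, the unchanged context line before "## System requirements" contains a no-break space (it surfaces as "Â " in this extraction); replace it with a plain blank line while the file is open.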
@@ -44,10 +44,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 013355ffa6..813dde388c 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md @@ -27,7 +27,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi - [Turn on or turn off the TPM](#turn-on-or-turn-off) -This topic also provides information about [using the TPM cmdlets](#use-the-tpm-cmdlets). +For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## About TPM initialization and ownership 
@@ -150,11 +150,7 @@ If you want to stop using the services that are provided by the TPM, you can use ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: - -`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 71f3c2229e..c95d30f931 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md @@ -77,11 +77,7 @@ The following procedures describe how to manage the TPM command lists. You must ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: - -`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index 3f5e966157..76b1ee2bae 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md 
@@ -78,11 +78,7 @@ For information about mitigating dictionary attacks that use the lockout setting ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: - -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index efb080c89c..044bb0c1be 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md @@ -67,11 +67,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr ## TPM Cmdlets -If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: - -`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Physical presence interface From 6adbbad69d88543020b5daa8e6edf19703900ce4 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Mon, 6 Feb 2017 15:21:17 -0800 Subject: [PATCH 112/115] Updated Windows Libraries file --- windows/manage/windows-libraries.md | 128 ++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 windows/manage/windows-libraries.md 
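Review bot: Dropping the `dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` step from all five topics in PATCH 111 is only correct for Windows versions where the TrustedPlatformModule module is present by default; on Windows 8 and Windows Server 2012 the TPM cmdlets were an optional feature enabled by exactly that command, so check each topic's "Applies to" line and, where those versions are still listed, keep the command with a version qualifier instead of deleting it. Two smaller points: in initialize-and-configure-ownership-of-the-tpm.md the first hunk replaces the in-page anchor "[using the TPM cmdlets](#use-the-tpm-cmdlets)" with the external link, while the later hunk keeps the "## Use the TPM cmdlets" section, which now consists of one sentence that is itself only that link; either keep the in-page anchor or fold the section into "Related topics" in all five files (tpm-fundamentals.md also spells the heading "## TPM Cmdlets", unlike the others). The replacement sentence links to http://technet.microsoft.com/library/jj603116.aspx; the other technet links in this series are https, so use https here as well.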
diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md new file mode 100644 index 0000000000..1608798dce --- /dev/null +++ b/windows/manage/windows-libraries.md 
@@ -0,0 +1,128 @@ +--- +ms.assetid: e68cd672-9dea-4ff8-b725-a915f33d8fd2 +title: Windows Libraries +ms.prod: windows-server-threshold +ms.author: jgerend +ms.manager: dongill +ms.technology: storage +ms.topic: article +author: jasongerend +ms.date: 2/6/2017 +description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. +--- +> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 + +# Windows Libraries + +Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. + +## Features for Users + +Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users: +- Aggregate content from multiple storage locations into a single, unified presentation. +- Enable users to stack and group library contents based on metadata. +- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. +- Support customized filter search suggestions, based on the types of files contained in the library. +- Enable users to create new libraries and specify which folders they want to include. + +## Features for Administrators + +Administrators can configure and control Windows libraries in the following ways: +- Create custom libraries by creating and deploying Library Description (*.library-ms) files. +- Hide or delete the default libraries. 
(The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.) +- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. +- Specify locations to include in a library. +- Remove a default location from a library. +- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. + +## More about Libraries + +The following is important information about libraries you may need to understand to successfully manage your enterprise. + +### Library Contents + +Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. + +### Default Libraries and Known Folders + +The default libraries include: +- Documents +- Music +- Pictures +- Videos + +Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location. 
+ +### Hiding Default Libraries + +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions. + +### Default Save Locations for Libraries + +Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. +If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails. + +### Indexing Requirements and “Basic” Libraries + +Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality: +- No support for metadata browsing via **Arrange By** views. +- Grep-only searches. +- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. +- No support for searching from the Start menu. Start menu searches do not return files from basic libraries. +- No previews of file snippets for search results returned in Content mode. 
+ +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. + +For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations). + +If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx). + +### Folder Redirection + +While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. 
These settings are configured on the server side. + +### Supported storage locations + +The following table show which locations are supported in Windows libraries. + +|Supported Locations|Unsupported Locations| +|---|---| +|Fixed local volumes (NTFS/FAT)|Removable drives| +|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| +|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| +||Other data sources: SharePoint, Exchange, etc.| + +\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: + +- Expected maximum load is four concurrent query requests. +- Expected indexing corpus is a maximum of one million documents. +- Users directly access the server. That is, the server is not made available through DFS Namespaces. +- Users are not redirected to another server in case of failure. That is, server clusters are not used. + +### Library Attributes + +The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): +- Name +- Library locations +- Order of library locations +- Default save location + +The library icon can be modified by the administrator or user by directly editing the Library Description schema file. + +See the [Library Description Schema](http://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files. 
+ +## See also + +### Concepts + +- [Windows Search Features ](https://technet.microsoft.com/library/dd744686.aspx) +- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx) +- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx) +- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx) +- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx) +- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx) + +### Other resources + +- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx) +- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx) From 0b178ca1ef17ca8b186183e413008969f04dc7fc Mon Sep 17 00:00:00 2001 From: mamtakumar Date: Mon, 6 Feb 2017 15:33:07 -0800 Subject: [PATCH 113/115] Update mbam-25-supported-configurations.md Updated SQL Server database requirements table to include 1 new row at the top for support for SQL 2014 SP2 --- mdop/mbam-v25/mbam-25-supported-configurations.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 38cf7a85aa..7f215f9a1a 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -338,6 +338,12 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll + +

Microsoft SQL Server 2014

+

Standard, Enterprise, or Datacenter

+

SP2

+

64-bit

+

Microsoft SQL Server 2014

Standard, Enterprise, or Datacenter

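Review bot: in the Windows libraries hunk (the new file ending with the "See also" list), the Group Policy link in the Indexing Requirements section is mis-scoped: the link text stops at "rely on indexed file" and the word "data" falls outside the brackets, so the rendered policy name is wrong; it should read `[Turn off Windows Libraries features that rely on indexed file data](...)`. Two smaller points in the same hunk: "The following table show which locations" should be "shows", and "Library Description Schema" is linked through a go.microsoft.com fwlink in the Library Attributes section but through the msdn.microsoft.com URL under "Other resources"; use one URL. Because "Always available offline" places a local copy of a remote folder's files on the client, a sentence noting that those cached copies are then only as protected as the endpoint's disk would help readers weighing Offline Files against leaving a library in basic mode.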
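Review bot: the new SQL Server 2014 row in mbam-25-supported-configurations.md matches the existing "Microsoft SQL Server 2014 / Standard, Enterprise, or Datacenter" row that follows it in every visible cell except the service-pack cell ("SP2"), so a reader cannot tell whether SQL 2014 SP2 is supported by every MBAM 2.5 build or only from a particular release; add a footnote or a remark in the service-pack cell naming the first MBAM 2.5 release that supports SQL 2014 SP2, and if both service packs stay supported consider collapsing the two rows into one to avoid the near-duplicate.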
From 2be8f358e3dd889df6ee4280ad49d5708aef3bb2 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 7 Feb 2017 14:38:21 -0800 Subject: [PATCH 114/115] Added an intro to provide more context --- ...options-for-app-related-security-policies.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md index 0f98929851..b686486083 100644 --- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md 
@@ -17,7 +17,22 @@ ms.sitesec: library - Windows 10, version 1607 - Windows Server 2016 -Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. +Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code. + +> [!IMPORTANT] +> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization’s required apps. + +The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: + +- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention). + +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. 
+ +- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization). + + To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. + +The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. **To modify Process Mitigation Options** From 31959bed942d63d9e76eae3d3ab1eea204bc4128 Mon Sep 17 00:00:00 2001 From: RamonArjona4 Date: Wed, 8 Feb 2017 10:50:12 -0800 Subject: [PATCH 115/115] Azure IaaS support Update supported versions to clarify Azure IaaS support. --- mdop/mbam-v25/mbam-25-supported-configurations.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 7f215f9a1a..8f148097cf 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -573,7 +573,11 @@ The following table lists the operating systems that are supported for MBAM Grou -  +## MBAM In Azure IaaS + +The MBAM server can be deployed in Azure Infrastructure as a Service (IaaS) on any of the supported OS versions listed above, connecting to an Active Directory hosted on premises or an Active Directory also hosted in Azure IaaS. Documentation for setting up and configuring Active Directory on Azure IaaS is [here](https://msdn.microsoft.com/en-us/library/azure/jj156090.aspx). + +The MBAM client is not supported on virtual machines and is also not supported on Azure IaaS. ## Got a suggestion for MBAM?
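Review bot: in the override-mitigation-options hunk, the statement that "all three types are on by default for 64-bit applications" needs qualifying for SEHOP, which the same hunk describes as blocking SEH overwrite exploits: that technique targets the frame-based exception-handler chain of 32-bit (x86) code, while 64-bit code uses table-based unwinding, so SEHOP is not a 64-bit default in the way DEP and ASLR are; either restrict the sentence to DEP and ASLR or state SEHOP's scope explicitly. Also, the DEP and ASLR bullets each link to their section in windows-10-security-guide.md while the SEHOP bullet has no link; add one for consistency, and "mitigate against malware" in the ASLR bullet reads better as "mitigate malware".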
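Review bot: in the Azure IaaS hunk, the sentence "The MBAM client is not supported on virtual machines and is also not supported on Azure IaaS" states the restriction without its scope or reason; say whether it covers every hypervisor (on-premises Hyper-V included) rather than only Azure, and briefly why, since administrators piloting MBAM clients in VM-based labs will otherwise read it as an Azure-only limitation. Two style points: "[here]" is non-descriptive link text (use the target's title, for example "[configuring Active Directory on Azure IaaS](...)"), and the URL carries an "en-us" locale segment that the other links in this patch series omit. The heading "## MBAM In Azure IaaS" also capitalizes "In"; sentence-style casing ("MBAM in Azure IaaS") matches "## Got a suggestion for MBAM?" directly below it.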