From 4aa19482d1ecfa40614b55990e5ec76fc52c65fb Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 22 Dec 2023 10:44:53 -0500 Subject: [PATCH] refresh --- .../hello-for-business/configure.md | 145 ++++++++ .../hello-for-business/deploy/cloud.md | 27 +- .../deploy/hybrid-cert-trust-adfs.md | 8 +- .../deploy/hybrid-cert-trust-enroll.md | 6 - .../deploy/hybrid-cert-trust-pki.md | 14 +- .../deploy/hybrid-cert-trust.md | 18 +- .../hybrid-cloud-kerberos-trust-enroll.md | 6 +- .../deploy/hybrid-cloud-kerberos-trust.md | 18 +- .../deploy/hybrid-key-trust-enroll.md | 6 +- .../deploy/hybrid-key-trust-pki.md | 15 +- .../deploy/hybrid-key-trust.md | 52 ++- .../includes/adfs-additional-servers.md | 95 +++++ .../deploy/includes/adfs-deploy.md | 95 +++++ .../adfs-mfa.md} | 19 +- .../deploy/includes/adfs-validate.md | 47 +++ ....md => apply-to-on-premises-cert-trust.md} | 2 +- .../includes/auth-certificate-template.md | 83 ----- .../includes/certificate-template-auth.md | 64 ++++ ...template.md => certificate-template-dc.md} | 0 .../certificate-template-enrollment-agent.md | 53 +++ ....md => certificate-template-web-server.md} | 0 .../includes/dc-certificate-deployment.md | 1 - .../includes/dc-certificate-validate.md | 18 +- .../enrollment-agent-certificate-template.md | 79 ---- .../deploy/includes/intro.md | 2 +- .../includes/tooltip-deployment-cloud.md | 2 +- .../includes/tooltip-deployment-hybrid.md | 2 +- .../includes/tooltip-deployment-onpremises.md | 2 +- .../deploy/includes/tooltip-join-domain.md | 2 +- .../deploy/includes/tooltip-join-entra.md | 2 +- .../deploy/includes/tooltip-join-hybrid.md | 2 +- .../deploy/includes/tooltip-trust-cert.md | 2 +- .../includes/tooltip-trust-cloud-kerberos.md | 2 +- .../deploy/includes/tooltip-trust-key.md | 2 +- .../hello-for-business/deploy/index.md | 222 +++++++++--- .../deploy/on-premises-cert-trust-adfs.md | 310 +++------------- .../deploy/on-premises-cert-trust-enroll.md | 14 +- .../deploy/on-premises-cert-trust-mfa.md | 31 -- 
.../deploy/on-premises-cert-trust-pki.md | 20 +- .../deploy/on-premises-cert-trust.md | 25 +- .../deploy/on-premises-key-trust-adfs.md | 256 +------------ .../deploy/on-premises-key-trust-pki.md | 15 +- .../deploy/on-premises-key-trust.md | 15 +- .../hello-for-business/deploy/requirements.md | 55 --- .../hello-for-business/deploy/toc.yml | 12 +- ...how-it-works-technology.md => glossary.md} | 243 +------------ .../hello-and-password-changes.md | 33 -- .../hello-biometrics-in-enterprise.md | 88 ----- .../hello-deployment-issues.md | 4 - .../hello-for-business/hello-faq.yml | 4 +- .../hello-for-business/hello-how-it-works.md | 54 --- .../hello-hybrid-aadj-sso-cert.md | 8 +- .../hello-hybrid-aadj-sso.md | 2 - .../hello-manage-in-organization.md | 103 ------ .../hello-planning-guide.md | 342 ------------------ .../hello-prepare-people-to-use.md | 54 --- .../hello-why-pin-is-better-than-password.md | 68 ---- ...tion.md => how-it-works-authentication.md} | 14 - ...ioning.md => how-it-works-provisioning.md} | 0 .../hello-for-business/how-it-works.md | 84 +++++ .../hello-for-business/images/fingerprint.svg | 3 + .../hello-for-business/images/hello.svg | 3 + .../images/hellosettings.png | Bin 57498 -> 0 bytes .../hello-for-business/images/iris.svg | 3 + .../images/multifactorUnlock/gp-setting.png | Bin 39725 -> 0 bytes .../images/multifactorUnlock/gpme.png | Bin 114371 -> 0 bytes .../hello-for-business/images/pin.svg | 3 + .../hello-for-business/images/smartcard.svg | 3 + ...on-of-emulated-smart-card-for-all-users.md | 17 + .../configure-device-unlock-factors.md | 19 + .../configure-dynamic-lock-factors.md | 18 + .../configure-enhanced-anti-spoofing.md | 20 + .../enable-ess-with-supported-peripherals.md | 25 ++ .../hello-for-business/includes/expiration.md | 17 + .../hello-for-business/includes/history.md | 20 + .../includes/maximum-pin-length.md | 20 + .../includes/minimum-pin-length.md | 21 ++ .../includes/require-digits.md | 19 + .../includes/require-lowercase-letters.md 
| 19 + .../includes/require-special-characters.md | 25 ++ .../includes/require-uppercase-letters.md | 19 + .../includes/turn-off-smart-card-emulation.md | 21 ++ .../use-a-hardware-security-device.md | 20 + .../includes/use-biometrics.md | 21 ++ ...tificate-for-on-premises-authentication.md | 18 + ...ud-trust-for-on-premises-authentication.md | 21 ++ .../includes/use-pin-recovery.md | 24 ++ ...certificates-as-smart-card-certificates.md | 20 + .../use-windows-hello-for-business.md | 22 ++ .../hello-for-business/index.md | 193 ++++++++-- ...factor-unlock.md => multifactor-unlock.md} | 83 +++-- .../hello-for-business/pin-reset.md | 4 - .../hello-for-business/policy-settings.md | 85 +++++ .../hello-for-business/rdp-sign-in.md | 11 +- .../hello-for-business/toc.yml | 51 +-- 95 files changed, 1709 insertions(+), 2126 deletions(-) create mode 100644 windows/security/identity-protection/hello-for-business/configure.md create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md rename windows/security/identity-protection/hello-for-business/deploy/{on-premises-key-trust-mfa.md => includes/adfs-mfa.md} (56%) create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md rename windows/security/identity-protection/hello-for-business/deploy/includes/{apply-to-on-premises-cert-trust-entra.md => apply-to-on-premises-cert-trust.md} (98%) delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md create mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md rename windows/security/identity-protection/hello-for-business/deploy/includes/{dc-certificate-template.md => certificate-template-dc.md} (100%) create mode 100644 
windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md rename windows/security/identity-protection/hello-for-business/deploy/includes/{web-server-certificate-template.md => certificate-template-web-server.md} (100%) delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/requirements.md rename windows/security/identity-protection/hello-for-business/{hello-how-it-works-technology.md => glossary.md} (68%) delete mode 100644 windows/security/identity-protection/hello-for-business/hello-and-password-changes.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-how-it-works.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-planning-guide.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md rename windows/security/identity-protection/hello-for-business/{hello-how-it-works-authentication.md => how-it-works-authentication.md} (97%) rename windows/security/identity-protection/hello-for-business/{hello-how-it-works-provisioning.md => how-it-works-provisioning.md} (100%) create mode 100644 windows/security/identity-protection/hello-for-business/how-it-works.md create mode 100644 windows/security/identity-protection/hello-for-business/images/fingerprint.svg create mode 100644 
windows/security/identity-protection/hello-for-business/images/hello.svg delete mode 100644 windows/security/identity-protection/hello-for-business/images/hellosettings.png create mode 100644 windows/security/identity-protection/hello-for-business/images/iris.svg delete mode 100644 windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png delete mode 100644 windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png create mode 100644 windows/security/identity-protection/hello-for-business/images/pin.svg create mode 100644 windows/security/identity-protection/hello-for-business/images/smartcard.svg create mode 100644 windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/expiration.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/history.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/require-digits.md create mode 100644 windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md create mode 100644 
windows/security/identity-protection/hello-for-business/includes/require-special-characters.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-biometrics.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md
create mode 100644 windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
rename windows/security/identity-protection/hello-for-business/{feature-multifactor-unlock.md => multifactor-unlock.md} (82%)
create mode 100644 windows/security/identity-protection/hello-for-business/policy-settings.md
diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
new file mode 100644
index 0000000000..f491dbc982
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -0,0 +1,145 @@
+---
+title: Configure Windows Hello for Business
+description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
+ms.topic: how-to
+ms.date: 12/19/2023
+---
+
+# Configure Windows Hello for Business
+
+Windows Hello for Business offers a variety of configuration options to accommodate the needs of your organization. This article describes the configuration options and how to implement them.
+
+## Configuration options
+
+You can configure Windows Hello for Business by using the following options:
+
+- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. To configure Windows Hello for Business, you use the [PassportForWork CSP][CSP-2]
+- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution
+- Provisioning packages: used to configure devices at deployment time or for devices that aren't managed by a device management solution
+
+### Policy precedence
+
+Some of the Windows Hello for Business policies are available for both computer and user configuration.
+
+*user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
+
+Policies for Windows Hello for Business are enforced using the following hierarchy:
+
+- User GPO > Computer GPO > User MDM > Device MDM > Device Lock policy
+
+>[!IMPORTANT]
+>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+
+>[!NOTE]
+> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
+
+### Retrieve the Microsoft Entra tenant ID
+
+The configuration via CSP or registry of different Windows Hello for Business policy settings require to specify the Microsoft Entra tenant ID where the device is registered.
+
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID][ENTRA-2] or try the following, ensuring to sign in with your organization's account:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/organization?$select=id
+```
+
+For example, the [PassportForWork CSP documentation][CSP-1] describes how to configure Windows Hello for Business options using the OMA-URI:
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}
+```
+
+When configuring devices, replace `TenantID` with your Microsoft Entra tenant ID. For example, if your Microsoft Entra tenant ID is `dcd219dd-bc68-4b9b-bf0b-4a33a796be35`, the OMA-URI would be:
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{dcd219dd-bc68-4b9b-bf0b-4a33a796be35}
+```
+
+## Configure Windows Hello for Business using Microsoft Intune
+
+For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+
+There are different ways to enable and configure Windows Hello for Business in Intune:
+
+- Using a policy applied at the tenant level. The tenant policy:
+ - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
+ - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
+- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
+ - [Settings catalog][MEM-1]
+ - [Security baselines][MEM-2]
+ - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
+ - [Account protection policy][MEM-5]
+ - [Identity protection policy template][MEM-6]
+
+### Verify the tenant-wide policy
+
+To check the Windows Hello for Business policy applied at enrollment time:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** > **Windows** > **Windows Enrollment**
+1. Select **Windows Hello for Business**
+1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
+
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
+
+If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
+
+## Policy conflicts from multiple policy sources
+
+Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
+
+> [!IMPORTANT]
+> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
+
+## Manage Windows Hello for Business in your organization
+
+You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
+
+
+## Disable Windows Hello for Business enrollment
+
+Windows Hello for Business is enabled by default for devices that are Microsoft Entra joined. If you need to disable the automatic enablement, there are different options to configure them.
+
+
+### Disable during OS deployment
+
+If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Microsoft Entra joined only, and not domain joined, these settings can also be made manually in the registry.
+
+Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`**
+
+These registry settings are pushed from Intune for user policies:
+
+- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`**
+- DWORD: **UsePassportForWork**
+- Value = **0** for Disable, or Value = **1** for Enable
+
+These registry settings can be applied from Local or Group Policies:
+
+- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
+- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**
+- DWORD: **Enabled**
+- Value = **0** for Disable or Value = **1** for Enable
+
+If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
+
+## Next steps
+
+Learn more about Windows Hello for Business features and how to configure them:
+
+- [PIN reset](pin-reset.md)
+- [Dual enrollment](hello-feature-dual-enrollment.md)
+- [Dynamic Lock](hello-feature-dynamic-lock.md)
+- [Multi-factor Unlock](multifactor-unlock.md)
+- [Remote desktop (RDP) sign-in](rdp-sign-in.md)
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp#devicetenantid
+[CSP-2]: /windows/client-management/mdm/passportforwork-csp
+[ENTRA-1]: /entra/identity/conditional-access/overview
+[ENTRA-2]: /entra/fundamentals/how-to-find-tenant
+[MEM-1]: /mem/intune/configuration/settings-catalog
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
index ca409fc0b7..90bacb03c1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
@@ -21,7 +21,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom
 Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment).
+The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#microsoft-entra-cloud-only-deployment).
 It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
@@ -56,29 +56,4 @@ The following method explains how to disable Windows Hello for Business enrollme
 > [!NOTE]
 > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../hello-manage-in-organization.md).
-## Disable Windows Hello for Business enrollment without Intune
-If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Microsoft Entra joined only, and not domain joined, these settings can also be made manually in the registry.
-
-Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`**
-
-To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign in with your organization's account:
-
-```msgraph-interactive
-GET https://graph.microsoft.com/v1.0/organization?$select=id
-```
-
-These registry settings are pushed from Intune for user policies:
-
-- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`**
-- DWORD: **UsePassportForWork**
-- Value = **0** for Disable, or Value = **1** for Enable
-
-These registry settings can be applied from Local or Group Policies:
-
-- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
-- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**
-- DWORD: **Enabled**
-- Value = **0** for Disable or Value = **1** for Enable
-
-If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
index c5e4939fc8..8e7abc5f48 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
@@ -1,13 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in a hybrid certificate trust model
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
+description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
 ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index a9363c8a74..51c513dfb1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -2,12 +2,6 @@
 title: Configure and provision Windows Hello for Business in a hybrid certificate trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
 ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index 7ff5c70e48..f2ec26a26f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -1,13 +1,7 @@
 ---
 title: Configure and validate the PKI in an hybrid certificate trust model
 description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 12/18/2023
 ms.topic: tutorial
 ---
 # Configure and validate the PKI in a hybrid certificate trust model
@@ -22,7 +16,7 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
 ## Configure the enterprise PKI
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
 > [!NOTE]
 > Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
@@ -35,9 +29,9 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
 [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
-[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
 [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index a9d49ebfec..7f96eeb160 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -1,29 +1,19 @@
 ---
 title: Windows Hello for Business hybrid certificate trust deployment
 description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 12/18/2023
 ms.topic: tutorial
 ---
-# Hybrid certificate trust deployment
+# Hybrid certificate trust deployment guide
 [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
-Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
-
-This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
+This deployment guide describes how to deploy Windows Hello for Business with a hybrid certificate trust model.
 > [!IMPORTANT]
 > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
-It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
-
 ## Prerequisites
 > [!div class="checklist"]
@@ -44,7 +34,7 @@ Hybrid Windows Hello for Business needs two directories:
 - A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
 The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
-The hybrid-certificate trust deployment needs a *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
+A *Microsoft Entra ID P1 or P2* subscription is required for the device write-back synchronization feature.
 > [!NOTE]
 > Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
index da843f036d..97ac12626e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
@@ -2,8 +2,6 @@
 title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario.
 ms.date: 02/24/2023
-appliesto:
-- ✅ Windows 10, version 21H2 and later
 ms.topic: tutorial
 ---
 # Configure and provision Windows Hello for Business - cloud Kerberos trust
@@ -17,8 +15,6 @@ Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
 1. Set up Microsoft Entra Kerberos.
 1. Configure a Windows Hello for Business policy and deploy it to the devices.
-
-
 ### Deploy Microsoft Entra Kerberos
 If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section.
@@ -174,7 +170,7 @@ Once a user has set up a PIN with cloud Kerberos trust, it can be used **immedia
 If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
-1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
+1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-microsoft-entra-kerberos).
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
 1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index c53e872bb1..07da3537ae 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -2,15 +2,14 @@ title: Windows Hello for Business cloud Kerberos trust deployment description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. ms.date: 02/24/2023 -appliesto: -- ✅ Windows 10, version 21H2 and later ms.topic: tutorial --- + # Cloud Kerberos trust deployment [!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)] -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. +This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. ## Introduction to cloud Kerberos trust @@ -25,8 +24,6 @@ Windows Hello for Business cloud Kerberos trust uses *Microsoft Entra Kerberos*, > [!NOTE] > Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. - - ## Microsoft Entra Kerberos and cloud Kerberos trust authentication *Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. 
@@ -45,7 +42,7 @@ When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *Azur :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server "::: For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\ -For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust). +For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../hello-how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust). > [!IMPORTANT] > When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. @@ -66,7 +63,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud - On-premises only deployments - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) -- Using cloud Kerberos trust for "Run as" +- Using cloud Kerberos trust for *Run as* - Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity > [!NOTE] 
@@ -79,9 +76,10 @@ The following scenarios aren't supported using Windows Hello for Business cloud Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps: > [!div class="checklist"] -> * Deploy Microsoft Entra Kerberos -> * Configure Windows Hello for Business settings -> * Provision Windows Hello for Business on Windows clients +> +> - Deploy Microsoft Entra Kerberos +> - Configure Windows Hello for Business settings +> - Provision Windows Hello for Business on Windows clients > [!div class="nextstepaction"] > [Next: configure and provision Windows Hello for Business >](hybrid-cloud-kerberos-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index 10b8e56a94..651ec3acde 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md 
@@ -54,7 +54,7 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Specify a **Name** and, optionally, a **Description** > **Next** 1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) + - For more information about these policies, see [Configure Windows Hello for Business](../configure.md) 1. Select **Next** 1. Optionally, add *scope tags* > **Next** 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** @@ -72,7 +72,7 @@ It's suggested to create a security group (for example, *Windows Hello for Busin The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory > [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) +> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources) ### Enable Windows Hello for Business group policy setting 
@@ -101,7 +101,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv > [!NOTE] > Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*. > -> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). +> For more information about these policies, see [Configure Windows Hello for Business](../configure.md). ### Configure security for GPO diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md index 2fa08c15c9..c1ed39fdbd 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md @@ -1,15 +1,10 @@ --- -title: Configure and validate the Public Key Infrastructure in a hybrid key trust model -description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid key trust model. -ms.date: 01/03/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +title: Configure and validate the Public Key Infrastructure in an hybrid key trust model +description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model. +ms.date: 12/18/2023 ms.topic: tutorial --- + # Configure and validate the Public Key Infrastructure - hybrid key trust [!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] 
@@ -46,7 +41,7 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser ## Configure the enterprise PKI -[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] +[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] > [!NOTE] > Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index 2b0ec7021d..5d4b28e95f 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md 
@@ -1,39 +1,30 @@ --- title: Windows Hello for Business hybrid key trust deployment description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario. -ms.date: 12/28/2022 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: how-to +ms.date: 12/18/2023 +ms.topic: tutorial --- -# Hybrid key trust deployment + +# Hybrid key trust deployment guide [!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] -Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources. - -This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario. +This deployment guide describes how to deploy Windows Hello for Business with a hybrid key trust model. > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). -It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. 
- ## Prerequisites -The following prerequisites must be met for a hybrid key trust deployment: - > [!div class="checklist"] -> * Directories and directory synchronization -> * Authentication to Microsoft Entra ID -> * Device registration -> * Public Key Infrastructure -> * Multifactor authentication -> * Device management +>The following prerequisites must be met for a hybrid key trust deployment: +> +> - Directories and directory synchronization +> - Authentication to Microsoft Entra ID +> - Device registration +> - Public Key Infrastructure +> - Multifactor authentication +> - Device management ### Directories and directory synchronization @@ -48,7 +39,8 @@ During the Window Hello for Business provisioning process, users register the pu > [!NOTE] > Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID. - +> [!IMPORTANT] +> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory. ### Authentication to Microsoft Entra ID @@ -66,8 +58,6 @@ For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan yo An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them. - - ### Multifactor authentication The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\ 
@@ -85,13 +75,13 @@ To configure Windows Hello for Business, devices can be configured through a mob ## Next steps -Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps: - > [!div class="checklist"] -> * Configure and validate the PKI -> * Configure Windows Hello for Business settings -> * Provision Windows Hello for Business on Windows clients -> * Configure single sign-on (SSO) for Microsoft Entra joined devices +> Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps: +> +> - Configure and validate the PKI +> - Configure Windows Hello for Business settings +> - Provision Windows Hello for Business on Windows clients +> - Configure single sign-on (SSO) for Microsoft Entra joined devices > [!div class="nextstepaction"] > [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md new file mode 100644 index 0000000000..1e6ef1fa36 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md 
@@ -0,0 +1,95 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+## Additional federation servers
+
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
+
+### Server authentication certificate
+
+Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
+
+### Install additional servers
+
+Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
+
+## Load balance AD FS
+
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+
+### Install Network Load Balancing Feature on AD FS Servers
+
+Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
+
+1. Start **Server Manager**. Select **Local Server** in the navigation pane
+1. Select **Manage** and then select **Add Roles and Features**
+1. Select **Next** On the **Before you begin** page
+1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
+1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
+1. On the **Select server roles** page, select **Next**
+1. Select **Network Load Balancing** on the **Select features** page
+1. Select **Install** to start the feature installation
+
+### Configure Network Load Balancing for AD FS
+
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
+
+Sign-in a node of the federation farm with *Administrator* equivalent credentials.
+
+1. Open **Network Load Balancing Manager** from **Administrative Tools**
+1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
+1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
+1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
+1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
+1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
+1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
+1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
+1. In Port Rules, select Edit to modify the default port rules to use port 443
+
+### Additional AD FS Servers
+
+1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
+1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
+
+## Configure DNS for Device Registration
+
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
+You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+
+1. Open the **DNS Management** console
+1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
+1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
+1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
+1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
+1. Right-click the `` node and select **New Alias (CNAME)**
+1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box
+1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE]
+> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix.
+
+## Configure the Intranet Zone to include the federation service
+
+The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
+
+### Create an Intranet Zone Group Policy
+
+Sign-in the domain controller or administrative workstation with *Domain Admin* equivalent credentials:
+
+1. Start the **Group Policy Management Console** (`gpmc.msc`)
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type **Intranet Zone Settings** in the name box and select **OK**
+1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit**
+1. In the navigation pane, expand **Policies** under **Computer Configuration**
+1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List**
+1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor
+
+### Deploy the Intranet Zone Group Policy object
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
+1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md
new file mode 100644
index 0000000000..93a223b236
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md
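Review bot: The *Configure DNS for Device Registration* steps have lost their placeholder names: the zone step says "Right-click the `` node" with an empty code span, the CNAME step stops at `federation_service_farm_name.` and runs straight into `[!NOTE]`, and the note refers to `enterpriseregistration.` with nothing after the dot, so a reader cannot tell which zone node to open or what FQDN the alias must point to. These look like angle-bracket placeholders (domain name, UPN suffix) swallowed as HTML; they should be escaped inside the code spans and the CNAME step restored to a full sentence that names the target and ends with a **OK** step, since a wrong `enterpriseregistration` target is likely to break device-registration discovery without an obvious error. Separately, *Install Network Load Balancing Feature on AD FS Servers* asks for *Enterprise Administrator* equivalent credentials to add a Windows feature while the following section uses *Administrator*; adding a feature needs only local administrator rights, and signing in to member servers with forest-wide credentials needlessly exposes them to credential theft, so `Sign-in the federation server with *local Administrator* equivalent credentials.` would be the least-privilege wording.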
@@ -0,0 +1,95 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+## Deploy the AD FS role
+
+>[!IMPORTANT]
+> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
+
+Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
+
+1. Start **Server Manager**. Select **Local Server** in the navigation pane
+1. Select **Manage > Add Roles and Features**
+1. Select **Next** on the **Before you begin** page
+1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
+1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
+1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
+1. Select **Next** on the **Select features** page
+1. Select **Next** on the **Active Directory Federation Service** page
+1. Select **Install** to start the role installation
+
+## Review to validate the AD FS deployment
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+
+> [!div class="checklist"]
+> * Confirm the AD FS farm uses the correct database configuration
+> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
+> * Confirm **all** AD FS servers in the farm have the latest updates installed
+> * Confirm all AD FS servers have a valid server authentication certificate
+
+## Device registration service account prerequisites
+
+The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
+
+GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
+
+### Create KDS Root Key
+
+Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
+
+Start an elevated PowerShell console and execute the following command:
+
+```PowerShell
+Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
+```
+
+## Configure the Active Directory Federation Service Role
+
+Use the following procedures to configure AD FS.
+
+Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
+
+1. Start **Server Manager**
+1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
+1. On the **Welcome** page, select **Create the first federation server farm > Next**
+1. On the **Connect to Active Directory Domain Services** page, select **Next**
+1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
+1. Select the federation service name from the **Federation Service Name** list
+1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
+1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
+1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
+1. On the **Review Options** page, select **Next**
+1. On the **Pre-requisite Checks** page, select **Configure**
+1. When the process completes, select **Close**
+
+### Add the AD FS service account to the *Key Admins* group
+
+During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
+
+Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
+
+1. Open **Active Directory Users and Computers**
+1. Select the **Users** container in the navigation pane
+1. Right-click **Key Admins** in the details pane and select **Properties**
+1. Select the **Members > Add…**
+1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
+1. Select **OK** to return to **Active Directory Users and Computers**
+1. Change to server hosting the AD FS role and restart it
+
+## Configure the device registration service
+
+Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
+
+1. Open the **AD FS management** console
+1. In the navigation pane, expand **Service**. Select **Device Registration**
+1. In the details pane, select **Configure device registration**
+1. In the **Configure Device Registration** dialog, Select **OK**
+
+:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point.":::
+
+Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
+
+:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS.":::
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
similarity index 56%
rename from windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
index bcc3c3b497..621f3a318c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
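Review bot: The *Create KDS Root Key* step gives `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` with no caveat that the ten-hour backdate exists to skip the replication wait; in a domain with more than one domain controller, a gMSA created before the root key has replicated to every DC can fail password retrieval, and Microsoft documents this backdated form for test environments. The step should either use `Add-KdsRootKey -EffectiveImmediately` and tell the reader to wait ten hours before creating *adfssvc*, or state explicitly that the backdated form is a lab shortcut. Adding *adfssvc* to *Key Admins* later in the same include gives the service account write access to the key attribute on every user object (the section itself says enrollment writes the public key to the user object), so a sentence noting that the AD FS servers and this account must therefore be protected to the same standard as domain controllers would be worth adding. Minor: `GSMA` appears three times where `GMSA` is meant, and the first *Sign-in* line asks for *Enterprise Administrator* credentials to install a role that only needs local administrator rights.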
@@ -1,19 +1,9 @@ --- -title: Validate and Deploy MFA for Windows Hello for Business with key trust -description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises key trust model. -ms.date: 09/07/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial +ms.date: 12/15/2023 +ms.topic: include --- -# Validate and deploy multifactor authentication - on-premises key trust - -[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] +## Validate and deploy multifactor authentication (MFA) Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: @@ -27,6 +17,3 @@ Windows Hello for Business requires users perform multifactor authentication (MF For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). - -> [!div class="nextstepaction"] -> [Next: configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md) 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md
new file mode 100644
index 0000000000..9b62c1816b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md
@@ -0,0 +1,47 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
+WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
+To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+
+A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
+
+Prepare the AD FS deployment by installing and **updating** two Windows Servers.
+
+## Enroll for a TLS server authentication certificate
+
+Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
+
+The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
+
+ - **Subject Name**: the internal FQDN of the federation server
+ - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
+
+The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*.
+
+You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
+
+When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
+
+Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
+
+### AD FS authentication certificate enrollment
+
+Sign-in the federation server with *domain administrator* equivalent credentials.
+
+1. Start the Local Computer **Certificate Manager** (certlm.msc)
+1. Expand the **Personal** node in the navigation pane
+1. Right-click **Personal**. Select **All Tasks > Request New Certificate**
+1. Select **Next** on the **Before You Begin** page
+1. Select **Next** on the **Select Certificate Enrollment Policy** page
+1. On the **Request Certificates** page, select the **Internal Web Server** check box
+1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
+ :::image type="content" source="../images/hello-internal-web-server-cert.png" lightbox="../images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
+1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
+1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
+1. Select **Enroll**
+
+A server authentication certificate should appear in the computer's personal certificate store.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust.md
index e3c6bad7b3..10f7be45da 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust.md
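Review bot: The opening paragraph of adfs-validate.md expands WID as `Windows Information Database`; the AD FS configuration store is the Windows Internal Database, so the sentence should read `The following guidance describes the deployment of a new instance of AD FS using the Windows Internal Database (WID) as the configuration database.\`. The wildcard-certificate paragraph tells the reader to mark the private key exportable and move it between nodes as a PFX but says nothing about handling that file, even though that key authenticates the whole federation service and every host under the wildcard; a sentence such as `Protect the PFX with a strong password, copy it only over an authenticated channel, and delete the file from each node once the certificate is imported.` belongs after the export step. The enrollment procedure asks for *domain administrator* equivalent credentials, yet it only requests a certificate into the local computer store, which presumably needs no more than local Administrators on the federation server; if that holds, lowering the stated privilege keeps the guide consistent with least privilege.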
@@ -7,4 +7,4 @@ ms.topic: include
 - **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)]
 - **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)]
 - **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)]
----
\ No newline at end of file
+---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md
deleted file mode 100644
index c3f30f246e..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-ms.date: 12/28/2022
-ms.topic: include
----
-
-### Configure a Windows Hello for Business authentication certificate template
-
-During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template.
-
-Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. Right-click the **Smartcard Logon** template and choose **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
- - Type *WHFB Authentication* in **Template display name**
- - Adjust the validity and renewal period to meet your enterprise's needs
- > [!NOTE]
- > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
-1. On the **Cryptography** tab
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
-1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**
-1. On the **Issuance Requirements** tab,
- - Select the **This number of authorized signatures** check box. Type *1* in the text box
- - Select **Application policy** from the **Policy type required in signature**
- - Select **Certificate Request Agent** from in the **Application policy** list
- - Select the **Valid existing certificate** option
-1. On the **Subject** tab,
- - Select the **Build from this Active Directory information** button
- - Select **Fully distinguished name** from the **Subject name format** list
- - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
-1. On the **Request Handling** tab, select the **Renew with same key** check box
-1. On the **Security** tab, select **Add**. Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK**
-1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section:
- - Select the **Allow** check box for the **Enroll** permission
- - Excluding the group above (for example, *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared
- - Select **OK**
-1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they'll be superseded by this template for the users that have Enroll permission for this template
-1. Select on the **Apply** to save changes and close the console
-
-#### Mark the template as the Windows Hello Sign-in template
-
-Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials
-
-Open an elevated command prompt end execute the following command
-
-```cmd
-certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
-```
-
-If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example:
-
-```cmd
-CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
-
-Old Value:
-msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
-CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
-CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
-TEMPLATE_SERVER_VER_WINBLUE<[!NOTE]
->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority.
-
-
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md
new file mode 100644
index 0000000000..e9c5401d58
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md
@@ -0,0 +1,64 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+### Configure a Windows Hello for Business authentication certificate template
+
+During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template.
+
+Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. In the **Certificate Template Console**, right-click the **Smartcard Logon** template and select **Duplicate Template**
+1. Use the following table to configure the template:
+
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* |
  • Clear the **Show resulting changes** check box
  • Select **Windows Server 2016** from the *Certification Authority list*
  • Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
|
+ | *General* |
  • Specify a **Template display name**, for example *WHFB Authentication*
  • Set the validity period to the desired value
  • Take note of the template name for later, which should be the same as the Template display name minus spaces
|
+ | *Subject Name* |
  • Select **Build from this Active Directory information**
  • Select **Fully distinguished name** from the **Subject name format** list
  • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
|
+ |*Cryptography*|
  • Set the *Provider Category* to **Key Storage Provider**
  • Set the *Algorithm name* to **RSA**
  • Set the *minimum key size* to **2048**
  • Set the *Request hash* to **SHA256**
  • |
+ |*Extensions*|Verify the **Application Policies** extension includes **Smart Card Logon**|
+ |*Issuance Requirements*|
    • Select the **This number of authorized signatures** check box. Type *1* in the text box
    • Select **Application policy** from the *Policy type required in signature*
    • Select **Certificate Request Agent** from in the *Application policy* list
    • Select the **Valid existing certificate** option
    |
+ |*Request Handling*|Select the **Renew with same key** check box|
+ |*Security*|
    • Select **Add**
    • Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK**
    • Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section:
      • Select the **Allow** check box for the **Enroll** permission
      • Excluding the group above (for example, *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared
    • Select **OK**
    |
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
+
+#### Mark the template as the Windows Hello Sign-in template
+
+Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials
+
+Open an elevated command prompt end execute the following command
+
+```cmd
+certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
+```
+
+If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example:
+
+```cmd
+CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+
+Old Value:
+msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+TEMPLATE_SERVER_VER_WINBLUE<[!NOTE]
+>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority.
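Review bot: The *Cryptography* row of the configuration table ends with an empty bullet (the `• |` closing the cell), which renders as a stray bullet under `Set the *Request hash* to **SHA256**`; the cell should end right after that line. The same empty bullet closes the GMSA *Cryptography* row in certificate-template-enrollment-agent.md. In the sample certutil output, everything between `TEMPLATE_SERVER_VER_WINBLUE` and the note is missing in this rendering: the closing fence and the `New Value:` block that the preceding sentence promises, presumably because the `<<` in the real output was read as markup; worth checking that the published page shows the complete block, since the reader is told to look for `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` in exactly that part. The *Security* row is what keeps the template scoped to the intended users, so consider adding `Leave no other principal with **Enroll** or **Autoenroll** on this template; it is the only control on who can obtain a Windows Hello sign-in certificate.` at the end of that cell.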
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md
new file mode 100644
index 0000000000..badbc07f9c
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md
@@ -0,0 +1,53 @@
+---
+ms.date: 12/15/2023
+ms.topic: include
+---
+
+### Configure an enrollment agent certificate template
+
+A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
+
+The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
+
+> [!IMPORTANT]
+> Follow the procedures below based on the AD FS service account used in your environment.
+
+#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
+
+Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
+1. Use the following table to configure the template:
+
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2016** from the *Certification Authority list*
    • Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
    |
+ | *General* |
    • Specify a **Template display name**, for example *WHFB Enrollment Agent*
    • Set the validity period to the desired value
    |
+ | *Subject Name* | Select **Supply in the request**

    **Note:** Group Managed Service Accounts (GMSA) don't support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.|
+ | *Cryptography* |
    • Set the *Provider Category* to **Key Storage Provider**
    • Set the *Algorithm name* to **RSA**
    • Set the *minimum key size* to **2048**
    • Set the *Request hash* to **SHA256**
    • |
+ | *Security* |
      • Select **Add**
      • Select **Object Types** and select the **Service Accounts** check box
      • Select **OK**
      • Type `adfssvc` in the **Enter the object names to select** text box and select **OK**
      • Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
        • In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
        • Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
      • Select **OK**
      |
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
+
+#### Create an enrollment agent certificate for a standard service account
+
+Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
+1. Use the following table to configure the template:
+
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* |
      • Clear the **Show resulting changes** check box
      • Select **Windows Server 2016** from the **Certification Authority** list
      • Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
      |
+ | *General* |
      • Specify a **Template display name**, for example *WHFB Enrollment Agent*
      • Set the validity period to the desired value
      |
+ | *Subject Name* |
      • Select **Build from this Active Directory information**
      • Select **Fully distinguished name** from the **Subject name format** list
      • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
      |
+ |*Cryptography*|
      • Set the *Provider Category* to **Key Storage Provider**
      • Set the *Algorithm name* to **RSA**
      • Set the *minimum key size* to **2048**
      • Set the *Request hash* to **SHA256**
      |
+ | *Security* |
      • Select **Add**
      • Select **Object Types** and select the **Service Accounts** check box
      • Select **OK**
      • Type `adfssvc` in the **Enter the object names to select** text box and select **OK**
      • Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
        • In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
        • Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
      • Select **OK**
      |
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
index 07d8c9cc38..d87237da6e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
@@ -29,4 +29,3 @@ Sign in to domain controller or management workstations with *Domain Administrat
 1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…**
 1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
 1. Select **OK**
-
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
index ec0faae68f..8d43115fa5 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
@@ -11,14 +11,14 @@ Confirm your domain controllers enroll the correct certificates and not any supe
 Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
-1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log
+1. Using the Event Viewer, navigate to the **Application and Services** > **Microsoft** > **Windows** > **CertificateServices-Lifecycles-System** event log
 1. Look for an event indicating a new certificate enrollment (autoenrollment):
   - The details of the event include the certificate template on which the certificate was issued
   - The name of the certificate template used to issue the certificate should match the certificate template name included in the event
   - The certificate thumbprint and EKUs for the certificate are also included in the event
   - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
-Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+Certificates superseded by your new domain controller certificate generate an *archive event* in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
 ### Certificate Manager
@@ -26,9 +26,17 @@ You can use the Certificate Manager console to validate the domain controller ha
 ### Certutil.exe
-You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates.
+You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:
-To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
+```cmd
+certutil.exe -q -store my
+```
+
+To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command:
+
+```cmd
+certutil.exe -q -v -store my
+```
 ### Troubleshooting
@@ -36,4 +44,4 @@ Windows triggers automatic certificate enrollment for the computer during boot,
 Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt.
-Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
\ No newline at end of file
+Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the *allow* auto enrollment permissions.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
deleted file mode 100644
index 8e3cfc064b..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
+++ /dev/null
@@ -1,79 +0,0 @@ ---- -ms.date: 12/15/2023 -ms.topic: include ---- - -### Configure an enrollment agent certificate template - -A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA. - -The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. - -> [!IMPORTANT] -> Follow the procedures below based on the AD FS service account used in your environment. - -#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA) - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list. - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. 
On the **General** tab: - - Type *WHFB Enrollment Agent* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs -1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected - - > [!NOTE] - > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -1. On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Security** tab, select **Add** -1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** -1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** -1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: - - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission - - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list - - Select **OK** -1. Close the console - -#### Create an enrollment agent certificate for a standard service account - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. 
In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list. - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Enrollment Agent* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs -1. On the **Subject** tab: - - Select the **Build from this Active Directory information** button - - Select **Fully distinguished name** from the **Subject name format** - - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Security** tab, select **Add** -1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** -1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** -1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: - - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission - - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list - - Select **OK** -1. Close the console - 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
index 89062e7d07..2513a26916 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-This document describes Windows Hello for Business functionalities or scenarios that apply to:
\ No newline at end of file
+**This article describes Windows Hello for Business functionalities or scenarios that apply to:**
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
index fa5e9a3489..13ebf9bd94 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[cloud :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
+[cloud :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
index d273002ddd..30656b4020 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
+[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
index 5594bf39dd..55aa1c3d2e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
+[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
index 5e4dd851b9..55e87ed876 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
+[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
index dbddf38006..3411b2f791 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
+[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md#microsoft-entra-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
index 206857ace8..60299417e3 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
+[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../how-it-works.md#microsoft-entra-hybrid-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
index 8719e2a1cc..011f9d1986 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
@@ -3,4 +3,4 @@ ms.date: 12/15/2023
 ms.topic: include
 ---
 
-[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
+[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 57fd74f5c3..58bad86a1c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
+[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index 3bbbe2214f..41d9b6cdf9 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[key trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
+[key trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 46c44a5c62..bf99fdffab 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -1,65 +1,205 @@ --- -title: Windows Hello for Business Deployment Overview -description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -ms.date: 02/15/2022 +title: Plan a Windows Hello for Business Deployment +description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. +ms.date: 12/18/2023 ms.topic: overview -appliesto: --- -# Windows Hello for Business Deployment Overview +# Plan a Windows Hello for Business Deployment -Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. +This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. -This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization. +This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. -Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model. 
+> [!TIP] +> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). -## Requirements +## Using this guide -This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: +There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex. However, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. -- A well-connected, working network -- Internet access -- Multi-factor Authentication is required during Windows Hello for Business provisioning -- Proper name resolution, both internal and external names -- Active Directory and an adequate number of domain controllers per site to support authentication -- Active Directory Certificate Services 2012 or later (Note: certificate services aren't needed for cloud Kerberos trust deployments) -- One or more workstation computers running Windows 10, version 1703 or later +This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. 
-If you're installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. +### How to Proceed -Don't begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working. +Read this document and record your decisions. When finished, you should have all the necessary information for your Windows Hello for Business deployment. -## Deployment and trust models +There are six major categories you need to consider for a Windows Hello for Business deployment: -Windows Hello for Business has three deployment models: Microsoft Entra cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*. +- Deployment Options +- Client +- Management +- Active Directory +- Public Key Infrastructure +- Cloud -Hybrid deployments are for enterprises that use Microsoft Entra ID. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Microsoft Entra ID must use the hybrid deployment model for all domains in that forest. +## Deployment Options -The trust model determines how you want users to authenticate to the on-premises Active Directory: +The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. -- The key-trust model is for enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. 
This still requires Active Directory Certificate Services for domain controller certificates. -- The cloud-trust model is also for hybrid enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and doesn't require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it. -- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. -- The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers. +### Deployment models -> [!NOTE] -> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md). +It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. 
-Following are the various deployment guides and models included in this topic: +There are three deployment models from which you can choose: -- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md) -- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md) -- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md) -- [Microsoft Entra join Single Sign-on Deployment Guides](../hello-hybrid-aadj-sso.md) -- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md) -- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md) +| :ballot_box_with_check: | Deployment model | Description | +|--|--|--| +| :black_square_button: | **Cloud-only** |For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services| +| :black_square_button: | **Hybrid** |For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a sinlge sign-on (SSO) experience for both on-premises and Microsoft Entra resources| +| :black_square_button: | **On-premises** |For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. 
These organizations use on-premises applications, integrated in Active Directory, and want a SSO user experiences when accessing them.| -For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](on-premises-cert-trust-mfa.md) deployments. +>[!NOTE] +> +>- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests" +>- Migration from on-premise to hybrid deployment requires redeployment -## Provisioning +### Trust types -Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. +A deployment's trust type defines how Windows Hello for Business clients **authenticate to Active Directory**. For this reason, the trust type isn't applicable to a cloud-only deployment model. -> [!NOTE] -> You must allow access to the URL `account.microsoft.com` to initiate Windows Hello for Business provisioning. 
This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL doesn't require any authentication and as such, doesn't collect any user data. +There are three trust types from which you can choose: + +| :ballot_box_with_check: | Trust type | Description | +|--|--|--| +| :black_square_button: | **Cloud Kerberos trust**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. | +| :black_square_button: | **Key trust**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or sofware) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. | +| :black_square_button: | **Certificate trust**| The certificate trust type issues authentication certificates to users. Users authenticate using a certificate requested using a device-bound key (hardware or sofware) created during the Windows Hello provisioning experience. | + +*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. + +The goal of Windows Hello for Business cloud Kerberos trust is to provide a simple deployment experience: + +- No need to deploy a public key infrastructure (PKI) or to change an existing PKI +- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. 
There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory +- [FIDO2 security key sign-in][AZ-1] can be deployed with minimal extra setup + +Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you don't need to support certificate authentication scenarios. + +### Device registration + +All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to authenticate to identity providers: + +- For cloud-only and hybrid deployment, the identity provider is Microsoft Entra ID +- For on-premises deployments, the identity provider is the on-premises server running the Active Directory Federation Services (AD FS) role + +### Key registration + +The built-in Windows Hello for Business provisioning experience creates a device-bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules. The credential is a *user key*, not a *device key*. The provisioning experience registers the user's public key with the identity provider: + +- For cloud-only and hybrid deployments, the identity provider is Microsoft Entra ID +- For on-premises deployments, the identity provider is the on-premises server running the AD FS role + +### Directory synchronization + +Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose: + +- Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials (in key trust model) between itself and Microsoft Entra ID. 
This synchronization enables SSO to Microsoft Entra ID and its federated components +- On-premises deployments use directory synchronization to import users from Active Directory to the MFA Server, which sends data to the MFA cloud service to perform the verification + +### Multifactor authentication + +The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential: + +- For cloud-only and hybrid deployments, ther are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1] +- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more infomration, see [Microsoft and third-party additional authentication methods][SERV-1] + +> [!IMPORTANT] +> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. See [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2] for more details. + +### Device configuration + +Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to configure their devices. 
There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO):
+
+- The CSP option is ideal for devices that are managed through a Mobile Device Management (MDM) solution, like Microsoft Intune
+- GPO can be used to configure domain joined devices and where devices aren't managed via MDM
+
+### Public Key Infrastructure (PKI)
+
+While cloud Kerberos trust is the only deployment option that doesn't require the deployment of any certificates, the other models depend on an enterprise PKI as a trust anchor for authentication:
+
+- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate
+- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA
+- Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources
+
+### Cloud services
+
+Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities. These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription.
+
+### Licensing requirements for cloud services
+
+Here are some considerations regarding licensing requirements for cloud services:
+
+- Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do
+ - Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. 
By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported third-party MDM
+- You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults
+ - Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
+- Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature
+
+## Planning a Deployment
+
+Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure.
+
+### Deployment Model
+
+Choose the deployment model based on the resources your users access. Use the following guidance to make your decision.
+
+- If your organization doesn't have on-premises resources, use **Cloud Only**
+- If your organization syncronizes users to Microsoft Entra ID to access cloud services, select **Hybrid**
+- If your organization doesn't have cloud resources, select **On-Premises**
+
+### Trust type
+
+Choose a trust type that is best suited for your organizations. The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
+
+The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. 
In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect.
+
+## Next steps
+
+> [!div class="op_multi_selector" title1="Deployment type:" title2="Trust type:"]
+> Select your deployment options to read about the deployment process:
+>
+> - [(cloud-only|Microsoft Entra ID)](cloud.md)
+> - [(hybrid | cloud Kerberos trust)](hybrid-cloud-kerberos-trust.md)
+> - [(hybrid | key trust)](hybrid-key-trust.md)
+> - [(hybrid | certificate trust)](hybrid-cert-trust.md)
+> - [(on-premises | key trust)](on-premises-key-trust.md)
+> - [(on-premises | certificate trust)](on-premises-cert-trust.md)
+
+## Prepare users to use Windows Hello
+
+When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
+
+After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
+
+Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
+
+People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
+
+[!INCLUDE [virtual-smart-card-deprecation-notice](../../../includes/virtual-smart-card-deprecation-notice.md)]
+
+## On devices owned by the organization
+
+When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
+
+![who owns this pc.](images/corpown.png)
+
+Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
+
+![choose how you'll connect.](images/connect.png)
+
+They sign in, and are then asked to verify their identity. 
People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
+
+After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
+
+## On personal devices
+
+People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
+
+People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
+
+
+
+[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
+[SERV-1]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
+[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 1757f9c6b1..deb99ec5e8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -1,180 +1,44 @@
 ---
-title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
+title: Configure Active Directory Federation Services in an on-premises certificate trust model
+description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
 ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
 ms.topic: tutorial
 ---
 # Prepare and deploy Active Directory Federation Services - on-premises certificate trust
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
+[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)]
-Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*.
+Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* (CRA) and *device registration*.
-The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
-WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. 
If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
-To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+[!INCLUDE [adfs-validate](includes/adfs-validate.md)]
-A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
-
-Prepare the AD FS deployment by installing and **updating** two Windows Servers.
-
-## Enroll for a TLS server authentication certificate
-
-Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
-
-The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
-
- - **Subject Name**: the internal FQDN of the federation server
- - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
-
-The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. 
In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*.
-
-You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
-
-When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
-
-Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
-### AD FS authentication certificate enrollment
-
-Sign-in the federation server with *domain administrator* equivalent credentials.
-
-1. Start the Local Computer **Certificate Manager** (certlm.msc)
-1. Expand the **Personal** node in the navigation pane
-1. Right-click **Personal**. Select **All Tasks > Request New Certificate**
-1. Select **Next** on the **Before You Begin** page
-1. Select **Next** on the **Select Certificate Enrollment Policy** page
-1. On the **Request Certificates** page, select the **Internal Web Server** check box
-1. Select the **⚠️ More information is required to enroll for this certificate. 
Click here to configure settings** link
- :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Screenshot that shows example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
-1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
-1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
-1. Select **Enroll**
-
-A server authentication certificate should appear in the computer's personal certificate store.
-
-## Deploy the AD FS role
-
-AD FS provides the following services to support Windows Hello for Business on-premises deployments in a certificate trust model:
-
-- Device registration
-- Key registration
-- Certificate registration authority (CRA)
-
->[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage > Add Roles and Features**
-1. Select **Next** on the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
-1. 
On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
-1. Select **Next** on the **Select features** page
-1. Select **Next** on the **Active Directory Federation Service** page
-1. Select **Install** to start the role installation
-
-## Review to validate the AD FS deployment
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm the AD FS farm uses the correct database configuration
-> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
-> * Confirm **all** AD FS servers in the farm have the latest updates installed
-> * Confirm all AD FS servers have a valid server authentication certificate
-
-## Device registration service account prerequisites
-
-The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
-
-GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-
-### Create KDS Root Key
-
-Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
-
-Start an elevated PowerShell console and execute the following command:
-```PowerShell
-Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
-```
-
-## Configure the Active Directory Federation Service Role
-
-Use the following procedures to configure AD FS.
-
-Sign-in to the federation server with *Domain Administrator* equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**
-1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
-1. On the **Welcome** page, select **Create the first federation server farm > Next**
-1. On the **Connect to Active Directory Domain Services** page, select **Next**
-1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
-1. Select the federation service name from the **Federation Service Name** list
-1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
-1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
-1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
-1. On the **Review Options** page, select **Next**
-1. On the **Pre-requisite Checks** page, select **Configure**
-1. When the process completes, select **Close**
+[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
 > [!NOTE]
 > For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
 >
 > 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
-> 2. Right-click **Scope Descriptions** and select **Add Scope Description**
-> 3. Under name type *ugs* and select **Apply > OK**
-> 4. 
Launch PowerShell as an administrator and execute the following commands:
-> ```PowerShell
-> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
-> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
-> ```
-> 7. Restart the AD FS service
-> 8. Restart the client. User should be prompted to provision Windows Hello for Business
-
-### Add the AD FS service account to the *Key Admins* group
-
-During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
-
-Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select the **Users** container in the navigation pane
-1. Right-click **Key Admins** in the details pane and select **Properties**
-1. Select the **Members > Add…**
-1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
-1. Select **OK** to return to **Active Directory Users and Computers**
-1. Change to server hosting the AD FS role and restart it
-
-Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Open the **AD FS management** console
-1. In the navigation pane, expand **Service**. Select **Device Registration**
-1. In the details pane, select **Configure device registration**
-1. 
In the **Configure Device Registration** dialog, Select **OK**
-
-:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point.":::
-
-Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-
-:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS.":::
+> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
+> 1. Under name type *ugs* and select **Apply > OK**
+> 1. Launch PowerShell as an administrator and execute the following commands:
+>
+> ```PowerShell
+> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
+> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
+> ```
+>
+> 1. Restart the AD FS service
+> 1. Restart the client. User should be prompted to provision Windows Hello for Business
 ## Review to validate the AD FS and Active Directory configuration
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
 > [!div class="checklist"]
-> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. 
Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
-> * Confirm you added the AD FS service account to the KeyAdmins group
-> * Confirm you enabled the Device Registration service
+> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+>
+> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
+> - Confirm you added the AD FS service account to the KeyAdmins group
+> - Confirm you enabled the Device Registration service
 ## Configure the certificate registration authority
@@ -187,6 +51,7 @@ Open a **Windows PowerShell** prompt and type the following command:
 ```PowerShell
 Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
 ```
+
 >[!NOTE]
 > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA. 
@@ -196,111 +61,7 @@ AD FS performs its own certificate lifecycle management. Once the registration a
 Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
-## Additional federation servers
-
-Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-
-### Server authentication certificate
-
-Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-
-### Install additional servers
-
-Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
-
-## Load balance AD FS
-
-Many environments load balance using hardware devices. 
Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
-
-### Install Network Load Balancing Feature on AD FS Servers
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage** and then select **Add Roles and Features**
-1. Select **Next** On the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
-1. On the **Select server roles** page, select **Next**
-1. Select **Network Load Balancing** on the **Select features** page
-1. Select **Install** to start the feature installation
-
-### Configure Network Load Balancing for AD FS
-
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
-
-Sign-in a node of the federation farm with *Administrator* equivalent credentials.
-
-1. Open **Network Load Balancing Manager** from **Administrative Tools**
-1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
-1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
-1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
-1. 
In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
-1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
-1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
-1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
-1. In Port Rules, select Edit to modify the default port rules to use port 443
-
-### Additional AD FS Servers
-
-1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
-1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
-
-## Configure DNS for Device Registration
-
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
-You'll need the *federation service* name to complete this task. 
You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
-
-1. Open the **DNS Management** console
-1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
-1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
-1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
-1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
-1. Right-click the `` node and select **New Alias (CNAME)**
-1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box
-1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE]
-> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix.
-
-## Configure the Intranet Zone to include the federation service
-
-The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
-
-### Create an Intranet Zone Group Policy
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Right-click **Group Policy object** and select **New**
-1. 
Type **Intranet Zone Settings** in the name box and select **OK**
-1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit**
-1. In the navigation pane, expand **Policies** under **Computer Configuration**
-1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List**
-1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor
-
-### Deploy the Intranet Zone Group Policy object
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
-1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
-
-## Review to validate the configuration
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
-> * Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
-> * Confirm you properly configured the Windows Hello for Business authentication certificate template
-> * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
-> * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
-> * Confirm 
the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> Confirm you restarted the AD FS service
-> * Confirm you properly configured load-balancing (hardware or software)
-> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+[!INCLUDE [adfs-additional-servers](includes/adfs-additional-servers.md)]
 ### Event Logs
@@ -308,7 +69,7 @@ Use the event logs on the AD FS service to confirm the service account enrolled
 - The account name under which the certificate was enrolled
 - The action, which should read enroll
--_ The thumbprint of the certificate
+- The thumbprint of the certificate
 - The certificate template used to issue the certificate
 You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate shown in the event log. 
@@ -319,5 +80,24 @@ Each file in this folder represents a certificate in the service account's Perso For detailed information about the certificate, use `Certutil -q -v `. +[!INCLUDE [adfs-mfa](includes/adfs-mfa.md)] + +## Review to validate the configuration + +> [!div class="checklist"] +> Before you continue with the deployment, validate your deployment progress by reviewing the following items: +> +> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template +> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance +> - Confirm you properly configured the Windows Hello for Business authentication certificate template +> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities +> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template +> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet +> Confirm you restarted the AD FS service +> - Confirm you properly configured load-balancing (hardware or software) +> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server +> - Confirm you have deployed a MFA solution for AD FS + > [!div class="nextstepaction"] -> [Next: validate and deploy multi-factor authentication (MFA) >](on-premises-cert-trust-mfa.md) +> [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md) 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md index 016c4b4c9e..d906fa9186 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md @@ -2,18 +2,12 @@ title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 ms.topic: tutorial --- # Configure Windows Hello for Business group policy settings - on-premises certificate Trust -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] +[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)] On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings: @@ -115,9 +109,9 @@ The settings can be found in *Administrative Templates\System\PIN Complexity*, u ## Review to validate the configuration -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - > [!div class="checklist"] +>Before you continue with the deployment, validate your deployment progress by reviewing the following items: +> > - Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) > - Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting > - Confirm you configured the proper security settings for the Group Policy object 
@@ -128,4 +122,4 @@ Before you continue with the deployment, validate your deployment progress by re ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. \ No newline at end of file +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md deleted file mode 100644 index 35fd08dd4d..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Validate and Deploy MFA for Windows Hello for Business with certificate trust -description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial ---- - -# Validate and deploy multifactor authentication - on-premises certificate trust - -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] - -Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: - -- third-party authentication providers for AD FS -- custom authentication provider for AD FS - -> [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. - -For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method). - -Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. 
For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). - -> [!div class="nextstepaction"] -> [Next: configure Windows Hello for Business Policy settings >](on-premises-cert-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md index 2c8db04a8f..dd0b4625c0 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md @@ -1,19 +1,13 @@ --- title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +ms.date: 12/18/2023 ms.topic: tutorial --- # Configure and validate the Public Key Infrastructure - on-premises certificate trust -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] +[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)] Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. 
@@ -21,15 +15,15 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin ## Configure the enterprise PKI -[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] +[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] -[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] +[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)] -[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)] +[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)] -[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)] +[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)] [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] @@ -57,4 +51,4 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen [!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] > [!div class="nextstepaction"] -> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md) \ No newline at end of file +> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index 4c3f3c04e8..c6ab2f4fa5 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md 
@@ -1,32 +1,25 @@ --- title: Deployment guide for the on-premises certificate trust model description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +ms.date: 12/18/2023 ms.topic: tutorial --- -# Deployment guide for the on-premises certificate trust model +# On-premises certificate trust deployment guide -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] +[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)] -Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment. +This deployment guide provides the information to deploy Windows Hello for Business with an on-premises certificate trust model. -There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model: +There are three steps to complete this deployment: 1. [Validate and configure a PKI](on-premises-cert-trust-pki.md) -1. [Prepare and deploy AD FS](on-premises-cert-trust-adfs.md) -1. [Validate and deploy multi-factor authentication (MFA)](on-premises-cert-trust-mfa.md) -1. [Configure Windows Hello for Business Policy settings](on-premises-cert-trust-enroll.md) +1. [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md) +1. [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md) ## Create the Windows Hello for Business Users security group -While this is not a required step, it is recommended to create a security group to simplify the deployment. +While this isn't a required step, it's recommended to create a security group to simplify the deployment. 
The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. @@ -40,4 +33,4 @@ Sign-in to a domain controller or to a management workstation with a *Domain Adm 1. Select **OK** > [!div class="nextstepaction"] -> [Next: validate and configure a PKI >](on-premises-cert-trust-pki.md) \ No newline at end of file +> [Next: validate and configure a PKI >](on-premises-cert-trust-pki.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md index 4446ced825..5d508d4b14 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md 
@@ -1,264 +1,44 @@ --- -ms.date: 09/07/2023 -title: Prepare and deploy Active Directory Federation Services in an on-premises key trust -description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model. -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +title: Configure Active Directory Federation Services in an on-premises key trust model +description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model. +ms.date: 12/15/2023 ms.topic: tutorial --- + # Prepare and deploy Active Directory Federation Services - on-premises key trust [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*. -The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ -WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ -To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
+[!INCLUDE [adfs-validate](includes/adfs-validate.md)] -A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. - -Prepare the AD FS deployment by installing and **updating** two Windows Servers. - -## Enroll for a TLS server authentication certificate - -Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. - -The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: - - **Subject Name**: the internal FQDN of the federation server - - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) - -The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. - -You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. 
- -When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### AD FS authentication certificate enrollment - -Sign-in the federation server with *domain administrator* equivalent credentials. - -1. Start the Local Computer **Certificate Manager** (certlm.msc) -1. Expand the **Personal** node in the navigation pane -1. Right-click **Personal**. Select **All Tasks > Request New Certificate** -1. Select **Next** on the **Before You Begin** page -1. Select **Next** on the **Select Certificate Enrollment Policy** page -1. On the **Request Certificates** page, select the **Internal Web Server** check box -1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link - :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: -1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** -1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). 
The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished -1. Select **Enroll** - -A server authentication certificate should appear in the computer's personal certificate store. - -## Deploy the AD FS role - -AD FS provides *device registration* and *key registration* services to support the Windows Hello for Business on-premises deployments. - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Sign-in the federation server with *Enterprise Administrator* equivalent credentials. - -1. Start **Server Manager**. Select **Local Server** in the navigation pane -1. Select **Manage > Add Roles and Features** -1. Select **Next** on the **Before you begin** page -1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** -1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** -1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** -1. Select **Next** on the **Select features** page -1. Select **Next** on the **Active Directory Federation Service** page -1. 
Select **Install** to start the role installation - -## Review to validate the AD FS deployment - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -> [!div class="checklist"] -> * Confirm the AD FS farm uses the correct database configuration -> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load -> * Confirm **all** AD FS servers in the farm have the latest updates installed -> * Confirm all AD FS servers have a valid server authentication certificate - -## Device registration service account prerequisites - -The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. - -GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. - -### Create KDS Root Key - -Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. - -Start an elevated PowerShell console and execute the following command: -```PowerShell -Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) -``` - -## Configure the Active Directory Federation Service Role - -Use the following procedures to configure AD FS. - -Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. - -1. Start **Server Manager** -1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** -1. 
On the **Welcome** page, select **Create the first federation server farm > Next** -1. On the **Connect to Active Directory Domain Services** page, select **Next** -1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* -1. Select the federation service name from the **Federation Service Name** list -1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** -1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc* -1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** -1. On the **Review Options** page, select **Next** -1. On the **Pre-requisite Checks** page, select **Configure** -1. When the process completes, select **Close** - -### Add the AD FS service account to the *Key Admins* group - -During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. - -Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. - -1. Open **Active Directory Users and Computers** -1. Select the **Users** container in the navigation pane -1. Right-click **Key Admins** in the details pane and select **Properties** -1. Select the **Members > Add…** -1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** -1. Select **OK** to return to **Active Directory Users and Computers** -1. 
Change to server hosting the AD FS role and restart it - -## Configure the device registration service - -Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. - -1. Open the **AD FS management** console -1. In the navigation pane, expand **Service**. Select **Device Registration** -1. In the details pane, select **Configure device registration** -1. In the **Configure Device Registration** dialog, Select **OK** - -:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: - -Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. - -:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: +[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)] ## Review to validate the AD FS and Active Directory configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: > [!div class="checklist"] -> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. 
Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) -> * Confirm you added the AD FS service account to the KeyAdmins group -> * Confirm you enabled the Device Registration service +> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) +> - Confirm you added the AD FS service account to the KeyAdmins group +> - Confirm you enabled the Device Registration service -## Additional federation servers +[!INCLUDE [adfs-additional-servers](includes/adfs-additional-servers.md)] -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server authentication certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. 
- -### Install additional servers - -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. - -## Load balance AD FS - -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. - -### Install Network Load Balancing Feature on AD FS Servers - -Sign-in the federation server with *Enterprise Administrator* equivalent credentials. - -1. Start **Server Manager**. Select **Local Server** in the navigation pane -1. Select **Manage** and then select **Add Roles and Features** -1. Select **Next** On the **Before you begin** page -1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** -1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next** -1. On the **Select server roles** page, select **Next** -1. Select **Network Load Balancing** on the **Select features** page -1. Select **Install** to start the feature installation - -### Configure Network Load Balancing for AD FS - -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. - -Sign-in a node of the federation farm with *Administrator* equivalent credentials. - -1. 
Open **Network Load Balancing Manager** from **Administrative Tools** -1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** -1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** -1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) -1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** -1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** -1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster -1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** -1. In Port Rules, select Edit to modify the default port rules to use port 443 - -### Additional AD FS Servers - -1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** -1. 
Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same - -## Configure DNS for Device Registration - -Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ -You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. - -1. Open the **DNS Management** console -1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** -1. In the navigation pane, select the node that has the name of your internal Active Directory domain name -1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** -1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host** -1. Right-click the `` node and select **New Alias (CNAME)** -1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box -1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] -> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. - -## Configure the Intranet Zone to include the federation service - -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. 
Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
-
-### Create an Intranet Zone Group Policy
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Right-click **Group Policy object** and select **New**
-1. Type **Intranet Zone Settings** in the name box and select **OK**
-1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit**
-1. In the navigation pane, expand **Policies** under **Computer Configuration**
-1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List**
-1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor
-
-### Deploy the Intranet Zone Group Policy object
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
-1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
+[!INCLUDE [adfs-mfa](includes/adfs-mfa.md)]
 ## Review to validate the configuration
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 > [!div class="checklist"]
-> * Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
The alternate name of the certificate contains a wildcard or the FQDN of the federation service
-> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
-> * Confirm you restarted the AD FS service
-> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
+> - Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name. The alternate name of the certificate contains a wildcard or the FQDN of the federation service
+> - Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
+> - Confirm you restarted the AD FS service
+> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
+> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
+> - Confirm you have deployed a MFA solution for AD FS
 > [!div class="nextstepaction"]
-> [Next: validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md)
+> [Next: configure and enroll in Windows Hello for Business >](on-premises-key-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
index 6d7aef36c5..fb5552e61d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
@@ -1,15 +1,10 @@
 ---
 title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
 description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
-ms.date: 09/07/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 12/18/2023
 ms.topic: tutorial
 ---
+
 # Configure and validate the Public Key Infrastructure - on-premises key trust
 [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
@@ -20,11 +15,11 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
 ## Configure the enterprise PKI
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
 [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
+[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
 [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
@@ -52,4 +47,4 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 [!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
 > [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 961219b27e..45a004ed3c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -1,20 +1,21 @@
 ---
 title: Windows Hello for Business deployment guide for the on-premises key trust model
 description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
-ms.date: 12/12/2022
+ms.date: 12/18/2023
 ms.topic: tutorial
 ---
-# Deployment guide overview - on-premises key trust
+# On-premises key trust deployment guide
 [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+This deployment guide provides the information to deploy Windows Hello for Business with an on-premises key trust model.
+
+There are three steps to complete this deployment:
 1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
-1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
-1. [Validate and deploy multifactor authentication (MFA)](on-premises-key-trust-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
+1. [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md)
+1. [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md)
 ## Create the Windows Hello for Business Users security group
@@ -32,4 +33,4 @@ Sign-in to a domain controller or to a management workstation with a *Domain Adm
 1. Select **OK**
 > [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
\ No newline at end of file
+> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/requirements.md deleted file mode 100644 index 61dffe9d37..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/requirements.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -ms.date: 10/09/2023 -title: Windows Hello for Business Deployment Prerequisite Overview -description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.topic: overview -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 ---- - -# Windows Hello for Business Deployment Prerequisite Overview - -This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. - - - -## Microsoft Entra Cloud Only Deployment - -- Microsoft Entra ID -- Microsoft Entra multifactor authentication -- Device management solution (Intune or supported third-party MDM), *optional* -- Microsoft Entra ID P1 or P2 subscription - *optional*, needed for automatic MDM enrollment when the device joins Microsoft Entra ID - -## Hybrid Deployments - -The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. - -| Requirement | Cloud Kerberos trust
      Group Policy or Modern managed | Key trust
      Group Policy or Modern managed | Certificate Trust
      Mixed managed | Certificate Trust
      Modern managed | -| --- | --- | --- | --- | --- | -| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions | -| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema | -| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | -| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | -| **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | -| **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions | -| **MFA Requirement** | Azure MFA, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | -| **Microsoft Entra Connect** | Not required. It's recommended to use [Microsoft Entra Connect cloud sync](/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync) | Required | Required | Required | -| **Microsoft Entra ID license** | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, needed for device write-back | Microsoft Entra ID P1 or P2, optional. Intune license required | - -## On-premises Deployments - -The table shows the minimum requirements for each deployment. - -| Requirement | Key trust
      Group Policy managed | Certificate trust
      Group Policy managed| -| --- | --- | ---| -| **Windows Version** | Any supported Windows client versions|Any supported Windows client versions| -| **Schema Version**| Windows Server 2016 Schema | Windows Server 2016 Schema| -| **Domain and Forest Functional Level**| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | -| **Domain Controller Version**| Any supported Windows Server versions | Any supported Windows Server versions | -| **Certificate Authority**| Any supported Windows Server versions | Any supported Windows Server versions | -| **AD FS Version**| Any supported Windows Server versions | Any supported Windows Server versions | -| **MFA Requirement**| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml index 87ab1eb026..d28fcc7569 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml +++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml @@ -1,9 +1,5 @@ items: -- name: Windows Hello for Business deployment overview - href: index.md -- name: Deployment prerequisite overview - href: requirements.md -- name: Cloud-only deployment +- name: Cloud-only deployments href: cloud.md - name: Hybrid deployments items: @@ -59,9 +55,7 @@ items: href: on-premises-key-trust-pki.md - name: Prepare and deploy Active Directory Federation Services (AD FS) href: on-premises-key-trust-adfs.md - - name: Validate and deploy multi-factor authentication (MFA) services - href: on-premises-key-trust-mfa.md - - name: Configure Windows Hello for Business policy settings + - name: Configure and enroll in Windows Hello for Business href: on-premises-key-trust-enroll.md - name: Certificate trust deployment items: 
@@ -71,7 +65,5 @@ items:
 href: on-premises-cert-trust-pki.md
 - name: Prepare and Deploy Active Directory Federation Services (AD FS)
 href: on-premises-cert-trust-adfs.md
-- name: Validate and deploy multi-factor authentication (MFA)
-href: on-premises-cert-trust-mfa.md
 - name: Configure and enroll in Windows Hello for Business
 href: on-premises-cert-trust-enroll.md
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/glossary.md
similarity index 68%
rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
rename to windows/security/identity-protection/hello-for-business/glossary.md
index 3ed49353ea..fb3015ec28 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/glossary.md
@@ -1,11 +1,11 @@
 ---
-title: How Windows Hello for Business works - technology and terms
-description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
-ms.date: 10/08/2018
+title: Windows Hello for Business glossary
+description: Explore technology and terms associated with Windows Hello for Business
+ms.date: 12/18/2023
 ms.topic: glossary
 ---
-# Technology and terms
+# Windows Hello for Business glossary
 ## Attestation identity keys
@@ -21,98 +21,26 @@ Many existing devices that will upgrade to Windows 10 won't have a TPM, or the T In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate. -### Related to attestation identity keys - -- [Endorsement key](#endorsement-key) -- [Storage root key](#storage-root-key) -- [Trusted platform module](#trusted-platform-module) - -### More information about attestation identity keys - -- [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab) -- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - - - ## Microsoft Entra join Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources. - - -### Related to Microsoft Entra join - -- [Join type](#join-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) - - - -### More information about Microsoft Entra join - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview). - - - ## Microsoft Entra registration The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. 
In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device. - - -### Related to Microsoft Entra registration - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Join type](#join-type) - - - -### More information about Microsoft Entra registration - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview). - ## Certificate trust The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. -### Related to certificate trust - -- [Deployment type](#deployment-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Hybrid deployment](#hybrid-deployment) -- [Cloud Kerberos trust](#cloud-kerberos-trust) -- [Key trust](#key-trust) -- [On-premises deployment](#on-premises-deployment) -- [Trust type](#trust-type) - -### More information about certificate trust - -[Windows Hello for Business planning guide](hello-planning-guide.md) - ## Cloud deployment The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices. 
-### Related to cloud deployment - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Deployment type](#deployment-type) -- [Join type](#join-type) - ## Cloud experience host In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. -### Related to cloud experience host - -- [Windows Hello for Business](deploy/requirements.md) -- [Managed Windows Hello in organization](hello-manage-in-organization.md) - -### More information on cloud experience host - -[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works) - ## Cloud Kerberos trust The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\ 
@@ -120,19 +48,6 @@ With cloud Kerberos trust, there's no need to deploy certificates to the users o Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. -### Related to cloud Kerberos trust - -- [Deployment type](#deployment-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Hybrid deployment](#hybrid-deployment) -- [Key trust](#key-trust) -- [On-premises deployment](#on-premises-deployment) -- [Trust type](#trust-type) - -### More information about cloud Kerberos trust - -[Cloud Kerberos trust deployment](deploy/hybrid-cloud-kerberos-trust.md) - ## Deployment type Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: @@ -141,16 +56,6 @@ Windows Hello for Business has three deployment models to accommodate the needs - Hybrid - On-premises -### Related to deployment type - -- [Cloud deployment](#cloud-deployment) -- [Hybrid deployment](#hybrid-deployment) -- [On-premises deployment](#on-premises-deployment) - -### More information about deployment type - -[Windows Hello for Business planning guide](hello-planning-guide.md) - ## Endorsement key The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). 
@@ -167,34 +72,10 @@ The endorsement key is often accompanied by one or two digital certificates: For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. -### Related to endorsement key - -- [Attestation identity keys](#attestation-identity-keys) -- [Storage root key](#storage-root-key) -- [Trusted platform module](#trusted-platform-module) - -### More information about endorsement key - -- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)) -- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - ## Federated environment Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID. 
-### Related to federated environment - -- [Hybrid deployment](#hybrid-deployment) -- [Managed environment](#managed-environment) -- [Pass-through authentication](#pass-through-authentication) -- [Password hash sync](#password-hash-sync) - -### More information about federated environment - -[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) - - - ## Microsoft Entra hybrid join For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: 
@@ -206,34 +87,10 @@ Typically, organizations with an on-premises footprint rely on imaging methods t If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID. - - -### Related to Microsoft Entra hybrid join - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Hybrid deployment](#hybrid-deployment) - - - -### More information about Microsoft Entra hybrid join - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview) - ## Hybrid deployment The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. -### Related to hybrid deployment - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) - -### More information about hybrid deployment - -[Windows Hello for Business planning guide](hello-planning-guide.md) - ## Join type Join type is how devices are associated with Microsoft Entra ID. For a device to authenticate to Microsoft Entra it must be registered or joined. 
@@ -244,86 +101,26 @@ When combined with a mobile device management (MDM) solution such as Microsoft I Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. -### Related to join type - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) - -### More information about join type - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview) - ## Key trust The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. -### Related to key trust - -- [Cloud Kerberos trust](#cloud-kerberos-trust) -- [Certificate trust](#certificate-trust) -- [Deployment type](#deployment-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Hybrid deployment](#hybrid-deployment) -- [On-premises deployment](#on-premises-deployment) -- [Trust type](#trust-type) - -### More information about key trust - -[Windows Hello for Business planning guide](hello-planning-guide.md) - ## Managed environment Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS). 
-### Related to managed environment - -- [Federated environment](#federated-environment) -- [Pass-through authentication](#pass-through-authentication) -- [Password hash synchronization](#password-hash-sync) - ## On-premises deployment The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. -### Related to on-premises deployment - -- [Cloud deployment](#cloud-deployment) -- [Deployment type](#deployment-type) -- [Hybrid deployment](#hybrid-deployment) - -### More information about on-premises deployment - -[Windows Hello for Business planning guide](hello-planning-guide.md) - ## Pass-through authentication Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network. 
-### Related to pass-through authentication - -- [Federated environment](#federated-environment) -- [Managed environment](#managed-environment) -- [Password hash synchronization](#password-hash-sync) - -### More information about pass-through authentication - -[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) - ## Password hash sync Password hash sync is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network. 
-### Related to password hash sync - -- [Federated environment](#federated-environment) -- [Managed environment](#managed-environment) -- [Pass-through authentication](#pass-through-authentication) - -### More information about password hash sync - -[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) - ## Primary refresh token Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device. 
@@ -336,32 +133,10 @@ The PRT is needed for SSO. Without it, the user will be prompted for credentials
 The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
-### Related to storage root key
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Endorsement key](#endorsement-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about storage root key
-
-[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
 ## Trust type
 The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
-### Related to trust type
-
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Certificate trust](#certificate-trust)
-- [Hybrid deployment](#hybrid-deployment)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-
-### More information about trust type
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
 ## Trusted platform module
 A trusted platform module (TPM) is a hardware component that provides unique security features.
@@ -400,13 +175,3 @@ In a simplified manner, the TPM is a passive component with limited resources. I
 - Nonvolatile memory for storing EK, SRK, and AIK keys
 - A cryptographic engine to encrypt, decrypt, and sign
 - Volatile memory for storing the PCRs and RSA keys
-
-### Related to trusted platform module
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Endorsement key](#endorsement-key)
-- [Storage root key](#storage-root-key)
-
-### More information about trusted platform module
-
-[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
deleted file mode 100644
index 3d9b51898d..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Windows Hello and password changes
-description: Learn the impact of changing a password when using Windows Hello.
-ms.date: 03/15/2023
-ms.topic: concept-article
----
-# Windows Hello and password changes
-
-When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If Windows Hello for Business isn't deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
-
-> [!Note]
-> This article doesn't apply to Windows Hello for Business. Change the account password will not affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
-
-**Example 1**
-
-Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
-Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
-
-**Example 2**
-
-Suppose that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
-
->[!NOTE]
->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
-
-## How to update Hello after you change your password on another device
-
-1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
-1. Select **OK**
-1. Select **Sign-in options**
-1. Select **Password**
-1. Sign in with new password
-1. 
The next time that you sign in, you can select **Sign-in options > PIN** to resume using your PIN.
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
deleted file mode 100644
index d80393b040..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Windows Hello biometrics in the enterprise
-description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.date: 01/12/2021
-ms.topic: concept-article
----
-
-# Windows Hello biometrics in the enterprise
-
-Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
-
->[!NOTE]
->When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-
-Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
-
-## How does Windows Hello work?
-
-Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
-
-The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. 
If multiple employees share a device, each employee will use his or her own biometric data on the device.
-
-## Why should I let my employees use Windows Hello?
-
-Windows Hello provides many benefits, including:
-
-- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
-- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
-- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
      For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
-
-## Where is Windows Hello data stored?
-
-The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
-
-> [!NOTE]
->Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
-
-## Has Microsoft set any device requirements for Windows Hello?
-
-We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
-
-- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. 
-
-- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
-
-### Fingerprint sensor requirements
-
-To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
-
-**Acceptable performance range for small to large size touch sensors**
-
-- False Accept Rate (FAR): <0.001 – 0.002%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-**Acceptable performance range for swipe sensors**
-
-- False Accept Rate (FAR): <0.002%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-### Facial recognition sensors
-
-To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
-
-- False Accept Rate (FAR): <0.001%
-
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-> [!NOTE]
->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. 
Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
-
-### Iris recognition sensor requirements
-
-To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K.
-
-## Related topics
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b5c4e51668..7936af83fa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -8,8 +8,6 @@ ms.topic: troubleshooting
 The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.
-
-
 ## PIN reset on Microsoft Entra join devices fails with *We can't open that page right now* error
 PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
@@ -50,8 +48,6 @@ After the initial sign-in attempt, the user's Windows Hello for Business public
 To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
-
-
 ## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
 Applies to:
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 6f42bde365..6504bc66e3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -20,7 +20,7 @@ sections:
 - question: How can a PIN be more secure than a password?
 answer: |
 When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
- The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+ The statement *PIN is stronger than Password* is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](multifactor-unlock.md) feature.
 - question: How does Windows Hello for Business authentication work? 
answer: |
 When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
@@ -222,7 +222,7 @@ sections:
 Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
 - question: Can I use both a PIN and biometrics to unlock my device?
 answer: |
- You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
+ You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](multifactor-unlock.md).
 - name: Cloud Kerberos trust
 questions:
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
deleted file mode 100644
index d8f299c354..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: How Windows Hello for Business works
-description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
-ms.date: 05/05/2018
-ms.topic: overview
----
-# How Windows Hello for Business works in Windows Devices
-
-Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices.
-
-Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
-> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
-
-## Technical Deep Dive
-
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-
-### Device Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works). 
-
-### Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
-
-> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
-
-For more information, read [how provisioning works](hello-how-it-works-provisioning.md).
-
-### Authentication
-
-With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
-
-> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-
-For more information read [how authentication works](hello-how-it-works-authentication.md). 
-
-## Related topics
-
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Windows Hello for Business](deploy/requirements.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index ba06402421..1b1ad680bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -16,7 +16,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
 Steps you'll perform include:
-- [Prepare Microsoft Entra Connect](#prepare-azure-ad-connect)
+- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect)
 - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
 - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
 - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
@@ -49,8 +49,6 @@ If you need to deploy more than three types of certificates to the Microsoft Ent
 All communication occurs securely over port 443.
-
-
 ## Prepare Microsoft Entra Connect
 Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
@@ -59,8 +57,6 @@ Most environments change the user principal name suffix to match the organizatio
 To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
-
-
 ### Verify Microsoft Entra Connect version
 Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_.
@@ -287,8 +283,6 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 11. Select on the **Apply** to save changes and close the console.
-
-
 ### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
 During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 4a2846f9e6..350c47024f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -217,8 +217,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK** ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
-
-
 ## Deploy the root CA certificate to Microsoft Entra joined devices
 The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Microsoft Entra joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Microsoft Entra joined devices don't trust domain controller certificates and authentication fails.
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
deleted file mode 100644
index 896453d0bf..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Manage Windows Hello in your organization
-description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
-ms.date: 9/25/2023
-ms.topic: reference
----
-
-# Manage Windows Hello for Business in your organization
-
-You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
-
->[!IMPORTANT]
->Windows Hello as a convenience PIN is disabled by default on all domain joined and Microsoft Entra joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
->
->Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
-
-## Group Policy settings for Windows Hello for Business
-
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
-
-> [!NOTE]
-> The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user.
      - **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.
      - **Disabled**: Device doesn't provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.
      - **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
      - **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.
      - **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
      - **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer|- Added in Windows 10, version 1703
      - **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service
      - **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset
      - **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.
      - For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN
      - **Enabled**: Biometrics can be used as a gesture in place of a PIN.
      - **Disabled**: Only a PIN can be used as a gesture.|
-
-### PIN Complexity
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN.
      - **Enabled**: Users must include a digit in their PIN.
      - **Disabled**: Users can't use digits in their PIN.|
-|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN
      - **Enabled**: Users must include at least one lowercase letter in their PIN.
      - **Disabled**: Users can't use lowercase letters in their PIN.|
-|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.
      - **Enabled**: PIN length must be less than or equal to the number you specify.
      - **Disabled**: PIN length must be less than or equal to 127.|
-|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater than or equal to 4.
      - **Enabled**: PIN length must be greater than or equal to the number you specify.
      - **Disabled**: PIN length must be greater than or equal to 4.| -|Expiration|Computer|- **Not configured**: PIN doesn't expire.
      - **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
      - **Disabled**: PIN doesn't expire.| -|History|Computer|- **Not configured**: Previous PINs aren't stored.
      - **Enabled**: Specify the number of previous PINs that can be associated to a user account that can't be reused.
      - **Disabled**: Previous PINs aren't stored.
      **Note** Current PIN is included in PIN history. -|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.
      - **Enabled**: Windows requires the user to include at least one special character in their PIN.
      - **Disabled**: Windows doesn't allow the user to include special characters in their PIN.| -|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.
      - **Enabled**: Users must include at least one uppercase letter in their PIN.
      - **Disabled**: Users can't include an uppercase letter in their PIN.| - -### Phone Sign-in - -|Policy|Scope|Options| -|--- |--- |--- | -|Use Phone Sign-in|Computer|Not currently supported.| - -## MDM policy settings for Windows Hello for Business - -The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp). - ->[!IMPORTANT] ->All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device.
      - False: Users won't be able to provision Windows Hello for Business.
      **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices| -|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.
      - False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.| -|ExcludeSecurityDevice
      - TPM12|Device|False|Added in Windows 10, version 1703
      - True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
      - False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.| -|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703
      - True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
      - False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| - -### Biometrics - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.
      - False: Only a PIN can be used as a gesture for domain sign-in.| -|- FacialFeaturesUser
      - EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.
      - True: Enhanced anti-spoofing is required on devices which support it.
      - False: Users can't turn on enhanced anti-spoofing.| - -### PINComplexity - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|Digits |Device or user|1 |- 0: Digits are allowed.
      - 1: At least one digit is required.
      - 2: Digits aren't allowed.| -|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed.
      - 1: At least one lowercase letter is required.
      - 2: Lowercase letters aren't allowed.| -|Special characters|Device or user|2|- 0: Special characters are allowed.
      - 1: At least one special character is required.
      - 2: Special characters aren't allowed.| -|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed.
      - 1: At least one uppercase letter is required.
      - 2: Uppercase letters aren't allowed.| -|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.| -|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.| -|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.| -|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.| - -### Remote - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|UseRemotePassport|Device or user|False|Not currently supported.| - ->[!NOTE] -> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN. - -## Policy conflicts from multiple policy sources - -Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared. - -> [!IMPORTANT] -> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*. 
-
-## Policy precedence
-
-Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
deleted file mode 100644
index 55a70b9a89..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ /dev/null
@@ -1,342 +0,0 @@
----
-title: Plan a Windows Hello for Business Deployment
-description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 09/16/2020
-ms.topic: overview
----
-
-# Plan a Windows Hello for Business Deployment
-
-Congratulations! You're taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
-
-This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-
-> [!Note]
-> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
-
-## Using this guide
-
-There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
- -This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. - -### How to Proceed - -Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. - -There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: - -- Deployment Options -- Client -- Management -- Active Directory -- Public Key Infrastructure -- Cloud - -### Baseline Prerequisites - -Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet. - -### Deployment Options - -The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. - -#### Deployment models - -There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. - -##### Cloud only - -The cloud only deployment model is for organizations who only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in Azure. 
- -##### Hybrid - -The hybrid deployment model is for organizations that: - -- Are federated with Microsoft Entra ID -- Have identities synchronized to Microsoft Entra ID using Microsoft Entra Connect -- Use applications hosted in Microsoft Entra ID, and want a single sign-in user experience for both on-premises and Microsoft Entra resources - -> [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. -> -> **Requirements:** -> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 - -##### On-premises -The on-premises deployment model is for organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. - -> [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. -> -> **Requirements:** -> - Reset from settings - Windows 10, version 1703, Professional -> - Reset above lock screen - Windows 10, version 1709, Professional -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 - -It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. - -#### Trust types - -A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. - -> [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. 
This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](deploy/hybrid-cloud-kerberos-trust.md). - -The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. - -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust doesn't require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. - -> [!NOTE] -> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md). 
- -#### Device registration - -All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role. - -#### Key registration - -The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. - -#### Multifactor authentication - -> [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multifactor authentication for their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. - -The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a strong credential that enables easy two-factor authentication. 
The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. - -Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-Factor Authentication Server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). -> [!NOTE] -> Microsoft Entra multifactor authentication is available through: -> * Microsoft Enterprise Agreement -> * Open Volume License Program -> * Cloud Solution Providers program -> * Bundled with -> * Microsoft Entra ID P1 or P2 -> * Enterprise Mobility Suite -> * Enterprise Cloud Suite - -#### Directory synchronization - -Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials between itself and Microsoft Entra ID. This helps enable single sign-on to Microsoft Entra ID and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification. - -### Management - -Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to manage their devices and users. 
There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed. - -#### Group Policy - -Group Policy is the easiest and most popular way to manage Windows Hello for Business on domain joined devices. Simply create a Group Policy object with the settings you desire. Link the Group Policy object high in your Active Directory and use security group filtering to target specific sets of computers or users. Or, link the GPO directly to the organizational units. - -#### Modern management - -Modern management is an emerging device management paradigm that leverages the cloud for managing domain joined and nondomain joined devices. Organizations can unify their device management into one platform and apply policy settings using a single platform - -### Client - -Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios. - -Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement might change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices might require a minimum client running Windows 10, version 1703, also known as the Creators Update. - - -### Active Directory - -Hybrid and on-premises deployments include Active Directory as part of their infrastructure. Most of the Active Directory requirements, such as schema, and domain and forest functional levels are predetermined. However, your trust type choice for authentication determines the version of domain controller needed for the deployment. 
- -### Public Key Infrastructure - -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources. - -### Cloud - -Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities. These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription. The planning process identifies and differentiates the components that are needed from those that are optional. - -## Planning a Deployment - -Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure. - -Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. - -### Deployment Model - -Choose the deployment model based on the resources your users access. Use the following guidance to make your decision. - -If your organization doesn't have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. 
- -If your organization is federated with Azure or uses any service, such as AD Connect, Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. - -If your organization doesn't have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. - ->[!NOTE] -> ->- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests" ->- Migration from on-premise to hybrid deployment will require redeployment - -### Trust type - -Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. - -Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. - -One trust model isn't more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust). - -Because the certificate trust types issues certificates, there's more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect. 
- -If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. - -If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet. - -### Device Registration - -A successful Windows Hello for Business requires all devices to register with the identity provider. The identity provider depends on the deployment model. - -If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet. - -### Key Registration - -All users provisioning Windows Hello for Business have their public key registered with the identity provider. The identity provider depends on the deployment model. - -If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet. - -### Directory Synchronization - -Windows Hello for Business is strong user authentication, which usually means there's an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multifactor authentication during provisioning or writing the user's public key. - -If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. 
User information is written directly to Microsoft Entra ID and there isn't another directory with which the information must be synchronized. - -If box **1a** on your planning worksheet reads **hybrid**, then write **Microsoft Entra Connect** in box **1e** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user's credentials remain on the on-premises network. - -### Multifactor authentication - -The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and can't be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity. - -If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet. - -If box **1a** on your planning worksheet reads **hybrid**, then you have a few options, some of which depend on your directory synchronization configuration. The options from which you may choose include: -* Directly use Azure MFA cloud service -* Use AD FS w/Azure MFA cloud service adapter -* Use AD FS w/Azure MFA Server adapter -* Use AD FS w/3rd Party MFA Adapter - -You can directly use the Azure MFA cloud service for the second factor of authentication. 
Users contacting the service must authenticate to Azure prior to using the service.
-
-If your Microsoft Entra Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Microsoft Entra Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Microsoft Entra ID and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
-
-You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
-
-Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises Azure MFA server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet.
-
-The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, then you have two-second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter.
-
-If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
-
-### Management
-
-Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage nondomain joined devices. If you choose to manage Microsoft Entra joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
-
-> [!NOTE]
-> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
-
-If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
-
-Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and nondomain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for nondomain joined devices.
Or, you can use modern management for both domain and nondomain joined devices.
-
-If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet. Write **modern management** in box **2b** if you decide to manage nondomain joined devices; otherwise, write **N/A**.
-
-If you use modern management for both domain and nondomain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
-
-### Client
-
-Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-> [!NOTE]
-> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
-
-Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
-* Box **2a** on your planning worksheet read **modern management**.
- * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**.
- Optionally, you may write **1511 or later* in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-
-Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true.
-* Box **1a** on your planning worksheet reads **on-premises**.
- Write **N/A** in box **3b** on your planning worksheet.
-* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **certificate trust**, and box **2a** reads **GP**.
- * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-
-### Active Directory
-
-The Active Directory portion of the planning guide should be complete. Most of the conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
-
-Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
-
-### Public Key Infrastructure
-
-Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type.
-
-If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments don't use a public key infrastructure.
-
-If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
-
-The registration authority only relates to certificate trust deployments and the management used for domain and nondomain joined devices. Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
-
-If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet.
In box **5c**, write the following certificate templates names and issuances:
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | AD FS RA |
-| Web Server | AD FS RA |
-| Exchange Enrollment Agent | NDES |
-| Web Server | NDES |
-| CEP Encryption | NDES |
-
-If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FS RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | AD FS RA |
-| Web Server | AD FS RA |
-
-If box **2a** or **2b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet.
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | NDES |
-| Web Server | NDES |
-| CEP Encryption | NDES |
-
-### Cloud
-
-Nearly all deployments of Windows Hello for Business require an Azure account.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments don't use the cloud directory.
-
-Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults. Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
-
-If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature.
-
-Modern managed devices don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
-
-If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
-
-## Congratulations, You're Done
-
-Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they're used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
deleted file mode 100644
index 52459fe655..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Prepare people to use Windows Hello
-description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.date: 08/19/2018
-ms.topic: end-user-help
----
-# Prepare people to use Windows Hello
-
-When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
-
-After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
-
-Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
-
-People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
-
-[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-
-## On devices owned by the organization
-
-When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
-
-![who owns this pc.](images/corpown.png)
-
-Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
-
-![choose how you'll connect.](images/connect.png)
-
-They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
-
-After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
-
-## On personal devices
-
-People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
-
-People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
-
-## Using Windows Hello and biometrics
-
-If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
-:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png":::
-
-## Related topics
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
deleted file mode 100644
index 6fe91595bc..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Why a PIN is better than an online password
-description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
-ms.date: 03/15/2023
-ms.topic: concept-article
----
-# Why a PIN is better than an online password
-
-Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
-
-Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
-
-> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
-
-## A PIN is tied to the device
-
-One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too.
-
-The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
-
-## PIN is local to the device
-
-An online password is transmitted to the server.
The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server.
-When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server.
-Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
-
->[!NOTE]
->For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).
-
-## PIN is backed by hardware
-
-The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords.
-
-User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
-
-The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
-
-## PIN can be complex
-
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history.
Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
-
-## What if someone steals the device?
-
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
-You can provide more protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
-
-### Configure BitLocker without TPM
-
-To enable BitLocker without TPM, follow these steps:
-
-1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
-1. In the policy option, select **Allow BitLocker without a compatible TPM > OK**
-1. On the device, open **Control Panel > System and Security > BitLocker Drive Encryption**
-1. Select the operating system drive to protect
-
-### Set account lockout threshold
-
-To configure account lockout threshold, follow these steps:
-
-1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
-1. Set the number of invalid logon attempts to allow, and then select OK
-
-## Why do you need a PIN to use biometrics?
-
-Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition.
When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. - -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md similarity index 97% rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md rename to windows/security/identity-protection/hello-for-business/how-it-works-authentication.md index af0ff0de5a..9b870a85e4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md @@ -10,8 +10,6 @@ Windows Hello for Business authentication is a passwordless, two-factor authenti Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in and can, optionally, authenticate to Active Directory. Microsoft Entra hybrid joined devices authenticate to Active Directory during sign-in, and authenticate to Microsoft Entra ID in the background. - - ## Microsoft Entra join authentication to Microsoft Entra ID ![Microsoft Entra join authentication to Microsoft Entra ID.](images/howitworks/auth-aadj-cloud.png) 
@@ -27,8 +25,6 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| - - ## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust ![Microsoft Entra join authentication to Active Directory.](images/howitworks/auth-aadj-cloudtrust-kerb.png) @@ -38,8 +34,6 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in |A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. |B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.| - - ## Microsoft Entra join authentication to Active Directory using a key ![Microsoft Entra join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png) 
@@ -53,8 +47,6 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in > [!NOTE] > You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins. - - ## Microsoft Entra join authentication to Active Directory using a certificate ![Microsoft Entra join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png) @@ -68,8 +60,6 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in > [!NOTE] > You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. - - ## Microsoft Entra hybrid join authentication using cloud Kerberos trust ![Microsoft Entra hybrid join authentication using Microsoft Entra Kerberos](images/howitworks/auth-haadj-cloudtrust.png) 
@@ -82,8 +72,6 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. |E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| - - ## Microsoft Entra hybrid join authentication using a key ![Microsoft Entra hybrid join authentication using a key.](images/howitworks/auth-haadj-keytrust.png) 
@@ -101,8 +89,6 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in > [!IMPORTANT] > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. - - ## Microsoft Entra hybrid join authentication using a certificate ![Microsoft Entra hybrid join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md similarity index 100% rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md rename to windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md new file mode 100644 index 0000000000..b05fb8f4be --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md 
@@ -0,0 +1,84 @@
+---
+title: How Windows Hello for Business works
+description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
+ms.date: 05/05/2018
+ms.topic: overview
+---
+
+# How Windows Hello for Business works in Windows Devices
+
+Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices.
+
+## Technical Deep Dive
+
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
+
+### Device Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
+
+### Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password.
The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
+
+For more information, read [how provisioning works](how-it-works-provisioning.md).
+
+### Authentication
+
+With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+For more information read [how authentication works](how-it-works-authentication.md).
+
+## Windows Hello biometrics in the enterprise
+
+Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
+
+
+
+## How does Windows Hello work?
+
+Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
+
+The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
+
+## Why should I let my employees use Windows Hello?
+
+Windows Hello provides many benefits, including:
+
+- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
+- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
+- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
      For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
+
+## Where is Windows Hello data stored?
+
+The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
+
+> [!NOTE]
+>Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
+
+
+## Windows Hello for Business and password changes
+
+Changes to a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
+
+## How Windows Hello for Business works: key points
+
+- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
+
+- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account.
+
+- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy.
+
+- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
+
+- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
+
+- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
+
+- Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+
+- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
+
+For details, see [How Windows Hello for Business works](hello-how-it-works.md).
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/images/fingerprint.svg b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg
new file mode 100644
index 0000000000..e2b816716a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/identity-protection/hello-for-business/images/hello.svg b/windows/security/identity-protection/hello-for-business/images/hello.svg
new file mode 100644
index 0000000000..5601c82127
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/hello.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/identity-protection/hello-for-business/images/hellosettings.png b/windows/security/identity-protection/hello-for-business/images/hellosettings.png deleted file mode 100644 index 9b897a136e46dc63f3ef4dcb703b940ae7daac61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 57498 zcmX7vcR1Va+r~Q{Ma|l?p%g{!O~q(w?AjxwN{Uh%qeg?)t}Ry0RPEiO#I8;3T}6$E zSu3Ox^G$#6AC4T~B!}Gdy6)>dKleu?18thy9JjAsyG8?g`q=o|wHtibu3fL8xJ7zL zj?j%Jy(~p|6=w}iAYs8K$?n9z2m|<;#%!kYecP*rFyfR)E&k&m5Rf*YWvt>{3%~n|H5GdX zDe;Y~B8U#UWvL|ieRyzT~ zkA%}94fx#wALi|vidI}kg~q~9hCZCn2IDsUx|LUgp?-D+o&i$tmWU2^UkNOY+UEp8 zE&pc24{YRm?-#ySnA@?yKQ7KB(0I(FaYVuI-xUJWx4!Agm$1pZS2)E^EmPSsfbvx? zZ}PQFh%ie&@V>bIRdwa2ww7}&Q{-uA?l#M6`W@VCageHxaS&{3(@3+5Up84espat< zdqoY3fwBZu*Fu3lH+;sersD5$3ZAJV{O)53li%qt0?*-{r_rIFguweER*oV;cR^U2 zpdYqvZLfaK*3`4v1pD0@yrs=O^{ol z)nC*MxXQi)De>96p2rsz{u{zJ9QJpuj@*O>r=MJhj-7@Wmu4S}PFfW)J|L%NTizQ? ziiTnOo>c3Dr~QO<(?mbsrk|6MmHoO92!$4&{dbNsl+}7QDY6py&B!+8z|JK~6(q&` za46DGA-tt_4N&Zqxo3sHK22$L%8nk^w$mKg$ms5go0KgDTOA$^e1YWQQw`@XR1i2S z?EPuhf`MpV*3z20Co(^q}*+=aHyZ@)8xxe}StNBb8CDAec69u5_qxa~5rQZO%v zJgcxc@{|Izo?QRQv62eVPCGf_RM{S}yfbF%V@Xj~4jgx?6loudyWVsvMhQW}y)|Dt zqzQIobsBY+g};D!Qve$q=X|Ww8X$b>#yuUIzng`M!aF#z%-iWPHYS2J)7nR|$tHZj zqM+7yonYnaX<2im0&od?dvuWbo+~lHyKv?#N^f1B8-d>Z-P#PtPg_U@o%^{=7U|nM zO*bT>;$t8LmYeoY9`p5;-kW0`1C?cEWvub=VLHvIcb#2u{KKagQ@|E+Sr;OGTDj`P z1fzI&HMvi>NqTA>JaF}RloevJMl`qxT)ZH_=q={Mm0r`qy0PiER=V-Lbox8Wz+hD> zb?C;;!(?=Jf=X(h%TzelqBEc`-1!k}2r|9}HJS=ot`2a$1i^GcmhRKKwp^gg!h062 zGHI$oizzoZ8CAuXWSLTvbknZjrpO|G*UKQ4_6mh|y~Ig2-a9wd67D`)%kll4WMZKB zq{tv=JC+=nkGegf$2;`toevww(fV+5mU|QElF$c4M*@O2V`*a;EDR--t8g$nYPt1OZu zsZBB?rD)2Tdl`@iK{WtQlc1xlrT&#jfS7CL_cT$v zmYU{ZfwWw?nSEeq>I{ zk5|$$xAifT?*LvLPvW-AtI@jRt^AnYxa2&|Nc5K{G1+SRJ^{Me_-jySsAC2Zn;>I-T20Fv3u(|K{U`qDap0U#b&%Z9b>7o&XhtkL;ZcP>s zS~=z1H&i(co1_tITw`z|<_Y@uZl$gPwA1{$KYCdWFr+I41!}7LhdEoTdJT*#zzlYz zhOse7t?G*!)_c;AePX;^!bW-cEly=>>UHCiS<)pSb_+h%r!PMH6T~Wj_#^z$N8Ovk 
z;$r%m&QUEWsj#4cO6bH{#99`WW8YS9;3h}NRW`!$D8r03Tb%J=kj$mi+X^IoTXS(r zyix^b|5>RlH)x@N&=%|mAYWm->AUEY{-@<=q~>g|d9Z1xN@U)>xw7Tt_q)CD+;_1N z;2Jfba1?S6_!oP8RIQ%*&){J_cCW?;aA)hTa1Y}4%#b?8D10zxnssG&!!Dj2rFPgH5 zTJjX zG(D~S-{)P3KAmPYB#NFjtGJ3)EAgf$tNK0Lf zP+rS{9dr$y?iXGZ4u)#7;Pa7cG(@Vu`%RBnP+nRiNqY_^g#8GWgZHJHN6k-%K z@Gd9MyKA4*^JtXbQKH(DD}*fK`>fr3Wyo`(uSXs6|9PqO-K&`?Uxl1~t;Lb{u5xIY zEj_xEEB;w`OXXSx^j_^luRd;H)O1v;h20!GwP21nLKzt1lMDq3(wJ)*z3q;=Gm`lH zNxsKY+lUZvf|!iXghRZnK%Yq4}PVAXboW9mvibR-<<5w)FXfH^f- zQHn*bBPPngKox+gId2K=w$4Y$hyv?2LKgshtqDRyY&8!i1+kd)5AW^|u1(N?`UEd- zDxo^;8ha>4yPP1JS}I1f8iDKQ8@`XNrmqsSxa`py+@CFHn2|lv8*0D0*oP)O`kS~P ze04UmTRW;+gNaveQcM6Xq~D2LXWghf?;mS&z=!&$g#X8-Oh*g>`+)rKy&HVk;O(VU zey^R-BfgMCxkUe=`!$Cen@;}Pa!2UmUAl5cOT#~8`dM82>E^vUE5Y6AOmaWgX zC_*u$t?oUj$i~d49q&!tens6ocCga57)>1yy?fCuG-n^ly-*gt7nvs*X?q9>#7{4V zUYn-MD0|1jA*k!m)Gl`Jn#!mINjOjy5!S5^WDnq08XM&&jS=4hdAq{7pS^Xf1)>Tw z_GVg|wo^uBgxI7GRzOBCtxSy7MWZL{0=Us9ASz9|`wtAF&?XkI&T&q>`o%^k1x=Jk zdda1u6TUj1AgTt3P&GC|QOyaT2jg%;ceqkG^xD<0K96M584JU)iZdyOAr3HdVJ`|# z2K$^Wf8%E%ORWp#^RCsc+0Qz=hhyXjhwA%YD;s^a{zPm#H0yOe%uDcutKAP1Cl9vE z?sK$DNUkLI-s#=A+xMc2v`BXx?Se1x?q*@BY%J`SJS8H!zvSXH9GPC)tR)+&!jdne zMXD?tCa&q>z&noB-LmMfY6V?V|EYeTAWUH&oX>^We*_&Fx0=#XGsI?iv=MvR<=pnO zgHE@6$lWB%OzXeYc;@*-!wCxaUGH{JqKND4k&w26nwJBDu8-6aD(A4}^zoCU3$uve zoEVu$Ua24603ZN0I{cuv;Fy#Kg0_2HMWaTg8SahV@Mj4H6N&hn-TKjhwB&bSHXu9~ z$Cy8`*tr8x0W<7x2&lYRG5G8|=0o$eSsvFNA;QV31$K%?IRphtmV{YdC z0TaVl7QD_^NrBVLOA4aK3uIwem^!URUJUI9B?7mE+c+a7Yuvu`h)IXN>MP*Uy9{`4 z)@7FTHKdESdzh=Yq%VrNrnCfC#}5ko>F`S4^Zu;!Q~b_`dEir%QML~SIu=(Fng=4& z?SCg9z=EtxZ*OS=dAPSQV=`>~*_?S&bFN2Nf|5vE8>o9LJ8V5&_a&Egb*3B=o_sKv zZaO1MTr;WS_a|U}q$jTxOCi>Jl6L%y!praKuqC`Xe?#2-&pPk$D;os0jq>T6Q`Drw`w&LrSE?ZL^P^#M1WqIOi@&h_Z(ib*2?q#@!&CaigenBJ zd>vBFEbcW-&Jhp{L-E2~Fz23I3~6+z6J9;cR;zJ!L|0VwKH%lrS@??8Ar_+ntg1!d zze{%~T~=Q#`hH)ZxJMgwC`8<1d`AO^$0Uh8#;RwwfIU-W*kR6>jT6uT<#-8I&zk-U1TS+ZmjaxcXK6;ty*772Q`c zs>jYOJ2MUat0|ONXTR)wc@-#yLY{OVj$)6@AghWgiAN_ed>pWQKo_kEE#6YMOxwu% 
z&%eYydObD8DQcS)ef>O8v0Hr!g;HA(#a9(zbHaM*=B4Rb1nJu0$LMfzk*Oyg5d1S! zaY*}%EyuM;Rr%aPnI^La;aD8?GXb`35xhLYw%#_pDzApxtU`7N#P-6`i>kmmI)g<>_M!MdK6lW*C!pRahGNrfh;h#;qxcF+BGCBmr4!p-gsdIK76R92c+vIlzNoKp*TK=U z^h3igiP+xvlH{IoR-a*k6TRg!b1wXaF@peHDulwCmAKXez6NtiES3s9INBKMmC@=q zRL}j*dQUlhFDw%0#lg2MLYe0YO5GDl@vdab*GS^rE-M&_A5@-_G;kVIkqu(;w>Y0XsG54a|q71%T(2Og473dljFQEUkkPE zm67CyYT_%7)v%_bt-FH2WJv^7*vfh5wIHFCw=|$Fs_Tldf&oJ*o&%HMy}%si^T4^4 zN8N>SN1+O~)LjyucjA?M1VD0^J(={pOHxLAMQZpV`Kvm@5M_{GT9c4DF&U?W0Gvi{ zUA(LE8W?boouZ7s$6&GVDori;Y*Sv|BD|8 zF5T&rh)oNR=Zt-D4jnX(<#mx7Xt!i4dnf55bl)W)0y=8UT3B%=GiPs^xd$#D@C0rl zCfQ(H`5>uRYr6AhI@r!_=lZxy*Cj2Id}6`!gwf-*3{cwaF_7{|5VCh60XZ~IdgX)EF5!z&Rq7duE7Li03%YAO98|0n~P(SKJzDSajW0r2$==))u(rC)R#gX<% z*H*@?QFe)+yLLO?cC0=4io?Ni3jqx;739I$am>+?ejbE9f8}zv2)07$qzfUQW*r_m zf+FQ=P#)x^pBhlT5}<)>y`WengQ2|@69m&Cl@yKMPUFpI!a~SP0jkfjcW+qSDMuME&e-|4QpG)$h2rlhd$BDl8byNA4ZSk(aI?ADC*d7 z-Gb3+0JK_};Nv`{ZWsy@i zz3AS~(V#J15LcDv9L;MHVu91$b=HtMb2v8DqJW`GQ$5k7{w=Ivw?D&J@m-#2^-sm7 z(nSBPzsYmWv{BRvcgHu>tQHz8MR#Wm(%!o8?M6I-v6>G~lx0r-$TN{i;O`TstT`z? 
zoO<(IvDl>8V2|~hRqHs4u;TrZ3K*1R6r4&AT;-cI?0Yl|zsHICr>Pxb7#sUn7=cmA z`(1&V($rl-vav{**hdtq?Z}=hCMLN$^uYSCnmLYBsTZ%%UMB+@5fp3rmSYG;?Vkrk z#Q?teFfkOxcm=7fl^kJ8bnnHQK(c-{dVhV)|Ab^8`>_}@7v zcff7U5affq(l2A1`8G9^`Hs<5^KXCJjr!&dgz`Uu@)~fa5puhX~0;L+(g;vCEs-gl-3F zlXH{;QbN>wxqWC$Ry?AN&KbUR7!rMS!IQl}pvDkRU?b^wSmSm1#M+uPq9*y`jDi7s z7jF*sVOF^DuP7ONr9BtvI^}h@+}9IxY`!lG_U2_M%F6~m_w7Ok5X?&bv8}gso0DoC zJ2DpwyR;_@22Jt{?nO5|zxXZnZogyVZ}VJ@jL!T^+>NcEeR-+F?BVQ+=wv`Ym6#a)^^%6AvcFw4832<4Ce3S|H2q z9;PoLz3=Y3A*}CqX)(HCDM$oJ=%8DxYTiSn+XaAb(Q*mdy#Ah={q~oOX9pQ;|5T}o zZ8(GPe(TBG2>Jk*p5i>{EWw&?0Yi%7HD4TPk<`ac`d)jD8%=K(i+HnPxPL0@M((?j zxVW8)+W3mP2_1L%`R|jqjb1(O_NT=)R%GjBhxrMr2+|kl;sOJnGw^jLRQo5z`@IJP z#aup0d;C_BFY+4o8O?pPICx(?x_P%gE17*eR4$_^gBk-LiE!2uDAufEZK=2WfLn$E))2HXEo39cWVl4 zlwGc-sZV5=(8QR0Yn^Jhc6w`i4z}`pLf`-Xa#eQtFoGv3af74+RiynKD~=^e9cft} zZF91(_DBoY%gJaVV5f3~zC&SivAIE7O`-cqr1IIHT3fRBNPyC{9D8)i1A_>S``mAS zT=ygmH#*a`>VaVPn-J-!-y~hx|7^FxHuq$~D?!?EeJH~uOPDhg==_K+!hTJ+>X46X zht0u?^5wz{Jq%e4YvsfGpI`RK;=d)PKNPrQuKAoK#Eu{hQ=cfzR`Ap!V%_kQ1Gn=- zy!$&6{1&9ej%cEl_fTD}6sv5IjEV?q_SIue02j`x(mYT?C#nw>)262A6_?LJUVNGw zBJ)Tlc>C#&BtWJWp&PMY7FArVL(Ps7^!O5PUs{;)nk3k2vsBHQoZ1nSOh>HwbL_Hsj_NJd*Z+L|B5hC<9Q@Tg zz(3pO`qt^#Qy2MH^?EA4wV58%kF`LmiSjHAEXw8zBJ`swN3kYp%nTJUa~0?AP;$Dr z^8##l+AnrJaymkM5}+5P=rc%~XwksaW7v|-`tG$Dx87KGpIekX7M0#rNf(_|;;7f` z6R+;SD6NeJ*>(4Q$!8c<+7V@qjIS^c=1nvJc;}JMM$WBk9P$*i3bC?Hi=7ICg12s9 z1j?IRp2IE#B1F2?jcd6#hxMLZp6x4#Ppf@?=Dc>nbz7*}JKGemrTIPEy52tX}=GLD1EFjD#!om6ca*k5rD?`;|Y(7rD+> zeWVj%-K?wlP17ZT;~V_hrI0UC|A@Gj?78SO+xVKbSJ7O9jgOt`H~;kPy~So_tN!P1&~xnTPcm)^wHzTIB%Q~2SXnhgn4JVl zxZnQlh$B`+cr;?u#2y|d^?V}5faYeEwsV}WVDdMHKyyf-&k2Guh^Rw}?JLBlxG1xU3*J3Oy-#jlF(hnn)Fco@Od+}v+QGexreUWMB+YR9#7Z`Mix*`!_& z+yBSb9Dy#SD(HKN)IB+i02NyZ^jBP%Gh4NgvZ&(Im;1HR$0#CIY4#oc<=t(=s!L-% zE+IwFwWm&pFCNsAX@;&1^~NjjZC0#Qx1FN(&%N&|UFQxr=usCvKmEJA6Ps3E)r20% zAOB5K#6}n#Qo|zRK4?0P->gxC8X{E}W#6pAav#UBWvkN1vMD_jkv4pUPpN3XJQWjH zVqLKs5Ud*a-t@AV&8G12a6fIhwVHcJ4B!n%lM93go-A5i?q6MwwuU9;O5U-G4Q^SM 
zEV}Md%|`jdU$rx;+CfnSQ1Sj?eK1<`@>J@i3vfAB8S)hx59lQ;=Y@N!k|ko>qa=Gh z_jkH%WNh|Z=%p@cxs|4RxFw#e<){`6G~B)2A^wglOg7@KPStsdFCeabYsw{~M7#Cx z1%8qoxYnmg=C5MX2Jc+Dlh=Aq%5<<%+OCxJK*(QQ^;!%cnX>u7dETSKS9agM{R8T} z1D~TrD;Y8Z7OZOuG*eAQ!J?DFD&4PV-?$g-++5OW_IQa7!3ThRknwvS$wJoGql2r- zw6;hSKWh8WBJjMx&kj}xU${1I6=gZjzi#khIsRuw{S&Wu9*c_Kef!fMR}Q(*iB~;! z-Wc`dA-7T74A{(zY^r3f54=2x1S;ITL3Ng5V(`zjK|kDwsWE@8+R|Ga2HalFeWd4o zqq9Uti7c`_F|hlNHY!l}_q|Q9s=a?8#iSG`Hb#|isqoRP=RJdy_0Paltmi{AG{Z^k z8)BN-WI-O|e=zoH%iU!%+CKh-4;ozN*-1~h0y`XfLM0Plvpmub!C>QeSO3t%G(jwU5O&I`81)H#^(m4;uDW|Ta2*q@#jUenVVE#-Os@tK7$`{2)!mkUrgM_ixf zkEix6U37ijAHMyNfAd~OPqg0=A8I)AAu&FcQC2E(kd^MI^~w{(%^Eh^iZ9O>=vn)8 zm!j_QEqodz9Ze-iOz!qVyww2awu%2%U6TTvI-Ahu*S)5lqWYMK&z{7glMKg?kf;Uz z)wM9(#XHq$qH{J%g6v8nSLykA2fh7=_llgMsr4TvOPe_h$m?BymM#w&ozr2T+)1x5 zMHIfyACNzt-RT{5ywqxi&KTTu?4kM%3#NFDrra4o1m!q}Q!S-|iams4&U_Kkjnl@B zLN%H9?g$letEW=$tEYCd{Xj;LTbg@wR6IY&)0bNR?e9$J95XuX^84}g^9_n($w^An zyN6qeGLC;MOPJF5lS&VN{#DQAVBb`OJ3h-Z6_7${-y#yQ*B_cZWgB${cWxk#Rid;b zqcxH8uo@M^VMc%0?vh~XqS{Q$#BqeErw+&x06Ja2_s7=?8JV!Hp;U=f82d&~j4r}T zyZW0oRL~s>g}?COSV59$z;Ca-l5yjr$N<2qox<=<6ITK-ed ze_4R$DUTdiKKDy}lCWT*-4o7P`Xn?-SRWR)E%dZ=Je(@BFtsuhFts~mj^z`xMO0KI z=E7kCl_hR?s;*Ri?oJfw5KYtG@{khEe4^Ls$sjlaZ9u zQWEr#tew`{IFSDl1b=jKC^DnQAP7JxIc2tp24JH#QQQA1@u+3zem=bLhSBdO^NZ*% zvP5qu>RR;U&NWQkdAD#68z3ymf|idPoO~9zP(1DHU(Av91qNRAW}XyhCd5qc|K2{_4ttZl>BbPx4U2UY3_cPaLo>y0XBy zsPM)6?0;)9hy2CHAXnH3U&Z2_nB zw}{)jkiG%BizvFh+`M2!l?zlz02FXafQ~*<#dB)&Vg>ZUN_aY-KEt>>m!~pI_xNdh zDUkM=bv2Pb`6rq3gn*U4Ktcw;pv9tVK=`}W;=%!qDtIza@H8(C4ISR_i&0>-I@o{J z8zih8#2eIzsp`V5j%FBM+Od-7=13ZUs}s2Kfn(0FWOh%wNt-79852-g!y9Qw?8ie{ zqgjM$JKw9|hKqm3X$+PZOzSHe$2v_<9q92|D0a#*{}xOtA9m&z=%Jh}9vHkYQa-Z0 zfgyD#>L_MX`dD{D&_Xd9WF4qc^#%#wmj4JJG&nDSW4r~$$WMsx^v>0#+tOkn9H6GK zt>fP(bd%eGgstL_$;n~jz@c)Znzfx|k8`6@nbxCJ+uJoWu81nwB~ev=_06@6_Ahq6 zFCX7zYVX*QMgI5>U@fehEC~rx2;=S-f669L2}JToF>a^dI+WFyd{6+_I*j7{ilLY{ z^+P@uBmOEvtcGn(uJvrKHHi0rA*t(xS&)BN5G)`f=wE({ikXxO!$qrG2j1{67jq$; 
z%B8>^OM_sekFkX1zKq*#JwIk0YwO5UF@w>`fO^J*{Xlm3YBBN51+OGV*OShQ7Q5x* zFJiSCM!!^jbnsiyVqWh?hAK^Iy37UB>M{aHIZrlw8JH$lA|+8^(ypH$g3mOhkRFc> z?CH`V;MAb%nG^ljC(86723%Gc^^){)seT-I@)xM8&I&8|eHV3^$S3u_8t-OJvTGNs6ioc!uxpg==)w~yEKD|9q>h( z&XgWrS}*x6vgl2AOC5pN1y-9**{DRQ_fkjWo>e~`b3zlX|4Z$c52uJOw> zdwiKuQ2Lm(AV#X`FAz`5Lc!fz*yJ5WmP`*xwQ7kgF!qBe40m6@2oemNwYR=frH*;W zk_S=6#w2ef7ul$;p^J@bHciS}vO=O^jIS)TUX6E-Kl|{mHNLAl_8=2|EMi)%ncTVlMgv)I2 zN0tX~vVI9VWfv3y)XZc&15f-SKSTVgk}&|=yf1KC>l2J$vRie;iU{&k>mt&_!Tth7 zq9Z83AUvEvOw`)HIL;HZdhoa%b*>wZOt(97TI>+_LWs2m8)s+)L)^upblY#|iQgZX z+EK8bG6b467!@DfU0s9n##F$eeFJV3*5vw?+9u2Bs@|v8_xXuusfp&inZMIX8@5m% zkzSzt^po9w@mPN z3=+IlV#z;k*2ceO8&v^6IC}lmj%FIT+xQ^v8Eemw=3s%;_bcbKQM2`mrnO1&WFa%8 z8#MwAd76t-_VUonld`NhOf4Du@(G?mjxc zo9(rP6ELF%aN2O+EbXmUmF!(Y4T1vykuRl-1Wz9do~!>w(r{DEh&atkWtw)RiJH77pF!uh@cboQbUXs8%sCnY4+Ec=M)K zM4^JmuOZ|JE`HWrJ)=Sof)E<^zfi}pEsh(wRowVF)qvq7LF!n^n@G?4FSu(c(j<|! zae;a9KaDu7BhqL`3oJ*UAf;t`YQ>yZx96&>i@I~CaXvr14lg>-WF}T!KB1{>O&Z9( z4=DFz;vm1#=x7~SRZVY?S%g?&$qSgS97tE{Qd7^Sp7IE5cl2@cK^z>@XNE$nMQQ*j zT&8)u+Uab~$3zT}8rX1x3+Fvj0IV7d7`p9G7|nGZZf>NnUli5N!M>mI;>GKe7`|xL zu5~R-y1Kyj3s(iP(m!$6{V_U=@`K#yYW(L>zKY}upA;6u9nPp?*o7<5z(M0Ovti$~ z+L&>E@EK2-L8x&MxyiYXDe5H;4Hd%ttHNBSN49}W_W+vAzeHEq)ggp-DsP*~0$KRp zQ{HEeGvtaoCJrse-1eu}Zw4DSQ@L-g$!(<7K15UlKIG?i=5Unh3z(^4W!%nV!$7j# z7hE3+4$QV-CP<#)pEeQb`~g(lg73do+{2Qh!yM$Z%oY^tvX#WjNK}RdXVMl>+A6-k zTlTJT({zL|T5X9h#P2s7t5B`gn|E%kH>Vj`{)W$gK#Bp#_2jfvf^46))2Kt2Yi9fj zdd#gB{tv?+J9Jk^RS;Y{b)t`sD7#iyPn!t-L^0}{s)tk;fihrQ#b@zKsUkh_h+pP# z3$)XR^O@+Y1^BGB^V7zzIwESF7D{m@RFzm0UQ-u8#TN~fDUk>M* z9rE~aW+p)IJA8Z{Px9Vl}FTlNm;L}m2M^$T%vR-0 zT3q=hdc>8f+UE|Zex?0fm{MtZFmyzGRlW4GcB)V{RO7dd&zb(wF;wPpm3`fWs~#7O@nQIJMg%|<>0eeN`QK1iQ|d6hf;ifTfg(&Y3${BJn)Z@fqvxJ$?> zT2_v5@x(TdNi$+~P`IeYvm-dD&1B51uUerPCNu1r&&8sHR1I|89Lw`OS@czIx3Ken zA~)yA$olr`;zSwq-_7S8A!Jf;!W);Rw$?0yc0AYCEfeYw7LY(Qt%SR~)Hlzg&W5B% z`>DiRmYIH7t{ioc15!v#PEpqbD_J5Ls zM#C?O8)9N2ivOIarK`&mPZB#ec)T^4!;7(CNHnlzo8dYDv_M#VjL@D$qM$me+T;OV 
zk~-f%&ml@F-~Wy((8sESXT0%t*@)`dAF8n9B%}cwysCCY$&-XND&(()(y1ms`ukH; ztmQyMejG?r>cwb#2cYS;0>I0|1Z?9*?*EAJzl**Q;tE}`5DC}yk|NnBn^J+KreXg% z94AY`kRtu8_1G-P#kK{G1g9#6+W&Ze9hcsI-owt!#u|9`*9S-Xd1)d^I?cHviGV_p zT%J+ztFtBFa$yo@j^ZMzPq^l#ixGA`5@L=h&JEC!n|G6LJQ`7kZcmkp>F@t;&8Z6N zXf!9c-t*+&yMA^mxD^*%ie}zsTF)b%8eH(kLSFT=c3D33?2^c&4d(i>7Wq;>tV(& zc#Wo#+yxDi2Z1qHe7h9rJNGi{b%E1puKV=bKla#u782Z=?KPr^8k{q`1`j1|1x>0=hwS@Ww?nBoM5ygV)*k>HSg5tj9aR^>oV@sfan{?mu% z4P2Ov{o|hex_Pp%InfzSh8w5bz;Kv9$KN=4MIGi64SE3Oj2M4Ymw5j7BwHFuT_w=UQM8N~y!{vVSCvGTrNuU|IyV%HeB(>P%LV>^Kjuiz)UQsxO z7rZ;!bN?R796^59@5k$mHzT2`$t1>js`6zEi6h^u=nJD{1oL&VJ(mr0U07)J!Y=wQ zr7pgmA0BX^aw1tk>HloL5x{JFaIoM;oc!-MPR0TFZLGN#35oO(efbF zcb5(Ks|eU^a3N?>AKncj*!#w{kdSB_5>zMnk2{d&`MVSx+(6TmAEmzvi6nS`l=$Nwzl?G{m~&=9or_f9RRxjdivyRiHuUf#G9ibZL>36qD*ZmixaXm!-(Ky<66pJ* zZ$RRDP(MnZQ$4n)ig-l|jhO6+A-RVs8u3P~Wb9<6R#4PJqt) z8t$Iq#O5sg1N`R~duW)#=2Mlm#9TA(JuiI?7aI2XNoLm zkA_D_Z7}bHa~}WVj|paB@17Z|%klq^&P2*Lb&r$K1}t4cCjh~o|j5Yw5= z(?%l0UB)>b9yk2K4Gc<<`pnJ7_p!QK>F3!^d1RXj@WSy%G}X!7J;+fh*ryEm#+8vGotY?v>W_Scll#kCtv z$piKDic_a>%~`m9j^@ITrN)(5CjaF=iz#B3qSf*~_8{_#@R!~FoN)M^SN5QfOct=_ zWu#17FR1vu3eql5>WzhPx~T0vg>bA}jv9xC@#zbLYsAlt_rwMZXlW`#`EOT-8qe6a zL5H=|jkj%uQdnD^_j{KA&U>UY8mf$6gxxss^&mLFv!SaAw{l^_9-H6 z$l1zR389@I;4+Ycinfucj^tdbj)l?OW{#O}j!JSa&1jYB=tEj`;(cITvM#U_=O51j z^d=@gxvF?hf6(B4?12T7t}%F$aze95(qW}U(EJuTknn+OkW2({4qf@@OaXnP6i28~)77Zm$bH1sm`P1EY=jZ0>j~A8`Vst};9n^mJ z^y^|}OwDJGt!KAu5@qcik`jLR%-BLB43K&I2%cD(p7-ry@YAj0=4#~4a(>|HctZAg zuf<^S+5A#d`(QHJ#6h!O%fo|{w}jIF+O{uAcNZGpoa1fOyRme)aPq#i%74B#?Q-(O zdgL;f$41z*72XSY;`BA1EA(yjcnOMUu%%6lhcyn*0X#wD3_K68q_#l79Bwv0(ry&0(XRXo!i+#RG zv9g;hL*9d{+Na@4%i5NeHqjYH_UyJ53;e7-l^ZQzjh19s)4tQEXG7L(IrsJk#I}e} zf@JN#`_PMs|HhhmwDBeUAdVW@J}IzxBGYKX5=$o#0RBdOXSpFcH|W&mg#7G15Y<;t zX~R!A)Qr#9iu1H@e2xumN8YUPexv0`GNNmig3c7%`7i%Av^PHFJ|^vCX9EeaG~Lt? 
zIm+42X5$(U&`Ls^?+Eq)Ife1+-8RH|__H zTp=o?GGa7{d#bntj6!5=RFiA2_O6eZMT*p#=bDKI;hQ#fHI1w-~T2caiDcMGV*f^X!t;m3bPb;g*+ z*Ew<7SR^6$vp)SM7H?T*OC7B3Y?!nUi&om*frzGWvHu#ys1Wmndl763|q2Y1#>t#6R?z)1~=kA)tb( zt0D3pmg+`sS15I3A*?K^_5+=-T-uK~jOUt7Dm`HKPgY5H3K9j8@QEC5`||Lm=K-W+ z#bUxEl8aM?>jPenv(q;!;HOL$qtVE#^9^g{>6(<*^HekQB+`w9IqazXI|8rHzhNx& zbji}WGYV_36Xy7}v*%hR^2>bMYa7rjl3HGJF_fABuxsZU+)Foo!e~|*tZAE9GbUYO z(r%a2_CPGfqJ*y&q*bhKpCmbL9?|PB3-xT-yn{Lo*AD=4pf|m*4V-JzsAE z#tHVPZqmSg8cT9x%ayqXXA)G!0d00ekZ^3v?e-V1*&?1*Im&7MKwj$v)qWEg7bWs< zLG%)1MCyh>0kYweH#RYoOiGUT_nm%G^hVL0ehcqZjB|)r?9JhQAaGi7%>K~w>yI2m z(viTq%8_H7{aj-*;E3AETpr-MHCXmf!tJ zDAfWoa-US3RaV=RDA31$WN%I74YE`2L{Hh$B;#D({kJz+^IucjB1z^~Rs#mmH)> zht;T%G?riS9A-cn{QiCks}fL{1D-;1vLy_%sVFbDS7#O!Hu@+qJKd(~Vicpdw-Oyl zln|R1%yNWne4t*l`RzoWF5T8xWpmx`*t1{e-;@4wH&3w%bv&**QCh)xXLS$6sFwe# zPyWlTG<_Zvw;^M&c`W)~>HHjZ-cc?GkCSS0pR8}Kb6o-nyLQRgeX{GiN4C?+x5NQV zX!3i~IeU}5%<$XMD{43iro18rcP^RmpnnZmnUdCGLrL=g`tBmK6wCc!+;J!`!UQX?mD|pbN%Z=%@nPxmzrkKR9(&U`e(U&T)Irb>n(~CrCt{P zyOX|a9qGtKognK+(Yn@aeBZPhi+Zx{;2jd zV*y=Ie}Y%slNorIAE+v2jSpDw?m%tOMasu;OLu4(=-onWsV6p2elRV|jgS0KQ@eMx zz=@r0^I#RH2jL{Xde*3RGW?8q@1pu-0Occ4I6r>4UN_4otN56BMp?FThU>D zhO3EpN|mktPG_PNbdIhTy?xntb@__Zxy3`%VNQR-B{VZK@^i}&+Z!Q;AN`38ltKq4 zWz*upa_J(nor=jUl(c@3YW=~xqylCsEE+Wf%US0n+QbwX~N6zPqtpTXjzF{q~p$j%*^Eq zVeQ)NIEv7w;pwjQ!RcQ!>hs-leAIFH^z&lx6W#CQbY;s)o4wQQqKwWWrzJ>yK+s&x4kG`1B&)(P947%3-s=IQEXIM%*eDxz4Fg*j74adm8O& zAI>IcxrDztj_Qb{DNkbw6LlII?vJ3q<-Y2HKWDumiz~iT$*Mc=V^W`JE>>q?^?FTn zOr=sv&-o4OH0o=Zm4zp`sgdAYKQ=NTgt#Xo&2xES(TmkY+rjthVrtQN@anuwfByq1 zul08*^?vNt?sWVTN>7imN$9}Hb>DB?SlI~b!M`OtVR!v!`70NDv^v5|wvm!gN=lK8 zJw5d7{l`B^J8EKqp_I=)n6CWrV7d=e|;UB_vZW$E=h0y z$z|@8XUBA3v&%`gw9&?IvmKMUVu4+ove_}A-dU-nl7X0tN|FFD17C2CNIo3zx}xzs~X zqWaK>AMF>@K7X42i6twlJs+d4ORRUlJlv7%T#r;PbDS4nAI$!hyfv<8^%J`BPxhjy z1kKUdh{Py=skSvC&8z1wv0md6>1aAh!+CcFmD(>#uReXN=z6|bo$WbU<)p>7SycA} zx-%s|wuMk)luv$9rk`11HYr8?JDDjYjxEk=d?uJw;nTFG(7FAQ?K*MCv|U>vt*n`^ zrHG?yB9~1VxQB+0!WUPSD1xL`SrXW(J+A^;Qn<9dDuzYNjCwvKiXb@eto)9N 
zy)2}s#=ljOQn*r>xjkbg+4W#=e-h7qbH7*<6^qkYpj}ro?q(^dVZDd zys)UPpS`$}(4-(G4X?i`fUYAn>YUdZqfMj&<%}{|kXNgJ(wWF{HPv_A*EuxFdc4nv zPp63G`gcS&587N3iF%T#vjt9rhmDet`J!>GuW`x~m?g;8rj@STIs>9VX8xp@jeWdi zGN`#og!!kR-Ea+j=S=Z_M?ZY3-qvCK8hh%Sm&eO#vrk)lGB31j5}*3qyKei9fMYRc zw#_V2wt74jr_nM^*#y~UZ}H8IyX#HExKXw!^P8Y=*@DWTa$YKq@ypR z1h|Z5wh|v-E7m#f&@vybEzYQ59h1*7hM!nX_T(`a(3gFGPt0C)?#|dGu(o<|D!m)g zc4J#sz-3#qRWr(F&3W#&_29fCyD5sj6BWRBd zc;EDL1dd{aH^Q?i#c{55s4=gw;BS8Mp6uDXNG}UK3R-IK!^EqFue05gdY-gQJEz01 z6#|5~q5>5@Y3?z-)}|0t&Xc8;4_sJX{uNPC;?eVtWGV73?{U90zI=2zdPYyeB08kH zE!gRA*}T`vr~U%Yn3tbjmiK~F>4mY~@rP=+l4qP0--1<0NguPp!=M78j_ z^2f+F`dE*KWF0AcDbq}kN0W>c{rxVl-`&UAl1ssa5HBwOj;l-xvz0kt#5YJtC-!Jq za74WqeQNb@Od4(0AFw_-Dn($~fGeT#?QhTelWH?zTGe(^Y~;L;L9>5L)2qQ%B4-_@ zStL0_>ZEf-zGCB3PO@(gJ(Z1uCFkh}a~Z4`9J~idbuKw-Lv}0<>DZ!4*Wub}ZmX|M zB)6&tc{z*6Y-!AltuFoS2n-6*WSFGJm( zO;9?2lah{a;N>>^^1*Q6shNM7xP8FolU^82KYc`#qd_Gp9XRY5zxjg-<_p{OUs9C2 z@o%}EK+VTB@wI;MCq)J-h6QN@cx7uM=i&WsGJZwTzwtL*v6Z&p%}hc&sj^@uvjM(i=rs=j&hF>Rg8H z;7|h1b^h2+JrE6XzDW^cW=PpjXfpNXl00aUhgK3s>~ecMVH#N`Tfcs$ zXm?XNZs%Xe^JJ7Rzo4eZ%*@l%4pb?5!fVcCmI(Q90@fY{p}sgYmg>lLhEXyDNxNw> z${%$0-|K?L`L}UpL%73=+^K-`j&|*4(XXk>ejsPk;}FxII-zc=o37=pYvu#%j?%p@ zay`HxvU34a+41a6S3^2&A?%GByHpXyPKo%!L1-+)2^*pjNU&(}-+Xr{QN;bz_B+mK zCdD`~QXwjxX+c;zu>SgFawn;99bGXP?FF@bo7H#-J61p9ww_r}*5qhyu&AKJzs?JI z5Ei>gd#1_Fd@Mhq)O&vPo5>Z5+8#6CqL=2l}LdZ3qE#Nrc0&78C6vUH1YNi22|DWdv(&ii&FM0ZnvJJ)u{hLhoGF7ptrC1!^` zWYT^8{{0pCdn~i{kw?$R1=(UVV}J=GvP9B!7C^n|5{Ji)m97fZ&wU2ea2z4wVQF@6_`$j@ZLjSiOo*X04a@*FY<0~68>ngS~e!WU~< z)(cV)slRBt%vCH%5qASIf&q)tF+$tEhru4q+p?HU$gGi zpv>r%FL%@B^zKyq@44PG9>S+nAck&zmkH0W7~ikVI%x0Yk3Onh%55Qwq!XfrIaMBd z0BpjVGh5IW>jiL}9V5%?=}*?*+MDaPt0p&)S>SGKjSX>>D>HxlOc+xQGhrlgL_zf2 zh(xg^;^UApc~DO>(LG1y0RoBD36u0#YLMd|`sHlHH&3{lgSgH`_tGjkUZG1i)feJ0 zLJFxlz@}gXFsIaH#{|;};?|dKwq8Id)^-E6ym%hF1xZ(sBTu~neW_eDyKnp zXW*a3du7L}*;{?xred^%3T#+|B7~DGZIIg(i2E;R22t4?=Xi!vBW7Yl-;r#D*9bG| zgdSx6d31_aPAnYS8-O%r6vA3%J6N*%WkbZ(pGv8aR 
zUXIhMb3_Z6R(A!yXN4NDY<}7RMypQK(?+r%%mpQ%qYb&)Vh11Tp4xiusg6H6JHK?x zFiD}~9vM0B>fYCR>||!KTOPrTXf1!t#4NYFsnI{$`G*PdYM4QQ;WyVkN-{#nVYl~v z9p)Os36{WH^{&C7knn54I{_UKzLI@NK{UCI9zV6(U6*031rE~E3U6?O_5!19%81i+ zAfrykrh`b`G1^aj!YTRlI}Aqs8AexTlRaJF>w(6mu3i2UIj;gAf14XQVHh-p(qIU4 zD4JMfr;}Rb8I#-j+IMfDkN1MFC3Y>FhD!1^q9fy|Dd1^N`M)G};l&=8)A-(!pueE$ zH2O{lCUqAQ)%rb{YGg2h!%(~S8DBmI`kQMwcJv;jGo$N<-mFjJ$dLzB|Iwp#7c{MC z3!q}0ZbS>%GDu1&12Q2?zL9GZ6HONz%p~c89r~>a?HVr;NP?pdTRMbVMzFNtLMm`A z6#ANdF{jP%*_?$VZff$i^o=q6qE~|{jtuU0MkMpuq*)-AdR}x1?bb)vFtl%AnB`J$ zP)k6uu&6ysxL{+NCX^<&7=bS!m{t$YD-?Ck4>Gm8B^9gmOoz88tDQLwfZc2F&Tt9$uD_v?)smG?V=6PVC(yBQG%c(aAt1n-R`uXJ!-ex?+tTpsq+e61_Pe zvA(X^BSRD|rljL}UR@4^pDFCVuG%%#-o3H zc-nN^;7<2(0V%X9HUT<1S~j^UJ^ss{ukb&Auq_c6a~&iPvb($1=FnW6Mo_rjBGL9d ze~e?@<8_-qwk4(h6h?Hp4eYMey=aPjYVF;!UN&o?kDw8@BLJ5%PZQSij5{mE{$?V1 zB%kWm1(#&B-HSJo{PjWT0sOs2VRL$2tB+y87sU-uZqa^`Q*9F#eN!bhl(goEQkF=m ze5W}{{-38lqzK;B`Sa>BvNuZirxPDM3R)F&Qxd(mG{6*(`tcA z=jeC%pvzm-!cSjGYcr=%Efq?hn2j|WDX$G~g%mBa+9ZDEpo6RHJ$~<5R_YunwR*fk z|D|bl$wkNP)!_X3i}l|9RB98~YRMOLJZ~Ajdh9H;-+LKMd1$|PJ2>hsw$42je%;S? 
zJUm+S6Uk=1mcA1~vXUcs;nZBYyC)r<#H+SwZnR=9#4|5rZ(5xc=<$xEp=gjnrA(6e zq0J!-qnUg|S(t)QNqBJzNc`XgQ{*_ew#qK4`*DF#kDI*2U*nD-MDjd?^DbGG{*0$C&(t@PGF3} zj^%BMd|SpJqh?}Xg`drmE97sRmvW^N6aowQ;VmVF8Os<(90JN84^~<51h<=RZ~A`j z^)r{eYtJLJ*|8`n4a}#W2~HGFbcDyi6B7Kp`)|kamiMc}e=^4%EbtB_sCVH7^WVBfq5s3I8{@Gf2U?~>d@qa z5knxKca;VF4qT06^vCgb^5R>m7%ab8EXxxU(0tg!kM-}N+fd&ij>up0ef5Gn ze!ipZNH!!l>h~MmZ3;@b^_uMaV*ktwMX zH`fxV&9r)%$HaZrOb-i_GH1D6`!U8v4V#&sbiG^K>RXHx#IbPoR!t<4Ba)kSKUiwQ zd?yBbwOH4qef{S;k8X-WuW~%~hz@;8eZ}%fH_bPNt~-u<4e{Y!@}ag1D{fM~1X9HW zv4vsg%BdP{GIAuYb$og6&+UFvFv$em+vn&LESgcw6CACdCMJhSBJp18LBwW0UK?97 z3RNjC=zm_=!i>hsr)f7<8f7rl6OE29(mjLItc^kRpGKznYSZ8eo_k>v@(B7BLE$o- zFD-6hlydK37@{$x(%JzP{EX@->Dni;{YyH?Gv6(6{jpFxIo|DOQb7%ltzASqnVN| zYbI%DW?BH%zaX8L&QJD%!7Pf+jRivTs6{S1_P_CL zaqJ`eB4E^cziSO9Eq~je=iqi8m9E3NRNUX&RjgR#nak5?cRum}dlR>z&T%W|5Q`vm z1t$;(OU~7>OKA=_y)bJG4=Y;W*LSJ6k8@J&zY1mK?I)~Fd|I^SU}m)|S!j8I)%hmH z&J3oRn;>c^Wfan``1A~((N#<)X(RTKu;xc@BDAbU&wlia1ncS}BqLePDm&|q4#z9m0D`Ob%{Snc`apQ$WUM+7>C zj{f;PuUkxQA+Miw-cy}l8uu6acF(C(ddkF#TaORuAk2P6uLnKMJt>@AS#T6-8+12h zLVteADQ&CJ9z7eK8mCj}_c30#xHmGL^XSxr!b@aaH)xGZj?LSjJ?K{Ywj;JJzN7$3 zW})f&gi8t?0*OY|VWd5zwY45n`V7|>f8VF4Q)D~)ymH*>9AXzY+~w)UMv}%Nor)yG z%wZEA9i_KByZP!(dVZ;JZO;Cf!l1E@eOdFFcA&!kVvxea-SWBK{b9FpuX8)|?izj> z1-sMA@ki~diBA09qQ`;{Kmr7giaJuCd*b*(hF0B0Rf&(FQwdv#2jSE!pZ4bot88Y3 zD2{<}Vb=g4dBFZ8qXO}k`*ZD6- zJ3T(@A|*ytn_hl64+Rw3(!D%@rIhyVf)?7 z^#*(cne%{y0|quk_M_Tv)G@^ZDn6F~ys@5Jv%SsuOLRU|#?AP>FoFt6JL0F6yJg`><-=4vU|uYh`GmI=4n z-=e-ohK(&Xospzn7DXPVChjpbMB?||-srjB>!JhRCyuCbr2+fB#8=e?`%!y`y?0#$ z>_V)Nd#5Z%iec4H)`Vh$nhFw$HWCrxGeby%8yL*{{+OB+H0!8_^jXrz2BR>AAA$FE zxFUp1kO4DPK|_03?4c^w4UgHEuDL)}$EXLCYfR^77wrPEA*!SXy4VIuct_<=ezGN{ zr<+J<=MG-TwicVr8jluc8t-k=_MAhA>U^uRRld2RFOUFbKDSMuP=Xd4m69z~y5tJ} z%-%TkT+;#aX{wjKY3oLg9r6Y5M37@%V{FM8<81puoFI>O=>45{#N!!WOU3?nN4i+v z@>ys5JYmK0g2(+NLq9|4*w~%C>T345<8fkBm+Zx;$Q09+*P7!K-&KE@i*M;yFZM(< z;hIhkl-RcvcMViR!08gV?e)hAIbEF2JJI-vwT^zC@)!014%rO=9kR}ULrH{F;5+M6Psp`FLq5g`;s 
z=kydg5L~|$gtG6<;sNQsYhNx_odoJL*M)-~K9Wpb88(v4uv%?H-yOU2#Ua!y7lChr z!(o-z-Cyn#%aTa4_-6jV+Q*9 zT=BN%=A><0oyFa4n(I-NGJLXc_~t5)cK+&u?tI^2X^M^<;guWhKJ=mF<e{r>?8>T8kw=v_A?jet8fQfgOl# zKmOi=wf5?ucUm$3c7?CW4$;woCdqEo7|r!71|J&A74)Sz4$16brQd+O=C2m0pTAzL z(bH9|RFG6d#HY1{wtb}#mrbsCX0al}3hRyPli ztVZLw`2)7MnJrhalrD>Pz+~g~@Cd|f?W~gYu(K%-qi>Edy*N{CF9`CZ>puIGw(b@U z%+&tyek>)tWG+0NHuR~OIi8H&LWG8CJUlO8ugr(4cCK1+Eq}N1vWOYS5Uc4gDkP*R z_#5IW{`GqQS?NZP$oQI!n~u&ml$d_+NFeM+({^2yJJKaH-nX8sKMP71qlql-vWIh#%WBm%QJvDmCF0dP7@41%bUebp8^pF@V#}1 zBa#auL~b7s1iDR$U^KlF=z2wF#PNlz_7-Ta4v6EvH;fQ3V#-`5qZky-prGdV=F%9* zrcMa6{!eU%*z8ONK0{5UHt?sNvs&toNmms=s7bm8yHixNfL+bdmeG?r2EsYrK#y3Nfy0D- ze1lv3`g-;6z#e|jRONcMA?agj#Ceti5_8sf=5fQsAeeU}LJ@)3@Q5NbdWT4=zZjkX zLd2d5Ojnw&wE%{big5^}&6-#OO4|V%M@`7eBk)MW^fu}m9H<}OJO1kMhx7=4v*PWs z#*2a2p2)_Q7j#hTY?U*6uI39A09u7a3S?F@okftU?Jl zerbbXH8JLM2N3AK+sW2C^dST`quU+b^5DFEJ{+IpFK0%H z=Ml(ub>aS76W4~&9L*Qn@6EL+;8WTM_kx06JG4Gz>IS@(O-Lb{!_q)tALjp#07(bg zKwPgYmUR$o)%a374w)BxAv>SX=znScBy23VP6g4X@{+vy(IA4R-~1`u^={__W}mu- z?l)bC+jB+dX2LfAhjBe5S)buZw+osQ^KJo_*8No$?0pxzj3P8NtNK8L?N~}cV5BdO z2ohWL^*~(w8XmYO-hxBmB<2d!TN|F@BIbxwN*}>6d(OW2Ag~MVJye;Z19K$t7ZN*) z-WRHTpCZQK$OGCjn8Cm|zw)S-jOIJdcUrZescC)4mX;UoK=Ivd^lTHsWbu1pR=dLT zfSJC1u`mE55w6BnHDxc$l-yQQ7u2i5V)I%1u&SHK4-5VOm?-`5FiHGy1F`E$?fuxG zzXeTsM(1Q3*YXvvk*%3GBRqTqnv--=yi(kR^polMB1aJx#d2}~5D70Q6q>^whzcGL zNUu4!zrssz&(SN571R5W98`0J)2CU2YTo!DaP5WXrvI`8g{o;j$43^SI|Zq@i_3TE z{6zo!6{~&Dl+WOyf_274>4h#PYjyda?2YlRP!W*B3*4G2ftt=jMVj>&8bINpi)5=XcLbuzR7VGu)!} zm}-K*Xizbf!BLFy+*B9a&O_b&Z4kc>atzDLhtH#trjte1}4YqypHgR30;ynppEonNQg4DI9A0X$3Ijzwz>HC=ci^Ug%0 zv0O%&06j8t2zEUSM_$=B$=lqU$oY|ACRoJLyd>`s}SnMFCoz8OJzMf?d+Ny(X zrljyp4uaAnJr;hWKNI(-@p|sMm87=Ps5;Jv>Q%q{`&A5&kdyE^A?Ivd%iKrtj;Bnx zgo62T1&{1S?@>M@UoHDfHCo)oWk(mzMLcCPNO0Yq^|ndg&jS@C8iTVKGCKH$kg4vV z%>0d~QgxkpYY6nX%|K^EqWW8Rcty97v81|4goMrqpM6WX=}&4XLdO93|J~ohwyVvc zS$5rKNcez%V6b>j;P)`fAM(*e-vBpv==_3y{b#3)TCLP!;3p-}&>uLdxL$rEUH_fm z{C7P7m02$sSNg<0VN^kFu13B?48;z?F!b0P)P_*x(i&2FY2LfNe`sfs1R#(@W`w*m z?%K 
zmEAxE<5|`Uek>Zr(vza$l!>;u@5ldQlIhQ^+N<~Y*&3wt+E`6pG1($~Byel~=$84x z0;TG!{nEH9&epGlSYLAS+u(0xzj3r0;c7B%X+yrSGxhO5*k3f_pcp#9Z!7EOdQY4U zm(ut$r&zUW-uvg_Ho3~z? zJJU5E9qfQ+33qSKN&b@zLr94ca~JJqDEZOLOb0rjtUD;bow$O?>6?|KFr+C!;fea&{Ido^;>NW;)pYl=;2T2Uqr_IAmdB3qn_i9Iv@;oc?>|3OSX2*NMS}b{ zc$q&z%U;jIds5Q-s6;(#v_WE_tQDKNduyV6TG1SYOL{n6_ViC3=FttOqwPs`z<FBTm)7Q?P!|OE{ z@aahuJa&2%y{l4czGLuwf=XmI{Ka1eGiVIcJ1};P-EaLMZiLhihHD(U?st&ov zz%39Vw+>hW=>mI5J9<{~67&S%$2f4J>mt1eh+ugIrJZC$i74~@LPqqt%NY0&W#Au$=z?Xi9CpKq393TwREcc z_ltIrJ}?IDg@gZCV4}?cL&Xl>$S+*N=*Aa7?M0%=Y;*yIWXM3Y*-nay?gMhk!QpVV zG}jeUf!nLYY_NvHnzI?!qF=j_m!D$C_3<~X7Bm{CKMjCCWe53GO%822hbbqMzjCbEc^Huq3Hc8Tp94NtL>-%zoD>tN$KR)ES>kh3^wyXAU3g<(Uv7G zkTOtC>;bLBb>tmn7<#vl0^-^cOn5da$_FE=iUJb%Fz2)5b?qVDrCn6aXa}6@Nrd!! zHO@Pj!S!{Ywl~z2_YiYFm`mU=6K&IUJ=P=1%S?+2f!dy1f!Ra>FP|3O21S<@^Ctg` zaf3^}1n_bu9;u1)`|Se;WS!?HWB{l@%3qxB?n3V%AB*}PlAD+4JC>w=_H8xqG|Nd< ztA77kg17SlUg8qQcSDAcz|M@h+-=gMa$O>*-74$VPD1aP0SzX;YAZ*u$E4Qfj1Ktt zXF+JXW?wgY?aoGDwohT$e>dWxzJQ^BIT?kV$kBkr@{lZhEU3pe*@NSE%_yE4-yK7r zZ4xMEpS!+M1iFV+wvuE~7aIylpjx_K=f;VGPI)-#0uCQjeP2$!Q`Z^QxjioSjzuRM ztn-7c5(WYw|NLGxe+6qCbe7pgJqrA zsY{y=9hRfII=e6Y>Rwmlz2mgdt<=74<=4zL5n7)qT}ieF_e@8tXQi_lH#~rl&o9j@ zlo&34rbX90fd_G7^uFD!)h@sLO|Sp{Pzi&dN0l)*HS+QGKehZC@|zv>E*&66)!9-qG76Bz;yK7QbIk+_U}* zKZf^RhlTsCo9Acf`lMKuPJ?@);ylYwU0RbF5p7B z#QRr)irP;RH78uPYd-ImZae_g;GbF|4W)!ooE`ebnu(Wqmg`xJcjetpFd&3!Ar zXELXj8c!kA;o7)-uW=d~ymm-Gyb zS5->Vb*Ir9Kk-+_k7E6Tx9`+?PRDjx<3&Z^(+Xw(V6RmIf#!t;WTf_^E@zoXKRScz zw9Q^FKA*Y_3}g@5q_+VjQrTCC|_eCoWK3`tiO$tRtDLcd}I&qqU+BUmr$ z9AMnztZLgEt$cdf$wymLQr51n->z2NnFX47)VAoEk4@Qeh*{%$9Ef|qcmLf>thW6^ zQ7VscZjibSE8EFPVvT8O5UMG0!uk|t!}vRvuPOC8;$J~A4(8j|xdd+a$a-qh7v4Af zkJcx$3%O!^bh%B$Dz_e!zC9#ni}P+0kWpJ3>sz+~2NTN;cINL9y%|a)rb_X#-)ms> z{sE8>gBZ*~kH)Ecf3~B#%iVKckn)y(bSIFK(|wluPwkCUjA_d^hM`JB^2EoaFe`KS z`OB=20+=5rM}MI(spXu!xK`f^`DJ=ezR-L;@lb>|QFN)vRyp+U(wD8I&2FVH&=A5; z+RAKhmK9o*6JCYJCh`x80bH(7eV37Ghx6swS7cg1WQ%I@RB25oTV#-;mZFzk7ySIw 
z&|Nbd6LnDV#z+i}{6U{j@BtDs__rdzb?xNiUNA3FY?U{+?GTW-NfzMouD?d!4iSs6j8Kqbn^ zOfl_S533RP?^a9m+#xsPeV1c>tkQ)v=^lJc*fzux=+hhWYhwAwvCGVQddJJGC($Bh z*X7i9r{<=%-J`eAw#6fyWzxcM70=`!ZXDiQ#h(&6cbF zX;B=~mmE;b`th95gbj&|XRzPQCp2#GOk|Jhvy}9Q}atakvN?#Vad!>NV3R{#=#@INR0T(kI&ipJs z1_MisLVvYx#)xb+!8YX8vq|ae)`z;+PjJISNLIgQdMBkQfw2ob+{zYD*u?$(dq$nv z6t?{*AAvPJg`A#Ed%8|aM``_V7JAtf?Vk!}rlOh)=nh+8DfD!bTNAJ3gj@(PXUmI3cvOM_}YIfdgALv=0aK4hKx+xtvSQqT} ztD%QnO2Xhk&c5TGt68*5>41la#P`3Z*X;the9$Z>B~o00NC6e^N8PV7{qA9EY5(hl zX@|%=j7&VktuXUm7~^w0X0B+WSKg?~xiA-X)B7EZZImtWR8LK5Bsbjv#v1;H5>6!O z{ywOmr^ft(Umz*|0<>(029C}n7>YYbx=bmC(w-ZT669`2H3 z9__b0-QS!7TPP&9XH~UNfd4}(ER(e!y>xctrt_dNgnx;8SMd@m(f#>ZV4{7Az-(({Bb2#mL zP@hqlRBieiy6dF z!^)1}N60S{;#t4Z*6s+Wu6q=l-qF$1X6$?PD4r_E6(%1d8miWB%64RPa51BPcLdumFvDZ4WAmj?me_ z4_Et(lP&FTG9oN|9xUdAAzKFT%7Pl98-)pdj%pS;ud*2LTmD0@s-v@AB!=KgWoJ6V zT<8+WTA!O(bC}b-+-AY^OatB=m?k0sAYPSGAw^?TwGA+C8Tv&pEw^=W(c-rj#@bk6 zGP*Zg2GXvA-lK#hWY^6(aad z@DF)%bsLa1cUsl~>=vE$-`Gy*Nj*D_qxEIGPkZw|m=1aXjpgZTx_9FgFbS;TqrQ(W6`5aSG zulGlDX=2u(-*^DHJvIC=YV_8+`QnC?q~xc;656BGI)l`yuiG;EdAydw)7IKVE^@h0 znE$>Y4AwoTxLOt47Af`;k353#C|{s~=3K91(9k0^rJGLxB-QK2)RzFeA-3VX)=LJ>hHzu=_-xI%Krp6yk^+$c$7CoS%s^m=MGtNicuT9$ zwFT=r{j!gbT)~=yrNZhNd#OA7qzS>rHa>u=WOrV2b$PZJ-V0t}8}iHbaHZA-Mppju zkG)M=cgHT;iahN$+@rIZ5!Zx_w?ud#Zq5vIy3mnvaM_l504wYO(0~40&RJZ4@YS+@ zzq71|F}dal>e0=BYtO;&64IeDFK-LBVD!Po^o-CJfP#&qO1!ZTPZA_eF_S)fnba`F z8aS5+fJi@n@l_al1;UcfN@CZH5O z{-HqZcm5zd+_rOJyy>PA%>gO{mtePz_odc&xT&`fRlK(Sm#vz`Ff_BE2dx@|Yo!|J z7bsyYeUDbi)9QH{wClO+?!+vBHm%XnqN4EqA>T-Uydwu>GQZ!w1ti|6G+J3fdu6d; zJ*O&Kbaw@6g}FqOK}v?`vtIN9$kTIRvP}l8JCrmU!&sA-r6^~v5`8$Jx-RqgHO;bP zjezB1zmjND*X96y3s&2dCU23p!_Lr*CiKRP6aw2$Qj;3beebJ9>K)cdUvfX+Bj_`^ zHSdez^dV2d8jt@&39MuN=twYWREq2#yC~;g=W5_I@1A$ph6H(O-6Bt z_@-?AhELH8^a9%exN4aKg3}4v0cm_kJ6J_6dah;<7rpp7*}L*5&Np1_0;nO*gk7&l zbe0b2ivhfATAqIm(jMx-Yg%P_biM;tnHGs)L|>q7hkxr}pkGy+_2Heaw$Yo=_rskM z$)|vkzPw#1=)m{d!z4+!=u0sL98xe_Bj6|NTIj5`MStDnV7t)4D=_m5F0P`f1bR0I 
z@ofFLd{YC3*c&e}ufN{-58}5QB>Q{yjS*~9Q(D(96IXwORT*3eTP5=sKuZ7lN#JpE zEcssOGl0?lIzPl2gxgUZT@;JDy4+#nROUx;s(N5<7vX0yUE@iF+(4FaWu&6Oc`SX| zjc-*F4IG*of<1LH{7^Ctc3MnpjhyW-W=n@tSvz4A)gQd!vqiJ^cjO~mkUdwO(e6(TS~Zz&4!}4Z0K^eK0VGX;#S$(lr{oQIOMeO1nnbKvg&#o| zV8m;IMJ(z6vD?A4U&Ggl#w(yJ7Lxy=NvdB_xE+JV!MGmM)SeaON6&FM;XlGa`XHVJ z^7n74;k2(1W60jXH=E$K48Zk2A|3v*&RkG$_b8g^zSXmmatb%k#+q@R_#T#Rw22w=aeT zHw)+*+)qD29=q+`eMzlE_az>4n(bRLA>LZ+hI9(Y-CIyM(VkTbitIDbDhk`9Ed{}F z0aDltOD$zR80-cc+iOXz)+O>KyRPY&uDcaUm{=EvLEoIuF>{;gIVjCn40FxxLpn7H zW-Jp*_yGRPBzP~b3iOR?F}}7C{`Hz?4e@o%3gxx;s+;O%(t>|qwfag#Q1u2DLt1br z>yBYS4fgz+U)xUuCF56;p@fdDFAZV?udN|^Gr!Th4rB&WVL>iGab>H)OMXhW^fY#GGd2#m~@4z5Uv;GSAX4|d@8BO{wT(yQJn4Lii zR~2T+)BjfJs)+NS592=@1|P6VwVPN|Tj|A@!Qx4=0-u2{&GlxuLGl;Qg{#KG2>k0L zdlg-3HETz$FZB|sKwi=W?~!AKami)B_s!zWz+Ym65`C4A_N%NP(K+`(Up!(K)^din z8GcN%eEI_I61m^){XX6PeQ|g;67{|Y+O>$X#4fEs9r&!DDUGBz0wfg+I6Q+=oIKP>^)X}02 zWtnjS4>nyAJ*Hg#oO!Y?(?)uEp9^hGE5rMdqZt3V_cbXEMlrnqAy%oQ^l49&Yb%5p z&*0vnir(L^FY<$5dL8M3Qz(8$((d+5Q3}9y`8pObD z6Sp}C#Va6#2bXSzDBJ%t%c*^sTKya%bW-e!GvXW9laA>E!(_oqM>E?vnb;0sk^=6n z4S1gsmlORdVy#bu4a5Xz*gzG~+xaJcVmA}6>;P00`gJYP;In}(dKC~6PF#&9)kn=_ zB0?xAOV{YnCh?W~VqytO_*F~eZIsrBYU`JLbPr-BLp9S#K*VS4Io@iBuSBrfcwEFi zh+%ciZ0h6z8CqT zi(FrU#v|&*#4o9_h<^xAE71J-v>i!;g@me^XoTu(JvN<$Q69a*i@BT6jjrbjJ;`T| zr1;nY(>K1C<-48E-;H@KKA_s${^G^tkNP{0(lO`O3fLc;zf?}wrVA&M?<7(){X0Xu z15Qdi7kpTsX>xC51FA5AD-x6Tb)CzEC6?h>hyvo%bnmx*TSh=+^Tb04K7?rID-25d zw`Ro(Lifrbf{tok;4R9hZHR+V*e|S!yVplnxJnuj$tGbCoU#OpZrRx+AGjW|ABA6L z9LB_a6tAnYLR>p(MWUpJj6rr_4K$BJB*^(Bl28GZ=jZ3G&lF!aaEwJZFc5XoSlT{b%~7`cvo_jH4F?)w_s} zDmn;CCtWvM@7+FFEaQH`JT#>q@d)TnkvMr-mp$yyG8v;~`Rm;(Y;m z94!LD-6q9MiNCXPpC9MjI5u-|y|Dh3KZN+=gT~&Ur%%1rcn6dBea;H>%go#OEcuzG zT;bersf_14K7&pUaRp1t{x^liH1+4|Qr-R1>6HL2MaL=igS}AWu~WqwLaFUUOZG zN!d0~LL{r2uZ!%`W&}(E0OHQfB!UU?Vhqla3xuMVHC2zu=xz?>+(o@SLUZ~PzeHQ8 zjX$}-f!xWrYqaY-p|%Qnhq$;`g8FIO=T9WbQ}LzkD^}+jut-*RGzV4NlB>S>ig{T& zY>+-Xdd0`+41IWO`GlFsPJ-z$qmg?Wg1O4#@X-NDY1cxXf31Wz{ 
zf(|kWm$N9EX|#t-H8~C*c9qO473#(9O_)x{e}(s}teU{2xbgZE1Ps@Q{>4VxW*irj zJ~}rVXvSZ4{`*}FGvSVlyAjXl(I~iXg4*u+y&@j%7pf*kcYN2#{`bO()DVN4#W3VG8M?S97f^A3^C&bz4#2WmRWD%FoX+4ACbF)zg5 zYl@R)S?0y7usNB*Scy!K07&9JbSmVo-NmH9uSAba;RD45tLErs5sOD(hGqAM&s~`f z-s}D7TqXlgapSk*6A=ul%I{qu=18C00*A7<{dcge>ezoY(%L>1QL2w4Bij@Db?OP8bh9siE%au<`ehc zEEeM7GKUw6Ej$)nYA~5?8IRLen^q!dFY-@Z5qkvE|5lRk3wYAK7`m&jQMs1$+C1s% ze)N+Xz|%YpL>pNrz9~i{DpJ*fnWV%}a2r>yBIdADfuKU7dL2Pi{GP?a2i0Gcl~eJD z+NWW=q$H@mMs1v8f4G>z+x|#@OV`kmKQiQ2Y!*qKl?+@ywUcxB9(8>=WOL)QsCvL-4wCV2lcRUF z!HgNV`uyX3{<@8nM<_nZmpMUn>V)wwkE@)6oZ3lgPCcQ|zInng(H_I>;q$#*`*o@> z-$awFdiH&y3dz4WKi;HMH_ENE>fyh>PF*ZmndW1KsEB^v75`C6YX42kA;mvE8jX*iG`7}M0P7OR=mqjmLiJzbqYyPb?Mkd*eK?Y_pbjBu9 z-4%%Wt>m8#$9!6-rEz7h^EaIEUpBE7qp|@8AF(b=1!N^|uiNG$ho6V&{WOO6nacww zK(p9le8;fZElnwMhpd{q<5FkBW`=ocbpc8A_mQFMWv@;#6E3uAe>V$HXF8!xSFdZ| z0Zsj`&l{#p6T_T*IgprDUyp}`t7ck5aZA(}*g){#N>uNd8K-c(hHaT%L`60S3oz8b{(r;{E0x5>!b{-jsfu@(oFMSLuL@oNt}t#wJ&@gom%X>Ax|X9*$f1PwW{zjxoVd4MXUV>~bIa*xu(LRb zzK`izU?7!{atOn(>>3xjjm=N$FA8OP8})eE;qxZW<=7{cINBM3x_pG1<2!YjW8`LV zI1iR4otN)tv90mj2oyI>=wz)Rk;ut{k4Y8iYl+e6*PC>Fh5%3-Rwaz8Z6D)nU z!I&*^xKL&C)TTW*t!6G^5@0{JfaO^2yJwXu*q{Y^=+IV>!)*iQ5`soX-N)zSfyOdu zj4GP$2-cjNJZ&zB znP*7mO1sZQx$(zm*kR!ksV!g|Tw+A$!#$yDC56CGnWyj<{mKl_~j{ia3}+8 z2wrv5000BbMM4v9UeIWil{aj@-HHCFl_@>~oL+0KAcy7tI?v^-d?Ako1wY7O7!=J< zy81x_$PLX2s~wy*Pmd{R>Os3-03ig`U3AW48~sIo=X>26`ufSxG~8|JGl*x)8Xhjz zVcq~CguK?p+Sx0B2Jbxy5g^Q-ezz5f1prH#+jW@adQ>GiOzw+O&OyK;P+c3yUIl$` z5}+lhG+&-N+t-~R7R&p%FG1c6=7B4%k!^s-xHa;Cd9+w3HSpr}KheF746yRu2PM4< z)Yxo{ypH0<2-^=ZKtp}t^1u`y!zkVN5)XgnXwu@@=^Th;9YC5oS9~-}H+Fpvy7Me1 z;3-ila#~`#=?f~l6kt3cnT{|8EY>O+z!|NSGc>lP{?Bv)eon|Gmv{`&nN0(K?tX}T zxcL|&6`0cwX>6?xt1$a)5Rftbssspzs~?b(&ut=B?N=l8Df;G{UOaV15oF?5pr{ObN$k~9f8%8N_j}!7#87NbdM*Fda|6V9B zesw9$%Dx#uV(bjvW#p&tL*SVU@YK^&vCB@Qol+VjZw33E6_o1<>q3Vy{sgr{2*4G_ zwVEN+4ni#k$Sw8k#jJt7^8VTUzaLr>nqDDW;#bS4$>fgn0AYn|AELhlgnCCK4 zTS!vG!0LPLfSAA=H9&1>#_C*I|0Wap58NI}`BSzo;zZ^yxT$E!lfkznlw)r)-8MND 
za3m6Y9hBLgLO{%Z7bHso(9y?DcygPo4)CjA12gA=x?}M5JBLjmJJcNU7ja99qCnaa zGz9j4X_c5X6Chs(Q}og$IGk7FZ$OFUC6hmY$19D!f(2#?zZN*nI5#2ugO(Ry#`T#= z!CuyI^tJy&h=k#Zv_7D!+%+kNT8T~HVz@*nzU-#)M@bjn=K|Gswhb-YtB{~@6p)s zVLJ548Gy0*AQ`o(m@gm|%-Xch@S%DE%XQI!Ef83;tIvFLoy(MR{{pdge*xBno8G8w z5RPEUvSfF{AHpaiLdI_eu^FR7sk4MyY@&l(-u}lx`J`)Pyuc7%4KC20SUqR)mSfagNi1i;wfoz>Dk!yO%|4G#OHJOUVvBM&`{=(KvN^@NJk8+T_j z_`HX?9Y>VCMSj@n+ZJwB-TAWJK?=y_%}>B1OmhM}FlTQN&!}s*jWL#~LouwTK4{wr zDLtecQrlM`De)9Q*i|p&l5&%;^|gxkRRtdLrjnJJAUJQpVA$&o=wo1fZe6KqXzr6N zf{lyF0$h{sYVgo~_WEGee&hP89W};2VzG4s(KQ7jRmFG9_#uQ)+)z@nFJJ#cbgnCx-oehVq>}0#qN!0saNg5BT%F`=e~T1F7i03+i?U z8^nU~cguv&kg&p(XQ4Z!BU27pzx9?akpOlzQC!;)r2z8gFA+SK^diXbH&cn!2jO|d z?&q3rHz>s&g$RxGE%ih7VVqW+ayW{W68vv8l8E~)^x~9Ui2{CG9jKGtb_rl*@?-^o zPCllHNwX)>44xen10Hq2<6s5An@`+#R`Sab9)N5lu^cge14sU2ok!aJqU96tb_g^{ z%~*5$y!{i{RGS$o>Kg4?judD06yXpLRw|x9EKYi8=**pK;SL1XIWq!EFce8w3&iI- zv@s1$=El)fe6ToQqS?`msYIb?9T9`qxbHq^e)3hwZJdx1fQSyYPQm$|DfF-qrJRgg zg~^95WfZyk%$p?a(OwRjSNp=_l`aEMeuWM@2&4&FA^h6za;BAo(-E&__}BD1U{H%x zGYv8@kbcz@vbww$IFe9SY zsnra7HKwGnYNwMc%TdX9K2=SfvIQArmpFr^_ULPtmhmIYxPJ=N6(B*86g7hBJDBQs{P5;=(Z)1d96+wpJaE-HI%&7_0ZS8 zoDQ7ypHSiLHvK8swvKQ4x}0}84ZZU$s#jaYDXMEMs&BN>-$l24C-7b^Cw{(<)sfTm zY8?MC(w0J;$i5LC8`BsdB3Vd3PglT{zB_d_pKrazfXrSSX@#^)TaiqCHQbRh2!aN- z3=nYyJwX4jd?g$7>E1}Ev3G1c|LGri3^na95nUQ8e(G&Pmd>X45^B$OxZ%Eb2?z)zl3nDRd7ye``t`zO@1&5sp# z2QG;d-zjCrNo_`b3O4)n&`4je#uW1o&Y6oX|5Ym(J*VQ0w;DegbMZ?;)U_m6xCw|-1gx7A&8t&7=O-jAWCF~~l5 zmE1i5){X2Rz;pI3y-OI?!hASx!4<_vPD7*3v`KT?9WPGXMUiSDw?P~%ldQLv+%LiX zS}36`3q98@8^za=j4w--Y#a`@ezDH&U@W?hNWom9*M`+ic%18dvabtl>~%|9eY z)_B=1&KphGlD=^@8rCqK@7A2^>~l4_ha89e#p-I;4QtUi{RR!BfN?ZY^xEG}e>g>G zZ!sdEo@!aK&S?y6DW^#{av1$Mk_~g8tc#LtC>L)m4eiDi9bkR0{E}mzzR1W{V z0jB7_>-UN($wggRFOo$`zR5=`9o@NZGNG67C>AZ-T`wWZ=gfF|fR6G!sl`5*2pv!nh_d3CpyK{m|BYRoYElZ<4w$Lkq@IVN7 zOABube@xwQQ2qpSMSLHQU~$}N6e2ux%Mz&P6lIsM#>LA3%lVO^wcdk=fPD^@!Enhv z>u+C_hltAa=}~SOBjmd4Rhw6`{nwPgO!%S}Lwp#d92{hwp9g%B2ngIfKZh5ZMVL6C 
zvx8Bjc5w*)Xr<{I?W_5tfqFZ~r&|G~dj~GKbJ40Hu~hpcn60W8U_Cg*)#E;DSr;qQ zqn?C4{aSnHJmQY?3@O)@c`tGyzZ5DvcZhJ^hU6g>cyTQAB>>n$-C{dr{n*dnDwt<;8#1kbcJl4v#}% zs@4>#shhyEc#+TE)~H)JgMQjBpfLRm(BES}p8O1zo9C-E8k`t>IPB~!j~zx@rOK3B z(|(J7_s!0+y+b#Z*i@EB@Z3JNlNvwyHLtr<_=<_7IGp{iPm`*&;d?0%R6|vxb4(dG zd|2Wc*H2BETwMK)TnM-HKq%nn;cLCK5t^sv{(M0{7^3F(NZ5%zw;ve_*Jydozt*5B zef#$9=fT>h1TsH9qjw6Bvp7Uxu5lbiL8CufVH;IfKENGex46T8CO6SG*bNT+rsJ-J zf21ozStF1}^a0qB4KS6H0Has~lwH|CwuIG1B*WjGAGDHtUfyT=N>cd9!Swa^Th?r{ z3;_)jTn@E?kzyd25A^_xmH=7+pF>k^uft)LerV=MudxErW*GvH7rnqX-EamB`h$>o6eogZjV=fuB(FXMvtM$@~%qA2%#LnkOfY|`u@B#QiR*a+;uQU|i7 z`+=m96U5mhGx&_@dI9$>wSSivwxGeOOg52e^SZ6rXl5%01{-`%pBzEV9HL}=6+_~J zs*mf;yYi)CS=4;usV3cA&LUr5mgJMH;8*gnK4|(3PZXOlYR~5J1Lk+OKN|h^J1BKj zK|svbKqVFZ_`IM_7El&&bAf}hb+cp$B3MHiu8HD)YJ#p@gnKIG1Yp8^(EPR$lzRK1 z4mN}0rwz2jML^#@O|=A1g@QdG-UTFmwFM1FISG%zbnb`BI6w|f!Y7f+cH(72IbTz@ zo(B0Gz!vb?;GaRj%iso7=}gGDZ>01gmn1}|F8?r)05L6gn$O(qYas6#FEEk*FPs6i zkIx)6g8%e#U^?K`K#LR&VrcBg{Xf=T$!s&YkNbJmb^M=`JDq3Z$J5~-LMS9Bq}OYn zCbkGXc@6Xc+T!#6PiP1*HUNhJ?NV+J7(ntt91Gn-lw@J3$ZgPGrf3+d57E;6(LKLm zOav}8H#Lx}RJ_6>*cU^7WKH`!#I1ikf^<+3eI5&9xQQ6;g-r#n-L8y|_H*L0~c?IrPO5-e6%>ijafALs{a zyl1Qa81O~FWZb`kz|i9rIXAylYD#*(=$}_y#kOi4NAd)5fOqmnGhI)|Ku=zElim1C zTW`L9`nPH>7JG0e1rnruCIRazTB{S6E|MZ(t{2o|l{c!WP9Q6S0{8ztj^Y>$_2=fP zhQA11b-Z91VCk{tIPT~jnEqY8qC8g)FoB)lZ@^6!y-q!9_jTcc>h`wq*s&#YS;}n} zI8QnVP>muWyhJk%nV%zc_2dvdG2wr{#97g@hb$kHWHZS=A3FuaFHr%vBx@sUk5N2< zEd>B|lSq}?2m7i8Xs(t-MTG?!>_-5GLhQs)&!wEyZX@9D;hu_tSS6!%N zzgf<(_?s>J;uC~4?1OoGA3(CQ&^Not4)93~&qbU2Q;`)xzt5nYkc5uOD*qo}q0|3{ z$GJGf^1%OJ9g(ysH{sd>UoN0LWPeQ;>Au+i4Lzo~c<>7N&&&|$AO0WVUq$ZF zV7#p5-oL>6W1z4fO$^LD?{5Gym53E^*J5e) zMQ38isXn>f5-{VI-mXdf1wgrdsKYvmr4{L_Xrqe!cN0AS!$uq?bnr;Pk*uH=gI8-0 zIC>Hm3i1QZkfZ_1hzK$TVCnE8;usd zRii^1_S4!jY&-qMEb!u+V||nyYEk*8%9IPBrj7mp-r5Hmh(0J#3?#TOB&?cBnk(erFq$hreW;5p)s<&#w8_qhIYgcmyaZ(9T!F?4h~%KS^L+N*X_ zI#F1Dv-nrPGTyo?9F5RY+gvZeJQk?#62YaQDkCg(+3~uI2DmO@Yhfp(q5{X4FVUTN zMq(_Ye1<`X(UA}A=q3gMEtfh16c>+DTDzGakQ9n3yy(92fZ$R#rfQ}7TY<$lttV=p 
zODjt?gRHsynGbT6%mln;SOjt*aS4ZKCd_+iQR@!FOGK78xrlNH_cMpG&Z#%~%s3|5 zX-3N<+mj1+$LfJ`owi+I=Uc7pwMxDDdD^M0{(x`nVM@&>TWdg8Rue<9OfIB4F90Yk z&!~%Vmju!5mO1ukLj-M7%gt z!U5iZx;O3=vT{BhYCXX(LnC^JEU3if{M(xKV?v}(fs=e;(xZl8&aR*D@OqH@80Bn< z?3Sa)7yF7N8AH_SLN-vT5;=xn4llS|cs(heM~f16!iioJV^}h423dz-3GkGPpu9-* z=ql&0fuq%w=q`U&I%RTHqMZl>w~K4DSu4@`-2s7U6X=f`BeseiFJ{5#c#L)cqxoIy zSK!HgdK0Qt2Y|-{eL46!H~%hKf|eMuirU1R5Jh~IkO!COL`gncL>07o@WQMTNs*f* zk2d|=&LpZkz(1fJ{_%B$4~de*L&s5{WtJUP>|-vehMR>@bOT0kVZehkG;2`RJ;$DT z87THlOw1nD_@(Xbits(~H^yn^0BEPsi;xw$S@{%nh2Sz8ihI?Qi-7-j&;rWJ^@Vk^ zm!OqG^g1y2O+rM|-1|^9S`E z-Ht2-PO(Q0h@IFR$M%*J%xz4e7^1x-mg!nH5Nd)w=KaoNU3Pqxf5wfz?+^Z-rD0G0 z)|r*a$d#3q*@D7wM~ViR_$Es}`Pl=q1)(IQkIf|bfaw42ZIcE;HW*2myf9?ur{puM zd*^VP{Ay#gSeg+H*pEAM8W*X=kU{eH8=icU5qG=69P=$}#Bd!QN$^gtQg_>iDcz(R z#>ONK6isR2U9rr}(sgB?tu4~%wri8Q{)M5)O0k>b}i2?SHmsKA-*6dxml>{cqf}z~(|OCGpd#?vg$qz#uihpKec6S2PI+3zz)an$&@Y zYQSUK%l*9JQkgaNT)CCzpBwaJ$=F<1p8iT!U-$)CeKTV;kQ=`D68W;?W-O)WnGRjQvzq6 z6wRgwb~f=b4J``b`p1?@uOyN-MHJ@IAE`a>)AB3PVStezMLg~)%!w;Sk1?+*sjL)| zZDZE%GqNPw-!rBU&I_8B0&vpNfUH3~QaJ3sN(cLiy#lp;na+AZ0Vp)$^cKP!j$^g6* zFuniLlQn)NzjXm#__3|1U!gRS>>?O1P3=~lUBMQ#`x`;wotzA9K&$C`H&29nbkgV} z0;C*%wi|*dq2@9p%e6qR+Mt%MmelJXN^KAa4PIKagL8d*9@{4C+W@y^x0?#JfTcXw zi5Avn$KmC8ock1T1ZDeQ@soHUdt8*&qr%0>Y_n8nm!SANNA^Vn5ox++0o0I;>M!fb z$(@0IYlS^ZEkX)hA+lOXhHI>;uGzd2>(A*fwxhu1xu5@ajAC_}seWCPZiO|hn!GC{ z`bQ6!dk!UvsEeebs%|N=GKc8zVm%`{j8!d+%8T`#);k{YvrCoS0 zar;%w%Qe+A7WaK+PFJjWh?z|#P#J48?eVbhai`MpDwwV8e)XMLx&OW70GiIMwm<3i z$p67jb~z?^M1qJ<3KM40nW6Ogdccx(jG)ZG)=6wKHu+W}8d{1c?p6=QR+Hz-6%IZD z!e>t(oXb87scV=7xCuEz1u$&jo!K*O^aCN>1R>=Wd~S>k=3O(<(#z)7yupsQ0oVwI z`NMQyLhF`^T2q)gCv2$JrtOF%^~J)&)tj-6e%3Y~1aiGm!C4X4XyuA*N35>q!`I&? 
zUeBxj<9fJ67q)nPUF}B)KBossJ4;J0(XDo(I&jtXH=~GjMqj0HR!S_WFg|2D z{}}U9MiidSUFFUa7u&@Zv?8=u5KBkC-gj-FLseprr`Ccia)Mau#G2LeoP{{ZW)EJ& zH%5`jBSrqk@nq$@ZgCREcZ}k>Zfeg^!+ox{k1}IqtIBUGZ^bk359x5d*zeXAw{e)W z?y;o0f*!+zaX5w(__M`|qcV$eHT2^V4JfA7-O)H^DRP}HP1ed3X6w*3Md^D2tD{db z4Esd_;mQFHOsM|CH_7+5U%_5StILl&rb)TZV!@#5WswCirj0=2Ep(f{X|5M~d6NK< z6zr>MpiuXRo%8B0m&EonP0L0tP$eN8EI6X+IOr-9x4@`%lheEH5vOBMs#>&SPA`hU zuPs;&FAXkMk;2}{#ZSq$J|lFbl+E4K9;-&V9C>)d&#TH>Jq_G<##OXf%Ux8OhhMur z+j4Za%p;oQ!rYG6a&Z{N5C$8O*6Pg`Cqmo3E#kGpzn*9rE;vyRL87QBRZ^-xFkqOFBCWl1Mvlg2c$5Wx096 zL%GLEf6J@4<}0H zX&&o7?ORCAR!gy0@y{XftCnrMffv|tl!WbzR30t(KzAP@KPG6)AnuY@_AuLpI=T0W z?d?TqLVr4BP@)0n-%NShBD+^#j6)a{vFe<2<9mf;+L=Yk#OO+b3~qz;gqenMnoqGq z@y|z(6`Bh0b6*bMXYgK0wErfuR3FFGR7(79hCtrt;omU|FTXebR|jLqX*Yq`U9Mmd z(f)n1-@*95`G|0K{o6f&MG#^vtoaWT3?)iW0^!qAYMTpLC^LqY#kI4rK+Pew)%%pT-1`%rK`4_vOllQyzfxq;Zzd;YYkeu!rfWHj19l}MaHBIcoYv2w#2;y=q z)l7;0cdYJz5IpLtatF}288HDf%tDG5a-LLuQ2OG$+989KYu@_zqHoSa)zec5uSdOX zIv0fsuZ;KZqX16=%0z6H+`dZ2F}~huSmu7{IK`z0ZIEW9Jc}*()bxKX41k6ft915h z_)fO+NF<4sOfJ}U&Z7x0EvbX*M?qcr(XuOi_zw3cp*F#^{o<;NFK;pgT?W_FDMp@r zQzz!-IA3y0sd|(EV~n%47zf33y;bHostiLk`|RXZYs>GD^;``yl6bTIy>^eG`PGHH zsKf5%<0euAv#HbG>p{54d8x&__l@$=Wj)}_B(1=gz1@wz=5zAueamkj4n`T0)em=; zm8AmjX$3jpn6;O~`j1=1+dL?_w7pR}HxX>*Uw4(Q$|^o(z-fhxc8aIOvbGDA2H!(q z5hsMI!Ng>YdUws`Sn!vFz16x@RnrLmo_kC2@}7@t8mJw2kgF<@)RZ6g$S(72UdH7`F^G zM@ZjQ-)y@PO;&cNh!t+!5+Kmt1+GFV=>CxVA-Q_?tHIQSV&ePhyAl0=Zmh|Sy;J10 zm#;$!mwwuH-Xff6!)G;gut*;PEsxgbY3G_7X>s4HEyr0n+>Y32 z0KcQ;*#gyx@v0?`oW|VfIx9afqG!>c;5oGMO8%Q5^a7Re@<`%SP+54u;PY=;%K?0_ z!*IiILmdaYlK*ZEv<_a$z;EL44A`of?2cG1e0tiEPzVK_L1KvZrm-&MPXpG#|F4;X zcd~7h9^ct|kHk#Ag$;U`hEYd9ZhGDe_JOPzx*z0o5YkQjANZ+9%l`U`d4S9Ke;DK( zcXwtQc$-F8dUsT)C$Ycf4e5d+H8t94+2e`y?jDP!woW7alC9|eI6>%djm@S3%HR4P z$xRV;ID61};3L9mAkjsd5GR*Mh8$x`Ng}bsbyQ9r(7G_Z^Zx!F-V}M3;x588MJt3B z!Nt%(G(|qx>uduY;pL`Z|Kd*}Zg2&j24oX>@>h!gxOAizkJw&of!A z5fzC)t2<5YaYZBsF5^=Qb~RLod{i|lPhBr2ktQ^Ueq#4BFp5h!ie}yRD|2S^2w=jg 
zat0#pD)4{q{~Y_hWq^9*m_^Hha#oObcFy~lG>XL8iWb-V*Nd==I{@HOtTFT9i`vv{ zK;K$0AL1&o+~oy2{Tf)`9J%6M7zLy1amQe@lRH2S5P})~b?>vVY6eN9G2qe8XNI(h zAkt%H_Wb0)Sviv6LMxk&t**-ofP2D#jmEikaPae6B1l*t|B;+?A0)(q$%xbMj1*v< zQMZ3LB$Sv20{5MMJEZ{#@{yt8J zAjF!Sh4KXMqB$1AvmTDhc89UVophAf}12w!(smMcrrB8l#9pgxzF!&<{sxuOKm!_I`-D8v9o zM@OcT58y7PZu^%u9_W`twc;>N*i9H6>`L|(M9)jS7`009zIG!=w_I64=8?xLQmBBI zGrQxZVhA3L7C2vN>oq+;^19GFVr86M>9o|YBW+lR!LjRbcykZhi=7dJJQXPw8p>xU z&#ew&NfnM~l8u}EU_aOpL98OR8G&Rh;^88XZD`l!N)l4bnP3F1t<48g&y~O) zCGqN)jp%=2&+hLNoftqZ-{mp|lsy5n<1$Ckq>*t3|ouQ47b+G}52 zIe8$s(s`gnGh*GcpyKBnC?nE059pbxUGBLG%^ii0xufLhN8(}iv-p8Y$>(tq+A7ACt^ux@gxAmiBVQ!cqaXYOOa_p2w@5q;*+6#hvK@E?SJ!fmPx-E#$S~&+45pm2!)fm@*UJ!iUuzQ+ zlq*${yVzfU!lu)w@f}anL|$V5o(e;v(R_2jR^J;b>;onnwkUrd{Dyc^72}Ht{TU*^ zy;)C%@8MxNNzBUO_L0o!({rjFAFs7^78-Mhe=8cY4v)vaq%eP9zb7R}y`(od{U=_h zxky(&w62K2)mr9>*yEnqW0R^wm9`;bzm|JCviXAOo|ZVv0%oM;%f!Ms8toa(1Z8zk z>YAFYUNPEqLilEww|_$JC!+mTx@@0hl`~1<2%YSWgHAHp68e=qvhCNi+*1g=0FS`? zbSUSSc)`J;ii!ky+XPZZTP>T)L1;_M5d`qZn%QJ+)=q1&d_C!(07D$saq{m44A~Cl zDehE+-{oin?%J{Pn49=XuNcND!TOQklJ%&NLgww=>TV+4d0STC8QjVsI~3dtV-&Tp zV7@Ld|C`)`$)`9E)3<73yIj0~zSinvH1Li=-N+DrDW{3(L3f5k+!+fEwm5jW)VCgX z=2LPxCOh~9Qeq{t@ybG>S(Na7)xt!0ZnF&YG;BL`?LA1X8q+fBVTtb3OB*xF&Z}6i zaiI$ntwa8Mhx4?(8cj1%RKCWUiiA-|+p5)0rm3=l@ z_u5E{yP63dwhEnbO7@)2-YhylR)+D7%V+awa!mvnWfE6(pWSFcuHVGUaFX!TuUcj) z!AfLo%KQlruCE{^J%E|EzF(xaYEo?D5p7}ACWhH-Nu za-~;xJ6J+fE{R4SKJuXQ=lwGl60h)BrVOq@jE+qS>02&g&z2@^;;jHAsaVjoncijI z$*_PLMxbW9PA$_p`$5E3|7*98xkK{nm>R*A2WvOBZ()L^4t+-b6^@qEAI{6LFMari z<=c$*@4>98%bb#_0~9f`pk<`-)k=5fUZ8~y*y^!d%JebaB_61a28OoZ-$X*-Ej9w{fubz?YEb0jd+ z-jOC~pH-8~mr<1(21uPF!rVe>mNG-X5qYYy%os*|;*(Oi`H|(q>cg`;lp>DaOZYIc z@v!4VT^LU#?LwV>9J~ABeWpa&#TLu2VkZy9vy*7E{MdmMqQQRq82ZeAE{aV3Je zI!>7}PtZN=?H2)M${4;gxODe2Bj1+^1`fz#q2XV=wCEL3tp_#$tQ(wkTEj=jut z@mdn#Iv%tU4xOTya-VBGUmCH0B-mEtdNb_ww#78oqBzesulbQ6KYnf!-dv5VN9cY5z-^ zrNYmj#QvQW$a|h2PjmG}MACk+8{TquPmQlCfHO=h06s%rz)1YYI}{qJx{p$ot!@K+ 
z-UT5Fs;iU|_`I0slI<;n_gX?)6b4>aCB|qQX(nWaq8A2fY!WSjK)-&y!A5;OGA7`yDLZ8TZf-z_3JD+uPdl2aqwCuVngk8791ghau z|9>=!LbH6=)2R@b8dQM+v->?uGt0PzksfL{(1vhe_VNV-|LED*7;I|pN))oCD!#g} zljZ{)1#xYl19aGaWMzNvCn|fGf{xiKE~F&ahpF8NH5CNf8rc3O0S>#O0!S7NmeDve_bd9!?aYt%4&LKUI%p?tUg7mR`Aq6RnCqT#Y_rXt zMY}+M=UnT`rCl&+teheBBUfN1>iy^(>PazG7ommPilEbet@!cT&C~8Ys?!IR&6w5# z3-=Y?f^$5f%Y-*afG%P}`H`31Y}_}*h89c@XL&$-xVH;r>5}Xr@&pw@M>XW@)(DRC zBh||>(IA7&`8SXqA3vDU)!YEn&D~U0D2c50?fU_#t-2Q%0YnC3$Hdu}eO7X&87?Q# z{2gS*%k$^Jf+&)cX-~Q38;gT{qvYuaa|7*PhdO@>J}xW$)Z_$prv~7s69qMA@Fzng zq>4C8nRn*xWFhZO+T3f`i+ArejWQsa3p`Q^2bHG*g0-*wI_`j!X((Mk> zL(HJb&w{;^RSIhHV1Zk|j9^~-OKBj)qA@?rOxl0c?pz*t97k%c8qE&pl&c3hCfxQZ z^smRJEXmtTEyBB^h(&O3^4?E#tO-gu^tC?tq$aW4+M&~2uHit*{KVgB2rdw@Z`V2$}(gCBE zKG^nZr{nb$IQHh+{o_bv_4;RoAoSDwyt-7ghFe?G#T`V3XrxMj(NctS;c=<_aaTB2 zF-?HCXl;hi|8=T+#XGkAAX$A|E{dPseXuTk>~++)I9BD^O^sWsQH5qs*W%?@J9P~2 zyOebSSmezBA_BWM6`UT-KdE2`Fp4COkGfyXPrJf@=e`aoZZ-G@F*8m`a90VV)wDLS7F)&#+(lP64o{w2`l5VW*D)>Iy3xAFv=|wpGI_rx1|sP!V$r3jV~-g zz-ewq8vF|WWGQQo)Yf>>DGV(e>Y-kVPytF==s!!!LXSH>FF0vVyVj(UU~EoMBYS7D zDVC1S-{cJ9-8~1E_Z(|4%Q4T^U0Ck+;e83XcbO6+|A$JR1L z)O);r`U80EmlFVK8t=!mKnW-V9o$`Vy)UCBSb`8N2pQ`@!y<>X-v5C(QNA{p_{7aZ z1wj@ZL`%E1^ezfeR1Tb-=JuJh4j`d?OE039hYoPeLB|g7YF1oy?_Z%S5p%8d#p+hB zm|Q@n!jUR(!8Hh_yVd+K!9d|$0{k5CM{Px>rSChL+%k@IUR4N}qGXn-E!+UbkYf`! zzJ`;2h4(a%DoQidkrYZ6x=OkHZvNk~Y;ZR8MghP*3{0B$qRFNkf?_{BxeX53nJ-Ld zR~UN=Q77 z*suX;F=S*kTI`Jx3IU*(4m+RfRj)TXbpr16v5h#Yt+fwM(ay~<$JD#29#I){tX=B^ zPLU4N7)@b54bWEf@rCM{egf~&_ZZ|CFNJ6}A1PRJH4|7vbY67qQY;Gfa6Rns%{=#w zm0agn-)l{GpXIBDn@Er5P?DlzN`N!CRwG@mn!Rj(w%@%)|AZS zac)BSD8;F&dc$JTkE~alN#6=eVH?ooRt%@7z;3D0;S_KeGFUbJp?F~^rNL`0`&l30 zWwAgRmyIBw0ZL`{1H{?YJPhgEXmjQu;U+L}owd24`6k?AHX=aLR8JPR%Ln>2|5FkeTC)sY7 ztZz_is4eC+6s(^G&Fc?4R5+`B3jP7gQ?~r+hdEK--31e#|K;QKF&iI7)p-ZTzEbv)2)B!6dwyfW*#1kt3kaB|6gBv!$X%Pr9CmxTt z6!qEE1Mx0otoD=B>=HM?VP)jmc?k>6rTDYI-vFJCF-fQ&v><09qq| z5KzZuwc>&EZZPv`y{;`ziG*^NQ$V_C&&Cs=dF%t+Yn3(TR}{NYL~?coLO!q&kUSp5 zNNsXM+2Ll#fN7Xj{vS_wALMV72a! 
z@qrC~yF34@Z4uB{Q=#15GG2TvIcfW%#lO?kEXd#6afHK=na12Z{v6y4pe-DbTw^Gv zVg zbN3>2TOt(!QDOxogV(+={r7z^kW+=puLxoZx=GtZPC|*?#{o{jCCJBA77{;xo_G21 zElcq|JX_hvKN?PY~biE*}A4$$&C0Vf$lDQxEiG1NXj3g>~UF8 z81xVS11*R%XNKtN0;L^4q<%H+U1*G|^qmESNr=%{H=YTRJYO$n!5wIg(pi5%8q9M* zYJcnjqna^9FpS}2>39Xou~{IMs2Z3v^#dPqE{J#_QY7(7m)ZEZpO5Vez8WA&N$+w(M(a+#l>4Zd`qM~cD=_tdt7y$!bOz`$!bLbJ65 z{dy4+aApprD+t}AIwhG=0^#jXDQ{B>9w)K@2>UbjjoVpN5mC8s&@(pRk$gJY5_!Gs z1{7><8jVhvz|UqCu^&hRwEyY>ay-r#pHfi32AuQR;o<`Sj6iuaoL>BEr!;sX=bWyg zh;8)(K>RN4dcH-KIh6UrRVF`1F(ZHw8KcC~%{)R_ARr~IT{i1g1TUnO1$pc=J2~UA z;NpHW$LD2r>0Yn3^CeAEAxShV`Qg9M=k4-AXaJd!l2wI2?MG7hv4Appo@UBx3Xt_@ zK`=}U5bPSz>tW=Fg>*L~;epL)%-46ZCu>ZqTlCynf5W467#Mi*%QJq}jB0<(?`Qe# zVXMlutDP++*}e??;hw=JpzP(vJnT(-YoqOj*?xd%F5;-`cH4-}zYAfJ5^sQuwt)d8 zl&-ysQEWFx7)T;fQ%>mXb^x?-p|jf@HO<0<*x1CLZ zqaL3LBRjv(b5&iX<&`LtPEY= zvp&@|YR&mQvt~PggdCV_diHy6=FeXj?Wa3m(?{(F{DKa0ME<_%jTFApGb)!wE+!Hh z?jqX1U%=2Q6c_+aPsf50hLNR7$+O=-e1t9m>yPhhG&+E=0DlkZI8uZJZ>Y>$N<(mF zIsbY=%H!7U4#m_0}KW->^3@oB+(w$2lMxIWDJD6Mjlgu0Q2kZ8iS z&hV9(kY*Y3c8BK#Kq#qYSjvwqrEZ|F0WkhUt#b+f5~jxZp$PCT$h5 zG&-)r0>L`_ly_^dmHsv#0H%CB5RzU+t{;%pioqV1i+8Y@`v*_I4dp9uSYv~2ORz53%->v}BMNk-Ourh)%w8Vlb3Piizy){2;nxb2D#;Sv#^ z!ik@cFQ5S$#DY5GYvXM~{(Cg;3s;t4i^4WNnW=Ue~Q zT6frPR6Cn z9qY=|F{!znO1`SNsj5m~o2NNkRESj z6>X-$dVEE=>zMIo_H!0xRQU1vn~tMP@1R)x3Nda^ zb=5koib`#6vX3j((}@bEc4Y;rJuX{WvwA)o!hOwn?mhf!FUviRLX+P?aAW2Cq$E>6 z_4_8$9jt!t)jHwoO8ds)x3n`9*^e*v_@5sgiLL78=q>sDCAZ*G!qp~|Cx>)|lNbDW ziC&+ZDyD6)TI>=X_>#2BL(q8ny#~+Iq`-kPISPEFt*3KJ?C#}ZF2`tKe2ff7fnFSf zq97FG87oWS_UpUho#o%Q>exE}0(2uuXvsCNo9qqmLrdgl>$*|%XHxFANo~iU*Hwwx zq(vV`sk1o?B`_3)kdG^83=1A@}H7i!^8m;oSp4Nj#sZpy`qo@@`ZS`1H%G*+H z@#q(`s`hHts1~6{VyjBb+V7Pwf8@`&bLDnl=W$-=@jI#(RGw*Bu_MhWl49s{OoGY5 z&0MT$-^;R5>enLHNl7kqUV@l&66g%;PO^z>|A6E-tuM=mO+x+W$chEms&;wHDv9Os zLEj$T?PtrlfL9Q!t$lLjF+IK#!6&nr;?}8&oEul4UAH9pFv5{H<)xIeNJsV8O~y|T zxWsrO(@ISoh)#cYrvRlx8F)J6>8y=;K$heJpcKr{kzb`ez%1jp#~fDcz*xVUL5nsj zt}HnP<;gtY5Hy@o!Fv)Qr_I*SgQyE`P@2KOFf13K7(Dzr6RK-}yo7($^&lM3KsxE( 
zwEfB;!0$lN0chO7Bx3QixP1F$e>Mq#H@`k+)sy>6@T_Qhb3F5r8t@&|CwQ-_$d`sV zjLnqFSee-{Ge?7ZFtOzEVZT{_#O6mqQoX+@sm||)pmfBFWzh$agfbRgjv$$0HtI#y z4c$O(wL3L)maX#F`z|uQ+SxlO^s8p4hwHwIZ`9pv+5SQZTNy4LIkhjaH#}HqzA|X( zk_U(rBc%ThqmQYb^FS=rJz9p1Hvw63{l~3QP(iFm0(d+mrD>BCLct8JTAe#v zC0OIzr^g5MtPc(lUgzlC7*yIFLfHidIXu{qCL9lPZw2^-XF+@d04HU4wF;E=OTwkC zpq%?l7bHy$DxnsV2oBX-x$O8_b_6>RNEpaAR|eU(Ptq8Gk32&>LmF|7m zsNZFp1JRcM9s@Rkoy{|U689!wVmRPX)IS2&L8I%RfIJw-gJq67uMNJ2Ukbpn$kStO z5vFI zb<$vEds^gwNppug_5cp-NOkYUAv8a@;S7}#SiJTGxHai~Wxje)>JL{sR?u(AXL)|0 zp0D3&3e(ck`f(js;Pti0XJZU}D=N^8!14E|eQV(`q$KDkyqS(rjam}1E7DbW0luA5 z02c|nLXWYT2kaUsNJak;B~T{vXQ;2}?Q2OxaVtV@oMp+JCFVa z#LUT^&mb$s%K|2yP`U}IL-~eL&BB^+2$Z82)%~C z8O`|oG0iWVfG{KN8Ujw!Ab}vet zT0r$K&5YP3%~&8Ji+ICvvnMIlYkh>xsQ;ks;yl%8ouSq}S$L1tN#`UfPxDuf6{7muE4thd|q^av$+By{rSu zu285QDkWpZv&rHLfiTAPwNH3-=`K?;jI3bUKut+xSn~)-|`$4RE~e44w;inH#{Xw3J2DLeZ%kixAsS)KDHA zlLGT@nE~9CpgOuJiT?Rgzsv(=;6ytr30+Rz1G_;WmYI3QBKsJOF;kitzp|3IiS`Bgd_noyNHq&F zheRC)WQ@*jFsO1HXfExMn1@)jG^Iy3OszA9{J5a!Q79#;6rFvI4WKWO+UOADoUiVkpTEl;DOfXtnz> zk$P+d^A>H~8+aLwB>0>CQ~Jw|xRiB^$q6~}fsK?5+P^_je}3)5XeXo)bn9=7lScE? zgg)LMywuPqpT%zIIUbl1dJqGzd zh>Gi&;doK^(a4Mb#u6&_-OBAEtdLUUIe$d?c~rJ7GY!!PGqq^Ou`t9F9wsP4W_0yV zcD{9j{9jK${d^87p0zJKEUrwPx>uIp#kSd)8aN-tQg1&=u9WBWX?ZP}!Gn#_)Xlg* zoJ)XzwN!9WTeExdJjTDgG#zkSlm#6%=^&(!P=-`J|Idd!Ojy~TZ|2^^0`L6W*W0v8 z9}|#d$;AAn4jVdyjQ^Q!hUCjgCC*@sXr_SQB|`5dVYGqm$b5S#*WZ!D+{BCHPbfq! 
zsjQueCD*p6@#Bfw-SL=0f;3*jzt12+kfrtkU|QqBo-+O0fF&RP-S};xo1ZU2f8u6+ z=j|6;Us?Kx)H!9Yt&|nbpLW0KVS86e)%@~Jt2(>|j!yO{nizU&n3ze4?3s|dj9L@x zq@uWD-p+pHdl`=m^GG)7eH&-l!OB848)Uj%4ntiPx-;4)n#BU5&eX2;m7r0D1PP`Y zPJz1j#c}T+MZJa6&+zk83gh%BQqNwU~KwQ^&N$9)>u@V zO1|eCCWr3)IGp=4Eh(Zng`FIypvdMrOMi%HYRs_QqHaXQ@)avDv241Ie=T>f}J%}q2-(yC+6@J zUUpsw_H);O_3O&Gt)07VIMcGCj;oFX$I5?a9{MCq};>duf1X+slp)& zcRotmE6?tkuFSDt0{kpH7bx=7#ueM8?{ohXe35NGP`wL!g-U>*QcmVpKjsWuvU5ji zX;)|3oIUW^Sna}H@>!Lo9Nr~+Ju`BJqU{KbED|Y+vBd0EQ#GFmk*=Yf>ycR5)q_XkN$*OaEpsuo8d6S)9ev&z*HnTGB*HDS`f3FP>cZIIyTS z=)z??YAkDA4${J>G`&Szzoc9^Q(~bxXTe-uzxodxBuE7`EU7`lWow@H{AYyE=lRYP z(9UkcDy9R8l}D2^s1L%QBj&5Rs}X={^~0Fz7mYI!7xa?qIWNFzZ&IitibaGT)B% zf9@#*To;Z6{!Z0K&tlDQHhWkBn_xOSa;pM49!XN)8@XU0Y zpQ+wh72k_0{A-zegM<^=OHtbJ8q#zH=G^DGES@On?e?01t(59WFC&=$!FShs5XWJ8 zROgmX`&@-H|08>APZrr)Axb&=maYXE%z}6drkPF&Qbb@5R$tC;>6@wQID1a5CRaRj zB}^wDal7))?95lJ@*-ItduO;sEZ*HoUJhhL-h|7eS!9li_kR*kxO=mEZDRAjn|k1i z?khx;_La}rl@^k$h+?_PS>9KvnHC!MO`P{IIm$a3wlk(^F(3gd!gZS;tb1Ycj}zeY z-{(OGuAl+GJ!uqudOTeHw?4nzF`vp&%$bDzBq9nCesJk2*2Hz8L_k*{iKrVKgU$P- zSE@GmASAma!CP^xCN%|;sJSB3uUkOoK)z?LfnxD7FN`xKEvPwE**oBnhTWe;ti>H$ z66s+a<$gttfjxIfZYt^L$P z?mFC*!Qj1(Q&H~W1c(+7#!0z*>u{t7KtBAYPUY+X(;fp1Xr`dK{Z35nnzMXI#-zGI z=Q(@8CRrD(lcO1mit3DRwVm2V31z@cqFkU3w!W4>qaosgB8KpTw#E3oz@uf|YPgjC zijhzxo>hXUelkgt#`@+R513Go@Sdu#>fZJd?y?5M_x>gOotnD2$%*N)6>nQr@d^S} zezF!PZ$ENkB;Zo&wAwqvFJzV2b%+v|8Bf?^=VuY*qe!H3td3V?u=3UGEU?(9$h{C) z+Wz{r`Yd?a;=jLahI}E#cNh?Oa+JMT-U~*X9R1qhG}Dl$mC?A_WLi{z+d+TSpm{CH z9EvRZk?K=tIu*^dvw5M;v16c)vLu zJSnjwzQKcJlBINg?gj%3ggJ+T!MD{%r_ZlmX3kf*(P#t)uie>ntxfm+3;!(r=hlx9 zr*9`;F@Lo#n?aG6O)Nl8%X)lO7vXhip^^nzk(2sZ5)Us60(~UZM9&pGZCMj3Wu`@D z(&ujdRGWE0?a;vBOa=5)ta`MhX_|I?Tu;hmpPp0bXE@m76+{%5M+Yb!6kou@2d%xj zvltQg5?;$-O@AdeHE|MCk|M316fP{g(3+QSsUh*++@N=3m~Wj)xG$&OB7tp;rd$oU zqh#c{yHTFGd4PeAxZF{-h?G?BZNCK#>U=KH7 + + 
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png deleted file mode 100644 index 47823d76a8add15a4d82c01735578dfa61dab54f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 39725 zcmcG$1yo#3w=LSiU4naXg1bv_0wF+ff&`b~?(Ul4!5xA_aCdiicXyY!JKz7mbMC$4 zjPvdpUJOyN*DO`CXNn;0BD4@|0pXCy8(go78Vb4#nAC@len6_u!Fscl`ZIZ>5vrA zgk%pii5c4I+nQS2n_5|dFyKkafp!FNyQr15i>;}#i9M(ob%+;eMfuxmYp4tE`p(|e z!Vtu9iwX}Mfd?N^v@)`H(zP`NX<5I5yCeP`+|*9rTo>qS3#x6aiUOM9z|E?vyQxACwQV1haz4gd#+XB*vitWYVS>H+dZ3ccGsi z6>kq0N;e|HY$CgMPhXF{Ute1v@(pzpdS#U0PZdp7%g^FvqA9hVo4sfGP?$i@&1W5m zWmcpxjH|wrPD9KT-@xM}5qe(B4L;03tS74&c9(A3Qn+aXzQC}r^4 zOK$tOb-gVl!>_BKpLV$X)T$2{iwg%j29lUM1Rvz;s2efUmuis`hF*zUUx(f{J+J>c zbM-ktCpb5UL^rK_n(Q|5I`HhDb*6mf*V{)SOlv{4D+o^~8<=YtOg&c2>y*+>PApf~_qe$9LE90c zQaCuM#l7Qi-U+N`m@!tZ_qBrVADPIU8p?}L$Y>9cXuaNkZ2h=M6hFc9Hq7VRWc6o6 z*>lcYCjxmw^jyJZ_*1PsxwF-iSCHaqdSoq(kl5rep>_Sqca|K68Ed~G}gad*hXI(s-D>U>`R$+0fkCX&bB$9Ni+ zQ0npeP@^86i5TsXFuUoYrW+)CMN6ERHLyNlNiIcULxX+MdB#kRC3WA@_s-isZ?jXBd zMf2$jQpsEHwtF`!BO8{#o=CbyVBr?`j{54&I5EPeib5We^LhnSA>J$1w5hW0xqK0A z+9zIrb|%CncGMlf#1L$<$J_Uc30!S?gkG|nMb>=TqZO>Tg+JvMU|zR$zv@?7vU%iQ z!VwZ{C+9lbr%vzrgDi$=-WKR2k0O(3iU>9{p~nQm{#e*m_TU=^A#ri7pI(hlW-S3v z&o~M!%L&$VFOmer4<9K{JkQZ+Us{l16Zp=%2o@nHseJ2dmr#=xSr_=riH|w*z01UA zicuZse!TBmk9s}(;(i<<>SLQw)+<0;u@@rxXNV~dl25ZPoNOI6#OZuxUD4Sf!fJ7C zizmm6sY-XRc~5Uv^qTvlGl&e=NX?fxj9-sTdiz%&mW39hv1(4P z8o~b3js&At(0&$% zscG#7{z=!~DM?RkmCYv>t=?)mrp=VY(Yj+!48i*Nz(vbPq(HA%YUgI{rMmS9vMQ4s zQnKfVvl;LP$c3NzwDmFygTz$ZuBE!A^U~(@GA(q=>R|{;taj2x`C<2|U$E&h%%yLY z>0{tUZRZ6Ro%zqer=wa5yAR!Wx!azI_b!*`CvA=aJOi#9aH@IGQBzN7r&$tCSYON!xpJ1k) z{~q$gZ|wWH=)~agpL@R%LR?!)waxmE{F_aW%@&BbFZ)z&9?z{dSNOc;daZh2 z7teT#pM)g5<;oxveOI51Xc@Ji&^A|oC+amodo`b7RR7pWPB047Ddu3 zNa%4O-V`(YE`6ecToAo5IbqV%WIN+H4*3jWJTx6UygZ+!Y?DH?0DPft@U&q`hu;&&{aaf4Am? 
zUEdI2fR6zFXo3d~0V-U7XgKp*vpJ$`+G|Z-FKHJyg*qr@h8MMsF-4;m=qM!OE;q=Q zeI&MN3Fzv9P489LMhoQQTFZL#&Y5L2+kW7XJxKE|YP{M2c}b-isoBh>y> z)`g+N6X3Hw!FRaYJ@#4v+j7aUDN*0G_2?zFfvbkP$dp51xMo)g)r>0ny;yfZImAn5 zZ~3M2xO!tu*$Capa~m_ziE!$KI=7OsN>{4rbXqSe&#P*W=SJgPX6ZRA@k-)B1pcG1 zYbLT}jv~R;l)xU+5(VyYJ^c&4l>cW$(k!J6H)+uY9V_95U zvo`k!y>-tcjb|gTj+@=vqw5pfgLg-bkk*3SusFm0E%DO!Y;+xLRw-?}ErKLMZiRy7 z++}Zc9z#xB_Z@J~tAlVhjiV)}`Oi`@)E=^awq6;N-BMG7ObK=F-?!Wl!FoDsHw??2 zC**63Ju-nZ2;-lT@4nS5{@DUNSoxagTp9v}7pnWN|3QT0z614-GQ6M`*2z{Sltm`O zzSs1HXH1Rw)4cjV{isr}j&AG|uwQhz4Ga3lcd3+s@}u4 zob~H55GY~UemXv;;=W#CXx6)8wesC^o;+O=^o_XVf_}uu!+b-C+@_DTx)NhIt*>2* z;v(VXt*0WBPSNq2j6Oo!*f_PE^a`65vy;5^@~7vkn91_;zfDv33X)MR+hFqYBvD;; zC(8RiYeV2|!*td^gtYYMZ1HYzs((>fEcOHBq3)wN54{!hJY`n@VLyrFleM^XbTI4G zd#5Fz_fA7y0{a&_Uz~99-=gQ@-^M@s?HpZLIs+h)5T*aE!cy+6mYBF!W%fI=tYj>m z(+^;5`aS}l2@EiE*{PbqpJONfL2wGv`W-TVJIG$XM|RSF06A&Dyi=(73vb1bvKvpk zC2yCC8noHgpZC(-&b@}++Rie-$TT?oLTfia>5wPa2mI+jfa)jb5a2US?th77|HmCP zG^+TLl9QfZYhOFfmLIX6c0Yr>^J_R43c+U#wh!Z7hxQI#^&kdWA58rYz8xR75I5E4 zc<{F>Y7j7?2`+})z9<|!elJm04;5TJlvuCJPy(IQAfHCO-{Lq$U5)HGmF%W)WctB= z`fy3daVe`LELbd=(?Z%24wGVuWt}D2+4&PyRN`ChpPlD!vX@a+Q?0R71Qv)-Y^+?-#hQEF;jr zen70g&8jX`d!DFX4E^#4&uG19y=ngZtoqQCGmNQarh)fRQcS^8NlNO(W|JPVAcq% zoJmJ0@4D8@&7vCcy4xgqw0`bN$83G6aDWHDET1p((GyOIZ8B)w0tck&q%TqQ_A_9K zqhN{Uxa7$wl0n`ou~*oSGY+bm)#C|UnC#ADTHDF6NAN8*$2D11T|U?qLweMOj~R+| zC|U5taySFJ;-(B^Tj&G(Fw(w%C`uZZq#vWQ+_kVY+`4U-xNXtY8fcumCL>+dTj8=d zLk%U8>fhg*N;N7)g-M(Hr0OzU4~wG+a%T225N&Je@%Wk8u$#@0F18jC?(>e2yq*(U zNIHD3Ehows1GbT@1dFWc-9pKMzH`cQ${?PGmi# zwRCQlVw3F-Z+#{hs&iz@Td4-g4J8xI&GDg}-s#xfq!6S&y2-1l6=>ao$3lSDrWZcg zBDMk1aORa4o{XVyNgaHdZ>=kYYQBNVsKw{$&g3dIjVGYWbDo@REopXS$J`4Z*G9F| z=Y$a;&JnF6l{F?pmtm4j$S1S}EOn=4F8!?t;M?GFCJ9%V1gl2X*b9Zt-(W@JG}uDD+D zYRG5)u)iNro>P_lgkG%>(PN_!feiZL=b%MwpDmV{P&_QK0kUQFA2;N44e-%E=Dq6v zP1W2q$Q75J5Ce9lRLO~NSKRXCdWpQ6F+kQ9dz?p$wW!7;uP7_9wl*H_gxaSLM^F8v zM++{vjU~Nn%{MsVkDFxy1Mc-G}y_fQZq8WX~=d7 zED>|%Nzx#sK|eegmXP@=^j4{=O-HAM4OSd~yHB4jh{{I8!Sp!21x|*j#F}0!haZd7 
zKxe&&S%5`+LSoq>fe@#9E(e_*NpHWssV%~=aJpDj`Fn``XD0b=olFf$VH@SOylSZt zlKtTTO1Mvl@1$My_cT*OhCZEt=iu!Pr+wtEF*4FSw8cVJz${GEbu4;jVE=HAgKN%eX5X{|`BVKJ|DW^MJ1 zClCJWnwkUGbAOi6bt2K-17mq7OtnVUg_g~^r1_{0ny3mhFWE}{%!D+3iI7XJ{0GRl zpNp%zI6EGDTb-G=|D?B1wcgXS8t<$fuB!P-8X0a1tw0Js?U66l-QXNO=;Z4@J5d*> z;(Tj(*;Ol)p{cD#FA<-Ycliv3K0a)?AflGW6LyP4upPm63l~|+5KCc+$c|B*Jjym# z>4Z2^<3M&26x-`d8^Hk?#!UBq zSQ@5!sL4A+QQt_^b-eNpRc!~9hQ=(fYyxzJgA1*PlOs){I(~tfkm(nhnXfjQb>@uC zNBlGO_(goZXtw*BHDw0r6`zZ>89w$ItPbXD`fILe%Li8z(fL34`ga`=2y2eNu`liu z+d24b591+36{ddIy2aXD?76@FSdzM@X|ZLG2AP|XY3oSDSqPm!Ca0fTM5#y`sb6IM zPvV1+F26@Xkd4isHsP7hGiTy3s^xZG|J?^$P zqt5$#Nywk=P9f`-gX=ciZbMfB4T6Nl*wKkr{dm=^r-Ybi-w;IVIXfpYna;zR6BGBa zwuJLuQhGO#{IZN@<(g2LAmk;~1~V5E%qqa5_E**MiAQS|ezjCI~R*i#R5bhEiJ z1v(XKZEAa~21aGsU9frTgOED!Utdq{)w&OX#s$89RpPkXQurBac z*b3w2MF8W4{+YA2pX0*Xx>GT51bw}_wHIMKc1t3YK(sSynV!XIWw&^2=j953s`$XF9>5gLGuBfJpr60 zNPIzq?g?{jQ83HySmtlE=jp;ZaSD6!UowN&BbuGCKV-h4q#W~&o13^nsv%yb(npVLWr!^A7!fj|g=R6dTju@PD9Y1Y4^;L$F(MO?TshaRzP zA5gtIawBv*01b|twsaks5JX1AWt!tNI}QbAm-jiQtJGk0qFTg#N<|}F4J~o*PKSDo zA&F3nV7ADF9-X@0yrV;O=Q0JXvmqPfne~A^)?&qXnqUz$bdwug_{zNg^zPug}U`s9CT6zBaJ3q<38=3TeC-n%btk|@@gmg?PZL+sTpAl;_~?47+QtJRSit_mH8UR=Y0P>TJP7aIyRm~kDf=A=%@huV zU)fYMI$xhPj))i)(?*1Cdh~_g{ACD8e?VnOsG|EX{L<{ihzM(c?-mfk|4aH{r9n>C z@DcFLRD4jOXi<0y_F#^)?0?tx)F0FvPUD&~@&Azv{kLT4|GvWnpzx0mTLKZM9|a&x zCLOFBw-gxKp(%@@6HR7U@T)2gZe#L4rh=)OdwO~RULYpMzFz#bcI1a`;@KCmrI{~V z%DWkho5Bg@LzdMYTJn)sITF}u%`4$6dQ`i>RG!bQu9Dc{1q1}JB#`QL$e@>JHv`lJ zaA0;lz84oc;$W7Cp-2y3gbx2FHj}F)A}VULD+FV%-i{g{AAf9Y%sZ9OX#;4%B_ZLe zq?LwoW6~%J&E)-XP?I%f9;kj-So`QC)?82Q=+<0bO6*vt%YaqGP~AZ^?%3`y-C0`a z^$y0Z8IQ8$1AqV`0hVFv0-Q0n5=q9nOtaoMG7`m^pID6^+kCkJ>uarLK)0Sx@20S% zBy6c>y`GXoEYt})Y-pu%L2*?U`{}!Q6xX$L=e2WtNXp#u2ett)#P8fZ|5o1Z^VSXk z?>@b3!PrXK%f#)DmUPnJeW;@3Rk`FhMoS?d-5QF<7WQP!5b^oN4M_6-gBck3xE_vlr;V`Ia}|C~C(SX@nUkTb4bmS){hlFPiyQ}LM) z>&jW4|Lr2Bg_|447%N;<{u^kT4}R3$R>4U>BeG_+^xn21QtHEg{hd_!Z z}%V`O|F)tuaiskWTS0aEwk9^nh6gJH5AB_9}fbn 
zR}gN&7@bpE;ukMPL1=u%Ji4*{TLp+~~8&hzL@0a`GcbJUl#H0)ojE6A7M~ zZKZ4#hGd0b@o2V+(e@;rmNj2~m#swp_>B|oF?2oC7VEbrCUetVhE!CIY4pe7@kjC> z-$9|Q<$M@gle2Hu`|WM^5Oxgm3XxY=w)PIY8N70u+7R|mAM?0zX>u6Zq#X=ep}Um_ zc45J}C?z{PJCQ?~J^lVtoz}?Tiur-dr5Tw7%{v-uIM9@zq6xAaCf?}ysv#VH!xM7ym8FZQX0$85Tm5`fB6+7T zcIs&6kUMy*N-I|>r-}nsM%ud!YU}IqI5;@qe^35EUx6iYN824uM{QgVK*Tv~gGAk< zsQ@7_^AuR3CNbdO^w1beESu-LV8p8YWp@a*F$D;RT}0ECBcZ?DfmO}gLW|L28JC@s zDkFurvb1FUoGwV@*f^OlN6y8is*?#&LK`tJ$mCDHRyDR!+~IVe)_3S})dhh`Q-FY? zZVdV4iu}=ecQ_d~VGufbIIkgM*vM~iyQ9hF(mp;Z@*)qL8=qiZ?lh~Jg|?mRYc7)p ztz7x>alr|Os?odr(|28O3~qn=?J3egdLIm{Cv9T@1Ix;{E8vkKLp-6Gr%rD64c{npJW7Bv!U{AB37f{xQNV&>J4SP)RwTgNe+yEru zfYIFDoeNW)s-kmRTZQIH z@BWd<$U3`ugJz`y`TtSUOtJv)4Ib^k*X;fWVJMvbKg|qaZy*q0Cz78(qwEYP2LX$P zuTBKMUYn0e;)S$Or-y7!-7VvuKr_oefE+QrxEHv}~vp2fkP_ zT|CxYU0~APZjRakw<52i5;*_In4EzD+0@iDQNWFJU|@jRc!Ut_d^a~YX>)=2!O>}s z;y%5Y9nlBOm_V%4tVVth@^{ns#V014q+rW7V4+wSa5%tZWn+W}8Lb)|}CZ$zQoZL|LuhzU{L61zDkbX z^9ejV7~&!%GLFv=*UWNed!i0$iSE+7Lp51BwR2q4nT-e~5h`~ox!FxJDG)5d*pk^7 zf@zjY)$#r#@Qz;0dFKYVOnu5Ic> z3G()O>h(fWf1NJ#!~$8bcR=$4{sf=$b#^&EtX3$es!K`<s#LoK%fes5X7 zjXh`1S*OW3l*~06O#21|;DsMCZ&p7P6E&AiRF{}sjamVi2Okjcw6xp)hO0n+OL~v- zFPPOg(mR(mcG8f*xyC6Br8@W=4wQ;D>)%>6Ut`}KF9!WF9_={12A&&0Xq>CHB3W@g zWB@v_`tmdx#Rj^ZS-9Tw0t*7ScneX9zCuecUQ%8PwHN>S=NXQ7=}F2M@8sb4)W(Mp z?&(afWJP@NCZ~Eosc)BlHF8@1+w#os=&J(`l}Gg%;EY(0|K*Hg%dn}wRG3auy=FfG zU-%;I3{JVvd#Ja>(KiPJB<-%Jxfl)_P zl>TU%Kq8wl3fR54-IxPNjuh}Yz=BEu@NQ@5m!E*!%{O;<&0I{b;#{M|;fXTWx#z>< z0j@hfQGHJ3%~kk<4&Z__XLlVx29(&u?yX7?GBGMXLU?c@c=kc-o)+jNjxt_&7NO!^6YN7Yz*zzL}fTXH`z(Fo^%uhq9c% zg1o;1N)m!H-lMnMksMtg9Et(3H!e@H??&LQ!qeYH(gX*e>%-XymoI+JMAJOWFTYV+ zOi}h}PT%H>B4u@t)BG}C42@pV)79cC)Q}O`g=j3H0TLkotOEbxTg+Z)DZ<6ajb^t7%u<; ze}U?i8fyWx>T6|kIl_JhQ)ohR>nPrF)oPUO{f!eqpbl+@|9i!_03NNcujlr7u%9~y zP)o$p(o*n14Uj&O!6DUZU~VSVB1TP;CrF(5Ru)vxLg3c{XW^tQHhrfAEfFC=jLNUI z-4;w9>I{7vludd# z381z9f}r}@$WU|GAByx8J&sp35H#4e=Hl7a5YXHEpd&EKMS+RqAtw+oi6~dWgp#l$ z9U?6~324p)L3>;Aij$0GHDZD9f-C*y<;5Uq&G&e!##CmR112*(F;y2px0U{B%!w#oosk=y-2%Q6Gr)Po5c!7x 
zE2lZ9#C0cpQ__GK)1u*QKgH$xFeZw+J}ybJT@(jJMBM6e8nnU z(P<1FxA+GudZ_rA+CyN+5#sQ0wVycX{B+)n9NZNI&$JKbRmv<4PlyQe+G$Qv~r~Lkcpt?_rUraYYMlF znI}SRq7YH$c8=*JQdHT@lg{dvJ4x+sJB9AJx|_SgB4kZ?=2^1nv~;*H7m1(_8+cyg zX#HzV5kJzbet&o-@!tT4Q8qcA78puaQ(o@aD?Xc6MhWMRCQ`PS(C+5!m2vK`V4$g& zGU&+Ep8X@E-BC*X5rK8X7m~W7)k&KT{Tf{?<{WMDsRG{9we1fqY59IcV1Zc#hsTr_1rR_he#p9PRIZscNQ^LdedoabFn|)huJ#n zjK?IDJmj7A!>kty&-vZ~m0wn7D-8Aa+pLVt8Xx~?mg^wYGahMH4iLK^u$104vRIR= zuC(Xkn$vhY_qXzn);0lb=l+uqEq#FVdm}k>@47D_15AJX`r_M;jHTqsNOGuMo zFZ%;the=X-(~Wgv18Zmn;p6%soBR0)J!zhWd7OPd_EyVoMxgd9p1 zq1!^4YyqFa+Y6a{;p_?WvW@zMPK0B`gCgUEwcHqoySxecOg*88gWn|{C`Old&L{O5 ztf;dcPfJBDo7j$C0s9!V7Sl^i(~%(vuQb(jN5zCGSJc;H>_0iUxTvcHfj#xc=Ed?` zl6N9xUV_tof)fY3|B&JEk786$mC}O-UzqtS|F#BT+u^^XlUPzI<}z7jB>fuKvu{cx z>5?E#R@7+Oe|w(T$u|-9tQNU}1Vza*n$`aYm1*77++`9{E@lR8OLt1Jf@E+NbKwu_ z9F+m#C})VpQc!{;ydo7!Z3d%pdh4<5XkZZ?q&g3EKzpZdO1CYhF@G2(6VDpH@EDC| zc}xLcqge1EWlHgPcnTl6DN^Hfra%&XA;LFBgvkVZph1=*Pdl_)>?VRM?53;w4Rgq= za}?2Mi_(rWZRJ`-j05I{j1{&QtJ>d$gTWvpTSu%>7C0; zSA4!xCUtZ;7dax&9A&*bWE#lbmq#3^7w=d_e} z>V7v=0{60?H`s5Uyv!0Y`~%|g`E7e&(OiuTq1IJ|@9Aq^qKQ$4b3LR0gE1xfw(f${ zopOJy5Bk-K(0l&j54j{*jru(0t7BtnO)gM5sO zDxe*lJIn*`lZ}6pN1jQieSZ*3O)L*68pOd#!v^qE4XFg^jpN13< zXRSTRZcn9Xh4AgU04<)08p-n3ks33ZO#Q5du7vXk!8K@I4U`+%tKK32Ur$9ZicvKG zubJH*0l2K>c|dY0H=WD_=j+4_5&>}{yS$wF;Q8_K@%(Nx>hOi={@-$p^}kBw0qX)& zAZb(6eiUyo6#OFR<>gf=diF0$6d2}!QudSke_W?@&hxiq%7DAY`7hG^g0I8>mwLy( z`)`0yXd^(AgX0N8{wcnq6a(thgAH)L{iE-|%PT5EzWcEi`Wia8`5#>-{&N=!s`?OV z$2b2f+WHpq>HmGd@xK>v{hN|iRT;qk&2#+D|6f!lQGu7c&3+W&K(G(_XNrMtv6a9$ zlz1^(0NlUZ_?wjZ@9Exu%Lo4l9T@WbXDt{4=KoQI==&pG|KKT{eip-I0eD+(d4pfP zhKvG!6SF@Ux}A}S1)JCg^R7F5mHFvp{T?U)arQ5>jNSX}dVD=)wV^y;B^yR%Km=E*e8*&kuAAu-Rl8gfOlX0U)UmHxsgQzprn zP&AK!?r@mK6k0=Oh&e%H9i@eTuO>^0Rhf+WEun_dw^V|ei42b=mDqTV_NV0FEUHKT zFG)QaFY3LcKDUrw#qPy)oMWRQA@lSizu9VJGJQJ3xnEFEREo>|5MuGa_ zq3|a)RTpK6x4xKem&*2^$aG*IV2Ic&;u{%c7gVdRPoxn@qCn94wVuamM>0mi$`&9e z9efbO^eePf7a_D&4h1lC)85;aE8F5CGw~2}%Oqe5`IUC1B#pn0?~&M4|D)dwm4$*U 
zZsJz%^6Z4XOte~lqcl5?q?2dO`MVSUR=6+TG)6-o_eZ$!JOdxxEdofLTbOo|vtwxnu z$0tH^GHL#Ewg#|+W(9Qf?1iX*q_6*?_)`cc2`A|rE4&V3@_J~s)K|j{dQ~>;BW{7D`JbRb1 zK{w3G?V%96HQ zio8$B0pA-L%3CI2>XLA1HEAOZz6zWlgebeht7<#lHHbX&*z?`9+?*CU@*DI%rVOzB zAmZq^LA5NCUan;P!fPqLo14}WvDP$cmOpb2f60cqciA=?*mB8RAcQsQXMK$E*gnfu zS!f>DF$GbQZuR{9F08$^IdZf>&458z-IEVRY617*lGsbHk{}9lHr^Q!ZGYvN4Vu{D|7* zM}WdXi}JQW>3zcy(Ke$1ik=DVI(PN)7WH-3I>cebKjZ25srr@k4E2W$8K)A zsfs&JGFpP&7t7BVYBD)*e~1*Dd652IoQIk!y-4`2olun?R}({`Zm90mHu2Q9q&! z7d;+VjBj3y>)qKZDwxCxN5?QI??ak`cq`NAfFgP?i{>;~I3J9#+`f}-{xP0{Qx|H; zz}M7<4~7td0p02gD}&1CDu48xh<5lNX*H+Vp7UShGez*fO6iD|ThuxKvHP*wq9!Qv zdmbmc!EZ4`BY{FtfW@>MZSq{jv@E{7SJpx(4#*{xUVbi0U5}K@5fb%o(SJJyGky6k z$Ak9SSUnKob=!*o1qpiL5Jyy~Z-nQ4zp;|aFpExfS<$d7{G=wCz$_A4%25ybK8Lmc zt;-QNNupG92^t8YV))g|&jl9RQpIjnl*=c8#XpTf#XDvd~0FQdH8 zx1efQfhq0lrWa_hcOBz-XP%s6C;Q2Ex+MxLpB24G{4nTOzK(Nwg2{^iSXb+ zc-Q+2PfLzaPKtAt0HMHn==wCF-=Fs+qPv>94|BY@S z1QISwQzMXZ7vyI7X?7fM(Nn13(C!MCGe0L(=OFDZ1zM!m4`iQTEO-%E5X76JO@H!Q+p|IB+Wm0PVF zPG~H~FgH;lkvwOqTGay4iseEZnA>cX$EgSH?2>3fc8fc?Wkb4a50l26T|Wtu_Xs7_ z<#Kg5AuRU?u_P#n^korb2DIX_&lwJ$lTgN{7(4qPM+TMK-XgwR=|0j)SPo$|E_Raq zIz~05&++S%S^#VRcK-(mOV(fCctH^|2`zK-$t9kbk%o{-@?qvN@OjE8TeOk>hM7Bw zXU=5v!?fonZn&-+)zFsK1Ep9oC?zd@lBN1_V=()v3^fv^iYLzq>OWnjGX! z%bG0J+Z2eossZ~J%`(Z4v{TL`p5{CdaAc+3^^ty5dSvzn%%6eqFyNRzK~2ASb0H zQb#T8&?~!rLOH!0Jv~cPeOghiX>B4uZ2nP#p~v0Y`Pd}HX_LyXvd_EEdDtxJ&q>>p zhgEwE412kL0Jk7yo)Ybe6rx;$9PQ!z_=O+49T=K~JKpTkaM{F|tGS7DO{VB35?n=(6lzfq~_I+P{+^u5R z=56F{&-sIAG7+5VknXI(-EaGTlC#9wZ1tgck2;oU-hl5N5YT1=t!T8Db)rr~=!^t? 
zcWas6O3a3r6H9i%CkDurza*TlEw9P0c)+%5z6yLa54gKQS=)W(LAbj8)@YtOh4wOk z!Mt*>4Q0pwOzw}WKg{G6;02JX?}Ov>1K1(fW${)z_CYEphZu8XkuR-xtXw4B-m3TTBXW3)kx&1XOtDb(5<#FuP!NcI ze96d7PN)V8JCLc^3-Z(J6WoYfbK;xT+-Krchc2?L3*g5OTm_wyI)6+~%gRx+Jkorn zNxF4N3&UO^sPt8ox>zmiLu4_as%!vVlDy&^-cY+MAE78KUyZfMnn%AQ*S-)C!XCX zF4esJIa;Sys5Q(yaxC~>=1III(*5^aJFHIIT-^J4@4Ny0z>7eHc4Fm87~(A@Zf@`A0!hvXEugY3NSivMk0Y*~#Qu34{Q zbrgF^uj={mnaA7GSEDD$7Tzi%QJrU48pq%0&l$F!K*fr}#xLUJ#~dfmpoe82p}v;s z*H-`&19cAM=r-uk`@JxVsPSU=Df$gO0QkjTto^RTxVDRnu3!uP2$Vtuo95KCwvt2% zy*T$>obn1OFYk6~$XtLkAh{?6w43LJa_U$e zGUl>p)+5rtNd&o@^5uTQkW(p%_SuT8C^lY~mGTN%JF`NT;ym(uRt+By7=p^;b1E@f zN_LYnHT6<$B3lZd8&9vziKQt1<}0P3!aP6W1Aw)WQ`Qh(qOm89>gM%g(#7}|lcaNx zl~UQM9z=e`b2g=moawtzDbgAjAZY|O4)w0-)N>-~=zJAP(?nZ2Y)MpGUBtrlJ6neN zdH~8i?6>cK&Lm`|aU=ghzyUror7i9GYva*tr*Svv+>i;r(~PSN04jBP=KCHCPe3ah zHqO{Y`jK9>o-m@)AmMkMj$)x^-q_0y0N^JXO_N98#}%S^of%p;Z*vVs1?VNaZ!4=X zV#dR7FUCej4Admq^efwF#XtzL%N;t(G2)$`NAIMvPC4DX{^2%BK-efxq*Krtz zDz#AXtir{j9q^)Z#D!%hl%VTHRV9c>_QZquXh$}Mwz=zfur#~$S%_wOc=}qV+e;Aryr3lwR z9v95v@~3tey!`yp1l2v=Brg@ZVO_6zJDT>ztLQp;;>E02WOY=`;JhgA_wKHkiA8ui zs?Vju@g+@lB)cR@Lq@6JK*Ldx^oyvWE%tgyDE{ea65QPl50POLAG9zMTnLV zR^MsvGE+o?etlwQuXt zp+7o-i8%Q$KK+n!-@bSdEFwzkWWY;9lQn+_+$VZ=@y#>s{&` z+&kBLTq*&r^kz_iIWxkbxHO-+rkV^yv7%JlvMa+aBI>k@nkmHnGS^+m=?kzEwLu;7 zexRQlWA`5(W~@u%(l0Roh{;7KF((ATw4z^A#^ls@P1dQMXtpdea@M89_9$?RR1e0Z zI3LC;f_I+K3wlUIe@S=<`eTWP$Do0knlONBxsxwg>_?zinH>5}ejb1LmLs0%hkH%= zAs-TQgHj*N<+h5pZNwBJHQa&IgfZI$g~%$*&~Kqk=_PwR4a_r>c}NO!Hmt5 zo8z3i6#kr|u3Gmtc-h^#X{%9}8Soyln49@kMQ}+;3spnQlx`9GdK;?% zSJZ?-%n}kP^Ty{~Uk1U|yalb3;MTKD;76-_C2_CaR{e?oZ|f zg$vdH!`XXBHPviIC|_ks4jqZ#M%&)a67hC z$4R|Yr_Au#$`>EMTaV8sv#-ui7U^sVP+w!rk&0}bXV z+f37biMlt9>L7W6*w3;==LtQAlUr*ZMRalZl06>FTt^&Mlg@jIEwQ#b zg!b%-e3pM{O>r8&CiqssxR7yd?|DV;SkFyd$fTf`sMX%vYusUCy}c-jROe)Nyux$$ zuW^iW*fn+$x;UbBbUJ4PS>6>=sVwL&It;bb*i9BhT5NxZA~r$&ajHU2FG8Gp#qyv4xW1CjwgoMZB4&f 
z|2oc+iHJU$e_XKjI_?ScWYajS%=PDJ=aIntq^(V7SG3TiRuJ-;5!^#^4IBDa;4PF%>8JJ-N;Er80Os$|vatFyCqNO??@XT$4r*Rd+49;P3jANjj+h9~`aU0+yFQY;Uoe4jXV=UaxPgmaBGtd@HM0ds3_)IVsZ(O;QCzzYPIbkfzp;;`debL=P?=a0YLkLcxmj#NCZ=V9R~ zluC*XI6~;i$L;SYk2jQhGXv;d_=oY%5mz?HT<>1pa~>U2c@9Ux4v({5u^Za4goffX z;WEWPg9Gf(ykT#r>>ROQwh5NX)$gQ-Vk2X2jp*s13&3x{jCCag-QDf=pHKj~5x+Si z_la@tCu2`VXQ}Oj_q?MU{0esPo9rW&KhF_P|ExYD|Mv-Li>5`KS*hCc3Ij7Of-b$$_7 z<`@8v10bm9^&_pUSAJ<)_u`kW|?FRW&he#$98nP`THaniAiW+Pzz05qp^zFqBf` zaKb1=N$2ZU(ev#WqQRg*QrqH>9&ThZ==WlDM)+-t{esPBPary_y1E35N&Z&zAIiMC z6$B_uWfxVZHx?1RBlCTDg1lAE7nBO0t zin=^ccxZ4Corj)e3%rAWC)FNysPC`HU;_!ZN22np<;}P2P17@=Ci=xwD&CW>mO0+$ zG1rQOp2QW-GYt|`;ombl8WVPJQc2FZm|yGnXP${PmeII}a{WN-Qbztjj)HNfPt;6v z)GWU^w1~CX@7wIkVHfYFMZheTs;X}s(Mjrys#caK%!)r#gPk;#4Fa}hFwfO>yQQ$5 zaPV#03LF;V?#J=$X#^vN5nQMSP8Qa6%o~W!2rZZWrRHFPWS)LDR$)h~YypS5)Im3R z<3_rjOR`wbmK?qy-`aUf?zs=3dq4yg4G)u$8Wccp}jfV9dG8F`{_1Z##<`+ zt@Cygscx0lj{0ljyK8FXO4s)*$NDR|c>FM=%C|!DOzNO>m{;n14?U6`9;ftCEsfqX z$r-ozAKPCK#VMH=t80_;VQ!4J3EIMz&!ImCZF32Csq-Ob2?fnP#rkWUb0x`;%Exi> zPt`~Gsj$PhatZIGG;Hr->f&>$78)9V9=AS|WZet29b>}e&Y4o)z#XP}T0h0%-iCwP zTlh4=Mk=`j+cO70d0kZ$`eMu${5Z@WYfooov4DrPY-%K4KMV9^#MPwiIvFmk7kNZi z+M(E8vZTu?mi2nz9L$2?aTVVO<)*q^8`TO1**Jx<2ee?uKFIFr(zq*Uu4{>W?}8U_ z2b#=gXd;m21LZ+aIiF!cd|34bh+NwDjiJ5oa9`;-OKEK$%v+3k4qBhp*{rUW*$h3$ zyeq57FWt!H;l>JDQFH2)71hxnueJu6@*I2|ddI=!!|j-S9XY8bd6EEql(G=4uzMOW z`h_chD*13REy6)O6c;dCRqkxO6r4~7zG;;tF79p+yh5dZkFl2)xPFM1I3jml&CXzj z=s|J=j-4131}DQcy?T`u{sEWWb)QVEaHjsIzmv%8 zg!MEz1wrg|70;!Q4MV#R4h}ke^d?&W9@4&7%EP$r37^g?I}Tvx z;s8Aa9^md?^_K3zg9qO+IL(F)23N$Ak!$mD3Nevt&zz)n;LL6Rys4>4N>Y;U^aOB( zuGS37?FCos!tT_LhcHq+y{-r7an}>GvzdUOS1wd1%vZK0CUjK`XS4Lz^HkZ-mF?~9 zlmO@T2!TMDwlOg?TU#9|)~-BnJ{Mn*3z_EP->b3?wfiz&Be>^#iG;*uX3^6|wIWhV zRl|Gd?a90J&o++w9!|Zylq4kYm_t8*bdl%dTAK(e*LdM4q1Uv171#yxhb0@Z2PVmD z(R*ej^&oZaYv+5q;c@3&B1=~>s@9(eomxO=@GrC5v1`pM?o^w(^-Ro(=#{+^Av@Vw z*)vA|6Q)Et)$I1$BsbzAtBziwp%sphLKVAaddygU%dtfxANy>8hz~*urqFiEqGtSv z86#*xqwXtDSjo5PxI_~7y6rQF`P!7_d+(n@?s95|)^j&W>NS?lee<@&c7J`gYYy-B 
z>53{|s-3PO8_@2;?!AqQL0JE}Aq%+9=% zPTPYLLAZj+qy=bB-u4Ic-ht9L=F=a!`D?Ue^1tBGYXRmhMKp8iF5%n3WYUTT#+`?D zg$ajKT)!ITq&KZssP)@l`OOdH4tZ-#ct;RqRt5V{C5hM`^OWyQR058o>t{ut-teuo zZYg9P`l$J4SBmrVxF!={pp${*9ZPA>dUQ$%v$@`8Y4F2rf7Lf-h^79}8r^=l?q)#m zE1$&*^Q{uY-=(I&4gycenaxKvU-^j=pwJ?yd}a^Op)2Qmssn2fhsr2g29PCXDC z9}JmxKXz&TZq_Z2tt=zpiymmdnjy^DOKxuaCMGeB(Ijp)jHzbioFLWa+Uy6uH`$KK)bYn3 zktX||)C?hiXw|R-GP%8M7{Tr}nSP&H-X-BWBVf9GHPuGwYFVt^magoA9DXCbQ6nZp zp~QqN2K=b5?7HkIVpQv}Q9u&w=)<#D`P`NFP_ZRYA;9e3R|u}mlH1C+CQ_IF{IT%G zNkxiUIAWD}F#hnnvW${=IZI-W z`AtGi^IS5ekINCYxUNHX%)Nn{93OT5{J6xx>&1k?Usn8thR7&+hv=f<>_g9naw(0S zY;o1&z6u&ZUbl8^^f1kKR86sg&^MYCzr@m`n6$4Q5Mi>ilE*Ih8}E zu}7}`L1%qxtaH~$G>W_ngIOzQ?b8a%4jK;6XF2<9HMN!_JRH@`+j@cINZ}{zPEzEN z%ZaL3A0j?k6QO8RN++P!mQhJeoecV|-3zf$J!v(j+CWy-ny#kkYP)#0J2tSC!3!bxQYShQ$BTHLVRSjN}Leif= zxz_42U)LswgZ0M7-*Jt^dLU4C46B04#-r}Vd3p}pQz<=jsgI%p97~|(Hr-Q=dM*<8 zY|1fLJoQ8YS9iwcHXE@(_qEC*+A z)lfYt9jFOZObA@we6SuPj`0Zbu)MR2nq-MR3-R&M=iuNd`*NGa7G6^W(9HS2K?xyo zJI>lN>fU32CX0@*!|M-s-b<)aSEHtU9;g*0PEJk^18ps}2!xyuU21BoKj4HPU6*@XehAR&9D927h(@Hx$E` zo;0ThEGTIkypj!Rs7=6bYYj&AM$c&ljOXyX2Aro3>elia-ey`yG{hi&)cVlX^_$jO z=s5SfkUqpY>sI`*F$k)ZR-=AVXV^8@f_&2{`{GR_a&i-s?&;N#fG#XX){Of6i{MECfj(a_*=oC zjUy}a1Bl-3e2=2K8eN!*Bi9d0BYU#M$_E+Z%KrW0A8E@g=O(Ds?vJ}B64eB*F^)q& z#P>z`iv(@?p+(C)4_3WqkT@1bwHR7ca!^S7@x7_>VLYv?tNnTKk)N%Mz>6LR+=IQz zOvl_$xdNU6Pb4+2gCzYywH`B<1$hg}^VURzF@emAS*%5JEgG}Fdwg}fTjw?>hp5&w z@V;w609uqdaC#!!kT5+HHK&@}wAFIhK%8+)j55`4dH`KFt8eljJUwZ8M+v;7*1UUZF(jh zZJ8!~bR%?atHF6cfCSN1%WA_G`2ZyYnO%uab#7)gKR^g&rok z)`zn2Ko@!PwcQIN(e8FLV$YkiBg<6W)_=mYBlUy-PEdiL;^Zgn8fDwyd#Th+?N1kj zS+}?~$!5;q1!w#=PTW0~ zIC%bJ?=hmeWN_A+*hf6hSdej-c6mizCrsEX7kr5)HiPbJsyhcLg`9srT&>07K!@}5 zZQCwF|D$r`-{B&!TvI?NubaKz^3T@{Iny%_f>ofxLb#d(*zjg6OG^#0-tyz&zse3T zUQ=sEKy!omgCsL3n#-c*u6E`S7UULtF8C|EE?&wI2FcR**V~a|1O}@-(FTO^u zG|j832Pxd-e2b|H1wUo(ePEuDmS^eaGTIxbzuhx>pevXhUyIPRB!UJOI>uQmySDoc ziC!w-P7|NP&dYHRbmQtz*$3QRTYq~Bm+}wiwsaq)FV&>&)3U!}@+nBrO^`aX3BZ1_ 
zfPnsD28U)Xu-{jS0=4SG;})-6=BljMrJ5(khL4y2B4=)IDT;07o_^oYs~crSn0WZ@ zsoX=Bn9iGQb`!?p@YyJr2Tk2^RbSG3a*JIR4$=e0tG~y%U>e1|xZA#Rms6# zIZLxUgzL*E;Tj3qXX#wzb^Q*dZxf`TJSbdQeCzsqOSTAc?UCg5H67y*y>Zm8@>>}9 zqf#UBc5MjYn0AQ%_bt#c8nC-g}^o0-zb#-I>t_*`5Pajkdw3Y*#4 zoa$!~4cB8us}?q8$sp&Z#<$g!O{oI@TANB{_q-r`td+Ook*{g&l8$>1w_I0lx6ADb z!8B`GPaW?+dzsl$3(PY){jER^Y|9|N2ERI!I(eru*uEEkP8qSZZXSn9^cfi240BEd zhZf&^+qeJ4`7;vv2E}U+mDfsxe|iS&G-l)ZqStc?^e8>%kI{u;~`` z^aVJ6$Rv1rc`tzA7ikYO#k8PNlv38H|-tY-7UQCOa{EY>uVv4h*3sY|?Y zF}Z1WckQjdi!Ys+Ci*2vf7G@!WFdhoEH74?8rJMRt>p*jA`c^|GY35WdraWlm-yg; zg(&^;7V9a2%gaH*?CtL4I2Pkdzn8F(w)%S;o=tp@J%JkKUoSvzi(l*=`j_wJ*m#)eB3_Qu;{q@wEn$o!Czj~wY zhLpGKo!FXvUyg%UpcwGopRzimRlU~^mwuOcFO_WNa^1uMHl^wPdrMKrAAL+A|~mj5ZgyTGU82{Ob{&0BL~RECSaTR zvFeY#8Q0^i!Z)aDBDF$t7NjWgf;j0CJDAb78N)%hHPdy$G@{evl!)Nwh!VElOM@4<7KwXJN<~V} zTr8n0Ux#^HX`O+V+Hx1B#79ikmCa5;rX!Mj*w@`eMFrY*%uM7jzb^Z{ydAthtkfHM z5mM)_FzR=w4u{ z7^>N)<kgnmuIz3({!&h3yOywn*dU|~J^^!qN*f0V310a*jgB^aW8s;4VudAz z6aY%q89sZOzn>}&LtjRUjv;}oCt>Di)fLfIv};MEd}hQ4=#H(QKA@2-sdar#bUh9< z)`l|?4Bu(yMRWm3jndVO&G=kFcbn4@C^IXH^2_gx^5oM0(NhwaRc>e0qz1DqzI5#^ zN5+(DOdvG(xaU75VV{1!6njFw>+<^Z9+VkzY~1?|u<_*be}^pUfDylnUa#s`!5vze*?wuA}!vx#7QY zgsE{e&oh&M_FJcC9C-4re0;zj z9zulU{5UyFl`B6k2aYFPfUV(S%|)?aTU8DJf-v*$+7G`HnFqv9M|hc6JiRW-I7&-P z`yXtikE2jn{)OFLEsb2cZ2wd2X)E2~@q&6hr5Q_#E=8{ZJqFo)((GNWzo)=46s4lilI zpTBcSGbK-AIA9$51d%_-PS#K%fgw4qs*&BN>R zw_3g;L=XJF#hsptX%iRjyg4w1=xSn1Y4FpbOH9IOz2kj&+%=L_c*iHyxP_@B88%2# zZN@n^S3Z3&XDkh38j}NFZG;kHns;Mlx2nG#n!Mg>*;)7ySa}iXPn07wK--#eS6mempq4>}7 z-%4HuV&c&(3*8trFsLp8Le_2-re@5!Cb17Dd6xD>!{PU8_x5cGZEes#!=p0TP^PFe zQ`qdodyjx5kH6m>;s4Gp{{;d}lf$cyW2oa@ir!I6lK1UeTpdNs3RErh|6G4Xtu**E zFwf*;yJY_r$ne`A4%vHfo!JpH!-XaY>w@|peMGgAvV~><`G{a1!7?`Z5c#ge$GWcy zC&-lOC$EjkF!LFmrkB|Wew@w%Z>l=&wk07k2&3+w!>u>2tA>Sd2;(0sX(&wCIqH7& z;UQX!=?oB=E3Kwc!)k*~s*_%He&a_cOK3aCB`BEI<5dHnl=N)r^7LWW#xf7=hFPW zbQWHE)Rv~Uv~Bg(-AVk$?@w8U%@hS}y1v#ZriSql%7?56@T{?WGp^Zz#$3@K+I@)X1d#~?j_ z+Cl0dW;-}aX6=pOB7|tmY>S@PmQtV|3CYhFG-gJ=EA_2KA9a%zl`HF_mmy_53YID8 
z=8V&4>Ey|KVAF8u4*%A!yE@Tgt8*iB&r~TVa?sdc#N9axP~EhvuCI?g2t~qlD}2Uu z_4I;H9N`b~l{qU<7iAsly;~x_SCWATMxi2slTagilMo7s*K2dO%|nQl5=uHNyF|9g zN(F9iIqT7??^J&xQJba-UAe9$P75FJt_Kb zewD034=s*H#`aBacWo{N^bw~??vVRcbr)z9N;S6^vr?qA!$ti#T9^`ee*P*ef6UQh zO~PArzUHrpZkl5a9qpRzX?ogHP3E@nQ`E7fEAe_q5Qr*gWn10Kihm=LuIJ3ie5r=H(>qQ?5rg&weJ!)cg*p<&1ebSW^y4qJqz{`@L= z4_!lL&aP8~*TeJ8^*XIw11{>spFVy6)PfJ<){N&oAH^WETqq9fB}}~^=C}`smtv*N zoS}+M>Q6f*GyJ^ z1dVI^werFSmwpfX8P5@UwOqMQgei|Fv#YXGcKmV=v!Z0ZJC5N=d&hH+fr-`;IpwtP zHRQD@LNUtY%6nV{|3|67-((TochBHXTEva$v${^d6>oXMBn)|@rVlOC2E8)bRij^c zd~ZKpaNO82GuiOrnGH<&LVE>oPDrgM!!)Pg8lu*uv5sZs4SS|k3wDp!Wa>kM5s99g z-*X3}E@n8LwOEf9@oo6oFyumH|C8>@Jp0^9;#T6A(X9AotK84#jR!qxt3p=iMl&ZF z)d}Klt06Vgjb1X0r_*F-!I{`J;hs_GsO#cbCjI5uFM`#wYNS(dC0Wc;hvcH7@NhKy z-pd9T)9`$*@1%m-^vj&`VrNI5o;zaQ_CV2F7p82h$gq?%aHq1c@cdWF@4=2Encp#$ zSNpV!JFr;3+AWz}a!ha>h(44BxYd2Y0uF{2>bYPJX$$jWiR5^d*`+o>%RY1C&leAI zJDN==ONEl!l;ntFK8eA4bLdNXoD8es(Bw?oxqcp>mZeT@eW$SymxP=lxGavvCT#|=geF|3O$ zR3+?#IvOOkGhg;PClziU#l`d~8n)=Uepn@=%#))6a@v>{Pu;3?>hdueo2dJ~R@yDiVWF0tV@t)}W z^pkg7h0TG`d4M`ucQj4#f?x;DRal_wL*P`8FT{=AI`khbru%doAp1M_B&L`QDt=j2 zuFW*lpYrIv3%I-KnM-cPaAu;3WRd~@op^%2mI9Kzxs}^Grr*SXz&?epw^O8Q?S{q^ zhl7;8FHOe+gb38phe^@#zW&#V8LV8>VAZA7nk+8z|56Mf>sudGN6s850tSOpH(GFk zTX6!&*3rE@*RiCD_5IN59C?8|MS3Q3`c+3J`M=Gs2Olt~scma$q{#$tZ>I*N%*rOj z&f+`8G-E?@pE+yyFS+K*cXWt->17%0#lEVfxQt^qs{Ddd1Bvc<>g2wHIlXJDr)^%P z+c~{MLUPwd+0z#VUI{KfYz^$sI{N3z$OfHdAD-03xWZ18Lqb_w0uX|}TbBAtt@P}A z0QVbkG+n>7@3*CYa~Z}AbOWhFoz~k!UK@M{?#PMVs!uz1#Ps#nrm0G5>zMbZ<^FVI zJN{Weg{kR=3P8_Kx8t8nRt7;1!|`4M1wNGe(Ulh*sWvniLuV75JSw+raoqEu)R((|4XF&oU^LdoYMu zE31U#r`&3HW>_JIF9a?)N&&BZsXWFIS=c}1^>O&zS=dD06!Jcr5at~>K$@Q?aQ;oe zlf|iYrPq@Q7uM{;Eo{iA1Qt9nOgMPj$*#P%s^5v)$00{TtV!xDkJ7#kA)m{(N!Z$! 
zIX*Eo8>`C(%GhDKxHt2jKQYV7=#aU;G%^FF^HIdqItqp=0*O@&THs;qX&)xzgEW5<86AXe$E&)8T`BoM@5r44yy_%*z5fjMC79EISnM)t)txsbS`jhADoy&H z+EBeMpg~+RRfH|x4_~~s-ZE!jAd<$tJvM5qZH8D;Zea0?m?#{`XQ`6Jjj?bYj-}Gy z`GGiTPrW6(A%9}9#gtyG+D!N^Tkp)0`d%&B6JU44)kJS3v5d)4R#lvDc;W{Ry=I9f z^2XxH4Ari0f=Hz~oSQf)aTd{P2}vVJc-ig#r;T@b*(zZGA^LD8SHjIlg7m$O@gFrO z`H{E~Q3Tg2OaO!O`L#Y&8C-%1njL9sS6#u%-+AM3<8UpU#p!Uxv~t7KVVQFF*OPr5 z>N@fi>*@)N4!Bx~-!bqSUZ=12$F6Jv`U|Q@%kQr&HS?HGg!LXI66w&$`53|t*yA;*P^M(HfI8@4^oInhay1+643wh#Ip@l}sKXD`CWVGO1(UzWyCY2M2j&pJLxj z!nX-(V)_$3Ak8KJb4>Yw@8(ss%)AU8)80zgW$?+jh#{@F(J^k&cpmcH?;T7!p_K`bs?=+-%zVzO-ltXI=EGDFm4XLb!`Gjrz zA=@4+?aBKqHxXu2JnxkH61hY0s2_Q0uI~C^cG(>#>>DD*UoiQ9_9@M_G0s|>$(<+1 z&JwE<gsAPndI=nuGdt`k*Ad}v# z=+yd;+tJK#A!p`fJUNNw+~OKQz*5cr@~F!fcn`6IUj8XN{4e*m7^CA?X$KGmbzXPH zAE)}|Wf@8B^{>j(y2d{uJS<##U|cK_+3m=;#Xt@p z>|&iNBG8+Q*V?^2&0A-rH2wtC0FEqcKls|mJ{<#&jn^+Tm2x=zk~Jzv<3qfpD>P<) z2D#e-27te_-2aX7A6~Ilgq2;;K7SRn^2B(~7)m0gHpNGI{PbZL+#Ay9WDN&OlIGM# zNEzw|#EKbwl|?+~HXig#Z41Ro(H)wAnEkV&9f{PiFk+5!^6;G^LdM|dA>g{W*z-Qu zta|l(v^LiXl8hFYIRFiKaJ+>1o%m_VY?e(A$o;faUwBk~ArJ!(mRoi$Gq($oAe_(4 zm}X~Xl|SYuNt+xPh>eZS%QgLdNXvY?$#Kw2L5ekU z)mzT?&M?u$6ZhiZHvobi0?<-VQT>k3q~ZYp_?3RP#{zr}w*;%(p=PZ#Krn)E$wZqUJ`X*j?mgw_I2{0qK$r7ljM{}M?W%m46F zT-e(FL+#^o*qh;{de7Cc-;!?x(t1X@G?QWsDsGZ2CLwtybSN^XmOF3zYG(bc!|A|KHM#%V1F1n^{+U7G zyLi@?C7!{8NOy*R6ez$)q|`tdpLz1x=Z`vD8wtrYXCh#fnFX~y_JeezWHs_qgHbaD$J|WyFP(}3k|=ULk`HcR?ntkXG{HF_{rW(6y>B%H^6xqz`Ff}{zH zL-Kd^@=B~w$xVJVAtxoCpe}DIUE_*~LvkD&z%H)+`PY>X3Q*SL$Y zdZ54oS{{?Y-;0?q;$BVL=-2}A=K>w72~-aMwd-?NLf$OH z>KGpvDO+CvS5X&!bIg&|z(uUfzdD@734QIZ5z{=%on9>QGRH}IiVHL3hI#{%e@Zbq zq@GaanmFd9ojhDi0|+DTWK>v`PAkAvzTyR_@#x@e72_fZ>0YU?xSZel$Mm$+AK8vh zH(3(}k&z1`y0kMTWBROHah?~z(IvO6qMF_F{3_DaQPvgXd#nAKTV#9foX#h{)zO&d zdw2byGkVgm@Sw*RYM_+8lt%{XTC({4Gi+{t=4{(Au!slw`sVO1wjSbO8ozLVJtsd5 zXG#!_oMp;IkR2JJZ4;|7g+fSQhG(wUEx*X(e@Yh83k9zh_LtUXqNB-DJ)2l;}fk|faoSIX6 z<^!jxLBJ)ABVEe?+|#}5b&Vd`hRY3CNZ!A`K#9i3hv!0P#C7v?DMDRK3yv_h4u0Uf 
zO&}Mqj6@p_&q+}?Bu9jTrz3Y=@?B@c2aSXPLp2q~(Bk|f#_9@F-Ml=h6t#XrSzvq2 zN{aEav;go)7SGs@6v2^zx>aaw)8(^0+f6xR|F_ErX3EjM5^=7>LD5{D@VdI0sHmvV zJ@xhVH%?vRdTcO2dPx1uvAuHPf7AJlUIya2dky_2i}9G2YH}>kVX1AJU5lj;{AZs+ zT~DX^Wo&;oev%Aq297?oy!7qoU?7~C{GOT2i^RcIJ{b4fw7=!TzhX%ao936l0g<=9 z(qhTo%;UG`Dd}f7#7^oWkE;O{B8IJ_-v_z&hM!jG*j}2$a_4TR06}QsvGnIPhK_s5=XSEtL1 z!MLy9F&o8Sq{4Hq>|n=qSkh>Irx&s)HC>CN+oQ{bV8U*j9HaB;|HzHtvKM7CHxv>} z5Nbx@JHf+IZ?E<5%2xeu)1e@}VAz0Rd5G@lzh<}G`C9+VJmHJ+U7LEtqc-m4SDFdD zjtTERG{(E( zv~}+^zGX#tI^^uhm!Ia#S-Dq*!PLZtn300mPx{EK*h%Lg+Q;rp%Z8tNnz!{94?kJ_ zDy#*h=Jy3}qQX1)2?@_OK5{aTv~hR6(!2+Z!TR4Z$az04H4}zqT0BqlL(kSq3^(6C zddbXVfeG7%IVA)OB~dm`B$!Wsl>Oy#f)mnUNt=@Q_>l9(0P7N_J}FH?LI*qz`MFN! zSE-DFng-(2jy`aj4Q1(<&vkhS4qMqu7Fre^kfmY?0g%mG_d*vHEYGv_ZV_ zT5ojyK0dok=a)v(dWx4l%FBdN;END!#%&KM(75f_ zyW&M!I92>=m)>b68u1A;AKyH?gP)hT--Os_ykRy(mRyf2K{ea(KY;>*!y~Yn;u{M= zdZO6e@mv&NbuNvFyBT#T@@clJXKgy<)aEFKe3n#w0$z*_P9>uW;{m$X13X;4**^@Q| z5IPLJIG#4%*F|z_;xp>{eoVCYa5~m#X>mD0B2mp17_& zND*S1PjsjrxT!!UTlw(~_Kyt6)-iR?~IS;`cG-R#0=-7%lGtHI~Ep2bbp&Ug*?&tVn}1GyZ+4SbWBEbc{Zdg zFsOvcye?Y}7;^0fa~y(#f;NTt1qATG4)zdK$n1Hhd#?QE{dAzEK-gmEF0XxI)Qrqa zioe2Qn+nEud>Hb8`Z}5%;MKVHznb#+&A%ReacYVl?Vff=p0Aivuh|#PUrb~y3g@P|pbx8>260}wRtoptH~^*Lv(k$)^xqQmFI*C^eHfb=bDv^gnGCUqyU3zCP)#W=9qKWN;fis-#dV$QThU8$>>q&+tTd(yT8Zhbt|Ap*`@D@s~f}pYue)`x$EO_V`m=<%&nk#Kt@G z4w&IbA%%4YeNq{AU~qqBt!hj+djYP0({1dc05feE_$zv0+*s5QX)HB&y)(P6Gg`sY zqxZjUARlbZ^ADn|$}&J@(}$L;fZZeF&4l~Hyau;&vnEmqw)HjN_B$K62whfhsJY%J zoe@-IX6Ben!TmR@u2A%Rm%IqRb<#c3GJ7Z4q zXSvSp+OV-(lhU&@c>TP=z8^q}f*=Zus8F_hfp@6?h>5J> zHIN!)XsN-?!`vv*7-l&UQ)NHT-JHp{hM;U|_<+9+=)SnlIE(;bZ*CqxY)doN&U zL-k-+YHf=_k!5s(#Mzex{sn`ggJiZPUAY!5rK0$HphVURSbx^C8z$6apFce^IS11L znizI#x(@I~LiJ3L`&r^Rbjv@@3ue`if<4J*8t*8LR8o+gy2TNB4zku`iwek;60GDk zZU^7tATGztbzcRh)Kdeo+I$mPhWcNH7u8csf={|MTCah{!!STaGc)-sLvcb!mAR&q zZ?o_*zXOG3yg=7#btqDeK4jEAF;Xf85)>4`a?uRXlG%2780cTv^d-Eo%`Z1Avr8Lz 
z>WU7BxoY>nP;TkUiR5;y9M91^d6pEIPnw^;fQ%V*R3lBL;K-Sv1Qu_#(#8%iSrTWxC+DEBIV(!T_7^Kr~yk%irwz-oQ292;Qjwt&;X>Y2*eqZ_c|A?B>y8${YNkTpYZm= zx%U6_W7cJkhSh=Rx74uE(2O`h#^mPIJn{y=#k|n=F+&^9BRt`yK1^k%$-1xwbK}p% zA)mul6XxARWZ%y5Kvf4W^KUa_=i>Q5+1j0fjO2?ED{BEVBM*w{q^ZaHfi_E5Z)t0 zV~8x13bSeHfH}&=Tt7Vx#he`A&98w+%6=JS z(Jm^=IP~!53rW?iAY%nOFFGAc|7NZ|MOezvzADwb{V4Tn3nhC%v+Gz&mhGd!o(^7Q z+JxAKRzZkYFY(+~)Xn67DZN2eY_V2w!lW+7D}H!sbY}-yd91i(X_*ck(Lq8CZ%krF zgDoo2V=Jmdr#o^MI7i*GW&f#PLF9tr9YFL;MrSd0XZ!c>q+;Goz=Lb{-Q8Y_mg5!% zY(f~72?OTPa}$@aTE8LQrNJqhUuS7&<&$Gyt51W3sXY@0y$sIP#^pDf<4twprsJ#a zt+n@}fIH3RaCBSfs8{4dvQ-1G0MyWNNR`h&keb#cfm zp3CWwD%@5wtilmqvFo<>O6ey5D{sL5M+S7VTh--9ipN+z4YC?p!bMkI@)m9svBBvLY=GlAS{G%to zyYUgxicq6BU0wnf%R&eIn>_9;X4O&4-)HnWlXj$0(L$P^f8FbHD0TZ$be8?b!AKS; zGQZx>Y7a0;TAVH^?m0?*`CoZpM{bFHq%yLZzIaw30f5_Qps38!l41tCE-MM~wPUJ1 zARFw2ElY&$Nu46eGa8^b*EwQbC#qBs9Xu~S8d$C;U9`E~iY{OP48#6A5|#rtKhDCu zW6&t`x*utwf)jRYq6h5fKW`zHr%O^@?I&JdWB@AA-7&Z(IC^D4^Z26wZHj_PkSwP+ zOd>icRb=x<(NRK{XT;#)SGnC@C>N$Fp0!(U9nx%`GKKY6TxqWOvUT5_ml7KSq@^K^ zMS_JO9_W9T^}F8RY5mYdPvXiigoD7AkHx?su#y% zPv_`?6bfS)TSN6;{c>>Qkq)cFRs28gooiH6R~E-pYo+Q?YDYyy9u8OpMDRsG9{YtXXS5%*UIRQ~ZT019zy>kWk9$9;6dG(BKxLKULHk(M_ z?&HU4z2=etYP>m7+kKt4FDw?5)!1~S4V}M>yZ3m-{lrNPIPC?t6x(voWaR-Q_59Aw zN%O9jZ9UnoV*ub!ar?%jZf4umskYa}8Q&Y<7G#_RWpRx;JsrO=k*F8{*c|M0&>v7UzjOgVg*MD(m)*numA*vl^rU-Q4t*OP z;&%4MsV#4PQX0=ceFF2s&;rW}8T{AHY7S|-hzp7ekjlG$W2lrT!uhH;aoSrgpOvT=Zip(8Weh2r^Z4pUTLmJn&%=jYr=q+LR*}CZ=@LXw;}Fq z2J`*SMJYQ4vA4`k64#fG<`&&hbS~x}IHN7Y2yUycI z2!|7DMe+nS+W;)N1YiVlPdy8k^{xlAScr?xN_)E(lFsJKNOtd_KbNeT{8D0F|LBQX!_U(1 z!~BG;eHjrYVe|*t+o>knBnq)`(#vmx(GnU)9#5{c+ZU}UHh!4sE7S>@9-kSE*teSm z#@VPIrhCQs*50#c$nhB0J8Ur!0OuU(B%1*1D_ne5 z`}LGU^2q_Cjd8d9B1rBfQy=PPvZEy)Roi{~v&&`v-KXD(nG4lgX+6uZU@VHjBh-2Tj}T@iBdZUf9#3l@`>R8A%v{xv0qGj$5B(HrQm6KZz&;cHSuCIm?$-xlPL%OS zh~pd8`(W(tuBmegx%JT$XM02AwkAJ3JQ!2^dM4zrYPtf6xzI-KZ~`Md+% z?$mG$*Lvlzfat#wA2qDP@t5|aEe+gS#a_$%jvHltx->}g&3!JpAo7nm0s0N991ctJ2O_!B3a4kxHqR5i{rEF 
z(2o=Ok5FBiJeiIsF7m+=sXCij?zoR1)RKZjSK#H*IyRVqPu0uXYgAFafWid?DVa3y zWGj}cg(GjG5Y}z}Ucpp-M;5GBF_k~`i1bw4k_zEfUCPgtK~@0yw1o+zB9?JDsBU>j z`i_9A4<$9PaKs2uc`KoxjPMJwq|pz56UC&~|9;IBky!SB$S#N z@wP5Rr)+fkAS5L5vgl~NKUS=R+E%^C9Fs3deJmE?duyLtEHjcl793v)Qdwtb83rj*;?kc5{Y z=8Nu@H)mG;1g6uz`iCGLXx@duiWXkN34(1SU#=DmIJ);uirZO&UJe6g#0%tfw1gQ| zLUis`tA{b-=cEP~hAF1vuD{f@n=fq5PI==FDKd9!W^aVZ!UqJw&G=1xyh@ZNn6;NT z>9V>gWSsTh_AO;E2VDx+G{;K>oS;+n0s?ab;UbGsUQhvl4x61fe&+dQ`wCen+{FpP z--}NzBz3yoL8-Q4=P$Er9lAT@*6-o$PxxM{7?xBo33Nr%?s%Eglcc9497Y0pS9yAj zl3}bmMsF}z4x?rYN^jVlv~{-G*&vG#Q!QQPNCoyM8RG`Qr}eb6hR5)mho_+?x8$>Y zc*1=W8PD7>ycT-dw3@Mq8+7Smbx)+nicdRej}N3T>)o_osvZ&FGlAs!k7}LSt4?=a z@JuM8&2*%baU*zf0~CROO>n|Fp4cOvb(cu3me#&-DsqjSZ>wg?+9-E8Fz@i)6)pa! z&tAFBv&&_!IdlDZT0Qww^%BVGV=X${oBnw0GXffwT!>eAm=jXJE#&DX6@Ar5*}*NW zZG`mSF7pLbD+#vSAm}K3L=xH@Xl6LAEB6pNT)Y$iIC7x~Z!VlY=V@=+SYPs6AJXR?WUMAtA^V3E}A8`G$cq{c)jLZ${Y^IPQLw-NwZ_8!8Z2v{LtjSTAf zO7I-@8!w^t%2TE4bBs`SmDlu?AhWbCRh`FqKB;a};wwOtl4g`c$Uo-D=sy=-fw?fm zlC;4PzRY|*`0wCwc$Nk0s6_A*Dno?+v>vt({|0gy>#DF3((D zKG-{f@{0Rj0A0i`K$n8Kvze2XgNv2D9f;!g16H7)@TOnh-oew!%JPE?sF18r0_Y|E z+v{Zh?q=wH7b{zHknkDVZQzsJH=k(PTe!Htb20}RIbd#v6aBrom9v@6J7B02sHV9x z66hwl>DGDYWM^e(32LTa3j+G^|9#)p$;=#df(h9E?=X3LTU&EG7tm>6d=t=zcQfpb zm5YrzD0gp!9R#`$QdW5O#v^rS7UJ_}JPmUICs_>oz^$*SLVoXVylHMc-k8F7Z7lX+ z+?tUQ+i@z@W5mnXLwnQXMFx7aMuBXTJZgU?n2U5P{Y~%2=|k?9J^eHCH8*KrULkjk zxohxy-B~)4+1)}Qrcaga{UOoZVCS+-*G%16>R_GVt%14>=i;~~$C76Xf7?Ucx!Ued z9ly7pGvn^H4s^Kdez3M}<*E@z?+tJ{oqr`ygyO%E3KF02K>s;a2hoA92F*n0!^O1!txGZU12a zJ>EKd0A}zsPSv9O@$=KJWcAT`k1W5rgZN-1x`vck^WW{VeDAvM8_+Yns5*!&A;dsW z5u*mP8Be(JKp~gDUDSf6MK+T|$7ZtUqbhHG9QQkY%I!6J0`8JWG39S*_Yg9N&$;&t z9NITQt(TM+8olvf*ReQhh=_A?cG1mL3y7pOq?Zgz@c!!C-nWHjIKO7H{&jA=GG12U z(U4-ioo<0CmrB=tGizhNgzQ9{drFm=`JG?7kGTU9oGzA}y8vJ9ZY~a>&pUM#8%Z1I z$@PgrUq-I6m@d^6Ln$mEy!c|RFuchcdr4Q=2~;S{6{0(NTtMC)Qy%Ce zAkmQdLrg%PSFo2@DGhb}3|vEO*HcR#oP?zUIV+s<)hpl5w5j?bdVFoKbhvk+gOZVdlDg zgzW$5r{pOq34eq0ciokQ|A!EA~)9e++Sc{9L5C{GIVfzBgYVD(XGq`4k5S 
zk9cFKSwSHy$0MqVE8pV1vLdIuNF&#$$aSuORz0YimX}Lt>~?NL2{8M~z*HtrOFtbB zjlq3EHV?nYl$Zk4kG#}j_nIp^>!n)#k1~($Ytyo-oI1^M;^aN7FTCzO^f2v*FLz2= z$%yxvdXHbH#!!?sZ6&;M6on~kXw|WrVv1j?)kJFel!N7WE%+EV@8@GsV)Fbyu&RJzInIod8AZgAwS-ioF!CVF$&T zMP*%p`}9yS2i9&_fg)|g%e<-E>xOQOT;Zv7i?i*_;_Sosd-%Sp_GEvw;-Fp=a{V*! zy{b8oT$w(2=;AVKeN7CmODIut2}=P-)(}CSs_$2LAm={4K`U{{e@;V93_x!Fx@0Yv z$+!DmSV~uHHGvieuN%;FCPySWa%O~Y3_(giygR=th3GM9+#_At9dg)1dE^Y9wsP$uMjvS zMS8x!-mx3d*QE6|wl3DAa$J{w(;@fK?UDPX_nDV9O=?0+eyv;*Ik`D8&wWn(t^@u< zdyNXgdx&D{NxEW5n3iR~y_+#dind{AB8?W6dYUWbkE={%p*Z|gQ~EV|XR0tVVbN^h zVsAF}L{v6|%@rML1CCM~7-W$c7C&1K-2&m4yc^?}y>EG(X%nf+2et64O$RP&`H;^^ zeIqsggiXuhm)j%T_QGJ~{?i^9c=~HKdnU31z$z6IfcO%AlW0m3jEw zZ2Faj_3q1;&`qrFN@-f#^N1>&$lzdxPz62wv^1+b1xL)=-Jm=w2qDPB9hH*gyXzmk z2?8eBN*~>=XS-AAP93FzwPACkq;V=>6HH-u%Q0ppn=d(tE{wV^K#$!W5(_5UKV#P4B*`p}q#;9+6;#(>PbF8T(qLq;ot^a;DazL*SsU*-C&$|C^Zaj*Pq`^FdFQZxGR3U1Go zI^tAmABf95r{Z~UNojM9a1B#-BEiMeusGk4obuy^_QNl<3(MWdk8Z;kLsRY1cHG~S z3>k~km~(71_JX^pHiAF>+~b>!RYf2))l*<*EG*Hn6uzYoUXRg%L>YD4lu7Il*0$e5 z(U)w-kn5s_>NMFR-%#1c%7_qQ-optV5)h!@G0t}2jxNdymNjK|D+esI;=JsS&sQX{ z5P27olJDloKD&DcIbLpj%xCiEKSzf`_0K=_mTUJdjXN0Ey7%cV3QRxFtBv>>X7qdP ziy1Was5sAJdnD&#feuW+biCHy)VKs#y^wf|oSX5qckWyQRaIF)@&>9UhE}FNIUf^z z4lS^=)u&`$0=Ic1&KbYO<_koctNE|-Km6z|aFV?w$p#4X`697@3f;v1s>)%r-H%Tj zb?9rcZ@yO_JwHsP_=s=&(9xZ`di?+frWp-<0h|EfJLb#=Si-obQc4A#2X?(LCh9z; z$oYABC4@0j<$jG}k(~p-Y;c=h&$Z|J+50D`#H{B8)WH(p%Uc&BtmC8RBaYD%%P)(G znQ`(M=;=zk*euPTjb6<+rl<*~N5phwJdKEqYW6%Zr8R8US(omo_*r+DiCi;y1V2zH z*8=HF|Gf(n45B%@?%OW_6E2BocN3xhyHie zQyjpe|2B5ejrRU+sURWH{|x@n25P1Y!6P<#`bWgGTV%5OOE(T%#e0K|#Gye(d$nN@ z-n}C6>X^)>Jv!@<&u~7k9C)_f9WdVyu?#DL4A*r(=6_H35GG;)3R|92yPB*SL>Sk4 z(hxT!QJ*$8_qR!~HP=>iFT$qjYk!`?9!e(mOJo{Rx_?pDvNvgyG{`(H;(#R5XRB{f z9en%yfL#Zfo$6SVr>K{S{0Vh}CaXu%$5coA5Yw5qRiRbB!k?%``b3F5BD1@HgVm_z z*MxYWyIG$02CXamv7cBX`1NG9Tcn!qTBy=?lycl$z{dI%9o?;_MHw;|!ldVc?8eV#SN@8O|jAIu$10G0TQsyWwpde0Z zCAM3-5H5|TMLn_0ke;Yw*h_2R4sicy$yeh+I8&2YgwW?KVEq%qtC{{sWXt+f9wS}s 
zzg4;AI>X}MCP35PmZx$>rl&Q~w!CMqH8#7UHbbAR!knrzpY0V;_H}&;&>Y{iY8o(K zz~VH5wVckh6JD-1SI22zA305{Mbp8T-Ix2@=RoqHcZ)z7GC`kAWkYQ7@k5LJKZyk6uhgLb!v}lCbELN3Mb6v)#5T4pofC^YV-nvFDA> zTKjbK1G(&yNV?E}w!Bg3dv%&rOe&{-3(z|UW=!QK?sU0Sz&`wS++bUKH43Uo>= zrYo(CUZ2&z^_DE$k@PM?mb{{3 zH}-!pr4#lmyr z*L~GOc)fUSLi~LqXiK!Z)bHAhr*%J z{*-+=>g{Q;hs%C6zJms#s`eg3@~l?^A{nr&11Uee(3@r4tQou(->O;`o2*v5f9D7P zogZaoQ5_x6BSe^fmkoO}5(wQTnB=+`WOmgY`zPhHN5Y`e>*eRL>rkD#L;9FJzq0&H zGt-_}4k--k=xHY@HiMLtzbv#q_3Sx(pSFNGE+c;A%3VWn4O&6akH=TMNJQ-u+ROpA ztAbiGVcs?@)mo2 zQ#YHWzT5|9V{_iiM9Pf9r{KN5OS_(RaHKS!Gb~M_YW8{+y*6yV8?x;U@BawDP@<y+`-RMzYGaS++gau-@d%x43nZid6dckF!anT@(|8|VBx%@J~a zMv%uDMahxuYBHxTCQ7A5o#5kOy0oG1$+*-}pWxGv_*ir@g}?nq?Xf)2F^o{jj>T9s zyW@G+y8+k|5p=7jw$z?H61|$?vAmGN)#O2eum+p#*G}MrK*fnmDqFQ+8I+K0?c(;L zEau#2mA|H&1_v*U()vy_mRapm0eES@g_S{KskF`l!4IblT@{)g)~Mh@AC$>&B5MvV zIXT5`7hYiRb*m=xrB-I9i0>GNnMbf0x#<`V-YL+rPxm|Zq@$w~bJ^g#BHLMS{)EFI z6f6_@3SazC#U^iZRICok~(?Eu6Fm-N1@_2tT z%+QCuycMSHAzz-IY>oysdY=jSUb<)(>EmYE-7&!wJHb$K51`)rLNlVLj+gV1P8*e( z!~?^LAdSe*J&+p`edlVWap) zOqwmDc`%s%q@;b{PDeAhX3TkO*?d_9*P#2j>ziV~*mX|PgHuF93TgR|jrao_*<+Cg zZ#Z^dZ+@vmt1LY=S8wZ2GPY~ybEiu|9|ws7xXrt>ISnzvOxebWJ>^&WmBqE`59ZIe z0#SQ))QLi#0?6I#SXL$a$-4D`#LfsnP)uMnesSGLLJC;)_+I@#qVF~L8tCc!b;vb4 zRpX^s8m3Z+w`E57D{HvO6`4pmW`UfP>BGVhpt53|buY;n#F~dQjp=In@j4yFe9j%l z_=~rf#7JFTT@77^6*=f{IT*I(G%$IY^*yV;A)espvZ3lgLWkX->LZ&Pvjicxpiw>$%bfAr|XI8#y( zs+ZT;{1Dzmr+TH4kYJ@e@upS^ zS84mILF0UBB39a#B1^VV&mi@&CJ(g@^K?C5KSQI*$zsvznCnf9^$GNmd6SivbQDx_ zp@aTbGl*xwB&-dV={@CE8~@xn(eKz|aFLN1wUaah*6D(VnGQ(TUAq@}>#1phBJh3; z;~{8x=tm>NAqbW3lK9cHG2+W~w+C3AE#<18M}8?959%%%EuR_=t`(mdwVJIC3i?jp zyF8QqCgXegJ$|jI%HcwXeSf<%-f^~S-emgAc@n^C+%zL@?uh|e)CU#=z@8)-K^m7?;kJwD5h$Rt*_S>%LNQS_t_w!yxGD-LRln)}fg`M^L_i&B| z^X2ho0HvYVyd$)8A}|{pu&gLbPVMgr@WVYH1M!GZek=zgrlJCi-tUo9`c>ft5v0ql zEdhMhp=FGQh!$7156X>Mv}U#D-4f^v^oiz`9HLW6W}$)C=x!D77QbKT4=WN7_58S~ zzoW-qU4JYWnu1KK?lV40cD-d+g=6j%R3LlKnnS`g5FDmbI}h%PkT;lqE9$?xLuOAB zKD1GLi_Z4)tYY$HPTea*>PyTZEI2b~T17icNPW%XaNbcWZr|HYliyJk#9==9H$NCopF? 
z@h60dC-`kPI$)E|;T(f-wCN>dinm{E{=!;KnK*edY;99qH2EwL9g# zxrK!*ze0IlDz7s)lZx$3*Cq5-j?$K2Rm?a{={STxXw=~iTVA5WHUDIAp5O_N(%$TWFR{5-eXPC<|OBor^;P)rlqxAfV5*$w}k_=X+_l`=2LmaYtnLc zG9E@Re7gbeH#gPz%|HoNK6_%2ZAIw6OT%#XIHGI=!Jbwo4qm=aIK9iqbE-*?urg?1 zEz#1~=Y=JDl9Rzsz+nx?1>6xtMrZTXzQ27*UfxmBPd*EGV6^}KQ=`cbw1xT`^1rA_ z*ys1RJVmxk!&3(}w4nnvyaOFp$FEToMThgrw<*~8-nD+IMb0}9O5ei9VpC0gYHt20 zhE46I9w33*uTk=YCSA&z8}J6vh+VIO33_{`#^t+)V*~!U9Urei&A-Iw=h<-K?>I0pbhf%O`t1*9;K+0uoFKK1(!+P@Y?e)i6J4gF z;CW=elXbf#eY6)y?qcwYD>9e^v>-jZFb42e%g#7r_LFs>Fo>93}fC3VvnT9{v zw0(Aca1?JB+yf#IZ$z%^3GI>fA@&D%t>lRCNg0}JNlmoSK^bPWDcw4$oh!YASj!-4 zIX+I4tDm-oGuKLX^krY(yIdA3K(0fvD za6EbdERzZ0r84%Gfy`YxDs{B&FSgN&*yskips`4OE+3RM9=;os>2xf$4f413)?g;M z^}&Yt4#6#gNs;Q^?#I*aP+_3lDTz>MplJfpr6i|X8;b#n zo`DkRze_Muk>%?8U$$)Ipz@2SUsWR>nMspCvfnfmWDKC6))q$0EBZV+FxPi-2Dua zP&ruxgs42hfA7EYXFnzb^>7V+tR5k+;1!$z_N$vUzlm1&ys6b2^JZ87`HI6ErqA)w zR&xy-CCoC zTu=6^T6-M$Ha=yCNm$Fdk|unM;OQe=PxBQWn!b8DfrzT3q}Ss2t{O$oLw{~unr#kM z*D&@E3_gCJrl<6-qb#0U#d~@R>f0}?^l#r;Hi%5ZUZ}+j!=d5xH@n|R4cze<=_9x% zZjIh2UT1$Y23C1H@K`{;M369Mr*w_4(fNw#zqJ5QDo!%%<(@Axu26ITfXYl&AFJkB zS)N@p{B{Lj_JPHh_v@*y!mTG=M<~z9A~*gc|N0W97_5a!9vXTEYD4&ypozR0=oIOX zBMFr~L;Cw7#Lk}?Z3kXv$AI7dIVrRAh9`Wdk8(18b$iZeMXD$F*W*!^nyiOgRc~J@ zn?Ku_96BI(Puo`MB7y1Y-H94tl4+5I{kUIaB_a2QL0Mgsz`6)Jxl7ndQM2du(uuV< z*wrtrx+Yh2i7rk^t-Z_EQbMuU8X*PyY>{E+`sMLs;qFI;*(LPC9yt`13$C>xqHMeOP-78f!W1dGR zGB4F|FIwIly9NeomZ;^C%^&;pXyX#)8!D=ia`B!?1e~n)-kx!@9qQXBaGcvpyh31~sYlmUOawzfKyzO<3F zX?N)s1A}BOE(4cYG?#cltLslvu*01nun4-tB&MxSi+fH=ew0<{hatTTit1{NCr?-N z=`7~>DdH0V53$<&&LX#y&e(@9vOE{tDLEpqB$LerK3!gV*pnMVt1!x+q^S2sq2J2h z*f@GOM91A%ytm-6E|c5ytY{)d{=l|H)OWNy=WBi9GQ+oN+6Q}8w%{*J>fNdH>_{qfW520alOdJDN_1=&|foy@8)mXSrdAC;5Ic>+GNAt7+py6!@4KEHs>o!F7 za=oBC4ONwEd**H1i=C_IgM}Lk@0i16c21@&oF}(azj7Ei8e@=0$ek8ny7gU38vGLb zNCj?|E^uQr(mq;7c=@%`lzhYpM}qA}<3l_i2+#kW*P9J-98g54BhF-Xs2M#2g2aB# zAJhU@-`A}gZhc@5p>02?a~(TB>vq}4Qw?1b)oaQI zJAPrmRTihqN$b~QAkQ`{QW}ePv~?xIl?o8xLKrLHH%E+)Q?WpBlho%7?30V`h79m_ 
zH)#KDn42L*->ny>pk~p})2~7r;*>SD6&+-1BS#iuLA~XrfT@f!BM0guH!p@m*UeSa zZogIAMAK?nzSh#Fh+^@hZ@(91rKbyrM^m2hR8iwACh=1dOHqBB9)~g>Yz_QyFv8U% zziRxhZydC;rB+r87t!=dV=yD5Dyf){3IG8{p(GgaRWMcp%``PUe@#e_S{D>@CTcL- zVHV2u-HkRA{#+rsJWY1VqoeWF^{r7x(gR>J(NCn;`2CIZo5Ht~gMIJxoQSrFW7uM^ z?76V3XJ6*YybS*-G+{s+SST3iIPh(c>hdKCTlx33_3FpH2JS!1H@SNwn3X;|N0dRe z5#(>}dbcM~sNDJ(So*>tl%^>J$PmtzS>ViH93&D1WV2FlbXp-js9fCWh zwl;{(Ump}7zLndC)K({qFP~g{moN#Xd_1T=S@h{Tu7H_jsr6!s zVr~S(&O@0F=Ey}t;Trexnz|!OW_Q^u4=u?<2~m<{THp3Q~9ao~e@t zYFcWPYV>PgYBDHafI&KA^vr=Rbl@9|^>&FZ)Jx(&a!~=~az5>DI+sHYWIF)mprYzX z+&`w^n@jfZ=*4cvHe(!p2*M*}!cqZeS?qa~>-J_-4_F#b-Jx+2uXE>KENN)!r3{!T z-^A@||s!>i^3%OO#@b)~F+OGpCeU0h5n8HdM% zQv>;Rp-BF6#`*Q>J}aAiSZLwSmjw1Yk!o!PgWkHGtD<=l`-#(;29X-aIln`=_^|uK z#VW>oMjB`hBr9_>#*=Bq)UNhGWd%!>WRLpB<&P8_HJI)p`GJh`$c3@r#cDC>gOAr_ z`vRbm5$G|5PgCm?s5IgoA?WGp>dK*fNlbfaVehfy*?s??#Dpa{r2$5L3tQR}wE_5| zP1ZX_yx-eN-S|KA_e=c32}&jViMw6^e$U8S``gpfb*PRwdxVo+%>3P%oym~CNF!eW z|6n?iN&pUJ1MBkHUrk?mu1X%vsZQtDzeME0cKqv7aiR?OkawZmqI0$Swa=lgs;xM; zYz&RQDr2qx=lt{0yT7(=5Uvqdj8n5cRg5mQ&J{>Y^jpp(BfDgYi=@%SIO&YM3Hd%A zQLcV#>G!~PAb#)x^i*LfSXKO-f-B_Ki%!y11OmP9^xwE*o6a5o7U#Q{uz z_4~`Y{^LhLqVB_)_MG&DbEZ(c%j^%vogRjPxG>AU73Oj)(Vf}1okP7a<_JtkhW%Q| zY^0+G8uwnMBdL#1-jkdLLi4*^i;?p*8Gj5f-x#l-udit|5@yo@NSoj7OJKWAPyg$~ zuJ>~tx>q-pZt`&=P$kgyt=j;z%$<*^=7e5f^fN-M9XWX$(WKTBc0W-Xkay$G<5G2( zu1w&ICkE~?h^i|IgOdyrc4(dMZLV_854n@dwBH&kRpU$~&)cvwi4QWBwguV4{H!}m z5xqYVI9Z>|2J8?r*Wsyo;o<@n`oDy~V1Buh|P$o|owzA%`-;T1mvWv5vw1+u&N z+||35eXETXkU#VI^Bqd-*I#g0{d$HAacjY7X0LFg7xOA1k$J_RmVJm%O5PhCb)w9{ z>O7o!XRQ}u^a(4!9Lk7q_KCUHm^0~)xgpqALvlL79ZyxX(byOFy_LwbSu$tXyo-(p zpjM~zgE%TyAyz{UU+qfX2SD)5%2Rsm(Og$qBa1OsN=G!*N|oEX1NL(r15eo5N>bg~ z!AxA8DTIeBT0c9ni&uyDL$0#+Bs#4|TjC&p$X@XWiBk^e81e}SqWx|HBLZnZLjS2N z76Vb~ai=EhuG({N-5l^3uI9HFk@r$NuX$u(_gvxd6sFR>z|;A+1IZ1^*1*mnSyDfb z;J=`rk_h2*CNdC%z$=#&SIAp3?jui#wZ z0f6l60e~cEe|d4v&-r2ZXHFs@$oHKmpbw@EC7F_5J# z)wK9C;ZRm>pMU6agyJMo7zE^TLf{wk$g^ts69*5@7>j|G-|&x<`yJXJw`78+_1}W! 
z?3mur1n}c6GbxN1>j-;|JxOJ&C%X!g*+ zI1y)^eQq;ILZ{hxNZq797Eua;m)3bbw2B@{Sz)bv?llO}G#{#0I%Kdts+7MRR`4;+ z4GeN?nOvwFd}7ATM}P@ZLX}ZI{J3MnGi-^04Og-PvPypxfY$@ z(b#zxyd@*F;_;Ki=yT_gYc+GF*d#5()EUC@xPr&MN#A7e8NV@%(xTb|&`eftz88np)JG>AH%vNVj`8d;d#){hjxibV1NUEe%DplTk^g zJytQL-~26n962+PcA=d9zUD_%?23gcrSLX`B>>Fc=~C}0tiO&P^ErPK@)6mbII?hw zeWs~Lv%{qns|Su&VY_qn&iw5?bNzc*D>^0)mi8Lbk5&*gN2?z1?_d0?*3u&(EJd5%5* zR9g=_#M-`ARXumBc=H@^orrS|z{1`-guUL==P%6Eo4H(l(}jTjiH~6VA)HS9Y0xC}I@vOHCejv4NfgSP}YhKfsa?TLy3~7&IhRGwD13XRaQCNZhf6(jQzd?9wrs;^gkb zoH~lq<-EmVO`f#hHESar9y>0FjK+WI6s0G8aSxp8q#p|?-K^5JX@^F@c=av` zdV<%&@zMDbdaHP4?b!Q#31OX-LcZ+UVK_1EEXmy2@RzzI*;9zB!fcBAb`L&n+-t3y7GOGa%=;D*TS|i!pG^L}#T(qVrW>4X99g z1#MJOW(#1UYODHh=KOA&uOk;;hkV>o z7WS_p;#90_I)V*S$7A1|EUGG0F~7=GeF@5`C*Fw+SkuuaFmXQ0uySbrWrV{!n;!Y- z6k&L^@&d@h*NLNKYhKzhT|9)tY|RiNrypxA9obZN#%H=7ad{y+jLWm8wsnv2j4kI3 zbnts?qu}e@#OU?X=oF;^R_iJqw7o|(zGOi+3k!RpZqt!3KP2HQ{uTs-0A}3ct!v1< zU8{@H{_wEoZ&jrWGg=XK{J_LbT;)hk@+eW1SJ>#3=s8|*w?PR1*Km#}H3ni#h}bXt zmR`h9w54KOU({C+uN7C7%^NH9S1v#Zwy(#&>>Xz1#K`PEGlp#I9zN!IH;h_n_D6oS z%ff^BmZDUs$h|nt_B3kw6^j6)Rxm{kL_UJ*E>xc5RB~L^$kkH-6`C(<7Qu~SA5Bh$ zJTK{V%cw#&)B zND!gvPGn3vlb+>cSg@#B?4sqcE>SO?iddVBfH}z zLfY+uUv^YsH$+pXogp-@1r4bUQ{eAJK{*pC>Pi}N?!NC^6%FNCY_XKX&_kof-8M*H zK_yYZ^0QW*r!hY;EqjXaOHoXC_~Zpfo5B8u5}y6qR87}q@uo1Pp3=EATjo|pFMr3Y z8ordR3)bY{_Jd0Y3*K)A*C9{tJI_5w3VVza#;;X9cK?I=$Qw69(_>j9yk$c*K^vy` zl8Lg9mOo?5BrMzR!PNK>?J(4grciJ!enVn8ZqafMGJuz_S1mEgPezi6vaGo0fnn*0 zNYrpWmD>vY)5~sjHkiDBqvUvmD9XtT>>>FbZ5h#HXHYv; zkw}$aX^KmRB_%Z8z$#@bGtRGWH5}h1K@k__PEzq{%e>%V+47|PqlrjA1)CfW&QwLV zA{p^RTJUTAx`}TxCA9~E+{=i$Tac~kkv!7b-x<@f)AL?N-R%ri2cF&;2Es>5E*ZFw z4ED_rwI90*`aV1=*RF80!&@-xMueKoby2lL$v8|`%w(4hDVr1ecMN~{1?jv6^n4B$Ps2?+{}B3;u+Z>jtS0No zLnQb>poev|m{Yg13rRvcljbXiPP_U%8#|IgqeA&@Mour3^Itfyx~cuzP9-YL>-%V zr7b`|kjgnjKpb8=kF*WiTHM!W>rd@gDH$(a3@;iR^Sx75l@I$eBb7_gPk$2mOI?qf z#prR2C;hf=BBNnqe|c$P9v4nY=35y=!zi7h7%zY~cGKL_#O+zqx1(`X_e?l_7WLR0K zD^vtvA~lln3K=@k^W>^UM_z(#{UQ?V_g~>kiL$Lrh$yv}uXNU+nD-*&p`hvmNh;&4 
zA;MzZeGm7BtNFMsJt^2G?dT{I;Lxnsf87EKW21`AuXpB5o!6Tv-CP-prqS!bdl9H% z2NO=3X6zAfPy5qrxjyF!)FLgLFGlo$sEDgspN|kz-^z2Yq5KGU0{i&|Tr(F#t}J>C z6x<0qF8y)KfB=a*zOyy@)+?PN{r1a~?TaSNRnsZ{6qX!k-yo0ZE|cM%O)g0QrV@dJ zukC*Z2WL%OA)Cm4%s0$_k%^o<-I;0wQly?+c{#sM&j19&fWS2iSQgn8>Oe&7?c?22 zb!ggl+RvT!`uV?jLGh$DAnhn5iEEJa7hxC2sVJisfNQdAnE&FXySq8*(KD(cP|>au zzSytX%9kkv-}2=Z>Yw6b1e@r}sqeB@7-ty}UE{w1&`yva(vA00>euhz?dqqHqDDuARdok%v`Br_DQG;9i%)HqI$bo@+=6Tq%2?I6U%@Icg$R17e zs5iHi1sF892xOngVRij*NNYI{&FijsOi+ULUH*WzB@c@>a3%`8DxF*iq*?MG_Yeb?Nl+|0GfkrUEn=zzP{3rxJq@?N#)S zw)TYn{I{sV*u6A{%O?B^Nd-?>%RzEmc?DS6LB>kiXF;TSDy2YC zP}X)*BX7Cus22BG!`HCTrXbgPrZk{v)k$hwlNQuLVuIj_uywEzg-%5T*i!iH-imZJ z;H@lwxWw;s63bh{V) zLjMG;@9`Go`qzWoNTsZ617%gL{qP?X<;hOChn#$YwEoOp4+>7bxHxOGz=5~trp`3C zc-cfp4Mgwz7+ayP1Gk^#RwbV*l?Vg5@o4@3AbGFI!SGUx3nz8i>o+p9P>??}+1Y6d zYZ@b<@4+sCHwn*ryyeN-;sZYsw(|;lpIxu3ux;Do2PQSA4?)boqnsfrCp}8D)jTNU zu^WOv)YTYz-M@9lwinY>93mmD?yf4Qo5ZRJmthKLTpE6oJ=)x9MA zW$gY7@X3jUxwnwYQjFvpN^!tKjNp2y;x&KLkX@jxsF;F4Wp%UTz|E2&Ekt?ru&hT=#Rh+t^urGPrpNS^j0x$169sOuc z+-LPrdD61Z`96(9)z_Dn@l7#+2&gvz^Z>q6x4OZ*Kzt=uP1J$MZYrI+u2Xeu6{OW?KtOTaT&1w_Rcbg1d!dyNa__#A>mR8DaMe;Yf+u}K` z)13hlsXqSiOY9MX5q~lFqSC5_*iS_lMr!!qgrrC4W^^eAtf-moUL#rYI5Z^p0waD; z_O8!vin@&O*f`FK>)0J1AD*YrAGojRXl_S}A*&ZsxCgBB2YUeDu$e^wPzXdMTz_b8 ztu00L z{?q*`3aJUTSNf#wKP3;dVS`{li_sd2O!RviM^Mlq8t$mA6E z;@VlXW)ejy`cB4petZ$gqPs|R0tQRodE4!rk-F2hjM3ita|t8-mLS$$pyWCLfcl!x zYr)3g*3ad^VgA|!)=8(#Kg%DQK6wTtjtjbI<7j*fe=o|L-8&Uak() z!D7OG_RxRj{P78OOo|mQHO(>8qsdFglOfL}UBwoo3(8@=8}dM3d$cw1f-(ngkmP9b$a4E80Po#AelX5c*VqnljUkp@FJEP^mi&Ce9?JXG*s||8Ux2o@{7pJu$$-@Y*nYNp<7#GK-oo?kyCK&+djVR_ zZ(j5L`d&y#ZAM(&^o3i?nIn(vWCy%%pUKo-YrdkX+!D-wo;`nn9@QkpP>MJIr~C?V z*no6wZNd=2{8(Yu%k?6~v%%Z992n^lqzhtLHthbk_2lqfia1R>X-4h_V1-B5~f(IRjpb0^OyE_DTcL?t8 z?(Q(aU1aa?KmWP6j$CS{pqQeE>F(A2*xL&?ayWS95RSo!*=0dfqG%bFG_hl#FhGKM z-vkp#cSm27tJyY@ZNWMt@}XmKlg5VYXv z&b^0d>L_DeceE#E#oIG_2UF8m4~&N7M(|p%%L>Y0r())@7>a2LyL4(B^SK`QM9iPy zSk_Sh3q4^;Qu)sd@=95JfBbG(P1-LPMv3@U7}OH< 
zmlk>mj^YqopZTO9*PalQaIzDY&(=HJFHT=NqE?rh^OW9$y92zAnCp$?#%y#G68p1b zx7fX)*}-Ixx7aknX6=5by6zUtz>nJ-k&0WB8U~x0io!>GO2BHKg?#~N>nxMY-Oloz z!pNI}j@Ylcl&Y?JrK_F5 z^9ZCCYcIxR-43g!YfswI_<(|;2HwA<=z|aq+)8UM+1VU}t@1;S-s<77?a@kAh>qLt zrHf|8SF}yY9a>>Z;a2Zt32^L*#%%rh!_)B6JW`E)a^O;n8ov>(#XbL(^IC0677wDi ze|ll(n|XXYN9V{|9uOsF;l`Wjgcswo7+8wLa4)5tx0yH!i0i8}B48rAn>S>eFmj6~ zM~d~k>AkDtC(1vwtG(w_M=~@9oGHyJ;-1sV8j_bY=Z|F#t+1M&r)cn(P*YZ_p(D2; z$Dt$A1HNsylyU1S1Tif5^tU_pDXH+Hvow8bhHoC$x_%N1d*bU&yIswi752#nBr(oK z_;Iq7$?ZP*P{!jgMO$YY|0&Hm>(-p@FHgE|k9JB`%ik~8*KsS34W*)xvRYA_E55q7 z%)T%DETL|8|NEtOH|$Dgs8exap;Uo3$Kl+cj4;BFr(vgk zyBf8gx9pC)^j@6t_`dn%Vu(LXJU@I-beDcLhG?OvNMKW)f$JkJ{;2GO(zO>Xp*zOS z)L}W|QDvZ$j*poVm8#@GF>OVCTyu6W!@UD{NX ziecZSERq%2U=9}$baqRiYM-|UdqVSIA4fF%{eJT)%jy~p9rA~m_t?uHBRzz85VI39 zU^m%T#`b*~GJmgZ;FZYqKv-$!)iz@@4fD%&3mv>j^j2j%e*B{4o=4fBc_`)vt@>EF zV@i*R&zWqzgMzKXxyFa+yvXXohWs()82?FijOSJ!n$vKZ+cPIAb(4 zEUPDZC6>w9b}~Z|kQA0%!PznJJi7ARqmfQsEVCO;z4l94kZZQe5w^;3j)5dEBSYs4 z1C0@X9=_A^w@*1f%tuE=xHAFbg}?eYm2!5U4je@czaGKMygk~R?Zj)TjP`J`ri5mT z3^c%RIMks=uy@juj~up7l6e1c1=IAzqt`1Qk$WaA@?!0WTE@d%0{svFygUt4CcJ(LUs@AxZ~FY71A zhq_Dzwu+{5oU7!kxS4aBtMju|?dy5Cw-;U*e|JlsOMkS|D>mD$ni@&ED9)D>Dj&R? 
z`fcTJrL(S2PoKG0l^<(4yE`FhYS_=F!eYTBQckVvH3fh?&(ki5JtO%xS*ikGZ)F^ed z$XW7QDEI>{77Ez$hiv1%a#B|@7g_cviQQIE!4-Dd2gZ;Q#do;PZ*sBkBVPOsuISYCE#8U@d=t6k5KS^J;#ql2TT3hHYhiI_4f!*K+Irx8PmPKwj)|F~lTYl`ipQK9Cz zZC%Y*+Fr1tO?N`WWx?0c@W^nmHDF9Tu&_nvG%LMaelJ3dL%0 zU6DOJ&?2;I2esr*;#Oa*S}ZB0aH?4S-0B>BSpRLEGUxW;h{Jl(gru-@e&%#@*|-B+ zgzaobxll%EM<7x!eh;HJfw95CQ;Dl0I${AdY4@fj<{vI-#OU7 z*f3SA$3~Zu8Dy1Y&7Ej~a|ab_Q5??Y{su&qio;I)Jw!T$Rz+5Ru8OcS!3LlAOPBMo z4?1-wLueMmE%1}AU2%97mx9Q9jp;>eN)ka8S%)!*Ch*dl>S%oy)Yg3YnFn&{C1mG~ zoXW$f1vQ`4^W=#v6D4*wP&u++uU{|^IC=7wtXejS#K@KeO=pDeH_YtU&Yd1oC7hKs zxpTeexOarnHiunlXLuT#FfyRKPlBF`oDW?)uibT0)(W2@L%_Q)kKDNaH0bILklrg) zOya_)Q$T}fA+Mv>@^A)+MNDPq+v3V$A8u`)d?5n^0$YNfw$~7H+s_8CH zpY(b(9~&MZ`}dM&ZlcRJIC3|(4RxQkL_Q~)(~YICz^*LoA9^r7STEabl0IM&Z(C0F zzW`a`?z@S-6(oD)BsqQ(ExT=bFseh0ibyh^z^2x7@=C}vi|VyxDJ|yaFHMg8!NzM@ z^npMf9=pjm3wE*AZj|H$Tb;|4sf7}=RcSho7@)Y$2WdDs7#1d8#w4eh%#DAky*FNy zlbdFluL~g@FEJ!Qvm961vtD1rID3enQ}Nx1LO#bqNf`0c%haC1(97 zok$Y$z(q*=Xov^OzUlE@-p)>a9N?Aq^*DM!?-Oi^+Ss5=5v?~?I?51Opd6^-6@Akqon47^z|hva>gy! zIyF1KZW^COvdR6|S0qmBQ*TyKUR}ICyM}+bStJZE_ne&1V|yTsF8jsJls&{<++ah$ zyJ1A7OxJ@Q^2#`)F{%8T4^OE-pq^ByUx9JFAx}Q%)qtfxKfX@EBufLZ0&nX40V~z$ zD}1bb44rOQTNc`ma|u~R>YCFNoD+F`l7BAZ0^t0}Xo`B>2NlDl1zYCmwk2yykn{D^JI1BSKpH)&-+wu;%uC(=5~yR$XwiRCFbikH>G zFVx~O34SZPKpXfB7+$##JyMv zJd!zE&5e^+%tbV@bN9|u4K=1rdVN<*jEhE`AB~pR2yK+?!$!F3O9}x1OuyOgk0y9A zS#q|LA|!Y-Li)It9(eN;iEQIri|em8q(`3;!4r@H0rAFTiKqYKHN+nckC{`)1n43| zH5Dl7F&Rcg9BOQj^-FD^sWQ-?T{^C?oc-o@pg?m+;be-lrxt|+@7&z7kSb?cWikug3z-euoODN(^s} zRPfi`64(8{jUP_uli>K;S(~o*jF5`u?%k2MYItSX=TB@NrNw!||7i}nU1o$I z8^lMFJq)zBQ68kLJ`4#)ff+dFJJ)Th9x)!+(n+NdW(&z(L^fO9d(qmdf2FX}*sd>= z-Nf6k;P^|&xn-#9(4;X=NRuchR7i08sJZyR8ZS(o`T>*1@bRd86%|B>us>y?Ir=l? 
zwAp6Xps)kJb-Md^4$c|^JT_gw-!hJA+Pe-#pSx=EqDnloT?++=!o%sh)}~;hIo~SJ zu+hGIT#d{=(iDyMzi&|ZJvYU@V2e-Y?U$B^uf_Fy1vn!go(IIwbetU<6p#FfF#7+swPJEJV|G3JNCJ%q2s~3Ci^AD`@eN+ zLgV9&0E!(q&(GtqC{S#ZQ}EAlfdEQq_jq6>_%LB5VZq0N+v>^P4}}WGZg1Clx~1IS zx@}cxmCr7;qYZT8%SjLz?6K`T^y>NlAx#Gw7<~8EUp)Qo;7y?goe5O0X6OWzl$yF7 zDsZ&&Tp;dC1|^?1fPf>baDh(_Z^&m6kK!HX^)*{^p!=&=xJ3s#WEXuhR`$rUy&&^a z=!1CgKdp*RJ9qFablATFt^BJDc$=kyV+4*HD?UiFXRW#*3$Fjji7#kUJRCEsi*(D# z%5ATeX(?%xWcU!FG>Y3)Si1ng5f7i%pnZDe!VoHo!Qs5!&pJsM8rbS2MZ?Gpl|A0TY*zA7K^=IkJ+B^IaHwclVK#ew zxakq;wq0~**tf0gQVy`~+#AM*KgE(KT25rYp_Tq4BEy=lq-v;ZvYaRe@GFV0wM-UB z8gcnt56zUwAuDZ>XDoI|zoQR~WbQt?g-$av83BYG=t%Jg;|eV&J*ja{KmvgA9>ZCV z_l&?(OyO1-BOiOx0x1Yy>sEZU0bw2Bktjd8 zf&DyH_K$x`He-(tF2_c!`OQQ7Jrvw0C)U3ENY*6WtkNa+A?XkIe*+*sZ_hZ3F zujoewO-}ZII>`!)0nu9}h?WNPd~nBz?qj%>cg9J}7we)5KeDuQ0KyR*(t+DlPUx#J0 z9?u~0>}#Hryv=mh7MKFLD9n~hOe$;I@N-eKSIMKWDaEj^1(}Xzu97WeFY+VCPv4+rWe(HDCYLAwe1)?-Vold`C zXp!dJjm@?`xMgU{Z=qshIWd}rMpcRDS(ra6=bU3qiGugDGmdcb+~oIbS>O%jSB$7e z#f)uxUr&qQH_3np90VONucShwF02$DCNnnBLdMwHK+KJ2$HY%ww+bMh$Jm-@Ab+-R z0|r57VR*l;O38WN5SWI60|DG4z))21d)Lv{3fm+c!TK^MRIQf1v9Tu4t!LxJ+LtvL=4>}n9Wj|#d-8fWFYsfg zY~QX{j?iIko34q@ht)-R!Ax#PD56Qj+)iBRCnj9e&%Q&4R@GWsd>G2xRk|M<7*Dxy z{HD4kTm^xBxgt$#heIVlOe@r^*b*|)YAcrgSg-_KBd@egVOI)j9_cjWcB?Q>IM^B!5@%uNW#@T2yR;O5 z4T^5{V79{T{1M6wlCeMe(IE&8L216dv_01_c>3xkz5=|85wr3}@Y7ASRYCxF@2fcL zJA7#=X)X3e0HveNsBmi`+iiwA@g}Zns2R~Jzp3TIC~}E;p=bj3@QH?XszX+!-uYhp z6V9HC+=EKld|4kBXKvb@!+Mh!39V2vdAdB~XmZZ*M{z#+Zya62?#wHsmN|}cZ(&od zlsd}?Wy%(W=(|GqdjZ3@BS#R{f@Wy$Dh^9+MMY$Me0=>dWObQzqs41Qo%czQP87~- zlc~F{(5r)O*yU*zA)1&kSW#MH%(>AW+}!$XVDDl%L?4JoFAU5 z%RKnSWb4QEfe|kQ z4V^1ycxFrKsb1u5cv!7G=y#fS(D+kELqsm#4F*?C+|v? 
zT6VU^BmK{d*$j97Hq1Hy1z6J*tbFCHe<>?^SEBs^ou#2@5I!NlEIO!i`LB_CO zZAT!z+tWxa3IG;_ku&_5KjEGWVdN+#N33ruiRG6O(w3yXb^n2|aM=WK;B3)x(BMMz zpCph{8W-`vpKr#1Ir8b4@s2o_qtnmRExvdLZpC^i50@k6B^J_~@Bz!j+ z(&Ak$nV&EHxa8MB_xv^NW*Cp-9Zpr3Mi;o?&Pn{oh>M|g3hs;JT<{T{zyeCORl~qj zo2KFNrrp3zsxWZux-Z3a86$_HC&PV1h!NPn3rt&YzRxpsK%B6iXQHko-#vnOcYi&5 zmW6hN325zL`-!;3)nabB(EtJX`O&Xc94=0Qa>%G^ZY$rA5{iHY-=~zu?q!O~_sE&K zPipWml{7E~;r)9%v;D>u{Ij~D*4$DG8awskn@&zbQp~v{j$8WOKS`eEtLv5N|Z4eze#af*BXSM4}lwz`%GqgM8*8G@pGU2I$#pc~(Ys0mJ+jSbeSh9*fX9U5I4x)|^e^;huS?=v8Q$G+O12)l z*#LNjUVIGbXA&r{UOp@^bXMQdDg>DXB^Nm^x~49#F@e-LiVi7zrm9sbZ5+7FeUS_>{=5E`)~@Isltql&_zsT^n%bpjy9H z4*7411%a;>V)NZ6TbT!TC1!9B2ZYU-EkaH$9zsN>^|O&PZE<8{9St)`=mba>$4Q3V z7`1GlQ8&WW7;43}Fy6Mnvok6SgtANF%`0Sm6M6+Fn)ma6O;s-RKzp0e*=g6i{OO=E z2UAAxTk9Br6fh4DJKmlNo}Zr&m{k~8)Mcw{Vfo>74TIk`n9p+$Y-I}IClX~87GV@E z3oZa>klhmeyiRwvI_N-#o$2v9hvyOaiWfRMt&!{D-6F0Pvb$7^E~0Z+zgz7C`oiZu zWh244Ls`7QIGpmmU3>FI2_EMNr;#o3|B1`YJzz>s#y)*ik3tZm+xp)wn~Uc6V|Cft(aaXww^oh$kzTlf2o+j`O9BW_?-7%^DH`HhlxD8D!Y#x zf&R{?(uVon3fDOnPAOG>44zoaU#mdAFDPAp@o&;DdhhGzuB+j zVCV#F=LeX08v1GeaR_y4miq2=zF7DK_}kcyD}TS}w)2`kUy;5g!v8a0JuVMVaH$iC z0<=DuHYz+YB=f>A(hr&mkB!QO)4d63vpL8O>KWFC)Zr)~Kr6ua>W+$gLKEjs^hZ@0APqQ&g5ZfRW_4 z$za2)om^s3btV0NgW@yt9(N(Ih?jJ3^TA?}5*q~kBR-{wy_*hn;}?*tx>QyH7uf9A zE|=D8KMm&kngps}K8}%X6~Q>v`NIzlVx9BH&6|C8JvY6PErmUP!7=hOy=K&;bb~50 z1++MYsxHyAmme7YB}u0;Ar_s0rUIv*RsB?)f+ba==J6@{Ojd_~E1p?70N?7b@tB<7)2wvGce@VRN}$y9 zN#Z^QYn}^5%<(GnCiP-rN&9)5Z{yW93txP#&Jq}3=}ix|2{m4<6*k^?TMhPlzw@NL zyY^hSy1%`fCY5Mwrv)t>x=KE5S%ymk_6!*7h|I)&Dt{DpyOxrKD#sGT8yrl<|NWrI zMDbHIV{WFaB&|)MEY3w=XMEfXcBQ-a#CS@HU!?oV^EjsDyo1(+9aZEk0)R`=r(jT2 z?}4nzK^%RC=2IGwKN6_6Z>Cs~HW1sa)8RKP^wsA=Rh4ldHQ5XQoyqC~(; zZ08hDhT)H((BZ3+dlO6F=ODyRHI`G__W`qF-<1s9;}VTtt?mF)uVZ|Q5xycR4dEWA z;bk9J5aUI*lpHaz}z?0U|kYD5&!6-YMBtvIGKZ@YJy*f=mEN{?ta zD;*Fd+U_QhokJjCfge*ua{V}_f(i6x!g*39^{)+c-wI$8QQ_=V%j-|5N>)Ju2~Ue~ zw_}P?b`lc}?YS?C-Sncy{;=aiaJDQQVMk?mstd?y{4?g_fQAJz+?tDHw zU=)*^=iSJ8uWd|-V$975#0jC)-@ 
zifhtX$T_WzaFuVSzZ#c@3y9{b+$AHk6n0v45$*Qv?@$z<(r){m4$BL!XbGm@$J%jo zHcoO`7%APBqLsaY-6c#bNG*%@?+a=U{%mm+h`1z_YS8VSf zIwVIhyN30|a&y@8Hn<{g1Qr1esJrvnTzw9E_rhXNEo<}0=>G|gNzby@~hkEAPczSx&?AY_8^#LLK>KrY;4PyTF>Vq{?#l5fWfXsiR8^jARZg_7x4M`un z;g_LzHMfN&5CIVi;8iUtzUFXFfY<>?MCa34Sao%q&TfTj!WoiL?$W(q@Hex08{6>A z+_FtkqEE^=TDm?_H|hH2zH*uw!*C8cSM@sAy@vl*IjGV$DetW;DR2-;fibZN2&_g? zqoFXfrm|SYRDE})mf(=Eluy~@-e?C6xPD>b?|&()nzFzo{%9t^>!P=fpx?TWzWZZ& z=1;x-h?H4?^8o@;%CC4zRS_X!_EZ4N=f@5_8I)(ILS>yF>jEcQ4(@f6$FS+YOG%7V z=Zmc`qA0;*$I#I4z0D%(y@I0PF!C?!Blf9ke_)FLk#`oiE8#Zo?}S|7_pY9nkZH7E zzegq6ria*sXdB))W$nz5t3OgvxQ^=f7$BiTNqmt{p8Gn>DlW@lm(5_ucLf!W9|j2w zCX~!_2@@(_bgPkF9e+LOks11Voj+7ASM9h44r+GAaeI+{nI6n&KWVl{bnFa2r5F@+;*x7-3-HPd_k0zr0C&C5n0izf3no7Cf= zEJJZ$6PWW+2}pW8>QBxj<@_73cTl4zm1l|FxdV$CDyiuz{z!as8eyey3U;*)r!bwl z6}YLm!B@6`#Xfo^(kt^)5GDtZ++3BT6!M6BUEjVjpTcf)EvxwMqeRdFg;ZEDt(%^! z?<|k6oaOC4EiRi5F}oZab(hQcBQ*fb+qt*3_L#B5rymm=N4NQe7 ziM<|rmyQ+ddE$c@_Kowp;l)#-PPhZR4>~*jC6%6ynr;t27Ftz#{_e6W=VjKb zkGejtk^AqwnJJOk2M!2my@CQ(KQ2`rkBapyW993XF>8c9>ez9ymf*fkQ42a&T^LS` zk%67AJ~^bp(bzJv2nx;?F25@*fAP-sD<`er-aqtt;K$_DplmJx74!qdnJ*zq;%sZ& zl&%VVvrlf{Llc$5!9wr^#>{ZS!N>`jUqZe+Tb9z2i8(HiigB>dXeM*u7$@F+Pt7Q8 zq?#EQ=|HzJf4I7Uqw0ooZpAD~>4xBJmmxHqN1E1JC59g@wJBHmUfAI!aKAIqWm7L? 
zb^H};E~2m;!$xUwu0G@V%eTjHKa=62VrOYUz1kjFtY_DC>TIn!4(8tRW8BXMrAxwH zIzIEChf0zUtY67^tBvAEn^W%tzLweWh9v3{FW==IW~Ze_N1@h;q^Awo;rPFKu=oBM@~6kA zQm%iM8n2UAI#+IWphb=>EB?&+1LFkhJGi~&I2IgqkK(JJ`T9nFa2D~}w0ca^1w#97Dsx+ZH~_qOF)r0OT9)(w;a;|5vy2p=-iQ6g&(Sp*n%>0H-LY5ejC#8vJq|BC}%k6_(Maf&ZwqDg2li2Vh z!+?r@QG3l?g1m9D`Vd zBbU4mKG^5JnCYJKsjJgUUEg9WvJuhQMlIYs8q_h&!CGBva%1SZCSi%|6POy-zi>BY z;s6(gJYv{~CfKaZgeuhXR78Uh=0BBqz}@cuwsM{t;d=R3Y0yNhyeA7TV0qfzOC9FJ zC0nTxc7khxb`i9ef;4M}Sf7ym*_LYJAFNJnrBb(to-U`IKPdhapPYSjIwz+mDCU!8 zPL}#6sk#9{lVS4;YAOsEN(VV?0CBVF5Bt=POPh8RXQ-xBpxS#4*h&KJPWgg~^FFkM z*_7_))>5KebS6wO5riaS1+^I4{3My*}V+inA=IBUa%{B6&i8*l?pMu$T=b)G}I zV&-p;PTa*9GzYXG&U$8x_09tW#OuI$s|!cyjN*A88^?rO)oC zDmM?``Ek8-_wW<&-YyIFNW;J%Zi_s*jXVAG7bd@+2`3Oy^WCY}cm5wf-#-apk}N6| z3;iIT0DBpo7crSh(PLm709NXa)iY-t#^~aSnd1QIU<{^@^~qQChd(1Ii~B-#$M7fmO^Y=&It?w*}h!Or5$&Me#(}<|i)iZ{O?K zVEUIatG@(r8fPWk%#{w(htejZHJS8}Nf;0FzxY66c?$n`G> zC!gxTuPznNSTTt)sUW2iudo4;MZGI&TH!GFhYuCNC74dJaKKxjWTX=miH$TfU4tM3 z@;V~&c|bBj6vYBm!~cDjR0nRu0d1C#_T50?W|89=gD&9r4a#7yR-Qzo_m|T+MPfAN0eoRROsxlHLXZnOk9R_z1BF5bD@XA`g@_(3KAOZ9f6HiVM#?Xyw68Vxbq zD`SZQD?Hw$x^3U{+XHk}H`Ub-ID#1Yx{+{0ub3GymU3q;0nP`XrAVAR&P{!&-|{V9 z3z!ssmj82H^bc3-cOWj>LXPIWq5p>DhbJGUFpv{{#->`5u!to3?qJF-`)G1re$BQ{ z=Y&7x!3_Q~&)(u-3#0mw$X_-tc@j>w5em@uArdnmWd?}iuTg1LZHI^`B$~B=Uvi$X zRs_Ev9V{p6(yRNh&g2Wpvku_QU5M?q$ABxaXCH7!Y~?E-;Sqhi!~k$9m)mZiC`!M1TK z37xl-Cj&Cf(_Ece0y$KE&FBf+x)^FUVNl7g2vGT|&)I(+#AKR--=9L%KQYUYOs$Xo%q{MkQ}~R4@pNjud-XhNAyUl6#4d-1dD zn0ox*XeQy;=BnL~7zUVaqtcG-)V;<9Ba#yJYL*Q$?$gvY;){Dtw(#jDr$9s#2$vdD zi~JKVtylw$fTWzQLxW4L0-E7>6Yi|C_me>;YP*=0DpCe@bpOgBYPJt*#m$fEys_NE zcpP@SZb#_wu4lWiMFg(|^XpP^z?RCK_n5bdW7;sR5h|{8i$&P2G}s-5b@3!hx3i*L zFYL=Qu>s*b`K+k>0{A_z%D~}p2Rsi#%@_Q0|ga-ftAA=rizzC*tr7o%rQR)<8PkM$^*b-J;uZwZ zrdq4Q9V{nj`KwZ@9h|XGczYekkIITRsA=)6Y4-og`>4AQ=TCiA+tc|qziQp4l>Y^z zGM&7VnYn!(xL6>w=bRSj%Vfk=MJpPw)gH7gHT5UU3of%UE@W};8v*v1o#RXcD(BDp z&2}>FyngJ7%RJms7issHb$Y!Z&3jI!d!t3tMtN58^a%sFYs&o2pTv^v_+)MkK4Mty 
zD5MeAd;xO>Lxi;EPw#PH!5bz-Iii!KC-pwee2CkcuF3l^(x{N5?P|vBj=k%cKKTee zlsZ?)fsnlKRL%*#cRMIC@UI;G33l*JDvi>7oQcwi(64(U>;=z%VE2D|$r^aLULdX0AadiAbiP4=f5?(1XJms>=(c?Qk50rk*+9yQK6!ehAhG2m3I zR{(JGcKYacwhl6^IvbN^d7B;Oeo)pEBwS0cWnbQmDJnOFjfFdK34U0=9RS z2zmvCer7Pv#oDIHZ9#qvSRzK20}EHfGKBq!3}Lqno7nJeYh&56ZckqQoy&8$Bcu<@ zG7V0Jf6mV!7mC0Jd@c^?Nh@V%9YhibR_>%K6=|*xjd29yCxLl~58?cIX3D z65Og`D}%~|Sdo@`uU@yMylmw}Ss zzNKHhiXl52O9Hoi>A-YLqBm{3u>*YSIA%RlTzD8do2@N^i4WDs{QMEv!IM2^0HBF! z$}sEJw!SlXumq@$I!X7GVYmh6=*0xA&l8G|-KOCs(KAU@tMAGkp|2c*7gdnjJqHX@ zLPDAR#$#kUN}9AW7z9GPq9GIzFn#A^yeLX|~c`cM%zRREz3x%=5fbdEI! z__FWXJ*5~UgK5NYl%EhN_YO(?T3vxS>HO1_AeXw>rqMn zClyf$5#HWu6EW&QD%l>K9^M}3oTqPL2S4J(9Jh2&g!4h$TC}9O5DW+Hc19?;ZRRR> zpayPq-AyhK=2T%mzTR+3Dc76TK)jNyf9VRc$^V>GFwq4KrGi6pQ{9W`m}2|G2e;ye zP2++1-x&}eWEtiV5gGR6mgP>gim3j}4gT@U>dpVj0A|h7KmS6!|71c{aZ*s~ZP#JV z@{pQ_UKK3ivti{kVhu!EM1eVh<<||w84-$B*v%d$os*sSr`R|ggF6B-9d))Pi#>X( z20#9dy87XynfQR7$G}HPMCL6eb7*;2FWXbGju{j>4EU8jBrYcd18iQ8=czpM8h?9C z{a-5O$MwB<|5h55%@FnFAk;`67Npzg8V% zzA9P^))Tr;wqEn4Df+Tz0nmDW+WW_=sPY~q!=LVnJ;_JenAp z7Ufn7h32&-eX#6Z3zuwv&tFcko$A&osHagY4DB(WepJA&1Xdj^zpaQt(@|#<`Eg#z z5&S18x0l(Ow7%D-g#N=V#9?pZ=W`JBQpF}R`afBK{ps^!mnO9AkE6H^K*zPOp`gEy z#}5ua_19Wlw*bhU!`A>rra zr6$)Vec&d?&d;La8@z9GK!q7shw;a8)c+6?W&2eIJ>KC&gEe}sQ~C%Kh7NufEnZR? 
zahk2c)cq=!#OU3qXJgMK;rl%MD3@`7xc)rf)g({uow_+3FuG_iao<9bo1$aRNbdP^ zg$o#sNWi7t#Skgk#=)uBCr~TGo zBA~f*)GT`mKrW;pox9_?w~yB?1`vvWa*7UsxhO6Eyya5LQ-2yc?J@b6jYv_9?Vk`u z{X;=avNN-wSIhK?!GKi$T&iYTCkFU{gUb}O$qWA}P&1*!d=5)W<-hcls0TXzx!|np z(%Bm5GQZEyRD*DD+Y{%G?k6f(Md)G6T2Wd=>woqUuY{|{jywLtFEpAiHR|r}bXIle zZgdA)v$yLwuvU6=RiP&{=UH1`>KFO`CA5EbvTVL5#8Y;0VxI;xz4gysT;%uiekPuS z2i|=yh?c}_3~aB4J5TN?45Jgjm=&)&Q11Ywqg^F!zn%aNr0;&Jwgg_U8WsQozc)U!V* zKWh=srvkrQw&c-2RM89g)Sd6r=Ar3V|8SC*$>{NJ1QPZCdW&yXCJ=#vGr7T+cEXy~ zIdjmhNG%l27S2!ca?EubSyEJIvU;v4iyp)wCD){sh0#gX&S%k&@=R9-R<6G_69W&y z_7$B5-nG(0m*PD?ap_}w}KP^<>75X{w>4a z=^ip$ks&Rv5qBc<`$Lvl{8eS73yF5V1E9+Iu>)~PuQxa6*HB@h)VWUJE=xVYxlRmQ zTEN-1vT)!O~o0 zF{r|PT}Q|-gn81bxE|04<6BcKhm|E#)7*z0Pd3Ydo=;-Fv}JcTfmzeR@;k=DOhHV<|8q*eVp_hG0iyskLky~Trz>D5zWHL^{h^h zD_b_R-b_3H+54pm6cDIOnK_Qzel}VtwJ=2)IXoN1=9D*#hzyQt+<0ww zmilc^m@yjc5VY_zA~H*G!yuUb6vf+`Tcf7a!YUk8N)7Jn}TI~a5LtkXbhLvYcTYu^hCrei4}s0_f_943nJaq#@UTzPPwEjrvNv` zqV9z}`6@ea4a7sYb(Zg9faCBQ@JiCik=1@kX6`{}EB2su6?^S8YwG+g)LVxp6^}Uk_wDYu zhdv|0D1w_jg*H=S?+x9cGz+42fah9!nmjz6A0bQAsKV5P7vbZmlYelCc^?%t$8Zyn zCiW_Fu$l3ML_^2~GT$N^5dem@%C{rWk=#2dO_v5xc#^IR7+1#iAn*1a5fP{W*;ewj zfg&UBI+Dl@3=$^khQRXe3z3^P%uM_%CT9DQ`SCzz&F#AYCVF#I*!91ql4UL|STjHLFf?3)IQ8AP z*;g3&#a+q2Z%wz7BC}#s#=OA3Qe$YzdU2VgA;T^?K*H@J^XJ*Vz-FyS1pIvW>vBBg zU_2g6dvKC7LGWQGt!Xr{f;&6@8!aUX+pQl0hG*G+Yk&Y$T(?E&bvW%6;&I$G4b}TA zOrsg~xBaPnE=BPV=Q*Fs0;B;a|2{n$Gs!0n)TyFzkP)otbhS7%}IX0>NE_yK8WF*ARlcy9ald1{!yF?$^0_bC_QJ86d-R{9IwU)Ljlrs*735>>(a|Gbm7 zG)asnd_nP>fTl1ONTp02W|vaW3i}k+p%`bQ+JH;Y`D{h?g3+V!&L4kc~YdPRaVhQ9JgIIBKZY&XC{WseSKk?6u?R>{EQKgcx`*7#I^dn<+Gk z+DZ1bo;FX6N5ZxI?5hGf{gXDYeWJbZyC<#z>xXvKn}}FM)Z8;|W^{Jat8y5V)3xEN z!;(O24r-gv)H6lTEjz{^D8zBQZtaYBGMB=?>i7I?bHfNG*4G<8SjsrF~6K^n0goyI5zof!E!>$e# zp86I3#;Ei%g4;ibI}unLn48p~F@#65KVHfI$~VBlCadrEE2TZ)<@TS`oES>v;da!h zqL4OqVS5M7?dJ_a9=E+#3qtGIga!YpI;_7A5Vn5uOzPGd;Ogp-HU&&Z7&kc)8CvGY zu2W4I0jth!C8K~xq+z~X?2ZJrqKjNDq~hSfXUBFr`a=bAiCK~a`x`%3ruY3nCn!Me 
zn}dlir`@>n($PW6ncVklP`~7#x3`()JG(xq7L}#`aKblhHKEvz&H=cEy|nqjT^_9{ zpu;lG7|5O2?bet^NA_~sXdYUxit@F!;t#7NzPsRpF88jTpOSkACmsCvyS&0250BY| z>4Y(HMo=GJUPFNhf1CxFUtig~w3dTy5b5WKhy`0viCbp8kOn@!BT+bO5%vfJ{8o_! z6`@gGmI>=EpJ&wpgU6CR*aw7DelhV0ZXfuJh>*y(F~zV$8*FKl2f^$}+uOu4o6(l* zlq1l~F=xpAaxYNa3W&9bHQY999D4?$8@99u5_|t_=NgGQETc6rDwNt=5wB5m( zX&XbyC_PSS0`B)#FeeLUW!wX|YrSC|UgM$r`!eS&cb!nxW>nqH=>7M|;ins{ClD*( zo;!itDJ7rKHg2`<|2NeKH~}-iE{^3sSs&K4jQ|BgpojipiALA#+989F`jwK*YlC^1 ze|zw}a@_nZl6oL~maCG{!?8sRF)Ozr(uPj3S7QVq|gtu z)wVXcCx~g0Qm%iy+fdonboT1o<`eRr$EefCJV74@$?%Iv5a})3gOj?NXZ+y%bKuEX zQd%N9O|&X6Qgql4?UGM)54Y40`oWf70xzK|;?T?|WVt8kL5qhqd9TCHJt5_{5Qu}; z{D2+ScEQ6dm}-&9L^=2#^c~yX1$kN!1#Xqx%0bV!eLs4p#)?l##o;jnxie-8(eY>| z?ID{oILQWdSC)Wxif09)u$hmUd3XE`nL8Jbl@66-Sz}k?iB|QV#w9q}(`yKn1Y?8< zhe_eR^z=btL}%JWEISXk0f7 zjkc#*3RQeO@g{VaYlZ6R=*Leueyxg5=x!}b9=PrY!$#hXCzmEC%W4n4@#V5dq-Gwi z4Z$N=Qln>ZH=&6u9nmux%KNNNset<0dsheBn-bZF?7`8=t- zkbFHIiSgx)&C_6!RyXu=y{xv|W!TJfQNhT7Uf72BE7 z4pGdY^7nT-tW952#&u${iiN~XwX8i2d#QH zxLn+pCAAV32n%c`QtKuw#LBh*(`ekeGi5kCn7`?0TB0 zWLE#9LdhujEi|SH*n?%~*V;bU6f3QE;fEPuyRqVu3sd8}63yjccPX=ra2TOU1Y|UQ zF1RuHhn>jwX}d6w6SxSQ){8prjS?*pUtd2IacMDRP|nax(SkSr4A^0;21;)|o2gve z1gN70zS}=pkgxwJAlYq~p=gm?w+99P)@J4d!HdY(Td%$pd|EFPL8caP%Rm7d1{^zY zgTs`IQejqVdMpznEQ{*eQ_G!^n~}Xv8JtJW!l5t`g8Ev#NXE-3R;@XX!_n$1vVz`% zY=#0&FvgzCR;8;pgFFaUokZM48pY6*3+X|Ir-10lCT5=2V;3~~sYo$pKB_(5B2W7> z;YpUuLR<}d)?2G%gppKYB*7%&pqCJq$!qDZ#0(?P!pmE@8;BK0I1>ZGCyE#?-Mhi4 zHaL>nh>d$^bRv_9k&ACl&7!w4Gdro8pz2EWU#KbQjg}8fj9oPr_0A-W>6}kmd>9`d zc@x_d%o*7*$wyu$V=407`&PgN;3)UQ{H&}I_#*@g8$Xespd5tmO1%*mmVYA=j)IuO zmOXv$;Hpwe6VmxR8ndB)0eV$E#1+epI{Va9&pwZ@H1j&FA>v}Tzvi(tQPZYDn+jj? 
z3vF=2j&^)}k!I$QFb)4gb=Vuj33@Bho{f$C%{1JAk#7wRQgP#Klt`LtpTSw^8f*2- zNS2qI)J0P1x3tP-?!0j&`kDkhoQvvM!M~5k9F}e*kww~^dF!Bysi2N__2s?~t?MNZ zYrKKZy}SYW2QR;%S#63tKOmiCfUl(YN6st6^*3m$cMb%=au5DqKOp$b5(Uflt(V*_ zywfIiE?s8sh|LIcEp-W*>rLEFa~cMx7|cpEnaAsHUv1&+&?DL;mfKpE5w(slB7rIQ zO0Q|=cGiJC*v9kF^Mz3kFMWGoMVv!q^~Gw|iF8aE2EUvojq65=)Hcri5XWUl==Wt`mmM^5 z>$Pdc2y?(wS~J!3aOt=0vTAVMY!dLYbimiyE8oN^qrQ;&BUa?G3QF%6T&h@9a8KC4Tcx~^2KsbZSJOHwG{89 z@}ceP+nA9FWkk@08M3VCcOF+&NeCk$@l$0)ZAn)Au)eyejh$g}_QL5%NhKGX5C|Ea zAl*v;sZHI9=hNPo-|zh3bH{%w{>GG(Z+Mf$^XV5>j^b}`Lq7qg?o~e%?|eB)??uxe zH>+I52Grkj$^O7fBz1pZqP8R6S3f+YIg+eRd; zB*uB{B7MSSLWPOf1i|~PRY5y?CLtS{!*G+xUtU1kxsmye+{?FKZ=Gu0P@U`BF1QY- zf#=J|v_e05%`@?Aygqqr-D6v#7u81<)^KCI=$F)ZdXCdVe6@BZJ;?qPdct*bl(=|) zcaq)nPBp$B8!m)2U9CS`d3kBCTej|{7nIWZL3T@PMJqVXcfEak*ln%38?K!pyv!X1 z{mGR9(t4Z;HmwwZo-+pE2LC2?e)V*seUR6j;d^J?6QayJX?0kc=q_cvo5>Cu;Bmbr zaGkf7e*;@(2MWR55fKdas{%E-lVk*n@h8YG>XV6g ziAb6#3Ud;FfSM2X8lEX0$|U{~WIw!U1xfEumz0tnikO<_$%ip9$6l!@2Rsu9vGg01 z_BpwUqu;G^m5#o5?)Q|PSyS|*$37CRU$*h_lXSVrP1QFFfU+~)#>3rP)%SXXVaD(> zxv1L=_Y{vZ2`@I0eY??e!M46A6eJ+KyOeflp4yEx6*$wJ^x7n`qOQQ0CDr zWG6U~^RdmbjfLy@W8EzKh$_y{CIq=hKKD)WKr`8i^C>V51IVm*g8Zo~va?He!fGr} zGu=H`w`qogm};qbJMC=y%_u{fI>C%MTu2B)^_#RiIY9JtuVqIY4a2zgm}hjW z>5hq*P$mJ1Kyo!^#s^?aij^ZPbLAQJpJs;2(e3clk^cn6QlzjoAB5Y%p)$OeQrd>r z3F&xeT~hQGDr^~>DS%+%P%HWh4H<6^^bFr{2+^a{AsN&B(T7LI48>L9uSGabvOsBT zpCT}&{gkC5sAkn@CAq(4o!SHvis~pg6yvIsemvi1Y)XD&&>1i}x;sLeywo-z<1w-G zFZ+~LUJ^bgw_wp7{0f8j&+hl-bnAX6U(aO+{Ge_psWzkhAyOtDXf3+DwJTCO^d*@F zu`5MPX@%SM=G9g0aEZ2}CKT;6=-l9P@#^a8h`LhrsI_a&h%x#j@G5ff=2Na0DyUKD zI}qZn>MGm)-YBQaiaz{MvI{HwdMD*G90*45l*w;>s=19kj1n|^3)K=+VcIsK3+WVI ztDymjsQ_o?Av0-f|9UmT7wCW1%H^hIc`-v3ROqJ`Ywc>fw|x4uB(80}`+T@F!D|8@ zn0mR`Tr{tFq-T z@s;%0TA~`4t($7p-IY&Yt0wZ4Pp9N8@1O6-)RqLL?G5j?9?;L0YOWX5u(#e#Db%bN zX>SfGw+$q-YH#+l8i%d-Q@O15Q#Cjqs`Wa2PrUcc-XgiH;Oy!pvGB;^4;FhDZI3?B zs4YlM>cvF)bc5mQ)pi~}>GkIXtldlZL8~xBAuc7=%P=mRr|?JT!ld}G;I?HMc1nKX z2r0t^VTVIR@Kbr!t>;=WRsH!0uM-jUb>^q@Xg5Jc{ilS^Fvfm%6Cx 
z4cfjaugxnJIBLv1tiI7UuypzaAD zJT6lWTF)Gmpk$-jc~B~u_#qIA^PObzGpVP_+!D`F2! z*`~!-!udSNz~R`EZG{8lK8l3fSmGo0Zr;M@x?GU0tKa}@TvO$Z#WlVY9(Uc(5mqeU zFibJ|WK!<(#DSU!QjcMTvoIQX7k%NTw_J(hEpE*N^Rhabqty?4irvCU(~*O1NOHG_ zgKpEQ?!R2{{%xye@SKs(^*S8MTWl>88D&kv4jQ;m4iV0cjHn{28nMc2L;-bx@r{xd z5?r<<6H<%u$JqM8_#>kyUmO;0UJd5kMs-9v_}#_b2UQh-UzJ7cI)u7^AH#c8`fSH? zOtDRJ6-cykAhDdfDhUa3og{p-En=SWEj3O&BQ|gNe1@I$A$OBAEfqcE@{m;BlON78 zYZ(~V=iQ(Yg$N23n@|@^#O&tg&`gjKp|blV_pee7rxr z(NC3W?#g%i=k+oeD)sl9Hk9t9ii0Sz`j;o-#X)W`4jIuu7$RI7&SVyTJK?r8k+=YP zCYRYAYU&zsJ31hry`7tC`7YBdAW_RTSQ~k%<8$*>f@LAyzX|Qj2X)W<080%#audGF zN=^xF5S!>lCezw!PycTgAS~U+&oGbZ{8*L~zYKbKXt8`*>U3K3!0LYN2H8(3{kQ+F z0$MpiLC2oS6M~Ci>->3$c=L^Y-E{0n3jRnB?d!QSF8o;wWXhN)pn=V2a!`9boidl* z7HVVZ`DK~clBinnMZTfh$oG^9IqV_X8H4zVFxu?jPW1M@(#-P~{A!G$>3avPtu?I+ zveNGwR{NL>sHtPQ1J7H=wx-8f4{ak8Mjb>T2e8(+V2I9nQ8+Km!w~db`=&n=?bHhc zuZj!0^M=pvR$Ikodv?xs>)3f;^LWne8zq*M_A3KdQKlsec1z@6^e?z8^vWf`-xHy(-hYyXuY~OAW2tL=foStC6X!B-(-q*D4gCbpYwP=zx*?>W5`nK_hOyYS) z2=zrcQaj3MskP)zc$madEpd*O2gd0cipE^pX6F`tn-`c~8*k*TmSyTI&LN%EG1zH`cqb&#B~QwjF1K?szDQ!n}Vhce2*C5*dF=9n27cPq`5sI zu759@g`xz#0`3ka@Of`kK+^Qc?%`tJD}}T96m6&R=xvVJ-OuscI*)q9T*tB7GEAc{ zjSCmADqAUH9D_;a12PX7gtG6V78*J#-NVgu;}1%yst;mLOpjD&qAns0cPnePU_uB}F@_P7(DRBkl$xQX7}C_PZrw!F2M?jmU;sO|SqDC)&I{}6rgu7d_0gOYpa zih2Krubz+hDrjU>Qm}R~!lJ@}b0-Dn?HgP0dOyA_?prn>FZnZ>99wym`KklMdiEaD zyHnQO>-ey3C)*720mw*qA$w_@sxEc>ui9Ow;Gvg)^dA@K!peWzy*j5 z(=W-{l&em+GK0&rTgHIv?8ReZ!C!0zcyNcE!OJr5&uVale1w6h8Ocb#`W_%4Y zE#?qo-P+Z4FhdDQA@C5`x6|TSfpikKdG7dPIHnRef7Xgy=#5tE@r{`at)tc>SWM$S zMk1;P7fm-_IFelzMjBO0|CY>-!bS!oY~R_AM;DHwpZs5^L9c_lbt(02($9=L*ot%F&j8bY z{d>tprTIW~@P2Azgsyc8+IY75++nTd9v}JhmF3MeM)=SP&f#UU=+L)K1H24;q2xYC z6`<46zR@;G#(m`R*gwn8jmb=&A0R8Z_C`tm#E>@t<$}-UN>eGD zAAb?cW1s~H(w{;V$qaRWHF7WxppiR`GsrYp7gDu6`hU(#08$rHI2f#~1_ti=Q1t%T9pndJi_l7y;ecsac_UU zwID&(I_gAk3K}O7{M$IVJc{_8OYxC@#qRlv5BPir7=nnuLxAY*E^rJ+{%OJ^Vm`|Q zZA3RDW`k)IigOTC75!kg(kn7Z`30>};Da9-W3 
z7&2IJ{L)W6EKDr3lifhOV5$o&w<>6zG4LEn_J)#s7(SS3nYI7#@PIFvlAUI4lBo3KkR=86R6Ge)v~`CHaY+V2oa)>DDoE zo1?qa8d~OVjS$pbP?b`v+i^iOUXhqwRzPZNpod#-HE4{AN=SbC`ZYNR;zyOk%fLOiLgtr`*pr7e_Jnt+&%-e)3e8!=9NE3vN%H+2+Xzp0i zp8_)sJgCn2J+YWLQHA3RECtIADd_69|i1Fib*1qxGiE6gYZc_8NV=V zoJXp`5smy-k8_NiCZUw+Is1s96Jz+Xzp!JoQciV}I+2}C^XGmi6Y>s0%KI_)$?$P) zXd6JRuu&+6sK^1{p=4yW4ONz`w=2e3`}2-@%{*&Cq61v+lgLu6n8)nxRivI*VplRS zXhYvH;>x1(n2-K`wqw>6QL7p_VfYgz?=aDxlf$JgY8Nll$xO=`XAF0|My?QxqkpaB zbb(4#V84K5gg1h>{nX z(tU_*l+_Mi4*3W5NXHP2OxoSU^ch)*oq3N$lCtk7Qexv<#gf2e{+gki@!dx5g~LQq z*+3qV8kd#5hoD=Hqt52r1JNN=W1>B;K;0ik*UB}Ph1Wvl5f00hByL@RRakiRIIRit zTe-j;J?ZPBbKjcOUKtg9^e+@%0jhgPeBPnt_NH{-*kJ0t$}eVDXu;7SE9E#%GnMv3 zu#0H^MNLFuX@gMmcTKI@-6cCUhBoN-+vXKRSv3>trD!NUI`LKANAnF#nizO&gv}Kk zQC<>!45k_*#vP!2N3ya9TOzjVm*6t^)MMn0l+Sf+?*M(TaIRKwWgDAt>`expBm+o1 zB~!OeDmZNR{0sD84!%La>T&kp5O1zyTv%|TM4|?dfLhi zDneL4rc=iVQLcRw)1Y|>u0Jco2%>}X(3QS1>fQui^<;7@D!?W$P8;T3{;?q5PBj_? z^CB91#x9;|2AW<is22KFdAu1uv(~Vcrk0Zi`tV+NQCeE5 zy1gZ``Wrj4CQmX+@wAIVjD2}y&*KkemDYvlO7_d5Ukl>u?N@#3?N5E`-A{kj+wR8H z+up|1yKYuG-wt4(o=q36#V2ax2)b_?+8hR!1t}KtLf~Wz+?0>l=lw4EX`j`oW!)f_ z7vJ@wod_}+iN}RJc-#TQ`wO+0K&BOe+$4fXQ$TJq2`D8ZcR!AOeQXGl!uaVkD6uz@t09(20AKh)EYYe)ndTrW)>JiWTRwUfZGYRb^E zv?k!0x^IpYPV}mFoDef<6C=&M5I_g^hf67g4f`W*$1UF<)tzG`l|C8TYpRS0ch71k z+2M+JUu#pF^D=zj5YjP4V>T4TRmF6uLViad6x0PpZzD%RuK04#Z}^HNNv}kJxz6me zZGV#kQ&$+dS)?Ag3vwjHns?MmwDFsKXN4U}l3LMBXd+`Y!jEs*ZgU_7GuS2$txFmG zWm+g=%5?B=%73^Z`u0B9mBE;_IbD~i6T!-ui*!BffK5jJ%XVZr>X1vf2`-@2yBW0j zhx_>stO#gE`zL89Cp-3<@3Q4QtQ2My<|%*43#D)OopDJf4h>!(1j1pQVs;TNS@+5G z4w4N#+DYQ!C9OE-?ZUt}cyN6_Xy>~&$D4dri7^~SI(nl*QO=>+LBPS)A{_k+J?$IW zUWu{CT*sGX4RwURjLMCr?Z-`tSRN}NA-r<7Ip}`&8CnfCt^QF_^R1G{OF&qOi(#e_ zmj|$I%-qsy0U&Te&@#p-!y~SY2J+;E{+IK#9;O+UB9v<~R<*PY*Bn}uYJ!d2+)@v1 zlWkS^s|T=x4U}K7v_$L50E;;0kuc-5Ek#1Q-bmD`PUdHlr8*Fn{pU@>kFiCf^)z#= zUYShl`yTy2h;NMcx+IQ`kNQAx1E_vI_}7~-n0n6pppcldt>Fe=jqz{HPHZojl^65< z(U!YBjgs(3R*F6I20L~ZL%`wwSU|BMU8TX5UABz)mc-B*6XVxK>-{G}6uJ?`^Y^Ar zCpEDUpl!S$ntB 
z)88^Y?@UNsHlow%=9LYSzeF&pR9odxnaDYctWLEqt7?3H=1l-cn{|1*-EO#?QFj6A zpUk(LS`oefqNpPS?waOMbxi4hP-aoc-r?oHzbuQXVpU#$`1^LTi5I_Ngn*B_f}f9$ zKVbMQaBDEhB!cX@o9G#wYSrq3!3IcQ0830*{Cgcm%zm6xc!ZCL!)ecew&rXD(8RuP zJ9Bj?ne{f2FNYuw>K4HFrd8E1;x;rOsR1|E z#~6y>>n=+P7d-)j!E&`xs%+1&TR}4N%!(VWJO2Zif13j0$~fr9B3$db{7zIJZ#UX! z+M&f1UI-5nCjSwk-gfh)@kkngU0R%S9J8Py6x!6NT-?-!{o z-gDZ^*`BYD`g%oM7}NWmEGG(9&DGUp%j7uBo2EY|OoXZJSLUx2 zz*x6L+I9bLaHMn;19Nat-2h)2(ZfE2_x5y57dW}2yuk9GAK~=mEu3sbbm2UT1VSS# zFKudOg!|EJz{0y!BB)ntfen;*novTR_**zuRO180fSm~}UhQ1wfv+|ZV`nst7O>Qb zg8{hSrFHUG8a)h=^APa8Vfyc%vLG<(^iz{vHn{!1|dn@lox zz*m~N!fIbwW^_Bn8Ajup^zAF0sW+?L-$-#Dmfcr? z4F!>|eIZKK-MY&YyL*nrEahXWs=S@x&v8tqe=Qwmcs7JOwU}S^8V3UzoL@Nb@bOUX zGG@5Mt+V3w7X2jAVMeC4<7RCiakAjP0@St6rtNI|ko-8pg=GWqQIfVl-KrK5P5(+2 zRr%a2>JoyYV6CSO6Omq-;Kx(btqimFQjc;Xo1-e zYXZ<=Ecdm0t%io|KsRf%LL>M4cXYoXRY!tQ*=@OMfZwxo$7O1+~2D=E2ekME^>tW}Ml(PsHbyEqCy-I4F zx_JOE5Y;)36+HrprYB}loCBs|_IlZV59E+V0~`>#y*lBte%yV2GSOyt%PU}+Mz{(` zfk{rHWiWl2Jv7=Yy19Cw*m`)jC@5x%nDp#0;)iZdO;H-lR&A`O#NQzfHn`ixCXB2Z zpl>72w?tpep3E5YcMZ7uFwZWxD(mn6u99)NR@5gnlrq5MTq@uk%9`K#I$Y!Gej7AT zrkG5Mzq0Y9H_fX@^D@e?b8ja72RZuF{s;@q*^v1m>v}|Nrc3@zG7;eK>i^;GkV^2_ zv&tjB)p8lA;&z55qa~kpF^Xt^K?X4UByOF-RDN?-V9;O5$h8=@?arT5{a*q{Iqk2& zx!Wa8rzJ(n>M$jERyWNDo%Vr$)y>|~WJ?xc0%E$`T%u-5@rMY_i z7niFjOgRo)TX8OYO6Amf<{3uTjD|`&Ogk~3ky?DNOq@foN+z>Z8|Gfle%mH^g(H^W zxBFPffqnAID!p^X#?P9CTKx>uzt~PK%j~w#o3&v=FdeMI05i@_T z=jou%ws=7~ku9vWRwzn%u!P7a@H{J;BCf7#@Mk!BONbYNgjUi28JGF_VhrI|G5G+2 ztE%WMLdb`L*>$8KTsaKQvCZ|4L-L#@_ohL+M@$++6*4(`q4bKLuSn0)78&#K!dZ5z zMFROC`l(z+3LIk(w!TBQW^_L@;<&G_Qx8cOoEXLO+iD9}67?7a;DKMR(#12otdiD| zGftJ$Rpv?(#n=ddKj%4^CAm%U+8fjEI+eeAN1z8-Jev-n4FfR`zyotuPc{*4HO>%u zHo_9UIuH1e^0;|2%DCCs{VuZ-GaqiGKJyR0Pk7~IHV3@7=;%yU&SGXDOS*TUSEQ9A z{XJKUE}rj$!93@dV${mptW6bV9KIvsmGhjnd_31@1Y>p{Z4@j zbF3BSE!Rh9W;J6}j@-#LUcSKTYc0$8?kpJC04^n#oP`Ts$TG#39_ejI$P4lQ8!o|G*UA67hT&p1L}m?b%nuki3*Dl|dxW z-PEuj;_$YG`g+vD)<8=`VYu^VUGbu`AwY5`=UwE)7#4;yw84v&vI zn@)>OqvP6(kgM|AXPv0{+)+BJW+phcd%^v9GXw$4$QKAL=+afyO&%8_ZUMlPtKwrA 
zmwG-2d9}KLdbec5#mgUfr{$4yeG!8_S)bAj9E;H@Vi>Ww#R?A*V9Ids@`;<}c7e{W zs*)eHvo&UD%m_9s19DO9HGwsjrsyPmqfvz3%|28cO8Pbjm2TPubp@KWf6+Bx*i6(L zvtLZ*`%QU3$Cg-QmX%tbzP|sgamEk0wo~UG(H7ictS;#R_ege-*!R@kuS_eK~RF@hZ z5}lsZ1{9PngZW9uqxBgX2@m(;&a`|mB>JoXbMuKi3Ex_a9M)%1AkBD7$bxR*K$LZ( z_xcvlPAr-o0*7w_@npmJCs%MbB;t#S)hnM9Ua$15Ot+#Xz<^QAMP$=)9-zdS!6_Rc zmZ{X*CdN%t6P5L+c_U+VUo-coh4{QBks{@HEut)tQR$|T0=o@T{eTIWiB&xKlXGD{ z3^Ls_NJr;vQemDVK-`M=t$MS@3=2#;lwuNaC0-Ws**vZ1V0Yq36J}Y)*MRuTfjc2# z#F8E$&E+fHTvBQB6*wN86p^r`W?wKl@QITVT+R!)1heGca_|YJo5JlGHrA90ECjkP z5ji-x=>}cL$s`y}T7Qnq{wDA*6;3p1*H~ zoMZq5Kp&uxUmK|yALqaiw;zFqX1CQ+%DsC$5mcyNtgLY=1H>mic9x?9I6Jf6Q21Jg zvbnI;dO92h_Heig+6^)Nq^3ry#Vd^%Kulg{s#C9GC^af>kJxnYT5~96;m6jcVI8p@ zigNLOBzDBTjyWd({0*>y@yUlnM5(HYTdu;J7+~k5T_s33h9792oq=kzF!U5jVJ#<7tB?f1cV3i7E!WG${jEndBf*&K?)M1r%GyLX%Gz0X=-NPz%-X=F%-UZ3;Myjg@}EKFvJho0Pt}K$ z_{8oS($;rh3!ZLB08Ni2l_;<9?qCi#`T}c||2hp*BuJ9fW6JTrS)W`-$V9m)haB`( zmz5W8yUp}}vjD_p&CUg`a`L7!k1r-2p zLA!N`3VQMRnu6hZgBqiFO@@?3lhUsZ{0|7GUKe^WHk2UtM<1AdY>roxGM@aQ*{ zNjwsX^G`7CGnm+DeA_;i^7GoGhthM05YAgnj|!NO>LY*lQ~qL*zu;go>0+1>^e)grBSi^UJcpgOTk&Z#BXaY3oxG)sByRO{tiY4(&(DKq?Yd?&`>8qDu|*U^UA=$q+$$grgN?Jx7`CmG{Z05N*q6BhH|xuNymT0M~q-d2&pw%w^d|2&=T z8Q-2by?#*C@hdTYDt!(~VL^aNphq8TY$PO{+((c%?IKa=7Eh-r$E){(SMRdFwm<2o zyjTli-DTatLy+j5C5r`5n#1U!m~8IX*L!IR%D2_&R!w~58SIcADByA#ExIo8U7QYO zC-*#vU8bat9Bt0(rQf`?VmOxDne%uCJIL$M0d8-A>S#g1U~n@K5?M35HNIKCZk=V< z{14DU`+tWW$*GD-L-Qj{&%|XOHtW;Y&p4y%r<4yw21f+k?-@v|LVhvrajq`@er3!i zYpl3r(n@%)S5}0+KW_T?j6p8?c+*~-+lH+q&g zi(Bg3$=tA1L)Jq?`3?q1a+Pi02m0EhmEM~hlj<1(x(ORw*@ZLN(F5>`4C@vdlWoKU zPB+N|N+V2M;y-J)vaW9!ld$l%4xd>h)~)VzWg6R^z>CnovKSkd&3x}tywhAWI#r}) zOu9MyH9dbQ64lz)Yn-fkwxvdt*bSsP%O4H`DVJ(I)3lw&k=eE<2P7J~!_OGCQkNF> zm+3QC_ijk`59tfW_Sr)oRfE@7ROic+o7AU)xBTFfS76^mYWudsVw#E6O}q3lPDJli z?MqY70|zVL&_WvxnvQ9^MeNA)8wG@?+hn^pA&?5<;h-=|6^$CcsGN5QGphY@^m#A+ zkbE(d^kj>fvFE}U9b%YhYR<;f4XN?%zuWKiGvjMgL}Ld5Arq?5nPy}hM>}Id^+yg9 zdubC1U%EdGjfR1>QD)wUuzRW;_{Q2fR`_XKJI)yly`AXHPI@Ui9$c67sqylr;=;iU 
zu}(NEpRA+CY>O@7=frbe6Nbl#t|jUANDLQcEe%ikDV6qxcygxS$h2nP;~B?RrT5j* zxIy_lt{m(J^u@QO$)@)Y@*dO*W1oYfcGb)6;}^>dSrPo+n6N_}v==DXCkbF5Gzo9* zr_Jj#ZO9derPrW(V}U8*RL$hy-C3J`?Ziu()p94dBOWylbwPKIfpK--fyW^$*vy2#3+rm#1F6 zkSfYgTdIB{p&~a$B+MH(RrZ-QNA7rmKGhI>ER@SL`Vp1YGrB?AZYM>l=|HI0Rc(5h zAu?Tub8my^w+17j7N~I~C$vWq;eQGxEgOdOO4UJ3mgKa76Fk;w7tPD6$CXzU;8MaL zrLLfAy=PZ8sB--DxkZ~JeyK%Q_qp|M^Xc`Pi}Nm|;UQhmF6#%LjS>^$L-@$kGn+9D zRQ=0l0_1hip%=faidwq)-PttrB-8huy9vH$Mtm_oq|3oiAA$k&GehH_=RkU>A~CV~ z?&lct-rrb;(GD@fG6Dph4lF?GBQ`cW!A=YBwk$U}m2HVmw#9blLNi4r@vJPqp@om2 znM(R!$<5W(K10nFkj@&c{!wTiXnR6CNEp0wh*~v7GnjTrKA0e{PUs?+!4dAXm4Dp& zT{fT&47f&7h8LV}g&ifl{}$$3s?(ZAfT?uO%BQH=x)N07R^KQt!1g_Cp$Gt3*B^^C z-8Y-iDm)#`VkC`M1qMf@aA$cM0w2i|8_ztfYRdFE$Jx+y8=tKB@2$+SN8kCac<4LX zLL{%xqj%vxd0f;LE(3R@s)-I6bnCAehDd3c@fQ4KtDYROs6S=Qw@OT(v@p-qTt>=p zIX{=PaKEl^MM`a{T3qf$b8ew(fe52PKsfk4sQvOt#Knfo()^szkyF=5j#fAR<=w(T zPEi?%pxha+OB=U4hU123)B*RuwA9?hwMneiSMpzx+k>MmYuSg@9;vy6_u>(dR!?xE z>n-O=-7(47H#i}I%xeqyF*ahdTC;TEeqEL5DIm?a13bTqvl7|uHGkg35a{T9UwYX2 zFOQM`sR9cu>fiThNH{(N8T{-|^YHuq`ZbASO#NSG@P6=&ybPV@x-t`yl@B7o2>KT? 
zN!nBN`)Y)M==+!WG{Gg_5XCCZUeXWc`qBr{znEO|w4hzVDm_!IOSN)x@$XniUS;#K ziQ@@ zUFDb5jA)g#nm-i@zRIdv$71uGmYRx;&mea=$%Pa(&A`j%#kPQ2&}s>sQ9XVDYrJ&; zsu7|osXAKM?BB?&hSc^O_PQf;3$pqj$-0yAi?T*>IiF-lV6J$Z0ww?VIBHpS^FVJC zed=}-g2q6{H_|#jj>-AYw>64X|6-~mgoU-XRyA4r7+*Bugpgb7T?0mclZd}HSAc`B zfr8IK*6tr%YHqQCK$dUupJ|*mr3I-fGzarMa`a<1!Cju3QMqGZBNsdAw)v*sL;g9w zjPv_Bw6bf1N8Y}5!k_QRQ+57^yq0;YZ6j}PMr^zyc~-CF>bAR{7$yg#ppJ#+?SrPySLGA?vXncjav;FV=g9{E3jr=yo=OxR5uU zG_;AZ3V~9JzkmnjVI)XEgo+6bGhr9GVH)2$0-Ld zDHCW-R7X){kj7}4au-%b)5HHT9saHRa+R1+BIxpinu-2&5jF0tb-5$qMI zlBDiFUtLOG|DsnN`5>O&>9#W!0bE@E=O~%?6>Hm{RbVU@~>j`ccvde2kJ=pMyej zSf%~gyyo2Erg64O{yd<=q8vES?)Q{Vlvx+ws!FvZO$JV4i2} zeXi%^1u|17Cze5ZYsoWfYE{;N$nct+U!QsCPJF#zM0ix|D1O~^+MHo@+>gFh5%2bU z-f1MGS@Qa)=jL^LxXcD-K`kzPv)0Zj#|7d~DpXL`mmv3LH=q36U1X0`TUALqleRHS8s*rwRA4$aQ^7me)EG~O1Lc)R zF@DOb&(`c`T2f_X;hXffk+IR1nmhF=()a=xG(3gP7$mb$<;@66)v{C)W48~tCg;PK z&jH>Gk8zR4lIqdJW>T=rwf#oAVRx_FM2uzL{!d`?T=MqTWbiGwFwo4eHXmPj+KrXi zUH>oE-a0JGuk9KJQABA`Iz&XeyH%8uPU$Ww>1I$;DM30#1f)9$7?6~d9BLRsI);X! 
z=DP;{-Ov5J-}64-{m1u*a2$wUd+%${xz}3fI?o;SP3(^yE9z{E&g;XzqpX-unO8ts z?e0Z`g!%rArwXujT2)r*A_3Qt2fh-Y*v0?h34xSGUe^!}sCi%jZlHhF5Oo5@v4Czt zMry8g^^b5dfdo<;n*wD)PuZ1CD^w4j_l%Qn;XDaTH|(`PSh1$iEOA|nJe0?#A^la* z7gYAPWEm{redMi1uCyu_Bg68IfSCSAw&pt<_n2jLtsM{<8Mf#9Q+_C%1HN zXxN3bzbN8NRJ&WSv{H(JnMVNaeWshMO%N;nP41rN{rDh#yav6C=3aHQ>lwK7Fr?5I zxx6hFVuN$+{DX9vC?VnZLI=UpM(l5|mxOb{@9 zV;cGJ3a(+aT`k7B-dHXEfj%lOG?B(;F*KtR0KhheYv=@U)DKPZb zFR+?cgK)v$fJm|qs#Ii_C19T-7XG`qX5I+o=&j`j4> zIvz1;u-ntPEx|vj@r_z?d&a9wPn>4AoodNu&Y^cej@-;ADcCdXui)T=jm!k}05N*t zAbP5N4=lNM_9zfg2S%iV-+)67@h`tu{Z$<-g#Hx4NCUhZumxrWq@jS)HJxahf?L%& zgM8|S^NOaA?7%%2;WIS~qIW-TKTo{F*v0D&V3Kt!rZ+BI3!9_m-DRQfnn6duRJbWfPq?c_V*XV1H%oSFV|iB8y*n3n!RnC<}@lv>+r- z&e7HmAj*8J`!gEZ-zihm)?50S6iiYFL{YF3b`o^vyZ>?^0-(ReGy|B*J6zf)Qgz_2 zqW+kUhYUouxN3U&4>K^jp*!QVz?EWATNEb zq8bzxGb~yb80se$9#(D9eS(c<(Hp7n7zBgfgPY#aHfcKaWa)d0tebFklcZZr=}_Wh zruH~PPSO!rXekJgMCNi3_!x^|RYF#t( zIR(@)zC-JhXweV7IiH<%VO-b9Y!Acjga<(fbV#5?hWK=R=pOKAKM8Q8ghA5g^KUTN zOB{H@w1K`9hxpzPe^;4DEO62S6<|1O7M#@)g}3sjh~AS>+nC;cnol8g@P>A~BzP?n zak2e04942t+(dZ&xL7$4Ilv}h%Q3=S$7w zEA)5>e~@wi*2|Q~Q1Pxo8*nt$%~;x+G3oB!Lz#y?COy1&GbP5)!ruUlNq0pvHzX%E#xlahuxr+U#wpBUs9~PAeuqfTBsWCqMET6`gDRWptbV+YM!@(7dnXOV3)!-r&WQ6-Q7&`Ss#8I=BD(8XpuH4a79>IJ{L8 zh-PD~_lX8CI@5v*TcxC2qo41I)#gydR@{szN_4a=kbCE@&CA$V0JIBvcoWEA*(n}f zgeIA)zp)Hv2Wn(&$hpP;rD4!cjaJ25@!y^5mCF*9bFSmSs1a-g=-%#y(8(|QzMJ0Dgl?#9cc zk6ThAfxNsi)}BKDEs=52m`jWmJ8*_uK!vUiTD_)oD zoFIKf&d_js;Z#}l3UE#6Vvjd-(+Ypn`g01rZuP%C5BudD#_Rf-xhm+pA)j1z4hX0& z8%7$hO?veCdZQ-2|M#NQN>@h4IN0+HYYUTzoB>kqzhdh8vrN#Hw`22>Hqe`vX9fxA z55do`!W90q4jx^BAfSi`uM0qM1_H1Ft=fq&avO4DL6nM$D0n()BvN|_x^CK#$6UjL zbG(k@p3`z|5!o>8OC#9Q*(W#pwy|dN3KU2EFQdr*Fj47eWNlwsI<#z6W-?;YR zHP_~x`@^-PU!%G9Ta@I#bL|YZ8MokB))4OT0vw?E3m!JTXXJ0y+6}$AGiKN5pYwP3 zdhfschjF`Zv`%ZbG8*I-%{aEemLFipFi?u$f5eWHaH>!~IJxkokKEt*1JJT3M&pcF zKP5bbC68bxKjODGnLM?}t}>3VJGmYQ)JNixLt^fWN4C*`qi7(IT%VSyiiZRLufSf) z)(ChIjTr*-*1s4_+W;x_;XctbkEylYB=>3u{1SWG8Oo1DEhA_iQp8SxPXv@`$*h7! 
zQSeyq0_oU~ME8OgQP8Z#-5E{3hLKJf= zk~=~Tg?p~+MuVqrxb%>MU&P6@2c^=Dju;pq z8H|$RoTM@}PQWxB<)SM+daIEWFDS4y+xCVb32;koG0FVxs-+AzQn_S_0{{x^r|5P2 zasjd%5#TG{;o5r|DJ=h0zP)cwSg7@vS=_ghrLE5ZgWHsk*2=dVnlMZBL$&2x zz=!_c#s;dO2==N2ShCEgwp|~G&5GGV%Qw&MZkjp27U|;AX;*DcW+f`&8;l?M=31>o zfG_X%H1uDong)6_6+r;kxpNXt3-AwY?b?Z^mTF8yO7ns28o4Df{U|a1WljeQoG|ML zQ74anJfB#*$%>{T0yW7kMB>Cz_oi-=)c?E-q)r`uZS-%JPq63! zJr5p47|kImUX5|IkR>nf{(2N49R}0+9mB4f&#rkShEpMzw*2dhtQhZOt?RBO>2*~@ zybC@K`IRThK8CFN^FaMzZSE>TUtUsqVu)w!CezTL{q^{XAq<;nxB0<**SeJ1>2}#t z0vVUq5Q~CCft2YWlI*{;fP0ZJO6_jZh5=)Q%aQ|DvL!m_=NuHuv3Q;ec>nNt-{;mc z)fjVGE@_b-c{dsDvtJ{@-!dHzRIPN|agu?kL8;bUT=;4M6U0d@KgAByKB*7L-nlve zcph3iH8*DkHUQdbh?Z3TmdT5^s{OQh`n>KztehTW@TO0m5OpQ{A7C6-i*6PCb8?scDaF=3?L=<;REq~%lGWbr8_n2q$FMPE3&L8ov+HtoN#wX zSfM~hm4}vn<-lRO+jpp8$+`)&@5$^!BhZ%R(Du zZb@%s(v~5ThIZr{5afpq0nqX<#aa#B*Q3RT8pU^uN+!boY(ja&$dLdBfI+)wqg9I= zhAxxbK8f?m&Ic2PFH-kYm-n|10)Dw4vtK#>q>fyLf)}aNDu`FcACAg)>q=^E##yRx z@C8%{sCfEbpaHJO_T%%2ye**8h}CqwE#%rAS12aHU!Mjx^6UerN&YQQa+7C6R~spZ zH+(h8X-k4BmFi4Qe&E#d_}0VS;@9!3PWQ@ib5NZ?|6DPn>*tWTCSPm)#4EljBTG}r zlft|D8#$H|f1#oep)CdgQzc}=8%V6ICD7p5&w=bVVEF3ZsxJV_C(`{BT2ck<-RPG3 z@(VL+G}2sWjp28+hAJrvGYFOGEN6X6cqxmSnJX;!wHVn&>xro!S5p^JSsuH>7!i(V z-_dT*RU7c`=;Rw?zL2dapjD&%)fe9jP!@&lD2NJ%6)npd}Gn7xYE9w z@3XK{2|uYu%95~RmxlKs_i)tswDS8Oi8NrHbl1$wrSudLK5=WKQ|0v&Ol6kLq*bKE zkSUf_8Iz1cK`(Rd8|&K=D4ae8=h&Pbjrlag+Y?FtBzyeTAKZ@aG%`#Mk&zQluj;eH zIXl3)#|qRyu}v^h$!7u#`VQL9mRFS$sc&N5o`7pgE>4C!sS{GJ&Ti(f7M^5?y^s6H z3vd>L*LtBlIOy3B^XVLs!zR`{<%ZlFjV88d+a6HfJdR=4ASbMJfk|W>K_z;39>kz< zu-cS5)>9mV8l6WDEP`mXS3d@%AR9{z#rxpDVKp=e?QgJXj4%oC>27yVx6;Vyzk}(v0C|>590Ar(-V(4ROq+Xq&ayU__ zQ-cZ9Nwo>*+~mjKw#h8r#|yMtb~@gfj`p-0*@CcBX9|esQC%U*V(VSH#@=*%)U?WJ#%i1#1Q@hJ+@fSIKOCej*E5|l9g+3}< zaeyMUnl|sFfKWERCu) z8XIL>T#eJeGU2W7W9$3e4soyxfx2sN+00#UM_}@NJ5wc*L2VDG>}!!xg6*1L@SeWA zfp_b~4`rXuqGad%KC<1;`*V9;LB$wg%0Q|V{zGR91GHv z4=3J{>0GfrC%PIPqt1!Pvw3uUnP@MCr#tiJvfsAdaxTee zGyXm&@AwiE#kk?zyDDm=}e%&cX^OrP9nsMlNs2ZHyVCDUVhcGpwZD6 
zb07D2_^6H}|5>QWgF3N?tbN1}tCAUfSnvM4-?`5l96r=&{iNyLu&J*Pq`CXq52u)? zVb-sE!G7J13;t9bb)G)M;m`{ox^|sD8pgp;ukfF^$40lB{W~&jh0SktTLqZPhP|lr zli26XljH0ZS#G3ljm-p%8|r0WU)o~VI0|0r9+PHqf#ynmZy;~@O<8TW!1!kdoWvGM zuES-PM>7_N-sVkig(p_)g1K?>Ke?F`@bENDQ+qdvxbg9%O)2k=@|XDE&@&Zk;tQd6 z23zh#yr9o26m0T*ZYlCSw9_D7&MBDL`_Sy;W3@+;TTwU<$b=`(?gg5Cw6LVWdfL?3 zkii<`1-3nE(RO$w0p})rB3(lzSo_tAPb%Z5s&9-FtJBcFqkHqmjL%lwyt3@Ms(lRA z5X(^h7a{1V*|9TCLW5Cak7Gmrq}L!vlb1)~ZjOaEL6J1Zxo3L|)Skl?_z>Osai=hC z9(luU@Uh$&f4cr}++Pjx^XV`ncI7B7*-U>-(E`I5DM5`);(3O9A-^klT!wKZ{a$<( zAst$#r!1ICfeZOP@aKI|x=!Tmt=A&aJU0j`p2B;tjj*elb;wOhaZ!YF#VK$KBu6c@ zHKZ8xymYbs>^*bNVqbqHs7`1Wb7!YyfcJX9!8Yxso*30<0vPR@%u9lyrb4IqB<=hx z6ceVC5URXN>l@XRn1L~J{5R=+<7ono&K3h#&rmWxDYejCyVNe8uj2)~%ZA8pyHqK8 z&9YMelb2u1H8b4jBVPO*_+3~gef9W)lWJ)^Av^bc zn$1&x{Rq29r+0yAIHmT4$wnHnq!`y)W^2>E@8&azv6joVGkfzFn-j37wpG{!XTyh! zny3n(V5Ljuh6B%YI7v{#+2%2&GL&h}!@gD|xwN6@MIE%pMUql)AcQ|iFIc2961xzY zcbg_nabnguOLqGp!B=9bx>rg z+I}+|cM;O?bYj&W%+U=nI@-yot)jl!t(EPkGT=KUmpO;1;-=N~Y6*K{D-aHskU>u& z{Br#WYOJHcay08YG)@h^dJw4Hd_Gv_y?2h1JI)tk>y~PA2_j3<@m>fk+k??HDQqAD z`WNe}#66K=1{a$U>mxE$b<{8}y@%1KJrdK+tc3ux;hPyUT?}I!VBNB6FHM57Io0M_fT_`E=>Od_)({RD z2Ivbf+-}n3l&#-7iJc9VpOqzZWfz|C%*w2i^#TwX&Y<(O`(ufo)=o?HYT=R6)t}hg zN>7gZ`jgK2saA%~(v4ywui;{)B~K>Q6dF9}U%9yydG8m0b&hui0dUW z%Nj+06#Tb;?>cq^K-Rp}py3B_<%-bdg~pKLUP5<^rU<0IzNf|xDh#^1SP5#1$h|E< zde)pjF9iMrJ$4L)oaTPdw*?tAx)rQ6^&{ ztp>TEEs|=izG^Di^6+Ta*vy-%c)Li#x=yWh?jE&KDUJ5y z+2UEg8RY(U#I04_aL0ie3&27fWi=g)0}h`}d*UPK}SsQ-n3&`>{`#W2a(r`?ey`z5hSmR}P z0d+QTV@YU3VJYv{O!SCDF45=4=PaAaJFvEk5ofC((p!pjPYt_!TfC+IJP4;k%%cSB zA-UVR%x9rL5L4YGc_QRQXWjQOLi{iv^n9p2t3>1qdGw?ThH(n zgc@Y>jP#VT+Lo_;&ci?FJj~fO<6;4wmH6H;%=)6gY4!Ez>SibG;lP(o`1_>`kE>>3 z6lWd1_w^bIfkm;tWGG|gSiEP|#RrX62b3nvA5+dYVj||s1Lhhrolub{bFBO-V`TIS z_v~8XZ?-&N04F2+bk3wGGFSPA|S2qIS$Y-OWJ;moRvC^XUqwd0PBGLCrKpL>*P9K$PRAU+K~f1*Mr~=c^r> zr1L6TB*$@fDZx@vynuXlr8q_x>mANm@*rFfqsP%&R687<*{ZBcO-&cAHID@M13EHT zSl5EFV)Mm`fGl3Tw=U+@=qfiqM 
z%3a9NwaDWOB;56U9fjyU1L@E|p+j&msb`!Sv46rG;R0Fm>#1MAV{-{{*9yf1Il2%FTq! z`>YvQ3lxd0cS4h!Og!%kA53dfb2`_Y2XxS8^9>tj+~Q5<%*y>4;HR$=00M@LOpEz_O`-V>YtV@-%nTEv%?5|KGye{YHXQs7qa zla*sn7Ib{7;QNnIX?D#qdi7X-htF`R7(c#?92+b}m9fkAlqW~rTaO}Qj4@J-?a0(d zP^}cI8_ZAc?9?N=g!)5%rklspJyh1y5_;@LSHPv-v#t5b3{ll$E+wV<{Q}k>iaCOZ zEwipL1$q_Yto>*Z+b40@58}@8fI-YBk>Aux>m&KIF5HjH?g#aDqfI^Ht{mMdmbpuh z6b9}+889))eD|J4|E@Baf8$5hGRjzvI8AJu*TIj(QVO4JyK?9yf3!jYWk5+ghlP8v5wcs7 zm%Im4&4E*pq)*f;>?VbjsWILOiFwH80JiqgX7SB#7O52gcoZ)` z4Z@?|6EmxleJ6m=!7D3>i1YRy72;T&+nrUM;+o#S)a9|U_!~|ZY zD5q~p>u%{OR3nuCRAs- zrzqoGFFIQ(bNRt_e3A0FWWy-ozryq_1l_3;-!^7Bhv!{_Z8J3T+><}ns2Ai``?u@R zq(OCk@;CE~Pk0THgG~o;PRNO}&Q<%t#_ro~0bfdpd-D$X=m=g}hJwYGo`?E1D~h3V zbXZCW&QrT*xH*%24L3V-IqgP@ONOGm%Nm`mCS|CbM+e=6P6Hl&GRNYR=s4b`Gkqvr z7jU;3z*@=XZ54wThw0{S?$X{cSsjn~ssziWe43oz0MYk@#2dE|#MWYhb+)JnKAHCA z?Ua`jTzrUQDPJ+&V=KK6b<}e`ydirJ*`P;H++zVj(SI&;`xl)fLzy<>;A8f}xuc)hIfTp|FIx`-+a<-{|mzHd=u|B2HRUQ_g{5~Vh(Qj{>o)9h}_LzI< zX`3Edi?gZKw)<{so^w2Acl=u^2J1p-^({(8vO2SN;)6!~g&$1h*71RP*)#*A%c4Hb zpDmrfCU}jGE0JO47#@#=$hZ@KV*`zGwgaLg7>{FIDd+shVRt&!o_FW3HUGNSoTeIY z=*=deOX~G}?);lVxL6u%Do2$geUhqG4*RHhbSlrD0E+qSk)cHY|Ah=^70zzL-ices z^N-XTr9Ru{rwOsN7!pIHhwyFBgB2wLTJfITS4nRM;Z?8p!ok{Hqi=-LW+X$)SikkX z8he#R!$?J)H1+WMTwaW3q``O|4vs&XY98)Y_(skm@Cf(;dc6PotE^bd&K}1wXB`~A zA`8<$yxno;Xb9u4lmyU;^X+pAjEy9?`H^hWM3&HlmLY1{^KGf=kniY-e?7EjOL#xf zLwz9Y?NI~D0p`3kj@Si5=sHfiLGKVTsQ1=z6zu*d(ss9F2=^;7h109CSSPcQEF`>e0| zCkFzud#jM={=3+S;>f+hUUC&`%B3_zma*GT{7QU$-+1B+MA|=1v};zZJgLscyPv;S z0GYU##9ycH{4sO?q)Y(6#QI}K{~T)-1E{1W)039~yd!jRRr?tV?^1@sIWMAW+ogU~ zHnvOA)n)TKzFd82=o2eq#uB18hnq&fBO~rxLU29*+KHBRjMH6NsXbM5`zvftKv41lEU{SaxoWL-)a2w98Gw$dQZovm| z+lBmBG;o#kT=6u0%+_Hc5(-4LT_W(vZPi-iIpdI=t3!DgupwxXllYstN{x>vL*~EM z#u``~^1K_C7((qG^TT#ewd<&)U(l)wbDU9 za>e$>SV#Z&j^{on9l=Yf{_qZyWu#;Gu9wd*o}wQL^_XlWZEcSH4xbJihmWyy5YeZ_ z*3G>&k`V1)wPvXw)VeZQ?#l%Qbg&~o0nU>{)}e9nrO26_fRXX@+oNAp+=Q5e^bH0* zckadHaI&qA1Rc9wDs_}Ix<9-I7bn|U1c7mP3M~XKl>T#NHl}vtcarFx(=Q&W)qpaa 
z-3z*ZEWD~BmN$Q*INqryBmohx0egr%hsAF#-j}!*XjOu27dr3%%oX;>*E>(4mu2`K z7not3N10Z$k)3agL<&X{dWc zEF?Aya#kI3Z<{WW|k+af58P@|g}vfz@>?bD7LF z)y@qkwrKjInsBo!GBY${GxH$4kD+;)Sn9~V{iY1aUWPIk{Pi^ zHLEB5_K4REDsNx7@4xtP>a!j(lT(uN(rVG4HfQzK<9+`GmYr80Ts@=(0Uh|6_4FBG z7w+Sf0&xxBfz)XS0ZzL_1`E=kA>Y|wGUvtpS_tbGxtFo7z+g7bQLZX$342q6Y3$H? zteiyk%yyB_JUVpy-Ups~)s)II=SW=IWmk3{x%TAE#XZJ*0pNv($*@Mz$g+h4pg!y3 zagL86vT3t8UFDh+jLwwr)Gc0)zj>XMrU=fv`thmMduqRPBSSO^a{z63H)@6H7qBd=>WY@5dU?3WjE!VMTaK2fO#I1aA>@ z++eX@^2Oq@x23rbpIZ*+g;*E|z_o&^p&xX4d7ui~K@bbGVhVD`^VfX8;@_~q6xzkA zdK9fO=;jgSl<#Vub3yr_QzYlKtu{sMD`qrIJ`-6@s$Cs@} zOQ*2D1XZN!;<#HnYDzis2wqSfc@c_r0ufZ*;P>}#O(gyZ(^~XX1s0%-D(&o7H^a^? zzb$jYCjaGWdxJkmQfVbf6ytvtv;U1YlraC_X@lfn+K_yHFVM=aGeYAqn7-t`!n$Ip zAf^4Ra=WBK{-bzv%9S4$rH+YDsfG|*`r1hxyD!5-6ZOa+lvI7@apXb$K{H3~HCN|r zz0occj!!p9^7W|(pg;_fxhV`^=HiQ@V%&@7TcXpzu5~$bly+YHV3%i490ngv@$A zanh7B`seL38p2LFxu-i*+~J+Le0F8q6Z}y*cw-!xyF`-zl~%2_#yF)A(HPLtZ)JdU zR{>-Rf6P&Mvf6-(I8SP&@{Wm^bIoqQLPI|~ovYtG;m_c`rsyX7nnLPXGB;C~PPm(j zJ#Yt|$Jal{t;es=Dk_DS56@BlTCl5plx*|)=ln6Sl(zy*&s(ASWR&MuR=lGRe8J)P%m!=Poe{UdsQ26Bg6X|25szIkTM`HffNh zPp^|^l`UUl)81cl&K>d+QKt7bYTWXbEp$S9l-GA6Mh6}E_d$U0y@6%-3iU?#9RO(Kq9Sbjx)cC%2gX<5htM@*5g1!-WB=?oTDq){tY z)qlJI)5kkvkd;mZs&OUV6mhFuo3*00wrjgaz!7d_?%)trqy9nt=VY!;XT~EmShrE9 zO!5sKeBl{5+)H^y&cYZ4LgPjpdc6ujmXthSJ9G?txN~>HdiP#}z@_uZn`Faj664|} zYYSbT${Ew^D2Y=+xSa<06+A*?7K%PLLzrd${Fr{a%BkhXH9)w=qERykd>C&2VUQ$_ zjwi^=%18buxfEl{qiV17wz+oJN!)I)P)znz%}_u~r85l-a`E{Vy0UfR~u`gWc#lfM9T3Lo&+g`I{s#_hmW4ukI>ek`5GoCSjLZredDq+vI>^NDy13xJO+Y>0x;j|3 zwUYpY&3Id_2F4qE49Msmp)97%sm?#I5 zUdz|)E*M*;<4q|^Wic<8c5u-=Vs}RSXMYfYCoqZduxA?K+z*(sRKMIO&vRe6)H8qPV0}r^35n>CW6`2W(5W)DJM*}C?)Pr*_-eI14HRsdTi-LhG76umSodmACpTU= z433s`PEB~nP%jkXURov$@+<&53_G?&^;V7ZAT zY%dMi+O`Gi-LdAHO)r~(Z&wtEW-Xh{wQSinYs_n<9)2DkbDpI%#V}aZbUbo-O7L#; zKJuVF!FD6db&$_kVrZ3hHKN8_v{WR&4$3L}J?%ZjCvym2im=$_%2i)Lpe0=yH)oTU zM@ItKC@=*ClbmYA4aX^{s6I4= z>=(Z(TktKOkp}XBfR;e8vW78<%s^F5+4rGU^RHuiHG58}s=RHgCaju2UnJo5$Gx*H 
zBz@(I1Ha^&!n!JIl97s`_DSw>_U%BTrxmkXzF7rKxF%dc>2k!`NEEs1k+bI=irRgA zVqBS5u2R)nm0T%01fZlEt=+W~0s=Q)?|&|G6@yq$?Q z!^P79(KD{G&hn=q?~j*^r#|g3_ve6>?H?<7MO~M_gW66atl6D?)#QWVuX9vt7%R)c zGY)*UbE^cmsRi1a?S)9991I^y&M6+600qHwGmSCThHHBNrE zJT&yS>v~U0p3A0X#DGxq#6PIW)UD{tzqLZaEDW7>(rS5~A<)kQ9XAH&K@zO>R}$v1 z;W_BDvV+Fz(i+3_lr3;sIncg#k0`}7*z1PyUJ7>gb* zGYJRmZ%%NbBag63JXKU!OFv1sN}OJ21@(fdwniCnr-2l%F^ZtbIG{r>l-nPtKIwMW z<&7-x$pdigHZhd#Xmc*h`ZSO)G|B6jknnA#AJVG>{GPIF>+JBgnXgXN8%PT#?h~h}9}Jun##)A)L+9H2Sv$8HT^Fz+Nh(8M$LueEPWxt@ ztdY3Icnl+)62ssOMlr(WLiojmx569nx;@ihdo)9fb|_ayfA9^~TMH$ZS!Z~OZyMGq z&6Vh|A0d3c`Nf=w5u=Gl{pc7crcKE})3RR59g}#){t*WS#?Nu4s;m^`c|Z6c^m6kk zVYRC!hgOPW>2XBBb^}^YS-Tmumv(D(uxY)|)#mv6Ntoa4P?e^nc)3qznUpVe z5qyCt=CJ+8FQ|77ikQGTT=vYE@o2T|8Hzz5XgjRsqONJbKd7lOHe+v#oKof77zFX{ zpV>8N9!He#s(ZV(NzZO>;dx0ezn(U+2FEtqsxvv-I&RQ}`*)m$`g@CdTX4#}@wP}4 z!`KqXI>0lS-D&zW9oVdEkS)4dbSrqM-MP8XKNF0m<(K@O5l}wsGuKj5Mp<; zwNNGT&qtf?x&Z^D`)%P3_-n#GP={IX>7n2~?TUt?gYUSg=XK}XtTPvcamVe-#M@V| zb}?=T?rWa(vLj{B7Jk2%fWgl$$3Np9Ld@-`)~6m(-%3P>JB6#Kz+|y{whQCaemO zm(nu4MBK8m@mlYk6#hr+)#rG#sW}j{t)96LFWxKL6wSK$&D0REOwo8XPXgFOn)Dl1 z?8n%|0$$co1GxM&25Xgt;>n4hjf$cNk!QUS+>Zo;8YHi323j_U5z@^a9;it0b?VTb zt1n+HE(J$%G&k<7mZiYpB3=92gcU?D#~LdEZ`N|bn)lk&cZgVFt!G01A!^H)=B^U zDPWYXX(R}wnZ1I%^z03N^UrfS99{aOblj!>n5=+bcFunbzxkH#|7K(O^Y6Ae&~UO@ z2=t?uFb|r6YK9}p(SVrXrWuBxJEl=De1OziTW#zcOO_L1zgy6Lh z@V9ZqV|RwXqw~DqjfYXPvpQ!Muc*q%t;nskxvF=^v8=6xYIg^Ja~1e@JmiHad4BK$ zooB4Tt|`HGkbV4gwg0O`lo1nTOuqGYjRtfZq=FCJ#g&>jyp%rrUp@n+BIT;G3>RY| zr553rL#o)!yyI0@x}HjA#SJR@QVEcf#yw6Qk?8Df+G_Vcl5}ry!T_gqmu}WLuSIC# z3A78LrXs*oTdDca*4Uvwx4QFx_o(V^b?pKwK!^*zKhe7l{} zyGFmTp7zmZ$%A3p(RWoo(vUEfV;gJim@c3~xFjs~xEnkzu$48OSl-sHWxQwpwoN&y zqe7vvdDJ6-Rmsn)U((p3uv>+<5Sp7{+LQITaAxS6siNSce?A&7kF{=NtT@D*e!(ND zvM?)6D8>f;?0C(`t#Djn^@U|zy)hxw6L3BZVo0{aO$A!0%A5)RaiHQanY}ZxiQ8v{ z@3Jf|%YMA&(y`7a>W%m9VP6T){P>*rWrg^-~-HHQI~)gcU= zp>j=pRWytPUdfJEGy#UziK`RO|0=`jbA`fo2k*OdY?Bsq-3#$6oZg+glfZI9LF%gZ zsG0cd@8JlRI6xFG7kZ>=F#j6&6-KJ=jptERZ8O?JoZfYswU0s!kXah9NpP-3IlZ4k 
zj&LWsf&71l(LrNwJb^>qLqL{7wr{g*iP994Y+!-dS<&r^-HV-Fh~#k-{C>tM!AD*$&Xv!|s;f76T_|ipV6k#XrCo5H| z$A(DvUp_i8lC7azRA`6s6N4ZpH;2!*ndtlNSI@Ysv#>Kq=2W5es@-xl6K=N#4( zU*s!{z9fhOl+N!x=rYNZZI!=-GQSdfQPevNiYkKM4PF8@d^Y{ak#L>)g!Gagx`zuI z{%@L-cT)Zc-W%M*BHbU~D8?RrQtuBHqVD2+#rHiUFQ>e}r*ZoQrJ)^TiANUvjV}i( zBhtF8`TAT6*ZX&`+=T@AzRJvhasYzwmk^oR-Q1fE)A+OBhZFs)Zq8T5D3^)RiVD7R z+S0wUSmQ#DN}Yo!PNl9snlrU@&KKatTxP+SL3HO}7=b=c1^vVt3Z2HHgbBD7xj$(X zz#bi(xn0zE^YBh%U!OSts{hewb(&H(SH7B2oC#ct=e7I{g^o{oYQ8p!frAgs=%B;! zz^yDM_0VwCBXOV*@Ybm55ZcC&OKgrZM)jH>c?)`5dr7Qn2^}5rtf@;4CR0Md)1v7% zycrOf=K|^V_UqW06r#acbR6rej$220=5trEzKndhbgR>4py>^e>PAZzX=>{sB4*Yy zyMQ^HTS2GyYD5}HkjsJXsz&j!0kSb^`)%Hh@f~{(GT_`Va%*i$!JJcE|LVt!kCU^u zvYEOvD(x@DXk}s=J4Ts@j*hZf?H*CvLOV5-&e(Gd3wohkvq>6Wo%OM2V<~F{+)}D< ze^0Gt2tozZdrwJ-%N4goh*_9jV zh)@Ouk#foi&~Lm7{BJu*&RX^WbodJ&_)Gz0%l(=AKkPkFR#{sk$=9V2{xRYBfQTVi z)AI4O|BI<-SzpB7Un;)a`?4BkU_A9zTz{F)RF{R*rMm6@mA3h8B;i-ovh0Jw+|6^ofH)i>o$E^H>mc!{pD!i}z3%3tkem;~$<(ZidE@6R=z#G-2R zY&X3t+X#xD6&YJeZZ;(YR*H;73DG%-<8NOq@7kYIm5Qd~J-v-AH}K8uUuPLn&;TUg zh!pBM!9KBFN`>-wvy>IFOH#`chFRQc#U6pLc(S2``*5K@9P>*6QsN^#z#f*JkK)@f zF5UL<0(=FFbPI}5YF9&R>MSEP-?e5mQ>i29=TlAYd{Z{P`Ku2~x|_V=klSX{>Z<{9 zk4ZO4SG$oK>cOv~Gk_QP&=8s9Ar7Q4d-tl-tdp;j`?_2Q06Q)GmJE18Wx$EtJm>6i z5uIjC%3)7h0o=_y7l_Nj?o&_Hf)T;ZVwA=C#*LXaB!g zVCASDjb3yqt*CJhDJLq0ivlKJm|z@}DcOX&hI!bjYg$PGojakF+WCFY7lX<86i<%zm;eaD9{cJ6 zMJ+@^hy6E>yEs9MQEA}<2N!hik4YtIXy-%o;938yjbM+L>HovpTZcvUwQa*75=u)- ziXZ|a-Kn6UG@^7P-O`OgNeR*tB2vD za^T_2-fOSD)_I+AEw6B4B-yMPcXP!XyA`O}_qeJr$imo3^rExP37`Y}lA%l77J$Ed z-=~EA{|TpJTa)6Kc>snT&4^8RYLAE=A_3Qwk)JwGp1%$D0)SU%(-!IEak?3 z5?f2m!*#C%D3$K3#)Xz7HhD(LkoIu$k-@Vd2h;a%ok(qb8Cnwoc7wm5RVQj-J%6Eji4|A|P84v>ZguVm2z^9K?4+{a~)xCEY` z#5x|6@9r@J<;>E4yk2XQiAv`dQE1;DF&jRZ_+Pzo6mvg%>((j4oJvn2jNpGM8F zc|mr|-v{TBXK;2OE<{%ITxOFBusZ1qPv*{!5!7GK_HHyzRqo|t8c270P<5e)zU;> zsR3qT6JDx&qqIy444|aD&*MUgQFRwPms4TTJ&edb8>Tcs8Us*&&x2m+%`)kx`CJ#zCQh@7X%g$bb}<4V za`p01DUebe1Nge&JFlb5v4$0m=yvpx&}ZCZYa;w6wjAd`gy|l}{y)5v^;`@8r+0E6 
z<(;e=fgjZ6j42w;mEAD@M@~rype5oXKQx0Pv4Zl{rA;@^4J^Mk)bp+w&on*F_}Wl@ z^6QRux6AwY^HDDDAKyn=ZXm|)|7K8X=oq;x&p96zGWI@-P!M-4zMNnZM>EZETbI>x z0PSOD%hf_E8O#WR9iCozCpHK&=wEN9HV??0$}4p6t_z&+^^gV$3Lu zzW>VRbOgY9p?(`dREATrunZvF0lGMxjbEmP9tV2^N0>>ZE96r@7BqA^k)+V*co7L# z?R+_0uhZFb>2bjv<@$n`f&k~i5k=SgC|LiR_eFyg5qYcgD>m3;r3v}jJc)ejzSD^U zrNQ<5^TroHc#7YpI|KJr%-!I#;0_X5Z_wqYWzU6Fy`v$n2f^Lf^IM@2@?sM{dU@|t znhCor(gPl#7bn`I(~Xh`*>T?6bugPK6qcR$@E;6^BIV1aK{}$BKjUc|Ya9FUrF|pe zmy54n1RR-BHm9xB^-KR+GD1ogG#}@pA?+(PXmVrjf#|SD@7U1jzK*gpNA%volGk6g zI}^t%)|bZ}#eYDMdOPr>|MzeG^zMt~gzLAPtxAZA(XQYXwLaP&Ytq%e8bC%GeE8CW zld~|wRpBnBXw z#SO^ZrkMJ?3Jed6Zl&Cx@gyEoWq{%BnB|CDl4W4H9%x7pfN$5>v+=U{NBqW{NLD+J zt)oLNAT|1x zhfv-t6y`>cj?3rH>dJ1xdN2kUC4rA3JwF!ZD{X6=mLQ;;KBZqckeL1o%FF?h?}f~< z%vd}D2^9!~iII)SxL$vY)-neq;JJNL@4Y+;aqRbMkcMcAg4Ra^KD;%?x3(9Uw5Wby zfLaYhA8O8GmU`R=(B$?_f4QNKr0}V+HmWxBzEL7AFg_GI`D7#Dq7Rz{3<+ z?&zg$!=?FJ`sVsrbCAOSv}717-yz`X*4Jt_BX5l73tEd76|SjB*I|d~p)ByTJ*V#D zjs;#N1xbg{G)se1l*e}ES-*l!*1>r3mVy?r2GZX6N$}ST02Ec$s28ir{S7q_=Ahw? zJCc|(b6fwN)%9wCWeQ#X>1u7@#C)WQ`Df<^!e&Y9tbs#vNU0PI6m-=LaJ9bh()f8c z;9Lp4%tCAE=so(wl-{pMQp2wwlAqxW=p+7EP^>oK^Sk8bvY z&qD$GY5N87bKJnIGF}F6S8vd9ns&kSVJ}vz>d4sHNlMl+!U%}ezefe^ft>w)qR8FB zVsapLpOTY&dz89wJk{jchRF|Y7qS^OoR1p&<3_e&iYc=e_YpQ47J2m}i8&(`BX@+) z8LqC4WNBM-3u9_|>{9xCBpMN;>PzFWHo5!dZew#F0O7bBla{j+wR$NQeu$>5ZH4n! z{Qix}_P=N9*E!mow%F$Bx%fX&0*Bl`h-{_u+5`)=jhvJFtMo^J zeWGT6z#!+`t7ZEJjaFpEkX{i|8Mmg_*PTNJJxxKG)mX;F;A=oEIWKl%NBF;^AJ2=r z{IBT8d7gbyQ_rL0l2z@8G5j*QUsnosAF|gdoKR; z4ZDhw*{lL=ggc1=5ptT!U8s&3;Be- z|JvzWD{RnDt)r>QbRrI)=eoVSy5Y|6OXf$V%Q!w#gE?B3EwHn)SY z5`XwW$620ZgKh#4XDVdh0uW#P$R>g8<@Gdc+xoNrKzzJ<6+j5+8P^kYb{XFI4@A6elX{zYu}N<##v6l=y)_EOWorSE+z#TfvpQ@B)*~gNhsL0Y@Aq z-CmGW*M=JBXyHmrfORRZtd0?rio0aS>Ii*Uv5L;!!FpwSQ}xjyy~%4%+SXh=H}h)%y! z{t(PCOk#G=nP0iCBZs(fzumZCo+akE@A0CE;qA+d26W`4w&GlKOIq-7ogAZ`NBzGd zR@LYu57DWk9lNhW3V%{ZS>>qI(F-{Ka99?veyS3zUpuyyaT_B? 
z=5`G)K|`x!5_Qh=-cq9W%Xyx7NwTkNH30VcfZtWAvlQ7T*s2vT^o-&Jf#Y3h`C z+w4h!#`>DMZU&2`(HP+1KXtuF49p|N2_4*~XK`~%#bWqO8uPtmGjO%G@HooYfk((PR=2-WKe3_5w_qZPs z<3FZL1*^p0`8Bn8I(?Ddi7qW1M}ikFLWC01Ze$=AJgz-=-y`C#7`vTRbI0zkwGTZu z_*U|bJ!z(4S(a=Z4J;ac@|UYsF$+BWF_Sr?Z$&&G@O~i=ihT0*U63-{Xq<3LicGT1 zs5pVwXCC`9iUxiWt0zyj;>Y=_#@4$pD^@=owt#(eVG`1VXLwxB zEgubAY(#I(KWPJjRitYUJsQDH2>PS6X7RpPKeS|pJ8}@jek)e5iR+8`7x3boUrX&v zI`&BZzG**3p;Z!elvBKUILA0s37#czGlKE#5`vTYVq>Z^*^P%RJ z&0gnTt5}jz(#1{*hk3=gBGjU8U%kG)iWZOZIxd)v8d-Y_+2x~fdW}!MUCGaII#B~Z zlsa;Gbb$l$dSr*?2?nf6*cz60 zA5x~&LF4ZB{(dT3K7!kU{m%)g|{0pgMB*<8$(2c1ij(4}V zw{qGLVa-p@E~G{O5rC>NHwEJLmz}C2$GL;WTLJsH&HcF2bc;v6lZshQuDFI?XBoZz zOWiLGPq-NU9{*cO4-HGcwzIBU;VZGjWFed3>}P{&@HDUGwQL+IOf-4iCO>&RIP+y0{4IU- zGXI8z*Z3Zh8~kkkXgf)_#`f0+9gN@a7FY>AE_h7!%1XE`K2Rj)!qHs!qVoLdc{L7P zVll`n4&JQ4DqkY;Ro`#$;5MrO74v5ofkvBGeQ`ajwo%IF?=%c|Sf*Zm-bp{b)4Hb% z4u&7RUbA}2xXy6>`P$8Fas`T=`=G6^?Yxz`DDkMS8s;3C2qh5}=TuJ|F(qHso#ZQz zGt&oqVB82a-tu8!E4($)6<_dbnagfo43b9jTOju}iowkn8=p8a;N-1u;w>5q62MEU z*(-eB6OKg8lUy9N*ewtaBTObWF%izD5lcdiyBd<%a5Hh@O^WDRA?<9Dh9XIVZEOT_x=kH&0zi7uRN=e zd>*XsUTl1wCXHAAgy(}>N36S4h2)4YuX`(poZ%YYAKy&bxYp$`le@&d-y;2~D}}FN z$YywdjeBZs|Ks4oTTI}i2IYj*`afq+_qcV%-kVVf3aPSSu68`9*P6D=J?!QKy_o9e z?Q@g0`*E$z;%2iSR#$Yp!&h4xT?eA7FJHyG&9o)%#o9WJ9i01gcoc%|)C|u27|+u9 zH+@p*-O2uNmt+>-#4vamvk0)vladI@Di%s<&I!q~9E=4vRp%dR*nEGZM+i5KihzdT z?x^TQ!Y9v>>F>T5e@F?c9P6=t)z?ZsXpr8aARg49nGKxMYr#DH+4!D?$0HHct(kv& zpx(2ZFPh8bnTu!9wr%&`|DZnhTVq0XUqgCF^XN!V6-3-h@I(7;1qwf>^R$nHq%bF_ z%DaVkuJe=5#Xi48HgQhBuHnfp--xZZhK@ZR!;3;Bw+7Z9o=6>vTmC+JImvKUVlG+p z15XLK{@o+zZg@#J!I?aSLDnfex@XN3J6xLm9h(Vt_iqI$T)u`O zYkYP_}@7udD7oR)vzpCbEO#ig(YY~#akqM73l(<^iI>s#C0Ph}|`J}ag zQbcf@RZ>y(1XCa&U^CiAX_f--0LxF7Ep_W?;sDm?dpv}%fFIa<-5N5r6ice)4J4(` zMaCM(3e8h)V=@5DtD#{QUF2e`EQ>Cy2k6>Js4dIX=c%Wv*zCmmbwjeIovM7Pn_|%0 zidxGaYUe86K`)$ca!*B`zV+ywR1$}7rfc%9yG7q4>NY2PaQr#3A(xO&D7^_H8f@vF zR1b{j2YCLU(OlyLMiT&Q(fowicw#WUkfd--KNynumT3hE zGg5r`F>G-&I=Jc2;@;%U4au-oQvsQWi$Ve)BZJ>J 
z^NkC^&YGMoAbR``!jH{acCns!X2w+FAhnQQQfrWJOeV}Fg>_wbmWI7Tx_F3r`s%r*JVR$WNul7pufyqDb! zFMn>Vh7%7-dT^cOj2J|F6DiMe2#m^e)_Q0a}@QpTh=8R zR}aAS9gx^?vqn_PlBm9n+%HUgZENTg@oxRVyU9{8eOai{AN8HU(UxLCQ-7D;whmW} z(A>0;j^d?FB{@;sUAmf)bt-}=P@arpK1<21D=ugWXtVJY z$#t8#bRE@`rXNX9Bw0)iWBR>MUIm9dG%NH|9kn(%x-QZz9O7@$&F~U==4WAw`n--Y zl^lR98_K&D9%E0r_pxZly4w`NRhFBeBL4BlOJj9C^B?uyqhvX#4NaW&H4p@ivq zMkQ@>2@Nb|6@4 z`E=a>^1*mR$zE40jU!#*ZcudLZrYjz08K&?bRuj!!iyhvROyTgLLOV~-W?wuaNnkV z9?h4Lbk|wAVreTgA^j<>IHml#85B!AeX`qY`}qPDuUDI0z6Abt?GlbdebI5lgkr8z zzub8~j=5=zpX;{_Z*ra{Bo6`9R^GZ8Zj3Vw*n(?2iDo5<8@l#f7wV&Ia=(PsY}yt` z;LjFB*}^LtZ`N$qYBxHC1#~fe9$3H3Lx&B$I)0cTe5E}L04%{X(1Kq|ze9z(yF92rx?{OAu;Pba2#>7C}q zEki-gT4>bSZGysgXP3k~O)x1O$Ms2Aji4tCllw`QFLH%X+It0aW!<(I%#&G1ot&Cg zreE+P=ZTP!iya49>fXEit;I9~vU(djCW8DpmR&J^ABo~ktza%>7jW*24T(QB z79W+2h3W^Ygu4oGVHHAk+r-(pE~Ib=)y1bpdedA$SUYZ5bAIH`ErCyX5y&CvLA*I?F;@SZdGcHCe&_{Zhf-m%%Bwa8^2Z zxoH1T2lmP5;h>$Zk33zJU&>_qyT$aV;TQ%ZMSfcDYl5Q{^Dy@mG{8$c+@@Kp;>&;F zf@K<36Ah+k(Y>XguzT;G!S>I z=mBq_=Ct1yS^ZSvAS@pPQo^QV?g9HEXIhUM%l6={sxbsme~wl$?Rw~&SBRdzx|6Ub zxYbgWV8~3i8IfhA!*J`tHaktHe(;pSHC5;orb1ka%V&BDE66~_umzlq(H zDjvNFH=?`luuqO5CpIozjUe|&E>QZ@?*SpxeKpYyJ-+ben_Jkwef!5WZ~7cRoz&^d zwYH*qpwz&JaZO2!YsUE@e;PbB3mTPSZiEcFjyvi6>G6S>U2;|z#cG>O^HU5E=hjNH z`}nljFA-B37(>MAg;lrErszQl0t3|aXN`Dr)(3g9-fyIo>P{#7>hkQ>Wg>C{3kgMH zDagJRq+O|6+6dGLGu9zXpd&KO$>oRn0|o13E}jwa=MY*Q?CslKf?p zRYE(f-&Sd@fkk2{!x_#zxM^Nn_oc-K=Dvy0)OHq733ra1OEn#vl~Roczeo#@HF*D} zfpl+@=J~tfL|G_-(~okRKRj*VYxP0?yM8xVlE#2DjhdVF$VR1>SXj zxcU20sJhjJUtIaejw(7Ao6jUqmnvQrZ?f);pLR4o?{*=T-yK!tCMCcj_Vdqwxdg;P zeGfLQrI2;t>T1{<(e3$$?nqkUC^|C}_2nUK9X4gU*rwKqlD3Ir>?YHO~nwEhyWyU`Afu>bTc0)EP z-gnjWeyO@&2H1+p#ORAEu#ht;V9$$s!=INHkPFvIINb~^Xf#c!dh_vtWJtRid8&){ zSuVM2L3T2sSw_j{^;s1=?rT#XFPj{7n2Nvm6=vIxkJ`p%kf9&&E zn5pYkZS`DwIT|+Y5+tRfIv*sv(E#N}CJ&9phS^mBqdO&wVl#~7-g6Oa^J%?V-(&vg zu|+3Hvz_Ce#8~|rT3FS-uFv(k<@RWPLFqwV*5C>FBGav)%@qq-$RA`}9L()`tKoP4 zot5>ksXoME6wvy z;3+o+e}1&Z1JzeI2#uM7(u;RWm4hDnt2W7^UTjZyU>O8j{C1fUv^(t3vIbj^@)Sm! 
zARUtWhOSeWVPO!*Sdr+vjL8mk1~ws(xHrmlLSt^|1sEH$u4{WqcjTmhvxAQ{>U{I| zc{xWGCX+uueDLI39RG@Yd(D)g>+qNT3O-J-q-)Sio=KR<1IpNisLmstPN=%j^G3i9 zR`(9Mlf3l4e~(3b*RtnWi_ZGu!juY(0}v}WvkyP5jhIRd!c`E=`AGD|Rx1tAVEA}6 zckDAtcQ+$XizbDXZMhF}f@gNBy9)4HQK02XaM5+^d)Sz+X(nMTDVPi>vo zA4Uj3hp)dR5e2Fm#8NI+WXpL^Dwe+nkv^h4pn6ZCJ+7JjW4o*ahaUwhEUi8U`s0{+ zYxY*4@NWmdo#`Y737CdB%pmB+o`N(lEBuzv{U)hLZ=c!+6N13-+*_YZQzt8apR1rr zmQ*QJGez`|0Lz4V1!*_c$J%iC4`~@JQf2eJeHwDCIVo}CM#O;DlQo_14jMM*+V0K_ z;B2?f3?aNbOP{^H7Owlj{!r)8+A2JpzL`qQv^-!z+b({-B#NJwmO0`sai0`*710)g zlFD+^-fxKhCj$lL>}=&^nC!abA;_a^ykv98l7FazI(A|N!5|jB)wuoj7>%@5f>8#= zp(MWqt)B@f<$RCWtU<6*;^E>6)dz>W3pdV^_di2dl-Xn8T{qgwjxA8Z*jckS6 z=-nCtSSMc>&kV`*B13^Sa}Yxbtgd~#sOo;>gzunXdeGLZZvJ&GxOyM`;ki#dy;NHT zwWk^Goa|Sa8!_SnEoz7ul3h6(ZID|o28^H`BlYGckC~r0n7Sy9FB0adkGP!OOfo(a z0jSCNE&iZTs*8~{Y6qpNoe}*h?)x@qOT0+#DDAzQ;ies}cP^ftyqFve?lMd_F(FXd zBXov^MXlDoirr47y%=~lD26jr=9ySr?i4yoY!rflfPpT+ZtEV7t$lgJ0s;?5N8XO) zE@Z`t@1I1gxvPeVz-)o*h=+{KKg^_f|Yg>QHQ(u*w$|A3*4pY*l(!=RGTjKDUtWR9>*Z+C}TB+IskGyiGSEJ0Nj@PTro>Wo6 z0V;i#erY-#laQOK6;MFj!>Y}QWIXzN0uR>sFf1iDw57VFR%m?dHRwuXm_G8Mnc?NaIo zkKPG(^_H07>n2I;uP~V)clwfQ@W}R}l;tn6h!;rGZTo*WLnVep`p2 zwuE`UeH-5KbBPMIoQO!xXf-9gFuF8ds$8aChan-5;|!@&Ue66owntbC2=U3Gqf1yi z?0gw|A<2E7=y{ zhAQ2QG<*V{!@a5P`Ih%L}uB)bvSK}H9vt35h?PUTu}vEyy8 z;n9!b037-9(?X)KZ5MH61D)24Min2A$bH@9@%TE-vW~4~AA>Bgn@_s*5a_uFq(aqe z_qfpP3rY7QsBsl!DZujC&zbTx6{E$d@8MVB1LhPoHpusG03y!AJm`pX`x8Nef#A2+ z9F;K&2aAZrP0{qfl&kpopYS;-(;@cWm{>PRb&b8xqyTd> zB}#2TooF=WqgubENgsaa2FpdzkG zFb$|=1X1rdBs~gRGcxpAXH~F2^rDoBX!q}K1OTy~;(RzVjYC|hfteEp7aVVJn^edB zy`ik+JR*#N?yHvh?Hz@}Kwhc6BafDv@JvH^IF2TNPP4rsiFx_xCuXCD=5m7|vN`uo z{)0>lCg6lCLO>F@qFHa2t+H2fn41m=>XoHmf4~d$ITe3es^7Wp!A52fCL^ReIHVLR zCo##JT;qNe>Uck0AjN&OT1oJY*tZX6yfb6g6!@1bhJeyQml+M==U|gzD{54XH-3W2 zn1(vIO@KVd8fcOq(dOVuRbX!F-j4z{_n;1*86PHHKisW*6ZecwChlgv%l^V=V=Z=v zH(rb67+PMP0=6seS+fu2T2E*S2G!uU`yhvCMD(xPesqgUU_&1fKvVC08v-<}aK|~?(ZiaH)dF;`=l$Ec-kN%{8|WvbWNvva0_a>H@=O5lF^ukn#D(`O{2cjM#*WhT zb(FKeD12VRaFp4#IUU>)ujcg*>M-bluvbTSH}hX 
zgBsm}Xm^JHoqS86+a(fADF9u^AA!(4T$Y69IP#3uq?*-t^+3dfmot+1_ZsD#Ew+=< zKx#yJz!u|Z+dphg+CM4)d7xKhpE7Bdin=e7rH z+K?><@kU+=vG1)C#!XJdYa{0=@!*OjPN|a5Y z%o6xK3jz>0Qj}{K0Xo#Mp_$Hn{_2|ze{h;a8mq<4mRv4-cR$10 z#-~<4_0Dz9XU|WJkQoC=$AIn?Dr9hJJ!`1ecG_|U*?>VMUi5@TX7VN@UUu@Sz`uoK zcOU*md2Vqlq4t%>RP0l{HBsE0-v;fz0u)}MRta@iZAP((@agxtjCq(~t-g4*46K6M z9W2LIVd)n#@%U;0P*ja4jpwsXF(YTze59%V8K)MPHZ+F3v3w}T>u_CBzq)ihh8 zYUUxi^60b^n+>1Z6>o6*P#3_r++10BeB5?z)?>4PV%v!%Fs(roOSQRSS^Ft@A>{U| z&Yc$T37tu){sJdkt8-v0+&V^-)?+IAc;x^m&V6k$y}sw8xV@R&CYX?mi1I!NH;Fr2 zYYM5EGHF1{-d@~Khb+F?no0qGt0(HGnjQ|BuORK)d<8AGbjkaIZX)db8ikUR?qE(D zRqCn!#OHKsxfptE4)9u>PMOm^dw*e_$Mm$(qD@Bcyf{@+mjxIn#p5FYDO|rg!2(YT z0I)$tpVlDG6W|}$%ZWMZI8Au;c6XL}7;u?PTQq;eGO6Ap8M*rj`t89JIQiSHXGrx! z|K0uij8i|NYa0R{UI5hNk;|9u_warJwpFVeL|w715o1=|bU{;yw-6fAcdMe5+-re; zcZ`LreRk3<)9JU@vA5|4T%>%{y*PdYXfw(3`ysN2vgd((^#Ge}*TTKSIN&Vmj2Hm~ z6WEqh?1(rjGs!=_&Jx8YhgP5)+gpYv<_7}M$;tA3+y#zMs!-63oa zB2*wLZ;CYloncmOj?v{t(Mn4kxCq$p(#rWcrbqEBRrPz4`U5Il70Spy!&yAnP$ zF<+|eiyL^la+G&b19tPOgie6F{~A%_-l6p8 zi;n0M2=WY*(eEcx1jr3}ay0IbDqerzDw|=%5nt=NcFX9(I|UrDT~V}Eryu2WwC%jy z6=@dwA{Ec?{cWS50-FzA+fUd^^NRRh&CAX#p{9i=jimQ}s0(b!`Rvdhav0W&;dzj& zBgJq`QjrO+m8wGJ(YFgw&>KMDzCW35eJ#bJy^kg`%_)~@cE8!;JKHC?4!V)(HsVzY zRHU8Bjb;tp&v~XlR_N)Imu)#B_tE^(K=Ik4$oBA2?#8uZEo_?#Yn5M+`GXf?`lrSkvw z8j`-8hayHE2LZ)bLcuuRPfVK=&dZk{-#o>&#Rr&U$Mh4;=5Q$Sv~T2xig?3;n6S=J z^S)fFsYimNiJy=0KMsB}tGLgLnZ_j}Vc!UV13=n|xX(I};4Q|=kKPp{%uM+(B7$%H zzzn_tbn*EwnBmuDIDi%P@?}Se^yhXO*U9|2^W%ECs;!K%-ATOZLYE{!=dZ2;F%xx5 zDch<(c2br9OG{0_cQ^=Kx3%%c=U#L_SENLSp4;Qiydu=|X zpuye2Rz)-Sbji?`MUTBxx%{;*toDdq@~NnuV2;5U=||DN$GRG%z@RI6WqPK4Zyr{N zhHlPk6Y)~@52wrn0{=aQ4#C(3=>*M-$;BK{^sg0CjWv|0&-?DXYtW3+Cv9idDz;U= z4$WJxgqygygS-GOY!SBZ-iWPji#@)fLJ&Xd4Ie zlniUGXq9A3u()uTfw^wcYFI^SKPdS2taz?Tnk!oYVhfquoyj@@_J|=h8|-nIPK1t} zz+D%@zd~jS+CP#M*$tpR!uGEtJUmK4)*J=0Edo3QLDp{Xbtb_n-#VgwGV6*uCU)AKoWW}_iL|(9iw>fqxIyeV6D7nmiPB;EE)ah@j8l- zyle=YJo9`OG97Q^E3<88E;aUw_MOszn;m3aR}LjSCRP;i1&&rK9J5NICJY+k(PO+i zT1je>uEO0PVgfaUF^w 
z=B2_q9YQj)bXc_7^w^|y0f3Ypyo#om2S>+%YSwPs~S-_i{>VI8aB$oYu2rj1`)p^Hj$63kM? zi}5wcA}mzD#UYq|Ov0cQ{<9gGF`cPlmp zZ}s~vcXMB;jeODTv1FnVMHF48ON3FFW^&cgi)uEx;c^?r$>k13rM0YdGt?M2X%x$jpKFj)pZa7@fa>dSfv_eh!B0Ov-LR z0k@l@f7fius}QR7Fp}))N7XcE8l;SuN<%7o5Y(P0G0aadIj`cD;kKIdfAT47+W;cj zy{pD7IqSFG18|T-i23{rfHSFjC?H=L_v=lwzTdo;qc^m|eR^q{+!$nI`H8J_A=cxV z-7*GXE~~nCcJMjns&#rEj4#}}Z!~)?dTYXnBx}ZlQF6h*RE+cD@dQ2ltuSlkRmey+!jam5%T;LzbJTQ z^;67&u6LvokHYuqx6X048falMmn!dCVHM5Jy*>?LbwCtj5{g$5*w`9*u70-;N7!ef z!rvT!mlIDL`Nzq)dtLb@(Dudbs_l!3=_D=C!`Z}ioG>EzBA?buA@Zd|!LHsw%QxD>tv<1x_HiWp!^dO zznz+f@%V-CmZun82U;Ff3d|T0K5a_;LHbF&!=)vHlVAHC{q_*KyA(`QN+x~6pEM$ zC`Tam0ATW~PyKEto;t_xDhZuUbzjwY2HCZ}E0`J>GvOGz%zNFg_86vHofmO3go=-M zSZb4R)>G+j+76U=Y796;)YC*@Q~IG447fZ{kc7IVpGx6s)Tr5nJC*EdqEwFaYqO-0 z;dAAEz1*eEzJm_FQ7(~a56Kq|ioH@X*U@v7U_lQdtN?_JsWFDaHKOH7xAD`*o&_gR zZIn78m@lGM|nvu4!zT^1FjIb z4@xMJtda74iw!G77utS)1Ga!(;^hAFN%b^iO4Tjni%zE_H}OaV2cm73KO`cfT&+qB^8T#oF&WY5@$*?FVoPkUy6ASN@o={gnC;9-P0a6i5o> zk4eICn10i(0VwnDuFoXLYIlL@lWgU46N5=;tI|_>Y#6OW#x0<9NZ<^`uqW)6eOsI# zOnpWkJC1_;wBalgOI2Hl=iamI9iSH^GEy9aFZ~A-%Nay6H@p+4G(PI-ZzjnM!!MPm{LoTT(jBpniZk z_(W@PE+AXoQ9zDk7O*njo12yS^23bsai}uI`mRefRQ3y7)%2z0Pqw+w#x)4ji$k}| z1s#XPq1xa$>7gpzRHz>}`Mf$&ouzC)!wcbESA-N;pns0tj+6-N6sKSoUw>XK+jgqE z*rD;+acyFMzzesD2b;K?TCVE=u@Q1Y7SY*IDIb5EYXQPE2fI9IC;^=O6YM`?vC*oI zGYi=m=FTK-31W}f$itq0vkC)HI{^z{_kmb6BP1WPF-}WJL%1CGjY5X51m%yg@J+c0 zj>g!S05KpgRM%++&HSwT4|9Ufc_THYGwXwmUi(disOkl`T*EIS2n0&=tE_-mT!C`{ zK^Zya$lbvkxcI-~sdf%Q0g^RFA}=G+;?@(~tp`Sm`P>0z;Ji|jrR0PEdmJRiYx{2y zvb6ILoZyM`>>rU$f=~bM_qKGKhu0DFw>)ri^nY#8=R+Ixr!Hoj*H0zR69X3CGZHNV z>f5gG=@;LPG{-$ibHr{)`fZL9-=oTQfIiP|`6kpJ?4QEK`RyTPu%q}5fTpwj>2E~? 
zNVB=OgToPC5%d|$;zD~D^gn&3Kjyc5%hBPr4o_{XK~oXmN>GU7|BuSQ@c@X7I71wt z`7%#9Kl0OuMeA)_eRLl5W{~Gza{{kWZ`|#gn8x$Dm4+=wTYy{GOwCZf^}!RE={}rZ zs+Xe)R~E>dRW%=uI9-Qp)8#FF&BUtDHbV2AGV*`Ous`)T`7$vE(m|sKE;4@XMGzc` z0r%N9+sV1;9*0|fwFZDvY=hTls2}p|gz<72S08qsi`-|#O}L#BPC7&}O%PN_2=M<3 zaR|X%H=;rLN>1xHJ!Lk3bd*6hj0je+-%t_&m z%1W>(qGRr&S<|&TM?|-)!(&8d0kKcX$Q&&GdY1oQ%ec-D9|%GOYgg24kE`spfwU0`#cpJec!yf(=MfrM)$ci=55J!6UK^KkueofIIVmM;*1{N1k*GShkHTZ(`KDJ!=J(szavz0 zOQ*8zU=?d0r@bOB5M8EF+ZwPlq#1G)+;+Dq&C4Op@H7|&;-4g$D$T$z zTFByp$}@nmw&R@7V6MR2S}Nqf-}oRK~Ys4FW29AnZFdB%tA!mJH zR9j4+d**uN7Vg~b`fezEZAfg=I~{7^5K~LZDjW7)OEx_BIoN$Xi(3AR^4NT%qeqt~ zU=3fT?7LEr4tK3fZUNj!!#V&eppF;V@yb4nFHcOS^en0Am9)CBg zZ)}LV+Si9{C+a>Abw!|}ovXk6AFk-yV%;>F|dS59(m;OSJArU3FAL zu#wvti912q)o=j_PHp>R4EJqas!{khkHjluz&jd*34Uy8#(K@m^1{d05zsR=bMqK1 zbl;(646-X7=zko+$n!!)Fd+B+nx2&NSzcsnhpHwz zU!8^Hqo_Bfl6?mKmPOL~;b`D0T`cT_VIo?h{%i;GfXYPBvc=M!F2b>UG% z^Yk+-hZI&N2gA#voBEYvBKm%eAk)zYo2t^>SBDCuijqxW2A)u(4{o$eN;(LhSOhYi zZdh3+0qZy^FPP(JZ9J)5UY|=z1bXz@_yXG8*~JYi7PoujoZr)Ij0#>5Ihi-xEKq^UTD$RcQ0oS}u60Tk{LFJ^dl^f9q z{Mx=-2tdQw#Tzq4T^bYuGP0z;l`b<1J;7 zHKlfMmiJ~@+W$Q#T^g_tIMvB(YNzfCLUlU^=O1lW*|!mbh%Kk_!0kTiUhcI8RJATV z;FBG%)%>p;9@8f2S(1HzcUqb@0ya-O$QRaQn9${@^C_STel;-_VgP6&0Rlku`rn)A zkjdF1YiJfaZIYAb`A{@VZ^q_1ax%~T-+nv6y|gQF)U&Vde(T`NI|TRc?6BolzADhFNnqzr-o((mB-?y!F-&7hc~;rKgksA)kSo zTF&VqB1~sRaq!j9N`Apv0O_FpAoC!cKv3xHi|9_I{%j-K3@h01v(T}yIu`>K)I^zP zL4awtB!Hj*<^$$uq&9hV^456@u-mlbbsxd?3q()78a+j& z16tB-DUzfEI!I425H*KA%ROIzQ+)=UijCLMeJ3r40o3~6uxZ`7|RzU6r znk7Z-{L+MrQ-td4#yS0+7S~Rid9-P(rf_@{FrWxS_guA7PM?J%r+MwB5#xf&%Xbkd zP7P&YF@}%%0LLEVE?FL`kFcP(^DMWjuC`Z1er&Pj}&Lqave7)LtYpTjG<%h znGYE3QtIcMO!u>h10gO|nM`<-xr+r=TQS$x~qfyO}7LOY*~bkoU#XEgzjLohrncKXPaGLX5;LQJG?JJ<7 z>fU}2At5a)NGl2|ASE4xq5@JPN|(~zIlzD*AtfRuB@NOcogyV2(#+7^9mC8$1HAw5 zy=#5z*1BhT);ep{v(Mi9iQn^kp1t>)^U96a<~lVR*FJE+&kx^aLj5s(oM%9l+ESqi zE>nB=ODDu2SI_Xa%eCAizF*gu-ll^#kL!oC0p3Uthbo=up{Jf$eDi)l^5U6OuvO@p zC<{WMZabvz6t!TDTAP*oW$dOi;t0@<}Z^FSy$F 
zRF*XS%(oQ#(=QOCp1AO|#By2ty&}iHaJy1iqa&SX?l0|#ZhgGpeXHWZbj~FNhrHAb z2*LTo)7oL)6?)y_pH=yjo2bwey7Lsq{X)TkMUffp_tt}GqKks^HY9cO!n*nw7cHS5!+-9o^vhKrrbh^soZVY8ADZr>7QxX)M|=ES|xtT7v;}xgBPk z=a_It&UJ5zVzE16_F#QHe;ou||7W3xes;P#TV};5C+)O);5%%(p8M##B|47fH3+1K zcg>fUi_KJHh%vEDwroES^aKPPZZc81+2olK60n=^W9Sq;uQn*{N#jGDy7sIu7&ew3 zkY5YP49Bb|a$x-)|B?EVHZ3?ij=i6a`@~K9-O9O6{wR{SmGT(P-FG{x= zIV=!kiV|HBQo!liv{yjLmg*)649wp3(8sehN<9k=z-pzsxjsBCQ~zZJ1wfd_Y!dAe6atFyP=$X3?fcb52SDig<-^xPr=}^+H zbo746TQyzQLVdKSGyahEI}R!8h35UYkKljRHTo;<3%m0;HpBm%SA&ty6tb{j4qrj~ zPS&603sUug!LTp!T!T?vX~zl+;f@Hl@-Zh+I1HMxj!E_J+SG4#&<#3 zGx`WPuI`T0fJ81;ic%fgE|#%&$IEV?Z`e4dS1VYqyYI`7w-1!>#1#nfM-nQyHiET8 z>t6(SIX{to>CeOSd-%J}cQ#&*vEiMF@CV!ubFpqVJ27?P#9o$PpHEd~?S*KcBZ$Qs zH}g)b?GJF(toi*eicUlCdL;yjJ1yim{5)$^DACPyt#V#|NYv$lDI?IfZZ+=Uz6!CY zuo@lboG22;-wO#^>qM;R=rh$kcRce7$VfJ&%9g_)JH44-7D}e8rdOX5ru$F#9L&rC zTx_g^Ln+;n|L5#1%o+@xa+UI)ED@_VZu(o)z4$fyl4GIm_j|B#aDZryI9px!nWzm9 zV!W5GW)ICEyT+=|NT5by7Fyn%iGm ztbI&HZE)%s#ZCVMsh^j8J}oXP@n(1uOyty_pSv&%x%Fc7z75syH^58;lULok9R_5!S*O zTx7;(%|2tPdZ0?=g%9}4?DOw0+?;~k{~gR=v}XR9Uhw=IB%5c zG^$pV$m^{i}0C&6@ zegg`HYCAuepn#s^e8m^7)Th!F>D7 zQiTb_&ru8V8v%y#19&H5L7t1m&=;+?Nnow~4fBH2#W{=Krif$s*eM+%LFPLA2T%R1 zIcFhwe29vt_jA*@hcc*@WfA=C^`)fj0^479@|FB3j zp*)}4=^sPgon3&%WyT8bO0Oplo~{C(2SUqYRQrzah?eEWWP`~_Qk8ecp!BdcUrmq@ zk0&ETgNPwto#t*9^y-(YYi2i}5?61({Z9~K(v^{a5k&Cpft39CBldQ365D15QGDG_ufkhTMB#j#N$!925>M{J!yRc* z93mC4m53y|KKM~hlDnCpAlDcR4qS2P&4vVoR=Uk%DO%a;s}sv`T>yBs4Sp2`fR9(O z=*F9W`WISKjoTJl;(oE#L#`Y26S!+gg5VL3c6lN<1uJO+2L zj*?#u?Y%+NyJUS=f^mCd)JBo0wxuvco{|%5tF$nWga7@In6%;s`{L3ATwarFhaIA@ zyK?3hE;fmg1j-1Bs#-zII&3RQq;SN#v(h-V6gSLzpkCw-=CX5(rNr`j%8%We* zWJ%S^FIW~Q_8JSTACcgoUS1dnr6D9wx&8G|v0_3_az693`<&}l5{Wb`DYwgvq8rOe zdqkmTSI1?8Kd%uzo@tcSXL>O_Bu?;nq00}d;TBka93ao-xMn)~ zRNF-P;kuZ|X3@YFk$V~UDa38`*XClfp)7r}U+;q+B8i%?tO9;MoNr4RC7-EqgWqO) z!Cvrg+kaD`b*&jZd0}w1b8mB#lBPONn>9-BfFyqLnIHWH)!o zfkf!+S{GNMZ`LaA4UoI*840sz7Ceh_vu4zkJDs3EVEHv@{lT&}buHx8T{7__CUM=y 
zRTc$`kQbvBw#>RUBAu)o6&%pIoSY!mM3)Z*p8Gkxy|U-+-!k2V*XF91`1vz>3U0bT z4?MxSE`EeB=yt@%Futt;7hCaukTUnixQq{CusWB0Rn zO80Kol&53#B%n?DUKc?AfP{>r)^Akz=v+weycWKPzc^;##f z4s#T-SC1!cqWA%O!Z1VKo&Tt?QQ2<<;;M?WZ~f>9_04#8U2&Y z=eO+h+*kTl7^;5I+P_EmTE6(k@r~Kl*raTQkag$kJ3c8UiVV-WpC5wzjryLMl(FZ= zGoz0ezDwIHz~W>aogYFzW%r^j(DVJXI}$sXu;G)#m8pw^ocWA zrKKc|UTIq>Q#-K!8WfNSlQ|U7kwt5fsa=kR@-BFY$t(>Qsa^vR>ix+MY)hUN!ef@O zj^5YKr!G*k=BQJH5F%Z?o;kBRT3Y@-nfWX%>CB2-)^)6eUP8*_nx;drP?bjn+u|v8 z8a1(-iBYcPdY5CCv>=b?rC+UQVWVX;IhZ6v>-WXRfQ)W3;$*jtfqJC5NcEJ}YH&c> zOW`#oD!b9sQlG?;UVB-6SJ0zR*i4km?31gDphvB^^NI*XhB(yo8N@DsK4WQ-Q;M29 zE)g_obXeDXS6Rd1jLRuaRNuLIv%0Gf0~}7%o0VOnhFX{L_p-t-ij}Rp$RIPBSJf`u)H!YgH!w zr*&#Xs6_(OoCW?O_cmW|k7g+O@|^|d>g%`rCJBG)1X$dAGaT{5oOnIeiCv7KoIN+6 zMb4TiajjN_&>$LL!rbW<{k_4f=&>XV!XB)LkE-zOoBXFSN#I6-fP z&HGp(Nb&i@cPUQK&(*>p&GiP*K>tgSw8hrel1jid6AxJy6yadAwioVD82lh>a;-t6 z|GAVl2}6Ts9F4p2Fgomy)VL8WgW^M)4<0B_b^JWhq8yq8MnCSJ1X83u;I%m{ExZ>) zDq#@KERn|cLQfVDu9h)~y8YPgwV^Q0j&YOJs;VfT;GrS!t+oy8&m`dP=;ZRx#a}y? zrQ=*dv3xjseMq}L+OmR{o`rKp`$xg$xNZv&a1|?7dfZRbz7UmmJ{UGo7GzHLZv0W% ztll_jsJV@H#8rX{(olUHdY{#*Y!B?K;S4TPC;GSp%$kb&z)6)qKD^|1HQnu}s_YV} z_2GcWZ^}uBFAB4VrM>3F<0Fr^uK|ig<74lcjaq%0Xg6Xzdlc$c**$vF~g3gKT@gK}TN#!(p`I zhfKdJlYqQY!>zm~SwNI;u=2i&Uh06ppFhd4L*|^C z2Kr@dx}BHO9FA=%0DTCiEH5my?tb=Sdd!I z9wd+J7Y$5hiY2UAso#t$kC3PlgOY)xmeK@n8q)$4g^t+Vd}`n_@WeVRl!MYLcGK9N z)|daIOxmV=TbyOnHyf%(r9{h4)T!y!1uJZ|hBGAJp5g0b4$kB%1~(#?jAe-bxdmza zrSCBX|XaX;e^F& zw@3ZY%Fk7Gon2$V{a}1+ugG}026gKs5oMh}@*VKHFuiRx>ez*w9~JV|Vch#D&7IKS z8$L0Vr-Dc=HjGnIjxO8jeLD&M!eYVOZ_!8BE+Sd-R#7lql^{n5JCJLix!{JuSN{~Aw+FY4utV$H{3N`R#Ba{FXX@S^LYu+4DPYQ< zL-XSaBvO*7m4vG)g)-kCnbl62CJ*oR&pc=u=u*9U?b1O|-P6P_^gMHO+L%zcac$+( zqigWOqQki{Z-adPjo;H?P&0v<(DqD6EW)1?)H9cJ$j&Ag~z7 z(!Cg{h4L>(K(20m-BfYt`iG)M+eSxa7>gzK%U|JQHV%p_Jx!p6cJGp_3c8Sr z*Vpfn0BaMKB~wgZvlY}4bPUMqMcGfxoy=)HKcEXB3SgjcH{+f<%9ie*=|^oqN+vXEnpKDZZUsi|NVw^4l~B5|W+ z`SwWPOTp>P$vyJlQkoNbV`t0!!i2vE458oOuHsydt?!pjtXC%F4Ypb~{#>Cxwpv=_ 
z&GKW}SoP~Ocj@UwJnqu7>tC&cIZe?or=;fNkxk{vlhl>0qNV0jElVH+1W)>(_&kGf z>(a)`f^Zs__wBW_-vs?%Z&g4wMy|=>GZlAGF!kSHF1!aMOy1?`Ag2+_=AkD!E;)!; zNVU`?N(?__EI@o7Bkn6M%=N2jkVxEPxO&@K80UMkkIBQTOVzulvI79uZ{pfmPz^Ku zD$}-TZ7idw8=k6Sxj}A2PuDsnj5qA4e2RPhj@VY{UMoR{)Ba{YIQ717@ST6w{4Lz#=cGsG)U?<;MeW3ivXVAJ~YIvqFZM( zYcaU*A&DoYcl;YS$oe+_`(^Y0ofAl{iReWzWQLH#9V-3QXt!(BT^Job;`$HCl!hZJ z(Sm0O)(lqm%8ZVq!~jITaY7zY?vZK}dEX>)X?gfoiFD0)VW-Pc>h-oP^Yy)|SmOI_ z#+57dIn?g6CI|6`B-Z=J{pKin{zF8{VW20?2eM8%e?=k?p{bb7)&^e_A#dNE@*$hq z4XK9fYxS9Y1$XDzX|8T^p9vi=UaYRFa+wKaJz7z%7sjc*j%hVK{9t3U;~Ss3%h9y| zZnx^!EQrLk56mmoUw5{MzFp1#?U2QDzyv$UiC#0BcWzaAIP7=VR_ zFxTx^e?_rP8qr}Go%y`uy`{)YlRv>@jSaLOKzi&UBKz{dVp7T1zvjawH48n!(OUWR zvVKp$>lyE!*cn2r=*fTll4}XB9)c)As|59a<*a;;K5!DBoAto^GmB zQw9DaKVpz4Sm!Sg?liDa<39t;Kv$ zGl+9Y5gWq5)Hf-ktw~!{Cz#gVJ4xtmNfUD+?`=qaYaW1Z{EEKM?1$A1l-wBCS6^o6 z)KcPLlGH&%!=upJF^Fv{sG1I6zHKRz9GKIZXRR*XiKHUWW@`RT*#w@7^5+9L$X3|0cVt4}^i*J;k!ozX4 z0yiSUb**R<9OkrF?|xR->BY$##j`uPHTp6upS2qI-Qc577jkF%PUi~nzcA@$0@Y*^ zX+fb?G@@SRH$i89yo#p0Fx_`Crn?iD3~bD^>O76;Q$LB970-#6#UmH`PDdG$?rV>tPuoW#RW-5jA;Nvn(iPdnJ1L^<_yEs)m zVt)Aze}uOxLKQ!UI#izH?X+>GxvmXPt`!#F@P#!;477G5Nxqy$b9fCNSLBNIY!%BQ zoq^q%yjxd&`y7fkD9w^;uq-p3YTyg38)2oO{T#$$&IXNdOvgfC!J7;kZX}sQH0s7z z54X$p2M?!~px`mc&fiGq9Jh2A%V+~C1%kaeB zH60%*Q%-?jOy&jqv6UF|E&Jxh3u1q`mf&Av(g3*xY~a!a5_$dCV?*wLC>23;yg7LC zj%{w_aF>(w1@?G$(>DbV2wjIIE_z1QyCRMk*$wx{_Sp-LdBsmHT~0h=7x-9y@l&-#6mCY#=QQ3cTUa ziK0Q)$4b+;>KaHgH7GI$ZO;vGUR#CnLFJyOjs7wV4HlKfU}Wx{-3O6H>}(#7d5a@u zWPGz3SH&-TWiO$G1B9A42u@XG&Om*YqUnA8qp1fM;jEcwCpLna zIv;FmBlGP4{K32Ig6VxX0B|N4cCwA&&tH#!z0g8y-6;ZeLpDWq+?LaeXcZg=WV~LG zO_|=6V4aKz0(z}xaD{7`@y02>)h6K1ET?0M_0k;lTe%U;q;gnst*U+!oT}zE7VO{U6+z6r(}zBNdaJ@|H)}$uS3{W z6!)rOF;>f$muTy|kv}(+xq;-ohyI0d$PbilUJS+_!xoVV=cfQ#knprhz>$&+4rFXko7ki4u)>7Ten(VV6Eodx-#+^)1a{sBbHTX&jKd<@Q$HT!_R3zatD$>51{?UNJ zr_#M^*1Hs|sw|gU+ZmrycV$Y9c3e^Duvd}{Yb!ZyB7PF!iXgEWUI;VnFw76RzP!>v z6%bKxTJPWD74}Lst?=hAispo!h;3JF#K&|SU;s()L1?X7a=iIEX!=MVyKp>B_2isN 
z%%&ZHQ~ow9TmsxJEpeCSAZolSk}P!OX{}2?aW9mL#~##V>aJ;T@3qAV3okN{Iiroy z6GtE)x)?cX&U`#hk{Yrt#!+kFL~SAvdkq!emYm1==MaDJuyjK($34iVDJnic|WD?7`a_{s4aYz?+ zxdBY7R{RaWKD+HtWfKuUTgWhZENpxG{7tb`FKK|bE^2+(>rPQ!) zwTqb6;N;T@%_Rb+i2X0R_)Ls(5k-=yA@9D-R`h1x_bq~PAXsHPfif%LrsXXUm$4f(Lz#?x; z=0(t@BG%QlucpFF0eZ@lH9K#kJ7BXkOH41@%$1VVAvP~7pN`W$q9PSAj%FEL%#)QS z&u7#r>!o`a4-HjPxp>*!<2N<{6NObehFXnlWxS_SO`<=xO_@9j`odbRhCK=M5!veH z+c7#XddFwHl{)TSwXm+x0#)8aT>5b-pRvSdIxo4RHm{!(L>~c~;#b-|0mYY7nwd$6 z4P=i(JBqjbR+ic|TQ`|M2jYQ@F z;9`v1Oszjbf#9j^pJi6on024qF zxR%7NsHZAq_c&B)fj$|U)sY?XgXe{2_;d(vZE}@zH0k9O#=m&jQa6`5864>Z`NId| zos9XfUz#}tiWxn}LXtfU(v`+{^gAEiyPQk~*;!nS4KWaR+3SOYIuwTfVy@wDpGu<>2Ag_)3a~><1c-)%U1{$tNR|@pRawskX3||Of7vMUMb@P z1LL@X9)}NrG8u69*Py1(Nf~vp4CDBB5uW**pwl3s$AuDSlwS!u&u#=63tKA8z$b2!or#5f+!~39U*>^Z#BbAAPy9Cx(m4@|A4j1DON_%G*OI~}s54vTJ z`vqKYYHRd0qI$j{egzBDDaL^_^ri*yT|A=2nlIwpZ^f4TsY^Pc3txygBHKTV6_svGB(;dG>SC9m1YbOVj%lD}7jkAl7 z@n>?L#1ULeg{8>sUa&=G7)!*O#bfc?-hiK`lxFFEnj3ebltJQv-cyVnG4O211Ki}g zjXc*WJGH?i@{#b;w;?~+y)R(?=CdmtOi90Xmd5HR@ zF))ukgU4QyZnx5#P1OLHi3gn9C(a^p$BibaNiO=?_b! zi#mH?{>+axZ>n_n(Z#Nx4pS;zFX;9yL61x3sukVw@Es9%YBwEIFlp|ZD9<^vG&#U{ zXM=+qbU+(14S2?6Vv6I7XP?-1H#fBiu;m^RHDG8|xfPScu(wtZefEW{hCL>b?~aBV z02~|~Vp02Bf$LnnK8~2LR+qkd6)@T2v^$BBeF8ja2;$tD`x$L(x^OxsQlT&TK;$mQ zqwW6n#R5PjSAf{xBjDPv1;D%{#|p3VS-4T|iQCF$3Q{fB5kuXN&f|2Yb!YHi`PDUQ zcxAuR6i3K$rRj{>N=ySvIe4qpx2HZid^{0J3=0?dTc6PTiOe3NxD%VBT6pKH#`Qw6 z()TXe5++cE(YVUZx@kjPfyJ_)tKwGOi9L!5)CIM#mKLVx31&;VY0}Xcl=HR47t5=X z=M{N)EH4@xy8Oh$sdqg&z1+X5R|SLxR$hs49XENh#!fqLCkPljfZn~t{X4!!3CiF9*wwXYqyf z9%Tm!1DJ7K4ZMJo`+27U)3#50TAkW?dsZdms51W?nh#4^Hmxy%X_xLhRr> z)#_9JQpCRs=4F$l3us4r+bs9ON3N{B>~&s`Zqw3$wi;Qn71lyr&|`zGfn(H9O3;{@ zPFLPy@w$o~&V&g4yH_;M&D{>}hSAu3IHR_`GbrrR2*6ER}(fRYJ4W&DP zYupv_rs(_xqfDbJF-*4}RLa!iZ6!iCVwG|HkC(bdHs`>b4kPOEI%v{NWwbomA0_o z?-$S#>^bN0owj*RIt>kIj0Eb`Ho)k#nu$(mySaDT;1cL>mM++tbmD#5# zZI4VM5%7+0K1=!&=|1vl9Ll>3In55^at{E156%k>_OZ1 zx>`0r1S_J6&rR%IRek^i!XgX7!E90obWg{IUrt7*#4i1X#j<-1m}Y2Q$ceq=l?JL! 
z(&#G2J9mHynBu+m?IOW$lT9hjgikz*qrz&zt}7#s4mb`BxtE zzkg(c0OY1E#q8`IDdO?>Hxj^XTArKH41b`Fn2No@pn3R$y2~X~6fR^X2z&;;HXzob zCr9R(EI&XOFJ;nAI~8`cagjTW?G^(A4*3MEnRS#B=jr$?u5jk*CDndsSCb$3ytLt4 z)|KYh2a4Jg-_9tzo_2P8h+0jgVsKa0cIY~B+FAl!)NeN)K>v+HFxiuLvKzC*7@uH}Ik-{5megM%$uUrqZcAXvO4 zX&54HOffjap+I&Sq%73L0}{Rqoi98|dI!esR=Q8Zr{zy-l7-7kUH%D=hF`}ak1^E( zCjvXrWMt_f?y`yW&)PtV?rUI`f_HrRjo>i|6I`k^-zZ+-%EcfB#Dj4&y8SG#_ zUEoYVPT{fS*?r^_hE;eUDYS9&Yx3Sk-&(~Y%;Ouc zhPdjA6{ZVqrgKY>pC)9NL2CHNe`&TJLk(Wx5o&J6aH7I&`|HYvpvwpAItL3s=v|&_ z@!B0jymd+5v4uc=ocNz9->MN6RxidAWaJ|QQ^cHAceHuO^3Pjv=t=;*xT*EITDlS+ zvLz*KOjek2n~$GlzHwH~dVvMR4ukIk*t)R<&0EGMYN>9jZZ7nqwB1iQd?wCXLU@M` zGJ4rs^t3DykhwGF=S^h*jfIr>RD0JYk?!8KU%b0)RHSq zyCQNYhqr>c1zYsIet%&LOx$g}cIav38^!3ovfIEAAB)HKW3(J5aO#YXpY*AJe+WNg z*Ks1$;^pn?`AVi%(A8~^c+A^{k*c;%m*b*!cXYlcR)zSUYktjs=!cH$uLWlNdSKXI zai|TpQF|YMvh6J?MAx@fba~D0tsdB{c;fL`^zm7N*sqt?>(`TP+?9!d>s)OG_e-)I zzRZ&D^!(6y+!V(AI;KOh#bvlSTFo`q|3)|D*E<}4f3CX8)F_DOmPo|`Z3SNZ(k^nP zb5%&I(ku$9jmygibQeJnt?+c9A8-6!v>o~+>$3AhvHM6Y!}4b0X&XsW;x_brJ_bn` z#DC9D_iQIyi~srZcX4|XQvZ=}7#<@q!XWA%kU)=aYxUg2mMH54|59E}U^c{sv6XD2 z!?T;C#AMWtv>rM0U=g2;apoAmULzjAhdUc+=q+N7_|}ddPZC#b-PG00t&^po7j_9y zbwY>YoWi~0J#J;{$YpPitg*Gg}@R;tVe z4^}pJ@MiEmDiCW3;TfaYcvi^trB!(BdSiD4|(okfIQ5 zDq2KnaVJM`XS|Q~uJNBVY`~gfqP3b+BQF*?5MW3gd6WHN$$gxM>_oG|&yoVRv;7>k zJRA9_bBMXrntpOcU12$Oe9G!aSCtf4vinh6%Y9TcJ4@%oTa~KvSNVmysdjxDKxpFG zEkO}S)ClSn%f`~*r`p-JaeT;j%^DThNXaT>i@d9fW^#I|*+M_l+i_@*Ji0?#gJgT; zG5*7$_qUfVcgy@z-`#d&W_w=XGcPS_t$VVmdWMzC{+BqG)5_|1F}Hm@^k3#Nwx^6i z?~=vKF~W@f6PYrIMl-s)Qpu_$wbF8;zO70oEzY-=?IHy>W%20i(+>E4<^CWE0)mBvw_LL5MqxQ;D{cEM)%Z^usHNExGWcg4ws)Xt< z2>Nm?A{@1-=jv{Sn;F9$)kAH4_02X0dM@&3{X0DH?V-QOyG3Ei0%5OJiUM|?rxVhh z_4O%qYiYHxan=ZmDl4A!#PgwLRdRocAM^OI`U`@i=hM17(4vbteO#U7LC{*He2SB1 ze3}HcvlixUNGrkB3N}}>s*Lw=CoAA|HJ3@OCSM)W#nyVgV%1so@niyH`-xH|A1k`3+X%UEgh^ zVGbLhz4mpY6K%}z9mJ*;Ax(^#hIcX$NycK~x}>VFNH~PY>KscLxJW zNn!?*R_Z42Gbtg|1g!AvQ_uDNcs# z{APP(wQw;cV(Sl4L!|5B%PUXlf>&)0MkC*h+Cx7c1*iS$ktEu$1mTszhVaNCk&_dW 
zdDSOrMi0Tclh2`jb~CD=()aDp)hw-IhnMTdcxVw36gSk$V@o*|?}}X{=Z};HA4bFW z(HvGs$mwre9oMSpjGv3W`wrH9A82N82?^?+!pVwPTf^q|??vn+g{xnCB|Qnkw^m(f zWa~KU5!AC?XpzU|=#`Ex&n@g~*p8TAD5(u2coflb6=2tkl3_ih^_j2m>X@1$ z59;W!c`(}>_~haJ)Z&TvNg{0>QaKe%!4IR}e6^i)l|9<-u(s=WqPAP-C6@P3+$s`LUs3U{0!&sX z@j<+g8}g0oyLKXFx$~QdHplQ<8mXfr3eH3$C#Qs|XVVS=X^%1+u9jeU_7~YMy#h@b zgAM%aO2(Tobu%lCtR4nUTM5@5_p@GBtvIW?X6K! z+k-`8PLi#Spq`lzhCymN>fW0*>Cbe8e|n9~%g1!8sk2(mkzHh%%kpq_@vZCms~N** z)tT|UEjBGXFDHa(&lfp_AJ14)C4?;^|GJ+IIA`+6o3E%HMDZzGSsO4h9qyVKCL~8( zDHpTb(tSxaS?KK@eGLf{(887I;$WQrqq#W+`Um5V+`S1#Knfe``ZL?{Wgbxybe4qXNEZzQ|{O#Bc?;SvctAfj7)2n2*&u zzwfP|t63XA97<;E!X@Jx`~123tw<2+l{Fn6(#;$WCw2+RK2)ns`#{U7)#9ux`b)3> z-m=#^b#TPD<8nHje96%i9#Z0XJ*AJyx$h|q@9ALcVX3I^3;LiZJV@;DP-#wktd;(M zKK&g;!qK70#KAZ%3Oz^T)Dd!qxE1Y#hkHp<_&WNV)==YV!pujJSCc|TZ^mDRt>h>! z#9f#`9`vN=e)_XSq>v)ane6k+KHaycq>m~NCY7!1b3FhS4TjHbCH`0q>*X~Cb3W)` zHtX8iuimF^V!)%ScQ}oiq}SgF47WL=D))J?5i|^Bpi$gS3A%tyAB6E!ScGo zUXnlA9y={AY7<;Cl-R-6iYMgWuNV2m6*Cx*TG{@nTlgIn9IYbXb&bYrYj-!xvbi39 zGZaO}NfOfu(0T6O_3`mbeiBFNBSSYnjl4InWwSsooAc*>PHtLm%^f}xh_Sj?oWM~J zdZ1Ad`fe$G@H-@71A-iFsZbCm_^f_)s?cFs}K(*=yO8TgDlAmDU$%Azndz zNwbG>a<0P@;xvQ1S-H9!aTN#_n1#HJ6(bf$ANTacHrC$<3JcYz^wJMkO1M;RwZcVZ zD(82`rUh;}bTkwfK75#U-&y_5yDYn@n1nfmeu3@yc+Yg_C%Z?Gl22?Zj}{QljB`hE z{OwPuzQ{<^u#dkRExw052w`T|(UNgByrJT{+>gG!J67NKdYdF;O_bdj;;qXGV+be*CH308yTC98u?luSAU%%-0%(|j=+~k zD*cW0b`4J1Tz)s+&i_7Oe7D{#3r=J_4i?Y`J40+~z?yF99T*Ah(~<&$O(kgk?vv_c z9~1=^FiV{Ar}JIU#zfM~kBS+1rK}cLr9X0_PG1IDUQVTs&KS(=K&s4so1rI)7r>amUkEBG9-^Ze~7kJRB=)Q&d9a4|`|0l)q%vtj4f^5Us3l8^DU+PP?` zl6*JOt#evZYd^YttE8m+-C+_eDiekESNhpMB42sWraPyXs%LwPr{sh-8sci2q&ohuV(A zPwtA!^DB{H*r&DeK2mi`^Jk1ErwFaSUN5)1;bM-U3_cxIgu`oZU_AK;_KzImeA_Io zH!|w;ci3}EO}DZWj_jRLtbDz#%~S7hiLlNi8sF5>D~R)^tD|dnyP5Ju$_22r$~~(n zhL44a>Ru&jf?@lDzep3Bv!Dir$GNV!{_f}d(QELtgL1)=uMm@WageB4jnj?>QJfx^6!5AObNtuagT8!QuS!0FUfYa-opRW zRff~q!5uGJ&#?}uWgHdC4re>Z;}7orYaCcHewt?8Q`Tik!bkWn3m?VY=RAhDH><Q`?0(%$eE1& zVOn}JZhA?ck%*M?rm2CCWGAhJz!X@aQGnISXJhesNx6Eo9O7tc%U5GRc@KFq?BRZ# 
zgbFFo6$)#R+j+p-L&;U63X z&WcvA3TRcFSfIjSHDNyfVR{LND)5~;h(Y^fyl!TJV-f3R3KfRc*-!N@Y=^Mou($K( zqb0^Y4h&axJR)xxYkAey`hP;NZdOdQA-sll{T){e(bK!Rg0tA&F03`SiO^ICk+uub;qi;hOZNL+lQ0ltdM)(k3 z47#Gk-`ua12tlmZi2m~2P^--Cfpgugs0ydH?9NdCMTmXBck&;t=lF6tbb+`m(6&2NVF;mGCtB`B-z zDNp1R*oL21K9q;vB*xqi1}*{@YWVK)LDC;@v=#(w*mXs&qB}{V2OAjCwkt>&5^D)2F zl>(ulFgJFF6F8ac*;dglYxEj#G=4Sp%sVU%smKD3GH<7!^Y%1ISd^z{o*k<=BB_|Hoo}7@9@;FR13N6nNS5|~# zjW^n91fO7+1qWjGTwj$;qguY0-d*j!?K&1 z&lY#WHuH>k!>&==Ynu&7=-)4IP{5Z5ms{~=tKP3_X--2sX!+P`cV`K9LsgoOr(8YW zyw8lH6lAqsGywEQs`lBuZXi4AAsu5!0n_QhhW^wDAso8vUxD1|7>GFY zVb9N6Fhf9>Q5#LUM+#rPy|ME1Tt2XJ*5!W<<9V=}uPAo-wd)OwHzp3hd;QA_?H%>s=^0rV+;jqO}lN-6qeT3>W8we`5ftKI<% zAkN3q@{jOgRj;i0mfGqsO%wfR$L_}u;+$v|yJ%|;$HhlYK)uU8^`TgK(v8SSt*Vr3 zP#K{E8J`4)QJCImRYextyup*>Vje+r^?N;=VxOGXZ)NYJ=hI;%I%b3tZhm!Z*kzlp zk!+7D{Z`E%s;TR=$Xjc-CsN9YyPtimi2aLw^J_$jy_aF3+{#DqO3ufn?Dsi+{zpq! z9uL*`hQ~e_L!^{!S;j6Q6NXk}Cy6ljU1S-{keIAdlqI{72&HU^VzSE?LUtPal3^HX zFk|L7_5Iz?d(XX}_ng1p=RVJS?|aVqTsQuB+?Pl-oI%hYWNll|4G2Y|*wF<#==b)P z1qFxN_pH?>$MRR+tfr~Gu_hc>(JLV}46G>_blY_hxV^EW%E{kfx$4{`H$VCA#|BO` zzue&Y$gboMM^F~Q{GvzX2-~B-Q_vT|6ZM~0`fz}qdd>tQ75jn8vK>j48N{xS1kBLC zZn+Ra9js~HxaFCl8)AISpEjiOt7x!^C?A#C2o=gs!W&6I6r~$Mt7&n@G1-PKRv%k!05Xn}+DzjMq49ERX3 zf?6W7akd{pxSJlg?gJ*~1vtBv^Yt1j#~n@PGV`pN^0F?wyw!aOSy?&hs&^%LnjhhQ z%+lLIrW6{XfBWad)VefZ>wB?JU2O%GdX3Iiu-5}k~zaka+V>u=6|Xd+=oxkDul zGfx_h+t~CRKCCVooBFWky(|P9f(;?xIHwb<(bX_?+!i`e&Mr4EuqXDhsy@lF`9 z^|8XXogXkZ%fru9T`;PSU5qHPHlFTnFg!hNz_Yp;QNXI<55-PQSHe1`aRnPU}R0} zDCt;cNb5K3)PxU<;{^}m0SpFOHS%^&t2pJeR`kAK3Kk`O3KG1K%cqa#)a)6XoNSl_ z+u2cwa#x=>g>0DPXYNBt-(pJga^(VjH|8|GT2^%{KhemKsi2`qFW5kZQkj!J8^HeR z&bA7z?X6~u#=_)Xm!vTVs_ogKmgoE11r$p2j2G5%%>SkK)Mfhz`yvO$g)M9sC@5b; zL7mU!Q+Q7w3j*tKq0=Tw*s&vB>BK#wWNT8;I&-T8h=owlO)PH4B&8QV(9n-nX;-cG z5fo$gP#fPdF+Iz4=Ep8M&8WFE^%0|KkdQO&3WJO>*j5VeEOuT@@J#-n1Zn+xf=FjN z?{${YzI)D2C0i$u-(FI2V3vj+j~sadz^t$MF1}cCHVGo;jh2|)E>w^SIj3ndo_-Q0 z(xDnp_>>0w6 z$NT95czGx8Mx11Kl5ptpME~8)IH&0YVLi7!UEOMz!Y5wVqFk;gB5 
zZy4g80303YYOh;@+$s%HDPFeA6j64^GxKt1d}!(sAnUh{ylAax(H)o!+8A1g8Ko~} zZ~F9`+i%5c#@@Z_wVZ!bQ?Dxv`43(^EBFMHS1b>dixc3f2VIVB-7;K~IIE|qS1Wo; zWY(_gJfA(uYg7_IM=7`T&bS%ZF*e1tV0a>Nz-u`=kHGA>B19q{71Mf-ZW6#zQC`T@ zZo-C>7c$_WhR(J^b4GxP1OsMnstY?b*UnkkoN2a(RHd%7Js%t;cRi4{Yo3``!WjPn8>mCV$69an zrJ1z3iy_Bn#%AgHH3g&5P8DNN2eWu=n!CR|x>gy)*#V5Xm^#wA! zae%#MI6C*}g8Qd%UVy>dz|cr;$ptfw{wcLnA}h@CNqgQT(bI)@3?E#Ny?%VzN2Q#~ zZNe?jw&Q&uQewWp5{Qkg6LFhX9fM>$h;WCq>hb4;91SvLU;V(7t_XCAdpfSU>FQwk zKUrs$FYPEjI~MHM(71x;dk^7{8~<=SD0u5tu$P<;is%&?HQ)vmgN|gi8JE!o(|7B= zL^>EHI{V82V1$}0d!N?J{7((*_|*1QeCgN(LP!{tD95)P|AUNJ=YUi1Y&g+^Pdeh2 z0_X(>K@Q9Ial+4`#ftj^;GZ|6;$ccYiyvqdT-muMm!%G$=$*0+UdaQX8>3d|b~A zz@B3Rz&PL--NwF820e}5@Sl5YdGz5hFjQ0S)2MH@DAxt~lTrdwQm6VZT(GES5q5iN zaaaju4X)vVr+7%0Ywa!lo=lZ4wG(1T7YPCMxFxwbF!0LxfF6a^q=d`s9A?6&U-OS;6CnMopz zPFUrLb93>n{+O1}E)+%FPT0B;Q^0)Zib0&YWQKfE$)nEJJ^s(H;Pegr9M3#s28yeM zmx~N>9p73K)7pAj+Xfk05Z8E^{}>!0NENo94)9@krL2RjBw;q~pu?AB>3kInk^^jp zCgQoFKqHtgPOdGWiW{mq8~x+ZX`;a)9HAHZn5ox99iip4>4xU(7pFQk{qWaNjNPmg z1H+d0nb$L#maO{0=)7OtY!fg)$|mM5ruiX0Vlzx5vrgCR1(3E0^+dU*hq@+;4on^7hX`{0>98@n`Pv`qy^MXn5HK$b?87 z*nZp^ov01%U(GQEfK))Bj@DMtpsvdeQJuu));A$wRjDA@mQh7sxa{-DFjG~4ek^ln(kc1c$2gVe5b5d3MP}|ubatkTFPU?rS zfgUO*=p2o7U*ZB?4w85L&Q70tR?IIhFP*1t$CCnh#fPw=U$K0^)H3q-X5}Fv4oaK= z$GT8?FwcqzU4yiC3LUxLiFyb8BJ z)@fJkRc1IwC6lGj&XE6vcn{t0dQ$=4_gH^O4$j08A-8kIm1*+fxJaR4k&MD-^0z2r zj-U3Wg~oKw(;w)B4)Qr*q*IuXInbi)bbn zQgu6L^*gOTB^EWx2$MC47ua{bmp5L1LGFTt*?mCyNl`dW;KfB*qDw(#1kNOOLS^3`r-MlwEr69E;2iuDvSwJrV z)#0WN>g`)!b8J8Fd8_@Wb{j};{KD}XW|4lLjr1wc`Pus~NZ6x5Oyhn2uB8|N;&@*7 zY-Uh3Jq+m>m&5m=0lf}dt=u}u?efb~Befwy+mB!r^7JXd^aL(wdW9L1H+35zm3I!{ z?e1@FD%?X{el%>06R}qFW3@74=?lfjbQ%WLTOoBH^4M{-pui;w&&5*u^L7nS5D(8E zi!rs_ZC9FfMTXf=6Hhta5vcraWu8nekH#>5j_#C`#hzcmxk&SiLFS`0uixm?1Q2U} z$XJH1!kq1gUR2F$zo`K~uNC^mck3b)$c;#4R$^VLVvtVSWx6M(CzucH7d}Mg>!jUzym!)G0e2>6m*OZ`TA`Q+pYVHDl@rKgYjERx(6K0+`4u z`7;?;a-Ck)_s%u~xAxBOw}j>w+V22LgMW>%?DpB)P`|6O&aR48Ra9{O z9lMqZ9lJ}rnZ>;}59cRb5m}gK&}D{YT?q!f^exBk+8X$)Z>2F=TDNvDFSTCj@)-M% 
z`Gd@5l^7hkDZ%4m%9J^b9W6T=CO_2BOkqlZrYt*fzoG}pN9o32QKDO&vUW~` z)PGOjKab!|2;jf2zwK57I$&==-Kwq4HMi7w90Pmc{(xP@dv~!55EL9dKs0b4PvV!O f`~D9SR_PbBz8UL + + diff --git a/windows/security/identity-protection/hello-for-business/images/smartcard.svg b/windows/security/identity-protection/hello-for-business/images/smartcard.svg new file mode 100644 index 0000000000..c9d40368b5 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/smartcard.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md new file mode 100644 index 0000000000..e04516cb89 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md 
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Allow enumeration of emulated smart card for all users
+
+Windows prevents users on the same device from enumerating provisioned Windows Hello for Business credentials for other users. If you enable this policy setting, Windows allows all users of the device to enumerate all Windows Hello for Business credentials, but still require each user to provide their own factors for authentication. If you disable or don't configure this policy setting, Windows doesn't allow the enumeration of provisioned Windows Hello for Business credentials for other users on the same device.
+
+This policy setting is designed for a single user who enrolls *privileged* and *nonprivileged* accounts on a single device. The user owns both credentials, which enable them to sign-in using nonprivileged credentials, but can perform elevated tasks without signing-out. This policy setting is incompatible with Windows Hello for Business credentials provisioned when the *Turn off smart card emulation* policy setting is enabled.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md
new file mode 100644
index 0000000000..c016b07329
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Configure device unlock factors
+
+Configure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified.
+
+If you enable this policy setting, the user must use one factor from each list to successfully unlock. If you disable or don't configure this policy setting, users can continue to unlock with existing options.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/`[DeviceUnlock](/windows/client-management/mdm/passportforwork-csp#devicedeviceunlock) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+For more information about multi-factor unlock, see [Multi-factor unlock with Windows Hello for Business](/windows/security/identity-protection/hello-for-business/multi-factor-unlock).
diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md
new file mode 100644
index 0000000000..2105978133
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Configure dynamic lock factors
+
+Configure a comma separated list of signal rules in the form of xml for each signal type.
+
+- If you enable this policy setting, the signal rules are evaluated to detect user absence and automatically lock the device
+- If you disable or don't configure the setting, users can continue to lock with existing options
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/DynamicLock/`[DynamicLock](/windows/client-management/mdm/passportforwork-csp#devicedynamiclock) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md
new file mode 100644
index 0000000000..f03858b9a3
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Configure enhanced anti-spoofing
+
+This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
+
+- If you enable this setting, Windows requires to use enhanced anti-spoofing for face authentication
+ > [!IMPORTANT]
+ > This disables face authentication on devices that don't support enhanced anti-spoofing.
+- If you disable or don't configure this setting, Windows doesn't require enhanced anti-spoofing for face authentication
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[FacialFeaturesUseEnhancedAntiSpoofing](/windows/client-management/mdm/passportforwork-csp#devicebiometricsfacialfeaturesuseenhancedantispoofing) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md
new file mode 100644
index 0000000000..af71e0d820
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Enable ESS with supported peripherals
+
+Enhanced Sign-in Security (ESS) adds a layer of security to biometric data by using specialized hardware and software components, for example Virtualization Based Security (VBS) and Trusted Platform Module 2.0.
+With ESS, Windows Hello biometric (face and fingerprint) template data and matching operations are isolated to trusted hardware or specified memory regions, and the rest of the operating system can't access or tamper with them. Since the channel of communication between the sensors and the algorithm is also secured, it's impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.
+
+If you enable this policy, you can configure the following values:
+
+- `0`: ESS is enabled with peripheral or built-in non-ESS sensors. Authentication operations of peripheral Windows Hello capable devices are allowed, subject to current feature limitations. ESS is enabled on devices with a mixture of biometric devices, such as an ESS-capable fingerprint reader and a non-ESS capable camera. Therefore, this setting is not recommended
+- `1`: ESS is enabled without peripheral or built-in non-ESS sensors. Authentication operations of any peripheral biometric device are blocked and not available for Windows Hello. This setting is recommended for highest security
+
+If you disable or not configure this setting, then non-ESS sensors are blocked on the ESS device.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[EnableESSwithSupportedPeripherals](/windows/client-management/mdm/passportforwork-csp#devicebiometricsenableesswithsupportedperipherals) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+For more information, see [How does Enhanced Sign-in Security protect biometric data](windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#how-does-enhanced-sign-in-security-protect-biometric-data).
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md
new file mode 100644
index 0000000000..5a4ee75582
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Expiration
+
+This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0.
+
+The default value is 0.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**|
diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md
new file mode 100644
index 0000000000..dcb91ed8fe
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/history.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### History
+
+This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enhances security by ensuring that old PINs are not reused continually. The value must be between 0 to 50 PINs. If this policy is set to 0, then storage of previous PINs is not required.
+
+The default value is 0.
+
+> [!NOTE]
+> PIN history is not preserved through PIN reset.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md
new file mode 100644
index 0000000000..3a80b11d1f
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Maximum PIN length
+
+Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127.
+
+> [!NOTE]
+> If the above specified conditions for the maximum PIN length aren't met, default values are used for both the maximum and minimum PIN lengths.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitymaximumpinlength](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitymaximumpinlength)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitymaximumpinlength](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitymaximumpinlength) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md
new file mode 100644
index 0000000000..bfd8a64450
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Minimum PIN length
+
+Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+If you configure this policy setting, the PIN length must be greater than or equal to this number.
+If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 6.
+
+> [!NOTE]
+> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityminimumpinlength](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityminimumpinlength)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityminimumpinlength](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityminimumpinlength)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-digits.md b/windows/security/identity-protection/hello-for-business/includes/require-digits.md
new file mode 100644
index 0000000000..e1e33b9c09
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-digits.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Require digits
+
+Use this policy setting to configure the use of digits in the PIN:
+
+- If you enable this policy setting, Windows requires the user to include at least one digit in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include digits in their PINs
+- If you don't configure this policy setting, Windows allows, but doesn't require, digits in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitydigits](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitydigits](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitydigits) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md
new file mode 100644
index 0000000000..84efa4f875
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Require lowercase letters
+
+Use this policy setting to configure the use of lowercase letters in the PIN:
+
+- If you enable this policy setting, Windows requires the user to include at least one lowercase letter in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include lowercase letters in their PIN
+- If you don't configure this policy setting, Windows allows, but doesn't require, lowercase letters in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitylowercaseletters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitylowercaseletters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitylowercaseletters) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md
new file mode 100644
index 0000000000..b7a73e5e27
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Require special characters
+
+Scope: Machine
+
+Use this policy setting to configure the use of special characters in the PIN. Special characters include the following set:
+
+``` text
+! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
+```
+
+- If you enable this policy setting, Windows requires the user to include at least one special character in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include special characters in their PIN
+- If you don't configure this policy setting, Windows allows, but doesn't require, special characters in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityspecialcharacters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityspecialcharacters)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityspecialcharacters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityspecialcharacters) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md
new file mode 100644
index 0000000000..b807281de3
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Require uppercase letters
+
+Use this policy setting to configure the use of uppercase letters in the PIN:
+
+- If you enable this policy setting, Windows requires the user to include at least one uppercase letter in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include uppercase letters in their PIN
+- If you don't configure this policy setting, Windows allows, but doesn't require, uppercase letters in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityuppercaseletters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityuppercaseletters)

      `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityuppercaseletters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityuppercaseletters) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md
new file mode 100644
index 0000000000..052aff148e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Turn off smart card emulation
+
+Windows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled applications.
+
+- If you enable this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials that are not compatible with smart card applications
+- If you disable or don't configure this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card applications
+
+> [!IMPORTANT]
+> This policy affects Windows Hello for Business credentials at the time of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an existing credential, enable this policy setting and select *I forgot my PIN* from Settings.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md
new file mode 100644
index 0000000000..28f22a1ccb
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use a hardware security device
+
+A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it can't be used on other devices.
+
+- If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude TPM revision 1.2 modules, which prevents Windows Hello for Business provisioning on those devices
+ > [!TIP]
+ > The TPM 1.2 specification only allows the use of RSA and the SHA-1 hashing algorithm. TPM 1.2 implementations vary in policy settings, which may result in support issues as lockout policies vary. It's recommended to exclude TPM 1.2 devices from Windows Hello for Business provisioning.
+-If you disable or don't configure this policy setting, the TPM is still preferred, but all devices can provision Windows Hello for Business using software if the TPM is nonfunctional or unavailable.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[RequireSecurityDevice](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesrequiresecuritydevice)

      `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/`[TPM12](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesexcludesecuritydevicestpm12) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md
new file mode 100644
index 0000000000..703728a97a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use biometrics
+
+Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a PIN to use in case of failures.
+
+- If you enable or don't configure this policy setting, Windows Hello for Business allows the use biometric gestures
+- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures
+
+> [!NOTE]
+> Disabling this policy prevents the user of biometric gestures on the device for all account types.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[UseBiometrics](/windows/client-management/mdm/passportforwork-csp#devicebiometricsusebiometrics) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md
new file mode 100644
index 0000000000..26050f2673
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use certificate for on-premises authentication
+
+Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication.
+
+- If you enable this policy setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication
+- If you disable or don't configure this policy setting, Windows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseCertificateForOnPremAuth](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusecertificateforonpremauth)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**

      **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**|
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md
new file mode 100644
index 0000000000..fef51d3a9e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use cloud trust for on-premises authentication
+
+Use this policy setting to configure Windows Hello for Business to use the cloud Kerberos trust model.
+
+- If you enable this policy setting, Windows Hello for Business uses a Kerberos ticket retrieved from authenticating to Microsoft Entra ID for on-premises authentication
+- If you disable or don't configure this policy setting, Windows Hello for Business uses a key or certificate (depending on other policy settings) for on-premises authentication
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseCloudTrustForOnPremAuth](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusecloudtrustforonpremauth) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+> [!NOTE]
+> Cloud Kerberos trust is incompatible with certificate trust. If the certificate trust policy setting is enabled, it takes precedence over this policy setting.
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md
new file mode 100644
index 0000000000..0b57fbe090
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use PIN recovery
+
+PIN Recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service, without losing any associated credentials or certificates, including any keys associated with the user's personal accounts on the device.
+
+To achieve this, the PIN recovery service encrypts a recovery secret, which is stored on the device, and requires both the PIN recovery service and the device to decrypt.
+
+PIN recovery requires the user to perform multi-factor authentication to Microsoft Entra ID.
+
+- If you enable this policy setting, Windows Hello for Business uses the PIN recovery service
+- If you disable or don't configure this policy setting, Windows doesn't create or store the PIN recovery secret. If the user forgets their PIN, they must delete their existing PIN and create a new one, and they must re-register with any services to which the old PIN provided access
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesenablepinrecovery) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+For more information, see [PIN reset](../pin-reset.md).
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md
new file mode 100644
index 0000000000..78d0919383
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use Windows Hello for Business certificates as smart card certificates
+
+This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
+
+- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key
+- If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key
+
+This policy setting is incompatible with Windows Hello for Business credentials provisioned when [Turn off smart card emulation](/windows/security/identity-protection/hello-for-business/policy-settings#turn-off-smart-card-emulation) is enabled.
+
+| | Path |
+|--|--|
+| **CSP** | ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/[UseHelloCertificatesAsSmartCardCertificates](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusehellocertificatesassmartcardcertificates) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
new file mode 100644
index 0000000000..1dac6ae92b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/19/2023
+ms.topic: include
+---
+
+### Use Windows Hello for Business
+
+- If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users
+- If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user
+- If you don't configure this policy setting, users can provision Windows Hello for Business
+
+Select the option *Don't start Windows Hello provisioning after sign-in* when you use a third-party solution to provision Windows Hello for Business:
+
+- If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
+- If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork)

      `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)| +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**

      **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**|
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index e0be2b5b93..0d3b30f8ac 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -4,19 +4,26 @@ description: Learn how Windows Hello for Business replaces passwords with strong ms.topic: overview ms.date: 04/24/2023 --- + + + # Windows Hello for Business Overview Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN. ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - Windows Hello addresses the following problems with passwords: -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](/previous-versions/dotnet/netframework-4.0/aa738652(v=vs.100)). -- Users can inadvertently expose their passwords due to phishing attacks. +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites +- Server breaches can expose symmetric network credentials (passwords) +- Passwords are subject to replay attacks +- Users can inadvertently expose their passwords due to phishing attacks Windows Hello lets users authenticate to: 
@@ -37,7 +44,7 @@ As an administrator in an enterprise or educational organization, you can create - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards. - **Iris Recognition**. This type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner. These iris scanners are the same across all HoloLens 2 devices. -Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. ## The difference between Windows Hello and Windows Hello for Business 
@@ -64,49 +71,165 @@ Windows Hello helps protect user identities and user credentials. Because the us [!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)] -## How Windows Hello for Business works: key points +## Hardware requirements -- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. +We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: -- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account. +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy. +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. 
-- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. +### Fingerprint sensor requirements -- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures. -- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. +**Acceptable performance range for small to large size touch sensors** -- Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- False Accept Rate (FAR): <0.001 - 0.002% -- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% -For details, see [How Windows Hello for Business works](hello-how-it-works.md). 
+**Acceptable performance range for swipe sensors** -## Comparing key-based and certificate-based authentication +- False Accept Rate (FAR): <0.002% -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Microsoft Entra ID as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% -Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md). +### Facial recognition sensors -## Learn more +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). 
-[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/insidetrack/implementing-strong-user-authentication-with-windows-hello-for-business) +- False Accept Rate (FAR): <0.001% -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/insidetrack/implementing-windows-hello-for-business-at-microsoft) +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% -[Windows Hello for Business: Authentication](https://youtu.be/WPmzoP_vMek): In this video, learn about Windows Hello for Business and how it's used to sign-in and access resources. +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% -[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication) +> [!NOTE] +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. 
-## Related articles +### Iris recognition sensor requirements -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. + + + + +# Why a PIN is better than an online password + +Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. 
+ +:::row::: + :::column span="1"::: + **A PIN is tied to a device** + :::column-end::: + :::column spna="3"::: + One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it's set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too. The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. +:::row-end::: +:::row::: + :::column span="1"::: + **A PIN is local to the device** + :::column-end::: + :::column spna="3"::: + An online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server. + + When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server. + + Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section. +:::row-end::: +:::row::: + :::column span="1"::: + **A PIN is backed by hardware** + :::column-end::: + :::column spna="3"::: + The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. 
+ + User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. + + The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. +:::row-end::: + +## What if someone steals the device? + +To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. + + +## Why do you need a PIN to use biometrics? + +Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. + +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello. + + diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md similarity index 82% rename from windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md rename to windows/security/identity-protection/hello-for-business/multifactor-unlock.md index a99c25dc3c..23cbfc828e 100644 
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
@@ -1,9 +1,10 @@
 ---
 title: Multi-factor unlock
-description: Learn how Windows offers multi-factor device unlock by extending Windows Hello with trusted signals.
-ms.date: 03/30/2023
+description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
+ms.date: 12/19/2023
 ms.topic: how-to
 ---
+
 # Multi-factor unlock
 
 Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
@@ -331,35 +332,66 @@ The following example configures **Wi-Fi** as a trusted signal. ``` -## Deploy Multifactor Unlock +## Configure multi-factor unlock ->[!IMPORTANT] ->You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). +To configure multi-factor unlock you can use: -### Create the Multifactor Unlock Group Policy object - -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +- Microsoft Intune/CSP +- Group policy >[!IMPORTANT] > > - PIN **must** be in at least one of the groups > - Trusted signals **must** be combined with another credential provider -> - You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both -> - The multifactor unlock feature is also supported via the Passport for Work CSP. For more information, see [Passport For Work CSP](/windows/client-management/mdm/passportforwork-csp). +> - You can't use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in bothcategories, it means it can satisfy either category, but not both -1. Start the **Group Policy Management Console** (`gpmc.msc`). -1. Expand the domain and select the **Group Policy Object** node in the navigation pane. -1. Right-click **Group Policy object** and select **New**. -1. Type *Multifactor Unlock* in the name box and select **OK**. -1. In the content pane, right-click the **Multifactor Unlock** Group Policy object and select **Edit**. -1. In the navigation pane, expand **Policies** under **Computer Configuration**. -1. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. - ![Group Policy Editor.](images/multifactorUnlock/gpme.png) -1. In the content pane, open **Configure device unlock factors**. Select **Enable**. The **Options** section populates the policy setting with default values. - ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png) -1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors). -1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider). -1. Select **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | +|--|--| +| **Administrative Templates** > **Windows Hello for Business** | Device Unlock Plugins | + +1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors) +1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1]. 
+ +| Setting | +|--------| +| ./Device/Vendor/MSFT/PassportForWork/[DeviceUnlock](/windows/client-management/mdm/passportforwork-csp#devicedeviceunlock)| + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | Configure device unlock factors | Enabled | + +1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors) +1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +--- + +>[!IMPORTANT] +>You should remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). + +## User experience + +Here's a brief video showing the user experience when multi-factor unlock is enabled: + +1. The user first signs in with fingerprint + Bluetooth-paired phone +1. The user then signs in with fingerprint + PIN + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=2bdf21db-30c9-4d8e-99ff-f3ae72c494fe alt-text="Video showing the user experience of multi-factor unlock using fingerprint+Bluetooth and fingerprint+PIN."] ## Troubleshoot 
@@ -374,3 +406,8 @@ Multi-factor unlock writes events to event log under **Application and Services
 |6520|Warning event|
 |7520|Error event|
 |8520|Success event|
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[INT-1]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/identity-protection/hello-for-business/pin-reset.md b/windows/security/identity-protection/hello-for-business/pin-reset.md
index 1b06da1cd6..4515fd054f 100644
--- a/windows/security/identity-protection/hello-for-business/pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/pin-reset.md
@@ -38,8 +38,6 @@ The following table compares destructive and nondestructive PIN reset:
 |**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.|
 |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
-
-
 ## Enable the Microsoft PIN Reset Service in your Microsoft Entra tenant
 Before you can use nondestructive PIN reset, you must register two applications in your Microsoft Entra tenant:
@@ -176,8 +174,6 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
 +----------------------------------------------------------------------+
 ```
-
-
 ## Configure allowed URLs for federated identity providers on Microsoft Entra joined devices
 **Applies to:** Microsoft Entra joined devices
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
new file mode 100644
index 0000000000..5944796aac
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -0,0 +1,85 @@
+---
+title: Windows Hello for Business policy settings
+description: Learn about the policy settings to configure Configure Windows Hello for Business.
+ms.topic: reference
+ms.date: 12/19/2023
+---
+
+# Windows Hello for Business policy settings
+
+The list of settings is sorted alphabetically and organized in four categories:
+
+- **Feature settings**: used to enable Windows Hello for Business and configure basic options
+- **PIN setting**: used to configure PIN authentication, like PIN complexity and recovery
+- **Biometric setting**: used to configure biometric authentication
+- **Smart card settings**: used to configure smart card authentication used in conjunction with Windows Hello for Business
+
+Select one of the tabs to see the list of available settings:
+
+# [:::image type="icon" source="images/hello.svg"::: **Feature settings**](#tab/feature)
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Configure device unlock factors](#configure-device-unlock-factors)|✅|✅|
+|[Configure dynamic lock factors](#configure-dynamic-lock-factors)|✅|✅|
+|[Use a hardware security device](#use-a-hardware-security-device)|✅|✅|
+|[Use certificate for on-premises authentication](#use-certificate-for-on-premises-authentication)|✅|✅|
+|[Use cloud (Kerberos) trust for on-premises authentication](#use-cloud-trust-for-on-premises-authentication)|✅|✅|
+|[Use Windows Hello for Business](#use-windows-hello-for-business)|✅|✅|
+
+[!INCLUDE [configure-device-unlock-factors](includes/configure-device-unlock-factors.md)]
+[!INCLUDE [configure-dynamic-lock-factors](includes/configure-dynamic-lock-factors.md)]
+[!INCLUDE [use-a-hardware-security-device](includes/use-a-hardware-security-device.md)]
+[!INCLUDE [use-certificate-for-on-premises-authentication](includes/use-certificate-for-on-premises-authentication.md)]
+[!INCLUDE [use-cloud-trust-for-on-premises-authentication](includes/use-cloud-trust-for-on-premises-authentication.md)]
+[!INCLUDE 
[use-windows-hello-for-business](includes/use-windows-hello-for-business.md)]
+
+# [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
+
+|Setting Name|CSP|GPO|
+|-|-|-|-|
+|[Expiration](#expiration)|✅|✅|
+|[History](#history)|✅|✅|
+|[Maximum PIN length](#maximum-pin-length)|✅|✅|
+|[Minimum PIN length](#minimum-pin-length)|✅|✅|
+|[Require digits](#require-digits)|✅|✅|
+|[Require lowercase letters](#require-lowercase-letters)|✅|✅|
+|[Require special characters](#require-special-characters)|✅|✅|
+|[Require uppercase letters](#require-uppercase-letters)|✅|✅|
+
+[!INCLUDE [expiration](includes/expiration.md)]
+[!INCLUDE [history](includes/history.md)]
+[!INCLUDE [maximum-pin-length](includes/maximum-pin-length.md)]
+[!INCLUDE [minimum-pin-length](includes/minimum-pin-length.md)]
+[!INCLUDE [require-digits](includes/require-digits.md)]
+[!INCLUDE [require-lowercase-letters](includes/require-lowercase-letters.md)]
+[!INCLUDE [require-special-characters](includes/require-special-characters.md)]
+[!INCLUDE [require-uppercase-letters](includes/require-uppercase-letters.md)]
+[!INCLUDE [use-pin-recovery](includes/use-pin-recovery.md)]
+
+# [:::image type="icon" source="images/fingerprint.svg"::: **Biometric settings**](#tab/bio)
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Configure enhanced anti-spoofing](#configure-enhanced-anti-spoofing)|✅|✅|
+|[Enable ESS with Supported Peripherals](#enable-ess-with-supported-peripherals)|✅|✅|
+|[Use biometrics](#use-biometrics)|✅|✅|
+
+[!INCLUDE [configure-enhanced-anti-spoofing](includes/configure-enhanced-anti-spoofing.md)]
+[!INCLUDE [enable-ess-with-supported-peripherals](includes/enable-ess-with-supported-peripherals.md)]
+[!INCLUDE [use-biometrics](includes/use-biometrics.md)]
+
+
+# [:::image type="icon" source="images/smartcard.svg"::: **Smart card settings**](#tab/smartcard)
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Turn off smart card emulation](#turn-off-smart-card-emulation)|❌|✅|
+|[Allow enumeration of 
emulated smart card for all users](#allow-enumeration-of-emulated-smart-card-for-all-users)|❌|✅|
+|[Use Windows Hello for Business certificates as smart card certificates](#use-windows-hello-for-business-certificates-as-smart-card-certificates)|✅|✅|
+
+
+[!INCLUDE [allow-enumeration-of-emulated-smart-card-for-all-users](includes/allow-enumeration-of-emulated-smart-card-for-all-users.md)]
+[!INCLUDE [turn-off-smart-card-emulation](includes/turn-off-smart-card-emulation.md)]
+[!INCLUDE [use-windows-hello-for-business-certificates-as-smart-card-certificates](includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md)]
+---
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index f3b6b984fe..6a84e6ea32 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -271,16 +271,7 @@ Here's a brief video showing the user experience from a Microsoft Entra joined d
 While users appreciate the convenience of biometrics, and administrators value the security, you might experience compatibility issues with applications and Windows Hello for Business certificates. In such scenarios, you can deploy a policy setting to revert to the previous behavior for the users needing it.
-### Use Windows Hello for Business certificates as smart card certificates
-
-If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
-
-If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates. Biometric factors are available when a user is asked to authorize the use of the certificate's private key.
-
-| | Path |
-|--|--|
-| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseHelloCertificatesAsSmartCardCertificates][WIN-1]|
-| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 61aa6291c3..07ac2257d1 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -1,40 +1,25 @@
 items:
 - name: Overview
   href: index.md
-- name: Concepts
-  expanded: true
-  items:
-  - name: Why a PIN is better than a password
-    href: hello-why-pin-is-better-than-password.md
-  - name: Windows Hello biometrics in the enterprise
-    href: hello-biometrics-in-enterprise.md
-  - name: How Windows Hello for Business works
-    href: hello-how-it-works.md
-- name: Plan a Windows Hello for Business deployment
-  href: hello-planning-guide.md
+- name: How Windows Hello for Business works
+  href: how-it-works.md
+- name: Windows Hello for Business planning guide
+  href: deploy/index.md
+- name: Configure Windows Hello for Business
+  href: configure.md
 - name: Deployment guides
   href: deploy/toc.yml
-- name: How-to Guides
+- name: How-to-guides
   items:
-  - name: Prepare people to use Windows Hello
-    href: hello-prepare-people-to-use.md
-  - name: Manage Windows Hello for Business in your organization
-    href: hello-manage-in-organization.md
-  - name: Windows Hello and password changes
-    href: hello-and-password-changes.md
-- name: Windows Hello for Business features
-  items:
-  - name: PIN reset
+  - name: Configure PIN reset
     href: pin-reset.md
-  - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
-    href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
-  - name: Dual enrollment
+  - name: Configure dual enrollment
     href: hello-feature-dual-enrollment.md
-  - name: Dynamic Lock
+  - name: Configure dynamic lock
     href: hello-feature-dynamic-lock.md
-  - name: Multi-factor Unlock
-    href: feature-multifactor-unlock.md
-  - name: Remote desktop (RDP) sign-in
+  - name: Configure multi-factor unlock
+    href: multifactor-unlock.md
+  - name: Configure remote desktop (RDP) sign-in
     href: rdp-sign-in.md
 - name: Troubleshooting
   items:
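Review bot: Five pages leave the TOC in this hunk with no replacement entry (hello-why-pin-is-better-than-password.md, hello-biometrics-in-enterprise.md, hello-prepare-people-to-use.md, hello-manage-in-organization.md, hello-and-password-changes.md) and several hrefs are renamed (hello-how-it-works.md to how-it-works.md, hello-planning-guide.md to deploy/index.md, feature-multifactor-unlock.md to multifactor-unlock.md, plus the hello-how-it-works-*.md reference pages in the next hunk). If the old files are deleted, each old path needs a redirect entry so existing inbound links and bookmarks keep resolving; if they remain, they become orphaned pages the TOC no longer surfaces. The diffstat in this view is truncated, so I could not confirm from the patch which of the two applies. On wording, the new label `How-to-guides` is hyphenated unlike the sibling `Deployment guides`; `- name: How-to guides` would match the other top-level entries.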
@@ -44,14 +29,18 @@ items:
     href: hello-errors-during-pin-creation.md
 - name: Reference
   items:
+  - name: Windows Hello for Business policy settings
+    href: policy-settings.md
   - name: How Windows Hello for Business provisioning works
-    href: hello-how-it-works-provisioning.md
+    href: how-it-works-provisioning.md
   - name: How Windows Hello for Business authentication works
-    href: hello-how-it-works-authentication.md
+    href: how-it-works-authentication.md
   - name: WebAuthn APIs
     href: webauthn-apis.md
+  - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
+    href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
   - name: Technology and terminology
-    href: hello-how-it-works-technology.md
+    href: glossary.md
   - name: Frequently Asked Questions (FAQ)
     href: hello-faq.yml
   - name: Windows Hello for Business videos
