" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 609418021a..05a3850953 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 11/15/2019
@@ -37,5 +37,5 @@ When creating policies for use with Windows Defender Application Control (WDAC),
| **AllowAll.xml** | This example policy is useful when creating a block list policy. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **DenyAllAudit.xml** | This example policy should only be deployed in audit mode and can be used to audit all binaries running on critical systems or to comply with regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [DGSS in the Microsoft Store for Business](https://businessstore.microsoft.com/manage/settings/devices) |
+| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service Nuget Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM), formerly known as System Center Configuration Manager, can deploy a policy to a device using MEMCM's built-in integration with WDAC and then copy the resulting policy XML to use as a custom base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
\ No newline at end of file
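Review bot: the Location column for the DGSS row now links to the NuGet package page rather than a path like the other rows, so say where DefaultPolicy.xml ends up once the `Microsoft.Acs.Dgss.Client` package is installed (or how the client produces it); the ms.date in the hunk above stays at 11/15/2019 and should be bumped with this change. The deployment TOC later in this series still lists "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business", so check that page does not need the same Store-for-Business to NuGet update. The file also still ends without a trailing newline (`\ No newline at end of file`) while the other files in this series get one.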
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index ad0435d8f2..a88fc053c0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -123,14 +123,11 @@ S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550;
When generating filepath rules using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
-Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\\*` would include `C:\foo\\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
The use of macros is also supported and useful in scenarios where the system drive is different from the `C:\` drive. Supported macros: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
-
-> [!NOTE]
-> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
+Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\*` would include `C:\foo\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
The use of macros is also supported and useful in scenarios where the system drive is different from the `C:\` drive. Supported macros: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
## Windows Defender Application Control filename rules
-File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. For instance, an LOB or production application and its binaries (eg. DLLs) may all share the same product name. This allows users to easily create targeted policies based on the Product Name filename rule level.
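Review bot: the NOTE about not being able to combine path-based ALLOW rules with DENY rules in one policy is removed without a replacement; if the bug is fixed, say in which Windows build (readers on older builds will still hit it), and if it is not, it belongs in the operations/known-issues.md that a later patch in this series creates. Two smaller issues in the same hunk: the `+` line "File name rule levels provide administrators to specify..." is identical to the `-` line it replaces, so this is a whitespace-only change, and since the line is touched anyway the grammar should become "allow administrators to specify the file attributes on which to base a file name rule"; and "The use of macros is also supported..." appears as context both before and after the re-added wildcard paragraph, so confirm the resulting file does not state it twice. The `C:\\*` to `C:\*` fix is correct, since backslashes inside inline code are literal and the old form rendered two.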
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index c3397bfba4..1e62bae47a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -59,7 +59,7 @@ Enterprises should deploy and install all application updates using the managed
In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer.
Proper review for functionality and security should be performed for the application before using this method.
-- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
+- [Packaged apps (MSIX)](https://docs.microsoft.com/windows/msix/) deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See how to [manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md).
- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic.
In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer.
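Review bot: the new MSIX link uses an absolute `https://docs.microsoft.com/windows/msix/` URL while the other doc links in this series are root-relative (for example `/windows/security/threat-protection/device-guard/memory-integrity`); use `/windows/msix/` so the link survives a host change. The cross-reference to manage-packaged-apps-with-windows-defender-application-control.md is the right pointer for the separate authorization the sentence calls for.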
From 8a2e120cf09596b12dd4f22f2d47c5b5fc291e0e Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Wed, 14 Apr 2021 13:24:52 +0500
Subject: [PATCH 03/20] Modification in Steps
There were a few steps recommended by the user to fit in the document and make the document more clear. I have added a few of the recommendations based on the tests.
Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8557
---
...-a-windows-10-device-automatically-using-group-policy.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 45373ce3f7..66f5549e6a 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -203,11 +203,11 @@ Requirements:
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
-5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
+5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**.
If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
-6. Restart the Domain Controller for the policy to be available.
+6. Wait for the SYSVOL DFSR replication to be completed and then restart the Domain Controller for the policy to be available.
This procedure will work for any future version as well.
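Review bot: step 5 in its new form tells the reader to copy the PolicyDefinitions folder to a path that already ends in `\PolicyDefinitions`, which yields `...\policies\PolicyDefinitions\PolicyDefinitions`; either say "copy the contents of the PolicyDefinitions folder to ..." or make the target `\\contoso.com\SYSVOL\contoso.com\policies`. Inside bold markdown the leading `\\` of the UNC path is an escaped backslash and renders as a single one, so put the path in a code span, and label `contoso.com` as a placeholder for the reader's own domain. For step 6, waiting for SYSVOL replication is the right addition, but confirm a domain controller restart is still needed once the central store has replicated; if it is, say which DC.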
@@ -279,4 +279,4 @@ To collect Event Viewer logs:
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
-- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
\ No newline at end of file
+- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
From 4cd601517cc624dc703c85194f962cd1b6f3c795 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 16 Apr 2021 22:12:18 +0500
Subject: [PATCH 04/20] Update policy-configuration-service-provider.md
---
.../policy-configuration-service-provider.md | 22 +++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 97803c60b7..64caa2be1e 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -57,12 +57,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operation is Get.
-**Policy/Config/***AreaName*
+**Policy/Config/_AreaName_**
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
Supported operations are Add, Get, and Delete.
-**Policy/Config/***AreaName/PolicyName*
+**Policy/Config/_AreaName/PolicyName_**
Specifies the name/value pair used in the policy.
The following list shows some tips to help you when configuring policies:
@@ -81,12 +81,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operation is Get.
-**Policy/Result/***AreaName*
+**Policy/Result/_AreaName_**
The area group that can be configured by a single technology independent of the providers.
Supported operation is Get.
-**Policy/Result/***AreaName/PolicyName*
+**Policy/Result/_AreaName/PolicyName_**
Specifies the name/value pair used in the policy.
Supported operation is Get.
@@ -102,31 +102,31 @@ The following diagram shows the Policy configuration service provider in tree fo
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
+
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*
+**Policy/ConfigOperations/ADMXInstall/_AppName_**
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy/*UniqueID*
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
Supported operations are Add and Get. Does not support Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference/*UniqueID*
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
Supported operations are Add and Get. Does not support Delete.
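Review bot: the context lines in this hunk show the paragraph "ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted..." twice, once with the bold `**ConfigOperations/ADMXInstall**` and once without, each followed by a stray line containing only "." that belongs at the end of the `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}` URI; since the hunk only moves the blank line between them, drop the duplicate and rejoin the period in the same change. The `_AreaName_`-inside-`**...**` form is fine and fixes the ambiguous `***` markup.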
@@ -8611,4 +8611,4 @@ The following diagram shows the Policy configuration service provider in tree fo
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
From 271e17df1c7a26bf09c1349284027c7eae18c1a2 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 16 Apr 2021 16:47:18 -0700
Subject: [PATCH 05/20] Refactor to WDAC Deployment Guide
---
...nd-windows-defender-application-control.md | 32 +++---
.../TOC.md | 17 ++-
...s-defender-application-control-policies.md | 99 +++++++-----------
...s-defender-application-control-policies.md | 10 +-
...ion-control-policies-using-group-policy.md | 37 +++----
...plication-control-policies-using-intune.md | 72 ++++++-------
.../deploy-wdac-policies-using-memcm.md | 40 +++++++
.../deploy-wdac-policies-using-script.md | 54 ++++++++++
.../images/PolicyFlow.png | Bin 0 -> 71184 bytes
.../operations/known-issues.md | 40 +++++++
...defender-application-control-management.md | 3 +-
...er-application-control-deployment-guide.md | 80 +++-----------
12 files changed, 264 insertions(+), 220 deletions(-)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-memcm.md
create mode 100644 windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-script.md
create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/PolicyFlow.png
create mode 100644 windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 8de7febefc..69306ff1c1 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -16,35 +16,33 @@ ms.technology: mde
# Windows Defender Application Control and virtualization-based protection of code integrity
**Applies to**
-- Windows 10
-- Windows Server 2016
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI).
+- Windows 10
+- Windows Server 2016
-Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called Windows Defender Application Control (WDAC), while simultaneously hardening the OS against kernel memory attacks by using hypervisor-protected code integrity (HVCI).
-Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
+WDAC policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
-1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
-2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
-3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
-4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
+Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
-## Windows Defender Application Control
+1. WDAC policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
+2. WDAC allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
+3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
+4. The entire WDAC enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by WDAC or any other application control solution.
-When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
+## Why we no longer use the Device Guard brand
-Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use WDAC either.
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md).
+WDAC carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
+
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting WDAC as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md).
We hope this change will help us better communicate options for adopting application control within an organization.
## Related articles
[Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
-
[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
-
[Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
-
-[Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10))
\ No newline at end of file
+[Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10))
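Review bot: "WDAC carries no specific hardware or software requirements other than running Windows 10" contradicts the Applies-to list kept at the top of the same hunk (Windows 10 and Windows Server 2016), and the audit-policy page in this same series changes its list to "Windows Server 2016 and above"; align the wording across the rebrand. In the Related articles block this hunk reflows, the link text "Driver compatibility with Windows Defender in Windows 10" points at a URL whose slug is `driver-compatibility-with-device-guard-in-windows-10`, so the title was rebranded but the target was not; keep the published title or update the URL. Item 4 of the advantage list should also be read together with the new "Why we no longer use the Device Guard brand" section: the HVCI protection of the enforcement mechanism only applies on systems that can run HVCI, which the section says many older systems cannot.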
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 0902a4ad3b..893271684d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -1,7 +1,7 @@
# [Application Control for Windows](windows-defender-application-control.md)
## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md)
### [WDAC and AppLocker Feature Availability](feature-availability.md)
-### [Virtualization-based code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+### [Virtualization-based protection of code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
## [WDAC design guide](windows-defender-application-control-design-guide.md)
@@ -14,8 +14,8 @@
##### [Allow reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
##### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
##### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
-#### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
-#### [Use WDAC to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
+##### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
+##### [Use WDAC to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
#### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
### Create your WDAC policy
#### [Example WDAC base policies](example-wdac-base-policies.md)
@@ -31,13 +31,14 @@
##### [Editing a WDAC policy with the Wizard](wdac-wizard-editing-policy.md)
##### [Merging multiple WDAC policies with the Wizard](wdac-wizard-merging-policies.md)
-
## [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
+### [Deploy WDAC policies using MDM](deploy-windows-defender-application-control-policies-using-intune.md)
+### [Deploy WDAC policies using MEMCM](deployment/deploy-wdac-policies-using-memcm.md)
+### [Deploy WDAC policies using script](deployment/deploy-wdac-policies-using-script.md)
+### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
-### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
-### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the WDAC Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
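Review bot: "Deploy WDAC policies using MDM" now labels the intune file (deploy-windows-defender-application-control-policies-using-intune.md), so either rename the file in a follow-up or title the entry "using Intune/MDM" so the link target matches what the reader clicks. The "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business" entry is left as is although an earlier patch in this series replaced the DGSS Store for Business link with the NuGet client; check whether that page and this entry need the same update. Moving the four deploy pages above Audit, Merge and Enforce also reads as a sequence, so if readers are meant to audit before they enforce, make the ordering intent explicit in the deployment guide.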
@@ -46,11 +47,11 @@
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md)
-
## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
### [Understanding Application Control event IDs](event-id-explanations.md)
### [Understanding Application Control event tags](event-tag-explanations.md)
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
+### [Known Issues](operations/known-issues.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)
@@ -137,5 +138,3 @@
#### [Tools to Use with AppLocker](applocker\tools-to-use-with-applocker.md)
##### [Using Event Viewer with AppLocker](applocker\using-event-viewer-with-applocker.md)
#### [AppLocker Settings](applocker\applocker-settings.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index de3ee7f874..d9e721fb28 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
---
-title: Audit Windows Defender Application Control policies (Windows 10)
+title: Use audit events to create WDAC policy rules (Windows 10)
description: Audits allow admins to discover apps that were missed during an initial policy scan and to identify new apps that were installed since the policy was created.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -11,94 +11,65 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
ms.technology: mde
---
-# Audit Windows Defender Application Control policies
+# Use audit events to create WDAC policy rules
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016 and above
-Running **Application Control** in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
+Running Application Control in audit mode allows administrators to discover applications, binaries, and scripts that were missed during the initial policy creation and to identify any new applications that have been installed and run since the original policy was created.
-Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md).
+While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log or, for script and MSI, in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to easily generate a new WDAC policy which can be merged with the original Base policy or, on Windows 10 1903+, included in a separate Supplemental policy when the Base policy allows supplemental policies.
-**To audit a Windows Defender Application Control policy with local policy:**
+## Overview of the process to create WDAC policy to allow apps using audit events
-1. Before you begin, find the *.bin policy file , for example, the DeviceGuardPolicy.bin. Copy the file to C:\\Windows\\System32\\CodeIntegrity.
+> [!Note]
+> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
-2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
+To familiarize yourself with the process to generate WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy in effect.
- > [!Note]
- >
- > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or malware to run.
- >
- > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
-
-3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
+1. Install and run an application that should not currently be allowed by the WDAC policy but which you want to allow.
- > [!Note]
- >
- > - You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy them to every system.
- >
- > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository.
-
- 
-
- Figure 1. Deploy your Windows Defender Application Control policy
-
-4. Restart the reference system for the WDAC policy to take effect.
-
-5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed WDAC policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2.
+2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
+ **Figure 1. Exceptions to the deployed WDAC policy**

- Figure 2. Exceptions to the deployed WDAC policy
+3. In an elevated Windows Powershell session, run the following commands to initialize variables used by this procedure. This builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
- You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
-
-6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
+ ```powershell
+ $PolicyName= "Lamna_FullyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
+ $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
+ ```
-Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
+4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **FilePublisher** with a fallback level of **Hash** and redirects warning messages to a text file **EventsPolicyWarnings.txt**.
-## Create a Windows Defender Application Control policy that captures audit information from the event log
-
-Use the following procedure after you have been running a computer with a WDAC policy in audit mode for a period of time. When you are ready to capture the needed policy information from the event log (so that you can later merge that information into the original WDAC policy), complete the following steps.
-
-
-
-1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
-
- Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md) in "Deploy Windows Defender Application Control: policy rules and file rules."
-
- Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure.
-
-2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**:
-
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
- `$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
-
-3. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
-
- `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
+ ```powershell
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ ```
> [!NOTE]
- > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels refer to [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
-4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
+5. Find and review the WDAC policy file **EventsPolicy.xml** which should be found on your desktop. Ensure that the file and signer rules that were created authorize only the applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
- - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file.
-
- - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run.
+6. Find and review the text file **EventsPolicyWarnings.txt** which should be found on your desktop. This will include a warning for any files that WDAC could not create a rule for at either the specified rule level or fallback rule level.
-You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
+ > [!NOTE]
+ > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
-> [!Note]
-> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](./create-initial-default-policy.md). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
\ No newline at end of file
+7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
+
+ For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
+
+8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
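Review bot: the rewrite drops the old caution that the device used to collect audit events "must be clean of viruses or malware. Otherwise ... you might unintentionally merge in a policy that allows viruses or malware to run", and nothing in the new procedure replaces it; since step 4 turns every logged binary into an allow rule at FilePublisher or Hash level, a compromised audit device means the attacker's binaries get allow-listed, so keep a one-line caution before step 1 (for example: "The device used to collect audit events must be free of malware, or you may generate rules that allow it to run"). Smaller points in the same hunk: the `New-CIPolicy` command in step 4 still carries the en dash in `–UserPEs` inherited from the old example (PowerShell's tokenizer tolerates it when typed, but it is a trap for anyone pasting the line into a script or editor that does not), so use an ASCII hyphen like the other parameters; "Windows Powershell" in step 3 should be "Windows PowerShell"; `ms.date: 05/03/2018` is unchanged despite the topic being substantially rewritten; and step 7 says "or convert it to a supplemental policy" without saying how, so a pointer to `Set-CIPolicyIdInfo -BasePolicyToSupplementPath` (or to the Wizard topic already linked in step 5) would make the step actionable.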
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 21370c463c..80ef49b096 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: jsuther1974
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 11/13/2020
@@ -22,10 +22,10 @@ ms.technology: mde
**Applies to:**
-- Windows 10 version 1903
-- Windows Server 2022
+- Windows 10 version 1903 and above
+- Windows Server 2022 and above
-The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
+Prior to Windows 10 1903, WDAC only supported a single active on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
1. Enforce and Audit Side-by-Side
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy
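Review bot: the rewritten opening sentence reads "WDAC only supported a single active on a system at any given time", missing the noun; it should be "a single active policy on a system". Also "Prior to Windows 10 1903" should use the same form as the Applies-to list and the following sentence in this hunk ("Windows 10 version 1903").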
@@ -104,4 +104,4 @@ To deploy policies locally using the new multiple policy format, follow these st
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
> [!NOTE]
-> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
\ No newline at end of file
+> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 4246d0b428..8e8fa29002 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
@@ -22,39 +22,36 @@ ms.technology: mde
**Applies to:**
-- Windows 10
-- Windows Server 2016
-
-WDAC policies can easily be deployed and managed with Group Policy. Windows Defender allows you to simplify deployment Windows Defender hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
+- Windows 10
+- Windows Server 2016 and above
> [!NOTE]
-> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.
+> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, we recommend using an alternative method for policy deployment.
-> [!NOTE]
-> Signed WDAC policies can cause boot failures when deployed. We recommend that signed WDAC policies be thoroughly tested on each hardware platform before enterprise deployment.
+Single-policy format WDAC policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
To deploy and manage a WDAC policy with Group Policy:
-1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
+1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
-2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
+2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
- > [!NOTE]
- > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
+ > [!NOTE]
+ > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
- 
+ 
-3. Name the new GPO. You can choose any name.
+3. Name the new GPO. You can choose any name.
-4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.

-6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path.
+6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
- In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin.
+ In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin.
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
@@ -62,6 +59,6 @@ To deploy and manage a WDAC policy with Group Policy:

> [!NOTE]
- > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+ > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
-7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md).
+7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy.
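Review bot: the note "Signed WDAC policies can cause boot failures when deployed. We recommend that signed WDAC policies be thoroughly tested on each hardware platform before enterprise deployment" is removed from this topic without any replacement, and nothing in the remaining steps warns about it; the GPO setting in step 6 accepts a signed .p7b just as readily as an unsigned .bin, so a reader following this procedure with a signed policy loses the one caution that could save them from a fleet of unbootable machines. Either keep the note or replace it with a pointer to the signed-policy guidance. Separately, the `-`/`+` pairs for steps 1 through 5 and the OU note are textually identical, which reads as trailing-whitespace churn that makes the hunk harder to review; consider dropping those changes or calling out the whitespace fix in the commit message.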
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 7dcfa211b1..bca3a95134 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -1,6 +1,6 @@
---
-title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10)
-description: You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
+title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows 10)
+description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
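Review bot: `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb` in this front matter is the same GUID carried by the audit-events topic earlier in this patch; asset IDs are meant to be unique per page, so while this topic is being retitled is the right time to give one of the two a fresh GUID. The new title also broadens the scope to "Mobile Device Management (MDM)" while the filename (`...using-intune.md`) stays Intune-specific; that is fine for inbound links, but confirm the TOC entry and any cross-references are updated to the new title so the nav and the H1 agree.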
@@ -18,54 +18,49 @@ ms.date: 04/29/2020
ms.technology: mde
---
-# Deploy Windows Defender Application Control policies by using Microsoft Intune
+# Deploy WDAC policies using Mobile Device Management (MDM)
**Applies to:**
- Windows 10
-You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI.
+You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
-## Using Intune's Built-In Policies
+## Use Intune's built-in policies
-Intune's built-in WDAC support enables you to deploy a policy which only allows Windows components and Microsoft Store apps to run. This policy is the non-Multiple Policy Format version of the DefaultWindows policy; the Multiple Policy Format version can be found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies.
+Intune's built-in WDAC support allows you to configure Windows 10 client computers to only run:
-Setting "Trust apps with good reputation" to enabled is equivalent to adding [Option 14 (Enabled: Intelligent Security Graph Authorization)](./select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) to the DefaultWindows policy.
-
-1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
-
-2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
-
- 
-
-3. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
-
- - **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run.
- - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.
-
- 
-
-## Using a Custom OMA-URI Profile
+- Windows components
+- 3rd party hardware and software kernel drivers
+- Microsoft Store-signed apps
+- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
> [!NOTE]
-> Policies deployed through Intune Custom OMA-URI are subject to a 350,000 byte limit. Customers whose devices are running 1903+ builds of Windows are encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which are more streamlined and less than 350K bytes in size.
+> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ as described later in this topic.
-### For 1903+ systems
+> [!NOTE]
+> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP will always request a reboot when applying WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies rebootlessly.
-Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
+To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
-#### Deploying policies
-The steps to use Intune's Custom OMA-URI functionality are:
+## Deploy WDAC policies with custom OMA-URI
+
+> [!NOTE]
+> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create WDAC policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
+
+### Deploy custom WDAC policies on Windows 10 1903+
+
+Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
+
+The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as ``
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
-3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+3. Open the Microsoft Intune portal and [create a profile with custom settings](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10).
-4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
-
-5. Add a row, then give your policy a name and use the following settings:
+4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
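Review bot: the two new links (`https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=...&bc=...` and `https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10`) are absolute URLs, while the rest of this hunk and the repo use site-relative links such as `/windows/client-management/mdm/applicationcontrol-csp`; use `/mem/intune/protect/endpoint-protection-windows-10` and `/mem/intune/configuration/custom-settings-windows-10` and drop the `?toc=`/`&bc=` query string so locale and preview routing keep working. In the new bullet list, "3rd party hardware and software kernel drivers" should read "third-party", and the bullet should state whether the built-in policy allows any third-party kernel driver or only appropriately signed ones, since the unqualified wording reads as broader than the DefaultWindows-based policy the note below it describes. While touching this section, the unchanged step 1 ("which can be found in the policy xml as ``") has an empty code span where the element name belongs; fill it in.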
@@ -73,29 +68,28 @@ The steps to use Intune's Custom OMA-URI functionality are:
> [!div class="mx-imgBorder"]
> 
-#### Removing policies
+### Remove WDAC policies on Windows 10 1903+
-Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable WDAC enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot.
### For pre-1903 systems
#### Deploying policies
+
The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
-2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+2. Open the Microsoft Intune portal and [create a profile with custom settings](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10).
-3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
-
-4. Add a row, then give your policy a name and use the following settings:
+3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- **Data type**: Base64
- **Certificate file**: upload your binary format policy file
-
+
> [!NOTE]
> Deploying policies via the AppLocker CSP will force a reboot during OOBE.
#### Removing policies
-Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
\ No newline at end of file
+Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.
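Review bot: the OMA-URI on the unchanged context line `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)` ends with a stray closing parenthesis that readers will paste into the Intune profile verbatim; since this section is being reworked anyway, drop the `)`. The heading levels also end up inconsistent: the 1903+ removal section is promoted to `### Remove WDAC policies on Windows 10 1903+` while its pre-1903 counterpart stays at `#### Removing policies` under `### For pre-1903 systems`; use one structure for both.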
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-memcm.md
new file mode 100644
index 0000000000..7f56bfe99a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-memcm.md
@@ -0,0 +1,40 @@
+---
+title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows 10)
+description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
+keywords: security, malware
+ms.prod: m365-security
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.author: jsuther
+manager: dansimp
+ms.date: 04/14/2021
+ms.technology: mde
+---
+
+# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM)
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines.
+
+## Use MEMCM's built-in policies
+
+MEMCM includes native support for WDAC, which allows you to configure Windows 10 client computers with a policy that will only allow:
+
+- Windows components
+- Microsoft Store apps
+- Apps installed by MEMCM (MEMCM self-configured as a managed installer)
+- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
+- [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints.
+
+For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager)
+
+## Deploy custom WDAC policies using Packages/Programs or Task Sequences
+
+
+Using MEMCM's built-in policies can be a helpful starting point, but customers may find the available circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-using-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
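Review bot: the sentence linking to [Windows Defender Application Control management with Configuration Manager] has no terminating period, and the `## Deploy custom WDAC policies using Packages/Programs or Task Sequences` heading is followed by two blank lines where the rest of the file uses one. Also, `ms.author: jsuther` differs from the `ms.author: dansimp` used in the front matter of the sibling deploy-wdac-policies-using-script.md added in this same change; confirm which is intended.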
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-script.md
new file mode 100644
index 0000000000..023a0e7b4a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-script.md
@@ -0,0 +1,54 @@
+---
+title: Deploy Windows Defender Application Control (WDAC) policies using script (Windows 10)
+description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.author: dansimp
+manager: dansimp
+ms.date: 04/12/2021
+ms.technology: mde
+---
+
+# Deploy WDAC policies using script
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use Powershell but can work with any scripting host.
+
+> [!NOTE]
+> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
+
+## Script-based deployment process for WDAC policy
+
+1. Initialize the variables to be used by the script.
+
+ ```powershell
+ # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML)
+ # Single policy format binaries should be named as SiPolicy.p7b.
+ $PolicyBinary = ""
+ $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
+ $RefreshPolicyTool = ""
+ ```
+
+2. Copy WDAC policy binary to the destination folder.
+
+ ```powershell
+ cp $PolicyBinary $DestinationFolder
+ ```
+
+3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.
+4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.
+
+ ```powershell
+ & $RefreshPolicyTool
+ ```
+
+5. If successful, you should see the message **Rebootless ConfigCI Policy Refreshing Succeeded!**
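Review bot: the script writes into `$env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"` and then runs the refresh tool, but nothing states that the steps must run from an elevated session, and the `cp` in step 2 is not checked for success before step 4 invokes `& $RefreshPolicyTool`; add a sentence that the procedure requires administrative rights and suggest `Copy-Item -ErrorAction Stop` (or a check on `$?`) so a failed copy does not lead to refreshing with the previous policy still in place. The step 1 comment also says single-policy binaries are named `SiPolicy.p7b`, yet `$DestinationFolder` is fixed to the `CIPolicies\Active` folder described for the multiple-policy `{GUID}.cip` files; if single-policy format binaries belong in a different location, set the destination per format or limit the comment to the multiple-policy case. Minor: `Powershell` in the intro should be `PowerShell`.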
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/PolicyFlow.png b/windows/security/threat-protection/windows-defender-application-control/images/PolicyFlow.png
new file mode 100644
index 0000000000000000000000000000000000000000..13874b6392a89d2161102ef34bf7c22730dfbfb4
GIT binary patch
literal 71184
zTTEF?(67Pxp*uZs6)o&^rWjrVxVJc&{>?k0+b(pzWH*i7V!
zmu8O-C~med0u?1>yb}4*%br2pv}F;D`_UbdbOLBp85f`VduV3Ua1W9Brs~@N$@?=z
z$}*!IV`$ABD_^Lf1L{M`MiS`{klWZArxd
zM$4CYX?>H!i)~L%yscgYs`?=4K-Ikbs{+SD)ny|;TzhMCnoLVYh6!S0k$WZ7r}sZm
z$BmB0L$He$nG3Q`19jK6^f8x;sV1;@f$ud!r#6m;Z76u#tzi2oy3E8RlHbmG_6x{`
z`xXP|E<4es>?a&~k~euNF+5MENF0s^vAL6p7@{2RtO=&Dq@>lRxU^}3vKSNSb4&vUUA0z8q;FJDyr*?%Y
zTXL9Q*3v7(p%70Yr9Vmru!K%;X+6K-Z~`@PAcQi>jMUQkqC@Z&3aTxOk6d1;@Ba-o
zJ+w5pFtl4y1w)rBc;ig%&3WK<+?XDyZ|6Y88tW!Vbcg(YyQ}bWUg2x)4c>4aI9sXT
zes;^<=c>Iu^gnA&)Vl%|34_(cUUds4UXqt$NWR-rMP*wDpFUWFxs~EJm7T|>h)h((
z@5-W49gRADLJY5r`V5ijC^y9wM}*xe>x29zHK{)0&c?jAsm2tkbr6};Y&o5G>Mh8BggZbHnlkSWEl
z<9=b@2-v_cyDNNQuwj(EF4F-yH0x$%k-phw8wc7RXIM&psegYH--KL4^xW4^ZlGG+
z)dpVvl*|xJQ(bZ6w)vE^U0_hDm3}?(VCRlI5n6EF^bS^)cpn-*fv$Ujm+<>ciRZ33
z%Th?5g?kj0Cf;ZC3ZI>=JaiFN9al&!p4|;tHAEamNa=Gt5LIS-Zfv_VQ
z?cayzK5b_1Y*vEWO7qu&=8k9j{S~9b&
zwQs_inB?B}MJZt4Kr6ZfCj-pdKH)B}&7@mouQWC63k(&~e@?L*Hm4SE0B0Rcy*v!6
zAh0Bk5m-oCg~O$C2ZE>y+`h={nst)OaK+8HnbLF%Pz^O#Os*ds$heVnHNHNxTVH`U
zk1Vd$ZzgwivpfwQf!9
zyG`u)?6faVQk9|BJP)vwct|ns-qcq8f%yw?s;o;Zu#p21A0h9;`5@N|@5rYXr~{0B
zZjq}YF3umRj^ChZ;vG2YtNE09Ctb_llP^L%#9~H<-kx7lZ9aSfUg(xKy(|f`sy4^P
zsZ1S_SLMql8B-$$b@YneQyh1Yyx6Iu2QONAHd*4_>SSjCG|BjsjeK*O{{H5zeO!8h!BdDwW^yLeZ
zg3bi&EAO{9@NH#_==|a$!!4pG0w2S%zd}u+bbZRO6UwB3sS{
z_<1`=0amXR-by*;6z9s&L{W?+bcnX1$+lc*Z|HKCc~%(j55keG^C~Yy
zZi+-isULY1IOR9^X8qniNJxn!S3vDnghV5<9^LodY}uZ#_>uoUa82=mo|h>jWdcJ-
zsrWR>fIpFr%naLh2+L-2+#Wa-pT*t-YJXlgwSDo`ZOKGG@Y#)~pB@v%KLqYeRy%5c
zH2(}^OaRR#+nk<5Y_ge-Oa3q;E&`TV
zFm~3sg=Li?@S@nZ(cAwP_}?JLT5o7+HspgGxVmD}u3r?vdepE@HmGLnG(_xA+N8(k
zse>Wz+I#k$ZBn4!vT@2@xBLy-mlaK$JJoEi7(!I)kN;u~6gGw|1DT;vr8Tlh^#7<=
z*3wjNU&^0~62qRBGTVnI`!3t+-_fE$RY%N^T#|w3p9*azXnlE5k3!0$Jo&|={Q0Gp
zN1!Or7kO26ca$9vD?ysE@Yuzr3AO0%uo6H~KEo>%B9sdkdW1s7&
z4I>zrd&f)L9k{sTeqKGM7r{p$jz?Fcy9Os{1zj>t-t3vf70vgQGn*n++n`$Rkmw@H
zZInkBVE#DH(%-=u&gL~)8MwVubD|*+Yk)fkO{=?lD{_IcHtByPXk9Hl0HfhlCPWum
z@=H@*G58B?7oNzcQeUoAMY^NB=j`Zc@G^K|$hvi&Ds>GosV;dM5zzSiYy2$iDW%O#
zkHwVYN;*zy<|~43Vge>6ca_P?nkr1kviPFdJw{(W3{IYA4GL$x-agic%xlpyOuUHL
z?j44iX}O;=J@0A3j(hyw!EjhRLpbFQg4e&}8;Ca`n#lCs
ztzf&Vy5f-c?a?gi`_*)yi?Cy&7v0_xG1vmPy53+K&L!Kt)gq>J7t>5b0=MWp}qV8p+F>98ijx|j(v`sROzE2QCKlt=|
ze2q+L%kAOD6%nABYQbYv1)e5q>3O-AE~<-f1uWSeJJg*jn%qq~5Qaj(ZuGAS=RY%neA*c4@Ckbz!F|
zViuRe_XyarUv#)rl&Bt9Oj>MEy3bFl;iw_4t&CQ$folS8O*(fFkvP+O2WcDgQ+OrO
zpPOcO2SQ_pC!K`*;`py)+t8Off#G(XPtP$`ZZg)_3uj?<{OW}=Xzl>V0-eJdh1o(D
z^l^;zfj{A{cOpa`&pY63Dk5KYKO=|4uG!&=tMtOwy0__LThkX#<6^6B3R)y^`uhmE?*=FjS@)f3-15D?pXxZKUu_lj9SGc
zevcjFhg4JjCgUi}yV4F`5@%8OrEg#r-a%;?W|k`o5Y;OHA<*sxA+w`*fK6w=hyp}3
zmmXxhITA~{;0pO8y+$BbZE3+qjy$E?;eIRsQF7`H8|}k@Q%>E)4=wZqyTsZ_K-!yj
zbNS{b89!eX!zrlx;gD!xBqm`adNrKSk@=JMt(65lI8lg5#g(iSU5K1+K2Sr8oSus_
ztx8xs(S7BugDBLQw$j2{&ZE_|^4@`f_n6Q2eC5DL8LQlIfVr^f=V
zd!Jj}enqIBF^&weNYazL@oK!)XwAH;lC${g%F++ToCWhWqM?mnZmaO;_-LG|eSF5;
zNw8tc+NP=;$b?AqT!CVU115{H&m{WDf_J6jYB-$e46}!x|FiQoQMX;MnN{T}p1pql
zWYvrQ!@i5(AJi}vOb`~kdWRNUQ`aiv-h^v3?5&?0x0wrHairGEFu^(5MkHfxpI=s;
zf5IL%M2deV<1n?>OK1s~Q|GRKvQ
z1x;MLIjWH$5EhAM)+>0gjqxN|eJp4
z%d1-Z-;caBc&_wo@i5mT&R&xRrO)wFoVJ56^t+O0N_6`cmRmdXtUD&!=4TT3UKdt7
zPr55K=YUmD97S#-$4;^@le+Iw!2vt5%R9oyz4rDR2a!+JKSvO$lVxf>0qOZS6R6kwFSQ5r*ud
z1&Og_FWHjpOJr;z*=H<;NsQ$^_w;zazxRFrt#RM?XFH#Bu5+F1;4+W<&cAX|H>?)1
zHRar|Q~$H|XCtPlgDa7%^UPseeZ3D(0VnBM$=Iy+h^(Zka=Wx8b7K6|+e{}?`P0wA
z$NN|0)zrF4rj-jm7sJEdF$DwuRqrqx-dqz)Z5ssM>dgi7J9?KiR;^oU{mykr8R{ElZIhexWX>myz^D+
ze*8g*{aU^ikI?a60AECKM6$j~YUUAc?Nc68=e~yZ^vhhSEKr(1H+4Fvx5bm!alqY)
z(J;wXDtE{vx#0xGq}spR*))58tK8NkAR;EhCdNo36Gi`d+OGiF(mpQ;)H^SB1#WXY^si!qZfeAZ~WuTt1fzCaET;e>#Y#y`s8d&RzFeD$mPksqtN!dnDgXN5Iht`Z@e9sY%GDxr
zO;K0wh*6GzRk!6>X1_335%+5}6x3=ui=G!!svy%7y4AEg%OE#@UcCBy^MOx*vr{kO
z<+egI#~vf5t6X8GY7&w{Y(i~Pl$VNH*2d&SA)S$R@t!nwg{Z8By7a_dUv8TVC^Td{
z9n*O;H>O|No=$3e1goj@7wL0lusQ(^_kKVyZCj_$
zj`UeYZm08_+DV%X5Ifw-c%JxiQWAN47`%M|BO%#R_UF~6&Zc`=&O(QLfL!ki#`Hyn
zrLy>-NzZ~~9M)vH{F1_%o4y}PBek#?9CxyPmXi0TLRe{<+s5YWHug8!ygBwe`7#Pi
zj8#}i${i1!_?b^Q*WwPS_2~H)5d_`_`qSd{C0x}#Sb}AB#snvx=pYBiWK1^uOG);U
zL2J7&Dl6p;Z$`G{N6zPkig*9ctJD^-k#=#3q6A}
z!KX32@gI)#kjA}R3Z~tiD68`VyPItd-3DRCbM~0oB+)(UA;+}1L(EhQY@smcFOZge
zhA_Q(P9h}H_sEuOEkz2Sll^7IQs-0}GP
zdX*S8i@}Br|E<+`CLyYkEdoj-MliQtDYnlM{i9k4Z||&sbA+-E9}hF%Q9{UYoSe@HOJn>yUL
zYl}ikTK*&|0S5wN(_Jd>4}xptqp8;tqv4MOgrQSMNPF^dG3k`PahM@&mSt=H%Gn~!
zu%1}DVwidLTEawvBMlk8JZo6yRbEwOi=tQ$rM<7%+OEIjY`oDzHB+sIVO<}UBx3Wf
zFrpC_CzM8m?5IG~1Ymnfn<)@So~?kp|D}mvVHIX;I<UQyvLMlx&@j^G-qiY(h>;==D2ic*wq7>a_jKGLl-M1o=vQLqoqHDR2SvQG
za|6;N1CCBe`e)CjMN00PRH{30<83Tr$l&GrXd1R0Xa--MdK_T@}i#KDD>eQr|xykbJlAPhv
znZ9DIx%UA!?Lz7vF*bYV*t+D4QITMUl2@)2g?rw&pnCQ%`$MAotFY7oC)go!{-siY
zs@)vjVun-|M>cjf`V(@4uXc$EV~V=QlqxrSb1h|4*>8j!RHxCMh?x~Y!M-&={my@D
zsrXY;Z~0WJMEZMd+*En;m_Cbbl4T1VQUyU1!iKo7IaqTtC2eY>NT^n01~PJWaq3jS
zyv9X<{)xbz-+DT^bw$n8Q+T?B@a=@uwyzp0Pe5sTy6
zx1@35&hTIvPxz$`pNvP9E@X+9o1El+{_e*k>Tfx)c`j@C&S#Oi_rw<(p9SdnUX-wRgLCb0cV6q>)>_9~WxFD9`dPj5XWD6u@uk_!PK(N+^y?lQr}dAf*^gWnTGUNimDD0-
zf2*=gNc-x5pDAffV3+CPg=-x-TU*+#9$OP{xmSFzBqd7e40eBOiiDRY8T
z2x4dl1&&TPgow2B$SRhwyd=DD1}sJ8EifEknx^3RQKK6f)v8Z%AFnfpC+Ah|zNc2T
zKjpZ8<)ak0Z?F5z#XmdRQACLKM6?@6&!7%0gyU_yw3GA)gaW4yZ@n8a4=_K9v%Ok9
z;-18~H1;*$jK@ce+`oJEPB%&7O%yMNC%&;mi(J)0aZA#~VS2D!E54Jza#rH?Mn=B%
zme;&$n;I;3^ZBsW`gFZwQ!%H?yW2mm_n6dLSv+2FZ0U`JjAj@d+jx@W?Pw|%=4c&xJx$t
zPSTr>{jNCl!47n-y_(LmLSBs*Y@icAk&ULAffXiS?xf2E5
z*~=kcJ^k>h)c|}V9@*P-k=;4f&O}U<1DBAj?%Ho`j1fKG+vLvILUvgT6cNhRG@EF>
zG`)Q~4fgta)rt-bs+Ym8c`b$T#W>i15^1pM>d+hPxMLoMUu*Ofw4#X7@nw8{A?d8_
zoV$5BD($Kg$;K$ap#|4}F_EUfegv})xUeOZe}0+%v^*B6M5QR0#EX@*C-JKeqG_Yq
z5~mo>Wb5C^8}5~_y<8%zn44f3+ko#_zH#W?6~YJ3-iYkAKdW18-yHSCQ_jxagYH;K
zhIe)KDur$&))z)-#c(G(DQUg)BVao=jOrc|6UZeumR21^pSq7~{T5%jW~3lvv75V?
zKunX|)3m37*x`H*0drGMF9X}`2m5V^jVv2)mn`zfzQG`Kq|W#dLa;eQ5+0pl{p`9M
z<1!b6L?I^i`Y--4_9X+9)oosn3VGL5t{U+*AGW@|z;6e*|KVoTTWBUY;EB>glyj
z%&(V>XyNanhy_Hj8_heviwyg~j!_($)m=TWb1$zy(!Mez=PD*QmV9z;8j#<*Knl|M
zI?mq*hzSyZv>J^RMhw;c(=xmQBIq{|`vjKy?0GcLIS(rSS92<3%AfI}5Zg`hkFFU}
zmZDcCM+*Ld`|)hbvH0LJ%2Ap-gdUBpLA08WoDqS~2UArrmFnu{VH}=;J{*QHL-mxJ4d7W7wK~1{NE#O+%
z+=&ruoULlT+vHMBq~to?RwV{GO(dX?0j%cYCpOUs??G}abzX1r2a7D|_?FeYY|??!
zO5HLyv`V~;t8h#$5RT^n(YpEzptjt0G`}9o!VVw$rI>t1#z#QgpLe2sYDMp3MCOKg
zsKi4U$Kf73xiBB(Hb0VEbOT@{vB6IOb+br@y@q472yXu!I0mN9cv7^LD(Fo)ZAk
z$PMd;g?rKSIcddBMUiz8`e?UE{CY&Q?=gm7Z8y^Yv3@w*xNB)~yzGs^LHMZmBK2>U
z+jU>K#h7JxvIOl1azS=6;d0Jvqo&qJbUV5SF1JY`7~Hpe_W%n&(Kl;eY&7Js{+E%?zXojTffS}GQ>IZ1S@E8>hGN{G@@%^I0!etRLTo|X686)
zq~b@uYyQLs4b)<{t`c+gY)ax$r;fhmaveTQGr}FVk!yIUOklKu4&c6g|J?HN&_2Ew
zz@K?Q9rYiYUK8dFRJ<|fm!$k1q#hn1i4r(ZMSSumzZ1@KHdRgdWCB$ADdi~NXs0|=
zl_R(O-CN~ZYk(^fF%5vGYOL(cH9+h>Ot3r25KN1Ec3Q-es->p_U$=$(|-uZ=!F!|aC1
z5{uuuCWVX4Sc|LuH%x^^WP-qmyvgjz^nqj4dh&vX@5t+2Rn>1$#(d7V#x~Of@O+ElfZ9aGaGmy#EPxc#^5v3%QMhiX?wNKB
z`p>G2M~TF)nwtp0x35YWcx=Q{yBiDV`5KT)NA19|FVJ$D@qkRnXjv?kgGFzh$f|tuQR-An
zf*bzHt!_)|aO9P3K_0RK!#l6(0QwNY`Ugl*lP(*%O~M
z5^&bGiG_+y0EnJJsyl>>09jgwqh{G89=~Y!j6Mh1Xq6e&B?Ta&$sg+(a9$Lg#ZO
zqNG?vYvWCkCO~`^-{g>tfhC}iOVf7GtdQzCkx*b#grSW|_#sF^58axy`uGG18+OY(
z0BddSl7z~Fq3*n91Ds`()SJ$^4^N=N!wG#Jn`
z;&RQhF|yCz{Y|9RDgI7;$5JzLLitKm%D(F{u|=95mT6~_fl9?!FZvuPPs>-jNQ)0Q
zz&275`j)5t#}O4;I9Z(|mZ*d1Fd=72drT%>lSOo?6?(@BrrfD@OJ=o2dpqh9dm=0Z
z2Fmsl5B!AT+5DOXB9N(b?V$}oV!4?KCjk&mJ>@J(9!>cJ`Q2LNycTJ;a=y?--e2|B
za3|lYHJAbA3a~?vTEq7(RBtJ+I|LB&1W8AGaC7h0JCwFWTrUhFY22_kk@yKM>TnUh
zoFbjwej%95f!FYdpAi^NW)Ig{e*n~f5Q<;4)7!y`oz$!FczS860r>~24oFOK{PGMUSYA^|hJa^8^J0uz;;{>*sbW=5s)
zfD28F0d#9SB`jK!Jy$6CY8>LNCqWxx9JCokyQw(PvEacLiy#J9__tyQxGz69+9`PR5g57KcVIPx)23v3B
zs`hS-@ox3)mlz+hxSDqEI-zl1_VooN_`VFllq3B|LA9=m`hn;FcuQkDd#w2}CD{~A
zF0MX-e%A&Zt9S%pUJFj+N8)sHHv2&;H8gmB8ia_Y)w3zjYW-NJGYS0Pf;Vpoq{oYa
z=);;lQY1^=5TxIbBB*_FF?1*BO>~EZT$#Bk!P>LYZtb1O6Rmt!3X@XwTq%WNCS%!0
zB%puluqG^pOT_;_Q^$@AE-n(hOL)?#GB}~}WfOr-^Q6&v@ub%i`VJhe!evc!QVx|H
zlD{jSQn>C^c#JetwkG1OLOMJN^o>O|zUK6v^Wdq&?WNYwsS=Rxow3IYL&!b|dyJ
zgnq?c|53hGz!9OvYi?=5Rj<*X{o`4E4c)Fa`=7X#WogXY&3-IjsSK_D+bIQ|dhhqW
zL>kQvpH|8tw^zk2mk06qCr_oL12-W@qP2R}V)J81SrlRsw5j2k^A(|_*X0(X-nxf{
z8Y5#QUil8S)+88x3?pJrDzq1_$R!2gX1DN>QclMfTQ_gKZ!7-77S5lNF!j#Sp`~#A
zuHk}QEz=lWj$QXZonu(jg1`>ZTw7+^0ubtNP=h0w7CAF=u)3skT9tZSHo<-LC7&3uuIvV?yyfu3+oeOGC!$(iPdXsT&EOi$+qp~rb!HKZ1zJH2(6eDSbwzoj&zU9
zUgNz-n0k+4Z4^j=j9@7cr-ldM;+p2Dwz>&ZI25%P1>~qB>|LN>$Rq
zCv{L@uI~W6ik|wS^PmPX%@N>BfP>k|yiJ$-b7u&lW95Ezv}nyf;>*vOl@rQc^pJy0
zX={BXfSJEzAR(!hWss(MTC4GGQ>{j~dsZYmqD4lNgvVo^N=JNsVoiaQnd|pREMQd$
z>g14vseBDl=q-SpaBj)w#m6%}$5-SV(k;)pB}rd(3yVFixv|D@I;psFgiLB>oxU{h
zJUrOLE4-Dey5WtXW78?R*om&vUwi6pQLD_m14WBYok{Jw_$dwg7?-+!d9}
z%G$-}xt1hthI&zWs*_vNa
zx}ZV!jd9Rx?V3C_Fub5z_c&`fug#jD*dWZ;Akg8-MXcQ&5N{1wWe#{d7u%mM8&}a>
z^*@T-qST8z57C_anLJEQ=(
z#m%Tz1FN@~8HB|OG^EFwLGnlI`I(u!{IZEFidq2OElNErdEAAjdp@qM={B*WkOd|c
zwGmUj@^A9D?>oXzAo%BSRCOl_4Nmf)?_G~x^X1eD%kCXi(TQ%rTi)rX3}slSKmCm+
zv)lIIY|ktV9PQsCVga&6Cq9Xheq3n0UpZFlL}i>1VInkWJNTG>02hRtj&m-IAMI>#
z=1rL&h|p)3eQ7THb<*ixbp>bmQx6eOUZLS@3upNTC-oHCb!-TwZ-Aa~NEHR`0et6x
zr}K(s=QiV`lVh;UG)J+{TAz|Vl=StAu+-V?c>9nhe$2w1_y@S`HLPQ6(YyxPE0Nup
z{EUFE5rJEH0EiE=Yt{u%!j{0>aCxvDeP}{$*HpLZ^*OZxStH(@^E+OguQ(>9l?fkq
z=YX-HTiHA;xN})+q3*g_`wj+;l6G1L2r7F)0zq+2+5K-VArM@iihlyP%+!UfV|vvn
zY;vj8H0fGprNMw=&yE->o2AzkTit{JE!r#T`-&fl#m2=?t#XVeIpA
zP`;!tZWYnek
zw41{zmJqTzCJ)HA9=dYL0c*&ipO#+L=sVzKvS2-kd>=MD?&9DPO
zwOy*nAx=V&ly3+)TZu~H*2LVTLX|~N@5;G?L&(g-6$~@K`WrS2YVcL$2!DQA`Q`n7
zUB`zQ*z|9SGfkoQV2y>=uffbsJ`?>y@Xwdzd=sk5MV^Yn=7q9Ocr9^%rsrp{@X*d)
zQ6RM@ndkdfg!@>f<$XEN)F%puu?&L4FS{O4i!oqf`gZov-sIgB(Ed^hSp@ZJlfm9vQ=OXK*z=Ys6ZVXQ>LYo(LOL5i+sfEp1c
z0E}GUW(=~jYu~(M6k&dn>2-%(3m*|uUFmb(t|Fe*o>o1B+BZ9lt})9_GVrlRgfq!`
zq`mv#8aI{F(m=1={dM6ULB`wy$<_a3r?Vdhfxrp(z%?2Cg^l&yb58hDM<-UIq8g|DTWF}Aee%V-l3Fpp8uAA7G%*qVc@1Fd}&Oen$qkT)~3bU4j9l>
zCniCxNEN9llm#xycVOKDN9V|!HoLi0{Af(ge(DRJh>RPB@cGlgB1_~0M#)l#1HJ&T
zY&|vL^6if)x%c5tpbpf;IwQz8TR22sRKFcnL|LAR0qR63LI9Yh>0^WPK{fW}Qx9;E
z&7#6T)`}3T+=e?USzF>G0g#QId<=*iYkl@_ps*__K+8H|B?L@mCQOEOmtxKyHOV=o
za>ZMCuDHusIKVNpjoqc_;ZgL1lP@%aE(YqHfDf@7aNr70FFOIh6M1l5VmHHm;QbXC
zLDB75M)fWdEBt$0h6^tQJcFM*6g#2WLg{7pb@(vIbwM>Ae84$B=Tyw~QnpSguq$mw
z)QD>vA$0yrHj?kT?oOz9sCfD39Vm10sqco
ze;~9FDKG-S2zJ7DQBa_F#sj2wB*d!kf!O5=d~sXzq4Q|1UC&!!PsI8a*&rPETjL1r
z3Ymt^Jc!Aia#c?v2h2Mn&4OC2jPx{(48r}b1_oaS3)$8aupC&JM3VXY+fHoZ->L(u
zsqC1X|2XtAT0s?bcafj*!_U^2yLDe#kHc}HZYY!7+ov1X;*lCaKRB{|jHLLITddzs
z)a;lB+LPHy?CBQk@om{=
z)d2yBl|&JyAik)p)+-@gw?MqI9VeYfQOkh#=02TyZZG>1=^KkmR(2Lem~qz7p{eh(
z(+jZ4aO|klT;pqG<_uJ72;Am0Q1RqzaBY?X*Ch9;f1d*>0v;8yhU=Nhsg|WJ9(e7!vFv7@{6nV;Wpskh
zNQM7>9@LruOB)firT)K_O0TCN&9*z^Q2KCtN_A4w%bb@JHfq~jG{mazLDK{SRdMn;_yN*z1VB~;E0sK@q^pN&l(m51PT6M?DQTfsLH{M?xD*-w{?5w<8Sp(GuuXm0tzYXTW>hpH^Pv5ISbFIDL@hr{3Te}l
zeys06X~z(f5h;Jj>l!=fG9xV90SS~ynl;_##mtPj+D7;uV2|BnjH!7q3uPunou@xb4vOl-6gnGzMf~Yu7i0K;Qi5T&5u>K
zIlKK{W29p^QsJ-{$)!NagYDarE!LoP|ER0{q{qM&fH50bI8p^2jZMP0r}{m}fI0%N
z09SDzd-cKT)ry5P9EkiloH)yaIR-5j;c03o!xj{<#?)
zU+44p?T?%aW<&maGP$HAj(|o17I=SWkC)nF8;i-)?f=XaG;@X;y7Im*3x>O_%dqD=
zF+uxpT(xk#r1#Iz)qmHck00p8T-=I&cW(iWq87aFFvzc&UZ72-Q$XELwx&B|*vr)q
zH;bcE@mv4xQ}ihe&s0RKJ%8I8NFV5WAiQQz;XX622$0JD(8t)l
zZG)F}`e}uoBU`({5gVlGw1P*~f{-3uu}}pSmMih>zjwDuEnOsupptg0S?`1meu)0B
zLdM72+Y^a3W|oH&ZR#>4RQnI?>@)k}ok;d*H1v%m_i1t*`oEW2I0Tx%^RT~#R3`%-
z|2TJRAhm|S_Mhqznj6PC?{isH`T2k+_}(k0k1<9_JFhn_VDsD`xRiE5U!0|%)dB0j
z)ZG~@rb?c*gGujWhcNI6Y|wz8N?TJ~+!1sq&<2;_TS3~RCLB;;FfxUla;+*h9+jKF
zA_KyQ%eYq0ZhZguuLZUc_V^daIFrgK<^dz@N~%UcY23PW?+G0`H4)sBEo
z&&<)}rLD}n!&XZlN~<@14@Qt+%