From 53a0dd521b6b63f02c6d9caad30d4b38c1d1d90d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 7 Jul 2017 17:24:23 -0700 Subject: [PATCH 01/51] added key trust pages --- .../hello-deployment-key-trust.md | 39 ++ .../hello-key-trust-adfs.md | 512 +++++++++++++++++ .../hello-key-trust-deploy-mfa.md | 542 ++++++++++++++++++ .../hello-key-trust-policy-settings.md | 154 +++++ .../hello-key-trust-validate-ad-prereq.md | 77 +++ .../hello-key-trust-validate-deploy-mfa.md | 48 ++ .../hello-key-trust-validate-pki.md | 196 +++++++ 7 files changed, 1568 insertions(+) create mode 100644 windows/access-protection/hello-for-business/hello-deployment-key-trust.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-adfs.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md new file mode 100644 index 0000000000..e900f105a0 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md 
@@ -0,0 +1,39 @@ +--- +title: Windows Hello for Business Deployment Guide - On Premises Key Trust Deployment +description: A guide to an On Premises, Key trust Windows Hello for Business deployment +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# On Premises Key Trust Deployment + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. + +Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: +1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) + + + + + + + + + + + + diff --git a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md b/windows/access-protection/hello-for-business/hello-key-trust-adfs.md new file mode 100644 index 0000000000..b419b20f58 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -0,0 +1,512 @@ +--- +title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) +description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. + +The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. + +If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
+ +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. + +Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. + +A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +## Update Windows Server 2016 + +Sign-in the federation server with _local admin_ equivalent credentials. +1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. +2. 
Ensure the latest server updates to the federation server includes those referenced in following article https://aka.ms/whfbadfs1703. + +>[!IMPORTANT] +>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. + +## Enroll for a TLS Server Authentication Certificate + +Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) + +You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. + +You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. + +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### Internal Server Authentication Certificate Enrollment + +Sign-in the federation server with domain admin equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +## Deploy the Active Directory Federation Service Role + +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. +* Device registration +* Key registration +* Certificate registration authority (certificate trust deployments) + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** on the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. +7. Click **Next** on the **Select features** page. +8. Click **Next** on the **Active Directory Federation Service** page. +9. Click **Install** to start the role installation. 
+ +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the AD FS farm uses the correct database configuration. +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +## Device Registration Service Account Prerequisite + +The service account used for the device registration server depends on the domain controllers in the environment. + +>[!NOTE] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. + +GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
+ +#### Create KDS Root Key + +Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. +1. Start an elevated Windows PowerShell console. +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. + +#### Create an AD FS Service Account + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click the **Users** container, Click **New**. Click **User**. +3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +5. Click **Next** and then click **Finish**. + +## Configure the Active Directory Federation Service Role + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. + * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. + + +### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add…** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Configure Permissions for Key Registration + +Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +## Configure the Device Registration Service + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console. +2. In the navigation pane, expand **Service**. Click **Device Registration**. +3. In the details pane, click **Configure Device Registration**. +4. In the **Configure Device Registration** dialog, click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you followed the correct procedures based on the domain controllers used in your deployment + * Windows Server 2012 or Windows Server 2012 R2 + * Windows Server 2008 or Windows Server 2008 R2 +* Confirm you have the correct service account based on your domain controller version. +* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
+* Confirm you used a certificate with the correct names as the server authentication certificate + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) +* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. +* Confirm you enabled the Device Registration service. + +## Prepare and Deploy AD FS Registration Authority + +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. + +### Configure Registration Authority template + +The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
+ +The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +#### Windows 2012 or later domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Windows 2008 or 2008R2 domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Configure the Windows Hello for Business Authentication Certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. + +### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. 
Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. +5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. Publish the **WHFB Authentication** certificate template using step 5. +7. Close the console. + +### Configure the Registration Authority + +Sign-in the AD FS server with Domain Admin equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
+ +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + +### Enrollment Agent Certificate Enrollment + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. + +Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +## Additional Federation Servers + +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. + +### Server Authentication Certificate + +Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. + +### Install Additional Servers + +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. + +## Load Balance AD FS Federation Servers + +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. + +### Install Network Load Balancing Feature on AD FS Servers + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** On the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. 
On the **Select server roles** page, click **Next**. +7. Select **Network Load Balancing** on the **Select features** page. +8. Click **Install** to start the feature installation + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + +### Configure Network Load Balancing for AD FS + +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. + +Sign-in a node of the federation farm with _Admin_ equivalent credentials. +1. Open **Network Load Balancing Manager** from **Administrative Tools**. + ![NLB Manager user interface](images/hello-nlb-manager.png) +2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. +3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. + ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) +4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) +5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. +6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. + ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) +7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. + ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) +8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. +9. In Port Rules, click Edit to modify the default port rules to use port 443. + ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + +### Additional AD FS Servers + +1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. +2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. + ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + +## Configure DNS for Device Registration + +Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. +6. Close the DNS Management console + +## Configure the Intranet Zone to include the federation service + +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. + +### Create an Intranet Zone Group Policy + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type **Intranet Zone Settings** in the name box and click **OK**. +5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. +8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. +9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. + +### Deploy the Intranet Zone Group Policy object + +1. 
Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. +* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. +* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. +* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: + * Issuance requirements of an authorized signature from a certificate request agent. + * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe + * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions +* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. +* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. +* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. +* Confirm you restarted the AD FS service. +* Confirm you properly configured load-balancing (hardware or software). 
+* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. + +## Validating your work + +You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. + +### Event Logs + +Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show + +* The account name under which the certificate was enrolled. +* The action, which should read enroll. +* The thumbprint of the certificate +* The certificate template used to issue the certificate. + +### Normal Service Account + +When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. + +### Group Managed Service Account + +You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. + +Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
+ +Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. + +For detailed information about the certificate, use `Certutil -q -v ` . + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) + + + + + + + + + diff --git a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md new file mode 100644 index 0000000000..8ec43f5e54 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md 
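Review bot: the command in "Mark the template as the Windows Hello Sign-in template" is written with a typographic dash, `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`, so it fails with an unrecognized-argument error when copied from the rendered page; use an ASCII hyphen (`-dsTemplate`). The closing navigation block, headed "Follow the Windows Hello for Business on premises certificate trust deployment guide", links to hello-cert-trust-validate-ad-prereq.md, hello-cert-trust-validate-pki.md, hello-cert-trust-validate-deploy-mfa.md and hello-cert-trust-policy-settings.md, while the sibling file added next in this patch is hello-key-trust-deploy-mfa.md; the heading and links should point at the key trust pages so readers are not routed into the other guide. Several placeholders appear to have been swallowed by the markdown (probably angle brackets): the gMSA profile path reads `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` with an empty account segment, and `Certutil -q ` / `Certutil -q -v ` have no file argument; restore the placeholders, otherwise the reader cannot tell what to substitute. The Review checklist is inconsistent with the steps it checks: it says the Windows Hello for Business Users group should have "allow enroll and allow auto enroll", but step 12 of the authentication template grants only Enroll, and it asks to confirm the AD FS service account has Enroll on the authentication template, which no step configures; align the checklist with the procedure (least-privilege: only the permissions the steps actually grant). Smaller fixes: step 11 of the Enrollment Agent section (2012 R2 branch) repeats "In the **Permissions for adfssvc** section," twice; "T**his number of authorized signatures**" has the bold marker misplaced; step 11 of the authentication template says "Window Hello for Business Users" while step 12 says "Windows Hello for Business Users"; "chosoe" should be "choose"; "Action pan" should be "Action pane"; `(Get-AdfsProperties).Hostname.` has a stray trailing period inside the backticks; "Sign-in a certificate authority or management workstations" should read "Sign in to a certificate authority or management workstation".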
@@ -0,0 +1,542 @@ +--- +title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) +description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Configure or Deploy Multifactor Authentication Services + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. + +>[!TIP] +>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. + +## Prerequisites + +The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. + +### Primary MFA Server + +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. + +For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. + +The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
+ +#### Enroll for Server Authentication + +The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. + +Sign-in the primary MFA server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. + +To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. + +The following services are required: +* Common Parameters > Default Document. 
+* Common Parameters > Directory Browsing. +* Common Parameters > HTTP Errors. +* Common Parameters > Static Content. +* Health and Diagnostics > HTTP Logging. +* Performance > Static Content Compression. +* Security > Request Filtering. +* Security > Basic Authentication. +* Management Tools > IIS Management Console. +* Management Tools > IIS 6 Management Compatibility. +* Application Development > ASP.NET 4.5. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. + +Sign in the primary MFA server with _administrator_ equivalent credentials. +1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console +2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. +3. In the **Actions** pane, click **Bindings**. +4. In the **Site Bindings** dialog, Click **Add**. +5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. +6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. + +#### Configure the Web Service’s Security + +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. + +Sign in the domain controller with _domain administrator_ equivalent credentials. + +##### Create Phonefactor Admin group + +1. Open **Active Directory Users and Computers** +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. +3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. +4. Click **OK**. + +##### Add accounts to the Phonefactor Admins group + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +3. Click the **Members** tab. +4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
+ * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). +* Confirm the host has all the available updates from Windows Update. +* Confirm you bound the server authentication certificate to the IIS web site. +* Confirm you created the Phonefactor Admins group. +* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. + +### User Portal Server + +The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. + +The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. + +#### Enroll for Server Authentication + +Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. + +For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. + +Sign-in the User Portal server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). +10. Click **Add**. Click **OK** when finished. +11. Click **Enroll**. 
+ +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. + +#### Create WebServices SDK user account + +The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. +3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. +4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
+ +#### Add the MFA SDK user account to the Phonefactor Admins group + +Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. +3. Click the Members tab. +4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * The Webservices SDK user account + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. +* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Server Role was properly configured on all servers. +* Confirm all the hosts have the latest updates from Windows Update. +* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
+ +## Installing Primary Azure MFA Server + +When you install Azure Multi-Factor Authentication Server, you have the following options: +1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS +2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) + +See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. + +Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. + +>[!IMPORTANT] +>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. + +### Configuring Company Settings + +You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Start the **Multi-Factor Server** application +2. Click **Company Settings**. +3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. +4. In **User defaults**, select **Phone Call** or **Text Message** + **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. +5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. +6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. +7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. +8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. +9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +10. Configure the minimum length for the PIN. +11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. +12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. +13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. + +![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) + +### Configuring Email Settings and Content + +If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. + +Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. + +With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. + +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
+ +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. + +#### Settings + +By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. + +#### Content + +On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. + +##### Edit the Content Settings + +The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. Click **Email** from the list of icons and click the **Email Content** tab. +3. Select an email template from the list of templates. Click **Edit**. +4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. + ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) + +5. 
Optionally, customize other options in the email template. +6. When finished editing the template, Click **Apply**. +7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. +8. Click **Close** when you are done editing the email templates. + +### Configuring Directory Integration Settings and Synchronization + +Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. + +It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). + +#### MultiFactorAuthAdSync Service + +The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. + +The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. + +#### Settings + +Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Click the **Synchronization** tab. +4. Select **Use Active Directory**. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. + +#### Synchronization + +The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. + +You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. + +See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. + +##### To add a synchronization item + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Select the **Synchronization** tab. +4. On the **Synchronization** tab, click **Add**. + ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) + +5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. +6. Select the group you are using for replication from the list of groups +7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. +8. Select **Add new users and Update existing users**. +9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. +10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. +11. Select **Enabled** and select **Only New Users with Phone Number** from the list. +12. Select **Send email** and select **New and Updated Users**. + +##### Configure synchronization item defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. +2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). + +##### Configure synchronization language defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. +2. Select the appropriate default language for these groups of users synchronized by these synchronization item. +3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). + +### Installing the MFA Web Services SDK + +The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. + +Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
+ +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. + +## Install Secondary MFA Servers + +Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. + +Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. + +Sign in the secondary MFA server with _domain administrator_ equivalent credentials. +1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. + **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. +2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. +3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. +4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. +5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. +* Confirm the server has Internet connectivity. +* Confirm you installed and activated the Azure MFA Server. +* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). +* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. + * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. + +* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. +* Confirm you installed the Web Service SDK on the primary MFA server. +* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. + + +## Installing the User Portal Server + +You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. 
+ +### Copying the User Portal Installation file + +Sign in the primary MFA server with _local administrator_ equivalent credentials. +1. Open Windows Explorer. +2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. + +### Configure Virtual Directory name + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. +2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. +3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. +4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. +5. Click **Close**. + +### Edit MFA User Portal config file + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. + +### Create a DNS entry for the User Portal web site + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**. +6. Close the **DNS Management** console. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. + +### Configuring the User Portal + +The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. +User Portal Administrators may be set up and granted permission to add new users and update existing users. + +#### Settings + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. + ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) + +3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. +The Multi-Factor Authentication Server uses this information when sending emails to users. +4. Select Allow users to log in and Allow user enrollment check boxes. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +6. Select Allow users to select language. +7. Select Use security questions for fallback and select 4 from the Questions to answer list. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). + +#### Administrators + +The User Portal Settings tab allows the administrator to install and configure the User Portal. +1. 
Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. +3. On the Administrators tab, Click Add +4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. +5. Click Add. + +>[!TIP] +>For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. + +#### Security Questions + +[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. + +#### Trusted IPs + +The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. + +## Configure the AD FS Server to use the MFA for multifactor authentication + +You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
+ +### Install the MFA AD FS Adapter + +Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. + +### Edit the MFA AD FS Adapter config file on all ADFS Servers + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. + +### Edit the AD FS Adapter Windows PowerShell cmdlet + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. + +Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. + +### Run the AD FS Adapter PowerShell cmdlet + +Sign in the primary AD FS server with local administrator equivalent credentials. + +Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. + +>[!NOTE] +>You must restart the AD FS service for the registration to take effect. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. +* Confirm you restarted the AD FS Service after completing the configuration. + +## Test AD FS with the Multifactor Authentication connector + +Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete. + +1. In the **Multi-Factor Authentication** server, on the left, click **Users**. +2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. +3. Click **Test**. +4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. + +The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md new file mode 100644 index 0000000000..0e85b5a485 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -0,0 +1,154 @@ +--- +title: Configure Windows Hello for Business Policy settings (Windows Hello for Business) +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Configure Windows Hello for Business Policy settings + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
+ +On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +## Enable Windows Hello for Business Group Policy + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +## Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +## Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +## Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +## Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) +* Confirm you configured the proper security settings for the Group Policy object + * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) + * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy + +* Linked the Group Policy object to the correct locations within Active Directory +* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users + + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md new file mode 100644 index 0000000000..3716c6dbe3 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -0,0 +1,77 @@ +--- +title: Validate Active Directory prerequisites (Windows Hello for Business) +description: How to Validate Active Directory prerequisites for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate Active Directory prerequisites + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +## Discovering schema role + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i “schema”``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. + +## Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. 
+ +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +## Create the KeyCredential Admins Security Global Group + +The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +## Create the Windows Hello for Business Users Security Global Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. 
Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. Validate Active Directory prerequisites (*You are here*) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md new file mode 100644 index 0000000000..82e38e2728 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md 
@@ -0,0 +1,48 @@ +--- +title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) +description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate and Deploy Multifactor Authentication Services (MFA) + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. + +Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. +* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. +* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. +* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. +* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. + +## On-Premises Azure MFA Server + +On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. + +### Infrastructure + +A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. + +Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. + +>[!IMPORTANT] +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) beofre proceeding. Do not use instllation instructions provided in the article. + +Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md new file mode 100644 index 0000000000..f0faf69798 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md 
@@ -0,0 +1,196 @@ +--- +title: Validate Public Key Infrastructure (Windows Hello for Business) +description: How to Validate Public Key Infrastructure for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate and Configure Public Key Infrastructure + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. Secondary certificates, such as VPN and SMIME (future feature) may also be deployed. + +## Deploy an enterprise certificate authority + +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. 
+ ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificateAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. + +### Configure Domain Controller Certificates + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. 
However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template. + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. 
+ +### Superseding the existing Domain Controller certificate + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. 
From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +### Configure an Internal Web Server Certificate template + +Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Internal Web Server** in **Template display name**. 
Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Request Handling** tab, select **Allow private key to be exported**. +7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. +8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. +9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +10. Close the console. + +### Unpublish Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Publish Certificate Templates to the Certificate Authority + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + +7. Close the console. + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the domain controller certificate template. 
However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** +3. 
In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. + +#### Use the Event Logs + +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. + +Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. + +Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. 
+ + +#### Certificate Manager + +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. + +#### Certutil.exe + +You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. + +To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. + +#### Troubleshooting + +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. + +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. + +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. Validate and Configure Public Key Infrastructure (*You are here*) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. 
[Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file From 8a57539b506da21ed3fa6b289956c8b8dcf49ceb Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 13 Jul 2017 10:58:37 -0700 Subject: [PATCH 02/51] fixed typo in toc --- windows/access-protection/hello-for-business/toc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index d6542a7d8f..e99fabcb82 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -1,6 +1,6 @@ # [Windows Hello for Business](hello-identity-verification.md) -## [Winodws Hello for Business Overview](hello-overview.md) +## [Windows Hello for Business Overview](hello-overview.md) ## [How Windows Hello for Business works](hello-how-it-works.md) ## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) From 16df974cd4571df974beb27d92852e377d22e7b8 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 24 Jul 2017 18:07:19 -0700 Subject: [PATCH 03/51] Corrected PIN policy settings statement and removed incorrect prerequistes --- .../hello-manage-in-organization.md | 67 +------------------ 1 file changed, 1 insertion(+), 66 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md index 8ef71c6d85..9aca74c76b 100644 --- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md 
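Review bot: the lab PKI step `Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools` will fail as written; the parameter is `-IncludeManagementTools`. Beyond that, this hello-key-trust-validate-pki.md page carries text copied from the certificate-trust guide that contradicts a key-trust deployment: the introduction says "The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate", and the closing "Follow the Windows Hello for Business on premises certificate trust deployment guide" list links to hello-cert-trust-* files; reword the introduction for key trust and point the list at the hello-key-trust-* counterparts. One more defensive point: step 6 of the "Internal Web Server" template procedure selects "Allow private key to be exported" without explaining why. Since the section requires the same server authentication certificate on every AD FS farm node, state that rationale explicitly and remind readers to protect any exported PFX, so the exportable setting is not copied onto templates that do not need it.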
@@ -25,7 +25,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will > >Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > ->Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. +>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.   ## Group Policy settings for Windows Hello for Business @@ -292,71 +292,6 @@ The following table lists the MDM policy settings that you can configure for Win >[!NOTE]   > If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.   -## Prerequisites - -To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. - -You’ll need this software to set Windows Hello for Business policies in your enterprise. - ------ - - - - - - - - - - - - - - - - - - - - - - -
Windows Hello for Business modeAzure ADActive Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)Azure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authenticationAzure AD subscription
    -
  • Active Directory Federation Service (AD FS) (Windows Server 2016)
  • -
  • A few Windows Server 2016 domain controllers on-site
  • -
    -
  • Azure AD subscription
  • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • -
  • A few Windows Server 2016 domain controllers on-site
  • -
  • A management solution, such as Configuration Manager, Group Policy, or MDM
  • -
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
  • -
Certificate-based authentication
    -
  • Azure AD subscription
  • -
  • Intune or non-Microsoft mobile device management (MDM) solution
  • -
  • PKI infrastructure
  • -
    -
  • ADFS (Windows Server 2016)
  • -
  • Active Directory Domain Services (AD DS) Windows Server 2016 schema
  • -
  • PKI infrastructure
  • -
    -
  • Azure AD subscription
  • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • -
  • AD CS with NDES
  • -
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business
  • -
-  -Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. - -Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. - ->[!IMPORTANT] ->Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available. - ## How to use Windows Hello for Business with Azure Active Directory From 805fe09b03df1c196ae13952398f0c052696a9a6 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 28 Jul 2017 06:47:27 -0700 Subject: [PATCH 04/51] Added pages for hybrid cert trust --- .../hello-hybrid-cert-policy-settings.md | 154 +++++ .../hello-hybrid-cert-trust-adfs.md | 512 +++++++++++++++++ .../hello-hybrid-cert-trust-deploy-mfa.md | 542 ++++++++++++++++++ .../hello-hybrid-cert-validate-ad-prereq.md | 77 +++ .../hello-hybrid-cert-validate-deploy-mfa.md | 48 ++ .../hello-hybrid-cert-validate-pki.md | 196 +++++++ 6 files changed, 1529 insertions(+) create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md 
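Review bot: deleting the whole "## Prerequisites" section (from `-## Prerequisites` through the removed IMPORTANT callout) leaves this page with no statement of what a deployment needs and no pointer to where that information now lives; after the change, "## How to use Windows Hello for Business with Azure Active Directory" follows the numeric-PIN note directly. Replace the removed table with a sentence that links to the per-model deployment pages introduced elsewhere in this series (the key-trust and hybrid certificate-trust guides) so readers can still find the domain controller, PKI/NDES and MDM requirements. The removed callout was also the only place saying that on-premises Active Directory deployment "is not currently available"; if that statement is what is now incorrect, the commit message should say so rather than the generic "removed incorrect prerequisites".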
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md new file mode 100644 index 0000000000..0e85b5a485 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md 
@@ -0,0 +1,154 @@ +--- +title: Configure Windows Hello for Business Policy settings (Windows Hello for Business) +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Configure Windows Hello for Business Policy settings + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
+ +On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +## Enable Windows Hello for Business Group Policy + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +## Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +## Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +## Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +## Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) +* Confirm you configured the proper security settings for the Group Policy object + * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) + * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy + +* Linked the Group Policy object to the correct locations within Active Directory +* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users + + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md new file mode 100644 index 0000000000..b419b20f58 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md 
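Review bot: The security-filtering procedure and the Review checklist in this hunk disagree about which principal loses **Apply Group Policy**. Step 6 under "Configure Security in the Windows Hello for Business Group Policy object" clears the **Allow** box for **Apply Group Policy** on **Authenticated Users** and leaves Read untouched, but the checklist says "Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)". Make the checklist name Authenticated Users, matching the steps, and keep the parenthetical about Read: the procedure only removes Apply, and that is what lets the *Windows Hello for Business Users* group gate the rollout while everyone else still ignores the GPO, as the "Deploy" paragraph explains. The policy name in the checklist ("Use Certificate enrollment for on-prem authentication") also does not match the setting enabled in step 9 ("Use certificate for on-premises authentication"); use one name so readers can find the setting. Smaller text fixes: "The enables you" should read "This enables you", "unforgiven" should be "unforgiving", "some organization may want not want" has a stray "want", "Widows 10 Creators Editions" is misspelled, and the checklist item "Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users" is not a sentence; "Deploy any additional Windows Hello for Business Group Policy settings in a policy separate from the one that enables it for users" reads as intended.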
@@ -0,0 +1,512 @@ +--- +title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) +description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. + +The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. + +If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
+ +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. + +Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. + +A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +## Update Windows Server 2016 + +Sign-in the federation server with _local admin_ equivalent credentials. +1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. +2. 
Ensure the latest server updates to the federation server includes those referenced in following article https://aka.ms/whfbadfs1703. + +>[!IMPORTANT] +>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. + +## Enroll for a TLS Server Authentication Certificate + +Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) + +You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. + +You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. + +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### Internal Server Authentication Certificate Enrollment + +Sign-in the federation server with domain admin equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +## Deploy the Active Directory Federation Service Role + +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. +* Device registration +* Key registration +* Certificate registration authority (certificate trust deployments) + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** on the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. +7. Click **Next** on the **Select features** page. +8. Click **Next** on the **Active Directory Federation Service** page. +9. Click **Install** to start the role installation. 
+ +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the AD FS farm uses the correct database configuration. +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +## Device Registration Service Account Prerequisite + +The service account used for the device registration server depends on the domain controllers in the environment. + +>[!NOTE] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. + +GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
+ +#### Create KDS Root Key + +Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. +1. Start an elevated Windows PowerShell console. +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. + +#### Create an AD FS Service Account + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click the **Users** container, Click **New**. Click **User**. +3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +5. Click **Next** and then click **Finish**. + +## Configure the Active Directory Federation Service Role + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. + * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. + + +### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add…** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Configure Permissions for Key Registration + +Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +## Configure the Device Registration Service + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console. +2. In the navigation pane, expand **Service**. Click **Device Registration**. +3. In the details pane, click **Configure Device Registration**. +4. In the **Configure Device Registration** dialog, click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you followed the correct procedures based on the domain controllers used in your deployment + * Windows Server 2012 or Windows Server 2012 R2 + * Windows Server 2008 or Windows Server 2008 R2 +* Confirm you have the correct service account based on your domain controller version. +* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
+* Confirm you used a certificate with the correct names as the server authentication certificate + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) +* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. +* Confirm you enabled the Device Registration service. + +## Prepare and Deploy AD FS Registration Authority + +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. + +### Configure Registration Authority template + +The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
+ +The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +#### Windows 2012 or later domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Windows 2008 or 2008R2 domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Configure the Windows Hello for Business Authentication Certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. + +### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. 
Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. +5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. Publish the **WHFB Authentication** certificate template using step 5. +7. Close the console. + +### Configure the Registration Authority + +Sign-in the AD FS server with Domain Admin equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
+ +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + +### Enrollment Agent Certificate Enrollment + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. + +Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +## Additional Federation Servers + +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. + +### Server Authentication Certificate + +Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. + +### Install Additional Servers + +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. + +## Load Balance AD FS Federation Servers + +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. + +### Install Network Load Balancing Feature on AD FS Servers + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** On the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. 
On the **Select server roles** page, click **Next**. +7. Select **Network Load Balancing** on the **Select features** page. +8. Click **Install** to start the feature installation + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + +### Configure Network Load Balancing for AD FS + +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. + +Sign-in a node of the federation farm with _Admin_ equivalent credentials. +1. Open **Network Load Balancing Manager** from **Administrative Tools**. + ![NLB Manager user interface](images/hello-nlb-manager.png) +2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. +3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. + ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) +4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) +5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. +6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. + ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) +7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. + ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) +8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. +9. In Port Rules, click Edit to modify the default port rules to use port 443. + ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + +### Additional AD FS Servers + +1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. +2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. + ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + +## Configure DNS for Device Registration + +Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. +6. Close the DNS Management console + +## Configure the Intranet Zone to include the federation service + +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. + +### Create an Intranet Zone Group Policy + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type **Intranet Zone Settings** in the name box and click **OK**. +5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. +8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. +9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. + +### Deploy the Intranet Zone Group Policy object + +1. 
Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. +* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. +* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. +* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: + * Issuance requirements of an authorized signature from a certificate request agent. + * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe + * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions +* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. +* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. +* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. +* Confirm you restarted the AD FS service. +* Confirm you properly configured load-balancing (hardware or software). 
+* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. + +## Validating your work + +You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. + +### Event Logs + +Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show + +* The account name under which the certificate was enrolled. +* The action, which should read enroll. +* The thumbprint of the certificate +* The certificate template used to issue the certificate. + +### Normal Service Account + +When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. + +### Group Managed Service Account + +You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. + +Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
+ +Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. + +For detailed information about the certificate, use `Certutil -q -v ` . + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) + + + + + + + + + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md new file mode 100644 index 0000000000..8ec43f5e54 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md 
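Review bot: the Review checklist at the end of this hunk does not match the procedure it summarizes. The "Configure the Windows Hello for Business Authentication Certificate template" steps 11 and 12 grant only the Enroll permission, and only to the Windows Hello for Business Users group, yet the checklist asks the reader to "Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template" and that the users group "has the allow enroll and allow auto enroll permissions". Since the section intro says AD FS "requests the authentication certificate on behalf of the user", either a step that adds adfssvc with Enroll to that template is missing, or the two checklist bullets need to be reduced to what steps 11 and 12 actually configure; as written, a reader who follows the steps literally fails their own review. Two smaller items in the same hunk: the closing navigation block is titled "Follow the Windows Hello for Business on premises certificate trust deployment guide" and links to hello-cert-trust-validate-ad-prereq.md, hello-cert-trust-validate-pki.md and so on, although this file is hello-key-trust-adfs.md, so the heading and the five links should point at the hello-key-trust-*.md pages; and the angle-bracket placeholders have been swallowed in the "Group Managed Service Account" section, leaving `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates`, `Certutil -q ` and `Certutil -q -v ` without the service-account name and certificate thumbprint the reader is supposed to substitute (escape them or spell them out inside the backticks). Typos to fix while here: "chosoe", "Configuration Manger", and "Window Hello for Business Users" in step 11, which is inconsistent with "Windows Hello for Business Users" in step 12.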
@@ -0,0 +1,542 @@ +--- +title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) +description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Configure or Deploy Multifactor Authentication Services + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. + +>[!TIP] +>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. + +## Prerequisites + +The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. + +### Primary MFA Server + +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. + +For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. + +The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
+ +#### Enroll for Server Authentication + +The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. + +Sign-in the primary MFA server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. + +To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. + +The following services are required: +* Common Parameters > Default Document. 
+* Common Parameters > Directory Browsing. +* Common Parameters > HTTP Errors. +* Common Parameters > Static Content. +* Health and Diagnostics > HTTP Logging. +* Performance > Static Content Compression. +* Security > Request Filtering. +* Security > Basic Authentication. +* Management Tools > IIS Management Console. +* Management Tools > IIS 6 Management Compatibility. +* Application Development > ASP.NET 4.5. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. + +Sign in the primary MFA server with _administrator_ equivalent credentials. +1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console +2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. +3. In the **Actions** pane, click **Bindings**. +4. In the **Site Bindings** dialog, Click **Add**. +5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. +6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. + +#### Configure the Web Service’s Security + +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. + +Sign in the domain controller with _domain administrator_ equivalent credentials. + +##### Create Phonefactor Admin group + +1. Open **Active Directory Users and Computers** +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. +3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. +4. Click **OK**. + +##### Add accounts to the Phonefactor Admins group + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +3. Click the **Members** tab. +4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
+ * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). +* Confirm the host has all the available updates from Windows Update. +* Confirm you bound the server authentication certificate to the IIS web site. +* Confirm you created the Phonefactor Admins group. +* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. + +### User Portal Server + +The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. + +The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. + +#### Enroll for Server Authentication + +Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. + +For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. + +Sign-in the User Portal server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). +10. Click **Add**. Click **OK** when finished. +11. Click **Enroll**. 
+ +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. + +#### Create WebServices SDK user account + +The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. +3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. +4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
+ +#### Add the MFA SDK user account to the Phonefactor Admins group + +Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. +3. Click the Members tab. +4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * The Webservices SDK user account + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. +* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Server Role was properly configured on all servers. +* Confirm all the hosts have the latest updates from Windows Update. +* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
+ +## Installing Primary Azure MFA Server + +When you install Azure Multi-Factor Authentication Server, you have the following options: +1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS +2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) + +See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. + +Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. + +>[!IMPORTANT] +>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. + +### Configuring Company Settings + +You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Start the **Multi-Factor Server** application +2. Click **Company Settings**. +3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. +4. In **User defaults**, select **Phone Call** or **Text Message** + **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. +5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. +6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. +7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. +8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. +9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +10. Configure the minimum length for the PIN. +11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. +12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. +13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. + +![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) + +### Configuring Email Settings and Content + +If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. + +Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. + +With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. + +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
+ +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. + +#### Settings + +By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. + +#### Content + +On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. + +##### Edit the Content Settings + +The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. Click **Email** from the list of icons and click the **Email Content** tab. +3. Select an email template from the list of templates. Click **Edit**. +4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. + ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) + +5. 
Optionally, customize other options in the email template. +6. When finished editing the template, Click **Apply**. +7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. +8. Click **Close** when you are done editing the email templates. + +### Configuring Directory Integration Settings and Synchronization + +Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. + +It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). + +#### MultiFactorAuthAdSync Service + +The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. + +The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. + +#### Settings + +Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Click the **Synchronization** tab. +4. Select **Use Active Directory**. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. + +#### Synchronization + +The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. + +You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. + +See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. + +##### To add a synchronization item + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Select the **Synchronization** tab. +4. On the **Synchronization** tab, click **Add**. + ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) + +5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. +6. Select the group you are using for replication from the list of groups +7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. +8. Select **Add new users and Update existing users**. +9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. +10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. +11. Select **Enabled** and select **Only New Users with Phone Number** from the list. +12. Select **Send email** and select **New and Updated Users**. + +##### Configure synchronization item defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. +2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). + +##### Configure synchronization language defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. +2. Select the appropriate default language for these groups of users synchronized by these synchronization item. +3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). + +### Installing the MFA Web Services SDK + +The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. + +Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
+ +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. + +## Install Secondary MFA Servers + +Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. + +Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. + +Sign in the secondary MFA server with _domain administrator_ equivalent credentials. +1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. + **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. +2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. +3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. +4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. +5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. +* Confirm the server has Internet connectivity. +* Confirm you installed and activated the Azure MFA Server. +* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). +* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. + * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. + +* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. +* Confirm you installed the Web Service SDK on the primary MFA server. +* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. + + +## Installing the User Portal Server + +You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. 
+ +### Copying the User Portal Installation file + +Sign in the primary MFA server with _local administrator_ equivalent credentials. +1. Open Windows Explorer. +2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. + +### Configure Virtual Directory name + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. +2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. +3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. +4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. +5. Click **Close**. + +### Edit MFA User Portal config file + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. + +### Create a DNS entry for the User Portal web site + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**. +6. Close the **DNS Management** console. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. + +### Configuring the User Portal + +The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. +User Portal Administrators may be set up and granted permission to add new users and update existing users. + +#### Settings + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. + ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) + +3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. +The Multi-Factor Authentication Server uses this information when sending emails to users. +4. Select Allow users to log in and Allow user enrollment check boxes. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +6. Select Allow users to select language. +7. Select Use security questions for fallback and select 4 from the Questions to answer list. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). + +#### Administrators + +The User Portal Settings tab allows the administrator to install and configure the User Portal. +1. 
Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. +3. On the Administrators tab, Click Add +4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. +5. Click Add. + +>[!TIP] +>For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. + +#### Security Questions + +[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. + +#### Trusted IPs + +The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. + +## Configure the AD FS Server to use the MFA for multifactor authentication + +You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
+ +### Install the MFA AD FS Adapter + +Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. + +### Edit the MFA AD FS Adapter config file on all ADFS Servers + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. + +### Edit the AD FS Adapter Windows PowerShell cmdlet + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. + +Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. + +### Run the AD FS Adapter PowerShell cmdlet + +Sign in the primary AD FS server with local administrator equivalent credentials. + +Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. + +>[!NOTE] +>You must restart the AD FS service for the registration to take effect. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. +* Confirm you restarted the AD FS Service after completing the configuration. + +## Test AD FS with the Multifactor Authentication connector + +Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete. + +1. In the **Multi-Factor Authentication** server, on the left, click **Users**. +2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. +3. Click **Test**. +4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. + +The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md new file mode 100644 index 0000000000..3716c6dbe3 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md 
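Review bot: the closing trail in hello-key-trust-deploy-mfa.md points at the wrong guide: the heading reads "Follow the Windows Hello for Business on premises certificate trust deployment guide" and every link targets hello-cert-trust-*.md, while this file belongs to the key trust set and the series introduced in hello-deployment-key-trust.md links to hello-key-trust-*.md; retarget the five links (and the "key trust" wording) before merge. Three smaller problems in the same hunk: in "Edit the AD FS Adapter Windows PowerShell cmdlet" the path placeholder was swallowed by markdown, leaving `-ConfigurationFilePath ` followed by "where **** is the full path"; escape or code-quote the placeholder so the reader sees what to substitute. The "Review" list under the adapter section is a copy of the user portal checklist and still tells the reader to "Confirm you saved the changes to the web.config file", although this section edits MultiFactorAuthenticationAdfsAdapter.config, not web.config; the checklist should name that file. Finally the key is called **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** in step 4 but "WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD" in both review lists; settle on the spelling the adapter config actually uses, since a reader searching the file for the wrong name will not find it.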
@@ -0,0 +1,77 @@ +--- +title: Validate Active Directory prerequisites (Windows Hello for Business) +description: How to Validate Active Directory prerequisites for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate Active Directory prerequisites + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +## Discovering schema role + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i “schema”``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. + +## Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. 
+ +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +## Create the KeyCredential Admins Security Global Group + +The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +## Create the Windows Hello for Business Users Security Global Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. 
Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. Validate Active Directory prerequisites (*You are here*) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md new file mode 100644 index 0000000000..82e38e2728 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md 
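Review bot: the file is added as hello-hybrid-cert-validate-ad-prereq.md but its body describes "the On-prem deployment of Windows Hello for Business" and its trail links to hello-cert-trust-*.md, so either the filename or the content is wrong; decide which deployment this page belongs to and make the title, body and trail agree. The command in "Discovering schema role" is given as ```Netdom query fsmo | findstr -i “schema”``` with typographic quotes, which cmd.exe passes to findstr literally and so matches nothing; use straight quotes (or no quotes) in the fenced command. Also: the drive placeholder in "**:\support\adprep**" was stripped by markdown (step 2 later shows the intended form, `x:\support\adprep`), step 4 reads "Type the letter **C***" with a stray asterisk, the KeyCredential Admins procedure says "Advance Features" where the next procedure correctly says "Advanced Features", and the image path `images\hello-cmd-netdom.png` uses a backslash while the rest of the set uses forward slashes, which will break the image on a case-sensitive or URL-based build.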
@@ -0,0 +1,48 @@ +--- +title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) +description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate and Deploy Multifactor Authentication Services (MFA) + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. + +Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. +* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. +* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. +* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. +* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. + +## On-Premises Azure MFA Server + +On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. + +### Infrastructure + +A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. + +Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. + +>[!IMPORTANT] +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) beofre proceeding. Do not use instllation instructions provided in the article. + +Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md new file mode 100644 index 0000000000..f0faf69798 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md 
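Review bot: same naming mismatch as the previous file: hello-hybrid-cert-validate-deploy-mfa.md is titled and written as an on-premises page ("On-Premises deployments use Azure MFA server", trail links to hello-cert-trust-*.md, next step hello-cert-trust-deploy-mfa.md), so the hybrid filename does not match what the page teaches. Spelling in the IMPORTANT box needs a pass ("beofre", "instllation"), and "an on-premises implementation that do not require synchronizing" should read "does not require". Style point: the two docs.microsoft.com links here carry an `en-us` locale segment while the rest of the set links without one; drop the locale so localized builds resolve correctly.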
@@ -0,0 +1,196 @@ +--- +title: Validate Public Key Infrastructure (Windows Hello for Business) +description: How to Validate Public Key Infrastructure for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate and Configure Public Key Infrastructure + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. Secondary certificates, such as VPN and SMIME (future feature) may also be deployed. + +## Deploy an enterprise certificate authority + +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. 
+ ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificateAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. + +### Configure Domain Controller Certificates + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. 
However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template. + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. 
+ +### Superseding the existing Domain Controller certificate + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. 
From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +### Configure an Internal Web Server Certificate template + +Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Internal Web Server** in **Template display name**. 
Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Request Handling** tab, select **Allow private key to be exported**. +7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. +8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. +9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +10. Close the console. + +### Unpublish Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Publish Certificate Templates to the Certificate Authority + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + +7. Close the console. + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the domain controller certificate template. 
However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** +3. 
In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. + +#### Use the Event Logs + +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. + +Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. + +Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. 
+ + +#### Certificate Manager + +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. + +#### Certutil.exe + +You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. + +To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. + +#### Troubleshooting + +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. + +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. + +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. Validate and Configure Public Key Infrastructure (*You are here*) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. 
[Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file From edc203f3781cfb11159c2b904cbbb6f92de013c0 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 3 Aug 2017 17:34:52 +0000 Subject: [PATCH 05/51] Merged PR 2378: Corrected PIN policy settings statement and removed incorrect prerequisites Corrected PIN policy settings statement and removed incorrect prerequisites --- .../hello-hybrid-cert-policy-settings.md | 154 +++++ .../hello-hybrid-cert-trust-adfs.md | 512 +++++++++++++++++ .../hello-hybrid-cert-trust-deploy-mfa.md | 542 ++++++++++++++++++ .../hello-hybrid-cert-validate-ad-prereq.md | 77 +++ .../hello-hybrid-cert-validate-deploy-mfa.md | 48 ++ .../hello-hybrid-cert-validate-pki.md | 196 +++++++ .../hello-manage-in-organization.md | 67 +-- 7 files changed, 1530 insertions(+), 66 deletions(-) create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md new file mode 100644 index 0000000000..0e85b5a485 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md 
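Review bot: The closing list in this hunk is headed "Follow the Windows Hello for Business on premises certificate trust deployment guide" and links to hello-cert-trust-validate-ad-prereq.md, hello-cert-trust-adfs.md, hello-cert-trust-validate-deploy-mfa.md and hello-cert-trust-policy-settings.md, although this patch is "added key trust pages"; the heading should say key trust and the links should point at the hello-key-trust-*.md counterparts, otherwise a reader following the key-trust guide is routed into the certificate-trust track after step 2. Two smaller items in the same hunk: in "Publish Certificate Templates to the Certificate Authority" step 4 the menu command is **Certificate Template to Issue** (the words "to issue" are part of the command and belong inside the bold) and the step 5 dialog is **Enable Certificate Templates**; and the lead-ins "Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials" and "Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials" should read "Sign in to a ... or management workstation with _Enterprise Admin_ (or _Domain Admin_) equivalent credentials".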
@@ -0,0 +1,154 @@ +--- +title: Configure Windows Hello for Business Policy settings (Windows Hello for Business) +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Configure Windows Hello for Business Policy settings + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
+ +On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +## Enable Windows Hello for Business Group Policy + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +## Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +## Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +## Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +## Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) +* Confirm you configured the proper security settings for the Group Policy object + * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) + * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy + +* Linked the Group Policy object to the correct locations within Active Directory +* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users + + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md new file mode 100644 index 0000000000..b419b20f58 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md 
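Review bot: This file is hello-hybrid-cert-policy-settings.md, but its body is the on-premises certificate-trust page: the opening says "On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings", the "Use certificate for on-premises authentication" section describes the on-prem key-trust fallback to Windows Server 2016 domain controllers, and the closing list is headed "...on premises certificate trust deployment guide" and links to hello-cert-trust-*.md rather than to the hybrid pages this patch adds (hello-hybrid-cert-validate-ad-prereq.md, hello-hybrid-cert-trust-adfs.md, hello-hybrid-cert-validate-deploy-mfa.md, hello-hybrid-cert-validate-pki.md). Either rework the text for the hybrid deployment or state in the PR description that the hybrid pages are copies of the on-prem set pending edits. Second, the "Configure Security" steps clear **Apply Group Policy** for **Authenticated Users**, while the Review checklist says the permission was removed for "Domain Users"; both should name the same principal, and the checklist's reminder that Read must be kept should also appear at step 6, which only clears Apply Group Policy. Minor wording in the hunk: "create copy the .ADMX and .ADML files" (drop "create"), "Widows 10 Creators Editions", "more unforgiven" (less forgiving), "some organization may want not want", the garbled checklist bullet "Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users", and the PIN-complexity sentence "you can deploy Group Policy to provide to accomplish a variety of configurations".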
@@ -0,0 +1,512 @@ +--- +title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) +description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. + +The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. + +If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
+ +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. + +Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. + +A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +## Update Windows Server 2016 + +Sign-in the federation server with _local admin_ equivalent credentials. +1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. +2. 
Ensure the latest server updates to the federation server includes those referenced in following article https://aka.ms/whfbadfs1703. + +>[!IMPORTANT] +>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. + +## Enroll for a TLS Server Authentication Certificate + +Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) + +You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. + +You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. + +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### Internal Server Authentication Certificate Enrollment + +Sign-in the federation server with domain admin equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +## Deploy the Active Directory Federation Service Role + +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. +* Device registration +* Key registration +* Certificate registration authority (certificate trust deployments) + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** on the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. +7. Click **Next** on the **Select features** page. +8. Click **Next** on the **Active Directory Federation Service** page. +9. Click **Install** to start the role installation. 
+ +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the AD FS farm uses the correct database configuration. +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +## Device Registration Service Account Prerequisite + +The service account used for the device registration server depends on the domain controllers in the environment. + +>[!NOTE] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. + +GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
+ +#### Create KDS Root Key + +Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. +1. Start an elevated Windows PowerShell console. +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. + +#### Create an AD FS Service Account + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click the **Users** container, Click **New**. Click **User**. +3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +5. Click **Next** and then click **Finish**. + +## Configure the Active Directory Federation Service Role + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. + * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. + + +### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add…** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Configure Permissions for Key Registration + +Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +## Configure the Device Registration Service + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console. +2. In the navigation pane, expand **Service**. Click **Device Registration**. +3. In the details pane, click **Configure Device Registration**. +4. In the **Configure Device Registration** dialog, click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you followed the correct procedures based on the domain controllers used in your deployment + * Windows Server 2012 or Windows Server 2012 R2 + * Windows Server 2008 or Windows Server 2008 R2 +* Confirm you have the correct service account based on your domain controller version. +* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
+* Confirm you used a certificate with the correct names as the server authentication certificate + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) +* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. +* Confirm you enabled the Device Registration service. + +## Prepare and Deploy AD FS Registration Authority + +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. + +### Configure Registration Authority template + +The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
+ +The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +#### Windows 2012 or later domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Windows 2008 or 2008R2 domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Configure the Windows Hello for Business Authentication Certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. + +### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. 
Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. +5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. Publish the **WHFB Authentication** certificate template using step 5. +7. Close the console. + +### Configure the Registration Authority + +Sign-in the AD FS server with Domain Admin equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
+ +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + +### Enrollment Agent Certificate Enrollment + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. + +Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +## Additional Federation Servers + +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. + +### Server Authentication Certificate + +Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. + +### Install Additional Servers + +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. + +## Load Balance AD FS Federation Servers + +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. + +### Install Network Load Balancing Feature on AD FS Servers + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** On the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. 
On the **Select server roles** page, click **Next**. +7. Select **Network Load Balancing** on the **Select features** page. +8. Click **Install** to start the feature installation + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + +### Configure Network Load Balancing for AD FS + +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. + +Sign-in a node of the federation farm with _Admin_ equivalent credentials. +1. Open **Network Load Balancing Manager** from **Administrative Tools**. + ![NLB Manager user interface](images/hello-nlb-manager.png) +2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. +3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. + ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) +4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) +5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. +6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. + ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) +7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. + ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) +8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. +9. In Port Rules, click Edit to modify the default port rules to use port 443. + ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + +### Additional AD FS Servers + +1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. +2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. + ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + +## Configure DNS for Device Registration + +Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. +6. Close the DNS Management console + +## Configure the Intranet Zone to include the federation service + +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. + +### Create an Intranet Zone Group Policy + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type **Intranet Zone Settings** in the name box and click **OK**. +5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. +8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. +9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. + +### Deploy the Intranet Zone Group Policy object + +1. 
Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. +* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. +* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. +* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: + * Issuance requirements of an authorized signature from a certificate request agent. + * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe + * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions +* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. +* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. +* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. +* Confirm you restarted the AD FS service. +* Confirm you properly configured load-balancing (hardware or software). 
+* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. + +## Validating your work + +You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. + +### Event Logs + +Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show + +* The account name under which the certificate was enrolled. +* The action, which should read enroll. +* The thumbprint of the certificate +* The certificate template used to issue the certificate. + +### Normal Service Account + +When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. + +### Group Managed Service Account + +You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. + +Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
+ +Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. + +For detailed information about the certificate, use `Certutil -q -v ` . + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) + + + + + + + + + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md new file mode 100644 index 0000000000..8ec43f5e54 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md 
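Review bot: The closing navigation list under "## Follow the Windows Hello for Business on premises certificate trust deployment guide" links to the certificate trust pages (hello-cert-trust-validate-ad-prereq.md, hello-cert-trust-validate-pki.md, hello-cert-trust-validate-deploy-mfa.md, hello-cert-trust-policy-settings.md) even though this file is hello-key-trust-adfs.md; the heading should read "key trust" and the links should target the hello-key-trust-* pages so readers of the key trust guide are not routed into the certificate trust track. The "Review" and "Validating your work" sections also carry material that only makes sense for a certificate registration authority (enrollment agent certificate template, Windows Hello for Business authentication certificate template, marking the template with certutil.exe, `Get-AdfsCertificateAuthority`, event ID 443 / 1006 enrollment checks); confirm which of these apply to a key trust AD FS deployment and remove or reword the rest, otherwise a key trust administrator is told to validate a certificate registration authority the guide never had them configure. Two placeholders look lost: `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` is missing the service account folder between the doubled backslashes, and `Certutil -q ` and `Certutil -q -v ` are missing the file name argument; restore them with explicit placeholders such as `<service account>` and `<filename>`. Minor: `(Get-AdfsProperties).Hostname.` has a stray period inside the code span, "Action pan" should be "Action pane", and "Close the DNS Management console" lacks its terminating period.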
@@ -0,0 +1,542 @@ +--- +title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) +description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Configure or Deploy Multifactor Authentication Services + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. + +>[!TIP] +>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. + +## Prerequisites + +The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. + +### Primary MFA Server + +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. + +For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. + +The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
+ +#### Enroll for Server Authentication + +The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. + +Sign-in the primary MFA server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. + +To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. + +The following services are required: +* Common Parameters > Default Document. 
+* Common Parameters > Directory Browsing. +* Common Parameters > HTTP Errors. +* Common Parameters > Static Content. +* Health and Diagnostics > HTTP Logging. +* Performance > Static Content Compression. +* Security > Request Filtering. +* Security > Basic Authentication. +* Management Tools > IIS Management Console. +* Management Tools > IIS 6 Management Compatibility. +* Application Development > ASP.NET 4.5. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. + +Sign in the primary MFA server with _administrator_ equivalent credentials. +1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console +2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. +3. In the **Actions** pane, click **Bindings**. +4. In the **Site Bindings** dialog, Click **Add**. +5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. +6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. + +#### Configure the Web Service’s Security + +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. + +Sign in the domain controller with _domain administrator_ equivalent credentials. + +##### Create Phonefactor Admin group + +1. Open **Active Directory Users and Computers** +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. +3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. +4. Click **OK**. + +##### Add accounts to the Phonefactor Admins group + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +3. Click the **Members** tab. +4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
+ * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). +* Confirm the host has all the available updates from Windows Update. +* Confirm you bound the server authentication certificate to the IIS web site. +* Confirm you created the Phonefactor Admins group. +* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. + +### User Portal Server + +The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. + +The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. + +#### Enroll for Server Authentication + +Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. + +For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. + +Sign-in the User Portal server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). +10. Click **Add**. Click **OK** when finished. +11. Click **Enroll**. 
+ +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. + +#### Create WebServices SDK user account + +The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. +3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. +4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
+ +#### Add the MFA SDK user account to the Phonefactor Admins group + +Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. +3. Click the Members tab. +4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * The Webservices SDK user account + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. +* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Server Role was properly configured on all servers. +* Confirm all the hosts have the latest updates from Windows Update. +* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
+ +## Installing Primary Azure MFA Server + +When you install Azure Multi-Factor Authentication Server, you have the following options: +1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS +2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) + +See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. + +Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. + +>[!IMPORTANT] +>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. + +### Configuring Company Settings + +You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Start the **Multi-Factor Server** application +2. Click **Company Settings**. +3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. +4. In **User defaults**, select **Phone Call** or **Text Message** + **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. +5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. +6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. +7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. +8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. +9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +10. Configure the minimum length for the PIN. +11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. +12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. +13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. + +![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) + +### Configuring Email Settings and Content + +If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. + +Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. + +With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. + +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
+ +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. + +#### Settings + +By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. + +#### Content + +On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. + +##### Edit the Content Settings + +The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. Click **Email** from the list of icons and click the **Email Content** tab. +3. Select an email template from the list of templates. Click **Edit**. +4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. + ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) + +5. 
Optionally, customize other options in the email template. +6. When finished editing the template, Click **Apply**. +7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. +8. Click **Close** when you are done editing the email templates. + +### Configuring Directory Integration Settings and Synchronization + +Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. + +It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). + +#### MultiFactorAuthAdSync Service + +The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. + +The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. + +#### Settings + +Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Click the **Synchronization** tab. +4. Select **Use Active Directory**. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. + +#### Synchronization + +The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. + +You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. + +See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. + +##### To add a synchronization item + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Select the **Synchronization** tab. +4. On the **Synchronization** tab, click **Add**. + ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) + +5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. +6. Select the group you are using for replication from the list of groups +7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. +8. Select **Add new users and Update existing users**. +9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. +10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. +11. Select **Enabled** and select **Only New Users with Phone Number** from the list. +12. Select **Send email** and select **New and Updated Users**. + +##### Configure synchronization item defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. +2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). + +##### Configure synchronization language defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. +2. Select the appropriate default language for these groups of users synchronized by these synchronization item. +3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). + +### Installing the MFA Web Services SDK + +The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. + +Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
+ +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. + +## Install Secondary MFA Servers + +Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. + +Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. + +Sign in the secondary MFA server with _domain administrator_ equivalent credentials. +1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. + **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. +2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. +3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. +4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. +5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. +* Confirm the server has Internet connectivity. +* Confirm you installed and activated the Azure MFA Server. +* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). +* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. + * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. + +* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. +* Confirm you installed the Web Service SDK on the primary MFA server. +* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. + + +## Installing the User Portal Server + +You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. 
+ +### Copying the User Portal Installation file + +Sign in the primary MFA server with _local administrator_ equivalent credentials. +1. Open Windows Explorer. +2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. + +### Configure Virtual Directory name + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. +2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. +3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. +4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. +5. Click **Close**. + +### Edit MFA User Portal config file + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. + +### Create a DNS entry for the User Portal web site + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**. +6. Close the **DNS Management** console. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. + +### Configuring the User Portal + +The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. +User Portal Administrators may be set up and granted permission to add new users and update existing users. + +#### Settings + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. + ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) + +3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. +The Multi-Factor Authentication Server uses this information when sending emails to users. +4. Select Allow users to log in and Allow user enrollment check boxes. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +6. Select Allow users to select language. +7. Select Use security questions for fallback and select 4 from the Questions to answer list. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). + +#### Administrators + +The User Portal Settings tab allows the administrator to install and configure the User Portal. +1. 
Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. +3. On the Administrators tab, Click Add +4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. +5. Click Add. + +>[!TIP] +>For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. + +#### Security Questions + +[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. + +#### Trusted IPs + +The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. + +## Configure the AD FS Server to use the MFA for multifactor authentication + +You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
+ +### Install the MFA AD FS Adapter + +Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. + +### Edit the MFA AD FS Adapter config file on all ADFS Servers + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. + +### Edit the AD FS Adapter Windows PowerShell cmdlet + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. + +Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. + +### Run the AD FS Adapter PowerShell cmdlet + +Sign in the primary AD FS server with local administrator equivalent credentials. + +Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. + +>[!NOTE] +>You must restart the AD FS service for the registration to take effect. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. +* Confirm you restarted the AD FS Service after completing the configuration. + +## Test AD FS with the Multifactor Authentication connector + +Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete. + +1. In the **Multi-Factor Authentication** server, on the left, click **Users**. +2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. +3. Click **Test**. +4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. + +The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md new file mode 100644 index 0000000000..3716c6dbe3 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md 
@@ -0,0 +1,77 @@ +--- +title: Validate Active Directory prerequisites (Windows Hello for Business) +description: How to Validate Active Directory prerequisites for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate Active Directory prerequisites + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +## Discovering schema role + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i “schema”``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. + +## Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. 
+ +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +## Create the KeyCredential Admins Security Global Group + +The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +## Create the Windows Hello for Business Users Security Global Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. 
Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. Validate Active Directory prerequisites (*You are here*) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md new file mode 100644 index 0000000000..82e38e2728 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md 
@@ -0,0 +1,48 @@ +--- +title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) +description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate and Deploy Multifactor Authentication Services (MFA) + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. + +Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. +* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. +* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. +* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. +* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. + +## On-Premises Azure MFA Server + +On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. + +### Infrastructure + +A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. + +Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. + +>[!IMPORTANT] +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) beofre proceeding. Do not use instllation instructions provided in the article. + +Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md new file mode 100644 index 0000000000..f0faf69798 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md 
@@ -0,0 +1,196 @@ +--- +title: Validate Public Key Infrastructure (Windows Hello for Business) +description: How to Validate Public Key Infrastructure for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +--- +# Validate and Configure Public Key Infrastructure + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. Secondary certificates, such as VPN and SMIME (future feature) may also be deployed. + +## Deploy an enterprise certificate authority + +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. 
+ ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificateAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. + +### Configure Domain Controller Certificates + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. 
However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template. + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. 
+ +### Superseding the existing Domain Controller certificate + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. 
From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +### Configure an Internal Web Server Certificate template + +Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Internal Web Server** in **Template display name**. 
Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Request Handling** tab, select **Allow private key to be exported**. +7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. +8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. +9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +10. Close the console. + +### Unpublish Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Publish Certificate Templates to the Certificate Authority + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + +7. Close the console. + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the domain controller certificate template. 
However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** +3. 
In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. + +#### Use the Event Logs + +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. + +Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. + +Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. 
+ + +#### Certificate Manager + +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. + +#### Certutil.exe + +You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. + +To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. + +#### Troubleshooting + +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. + +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. + +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. Validate and Configure Public Key Infrastructure (*You are here*) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. 
[Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md index 8ef71c6d85..9aca74c76b 100644 --- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md @@ -25,7 +25,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will > >Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > ->Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business. +>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.   ## Group Policy settings for Windows Hello for Business 
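Review bot: step 2 of "Lab-based public key infrastructure" runs `Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools`, but the parameter is `-IncludeManagementTools`; as written the command fails to bind the parameter. Step 3's bare `Install-AdcsCertificateAuthority` never selects the CA type, while the page states Windows Hello for Business "depends on a Windows enterprise public key infrastructure"; pass `-CAType EnterpriseRootCA` explicitly so a lab reader does not end up with a standalone CA. In "Configure a Production Public Key Infrastructure", "If you do have an existing public key infrastructure" contradicts the preceding paragraph and should read "do not have". On the Internal Web Server template, steps 7 and 8 combine a "Supply in the request" subject with Enroll granted to Domain Computers, which lets any domain-joined computer request a server-authentication certificate for a name of its choosing; scope Enroll to a group containing only the AD FS farm servers, and say why step 6 enables "Allow private key to be exported" (so the certificate can be installed on every farm node) rather than leaving it unexplained. Finally, step 6 of "Publish Certificate Templates" repeats the whole "Unpublish Superseded Certificate Templates" section, and the footer of this hello-hybrid-cert-validate-pki.md page is titled "on premises certificate trust deployment guide" with links to hello-cert-trust-*.md; one of the two should change.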
@@ -292,71 +292,6 @@ The following table lists the MDM policy settings that you can configure for Win >[!NOTE]   > If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.   -## Prerequisites - -To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network. - -You’ll need this software to set Windows Hello for Business policies in your enterprise. - ------ - - - - - - - - - - - - - - - - - - - - - - -
Windows Hello for Business modeAzure ADActive Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)Azure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authenticationAzure AD subscription
    -
  • Active Directory Federation Service (AD FS) (Windows Server 2016)
  • -
  • A few Windows Server 2016 domain controllers on-site
  • -
    -
  • Azure AD subscription
  • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • -
  • A few Windows Server 2016 domain controllers on-site
  • -
  • A management solution, such as Configuration Manager, Group Policy, or MDM
  • -
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
  • -
Certificate-based authentication
    -
  • Azure AD subscription
  • -
  • Intune or non-Microsoft mobile device management (MDM) solution
  • -
  • PKI infrastructure
  • -
    -
  • ADFS (Windows Server 2016)
  • -
  • Active Directory Domain Services (AD DS) Windows Server 2016 schema
  • -
  • PKI infrastructure
  • -
    -
  • Azure AD subscription
  • -
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • -
  • AD CS with NDES
  • -
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business
  • -
-  -Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. - -Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. - ->[!IMPORTANT] ->Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available. - ## How to use Windows Hello for Business with Azure Active Directory From 0e114e208673a7ae74c28c3a6fb2007c6ccdda3f Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Wed, 16 Aug 2017 18:53:38 -0700 Subject: [PATCH 06/51] Main landing page for hybrid cert trust --- .../hello-deployment-hybrid-cert-trust.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md diff --git a/windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md new file mode 100644 index 0000000000..3c35dfff7f --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md 
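Review bot: removing the whole Prerequisites section from hello-manage-in-organization.md leaves no pointer to where the mode-by-mode requirements (Azure AD, on-premises AD, hybrid) now live, so the page jumps from the PIN complexity note straight into "How to use Windows Hello for Business with Azure Active Directory"; add a one-line reference to the new deployment guide pages in place of the deleted table. The removed IMPORTANT note ("Active Directory on-premises deployment is not currently available") is also the only statement of that limitation in this file, so make sure the replacement pages carry the current support status.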
@@ -0,0 +1,40 @@ +--- +title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment +description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +localizationpriority: high +ms.author: daniha +ms.date: 07/07/2017 +--- +# On Premises Certificate Trust Deployment + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. + +Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) + + + + + + + + + + + + From 6e5231aaf54a211763ab002c133d36b974dca661 Mon Sep 17 00:00:00 2001 
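Review bot: the title, description and H1 of hello-deployment-hybrid-cert-trust.md all say "On Premises Certificate Trust Deployment", and all five steps link to hello-cert-trust-*.md, so this is a copy of the on-premises landing page rather than the hybrid one the commit subject describes ("Main landing page for hybrid cert trust"); rename the title, description and heading to hybrid and point the steps at the hello-hybrid-cert-*.md pages. Also fix "infromation" in the intro sentence and drop the run of empty `+` lines at the end of the file.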
From: Mike Stephens Date: Sun, 20 Aug 2017 14:38:21 -0700 Subject: [PATCH 07/51] Hybrid cert trust content. Removed unused content Removed key-trust pages --- .../hello-deployment-key-trust.md | 39 -- .../hello-hybrid-cert-new-install.md | 284 +++++++++ .../hello-hybrid-cert-policy-settings.md | 154 ----- .../hello-hybrid-cert-trust-adfs.md | 512 --------------- .../hello-hybrid-cert-trust-deploy-mfa.md | 542 ---------------- .../hello-hybrid-cert-trust-overview.md | 45 ++ .../hello-hybrid-cert-trust-prereqs.md | 117 ++++ .../hello-hybrid-cert-validate-ad-prereq.md | 77 --- .../hello-hybrid-cert-validate-deploy-mfa.md | 48 -- .../hello-hybrid-cert-validate-pki.md | 196 ------ .../hello-hybrid-cert-whfb-settings.md | 587 ++++++++++++++++++ .../hello-key-trust-adfs.md | 512 --------------- .../hello-key-trust-deploy-mfa.md | 542 ---------------- .../hello-key-trust-policy-settings.md | 154 ----- .../hello-key-trust-validate-ad-prereq.md | 77 --- .../hello-key-trust-validate-deploy-mfa.md | 48 -- .../hello-key-trust-validate-pki.md | 196 ------ 17 files changed, 1033 insertions(+), 3097 deletions(-) delete mode 100644 windows/access-protection/hello-for-business/hello-deployment-key-trust.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md delete mode 100644 
windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-adfs.md delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md deleted file mode 100644 index e900f105a0..0000000000 --- a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: Windows Hello for Business Deployment Guide - On Premises Key Trust Deployment -description: A guide to an On Premises, Key trust Windows Hello for Business deployment -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# On Premises Key Trust Deployment - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. - -Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - - - - - - - - - - - - diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md new file mode 100644 index 0000000000..e256365845 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
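Review bot: deleting hello-deployment-key-trust.md together with the six hello-key-trust-*.md pages listed in the stat, with no TOC or index file among the 17 changed files, will leave dangling links wherever the key trust guide was referenced; update the table of contents in this commit or state in the commit message where the key trust guidance now lives, since "Removed key-trust pages" gives no reason for the removal.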
@@ -0,0 +1,284 @@ +--- +title: Windows Hello for Business Trust New Installation (Windows Hello for Business) +description: Windows Hello for Business Hybrid baseline deployment +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Windows Hello for Business Certificate Trust New Installation + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies + +### Prerequisites ### +- [ ] Active Directory +- [ ] Public Key Infrastructure +- [ ] Azure Active Directory +- [ ] Directory Synchronization +- [ ] Active Directory Federation Services + - [ ] Federation Services + - [ ] Federation Proxy Servers + - [ ] Multiple top-level domains + - [ ] Azure Device Registration + - [ ] Device Writeback +- [ ] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +New installations are considerably more involved than existing implementations because you are building the entire infrastructure new. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings. 
+ + +The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. + +## Active Directory ## +Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization. + +Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal. + +### Section Review ### +- [x] Active Directory +- [ ] Public Key Infrastructure +- [ ] Azure Active Directory +- [ ] Directory Synchronization +- [ ] Active Directory Federation Services + - [ ] Federation Services + - [ ] Federation Proxy Servers + - [ ] Multiple top-level domains + - [ ] Azure Device Registration + - [ ] Device Writeback +- [ ] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Public Key Infrastructure + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. + +This guide assumes most enterprise have an existing public key infrastructure. 
Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. + ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificateAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. 
+ +### Section Review ### +- [x] Active Directory +- [x] Public Key Infrastructure +- [ ] Azure Active Directory +- [ ] Directory Synchronization +- [ ] Active Directory Federation Services + - [ ] Federation Services + - [ ] Federation Proxy Servers + - [ ] Multiple top-level domains + - [ ] Azure Device Registration + - [ ] Device Writeback +- [ ] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Azure Active Directory ## +You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. + +The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [ ] Directory Synchronization +- [ ] Active Directory Federation Services + - [ ] Federation Services + - [ ] Federation Proxy Servers + - [ ] Multiple top-level domains + - [ ] Azure Device Registration + - [ ] Device Writeback +- [ ] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +### Directory Synchronization ### +At this point, you should have your Active Directory installed and configured with user and computer accounts. You should also have an enterprise certificate authority, and you should have provisioned your Azure tenant. + +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. 
To do this, you’ll download, install, and configure Azure Active Directory Connect. + +Review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) topic to understand why you’re using Azure Active Directory Connect and how it works. Next, review the [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). When you are done with your review, follow the [Express Installation](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express) to configure directory synchronization. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [ ] Active Directory Federation Services + - [ ] Federation Services + - [ ] Federation Proxy Servers + - [ ] Multiple top-level domains + - [ ] Azure Device Registration + - [ ] Device Writeback +- [ ] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Active Directory Federation Services ## +Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. + +### Federation Services ### +Non-production environments can evaluate Windows Hello for Business using a single AD FS server and AD FS Web Proxy. Production deployment should follow the recommended planning and deployment guidelines. 
+ +If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. +Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. + +Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. +> [!IMPORTANT] +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures as these configurations are not needed. + +### ADFS Web Proxy ### +Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. +Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. + +#### Multiple Domains #### +Federating multiple, top-level domains with Azure AD requires some additional configuration that is not required when federating with one top-level domain. + +For example, federating the top-level contoso.com domain requires no additional configuration. 
However, if Contoso Corporation acquires Fabrikam Corporation and wants to federate under Contoso.com, then additional configurations are needed because these are two top-level domains for contoso.com. + +To configure your environment for multiple domains, follow the [Multiple Domain Support for Federating with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple-domains) procedures. + +#### Device Registration #### +With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your resources from devices that meet your standards for security and compliance. For more details, see Introduction to device management in Azure Active Directory. + +Use the [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) procedures to configure your environment to support device registration. + +#### Device writeback #### +As previously mentioned, Windows Hello for Busines hybrid certificate- trust deployments that include domain joined computers use the device writeback feature to authenticate the device to the on-premises federation server. + +Use the [Enabling device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-feature-device-writeback) section to configure device writeback functionality in your environment. 
+ +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [ ] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Multifactor Authentication Services ## +Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA + +Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. + +### Azure Multi-Factor Authentication (MFA) Cloud ### +> [!IMPORTANT] +As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> * Azure Multi-Factor Authentication +> * Azure Active Directory Premium +> * Enterprise Mobility + Security +> +> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. 
+ +#### Azure MFA Adapter #### +If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. +#### Configure Azure MFA Settings #### +Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. + +#### Azure MFA User States #### +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. + +### Azure MFA via ADFS 2016 ### +Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. 
To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [ ] Windows Hello for Business + - [ ]Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +### Next Steps ### +Follow the Windows Hello for Business hybrid certificate trust deployment guide. With your baseline configuration complete, your next step is to **Configure Windows Hello for Business** if your envirionment. +

+ +
+ +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust-overview) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. New Installation Baseline (*You are here*) +4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +5. Sign-in and Provision \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md deleted file mode 100644 index 0e85b5a485..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-policy-settings.md +++ /dev/null 
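Review bot: the lab PKI steps in the new hello-hybrid-cert-new-install.md do not run as written: `Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools` uses a switch that does not exist (the parameter is `-IncludeManagementTools`, and `Install-WindowsFeature` is the current cmdlet name), and the bare `Install-AdcsCertificateAuthority` leaves the CA type to the cmdlet's default, whereas every Windows Hello for Business trust model needs an enterprise CA so that domain controllers and clients can auto-enroll. Suggest `Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools` followed by `Install-AdcsCertificateAuthority -CAType EnterpriseRootCA`, and keep the note that a production CA must never share a box with a domain controller. The sentence "If you do have an existing public key infrastructure, please review Certification Authority Guidance ... to properly design your infrastructure" should read "do not have", otherwise it contradicts the lab section above it; and in the PKI paragraph, the domain controller certificate is what lets a client authenticate the DC it talks to, while the actual root of trust is the issuing CA certificate the clients already hold, so "serves as a root of trust" is slightly off. Rendering issues: the `> [!IMPORTANT]` callout in "Azure Multi-Factor Authentication (MFA) Cloud" has an unquoted first line, so the alert breaks into a one-line callout plus a loose paragraph; the "Section Review" list after the AD FS section has lost the nesting on "- [x] Federation Services"; every "- [ ]Active Directory" item is missing the space after the checkbox; the front-matter title drops "Certificate" ("Windows Hello for Business Trust New Installation") while the H1 has it; the closing list links `[Overview](hello-hybrid-cert-trust-overview)` without the .md extension under a heading that says "on premises certificate trust deployment guide" on a hybrid page; and the file lacks a trailing newline. Wording: "technolgies", "exsting envrionment", "If you're environment", "you need to synchronizes", "to prior to designing", "Busines", "certificate- trust", "envirionment", "Prerequistes", the "ADFS Web Proxy" heading (elsewhere "AD FS"), and "As previously mentioned" in the device writeback section, which refers to nothing earlier on this page.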
@@ -1,154 +0,0 @@ ---- -title: Configure Windows Hello for Business Policy settings (Windows Hello for Business) -description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Configure Windows Hello for Business Policy settings - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. - -Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
- -On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: -* Enable Windows Hello for Business -* Use certificate for on-premises authentication -* Enable automatic enrollment of certificates - -## Enable Windows Hello for Business Group Policy - -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -## Use certificate for on-premises authentication - -The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. - -You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. - -## Enable automatic enrollment of certificates - -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. - -The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. - -## Create the Windows Hello for Business Group Policy object - -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Enable Windows Hello for Business* in the name box and click **OK**. -5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. -7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. - -## Configure Automatic Certificate Enrollment - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. -5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -7. Select **Enabled** from the **Configuration Model** list. -8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -9. Select the **Update certificates that use certificate templates** check box. -10. Click **OK**. Close the **Group Policy Management Editor**. - -## Configure Security in the Windows Hello for Business Group Policy object - -The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Double-click the **Enable Windows Hello for Business** Group Policy object. -4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. -5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. -6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. - -## Deploy the Windows Hello for Business Group Policy object - -The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. - -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. - -## Other Related Group Policy settings - -### Windows Hello for Business - -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. - -### Use a hardware security device - -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. - -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. - -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. - -### Use biometrics - -Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. - -The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. - -### PIN Complexity - -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. - -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: -* Require digits -* Require lowercase letters -* Maximum PIN length -* Minimum PIN length -* Expiration -* History -* Require special characters -* Require uppercase letters - -In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) -* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. -* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) -* Confirm you configured the proper security settings for the Group Policy object - * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) - * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy - -* Linked the Group Policy object to the correct locations within Active Directory -* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users - - -## Add users to the Windows Hello for Business Users group - -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md deleted file mode 100644 index b419b20f58..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-adfs.md +++ /dev/null 
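Review bot: removing hello-hybrid-cert-policy-settings.md is justified by its own contents, which describe the on-premises deployment ("On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings") and whose footer links all point at hello-cert-trust-*.md rather than any hybrid page; please confirm the on-premises copy of this text survives elsewhere and that hello-hybrid-cert-whfb-settings.md, which the new install page links to, carries the hybrid equivalent. Whichever page inherits this text should fix an inconsistency in it: the "Configure Security" procedure clears the Apply Group Policy permission for **Authenticated Users** (leaving Read in place, which is the right pattern so that computer accounts can still read the GPO), but the "Review" checklist says the permission was removed for **Domain Users**; the two need to name the same principal. Also worth cleaning up there: "you can create copy the .ADMX and .ADML files", "Widows 10 Creators Editions", and the garbled item "Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users".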
@@ -1,512 +0,0 @@ ---- -title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) -description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. - -The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. - -If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
- -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. - -Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. - -A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. - -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. - -## Update Windows Server 2016 - -Sign-in the federation server with _local admin_ equivalent credentials. -1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. 
Ensure the latest server updates to the federation server includes those referenced in following article https://aka.ms/whfbadfs1703. - ->[!IMPORTANT] ->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. - -## Enroll for a TLS Server Authentication Certificate - -Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. - -The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: -* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) - -You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. - -You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. - -It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### Internal Server Authentication Certificate Enrollment - -Sign-in the federation server with domain admin equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -## Deploy the Active Directory Federation Service Role - -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. -* Device registration -* Key registration -* Certificate registration authority (certificate trust deployments) - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** on the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. -7. Click **Next** on the **Select features** page. -8. Click **Next** on the **Active Directory Federation Service** page. -9. Click **Install** to start the role installation. 
- -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the AD FS farm uses the correct database configuration. -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service - -## Device Registration Service Account Prerequisite - -The service account used for the device registration server depends on the domain controllers in the environment. - ->[!NOTE] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -### Windows Server 2012 or later Domain Controllers - -Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. - -GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
- -#### Create KDS Root Key - -Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. -1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. - -#### Create an AD FS Service Account - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Right-click the **Users** container, Click **New**. Click **User**. -3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. -5. Click **Next** and then click **Finish**. - -## Configure the Active Directory Federation Service Role - ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -### Windows Server 2012 or later Domain Controllers - -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. - -Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) - -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. - -Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) - -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. - * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. - - -### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group - -The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add…** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add…** -9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -10. Click **OK** to return to **Active Directory Users and Computers**. -11. Change to server hosting the AD FS role and restart it. - -### Configure Permissions for Key Registration - -Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. - -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Right-click your domain name from the navigation pane and click **Properties**. -3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). -4. Click **Advanced**. Click **Add**. Click **Select a principal**. -5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. -6. In the **Applies to** list box, select **Descendant User objects**. -7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. -9. Click **OK** three times to complete the task. - -## Configure the Device Registration Service - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Open the **AD FS management** console. -2. In the navigation pane, expand **Service**. Click **Device Registration**. -3. In the details pane, click **Configure Device Registration**. -4. In the **Configure Device Registration** dialog, click **OK**. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment - * Windows Server 2012 or Windows Server 2012 R2 - * Windows Server 2008 or Windows Server 2008 R2 -* Confirm you have the correct service account based on your domain controller version. -* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
-* Confirm you used a certificate with the correct names as the server authentication certificate - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) -* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. -* Confirm you enabled the Device Registration service. - -## Prepare and Deploy AD FS Registration Authority - -A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. - -### Configure Registration Authority template - -The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
- -The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. - ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -#### Windows 2012 or later domain controllers - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority Management** console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. - -#### Windows 2008 or 2008R2 domain controllers - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Close the console. - -### Configure the Windows Hello for Business Authentication Certificate template - -During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. - -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. -14. Click on the **Apply** to save changes and close the console. - -#### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. -1. Open an elevated command prompt. -2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. - -### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. 
Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. Publish the **WHFB Authentication** certificate template using step 5. -7. Close the console. - -### Configure the Registration Authority - -Sign-in the AD FS server with Domain Admin equivalent credentials. - -1. Open a **Windows PowerShell** prompt. -2. Type the following command - - ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication - ``` - - -The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: ->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. - -This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
- ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - -### Enrollment Agent Certificate Enrollment - -Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. - -Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. - -## Additional Federation Servers - -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server Authentication Certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. - -### Install Additional Servers - -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. - -## Load Balance AD FS Federation Servers - -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. - -### Install Network Load Balancing Feature on AD FS Servers - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** On the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. 
On the **Select server roles** page, click **Next**. -7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) - -### Configure Network Load Balancing for AD FS - -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. - -Sign-in a node of the federation farm with _Admin_ equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) -2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) -4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) -5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) -7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. - ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) -8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) - -### Additional AD FS Servers - -1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) - -## Configure DNS for Device Registration - -Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console - -## Configure the Intranet Zone to include the federation service - -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. - -### Create an Intranet Zone Group Policy - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type **Intranet Zone Settings** in the name box and click **OK**. -5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. -8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. -9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. - -### Deploy the Intranet Zone Group Policy object - -1. 
Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. -* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. -* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. -* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: - * Issuance requirements of an authorized signature from a certificate request agent. - * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe - * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions -* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. -* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. -* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. -* Confirm you restarted the AD FS service. -* Confirm you properly configured load-balancing (hardware or software). 
-* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. - -## Validating your work - -You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. - -### Event Logs - -Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show - -* The account name under which the certificate was enrolled. -* The action, which should read enroll. -* The thumbprint of the certificate -* The certificate template used to issue the certificate. - -### Normal Service Account - -When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. - -### Group Managed Service Account - -You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. - -Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
- -Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. - -For detailed information about the certificate, use `Certutil -q -v ` . - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - - - - - - - - - diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md deleted file mode 100644 index 8ec43f5e54..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-deploy-mfa.md +++ /dev/null 
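Review bot: the file removed in this hunk is the only place in the diff that carries the AD FS registration authority setup (`Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication`) together with its verification steps (AD FS event ID 443, CertificateLifecycle-User event ID 1006, the gMSA profile certificate path), so if this text is being relocated rather than dropped, fix what it still needs before it lands again: the profile path `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` has lost the service account name between the double backslashes, and both `Certutil -q ` and `Certutil -q -v ` have lost the certificate file argument (most likely angle-bracket placeholders eaten by the Markdown renderer). The closing "Follow the Windows Hello for Business on premises certificate trust deployment guide" list also links to the hello-cert-trust-*.md pages, which should be checked against whichever guide the relocated content belongs to. Since the whole file is deleted, also confirm that the TOC and the newly added key trust pages do not still link to it.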
@@ -1,542 +0,0 @@ ---- -title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) -description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Configure or Deploy Multifactor Authentication Services - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. - ->[!TIP] ->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. - -## Prerequisites - -The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. - -### Primary MFA Server - -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. - -For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. - -The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
- -#### Enroll for Server Authentication - -The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. - -Sign-in the primary MFA server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. - -To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. - -The following services are required: -* Common Parameters > Default Document. 
-* Common Parameters > Directory Browsing. -* Common Parameters > HTTP Errors. -* Common Parameters > Static Content. -* Health and Diagnostics > HTTP Logging. -* Performance > Static Content Compression. -* Security > Request Filtering. -* Security > Basic Authentication. -* Management Tools > IIS Management Console. -* Management Tools > IIS 6 Management Compatibility. -* Application Development > ASP.NET 4.5. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. - -Sign in the primary MFA server with _administrator_ equivalent credentials. -1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console -2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. -3. In the **Actions** pane, click **Bindings**. -4. In the **Site Bindings** dialog, Click **Add**. -5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. -6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. - -#### Configure the Web Service’s Security - -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. - -Sign in the domain controller with _domain administrator_ equivalent credentials. - -##### Create Phonefactor Admin group - -1. Open **Active Directory Users and Computers** -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. -3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. -4. Click **OK**. - -##### Add accounts to the Phonefactor Admins group - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. -3. Click the **Members** tab. -4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). -* Confirm the host has all the available updates from Windows Update. -* Confirm you bound the server authentication certificate to the IIS web site. -* Confirm you created the Phonefactor Admins group. -* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. - -### User Portal Server - -The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. - -The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. - -#### Enroll for Server Authentication - -Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. - -For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. - -Sign-in the User Portal server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). -10. Click **Add**. Click **OK** when finished. -11. Click **Enroll**. 
- -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. - -#### Create WebServices SDK user account - -The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. -3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. -4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
- -#### Add the MFA SDK user account to the Phonefactor Admins group - -Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. -3. Click the Members tab. -4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * The Webservices SDK user account - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. -* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Server Role was properly configured on all servers. -* Confirm all the hosts have the latest updates from Windows Update. -* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
- -## Installing Primary Azure MFA Server - -When you install Azure Multi-Factor Authentication Server, you have the following options: -1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS -2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) - -See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. - -Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. - ->[!IMPORTANT] ->Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. - -### Configuring Company Settings - -You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Start the **Multi-Factor Server** application -2. Click **Company Settings**. -3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. -4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. -5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. -6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. -7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. -8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. -10. Configure the minimum length for the PIN. -11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. -12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. -13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. - -![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) - -### Configuring Email Settings and Content - -If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. - -Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. - -With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. - -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
- -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. - -#### Settings - -By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. - -#### Content - -On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. - -##### Edit the Content Settings - -The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. Click **Email** from the list of icons and click the **Email Content** tab. -3. Select an email template from the list of templates. Click **Edit**. -4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. - ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) - -5. 
Optionally, customize other options in the email template. -6. When finished editing the template, Click **Apply**. -7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. -8. Click **Close** when you are done editing the email templates. - -### Configuring Directory Integration Settings and Synchronization - -Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. - -It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). - -#### MultiFactorAuthAdSync Service - -The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. - -The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. - -#### Settings - -Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Click the **Synchronization** tab. -4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. - -#### Synchronization - -The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. - -You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. - -See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. - -##### To add a synchronization item - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Select the **Synchronization** tab. -4. On the **Synchronization** tab, click **Add**. - ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) - -5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. -6. Select the group you are using for replication from the list of groups -7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. -8. Select **Add new users and Update existing users**. -9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. -10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. -11. Select **Enabled** and select **Only New Users with Phone Number** from the list. -12. Select **Send email** and select **New and Updated Users**. - -##### Configure synchronization item defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. -2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). - -##### Configure synchronization language defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. -2. Select the appropriate default language for these groups of users synchronized by these synchronization item. -3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). - -### Installing the MFA Web Services SDK - -The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. - -Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
- -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. - -## Install Secondary MFA Servers - -Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. - -Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. - -Sign in the secondary MFA server with _domain administrator_ equivalent credentials. -1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. - **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. -2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. -3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. -4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. -5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. -* Confirm the server has Internet connectivity. -* Confirm you installed and activated the Azure MFA Server. -* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). -* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. - * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. - -* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. -* Confirm you installed the Web Service SDK on the primary MFA server. -* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. - - -## Installing the User Portal Server - -You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. 
- -### Copying the User Portal Installation file - -Sign in the primary MFA server with _local administrator_ equivalent credentials. -1. Open Windows Explorer. -2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. -3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. - -### Configure Virtual Directory name - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. -2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. -3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. -4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. -5. Click **Close**. - -### Edit MFA User Portal config file - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. -2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. - -### Create a DNS entry for the User Portal web site - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**. -6. Close the **DNS Management** console. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. - -### Configuring the User Portal - -The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. -User Portal Administrators may be set up and granted permission to add new users and update existing users. - -#### Settings - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. - ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) - -3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. -The Multi-Factor Authentication Server uses this information when sending emails to users. -4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. -6. Select Allow users to select language. -7. Select Use security questions for fallback and select 4 from the Questions to answer list. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). - -#### Administrators - -The User Portal Settings tab allows the administrator to install and configure the User Portal. -1. 
Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. -3. On the Administrators tab, Click Add -4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. -5. Click Add. - ->[!TIP] ->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. - -#### Security Questions - -[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. - -#### Trusted IPs - -The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. - -## Configure the AD FS Server to use the MFA for multifactor authentication - -You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
- -### Install the MFA AD FS Adapter - -Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. - -### Edit the MFA AD FS Adapter config file on all ADFS Servers - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. - -### Edit the AD FS Adapter Windows PowerShell cmdlet - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. - -Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. - -### Run the AD FS Adapter PowerShell cmdlet - -Sign in the primary AD FS server with local administrator equivalent credentials. - -Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. - ->[!NOTE] ->You must restart the AD FS service for the registration to take effect. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. -* Confirm you restarted the AD FS Service after completing the configuration. - -## Test AD FS with the Multifactor Authentication connector - -Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete. - -1. In the **Multi-Factor Authentication** server, on the left, click **Users**. -2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. -3. Click **Test**. -4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. - -The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md new file mode 100644 index 0000000000..81dda04227 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md 
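Review bot: the closing "Follow the Windows Hello for Business on premises certificate trust deployment guide" list at the end of hello-key-trust-deploy-mfa.md links to the hello-cert-trust-*.md pages; on a key trust page the heading should say key trust and the five links should point at the matching hello-key-trust-*.md pages. The Review checklists also drift from the steps they check: the steps set WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD and pfup_pfwssdk_PfWsSdk, but both checklists say WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD and the "Validating your work" paragraph says pf_up_pfwssdk_PfWsSdk; the AD FS Review repeats the User Portal items ("Confirm the user portal application is properly installed on all user portal hosts", "Confirm you saved the changes to the web.config file") although that section edits MultiFactorAuthenticationAdfsAdapter.config, its heading says "on all ADFS Servers" while the sign-in line says "primary AD FS server", and its step 1 reuses the User Portal path C:\inetpub\wwwroot\MultiFactorAuth together with the "virtual directory name" wording, which looks copied from the portal section rather than being the adapter's own location. In "Edit the AD FS Adapter Windows PowerShell cmdlet" the token after `-ConfigurationFilePath ` and in "where **** is the full path" has been lost (most likely an angle-bracket placeholder swallowed by markdown); escape it so readers see what to substitute. Because both files now carry the Web Service SDK account password in cleartext next to USE_WEB_SERVICE_SDK=true, add a sentence telling readers to restrict the NTFS ACL on web.config and MultiFactorAuthenticationAdfsAdapter.config to administrators and the application pool identity (or encrypt that section with aspnet_regiis) and to keep that account limited to the PhoneFactor Admins membership the page describes. Finally, the group name is spelled four ways (Phonefactor Admins, Phonefactors Admin, PhoneFactor Admin, PhoneFactor Admins), step 4 of "Add the MFA SDK user account" ends in an orphaned three-item bullet list with no introduction, "Repeat steps 4 and 6" should be "4 through 6", and there are typos: intstalled, intall, Progam Files, "is only need", "make suggest any".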
@@ -0,0 +1,45 @@ +--- +title: Hybrid Certificate Trust Deployment (Windows Hello for Business) +description: Hybrid Certificate Trust Deployment Overview +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Hybrid Certificate Trust Deployment + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + + +Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. + +It is recommended that review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). + +This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. + +## New Deployment Baseline ## +The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations how are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves by deploying a lab environment. 
+ +This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. + +## Federated Baseline ## +The federated baseline helps organizations who have completed their federation with Azure Active Directory and Office 365 introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed add Windows Hello for Business to an existing hybrid deployment. + +Regardless of the baseline you choose, you’re next step is to familiarize yourself with the Prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +

+ +
+ +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. Overview (*You are here*) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +5. Sign-in and Provision \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md new file mode 100644 index 0000000000..30cb2f7ade --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -0,0 +1,117 @@ +--- +title: Validate Public Key Infrastructure (Windows Hello for Business) +description: How to Validate Public Key Infrastructure for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Hybrid Certificate Trust Prerequisites + +**Applies to** +- Windows 10 + + +> This guide only applies to Windows 10, version 1703 or higher. + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. + +The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. Specific pieces of the infrastructure include: +* [Directories](#directories) +* [Public Key Infrastucture](#public-key-infastructure) +* [Directory Synchronization](#directory-synchronization) +* [Federation](#federation) +* [MultiFactor Authetication](#multifactor-authentication) +* [Device Registration](#device-registration) + +## Directories ## +Hybrid Windows Hello for Business needs two directories—and on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. + +A hybrid Windows Hello for Busines deployment needs Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. 
Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription. + +Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. However, it does requires the Windows Server 2016 Active Directory schema. + +Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. + +### Section Review ### +- [ ] Active Directory Domain Functional Level +- [ ] Active Directory Forest Functional Level +- [ ] Domain Controller version +- [ ] Windows Server 2016 Schema +- [ ] Azure Active Directory subscription +- [ ] Correct subscription for desired features and outcomes + +
+ +## Public Key Infrastructure ## +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. + +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. + +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. + +### Section Review +- [ ] Windows Server 2012 Issuing Certificate Authority +- [ ] Windows Server 2016 Active Directory Federation Services + +
+ +## Directory Synchronization ## +The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. + +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect + +### Section Review +- [ ] Azure Active Directory Connect directory synchronization +- [ ] [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) +- [ ] [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) + +
+ +## Federation ## +Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. + +### Section Review ### +- [ ] Windows Server 2016 Active Directory Federation Services + +
+ +## Multifactor Authentication ## +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor and a second factor of authentication. + +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. + +### Section Review +- [ ] Azure MFA Service +- [ ] Windows Server 2016 AD FS and Azure +- [ ] Windows Server 2016 AD FS and third party MFA Adapter + +
+ +## Device Registration ## +Hybrid organizations register their devices with their cloud. This is analogous with joining an on-premises computer to the Active Directory domain. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. Some configurations require this device registration to be synchronized back to the on-premises Active Directory. + +Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. + +### Review Checklist ### +- [ ] Azure Active Directory Device writeback +- [ ] Azure Active Directory Premium subscription + +
+ +### Next Steps ### +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the New Installation Basline. Choose Configure Windows Hello for Business if your envirionment is already federated with Azure and/or Office 365 +

+ +
+ +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust-overview) +2. Prerequistes (*You are here*) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +5. Sign-in and Provision \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md deleted file mode 100644 index 3716c6dbe3..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-ad-prereq.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -title: Validate Active Directory prerequisites (Windows Hello for Business) -description: How to Validate Active Directory prerequisites for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate Active Directory prerequisites - -**Applies to** -- Windows 10 - -> This guide only applies to Windows 10, version 1703 or higher. - -The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. - -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. - -## Discovering schema role - -To locate the schema master role holder, open and command prompt and type: - -```Netdom query fsmo | findstr -i “schema”``` - -![Netdom example output](images\hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -## Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. 
- -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. - -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. - -## Create the KeyCredential Admins Security Global Group - -The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. - -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advance Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **KeyCredential Admins** in the **Group Name** text box. -6. Click **OK**. - -## Create the Windows Hello for Business Users Security Global Group - -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. - -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advanced Features**. -3. Expand the domain node from the navigation pane. -4. 
Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **Windows Hello for Business Users** in the **Group Name** text box. -6. Click **OK**. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. Validate Active Directory prerequisites (*You are here*) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md deleted file mode 100644 index 82e38e2728..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-deploy-mfa.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) -description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate and Deploy Multifactor Authentication Services (MFA) - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. - -Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. -* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. -* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. -* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. - -## On-Premises Azure MFA Server - -On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. - -### Infrastructure - -A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. - -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. - ->[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) beofre proceeding. Do not use instllation instructions provided in the article. - -Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md deleted file mode 100644 index f0faf69798..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-validate-pki.md +++ /dev/null 
@@ -1,196 +0,0 @@ ---- -title: Validate Public Key Infrastructure (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate and Configure Public Key Infrastructure - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. Secondary certificates, such as VPN and SMIME (future feature) may also be deployed. - -## Deploy an enterprise certificate authority - -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. - -### Lab-based public key infrastructure - -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. - -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. - ->[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. 
- ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools - ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. - ```PowerShell - Install-AdcsCertificateAuthority - ``` - -## Configure a Production Public Key Infrastructure - -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. - -### Configure Domain Controller Certificates - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. 
However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template. - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. 
- -### Superseding the existing Domain Controller certificate - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. -7. 
From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -### Configure an Internal Web Server Certificate template - -Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Internal Web Server** in **Template display name**. 
Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Request Handling** tab, select **Allow private key to be exported**. -7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -10. Close the console. - -### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Publish Certificate Templates to the Certificate Authority - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. - -7. Close the console. - -### Configure Domain Controllers for Automatic Certificate Enrollment - -Domain controllers automatically request a certificate from the domain controller certificate template. 
However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. - -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -11. Select the **Update certificates that use certificate templates** check box. -12. Click **OK**. Close the **Group Policy Management Editor**. - -### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** -3. 
In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. - -#### Use the Event Logs - -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. - -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. - -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. 
- - -#### Certificate Manager - -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. - -#### Certutil.exe - -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. - -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. - -#### Troubleshooting - -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. 
[Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md new file mode 100644 index 0000000000..b695fc4489 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -0,0 +1,587 @@ +--- +title: Configure Windows Hello for Business Settings +description: Configure Windows Hello for Business Settings +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Configure Windows Hello for Business + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +## Active Directory ## +The key registration process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. + +### Upgrading Active Directory to the Windows Server 2016 Schema + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +#### Discovering schema role + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i “schema”``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. + +#### Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). 
During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. + +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +### Creating Security Groups + +Windows Hello for Business uses several security groups to simplify the deployment and managment. + +If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCrednetials Admins Security Group**. + +#### Create the KeyCredential Admins Security Group + +Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +#### Create the Windows Hello for Business Users Security Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. 
You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [ ] Active Directory + - [ ] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] AD FS RA + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Directory Syncrhonization + +In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Configure Permissions for Key Synchronization**. 
+ +### Configure Permissions for Key Syncrhonization + +Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [ ] Public Key Infrastructure + - [ ] AD FS RA + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Public Key Infrastructure + +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. + +All deployments use enterprise issed certificates for domain controllers as a root of trust. 
Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. + +### Certifcate Templates + +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. + +#### Domain Controller certificate template + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. 
+ +##### Create a Domain Controller Authentication (Kerberos) Certificate Template + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. + +##### Superseding the existing Domain Controller certificate + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. 
Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). + +The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +###### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. 
Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +#### Enrollment Agent certificate template + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. + +Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +> [!IMPORTANT] +> Follow the procedures below based on the AD FS service account used in your environment. + +#### Creating an Enrollment Agent certificate for Group Managed Service Accounts + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. 
+ +#### Creating an Enrollment Agent certificate for typical Service Acconts + +Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +#### Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +##### Creating Windows Hello for Business authentication certiicate template + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. 
On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. 
+ +##### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +Publish Templates + +### Publishing Certificate Templates + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +#### Publish Certificate Templates to a Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. +5. 
In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. Publish the **WHFB Enrollment Agent**, **WHFB Authentication** certificate template using step 5. +7. Close the console. + + +### Unpublishing Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +#### Unpublish Superseded Certificate Templates + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. 
+ +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [x] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + + +## Federation Services + +The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. + +### Configure the Registration Authority + +Sign-in the AD FS server with *Domain Admin* equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. 
Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. + +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + + +### Group Memberships for the AD FS Service Account + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. 
Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add…** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [x] Public Key Infrastructure + - [x] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + +## Policy Configuration + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. 
See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. + +Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. + +Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. + +To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. 
+5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Windows Hello for Business Group Policy + +The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory + +#### Enable Windows Hello for Business + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. 
+ +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +#### Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. 
+ +#### Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +#### Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Automatic Certificate Enrollment + +1. 
Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. 
+ +#### Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +### Other Related Group Policy settings + +#### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +##### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. 
When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +##### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. 
Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +#### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. 
+ +### Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [x] Public Key Infrastructure + - [x] Federation Services + - [x] Group Policy +- [ ] Sign-in and Provision + +## Next Steps ### +\ + +

+ +
+ +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust-overview) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Windows Hello for Business settings (*You are here*) +5. Sign-in and Provision \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md b/windows/access-protection/hello-for-business/hello-key-trust-adfs.md deleted file mode 100644 index b419b20f58..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md +++ /dev/null 
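Review bot: Step 9 of "Create the Windows Hello for Business Group Policy object" enables **Use certificate for on-premises authentication**, but the description of that setting earlier in the same hunk says enabling it selects the certificate trust model and that leaving it unconfigured is what makes Windows use key trust; for a key trust guide that step should be removed, and the "Enable automatic enrollment of certificates" and "Configure Automatic Certificate Enrollment" sections, which exist only to renew the Windows Hello for Business authentication certificate, should be re-examined, otherwise clients provision for certificate trust and the AD FS registration authority, enrollment agent template and authentication template become mandatory. The deployment model is also mixed up elsewhere and should be aligned with the title: "Domain joined clients of hybrid certificate-based deployments ... needs three Group Policy settings", the Section Review checklists tick Azure Active Directory, Directory Synchronization, Federation Proxy Servers, Azure Device Registration and Device Writeback, and "Next Steps" says "Follow the Windows Hello for Business on premises certificate trust deployment guide" while linking hello-hybrid-cert-* pages (`hello-hybrid-cert-trust-overview` is also missing its `.md` extension). Smaller fixes: "the T**his number of authorized signatures**" (bold starts one character late), "Window Hello for Business Users" in step 11 of the template security steps, step 7 of the service account group steps lacks "and click **Properties**", "Fedeartion", "autoamtically", "certifcate", "Certifiacte", "Prerequistes", "Wwindows", "- [x]Active Directory" (missing space after the checkbox), "Federation Services" listed twice at the top level of every Section Review, the orphan "Publish Templates" line before "### Publishing Certificate Templates", and "## Next Steps ###" followed by a stray "\".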
@@ -1,512 +0,0 @@ ---- -title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) -description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. - -The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. - -If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
- -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. - -Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. - -A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. - -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. - -## Update Windows Server 2016 - -Sign-in the federation server with _local admin_ equivalent credentials. -1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. 
Ensure the latest server updates to the federation server includes those referenced in following article https://aka.ms/whfbadfs1703. - ->[!IMPORTANT] ->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. - -## Enroll for a TLS Server Authentication Certificate - -Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. - -The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: -* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) - -You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. - -You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. - -It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### Internal Server Authentication Certificate Enrollment - -Sign-in the federation server with domain admin equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -## Deploy the Active Directory Federation Service Role - -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. -* Device registration -* Key registration -* Certificate registration authority (certificate trust deployments) - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** on the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. -7. Click **Next** on the **Select features** page. -8. Click **Next** on the **Active Directory Federation Service** page. -9. Click **Install** to start the role installation. 
- -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the AD FS farm uses the correct database configuration. -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service - -## Device Registration Service Account Prerequisite - -The service account used for the device registration server depends on the domain controllers in the environment. - ->[!NOTE] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -### Windows Server 2012 or later Domain Controllers - -Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. - -GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
- -#### Create KDS Root Key - -Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. -1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. - -#### Create an AD FS Service Account - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Right-click the **Users** container, Click **New**. Click **User**. -3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. -5. Click **Next** and then click **Finish**. - -## Configure the Active Directory Federation Service Role - ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -### Windows Server 2012 or later Domain Controllers - -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. - -Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) - -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. - -Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) - -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. - * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. - - -### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group - -The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add…** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add…** -9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -10. Click **OK** to return to **Active Directory Users and Computers**. -11. Change to server hosting the AD FS role and restart it. - -### Configure Permissions for Key Registration - -Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. - -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Right-click your domain name from the navigation pane and click **Properties**. -3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). -4. Click **Advanced**. Click **Add**. Click **Select a principal**. -5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. -6. In the **Applies to** list box, select **Descendant User objects**. -7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. -9. Click **OK** three times to complete the task. - -## Configure the Device Registration Service - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Open the **AD FS management** console. -2. In the navigation pane, expand **Service**. Click **Device Registration**. -3. In the details pane, click **Configure Device Registration**. -4. In the **Configure Device Registration** dialog, click **OK**. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment - * Windows Server 2012 or Windows Server 2012 R2 - * Windows Server 2008 or Windows Server 2008 R2 -* Confirm you have the correct service account based on your domain controller version. -* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
-* Confirm you used a certificate with the correct names as the server authentication certificate - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) -* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. -* Confirm you enabled the Device Registration service. - -## Prepare and Deploy AD FS Registration Authority - -A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. - -### Configure Registration Authority template - -The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
- -The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. - ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -#### Windows 2012 or later domain controllers - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority Management** console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. - -#### Windows 2008 or 2008R2 domain controllers - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Close the console. - -### Configure the Windows Hello for Business Authentication Certificate template - -During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. - -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. -14. Click on the **Apply** to save changes and close the console. - -#### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. -1. Open an elevated command prompt. -2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. - -### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. 
Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. Publish the **WHFB Authentication** certificate template using step 5. -7. Close the console. - -### Configure the Registration Authority - -Sign-in the AD FS server with Domain Admin equivalent credentials. - -1. Open a **Windows PowerShell** prompt. -2. Type the following command - - ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication - ``` - - -The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: ->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. - -This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
- ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - -### Enrollment Agent Certificate Enrollment - -Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. - -Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. - -## Additional Federation Servers - -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server Authentication Certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. - -### Install Additional Servers - -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. - -## Load Balance AD FS Federation Servers - -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. - -### Install Network Load Balancing Feature on AD FS Servers - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** On the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. 
On the **Select server roles** page, click **Next**. -7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) - -### Configure Network Load Balancing for AD FS - -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. - -Sign-in a node of the federation farm with _Admin_ equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) -2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) -4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) -5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) -7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. - ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) -8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) - -### Additional AD FS Servers - -1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) - -## Configure DNS for Device Registration - -Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console - -## Configure the Intranet Zone to include the federation service - -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. - -### Create an Intranet Zone Group Policy - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type **Intranet Zone Settings** in the name box and click **OK**. -5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. -8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. -9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. - -### Deploy the Intranet Zone Group Policy object - -1. 
Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. -* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. -* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. -* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: - * Issuance requirements of an authorized signature from a certificate request agent. - * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe - * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions -* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. -* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. -* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. -* Confirm you restarted the AD FS service. -* Confirm you properly configured load-balancing (hardware or software). 
-* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. - -## Validating your work - -You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. - -### Event Logs - -Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show - -* The account name under which the certificate was enrolled. -* The action, which should read enroll. -* The thumbprint of the certificate -* The certificate template used to issue the certificate. - -### Normal Service Account - -When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. - -### Group Managed Service Account - -You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. - -Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
- -Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. - -For detailed information about the certificate, use `Certutil -q -v ` . - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - - - - - - - - - diff --git a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md deleted file mode 100644 index 8ec43f5e54..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ /dev/null 
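Review bot: the hello-key-trust-adfs.md body removed in this hunk is certificate-trust text, so the deletion is fine, but whatever key-trust page replaces it must not carry these sections over: the Review list checks the enrollment agent certificate template, the `Get-AdfsCertificateAuthority` registration authority and the Windows Hello for Business authentication certificate template, the "Validating your work" section verifies enrollment-agent enrollment via AD FS event ID 443 and CertificateLifecycle-User event ID 1006, and the closing list is headed "Follow the Windows Hello for Business on premises certificate trust deployment guide" and links to hello-cert-trust-validate-ad-prereq.md and the other hello-cert-trust-*.md pages. Two smaller defects in the same text should not be re-introduced either: the profile path `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` and the `Certutil -q ` / `Certutil -q -v ` commands have lost their angle-bracket placeholders (the service account name and the certificate file name) to markdown rendering, and DNS step 5 says to type "the IP address of your federation server" while the Review item requires the A record to use the load-balanced IP address.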
@@ -1,542 +0,0 @@ ---- -title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) -description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Configure or Deploy Multifactor Authentication Services - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. - ->[!TIP] ->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. - -## Prerequisites - -The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. - -### Primary MFA Server - -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. - -For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. - -The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
- -#### Enroll for Server Authentication - -The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. - -Sign-in the primary MFA server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. - -To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. - -The following services are required: -* Common Parameters > Default Document. 
-* Common Parameters > Directory Browsing. -* Common Parameters > HTTP Errors. -* Common Parameters > Static Content. -* Health and Diagnostics > HTTP Logging. -* Performance > Static Content Compression. -* Security > Request Filtering. -* Security > Basic Authentication. -* Management Tools > IIS Management Console. -* Management Tools > IIS 6 Management Compatibility. -* Application Development > ASP.NET 4.5. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. - -Sign in the primary MFA server with _administrator_ equivalent credentials. -1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console -2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. -3. In the **Actions** pane, click **Bindings**. -4. In the **Site Bindings** dialog, Click **Add**. -5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. -6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. - -#### Configure the Web Service’s Security - -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. - -Sign in the domain controller with _domain administrator_ equivalent credentials. - -##### Create Phonefactor Admin group - -1. Open **Active Directory Users and Computers** -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. -3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. -4. Click **OK**. - -##### Add accounts to the Phonefactor Admins group - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. -3. Click the **Members** tab. -4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). -* Confirm the host has all the available updates from Windows Update. -* Confirm you bound the server authentication certificate to the IIS web site. -* Confirm you created the Phonefactor Admins group. -* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. - -### User Portal Server - -The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. - -The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. - -#### Enroll for Server Authentication - -Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. - -For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. - -Sign-in the User Portal server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). -10. Click **Add**. Click **OK** when finished. -11. Click **Enroll**. 
- -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. - -#### Create WebServices SDK user account - -The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. -3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. -4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
- -#### Add the MFA SDK user account to the Phonefactor Admins group - -Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. -3. Click the Members tab. -4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * The Webservices SDK user account - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. -* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Server Role was properly configured on all servers. -* Confirm all the hosts have the latest updates from Windows Update. -* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
- -## Installing Primary Azure MFA Server - -When you install Azure Multi-Factor Authentication Server, you have the following options: -1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS -2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) - -See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. - -Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. - ->[!IMPORTANT] ->Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. - -### Configuring Company Settings - -You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Start the **Multi-Factor Server** application -2. Click **Company Settings**. -3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. -4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. -5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. -6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. -7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. -8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. -10. Configure the minimum length for the PIN. -11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. -12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. -13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. - -![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) - -### Configuring Email Settings and Content - -If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. - -Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. - -With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. - -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
- -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. - -#### Settings - -By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. - -#### Content - -On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. - -##### Edit the Content Settings - -The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. Click **Email** from the list of icons and click the **Email Content** tab. -3. Select an email template from the list of templates. Click **Edit**. -4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. - ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) - -5. 
Optionally, customize other options in the email template. -6. When finished editing the template, Click **Apply**. -7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. -8. Click **Close** when you are done editing the email templates. - -### Configuring Directory Integration Settings and Synchronization - -Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. - -It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). - -#### MultiFactorAuthAdSync Service - -The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. - -The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. - -#### Settings - -Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Click the **Synchronization** tab. -4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. - -#### Synchronization - -The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. - -You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. - -See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. - -##### To add a synchronization item - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Select the **Synchronization** tab. -4. On the **Synchronization** tab, click **Add**. - ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) - -5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. -6. Select the group you are using for replication from the list of groups -7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. -8. Select **Add new users and Update existing users**. -9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. -10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. -11. Select **Enabled** and select **Only New Users with Phone Number** from the list. -12. Select **Send email** and select **New and Updated Users**. - -##### Configure synchronization item defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. -2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). - -##### Configure synchronization language defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. -2. Select the appropriate default language for these groups of users synchronized by these synchronization item. -3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). - -### Installing the MFA Web Services SDK - -The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. - -Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
- -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. - -## Install Secondary MFA Servers - -Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. - -Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. - -Sign in the secondary MFA server with _domain administrator_ equivalent credentials. -1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. - **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. -2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. -3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. -4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. -5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. -* Confirm the server has Internet connectivity. -* Confirm you installed and activated the Azure MFA Server. -* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). -* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. - * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. - -* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. -* Confirm you installed the Web Service SDK on the primary MFA server. -* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. - - -## Installing the User Portal Server - -You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. 
- -### Copying the User Portal Installation file - -Sign in the primary MFA server with _local administrator_ equivalent credentials. -1. Open Windows Explorer. -2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. -3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. - -### Configure Virtual Directory name - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. -2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. -3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. -4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. -5. Click **Close**. - -### Edit MFA User Portal config file - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. -2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. - -### Create a DNS entry for the User Portal web site - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**. -6. Close the **DNS Management** console. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. - -### Configuring the User Portal - -The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. -User Portal Administrators may be set up and granted permission to add new users and update existing users. - -#### Settings - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. - ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) - -3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. -The Multi-Factor Authentication Server uses this information when sending emails to users. -4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. -6. Select Allow users to select language. -7. Select Use security questions for fallback and select 4 from the Questions to answer list. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). - -#### Administrators - -The User Portal Settings tab allows the administrator to install and configure the User Portal. -1. 
Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. -3. On the Administrators tab, Click Add -4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. -5. Click Add. - ->[!TIP] ->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. - -#### Security Questions - -[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. - -#### Trusted IPs - -The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. - -## Configure the AD FS Server to use the MFA for multifactor authentication - -You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
- -### Install the MFA AD FS Adapter - -Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. - -### Edit the MFA AD FS Adapter config file on all ADFS Servers - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. - -### Edit the AD FS Adapter Windows PowerShell cmdlet - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. - -Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. - -### Run the AD FS Adapter PowerShell cmdlet - -Sign in the primary AD FS server with local administrator equivalent credentials. - -Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. - ->[!NOTE] ->You must restart the AD FS service for the registration to take effect. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. -* Confirm you restarted the AD FS Service after completing the configuration. - -## Test AD FS with the Multifactor Authentication connector - -Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete. - -1. In the **Multi-Factor Authentication** server, on the left, click **Users**. -2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. -3. Click **Test**. -4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. - -The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md deleted file mode 100644 index 0e85b5a485..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md +++ /dev/null 
@@ -1,154 +0,0 @@ ---- -title: Configure Windows Hello for Business Policy settings (Windows Hello for Business) -description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Configure Windows Hello for Business Policy settings - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. - -Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
- -On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: -* Enable Windows Hello for Business -* Use certificate for on-premises authentication -* Enable automatic enrollment of certificates - -## Enable Windows Hello for Business Group Policy - -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -## Use certificate for on-premises authentication - -The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. - -You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. - -## Enable automatic enrollment of certificates - -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. - -The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. - -## Create the Windows Hello for Business Group Policy object - -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Enable Windows Hello for Business* in the name box and click **OK**. -5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. -7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. - -## Configure Automatic Certificate Enrollment - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. -5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -7. Select **Enabled** from the **Configuration Model** list. -8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -9. Select the **Update certificates that use certificate templates** check box. -10. Click **OK**. Close the **Group Policy Management Editor**. - -## Configure Security in the Windows Hello for Business Group Policy object - -The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Double-click the **Enable Windows Hello for Business** Group Policy object. -4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. -5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. -6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. - -## Deploy the Windows Hello for Business Group Policy object - -The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. - -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. - -## Other Related Group Policy settings - -### Windows Hello for Business - -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. - -### Use a hardware security device - -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. - -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. - -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. - -### Use biometrics - -Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. - -The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. - -### PIN Complexity - -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. - -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: -* Require digits -* Require lowercase letters -* Maximum PIN length -* Minimum PIN length -* Expiration -* History -* Require special characters -* Require uppercase letters - -In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) -* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. -* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) -* Confirm you configured the proper security settings for the Group Policy object - * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) - * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy - -* Linked the Group Policy object to the correct locations within Active Directory -* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users - - -## Add users to the Windows Hello for Business Users group - -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md deleted file mode 100644 index 3716c6dbe3..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ /dev/null 
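Review bot: the policy settings page removed in the hunk above is certificate-trust content filed under a key-trust name (step 9 enables `Use certificate for on-premises authentication`, which the page's own text says moves the deployment off key trust, and its closing step list links to `hello-cert-trust-*.md`), so deleting it is right, but the same change set needs to add the key-trust version of the page, otherwise the key-trust step lists that point at a policy settings page are left with a dead link. When that replacement is written, keep the security filtering guidance from the deleted text (clear the `Apply Group Policy` Allow permission for `Authenticated Users`, grant it to the `Windows Hello for Business Users` group), since that is what limits which users are provisioned, and do not carry over `Use Certificate enrollment for on-prem authentication`, which is the certificate-trust setting. Minor typos in the deleted text (`Widows 10 Creators Editions`, `All others users`) should not reappear.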
@@ -1,77 +0,0 @@ ---- -title: Validate Active Directory prerequisites (Windows Hello for Business) -description: How to Validate Active Directory prerequisites for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate Active Directory prerequisites - -**Applies to** -- Windows 10 - -> This guide only applies to Windows 10, version 1703 or higher. - -The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. - -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. - -## Discovering schema role - -To locate the schema master role holder, open and command prompt and type: - -```Netdom query fsmo | findstr -i “schema”``` - -![Netdom example output](images\hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -## Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. 
- -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. - -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. - -## Create the KeyCredential Admins Security Global Group - -The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. - -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advance Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **KeyCredential Admins** in the **Group Name** text box. -6. Click **OK**. - -## Create the Windows Hello for Business Users Security Global Group - -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. - -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advanced Features**. -3. Expand the domain node from the navigation pane. -4. 
Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **Windows Hello for Business Users** in the **Group Name** text box. -6. Click **OK**. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. Validate Active Directory prerequisites (*You are here*) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md deleted file mode 100644 index 82e38e2728..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ /dev/null 
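Review bot: the deleted `hello-key-trust-validate-ad-prereq.md` body says the key-trust model receives the schema extension automatically from the first Windows Server 2016 domain controller while the manual `adprep /forestprep` walk-through is the certificate-trust path, so a key-trust replacement should keep the `KeyCredential Admins` group section (the page states AD FS needs write and read permission on the key attribute to register and remove keys) and mark the adprep steps as needed only when no Windows Server 2016 domain controller exists in the forest. When the content is re-added, fix the quoted command `Netdom query fsmo | findstr -i “schema”`: the curly quotes are passed to findstr as part of the search string, so it never matches the `Schema master` line; use straight quotes or none. The step `Type the letter **C*** and press **Enter**` also has a stray asterisk.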
@@ -1,48 +0,0 @@ ---- -title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) -description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate and Deploy Multifactor Authentication Services (MFA) - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. - -Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. -* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. -* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. -* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. - -## On-Premises Azure MFA Server - -On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. - -### Infrastructure - -A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. - -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. - ->[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) beofre proceeding. Do not use instllation instructions provided in the article. - -Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md deleted file mode 100644 index f0faf69798..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md +++ /dev/null 
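Review bot: the deleted `hello-key-trust-validate-deploy-mfa.md` links its next step and its step list to the certificate-trust pages (`hello-cert-trust-deploy-mfa.md`, `hello-cert-trust-validate-ad-prereq.md`) despite the key-trust file name, so the page that replaces it should point at the key-trust equivalents. The replacement should also resolve the ambiguity in `Do not use instllation instructions provided in the article.`, which tells the reader to ignore the linked installation guidance without naming the deployment page to follow instead, and should not carry over the typos `beofre` and `instllation`.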
@@ -1,196 +0,0 @@ ---- -title: Validate Public Key Infrastructure (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate and Configure Public Key Infrastructure - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. Secondary certificates, such as VPN and SMIME (future feature) may also be deployed. - -## Deploy an enterprise certificate authority - -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. - -### Lab-based public key infrastructure - -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. - -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. - ->[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. 
- ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools - ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. - ```PowerShell - Install-AdcsCertificateAuthority - ``` - -## Configure a Production Public Key Infrastructure - -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. - -### Configure Domain Controller Certificates - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. 
However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template. - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. 
- -### Superseding the existing Domain Controller certificate - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. -7. 
From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -### Configure an Internal Web Server Certificate template - -Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Internal Web Server** in **Template display name**. 
Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Request Handling** tab, select **Allow private key to be exported**. -7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -10. Close the console. - -### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Publish Certificate Templates to the Certificate Authority - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. - -7. Close the console. - -### Configure Domain Controllers for Automatic Certificate Enrollment - -Domain controllers automatically request a certificate from the domain controller certificate template. 
However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. - -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -11. Select the **Update certificates that use certificate templates** check box. -12. Click **OK**. Close the **Group Policy Management Editor**. - -### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** -3. 
In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. - -#### Use the Event Logs - -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. - -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. - -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. 
- - -#### Certificate Manager - -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. - -#### Certutil.exe - -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. - -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. - -#### Troubleshooting - -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. 
[Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file From 7b8ecebf9ebc43d004f6a379cc326f7980bd41d5 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Sun, 20 Aug 2017 14:55:36 -0700 Subject: [PATCH 08/51] Fixed broken link --- .../hello-for-business/hello-hybrid-cert-new-install.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index e256365845..c617d0d6fc 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -277,7 +277,7 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
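Review bot: the navigation list at the end of this new key trust page links to the certificate trust guide instead of the key trust one: the heading reads "Follow the Windows Hello for Business on premises certificate trust deployment guide" and steps 1, 3, 4 and 5 link to hello-cert-trust-validate-ad-prereq.md, hello-cert-trust-adfs.md, hello-cert-trust-validate-deploy-mfa.md and hello-cert-trust-policy-settings.md. This file is part of the key trust set this patch creates, so the heading should say "key trust" and the links should point at hello-key-trust-validate-ad-prereq.md, hello-key-trust-adfs.md, hello-key-trust-validate-deploy-mfa.md and hello-key-trust-policy-settings.md. Two smaller points: step 6 of the template steps enables "Allow private key to be exported" without saying why the key needs to be exportable or how the exported key should be handled, and the unpublish procedure appears twice (once as the "Unpublish Superseded Certificate Templates" section and again as step 6 of "Publish Certificate Templates to the Certificate Authority"); one of the two should go or refer to the other. Grammar in the sign-in lines: "with an _Enterprise Admin_ equivalent credentials" should drop "an", and "Sign-in a domain controller or management workstations" should read "Sign in to a domain controller or management workstation".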
## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust-overview) +1. [Overview](hello-hybrid-cert-trust-overview.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 30cb2f7ade..9652af4c6d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -110,7 +110,7 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust-overview) +1. [Overview](hello-hybrid-cert-trust-overview.md) 2. Prerequistes (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index b695fc4489..9e61800ef3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -580,7 +580,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust-overview) +1. [Overview](hello-hybrid-cert-trust-overview.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Windows Hello for Business settings (*You are here*) From 6cfa3e06e7585a5c71aec1ee47c480612b5fa4d4 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Sun, 20 Aug 2017 19:09:39 -0700 Subject: [PATCH 09/51] removed reference to on-prem deployment. changed the stule for Review Checklist --- .../hello-hybrid-cert-new-install.md | 2 +- .../hello-hybrid-cert-trust-overview.md | 2 +- .../hello-hybrid-cert-trust-prereqs.md | 44 +++++++++++-------- .../hello-hybrid-cert-whfb-settings.md | 2 +- 4 files changed, 28 insertions(+), 22 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index c617d0d6fc..5223cca7ac 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -276,7 +276,7 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
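Review bot: in PATCH 08/51 ("Fixed broken link") the three hunks add the missing .md to the Overview link but leave the rest of each list untouched: the heading above each list still says "on premises certificate trust deployment guide" although all three files are hybrid certificate trust pages, and "Prerequistes" in step 2 is misspelled ("Prerequisites"); both are worth fixing in the same pass since the hunks already touch these lines.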
-## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust-overview.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md index 81dda04227..d5045ebf49 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md @@ -37,7 +37,7 @@ Regardless of the baseline you choose, you’re next step is to familiarize your
-## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. Overview (*You are here*) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 9652af4c6d..b98430e99b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -38,12 +38,13 @@ Windows Hello for Business can be deployed in any environment with Windows Serve Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. ### Section Review ### -- [ ] Active Directory Domain Functional Level -- [ ] Active Directory Forest Functional Level -- [ ] Domain Controller version -- [ ] Windows Server 2016 Schema -- [ ] Azure Active Directory subscription -- [ ] Correct subscription for desired features and outcomes +> [!div class="checklist"] +> * Active Directory Domain Functional Level +> * Active Directory Forest Functional Level +> * Domain Controller version +> * Windows Server 2016 Schema +> * Azure Active Directory subscription +> * Correct subscription for desired features and outcomes
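Review bot: the section review headings in hello-hybrid-cert-trust-prereqs.md are inconsistent: the hunk at @@ -38,12 +38,13 keeps "### Section Review ###" with closing hashes, the hunks at @@ -66 and @@ -86 use "### Section Review", and @@ -98 uses "### Review Checklist ###". Pick one form for the whole file; closing hashes are optional in Markdown, so "### Section Review" is the simplest. The conversion from "- [ ]" items to the "> [!div class="checklist"]" block itself looks correct.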
@@ -54,9 +55,10 @@ Certificate trust deployments need an enterprise public key infrastructure and a The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. -### Section Review -- [ ] Windows Server 2012 Issuing Certificate Authority -- [ ] Windows Server 2016 Active Directory Federation Services +### Section Review +> [!div class="checklist"] +> * Windows Server 2012 Issuing Certificate Authority +> * Windows Server 2016 Active Directory Federation Services
@@ -66,9 +68,10 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect ### Section Review -- [ ] Azure Active Directory Connect directory synchronization -- [ ] [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) -- [ ] [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) +> [!div class="checklist"] +> * Azure Active Directory Connect directory synchronization +> * [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) +> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version)
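Review bot: the context line "Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect" needs a comma after "sync" and a terminating period. Also, the two upgrade items in the checklist are alternatives (an organization is on DirSync or on Azure AD Sync, not both), so marking them "if applicable" or nesting them under the first item would make the checklist read less like two mandatory steps.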
@@ -76,7 +79,8 @@ Organizations using older directory synchronization technology, such as DirSync Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. ### Section Review ### -- [ ] Windows Server 2016 Active Directory Federation Services +> [!div class="checklist"] +> * Windows Server 2016 Active Directory Federation Services
@@ -86,9 +90,10 @@ Windows Hello for Business is a strong, two-factor credential the helps organiza Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review -- [ ] Azure MFA Service -- [ ] Windows Server 2016 AD FS and Azure -- [ ] Windows Server 2016 AD FS and third party MFA Adapter +> [!div class="checklist"] +> * Azure MFA Service +> * Windows Server 2016 AD FS and Azure +> * Windows Server 2016 AD FS and third party MFA Adapter
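Review bot: two typos in the context lines of this hunk should be fixed while the section is being touched: "a strong, two-factor credential the helps organiza[tions]" should read "that helps", and "multifactor authentication provides by Windows Server 2016 Active Directory Federation Services" should read "provided by". The checklist items are fine; "third party MFA Adapter" would normally be hyphenated as "third-party".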
@@ -98,8 +103,9 @@ Hybrid organizations register their devices with their cloud. This is analogous Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. ### Review Checklist ### -- [ ] Azure Active Directory Device writeback -- [ ] Azure Active Directory Premium subscription +> [!div class="checklist"] +> * Azure Active Directory Device writeback +> * Azure Active Directory Premium subscription
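Review bot: the heading "### Review Checklist ###" differs from "### Section Review" used for every other section in this file; rename it so the sections are consistent. In the same hunk, "an Azure Active Directory premium feature" in the context line should capitalize "Premium" to match "Azure Active Directory Premium subscription" in the checklist item directly below it.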
@@ -109,7 +115,7 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
-## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust-overview.md) 2. Prerequistes (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 9e61800ef3..e33bb583a9 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -579,7 +579,7 @@ Users must receive the Windows Hello for Business group policy settings and have
-## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust-overview.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) From 293827bda577247858ebdc05172e0703a4cc0d8b Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Sun, 20 Aug 2017 19:55:41 -0700 Subject: [PATCH 10/51] Updated Section Review style for each section --- .../hello-hybrid-cert-new-install.md | 173 +++++------------- .../hello-hybrid-cert-trust-prereqs.md | 2 +- 2 files changed, 43 insertions(+), 132 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index 5223cca7ac..e7f6788da0 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -19,25 +19,12 @@ localizationpriority: high Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies -### Prerequisites ### -- [ ] Active Directory -- [ ] Public Key Infrastructure -- [ ] Azure Active Directory -- [ ] Directory Synchronization -- [ ] Active Directory Federation Services - - [ ] Federation Services - - [ ] Federation Proxy Servers - - [ ] Multiple top-level domains - - [ ] Azure Device Registration - - [ ] Device Writeback -- [ ] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision +* [Active Directory](#active-directory) +* [Public Key Infrastructure](#public-key-infrastructure) +* [Azure Active Directory](#azure-active-directory) +* [Directory Synchronization](#directory-synchronization) +* [Active Directory Federation Services](#active-directory-federation-services) + New installations are considerably more involved than existing implementations because you are building the entire infrastructure new. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings. 
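Review bot: the new anchor list drops the Multifactor Authentication entry that the removed checklist had, even though this file still has a "## Multifactor Authentication Services ##" section with its own Section Review (see the hunk at @@ -251 in this patch); add "* [Multifactor Authentication Services](#multifactor-authentication-services)" so the overview list matches the sections that follow. Context-line typos worth fixing in the same hunk: "technolgies" (technologies), "exsting envrionment" (existing environment) and "If you're environment" (If your environment).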
@@ -50,24 +37,10 @@ Production environments should follow Active Directory best practices regarding Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal. ### Section Review ### -- [x] Active Directory -- [ ] Public Key Infrastructure -- [ ] Azure Active Directory -- [ ] Directory Synchronization -- [ ] Active Directory Federation Services - - [ ] Federation Services - - [ ] Federation Proxy Servers - - [ ] Multiple top-level domains - - [ ] Azure Device Registration - - [ ] Device Writeback -- [ ] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision +> [!div class="checklist"] +> * Minimum Windows Server 2008 R2 domain controllers +> * Minimum Windows Server 2008 R2 domain and forest functional level +> * Functional networking, name resolution, and Active Directory replication ## Public Key Infrastructure 
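Review bot: this Section Review block has no blank line between the "### Section Review ###" heading and the "> [!div class="checklist"]" line, whereas the Public Key Infrastructure and Azure Active Directory blocks in this same patch do; add the blank line here for consistency. Also, "troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal" in the context should read "troubleshooting of issues ... unrelated to the project goal".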
@@ -100,24 +73,11 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. ### Section Review ### -- [x] Active Directory -- [x] Public Key Infrastructure -- [ ] Azure Active Directory -- [ ] Directory Synchronization -- [ ] Active Directory Federation Services - - [ ] Federation Services - - [ ] Federation Proxy Servers - - [ ] Multiple top-level domains - - [ ] Azure Device Registration - - [ ] Device Writeback -- [ ] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision + +> [!div class="checklist"] +> * Miniumum Windows Server 2012 Certificate Authority. +> * Enterprise Certificate Authority. +> * Functioning public key infrastructure. ## Azure Active Directory ## You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. 
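Review bot: "Miniumum" in the added checklist item should be "Minimum". Separately, the context line "If you do have an existing public key infrastructure, please review Certification Authority Guidance ... to properly design your infrastructure" reads as if it were meant to say "do not have": the advice that follows (design the hierarchy, then deploy a two-tier PKI using the test lab guide) is for organizations that have no PKI yet. Please check the intended condition.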
@@ -125,53 +85,25 @@ You’ve prepared your Active Directory. Hybrid Windows Hello for Business depl The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [ ] Directory Synchronization -- [ ] Active Directory Federation Services - - [ ] Federation Services - - [ ] Federation Proxy Servers - - [ ] Multiple top-level domains - - [ ] Azure Device Registration - - [ ] Device Writeback -- [ ] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision + +> [!div class="checklist"] +> * Review the different ways to establish an Azure Active Directory tenant. +> * Create an Azure Active Directory Tenant. +> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. ### Directory Synchronization ### At this point, you should have your Active Directory installed and configured with user and computer accounts. You should also have an enterprise certificate authority, and you should have provisioned your Azure tenant. Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, you’ll download, install, and configure Azure Active Directory Connect. -Review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) topic to understand why you’re using Azure Active Directory Connect and how it works. 
Next, review the [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). When you are done with your review, follow the [Express Installation](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express) to configure directory synchronization. - ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [ ] Active Directory Federation Services - - [ ] Federation Services - - [ ] Federation Proxy Servers - - [ ] Multiple top-level domains - - [ ] Azure Device Registration - - [ ] Device Writeback -- [ ] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision +> [div class="checklist"] +> * Review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect). +> * Review the [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +> * Follow the [Express Installation](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express) to configure directory synchronization. 
-## Active Directory Federation Services ## + +## Active Directory Federation Services Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. ### Federation Services ### @@ -206,24 +138,12 @@ As previously mentioned, Windows Hello for Busines hybrid certificate- trust dep Use the [Enabling device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-feature-device-writeback) section to configure device writeback functionality in your environment. ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [ ] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision +> [div class="checklist"] +> * Federation Proxy Servers +> * Multiple top-level domains +> * Azure Device Registration +> * Device Writeback + ## Multifactor Authentication Services ## Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA 
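Review bot: the Directory Synchronization Section Review (hunk @@ -125,53 +85,25) opens with "> [div class="checklist"]", missing the "!" that the Active Directory and Public Key Infrastructure blocks in this patch use ("> [!div class="checklist"]"); without it the line is plain blockquote text rather than the checklist directive. Two smaller points in the same hunk: "### Directory Synchronization ###" is an H3 under "## Azure Active Directory ##" while the other steps are H2 headings, and "Next, you need to synchronizes" in the context should be "synchronize".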
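Review bot: the AD FS Section Review (hunk @@ -206,24 +138,12) has the same "> [div class="checklist"]" typo, missing the "!". The hunk header context "Windows Hello for Busines hybrid certificate- trust dep..." also carries two typos ("Business" and a stray space in "certificate- trust") that could be fixed while this section is touched.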
@@ -239,8 +159,9 @@ As long as your users have licenses that include Azure Multi-Factor Authenticati > > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. -#### Azure MFA Adapter #### +#### Azure MFA Provider #### If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. + #### Configure Azure MFA Settings #### Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. 
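Review bot: the heading is renamed from "Azure MFA Adapter" to "Azure MFA Provider", but the context line two lines above still says "If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section", so the cross-reference now names a heading that no longer exists; update it to "Azure MFA Provider" in the same hunk.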
@@ -251,24 +172,14 @@ After you have completed configuring your Azure MFA settings, you want to review Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [ ] Windows Hello for Business - - [ ]Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision + +> [dev class="checklist"] +> * Review the overview and uses of Azure Multifactor Authentication. +> * Review your Azure Active Directory subscription for Azure Multifactor Authentication. +> * Create an Azure Multifactor Authentication Provider, if necessary. +> * Configure Azure Multufactor Authentiation features and settings. +> * Understand the different User States and their effect on Azure Multifactor Authentication. +> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. ### Next Steps ### Follow the Windows Hello for Business hybrid certificate trust deployment guide. With your baseline configuration complete, your next step is to **Configure Windows Hello for Business** if your envirionment. 
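Review bot: "> [dev class="checklist"]" should be "> [!div class="checklist"]"; as written, "dev" is not the directive and the block will not render as a checklist. The added item "Configure Azure Multufactor Authentiation features and settings." has two spelling errors ("Multifactor Authentication"), and the Next Steps context line "your next step is to **Configure Windows Hello for Business** if your envirionment" should read "in your environment".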
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index b98430e99b..7898964acb 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -102,7 +102,7 @@ Hybrid organizations register their devices with their cloud. This is analogous Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. -### Review Checklist ### +### Section Checklist ### > [!div class="checklist"] > * Azure Active Directory Device writeback > * Azure Active Directory Premium subscription From 7e6637c804aecdb69847a677b81acff021e70ce7 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Sun, 20 Aug 2017 20:21:20 -0700 Subject: [PATCH 11/51] Corrected checklist syntax --- .../hello-for-business/hello-hybrid-cert-new-install.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index e7f6788da0..a9c903a1c2 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
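Review bot: renaming "### Review Checklist ###" to "### Section Checklist ###" still leaves this section out of step with the "### Section Review" headings used for every other section of hello-hybrid-cert-trust-prereqs.md (see the earlier hunks in this series); "### Section Review" would make the file consistent.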
@@ -37,6 +37,7 @@ Production environments should follow Active Directory best practices regarding Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal. ### Section Review ### + > [!div class="checklist"] > * Minimum Windows Server 2008 R2 domain controllers > * Minimum Windows Server 2008 R2 domain and forest functional level @@ -97,7 +98,8 @@ At this point, you should have your Active Directory installed and configured wi Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, you’ll download, install, and configure Azure Active Directory Connect. ### Section Review -> [div class="checklist"] + +> [!div class="checklist"] > * Review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect). > * Review the [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). > * Follow the [Express Installation](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express) to configure directory synchronization. 
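Review bot: the first hunk inserts a blank line after `### Section Review ###` but keeps the trailing `###`, while the second hunk's heading in the same file is `### Section Review` without them; make the two headings the same form (the later patch in this series that drops the trailing hashes shows the intended one). While these regions are being touched, the context lines "Next, you need to synchronizes the on-premises Active Directory" should read "synchronize" and "prevent troubleshooting of issue, such as" should read "issues".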
@@ -138,7 +140,8 @@ As previously mentioned, Windows Hello for Busines hybrid certificate- trust dep Use the [Enabling device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-feature-device-writeback) section to configure device writeback functionality in your environment. ### Section Review -> [div class="checklist"] + +> [!div class="checklist"] > * Federation Proxy Servers > * Multiple top-level domains > * Azure Device Registration @@ -173,7 +176,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ### Section Review -> [dev class="checklist"] +> [!div class="checklist"] > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. From a9becd83b10134520018f63af28b3cc8e4b36086 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Sun, 20 Aug 2017 20:44:37 -0700 Subject: [PATCH 12/51] More fixes to checklsts --- .../hello-for-business/hello-hybrid-cert-new-install.md | 6 +++--- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index a9c903a1c2..16c6a2923d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
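Review bot: the `[div` and `[dev` to `[!div` corrections are right, but the Federation Services checklist the first hunk touches lists bare nouns ("Federation Proxy Servers", "Multiple top-level domains", "Azure Device Registration") while the Azure MFA checklist in the second hunk uses actionable items ("Review ...", "Create ..."); reword the former so each item states what should have been completed, e.g. "Configure device writeback in Azure AD Connect". The context line "Windows Hello for Busines hybrid certificate- trust" has two typos ("Business", "certificate-trust").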
@@ -36,11 +36,11 @@ Production environments should follow Active Directory best practices regarding Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal. -### Section Review ### +### Section Review > [!div class="checklist"] -> * Minimum Windows Server 2008 R2 domain controllers -> * Minimum Windows Server 2008 R2 domain and forest functional level +> * Minimum Windows Server 2008 R2 domain controllers +> * Minimum Windows Server 2008 R2 domain and forest functional level > * Functional networking, name resolution, and Active Directory replication ## Public Key Infrastructure diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 7898964acb..e148f2ffad 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -38,6 +38,7 @@ Windows Hello for Business can be deployed in any environment with Windows Serve Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. ### Section Review ### + > [!div class="checklist"] > * Active Directory Domain Functional Level > * Active Directory Forest Functional Level From ea9fa40f3b54b221e7966ab11dccaa9bcee80806 Mon Sep 17 00:00:00 2001 
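Review bot: the two `> * Minimum Windows Server 2008 R2 ...` lines are whitespace-only changes (before and after text is identical), which adds noise to the hunk; if the intent is to strip trailing spaces, say so in the commit message or drop the lines from the patch. In the second hunk (hello-hybrid-cert-trust-prereqs.md) the heading is left as `### Section Review ###` although the first hunk of this same patch removes the trailing `###` from the identical heading in hello-hybrid-cert-new-install.md; apply the same change here so the two files match.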
From: Mike Stephens Date: Sun, 20 Aug 2017 21:05:07 -0700 Subject: [PATCH 13/51] Table of content update, file renames, --- .../hello-for-business/hello-hybrid-cert-new-install.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- ...hybrid-cert-trust-overview.md => hello-hybrid-cert-trust.md} | 0 .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 2 +- windows/access-protection/hello-for-business/toc.md | 1 + 5 files changed, 4 insertions(+), 3 deletions(-) rename windows/access-protection/hello-for-business/{hello-hybrid-cert-trust-overview.md => hello-hybrid-cert-trust.md} (100%) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index 16c6a2923d..3abb788874 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -191,7 +191,7 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
## Follow the Windows Hello for Business hybrid certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust-overview.md) +1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index e148f2ffad..29b5f381a9 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -117,7 +117,7 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide.
## Follow the Windows Hello for Business hybrid certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust-overview.md) +1. [Overview](hello-hybrid-cert-trust.md) 2. Prerequistes (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md similarity index 100% rename from windows/access-protection/hello-for-business/hello-hybrid-cert-trust-overview.md rename to windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index e33bb583a9..69b7b2c8b7 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -580,7 +580,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business hybrid certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust-overview.md) +1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Windows Hello for Business settings (*You are here*) diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index e99fabcb82..16fe1de0d9 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -13,6 +13,7 @@ ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) +### [Hybrid Domain Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) ### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) #### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) From c2b864873888e322d881476099a990d2137f5e2b Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 21 Aug 2017 16:17:08 -0700 Subject: [PATCH 14/51] Updating section review to checklists --- .../hello-hybrid-cert-whfb-settings.md | 47 ++++--------------- 1 file changed, 10 insertions(+), 37 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 69b7b2c8b7..3f4d2158cd 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
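Review bot: the new toc entry `### [Hybrid Domain Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)` has no `####` child entries, whereas the On Premises entry directly below it lists its step pages (`#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)`); add child entries for the pages linked in the three navigation blocks above (hello-hybrid-cert-trust-prereqs.md, hello-hybrid-cert-new-install.md, hello-hybrid-cert-whfb-settings.md) so they are reachable from the table of contents. The `hello-hybrid-cert-trust-overview.md` to `hello-hybrid-cert-trust.md` rename is applied consistently in all three navigation blocks, but each still reads `[Prerequistes]` / `Prerequistes`; fix the spelling to "Prerequisites" while these lines are being touched.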
@@ -53,7 +53,8 @@ Sign-in to the domain controller hosting the schema master operational role usin Windows Hello for Business uses several security groups to simplify the deployment and managment. -If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCrednetials Admins Security Group**. +> [!Important] +> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCrednetials Admins Security Group**. #### Create the KeyCredential Admins Security Group @@ -82,24 +83,10 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva 6. Click **OK**. ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [ ] Active Directory - - [ ] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] AD FS RA - - [ ] Group Policy -- [ ] Sign-in and Provision + +> [!div class="checklist"] +> * Upgrading Active Directory Schema to Windows Server 2016 +> * Create Security Groups ## Directory Syncrhonization 
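Review bot: the new `> [!Important]` note tells the reader to skip **Create the KeyCrednetials Admins Security Group**, but the heading it refers to is `#### Create the KeyCredential Admins Security Group`; fix the spelling so the cross-reference matches, otherwise a reader searching the page for the bolded text finds nothing. Use the upper-case `> [!IMPORTANT]` form used elsewhere in this series. In the context lines, "simplify the deployment and managment" should read "management" and the heading `## Directory Syncrhonization` should read "Synchronization".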
@@ -125,24 +112,10 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv 9. Click **OK** three times to complete the task. ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [ ] Public Key Infrastructure - - [ ] AD FS RA - - [ ] Group Policy -- [ ] Sign-in and Provision + +> [!div class="checklist"] +> * Configure Permissions for Key Synchronization + ## Public Key Infrastructure From 9cbb1e82d115c6148d4c2f68a298e894ad61f9cf Mon Sep 17 00:00:00 2001 
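Review bot: the replacement checklist has a single item, `Configure Permissions for Key Synchronization`, which only repeats the section title; since the procedure above it ends at "Click **OK** three times", the checklist would be more useful if it named the outcome to verify (KeyCredential Admins holds read and write permission on the key attribute for descendant user objects). The context heading `## Directory Syncrhonization` carries the same typo as in the previous hunk.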
From: Mike Stephens Date: Mon, 21 Aug 2017 20:09:13 -0700 Subject: [PATCH 15/51] Breaking WHFB configurations into separte pages --- .../hello-hybrid-cert-whfb-settings-aad.md | 18 + .../hello-hybrid-cert-whfb-settings-ad.md | 89 +++ .../hello-hybrid-cert-whfb-settings-adfs.md | 85 +++ ...ello-hybrid-cert-whfb-settings-dir-sync.md | 47 ++ .../hello-hybrid-cert-whfb-settings-pki.md | 207 +++++++ .../hello-hybrid-cert-whfb-settings-policy.md | 194 +++++++ .../hello-hybrid-cert-whfb-settings.md | 526 +----------------- 7 files changed, 641 insertions(+), 525 deletions(-) create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md new file mode 100644 index 0000000000..187e4fc68d --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md 
@@ -0,0 +1,18 @@ +--- +title: Windows Hello for Business Trust New Installation (Windows Hello for Business) +description: Windows Hello for Business Hybrid baseline deployment +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Windows Hello for Business Certificate Trust New Installation + +**Applies to** +- Windows10 + +> This guide only applies to Windows 10, version 1703 or higher. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md new file mode 100644 index 0000000000..c835884115 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
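Review bot: the front matter and H1 of the new hello-hybrid-cert-whfb-settings-aad.md do not describe the page: `title:` is "Windows Hello for Business Trust New Installation (Windows Hello for Business)" and the H1 is "Windows Hello for Business Certificate Trust New Installation", while the sibling files added in this patch use "Configure Windows Hello for Business: <component>"; rename both to "Configure Windows Hello for Business: Azure Active Directory". The file has no body after the version note, so either add the Azure AD configuration steps or hold the file back until they exist. `- Windows10` is missing a space (the same line appears in every new file in this patch).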
@@ -0,0 +1,89 @@ +--- +title: Configuring Windows Hello for Business: Active Directory +description: Configuring Windows Hello for Business: Active Directory +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Configuring Windows Hello for Business: Active Directory + +**Applies to** +- Windows10 + +> This guide only applies to Windows 10, version 1703 or higher. + +## Active Directory ## +The key registration process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. + +### Upgrading Active Directory to the Windows Server 2016 Schema + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +#### Discovering schema role + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i schema``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. + +#### Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). 
During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. + +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +### Creating Security Groups + +Windows Hello for Business uses several security groups to simplify the deployment and managment. + +> [!Important] +> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCrednetials Admins Security Group**. + +#### Create the KeyCredential Admins Security Group + +Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +#### Create the Windows Hello for Business Users Security Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. 
You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + +### Section Review + +> [!div class="checklist"] +> * Upgrading Active Directory Schema to Windows Server 2016 +> * Create Security Groups diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md new file mode 100644 index 0000000000..a028f90c3f --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
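Review bot: the adprep path `**\:\support\adprep**` has lost its drive letter; the step later in the same section uses `x:\support\adprep` with "where *x* is the drive letter", so write the same here. Step 4 of the schema update has unbalanced bold (`**C***`), which renders as a stray asterisk and should be `**C**`. The Important note points at **Create the KeyCrednetials Admins Security Group** while the heading is "Create the KeyCredential Admins Security Group". Smaller fixes: "open and command prompt" should be "open a command prompt", "where you need to adprep.exe" is missing "run", "managment" should be "management", and the two group procedures disagree on "Advance Features" versus "Advanced Features" (the menu item is **Advanced Features**).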
@@ -0,0 +1,85 @@ +--- +title: Configure Windows Hello for Business: Active Directory Federation Services +description: Configure Windows Hello for Business: Active Directory Federation Services +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Configure Windows Hello for Business: Active Directory Federation Services + +**Applies to** +- Windows10 + +> This guide only applies to Windows 10, version 1703 or higher. + + +## Federation Services + +The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. + +### Configure the Registration Authority + +Sign-in the AD FS server with *Domain Admin* equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. 
Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. + +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + + +### Group Memberships for the AD FS Service Account + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add** +5. In the **Enter the object names to select** text box, type **adfssvc**. 
Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [x] Public Key Infrastructure + - [x] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md new file mode 100644 index 0000000000..4b6e0b0e8a --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
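Review bot: step 3 of the group membership procedure adds **adfssvc** to **KeyCredential Admins** unconditionally, but the Active Directory page in this same patch tells readers who have a Windows Server 2016 domain controller to skip creating that group; state here that the step applies only when the group was created, or say what those readers should do instead, otherwise the procedure fails at step 3 for them. The Section Review on this page is still the old `- [x]` checkbox list (with `[x]Active Directory` missing its space) rather than the `> [!div class="checklist"]` block used on the other new pages, and it still lists "Sign-in and Provision" as pending. Smaller points: "The Windows Hello for Business group provides" should name the "Windows Hello for Business Users" group created earlier; step 7 says "Right-click **Windows Hello for Business Users** group" without "and click **Properties**", so the **Members** tab in step 8 is unreachable as written; "Fedeartion" and "Its important" are typos.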
@@ -0,0 +1,47 @@ +--- +title: Configure Windows Hello for Business: Directory Synchronization +description: Configure Windows Hello for Business: Directory Synchronization +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Configure Windows Hello for Business: Directory Synchronization + +**Applies to** +- Windows10 + +> This guide only applies to Windows 10, version 1703 or higher. + +## Directory Syncrhonization + +In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Configure Permissions for Key Synchronization**. + +### Configure Permissions for Key Syncrhonization + +Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. 
In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +### Section Review + +> [!div class="checklist"] +> * Configure Permissions for Key Synchronization + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md new file mode 100644 index 0000000000..cc5f3b3fc3 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
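Review bot: step 8 names the attribute two different ways, `Read msDS-KeyCredentialLink` and `Write msDS-KeyCrendentialLink`; the second is misspelled, and the permission the reader must find in the ACL editor is `Write msDS-KeyCredentialLink`. Consider adding a sentence after step 6 explaining that the **Descendant User objects** scope is what limits the write right to user objects rather than to every object in the domain, since that scoping is the security property of this step. The heading "Directory Syncrhonization" (twice) and "crednetial" are misspelled.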
@@ -0,0 +1,207 @@ +--- +title: Configure Windows Hello for Business: Public Key Infrastructure +description: Configure Windows Hello for Business: Public Key Infrastructure +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Configure Windows Hello for Business: Public Key Infrastructure + +**Applies to** +- Windows10 + +> This guide only applies to Windows 10, version 1703 or higher. + + +## Public Key Infrastructure + +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. + +All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. + +### Certifcate Templates + +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. + +#### Domain Controller certificate template + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domainnamely the enterprise certificate authority. 
+ +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. + +##### Create a Domain Controller Authentication (Kerberos) Certificate Template + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprises needs. 
+ **Note**If you use different template names, youll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. + +##### Superseding the existing Domain Controller certificate + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllersthe domain controller certificate template. Later releases provided a new certificate templatethe domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). + +The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. 
+ +###### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +#### Enrollment Agent certificate template + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. 
+ +Approximately 60 days prior to enrollment agent certificates expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +> [!IMPORTANT] +> Follow the procedures below based on the AD FS service account used in your environment. + +#### Creating an Enrollment Agent certificate for Group Managed Service Accounts + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. 
On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Creating an Enrollment Agent certificate for typical Service Acconts + +Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. 
Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +#### Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +##### Creating Windows Hello for Business authentication certiicate template + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. + **Note:** If you use different template names, youll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. 
In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +##### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +Publish Templates + +### Publishing Certificate Templates + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. 
If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +#### Publish Certificate Templates to a Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. Publish the **WHFB Enrollment Agent**, **WHFB Authentication** certificate template using step 5. +7. Close the console. + + +### Unpublishing Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +#### Unpublish Superseded Certificate Templates + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. 
Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [x] Public Key Infrastructure + - [ ] Federation Services + - [ ] Group Policy +- [ ] Sign-in and Provision + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md new file mode 100644 index 0000000000..c458526464 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
@@ -0,0 +1,194 @@ +--- +title: Configure Windows Hello for Business: Group Policy +description: Configure Windows Hello for Business: Group Policy +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.author: mstephen +localizationpriority: high +--- +# Configure Windows Hello for Business: Group Policy + +**Applies to** +- Windows10 + +> This guide only applies to Windows 10, version 1703 or higher. + + +## Policy Configuration + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. + +Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. 
+ +Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. + +To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. 
Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO** +3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Windows Hello for Business Group Policy + +The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory + +#### Enable Windows Hello for Business + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. 
+ +#### Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +#### Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. 
+ +#### Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 
+9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +#### Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** +3. 
In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +### Other Related Group Policy settings + +#### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +##### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). 
Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +##### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +#### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. 
If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. + +### Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. 
+ +### Section Review +- [x] Active Directory +- [x] Public Key Infrastructure +- [x] Azure Active Directory +- [x] Directory Synchronization +- [x] Active Directory Federation Services +- [x] Federation Services + - [x] Federation Proxy Servers + - [x] Multiple top-level domains + - [x] Azure Device Registration + - [x] Device Writeback +- [x] Multifactor Authentication +- [x] Windows Hello for Business + - [x]Active Directory + - [x] Directory Synchronization + - [x] Public Key Infrastructure + - [x] Federation Services + - [x] Group Policy +- [ ] Sign-in and Provision diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 3f4d2158cd..0d9c3ee125 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
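Review bot: several grammar and typo defects in the added text should be fixed before this merges. In the TPM paragraph, "more unforgiven during anti-hammering" should read "less forgiving during anti-hammering", and "some organization may want not want slow sign-in performance" should be "some organizations may not want the slow sign-in performance". In the biometrics paragraph, "The policy setting disabled all biometrics" describes current behaviour and should be "disables all biometrics". The PIN complexity precedence paragraph is contradictory as written: "the user policy settings have precedence over computer policy settings" followed by "this conflict resolution is based on the last applied policy" can be read as two different rules, so state which one actually wins; in the same paragraph "you can deploy Group Policy to provide to accomplish a variety of configurations" needs rewording (for example "you can deploy Group Policy to accomplish a variety of configurations"). In the "Add users" section, "Wwindows Hello for Business Authentication certificate" is a typo and "the group used synchronize users" is missing "to". Finally, the Section Review item `- [x]Active Directory` lacks the space after `]`, so it will not render as a checked task item like its siblings.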
@@ -17,533 +17,9 @@ localizationpriority: high > This guide only applies to Windows 10, version 1703 or higher. -## Active Directory ## -The key registration process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. + -- summary of the settings goes here along with a bulleted list -> [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. -### Upgrading Active Directory to the Windows Server 2016 Schema - -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. - -#### Discovering schema role - -To locate the schema master role holder, open and command prompt and type: - -```Netdom query fsmo | findstr -i “schema”``` - -![Netdom example output](images\hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -#### Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. - -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. - -1. Open an elevated command prompt. -2. 
Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. - -### Creating Security Groups - -Windows Hello for Business uses several security groups to simplify the deployment and managment. - -> [!Important] -> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCrednetials Admins Security Group**. - -#### Create the KeyCredential Admins Security Group - -Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow. - -Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advance Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **KeyCredential Admins** in the **Group Name** text box. -6. Click **OK**. - -#### Create the Windows Hello for Business Users Security Group - -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. - -Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. 
- -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advanced Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **Windows Hello for Business Users** in the **Group Name** text box. -6. Click **OK**. - -### Section Review - -> [!div class="checklist"] -> * Upgrading Active Directory Schema to Windows Server 2016 -> * Create Security Groups - -## Directory Syncrhonization - -In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. - -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. - -> [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Configure Permissions for Key Synchronization**. - -### Configure Permissions for Key Syncrhonization - -Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Right-click your domain name from the navigation pane and click **Properties**. -3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). -4. Click **Advanced**. Click **Add**. Click **Select a principal**. -5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. -6. In the **Applies to** list box, select **Descendant User objects**. -7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. 
In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. -9. Click **OK** three times to complete the task. - -### Section Review - -> [!div class="checklist"] -> * Configure Permissions for Key Synchronization - - -## Public Key Infrastructure - -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. - -All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. - -### Certifcate Templates - -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. - -#### Domain Controller certificate template - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. 
However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. - -##### Create a Domain Controller Authentication (Kerberos) Certificate Template - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. 
On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. - -##### Superseding the existing Domain Controller certificate - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). - -The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -###### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. 
Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. -7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -#### Enrollment Agent certificate template - -Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. - -Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. 
You can view the AD FS event logs to determine the status of the enrollment agent certificate. - -> [!IMPORTANT] -> Follow the procedures below based on the AD FS service account used in your environment. - -#### Creating an Enrollment Agent certificate for Group Managed Service Accounts - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority Management** console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. 
Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. - -#### Creating an Enrollment Agent certificate for typical Service Acconts - -Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -7. 
On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Close the console. - -#### Windows Hello for Business authentication certificate template - -During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. - -##### Creating Windows Hello for Business authentication certiicate template - -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. 
On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. -14. Click on the **Apply** to save changes and close the console. - -##### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. -1. Open an elevated command prompt. -2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -Publish Templates - -### Publishing Certificate Templates - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. 
If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - -#### Publish Certificate Templates to a Certificate Authority - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. Publish the **WHFB Enrollment Agent**, **WHFB Authentication** certificate template using step 5. -7. Close the console. - - -### Unpublishing Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -#### Unpublish Superseded Certificate Templates - -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. 
Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [x] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision - - -## Federation Services - -The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. - -The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. - -### Configure the Registration Authority - -Sign-in the AD FS server with *Domain Admin* equivalent credentials. - -1. Open a **Windows PowerShell** prompt. -2. 
Type the following command - - ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication - ``` - - -The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: ->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. - -This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. - ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - - -### Group Memberships for the AD FS Service Account - -The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add…** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add…** -9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -10. Click **OK** to return to **Active Directory Users and Computers**. -11. Change to server hosting the AD FS role and restart it. - -### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [x] Public Key Infrastructure - - [x] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision - -## Policy Configuration - -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. 
You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. - -Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. - -Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. - -Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: -* Enable Windows Hello for Business -* Use certificate for on-premises authentication -* Enable automatic enrollment of certificates - -### Configure Domain Controllers for Automatic Certificate Enrollment - -Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. 
- -To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. - -#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -11. Select the **Update certificates that use certificate templates** check box. -12. Click **OK**. Close the **Group Policy Management Editor**. - -#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. 
Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. - -### Windows Hello for Business Group Policy - -The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory - -#### Enable Windows Hello for Business - -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -#### Use certificate for on-premises authentication - -The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. 
If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. - -You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. - -#### Enable automatic enrollment of certificates - -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. - -The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. - -#### Create the Windows Hello for Business Group Policy object - -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -2. 
Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Enable Windows Hello for Business* in the name box and click **OK**. -5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. -7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. - -#### Configure Automatic Certificate Enrollment - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. -5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -7. Select **Enabled** from the **Configuration Model** list. -8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -9. Select the **Update certificates that use certificate templates** check box. -10. Click **OK**. Close the **Group Policy Management Editor**. - -#### Configure Security in the Windows Hello for Business Group Policy object - -The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. 
The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Double-click the **Enable Windows Hello for Business** Group Policy object. -4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. -5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. -6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. - -#### Deploy the Windows Hello for Business Group Policy object - -The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. 
- -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. - -### Other Related Group Policy settings - -#### Windows Hello for Business - -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. - -##### Use a hardware security device - -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. - -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. - -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. 
To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. - -##### Use biometrics - -Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. - -The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. - -#### PIN Complexity - -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. - -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. 
Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: -* Require digits -* Require lowercase letters -* Maximum PIN length -* Minimum PIN length -* Expiration -* History -* Require special characters -* Require uppercase letters - -Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. - -### Add users to the Windows Hello for Business Users group - -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. - -### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [x] Public Key Infrastructure - - [x] Federation Services - - [x] Group Policy -- [ ] Sign-in and Provision ## Next Steps ### \ From 841f164d236191eedbb315ebfc972a43eefe8bf1 Mon Sep 17 00:00:00 2001 
From: Mike Stephens Date: Tue, 22 Aug 2017 08:17:46 -0700 Subject: [PATCH 16/51] Removed an unused page First attempt at connecting the separate WHFB configuration steps --- .../hello-hybrid-cert-whfb-settings-aad.md | 18 --------- .../hello-hybrid-cert-whfb-settings-ad.md | 37 +++++++++++++++---- .../hello-hybrid-cert-whfb-settings.md | 21 ++++++++--- 3 files changed, 45 insertions(+), 31 deletions(-) delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md deleted file mode 100644 index 187e4fc68d..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-aad.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: Windows Hello for Business Trust New Installation (Windows Hello for Business) -description: Windows Hello for Business Hybrid baseline deployment -keywords: identity, PIN, biometric, Hello, passport, WHFB -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -ms.author: mstephen -localizationpriority: high ---- -# Windows Hello for Business Certificate Trust New Installation - -**Applies to** -- Windows10 - -> This guide only applies to Windows 10, version 1703 or higher. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index c835884115..7b69febd1e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: MikeStephens-MS ms.author: mstephen localizationpriority: high --- @@ -17,17 +17,20 @@ localizationpriority: high > This guide only applies to Windows 10, version 1703 or higher. -## Active Directory ## -The key registration process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. +> [!div class="step-by-step"] +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +The key synchronizaqtion process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. > [!IMPORTANT] > If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. -### Upgrading Active Directory to the Windows Server 2016 Schema +## Upgrading Active Directory to the Windows Server 2016 Schema Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. -#### Discovering schema role +### Identify the schema role domain controller To locate the schema master role holder, open and command prompt and type: 
@@ -37,7 +40,7 @@ To locate the schema master role holder, open and command prompt and type: The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. -#### Updating the Schema +### Updating the Schema Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. @@ -85,5 +88,23 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva ### Section Review > [!div class="checklist"] -> * Upgrading Active Directory Schema to Windows Server 2016 -> * Create Security Groups +> * Identify the schema role domain controller +> * Update the Active Directory Schema to Windows Server 2016 +> * Create the KeyCredential Admins Security group, (optional) +> * Create the Windows Hello for Business Users group + + +> [!div class="step-by-step"] +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +
+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Windows Hello for Business settings: Active Directory (*You are here*) +5. Sign-in and Provision \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 0d9c3ee125..a984216e1b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: MikeStephens-MS ms.author: mstephen localizationpriority: high --- 
@@ -17,14 +17,25 @@ localizationpriority: high > This guide only applies to Windows 10, version 1703 or higher. - -- summary of the settings goes here along with a bulleted list +> [! div class="step-by-step"] +[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +> [!IMPORTANT] +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. +The configuration for Windows Hello for Business is grouped in four categories. These categories are: +* [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +* [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md) +* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs) +* [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) +For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration -## Next Steps ### -\ +> [! div class="step-by-step"] +[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) -

+
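Review bot: Typo in the added sentence of the hello-hybrid-cert-whfb-settings-ad.md hunk at @@ -17,17 +17,20 @@: "The key synchronizaqtion process" should read "The key synchronization process". The same line also drops the rationale the removed sentence carried (the key-trust model receives the schema extension automatically when the first Windows Server 2016 domain controller is added to the forest, while the certificate trust model requires a manual schema update), and without it the "> [!IMPORTANT]" note that follows ("you can skip Upgrading Active Directory...") loses its context. Suggest keeping that second sentence, e.g. "The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema."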
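Review bot: Spelling and punctuation in the added lines of the hello-hybrid-cert-whfb-settings-ad.md hunk at @@ -85,5 +88,23 @@: "[Prerequistes](hello-hybrid-cert-trust-prereqs.md)" should be "[Prerequisites](hello-hybrid-cert-trust-prereqs.md)", and "Create the KeyCredential Admins Security group, (optional)" has a stray comma before the parenthesis. The hunk also inserts a long run of empty "+" lines between the step-by-step navigation and the "## Follow the Windows Hello for Business hybrid certificate trust deployment guide" heading and ends with "\ No newline at end of file"; trim the blank lines to one and add a trailing newline so later diffs to this file stay clean.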
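Review bot: Markdown structure problem in the hello-hybrid-cert-whfb-settings.md hunk at @@ -17,14 +17,25 @@: the added paragraph "The configuration for Windows Hello for Business is grouped in four categories." directly follows the "> [!IMPORTANT]" callout with no blank line, so it renders as a lazy continuation inside the callout instead of as body text; insert an empty line after the callout. Wording in the same hunk: "You're environment is federated" should be "Your environment is federated", "Windows Hello for business" should capitalize "Business", "For the most efficent deployment" should be "efficient", and that closing sentence lacks a period. The "> [! div class="step-by-step"]" marker (space after the "!") and the "hello-hybrid-cert-whfb-settings-adfs" link missing its ".md" are corrected by the two one-line patches that follow this one in the series ("fixed broken link" and "fixed formatting"); both could be folded into this commit.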

From a3708eb7b673201aa6269e28ecfb112a66b185c4 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 22 Aug 2017 08:35:26 -0700 Subject: [PATCH 17/51] fixed broken link --- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index a984216e1b..9fbc810cf6 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -27,7 +27,7 @@ You're environment is federated and you are ready to configure your hybrid envir The configuration for Windows Hello for Business is grouped in four categories. These categories are: * [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) * [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md) -* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs) +* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) * [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration From 209a73be1b12b5afc8e5eafc8fcda1b0621af443 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 22 Aug 2017 09:11:42 -0700 Subject: [PATCH 18/51] fixed formatting --- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 9fbc810cf6..a7594f3319 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -17,7 +17,7 @@ localizationpriority: high > This guide only applies to Windows 10, version 1703 or higher. -> [! div class="step-by-step"] +> [!div class="step-by-step"] [Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. From bd40b2644370e4a6974e9699dd000c3789aa7bdc Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 22 Aug 2017 09:31:11 -0700 Subject: [PATCH 19/51] Updates to WHFB configuration settings --- .../hello-hybrid-cert-whfb-settings-ad.md | 3 +- .../hello-hybrid-cert-whfb-settings-pki.md | 81 ++++++++----------- .../hello-hybrid-cert-whfb-settings.md | 4 +- 3 files changed, 38 insertions(+), 50 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 7b69febd1e..0ed1cc4a76 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -6,10 +6,11 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: MikeStephens-MS +author: DaniHalfin ms.author: mstephen localizationpriority: high --- + # Configuring Windows Hello for Business: Active Directory **Applies to** diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index cc5f3b3fc3..33d958da6d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -10,6 +10,7 @@ author: DaniHalfin ms.author: mstephen localizationpriority: high --- + # Configure Windows Hello for Business: Public Key Infrastructure **Applies to** @@ -17,18 +18,20 @@ localizationpriority: high > This guide only applies to Windows 10, version 1703 or higher. +> [!div class="step-by-step"] +[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md) -## Public Key Infrastructure Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. -### Certifcate Templates +## Certifcate Templates This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. -#### Domain Controller certificate template +### Domain Controller certificate template Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domainnamely the enterprise certificate authority. 
@@ -36,7 +39,7 @@ Domain controllers automatically request a domain controller certificate (if pub By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. -##### Create a Domain Controller Authentication (Kerberos) Certificate Template +#### Create a Domain Controller Authentication (Kerberos) Certificate Template Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. @@ -50,7 +53,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. -##### Superseding the existing Domain Controller certificate +#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllersthe domain controller certificate template. Later releases provided a new certificate templatethe domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. 
@@ -58,8 +61,6 @@ The Kerberos Authentication certificate template is the most current certificate The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. -###### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template - Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. @@ -74,7 +75,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. -#### Enrollment Agent certificate template +### Enrollment Agent certificate template Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. 
@@ -117,12 +118,10 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 10. Close the console. -#### Windows Hello for Business authentication certificate template +#### Creating Windows Hello for Business authentication certiicate template During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. -##### Creating Windows Hello for Business authentication certiicate template - Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. 
@@ -142,7 +141,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. -##### Mark the template as the Windows Hello Sign-in template +#### Mark the template as the Windows Hello Sign-in template Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. 1. Open an elevated command prompt. 
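Review bot: the promotion of `Mark the template as the Windows Hello Sign-in template` to `####` is consistent with the `####` heading now used for the authentication template, but the step-13 context line still reads `Configuration Manger`; fix it to `Configuration Manager` while this section is being touched.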
@@ -152,31 +151,17 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. Publish Templates -### Publishing Certificate Templates +### Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. -#### Publish Certificate Templates to a Certificate Authority -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. 
Publish the **WHFB Enrollment Agent**, **WHFB Authentication** certificate template using step 5. -7. Close the console. - - -### Unpublishing Superseded Certificate Templates +### Unpublish Superseded Certificate Templates The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. -#### Unpublish Superseded Certificate Templates - Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 
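Review bot: the seven-step publishing procedure (the `Sign-in a certificate authority ...` line and steps 1 to 7, which publish the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates) is deleted together with the duplicate `####` heading, so the renamed `### Publish Certificate Templates to a Certificate Authority` section is left with only an introductory paragraph and never tells the reader how to publish the templates. Keep the steps under the merged heading and remove only the redundant heading and its blank lines. The stray `Publish Templates` line just above `-### Publishing Certificate Templates` also looks like leftover text, and `Its important` in the note context should be `It's important`.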
@@ -185,23 +170,25 @@ Sign-in to the certificate authority or management workstation with _Enterprise 4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. -### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [x] Public Key Infrastructure - - [ ] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision +> [!div class="step-by-step"] +[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md) + + + +### Section Review + + + + +
+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Windows Hello for Business settings: PKI (*You are here*) +5. Sign-in and Provision diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index a7594f3319..b1dd44cff9 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: MikeStephens-MS +author: DaniHalfin ms.author: mstephen localizationpriority: high --- @@ -32,7 +32,7 @@ The configuration for Windows Hello for Business is grouped in four categories. For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration -> [! div class="step-by-step"] +> [!div class="step-by-step"] [Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
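Review bot: in the `@@ -185,23 +170,25 @@` hunk of hello-hybrid-cert-whfb-settings-pki.md, `+### Section Review` is added with nothing under it (only blank `+` lines follow before `## Follow the Windows Hello for Business hybrid certificate trust deployment guide`) while the checklist it replaces is deleted wholesale; either restore the review items under the heading or drop the empty heading and the trailing blank lines. `Prerequistes` in the added step list should be `Prerequisites`.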
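Review bot: in the `@@ -6,7 +6,7 @@` hunk of hello-hybrid-cert-whfb-settings.md, `author:` is switched from `MikeStephens-MS` to `DaniHalfin` while `ms.author: mstephen` is left as is, so the two author fields now disagree; later patches in this series set `author: mikestephens-MS` on the sibling pages, so confirm which handle is intended before flipping it here. The context line `For the most efficent deployment` also has a typo (`efficient`).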
From d69373774cdb3939634bbbd8701b92f5dd6ca9cb Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 22 Aug 2017 11:04:31 -0700 Subject: [PATCH 20/51] updating metadata --- .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 0ed1cc4a76..374308c69a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,5 +1,5 @@ --- -title: Configuring Windows Hello for Business: Active Directory +title: Configuring Windows Hello for Business: Active Directory (Windows Hello for Business) description: Configuring Windows Hello for Business: Active Directory keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 33d958da6d..6114139e30 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Hello for Business: Public Key Infrastructure +title: Configure Windows Hello for Business: Public Key Infrastructure(Windows Hello for Business) description: Configure Windows Hello for Business: Public Key Infrastructure keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 
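Review bot: in the hello-hybrid-cert-whfb-settings-ad.md hunk, the new `title:` value `Configuring Windows Hello for Business: Active Directory (Windows Hello for Business)` contains an unquoted `: ` inside a YAML scalar, which YAML parsers treat as the start of a nested mapping and reject or mis-parse; quote the value or use a different separator (a later patch in this series swaps the colon for ` - ` for exactly this reason). The `description:` line has the same problem.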
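Review bot: in the hello-hybrid-cert-whfb-settings-pki.md hunk, `Public Key Infrastructure(Windows Hello for Business)` is missing the space before the parenthesis; the ad.md title in this same patch has it. As with that title, the unquoted `: ` inside the YAML `title:` value should be quoted or replaced, since YAML reads it as a nested key.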
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index b1dd44cff9..b0aaee5487 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Hello for Business Settings +title: Configure Windows Hello for Business Settings (Windows Hello for Business) description: Configure Windows Hello for Business Settings keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 From 1912ea38818a27290b01cedfc769cfb89d010b6c Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 22 Aug 2017 11:20:22 -0700 Subject: [PATCH 21/51] fixing formatting hopefully --- .../hello-hybrid-cert-whfb-settings-ad.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 374308c69a..9d738655b6 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -14,18 +14,18 @@ localizationpriority: high # Configuring Windows Hello for Business: Active Directory **Applies to** -- Windows10 +- Windows 10 > This guide only applies to Windows 10, version 1703 or higher. -> [!div class="step-by-step"] +>[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) [ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) The key synchronizaqtion process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. -> [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. +>[!IMPORTANT] +>If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. ## Upgrading Active Directory to the Windows Server 2016 Schema @@ -35,7 +35,7 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** To locate the schema master role holder, open and command prompt and type: -```Netdom query fsmo | findstr -i schema``` +```Netdom query fsmo | findstr -i schema``` ![Netdom example output](images\hello-cmd-netdom.png) @@ -95,7 +95,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva > * Create the Windows Hello for Business Users group -> [!div class="step-by-step"] +>[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) [ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) From 9d2816d65448a5360293a4abed2c052f2461380c Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 22 Aug 2017 11:22:02 -0700 Subject: [PATCH 22/51] one last fix --- .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 1 - 1 file changed, 1 deletion(-) 
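Review bot: in the `@@ -14,18 +14,18 @@` hunk, the context line `The key synchronizaqtion process ...` still carries the typo `synchronizaqtion` (a later patch in this series fixes it, but it could be folded in here). Changing `> [!div ...]` / `> [!IMPORTANT]` to `>[!div ...]` / `>[!IMPORTANT]` is whitespace-only and harmless to Markdown, but the pki page in this series keeps the spaced `> [!div class="step-by-step"]` form, so pick one style across the pages.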
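Review bot: in the `@@ -35,7 +35,7 @@` hunk, the `-`/`+` pair around ```` ```Netdom query fsmo | findstr -i schema``` ```` shows no visible difference, so this is a whitespace or line-ending-only change; say so in the commit message if a trailing space was the intent. Triple backticks opened and closed on a single line render as an inline code span rather than a code block, so if a block is intended put the fences on their own lines. The context `open and command prompt and type` should read `open a command prompt and type`.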
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 9d738655b6..c9d7524e8b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -10,7 +10,6 @@ author: DaniHalfin ms.author: mstephen localizationpriority: high --- - # Configuring Windows Hello for Business: Active Directory **Applies to** From f2adae996fcb499626492c5d7cd2643c4dd6459f Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 22 Aug 2017 11:32:00 -0700 Subject: [PATCH 23/51] latest fix removed ":" from metadata --- .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index c9d7524e8b..ba4b6f4258 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,6 +1,6 @@ --- -title: Configuring Windows Hello for Business: Active Directory (Windows Hello for Business) -description: Configuring Windows Hello for Business: Active Directory +title: Configuring Windows Hello for Business - Active Directory (Windows Hello for Business) +description: Configuring Windows Hello for Business - Active Directory keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 ms.mktglfcycl: deploy From 3b7d2c9401e71dc96e843576d661d86d59de3e8f Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 22 Aug 2017 11:33:07 -0700 Subject: [PATCH 24/51] content changes --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 6114139e30..c41303b9ee 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -33,7 +33,7 @@ This section has you configure certificate templates on your Windows Server 2012 ### Domain Controller certificate template -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domainnamely the enterprise certificate authority. +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. From ee62bdfe86a31a37071df1fcf6ed7d5ef96c596b Mon Sep 17 00:00:00 2001 
From: Dani Halfin Date: Tue, 22 Aug 2017 12:43:43 -0700 Subject: [PATCH 25/51] trying to fix header --- .../hello-hybrid-cert-whfb-settings-ad.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index ba4b6f4258..80fa7f07e7 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,14 +1,14 @@ --- -title: Configuring Windows Hello for Business - Active Directory (Windows Hello for Business) -description: Configuring Windows Hello for Business - Active Directory +title: Configuring Windows Hello for Business - Hybrid - Active Directory +description: Configuring Windows Hello for Business - Hybrid - Active Directory keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile +localizationpriority: high author: DaniHalfin ms.author: mstephen -localizationpriority: high --- # Configuring Windows Hello for Business: Active Directory From fcd6e26d7799dc441583f834bae564e16ffa70aa Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 22 Aug 2017 12:53:43 -0700 Subject: [PATCH 26/51] trying to change author to github account --- .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 80fa7f07e7..21f5bfc082 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile localizationpriority: high -author: DaniHalfin +author: mikestephens-MS ms.author: mstephen --- # Configuring Windows Hello for Business: Active Directory From 4f421cbe4c0771fe6e3f8d56275d8b08b8f537d3 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 22 Aug 2017 13:41:11 -0700 Subject: [PATCH 27/51] fixing metadata and some other stuff --- .../hello-hybrid-cert-whfb-settings-ad.md | 12 +++---- .../hello-hybrid-cert-whfb-settings-adfs.md | 24 ++++++------- ...ello-hybrid-cert-whfb-settings-dir-sync.md | 14 ++++---- .../hello-hybrid-cert-whfb-settings-pki.md | 36 +++++++++---------- .../hello-hybrid-cert-whfb-settings-policy.md | 24 ++++++------- .../hello-hybrid-cert-whfb-settings.md | 13 +++---- 6 files changed, 61 insertions(+), 62 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 21f5bfc082..31f92f84f6 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,7 +1,7 @@ --- -title: Configuring Windows Hello for Business - Hybrid - Active Directory -description: Configuring Windows Hello for Business - Hybrid - Active Directory -keywords: identity, PIN, biometric, Hello, passport, WHFB +title: Configuring Hybrid Windows Hello for Business - Active Directory (AD) +description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, ad ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
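Review bot: in the `@@ -7,7 +7,7 @@` hunk, `author: mikestephens-MS` differs in case from the `MikeStephens-MS` value an earlier patch in this series removed from hello-hybrid-cert-whfb-settings.md; confirm which spelling the docs build expects and use the same one on every Hello for Business page so the author field stops churning between commits.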
@@ -15,15 +15,15 @@ ms.author: mstephen **Applies to** - Windows 10 -> This guide only applies to Windows 10, version 1703 or higher. - >[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) [ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) -The key synchronizaqtion process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. +The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. >[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +> >If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. ## Upgrading Active Directory to the Windows Server 2016 Schema diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index a028f90c3f..ad9fad9d6d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -1,25 +1,25 @@ --- -title: Configure Windows Hello for Business: Active Directory Federation Services -description: Configure Windows Hello for Business: Active Directory Federation Services -keywords: identity, PIN, biometric, Hello, passport, WHFB +title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS) +description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.author: mstephen localizationpriority: high +author: mikestephens-MS +ms.author: mstephen --- # Configure Windows Hello for Business: Active Directory Federation Services **Applies to** -- Windows10 - -> This guide only applies to Windows 10, version 1703 or higher. - +- Windows10 ## Federation Services +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. 
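Review bot: in the `@@ -1,25 +1,25 @@` hunk of hello-hybrid-cert-whfb-settings-adfs.md, `- Windows10` is deleted and re-added unchanged, still missing the space (the ad, pki and dir-sync pages in this same patch write `- Windows 10`), and the blank line between it and `## Federation Services` is dropped so the heading now butts against the list item; keep the blank line. The context `Active Directory Fedeartion Server` is also misspelled (`Federation`).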
@@ -42,7 +42,7 @@ The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. >[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It�s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. ### Group Memberships for the AD FS Service Account 
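Review bot: the replacement line introduces `It�s important`, a U+FFFD replacement character where a curly apostrophe was pasted from a non-UTF-8 source; the original `Its` lacked the apostrophe but was at least clean text. Write `It's` with a plain ASCII apostrophe and make sure the file is saved as UTF-8. In the same sentence, `WHFBAuthentication` should be bold like **WHFBEnrollmentAgent** for consistency.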
@@ -54,11 +54,11 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. 3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add** +4. Click the **Members** tab and click **Add�** 5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. 7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add** +8. Click the **Members** tab and click **Add�** 9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. 10. Click **OK** to return to **Active Directory Users and Computers**. 11. Change to server hosting the AD FS role and restart it. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 4b6e0b0e8a..7adfbbef5b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
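Review bot: `Add�` in the replaced steps 4 and 8 is a mis-encoded ellipsis (U+FFFD); write `Add...` or simply `Add`. Separately, step 7 in context, `Right-click **Windows Hello for Business Users** group`, never says to click **Properties**, unlike step 3, so no dialog is open when step 8 tells the reader to click the **Members** tab; add the missing `and click **Properties**`.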
@@ -1,21 +1,19 @@ --- -title: Configure Windows Hello for Business: Directory Synchronization -description: Configure Windows Hello for Business: Directory Synchronization -keywords: identity, PIN, biometric, Hello, passport, WHFB +title: Configuring Hybrid Windows Hello for Business - Directory Synchronization +description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.author: mstephen localizationpriority: high +author: mikestephens-MS +ms.author: mstephen --- # Configure Windows Hello for Business: Directory Synchronization **Applies to** -- Windows10 - -> This guide only applies to Windows 10, version 1703 or higher. +- Windows 10 ## Directory Syncrhonization diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index c41303b9ee..24470fe21c 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
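Review bot: in the `@@ -1,21 +1,19 @@` hunk of hello-hybrid-cert-whfb-settings-dir-sync.md, the `> This guide only applies to Windows 10, version 1703 or higher.` note is removed without being re-added as an `[!IMPORTANT]` block, whereas the ad, adfs and pki pages in this same patch move it into one; restore it here unless directory synchronization genuinely has no version dependency. The context heading `## Directory Syncrhonization` is misspelled (`Synchronization`).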
@@ -1,27 +1,27 @@ --- -title: Configure Windows Hello for Business: Public Key Infrastructure(Windows Hello for Business) -description: Configure Windows Hello for Business: Public Key Infrastructure -keywords: identity, PIN, biometric, Hello, passport, WHFB +title: Configuring Hybrid Windows Hello for Business - Public Key Infrastructure (PKI) +description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.author: mstephen localizationpriority: high +author: mikestephens-MS +ms.author: mstephen --- # Configure Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows10 - -> This guide only applies to Windows 10, version 1703 or higher. +- Windows 10 > [!div class="step-by-step"] [< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md) [ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md) +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. 
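Review bot: in the `@@ -1,27 +1,27 @@` hunk of hello-hybrid-cert-whfb-settings-pki.md, the inserted `>[!IMPORTANT]` block directly follows the navigation lines with no blank line; because `[< Configure ...]` and `[ Configure ... ADFS >]` are lazy continuation lines of the `> [!div class="step-by-step"]` blockquote, the IMPORTANT block will be parsed as part of that same blockquote. Put a blank line before `>[!IMPORTANT]`. The context paragraph also has `certifcates`, `encyrpt` and `flows them` (should be `flows between them`).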
@@ -47,15 +47,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprises needs. - **Note**If you use different template names, youll need to remember and substitute these names in different portions of the lab. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise�s needs. + **Note**If you use different template names, you�ll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. #### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template -Many domain controllers may have an existing domain controller certificate. 
The Active Directory Certificate Services provides a default certificate template from domain controllersthe domain controller certificate template. Later releases provided a new certificate templatethe domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers�the domain controller certificate template. Later releases provided a new certificate template�the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). 
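Review bot: the replacement lines in the `@@ -47,15 +47,15 @@` hunk introduce `enterprise�s`, `you�ll`, `controllers�the` and `template�the`, U+FFFD replacement characters where curly apostrophes and em dashes were pasted in a non-UTF-8 encoding; the lines being replaced were merely missing the punctuation. Use ASCII `enterprise's`, `you'll` and ` - ` (or save the file as UTF-8). In context, `#### Configure Certificate Suspeding ...` misspells `Superseding`, and `**Note**If you use` needs a space or colon after the bold.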
@@ -79,7 +79,7 @@ The certificate template is configured to supersede all the certificate template Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. -Approximately 60 days prior to enrollment agent certificates expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. +Approximately 60 days prior to enrollment agent certificate�s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. > [!IMPORTANT] > Follow the procedures below based on the AD FS service account used in your environment. 
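Review bot: `certificate�s expiration` in the replacement line is the same mis-encoded apostrophe; use `certificate's` (and the article is missing: `prior to the enrollment agent certificate's expiration`).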
@@ -92,7 +92,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise�s needs. 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 
@@ -111,7 +111,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise�s needs. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. 
@@ -128,8 +128,8 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. - **Note:** If you use different template names, youll need to remember and substitute these names in different portions of the deployment. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise�s needs. + **Note:** If you use different template names, you�ll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. 
@@ -145,10 +145,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. 1. Open an elevated command prompt. -2. Run `certutil dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +2. Run `certutil �dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` >[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It�s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. Publish Templates ### Publish Certificate Templates to a Certificate Authority diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index c458526464..a117af0704 100644 
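Review bot: The `+` lines in the `@@ -79,7`, `@@ -92,7`, `@@ -111,7`, `@@ -128,8` and `@@ -145,10` hunks replace the missing apostrophes and dashes with the U+FFFD replacement character (`certificate�s expiration`, `enterprise�s needs`, `you�ll`, `It�s`, `domain controllers�the`), so the encoding problem this change was meant to repair is carried into the new text; save the file as UTF-8 and use plain ASCII `'` and `-` instead. The one that matters operationally is in the `@@ -145,10` hunk, where `certutil �dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` puts the replacement character where the switch prefix belongs; it should read `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`, otherwise an administrator pasting the command gets a syntax error instead of the Hello logon key flag being set on the template. In the same hunk's note, "on our Windows Server 2012 or later certificate authority" should be "on your".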
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,25 +1,25 @@ --- -title: Configure Windows Hello for Business: Group Policy -description: Configure Windows Hello for Business: Group Policy +title: Configuring Hybrid Windows Hello for Business - Group Policy +description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.author: mstephen localizationpriority: high +author: mikestephens-MS +ms.author: mstephen --- # Configure Windows Hello for Business: Group Policy **Applies to** -- Windows10 - -> This guide only applies to Windows 10, version 1703 or higher. - +- Windows 10 ## Policy Configuration +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. 
@@ -49,7 +49,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client Auto-Enrollment** and select **Properties**. +8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. 9. Select **Enabled** from the **Configuration Model** list. 10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 11. Select the **Update certificates that use certificate templates** check box. @@ -60,7 +60,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO** +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�** 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. ### Windows Hello for Business Group Policy 
@@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 4. In the navigation pane, expand **Policies** under **User Configuration**. 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client Auto-Enrollment** and select **Properties**. +6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 9. Select the **Update certificates that use certificate templates** check box. 
@@ -128,7 +128,7 @@ The best way to deploy the Windows Hello for Business Group Policy object is to The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO�** 3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index b0aaee5487..dcaad89239 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
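Review bot: Same encoding regression in the `@@ -49,7`, `@@ -60,7`, `@@ -108,7` and `@@ -128,7` hunks of hello-hybrid-cert-whfb-settings-policy.md: the `+` lines render the dash and the ellipsis as `�` (`Certificate Services Client � Auto-Enrollment`, `Link an existing GPO�`), so the UI labels the reader is told to right-click no longer match what the console shows. Suggest `Certificate Services Client - Auto-Enrollment` and `Link an existing GPO...` so the page does not depend on how the file is encoded.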
@@ -1,24 +1,25 @@ --- -title: Configure Windows Hello for Business Settings (Windows Hello for Business) -description: Configure Windows Hello for Business Settings +title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) +description: Configuring Windows Hello for Business Settings in Hybrid deployment keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.author: mstephen localizationpriority: high +author: mikestephens-MS +ms.author: mstephen --- # Configure Windows Hello for Business **Applies to** - Windows 10 -> This guide only applies to Windows 10, version 1703 or higher. - > [!div class="step-by-step"] [Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] From 69cd22faa6bcac97681c2c050c14dac2b7ae103d Mon Sep 17 00:00:00 2001 
From: Mike Stephens Date: Tue, 22 Aug 2017 19:32:26 -0700 Subject: [PATCH 28/51] More content and style changes --- .../hello-hybrid-cert-new-install.md | 6 +- .../hello-hybrid-cert-trust-prereqs.md | 14 ++--- .../hello-hybrid-cert-trust.md | 4 +- .../hello-hybrid-cert-whfb-provision.md | 61 +++++++++++++++++++ .../hello-hybrid-cert-whfb-settings-ad.md | 2 +- .../hello-hybrid-cert-whfb-settings-adfs.md | 38 ++++++------ ...ello-hybrid-cert-whfb-settings-dir-sync.md | 5 +- .../hello-hybrid-cert-whfb-settings-pki.md | 4 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- .../hello-hybrid-cert-whfb-settings.md | 2 +- 10 files changed, 99 insertions(+), 39 deletions(-) create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index 3abb788874..0e474a201d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: mikestephens-MS ms.author: mstephen localizationpriority: high --- @@ -15,7 +15,7 @@ localizationpriority: high **Applies to** - Windows 10 -> This guide only applies to Windows 10, version 1703 or higher. +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies 
@@ -195,4 +195,4 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide. 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -5. Sign-in and Provision \ No newline at end of file +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 29b5f381a9..9b3f11ed30 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -1,22 +1,22 @@ --- -title: Validate Public Key Infrastructure (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport +title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business) +description: Prerequisites for Hybrid Windows Hello for Business Deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: mikestephens-MS ms.author: mstephen localizationpriority: high --- -# Hybrid Certificate Trust Prerequisites +# Hybrid Windows Hello for Business Prerequisites **Applies to** - Windows 10 -> This guide only applies to Windows 10, version 1703 or higher. +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Hybrid environments are distributed systems that enable organizations to use on-premises and Azure resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. @@ -121,4 +121,4 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide. 2. Prerequistes (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -5. Sign-in and Provision \ No newline at end of file +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index d5045ebf49..9aa02bf959 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md 
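Review bot: The new `title:` line in the hello-hybrid-cert-trust-prereqs.md front-matter hunk (`@@ -1,22 +1,22 @@`) carries the misspelling `Prerequistes` into page metadata, where it will surface in the browser tab and search results; it should read `Prerequisites`, matching the corrected heading `# Hybrid Windows Hello for Business Prerequisites` added in the same hunk. The unchanged step-list entry `2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)` repeats the misspelling in every file this patch touches; since each of those lists is already being edited for step 5, fix the link text in the same pass.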
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -15,7 +15,7 @@ localizationpriority: high **Applies to** - Windows 10 -> This guide only applies to Windows 10, version 1703 or higher. +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. @@ -42,4 +42,4 @@ Regardless of the baseline you choose, you’re next step is to familiarize your 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -5. Sign-in and Provision \ No newline at end of file +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md new file mode 100644 index 0000000000..e04b8cc73b --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -0,0 +1,61 @@ +--- +title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business) +description: Provisioning for Hybrid Windows Hello for Business Deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +--- +# Hybrid Windows Hello for Business Provisioning + +**Applies to** +- Windows 10 + + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +## Provisioning +The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. + + + +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**. + + + +The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. + + + +After a successful MFA, the provisioning flow asks the user to create and validate a PIN. 
This PIN must observe any PIN complexity requirements that you deployed to the environment. + + + +The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. +* A successful single factor authentication (username and password at sign-in) +* A device that has successfully completed device registration +* A fresh, successful multi-factor authentication +* A validated PIN that meets the PIN complexity requirements + +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. + +>[!IMPORTANT] +>The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has syncrhonized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. + +>[!NOTE] +> Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. + +After a successfully key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. +The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. 
On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that provisioning is complete and they can immediately use their PIN to sign-in. + +  + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 31f92f84f6..6c4e73ef26 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -107,4 +107,4 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Windows Hello for Business settings: Active Directory (*You are here*) -5. Sign-in and Provision \ No newline at end of file +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index ad9fad9d6d..947af19002 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
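Review bot: The new file hello-hybrid-cert-whfb-provision.md (`@@ -0,0 +1,61 @@`) ships with several spelling and grammar errors in the added lines that should be fixed before it is published: `syncrhonizes`, `syncrhonize`, `syncrhonized` and `syncrhonization` (synchronizes etc.), `thier` (their), `After a successfully key registration` (After a successful key registration), `Windows send the certificate request` (sends), and `Microsoft is actively investigating in ways to reduce` (investigating ways). The sentence `A failed or timeout MFA results in an error` should read `A failed or timed-out MFA attempt results in an error`. The content itself is a clear walk-through of the provisioning checks (device registration, MFA, PIN, key registration, RA-signed certificate request), so the IMPORTANT note on the 30-minute synchronization latency is a useful addition; consider also naming the `User Device Registration` log once more next to the certificate-enrollment step so the reader knows where to look when enrollment stalls after key sync.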
@@ -20,6 +20,11 @@ ms.author: mstephen >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +>[!div class="step-by-step"] +[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings-policy.md) + + The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. 
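Review bot: The step-by-step navigation added in the `@@ -20,6 +20,11 @@` hunk looks inconsistent in direction: the forward marker `>` is on `[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md)` while the backward marker `<` is on `[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings-policy.md)`, yet the Section Review checklist removed in the next hunk lists Public Key Infrastructure before Federation Services and Group Policy after it, which would make PKI the previous page and Group Policy the next one. Please verify the two targets are the intended previous/next pages and give the backward link a specific label (`Configure Windows Hello for Business: PKI`); also drop the stray leading space inside `[ Configure`.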
@@ -54,32 +59,23 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. 3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add�** +4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. 7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add�** +8. Click the **Members** tab and click **Add** 9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. 10. Click **OK** to return to **Active Directory Users and Computers**. 11. Change to server hosting the AD FS role and restart it. -### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [x] Public Key Infrastructure - - [x] Federation Services - - [ ] Group Policy -- [ ] Sign-in and Provision +
+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Windows Hello for Business settings (*You are here*) +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 7adfbbef5b..3ca478b17b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -10,13 +10,16 @@ localizationpriority: high author: mikestephens-MS ms.author: mstephen --- -# Configure Windows Hello for Business: Directory Synchronization +# Configure Hybrid Windows Hello for Business: Directory Synchronization **Applies to** - Windows 10 ## Directory Syncrhonization +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 24470fe21c..35b02c4710 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
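Review bot: The `@@ -10,13 +10,16 @@` hunk in hello-hybrid-cert-whfb-settings-dir-sync.md inserts the IMPORTANT callout directly under the heading `## Directory Syncrhonization`, which is misspelled in the unchanged context line, as are `crednetial` and `syncrhonizes` in the paragraph immediately below the insertion; since the hunk already touches this block, fold those fixes in (`Synchronization`, `credential`, `synchronizes`). The adfs hunk above it does correctly replace `Add�` with `Add` on two lines, which is the fix the earlier files in this patch series still need.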
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -11,7 +11,7 @@ author: mikestephens-MS ms.author: mstephen --- -# Configure Windows Hello for Business: Public Key Infrastructure +# Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** - Windows 10 @@ -190,5 +190,5 @@ Sign-in to the certificate authority or management workstation with _Enterprise 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Windows Hello for Business settings: PKI (*You are here*) -5. Sign-in and Provision +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index a117af0704..bf62e333c7 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -10,7 +10,7 @@ localizationpriority: high author: mikestephens-MS ms.author: mstephen --- -# Configure Windows Hello for Business: Group Policy +# Configure Hybrid Windows Hello for Business: Group Policy **Applies to** - Windows 10 diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index dcaad89239..b9e92550cb 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -45,4 +45,4 @@ For the most efficent deployment, configure these technologies in order beginnin 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Windows Hello for Business settings (*You are here*) -5. Sign-in and Provision \ No newline at end of file +5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file From aa3dfaccb584158d0de93cb68b660998e24d5c4d Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 31 Aug 2017 14:03:56 -0700 Subject: [PATCH 29/51] Updates --- .../hello-hybrid-cert-new-install.md | 6 +++--- .../hello-hybrid-cert-trust-prereqs.md | 12 ++++++------ .../hello-for-business/hello-hybrid-cert-trust.md | 8 ++++---- .../hello-hybrid-cert-whfb-provision.md | 7 +++++-- .../hello-hybrid-cert-whfb-settings-ad.md | 2 +- .../hello-hybrid-cert-whfb-settings.md | 4 ++-- 6 files changed, 21 insertions(+), 18 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index 0e474a201d..951b55bfe7 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -26,7 +26,7 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory Federation Services](#active-directory-federation-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure new. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings. +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. 
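Review bot: the rewritten line in hunk @@ -26,7 of hello-hybrid-cert-new-install.md still carries `exsting envrionment` and `If you're environment meets these needs`; since the sentence is being rewritten, correct these to `existing environment` and `If your environment meets these needs` in the same change.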
@@ -34,7 +34,7 @@ The new installation baseline begins with a basic Active Directory deployment an ## Active Directory ## Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization. -Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting of issue, such as Active Directory replication, which is unrelated to project goal. +Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. ### Section Review 
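Review bot: the new wording in hunk @@ -34,7 is still ungrammatical: `can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal`. Suggest `can avoid troubleshooting issues, such as Active Directory replication problems, that are unrelated to the activity's goal`, which keeps the point that fewer domain controllers mean less replication noise in a lab.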
@@ -47,7 +47,7 @@ Lab environments and isolated proof of concepts may want to limit the number of Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. ### Lab-based public key infrastructure diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 9b3f11ed30..4147f2d87a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -18,9 +18,9 @@ localizationpriority: high >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. -The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. Specific pieces of the infrastructure include: +The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) * [Public Key Infrastucture](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) 
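Review bot: in hunk @@ -18,9 of hello-hybrid-cert-trust-prereqs.md the unchanged list item `* [Public Key Infrastucture](#public-key-infastructure)` links to an anchor that does not match the `## Public Key Infrastructure ##` heading shown in hunk @@ -50,7, so the in-page link is broken; change the item to `* [Public Key Infrastructure](#public-key-infrastructure)` while this list is being edited.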
@@ -29,9 +29,9 @@ The distributed systems on which these technologies were built involved several * [Device Registration](#device-registration) ## Directories ## -Hybrid Windows Hello for Business needs two directories—and on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. +Hybrid Windows Hello for Business needs two directories: an on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Busines deployment needs Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription. +A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription. Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. However, it does requires the Windows Server 2016 Active Directory schema. @@ -50,7 +50,7 @@ Review these requirements and those from the Windows Hello for Business planning
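Review bot: hunk @@ -29,9 of hello-hybrid-cert-trust-prereqs.md adds one missing article but leaves the parallel one out: the rewritten paragraph still reads `A hybrid Windows Hello for Busines deployment` and ends `do not require Azure Active Directory premium subscription`; change to `Business` and `an Azure Active Directory Premium subscription`. The unchanged context line `it does requires the Windows Server 2016 Active Directory schema` should read `it does require`.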
## Public Key Infrastructure ## -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. @@ -86,7 +86,7 @@ Federating your on-premises Active Directory with Azure Active Directory ensures
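Review bot: in hunk @@ -50,7 the rewrite drops `as legitimate`, which removes the reason the domain controller certificate exists; the sentence now says only that devices `trust the domain controller`, not that the certificate lets the client verify it is talking to a legitimate domain controller rather than a rogue one, which is the point the new-install page makes in the previous file. Suggest `Domain controllers for hybrid deployments need a certificate so that Windows 10 devices can verify they are authenticating to a legitimate domain controller.` The following context line also has `Federation Server (AS FS)` for `AD FS` and `deployment use` for `deployments use`.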
## Multifactor Authentication ## -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor and a second factor of authentication. +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 9aa02bf959..3b32e32413 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md 
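Review bot: the rewritten line in hunk @@ -86,7 introduces a sentence fragment: `...using their username and password as one factor. but needs a second factor of authentication.` Replace the period with a comma (`as one factor, but needs a second factor of authentication`). The same line still has `credential the helps` (`that helps`), and the unchanged context line has `multifactor authentication provides by` (`provided by`).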
@@ -20,19 +20,19 @@ localizationpriority: high Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -It is recommended that review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). +It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline ## -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations how are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves by deploying a lab environment. 
+The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations how are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. ## Federated Baseline ## -The federated baseline helps organizations who have completed their federation with Azure Active Directory and Office 365 introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed add Windows Hello for Business to an existing hybrid deployment. +The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Windows Hello for Business to an existing hybrid deployment. -Regardless of the baseline you choose, you’re next step is to familiarize yourself with the Prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. 
Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
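Review bot: the rewritten lines in hunk @@ -20,19 of hello-hybrid-cert-trust.md still contain `organizations how are looking to deploy proof of concepts`, `familiarize themselves Windows Hello for Business` and `you're next step`; correct to `organizations that are looking`, `familiarize themselves with Windows Hello for Business` and `your next step`. Splitting the last paragraph in two also leaves a trailing space after `needed for the deployment.`.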


diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e04b8cc73b..b6f18b025b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -53,9 +53,12 @@ The remainder of the provisioning includes Windows Hello for Business requesting >[!NOTE] > Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. -After a successfully key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. +After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. + The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that provisioning is complete and they can immediately use their PIN to sign-in. + +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. 
Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +   diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 6c4e73ef26..f11a19428e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -17,7 +17,7 @@ ms.author: mstephen >[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[ Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index b9e92550cb..a858847f04 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -16,7 +16,7 @@ ms.author: mstephen - Windows 10 > [!div class="step-by-step"] -[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. 
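Review bot: in hunk @@ -53,9 of hello-hybrid-cert-whfb-provision.md the rewritten paragraph says `The certificate authority validates the certificate was signed by the registration authority`, but at that point no certificate exists yet: the registration authority signs the certificate request with its enrollment agent certificate (as the line above states), and that signature on the request is what the CA checks before issuing. Change to `validates the certificate request was signed by the registration authority`. The same hunk keeps `Windows send the certificate request` (`sends`) and `syncrhonization` in the note above it.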
@@ -34,7 +34,7 @@ The configuration for Windows Hello for Business is grouped in four categories. For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] -[Configure Windows Hello for Business: Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)
From a14fe5c3047e913764d7e5b3d6b91458c1731117 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 31 Aug 2017 17:34:50 -0700 Subject: [PATCH 30/51] More updates --- .../hello-hybrid-cert-whfb-settings-ad.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index f11a19428e..e1cdf2ae97 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -17,7 +17,7 @@ ms.author: mstephen >[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[ Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. @@ -57,7 +57,7 @@ Sign-in to the domain controller hosting the schema master operational role usin Windows Hello for Business uses several security groups to simplify the deployment and managment. > [!Important] -> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCrednetials Admins Security Group**. +> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller. #### Create the KeyCredential Admins Security Group 
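Review bot: hunk @@ -17,7 of hello-hybrid-cert-whfb-settings-ad.md replaces the next-step link with `[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)`, which drops the ` >` marker the step-by-step navigation uses for the forward link (compare `[< Configure Windows Hello for Business]` directly above it), and the patch stats list only this one file, so hello-hybrid-cert-whfb-settings-dir-sync.md must be added elsewhere in the series or the link is dangling. In hunk @@ -57,7 the corrected bold reference `**Create the KeyCredentials Admins Security Group**` still does not match the heading it points to, `#### Create the KeyCredential Admins Security Group` (singular); align one with the other, and fix `managment` in the context line.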
@@ -74,7 +74,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva #### Create the Windows Hello for Business Users Security Group -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. @@ -96,7 +96,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva >[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)
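Review bot: hunk @@ -96,7 has the same problem as @@ -17,7 in this file: the new `[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md)` link lacks the trailing ` >` used for forward navigation and depends on a file this patch does not add. Keep the two navigation blocks identical and add the marker to both.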
From 343daf1530ca8ec7817f2ced5e35bf2b9484cfd0 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 1 Sep 2017 18:20:30 -0700 Subject: [PATCH 31/51] New device registration section based on feedback Start of document restructure based on feedback. --- .../hello-hybrid-cert-new-install.md | 25 - .../hello-hybrid-cert-trust-devreg.md | 511 ++++++++++++++++++ .../hello-hybrid-cert-trust-prereqs.md | 6 +- .../hello-hybrid-cert-trust.md | 7 +- .../hello-hybrid-cert-whfb-settings-ad.md | 28 - .../images/hybridct/device1.png | Bin 0 -> 89361 bytes .../images/hybridct/device2.png | Bin 0 -> 181429 bytes .../images/hybridct/device3.png | Bin 0 -> 50168 bytes .../images/hybridct/device4.png | Bin 0 -> 29047 bytes .../images/hybridct/device5.png | Bin 0 -> 9031 bytes .../images/hybridct/device6.png | Bin 0 -> 55867 bytes .../images/hybridct/device7.png | Bin 0 -> 81228 bytes .../images/hybridct/device8.png | Bin 0 -> 358525 bytes 13 files changed, 518 insertions(+), 59 deletions(-) create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device1.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device2.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device3.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device4.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device5.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device6.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device7.png create mode 100644 windows/access-protection/hello-for-business/images/hybridct/device8.png 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index 951b55bfe7..99ae12c00f 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -92,35 +92,10 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Create an Azure Active Directory Tenant. > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. -### Directory Synchronization ### -At this point, you should have your Active Directory installed and configured with user and computer accounts. You should also have an enterprise certificate authority, and you should have provisioned your Azure tenant. - -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, you’ll download, install, and configure Azure Active Directory Connect. - -### Section Review - -> [!div class="checklist"] -> * Review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect). -> * Review the [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). -> * Follow the [Express Installation](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express) to configure directory synchronization. -## Active Directory Federation Services -Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud. -### Federation Services ### -Non-production environments can evaluate Windows Hello for Business using a single AD FS server and AD FS Web Proxy. Production deployment should follow the recommended planning and deployment guidelines. 
-If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. -Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. - -Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. -> [!IMPORTANT] -> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures as these configurations are not needed. - -### ADFS Web Proxy ### -Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. -Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. #### Multiple Domains #### Federating multiple, top-level domains with Azure AD requires some additional configuration that is not required when federating with one top-level domain. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md new file mode 100644 index 0000000000..1794f87811 --- /dev/null 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
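Review bot: hunk @@ -92,35 of hello-hybrid-cert-new-install.md deletes the `## Active Directory Federation Services` heading together with its `### Federation Services ###` and `### ADFS Web Proxy ###` subsections but leaves `#### Multiple Domains ####` in place, so that subsection now hangs under the Azure tenant section, and the bullet `* [Active Directory Federation Services](#active-directory-federation-services)` near the top of the same file (visible in hunk @@ -26,7 of the previous patch) now points at a heading that no longer exists. Either move `Multiple Domains` to the new device-registration page with the rest of the AD FS content, or keep a short AD FS heading here that points to it, and update the bullet list either way.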
@@ -0,0 +1,511 @@ +--- +title: Configure Device Registration for Hybrid Windows Hello for Business +description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +--- +# Configure Device Registration for Hybrid Windows Hello for Business + +**Applies to** +- Windows10 + +> [!div class="step-by-step"] +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. + +> [!IMPORTANT] +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. + +Use this three phased approach for configuring device registration. +1. [Configure devices to register in Azure](#configure-azure-for-device-registration) +2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) +3. 
[Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) +>!NOTE +> Before proceeding, you should familiarize yourself with device regisration concepts such as: +>* Azure AD registered devices +>* Azure AD joined devices +>* Hybrid Azure AD joined devices +> +>You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) + +## Configure Azure for Device Registration +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. + +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) + +## Configure Active Directory to support Azure device syncrhonization + +Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema + +### Upgrading Active Directory to the Windows Server 2016 Schema + +To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. + +>!IMPORTANT +>If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). + +#### Identify the schema role domain controller + +To locate the schema master role holder, open and command prompt and type: + +```Netdom query fsmo | findstr -i schema``` + +![Netdom example output](images\hello-cmd-netdom.png) + +The command should return the name of the domain controller where you need to adprep.exe. 
Update the schema locally on the domain controller hosting the Schema master role. + +#### Updating the Schema + +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. + +Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. + +Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. + +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. + +> [!NOTE] +> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. + + +### Setup Active Directory Federation Services +If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. +Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. 
+ +Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. +> [!IMPORTANT] +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. + +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) + +#### ADFS Web Proxy ### +Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. +Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. + +### Deploy Azure AD Connect +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. 
To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). + +When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. + +### Create AD objects for AD FS Device Authentication +If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. + +![Device Registration](images/hybridct/device1.png) + +>Note: The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. + +1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. + +![Device Registration](images/hybridct/device2.png) + +2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated powershell prompt. 
Then, execute the following PowerShell commands: + + `Import-module activedirectory` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` +3. On the pop-up window hit Yes. + +>Note: If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" + +![Device Registration](images/hybridct/device3.png) + +The above PSH creates the following objects: + + +- RegisteredDevices container under the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration +- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration + +![Device Registration](images/hybridct/device4.png) + +4. Once this is done, you will see a successful completion message. + +![Device Registration](images/hybridct/device5.png) + +### Create Service Connection Point (SCP) in Active Directory +If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS +1. Open Windows PowerShell and execute the following: + + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + +>Note: if necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep + +![Device Registration](images/hybridct/device6.png) + +2. Provide your Azure AD global administrator credentials + + `PS C:>$aadAdminCred = Get-Credential` + +![Device Registration](images/hybridct/device7.png) + +3. 
Run the following PowerShell command + + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. + +The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. + +### Prepare AD for Device Write Back +To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. + +1. Open Windows PowerShell and execute the following: + + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format + +The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name + +- RegisteredDevices container in the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration + +### Enable Device Write Back in Azure AD Connect +If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets + +## Configure AD FS to use Azure registered devices + +### Configure issuance of claims + +In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. 
Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS). + +Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. + +> [!NOTE] +> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. +> +>If you dont have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). + +The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. 
+ +* `http://schemas.microsoft.com/ws/2012/01/accounttype` +* `http://schemas.microsoft.com/identity/claims/onpremobjectguid` +* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` + +If you have more than one verified domain name, you need to provide the following claim for computers: + +* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` + +If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers: + +* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` + +In the following sections, you find information about: + +- The values each claim should have +- How a definition would look like in AD FS + +The definition helps you to verify whether the values are present or if you need to create them. + +> [!NOTE] +> If you dont use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. + +#### Issue account type claim + +**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + ); + +#### Issue objectGUID of the computer account on-premises + +**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + ); + +#### Issue objectSID of the computer account on-premises + +**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2); + +#### Issue issuerID for computer when multiple verified domain names in Azure AD + +**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. 
+ + @RuleName = "Issue account type with the value User when its not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http:///adfs/services/trust/" + ); + + +In the claim above, + +- `$` is the AD FS service URL +- `` is a placeholder you need to replace with one of your verified domain names in Azure AD + +For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). +To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. + +#### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) + +**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. 
In AD FS, you can create an issuance transform rule as follows: + + @RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + ); + +#### Helper script to create the AD FS issuance transform rules + +The following script helps you with the creation of the issuance transform rules described above. + + $multipleVerifiedDomainNames = $false + $immutableIDAlreadyIssuedforUsers = $false + $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains + + $rule1 = '@RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + );' + + $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + );' + + $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == 
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2);' + + $rule4 = '' + if ($multipleVerifiedDomainNames -eq $true) { + $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" + );' + } + + $rule5 = '' + if ($immutableIDAlreadyIssuedforUsers -eq $true) { + $rule5 = '@RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => 
issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + );' + } + + $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + + $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + + $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + + Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString + +#### Remarks + +- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. + +- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: + + + c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); + +- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. 
+ +#### Configure Device Authentication in AD FS +Using an elevated PowerShell command window, configure AD FS policy by executing the following command + +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` + +#### Check your configuration +For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work + + + +- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> + - read access to the AD FS service account + - read/write access to the Azure AD Connect sync AD connector account

+ +- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> +- Container Device Registration Service DKM under the above container + +![Device Registration](images/hybridct/device8.png) + + + +- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration + +- Configuration,CN=Services,CN=Configuration,DC=<domain> + - read/write access to the specified AD connector account name on the new object

+ + +- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> + + +- object of type msDS-DeviceRegistrationService in the above container \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 4147f2d87a..22235193ec 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -33,7 +33,7 @@ Hybrid Windows Hello for Business needs two directories: an on-premises Active D A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription. -Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. However, it does requires the Windows Server 2016 Active Directory schema. +Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. @@ -77,7 +77,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation ## -Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. +Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. ### Section Review ### > [!div class="checklist"] @@ -99,7 +99,7 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
## Device Registration ## -Hybrid organizations register their devices with their cloud. This is analogous with joining an on-premises computer to the Active Directory domain. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. Some configurations require this device registration to be synchronized back to the on-premises Active Directory. +Organizations wanting to deploy hybrid certificate trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 3b32e32413..1183ae9b8b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: mikestephens-MS ms.author: mstephen localizationpriority: high --- 
@@ -41,5 +41,6 @@ Regardless of the baseline you choose, you’re next step is to familiarize your 1. Overview (*You are here*) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +4. [Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index e1cdf2ae97..6ed257222f 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -23,34 +23,6 @@ The key synchronization process for the hybrid deployment of Windows Hello for B >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -> ->If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema**. - -## Upgrading Active Directory to the Windows Server 2016 Schema - -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. - -### Identify the schema role domain controller - -To locate the schema master role holder, open and command prompt and type: - -```Netdom query fsmo | findstr -i schema``` - -![Netdom example output](images\hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -### Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. - -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. - -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. ### Creating Security Groups 
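Review bot: The angle-bracket placeholders in the new hello-hybrid-cert-trust-devreg.md content are being swallowed as HTML, so several commands and one claim rule no longer work as published: `Initialize-ADDeviceRegistration -ServiceAccountName ""` has an empty account name, `Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]` has no domain value, the named capture group in `".+@(?.+)"` is gone (it must be `(?<domain>.+)` for the `${domain}` reference in the replacement to resolve), the computer issuerid rule issues `"http:///adfs/services/trust/"` with no host, and the explanatory bullets read "`$` is the AD FS service URL" and "`` is a placeholder". Escape the brackets or keep them inside backticks or a fenced block, and apply the same fix inside the `$rule4` string of the helper script. In the same file, use the `> [!NOTE]` / `> [!IMPORTANT]` alert syntax consistently (the `>!NOTE` and `>!IMPORTANT` forms near the top will not render), fix "regisration", "syncrhonization", "you need to synchronizes", "dont", the stray asterisk in "Type the letter **C***", the mismatched "#### ADFS Web Proxy ###" heading, and the "Check your configuration" list where the serviceConnectionPoint DN is split across two bullets ("at CN=<guid>, CN=Device Registration" / "- Configuration,CN=Services,..."). Finally, the helper script joins `$existingRules + $rule1 + $rule2 + ...` with no separator; if the existing rule string does not end in a newline the first appended `@RuleName` fuses with the previous rule, so insert a newline between the pieces, and the Remarks should refer to `Get-MsolDomain` as the text above does rather than "Get-MsolDomains".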
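Review bot: The added sentence "Additionally, you need to configure your AD FS farm to support Azure registered devices." in the Federation section points nowhere; link it to the device registration page this change adds to the overview list (hello-hybrid-cert-trust-devreg.md), and align the wording with the Device Registration section of the same file, which describes the requirement as domain joined devices registering to Azure AD with device write back rather than "Azure registered devices".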
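Review bot: The rewritten Device Registration paragraph ends with "For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature.", which contradicts the unchanged statement earlier in the same file that hybrid key-trust deployments do not require an Azure AD premium subscription; scope that sentence to hybrid certificate trust deployments, as the preceding sentence already does. Also fix "thier" and settle on one spelling, since "device write back" and "device writeback" both appear in this paragraph.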
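Review bot: The new step "4. [Device Registration](hello-hybrid-cert-trust-devreg.md)" is placed sensibly between the baseline and settings steps, but the edit rewrites the last line and still leaves the file with "\ No newline at end of file"; add the trailing newline while touching it, and the visible "[Prerequistes]" entry two lines above carries a typo that could be fixed in the same change.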
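Review bot: Removing the schema-upgrade section from hello-hybrid-cert-whfb-settings-ad.md leaves the remaining `>[!IMPORTANT]` block well-formed, but this page no longer tells the reader that the Windows Server 2016 schema is a prerequisite for the key synchronization process described at the top of the hunk; add a one-line pointer to the device registration page where the section now lives. The removed text was copied there verbatim, including "open and command prompt" and the stray asterisk in "Type the letter **C***", so correct both at the new location rather than carrying them over.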
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device1.png b/windows/access-protection/hello-for-business/images/hybridct/device1.png new file mode 100644 index 0000000000000000000000000000000000000000..2835e560495d432f1e2ddbd445b5e619b61d3cd0 GIT binary patch literal 89361
zavDMvm!C7A?fgpDEKBK1zJr&r7IEfh;x(!1B6!1$_}!d#$5v%FvqQxqNxg};NQ#+w z=-MfxUHC47a3m)BgV{L8_xje%p;lvW-|^KOj}7Kb{pxtFHm|EJ-m}8{S|8Q<=bE#& zbDYatx>94^g@-#)c?@b86J(u{de*aitV2!x2=LpXYkG@G;6shx<2R+u_cN|&T-51};nnYuaQL`CtAbPc zfIa$tJ7=P?W6bJF_Nv|-Hb0~{W|M8r(`!nHT0EuVIkUS2$v5>Gmm|iY9ReGbO)v?E~pR2cup^VQy12; z{@g!5W#qpYVVV4SKN5-qY-tTYg z$FWrUA7kR?G^yUnzRwa|d$jCgH7_CKO!B2Y{oY7nH<8g=lY(-Sj+iJ0Qj+4|#3c4u zrg&s*lM>CYwj)_z7I`1d(qJ)=&tH^;3YY!UFqOO^8%5# zORX&GsGR+s#!q(ggU&YSe-FsJBQIH6PAF<<6sq~em6K9+rQuG@uzx9;OyNlF!IBU$ zuHn#6x8CQCBvIHFGu4}@I3v-=n#Kr)YT68J;L6d*+PAbG?0z_YTj3e1j)PYm!Zff- zD$~hM=!^8o?%OjvV!v%>S+d0J&(=>rShB$)z*_x0v6Mc(#(eHPtN|=4EzbuxiN#L} z%IL5n9XU?!+1pzJ)-m%LZtLTUa;Z~B?FIT>jZb>89NM0~YgOQPJKNe8)=51&&Fz+9 z^&6z)5!BWN-&pxb1ILrrT{hEZ;H!wtlbp9B8d#lH;iVJqT+!#(g!R-u>a2IfwGjHi z&);Aw6*wU>`WnP<7kqnODn3h7HdA?hY-UFy=$91&;^X0_Stt)HLqse#N9p3+kwyYX zJ-)SJ*HU@*R);Q_bq!M!;1{ndX97>1v>u@9`h=xs@c<(aYsNM0{%&u-97&7|5u`en zjr?r5hf7I*D{yEd%E>}320pWJx}QpHPpO}gt1VX6w=dxK%q=e1L7M3)YYB$}e|PA8 zZe^ZE#lpfmQTHCq5V=>JEAKQumYzFBnMCfCt~MKt=i31bFaep`=Ba)SCCo!*AP&&Y z5lAWSo5hngR`pHzzi4MbQ7caMRlZz~Gf7Q-bsG@u0Tzi=4*ll5TJjmcTKoGG@#TP2 zJWZS`WIWe9CaJgbF^v<)Dpgph6+@;lEvBND+?Z1&OGhsC%7?CfMXzABtM5av-^h

9OJ% zGq<12)nkio8sN5ZHhNa(?Y5teE9Q&uspu4X6zRu28)ml;Jg+4db~wR{YBcE&TXQYg z9P^khvjz_5e(ZVFB9+?5lJL&PmwvzpcL^;8#NM3?tuOJ;mHDYXf6zui+hfU`A#npO6c88%(sn^6Ae4=^||}~P1J<2 z>!|nb^Y_L;owFAd1f&Sh*SC318?JzTyT;!N6epDIoUx=bFc;^btP1OmFF@sM=>?8M zx$?)3j%&`Cj{a?hDx*b!7fP~>iEXY2D0NVZYdBS?t?3a)Z!KueICq!2`ly!RgsTM% zSlgy9NF&&5@!cOLYNAiBmbahwtX{nJMX>{J5$LjxxlfIgA}U1EpRdjSJ_I6HneXVV zcy$x&@<$|{i4ahQpdMjuH`5&pRlj)UFhP=RHDVa& ztEqCs;UG3O_+4sk6TI5*hfbD}!{Lk-5rStSt65P@t(1&hrAO4EZ;?@agxv-qCC?n! zK(1ug5poM{K+YC94wkDFti?FpLfmL1jwNp50I8g50o$nhX-33>aD8Jqu%f;@2eC0u z!)R1rB1i0sdzJUG(oovA=B+LxU7Xm|OPu%12J8tc4B1UIzqPwZF-#tdDI=*sDnyUc z_Ebx|i#6d)_VBgnZVUGUjUbO-Mj?)R^lv>g2^K20I?asb7t14PwE7tm^Vz!Z> zS@k5hTKuf^jU!**I5TBMbIe{MrmKaFjx~bXV4>FiYKaZ^bAJSC2W}$?jHn9-H0SMp zpS8fAhbO{erg-b^Mj3$11fGI|qIk~dIrQL0VBBb2mW_MN`+8utHHRpF7zJ#WtBCCw-Kp>zWUc>%Y3!I$v`haIyKLv{w>fud@_f4cyZ>yXQz&d~ zw(jkjvvKpOFa?b3C!>Toa67*?+`mo1ER`I996|8*?Y`p%ildW!tFcZA-8r5yvndT$ zAjP@-ECOwPdk!ya4=AylQ%pHz#nWcr6xnWk<8o^cDXlp#?w5&#&rMP#b4Q?>VhR%= zUeHGbJwbUP8T4kZN-vFu1FK*g?q;`b4xswl*3ym*a3iX~)cwe38v(rUV*>iP-3-Pm z>GH5Y*k7UTKo4kh*m%~*OH3i=c18VGlm%!7;@eUeh$d)?0+??>IQ$G*7F7WHbs4?s7(WmuPY#8hBe-mBTm8rU_y zQo9AYUeXFBU~Qi@LG)Kl`482cpQf}fUgQwNghSos?-y#mh#-ZOh_eF9*!-hXaP zu?UAtTwg?RUW`TI)jm_y?p#YWz26dXrRCQ$h22)X#&x{!OHt4-l5Ht$?(!rh84&$c z@G8^RS5ad?;0MMywu~z-$BxDNy0gx*3AW0pJ=neYKc6=yRUsgaB?uh0NqCs0^W$J3 zvE|$C2M~_`@TO2g4mL2C zTBiRR5>rlJTB4u^Wn6N3Z1G&Hyk`1J)!wa)=HU;O(8?^ziiZYfA&P-d!&R+SH)N@a z>Pt&Y{;9z$518Y}pJP3|S?&4nzqVm!=Fu>w+Z&vB8pn-*ivg)>mpyTR;dnAvac!qyDE3sTxFrKeMltkcuXleSYbD^fj{aJh^D zF~BE<9)Y?S??v`rO}WOjXZ;mHaXG*+zjvy&z_Os1WiEpp8u=RS!E8R%rHRKmuql6^ z(<6b}G7UT=PsYO&)O=@j=kpBJ;9Zvla|xBSm5&{*p?R7_5$>JlL6k-{DoMf9A=4r7Jw+2#>ddW$X?CdEf?*ibJ}P`+Ap;$mqeA%S23P&i?!8 z-xN&rnR!QtozWXFci5#E`$;;`fw;bocW6PVV8KmW7M^&rqUv z%n)mt=KB*;D~oEDswtI*4zFuId^o6#@rh81Eev(I2KoBTIm-ditf;w#nAn=lO5Drf z?Q@QFlj##IEjQeBbxo4)(Qyvc?8BT`(e0aRI5&^<^y7j>SbP>kA@n?T*2jJ!eS2iL zpjp9Qd3L>fG=1H<;13bK>UZRZR#sA?<`+pg7lBBw8F$lw+2ka3{Z8YV?m=Tb1+%sLPwGMI6)?^-ivpX1D6@lz|K6^K30J 
zd`jjhtcv5W;+L_PnAb6+akHi6_V3tKN)R-T)a@d57ceK+_Pl6j+0=4u@|BkAXEI$|O+BM(3dz{RIdsM?%=YcrxE8bYV-8z;Lb$R1H?##RXEVcP@P~YZ*t^>cd z^4Jv~B)b`^rqNbq3IwN#={2mmEq``h^bkcs9hS;B5$~wr$_v zdp0mi)5*D0nk&0)JdE1Avo1f+IeFiXeC~CWL^AKgQ@9v961>&sl6bPqJRkC_t=niT z5a2s&&EP$6mZ2|szluXonhiPr^J)09%g?(lsUQ(kS)LYVhwsibK9p8kNVo8|PSuNH zcZ~OZqHfo${JEoJ+PN`+2@1!?M*};$>TU=_GP>6j8r7CXw=E1!qi9Wd_IvX|A}OQ@ zNn=7hWg_-rmOf!yqp>D>wQG&AzY{W6!65xzN|%I!y1(KxPDbnGGb**O;$YcUgZ zUanyygu3)LaH{@b$rs2f=MzeJppvP=AH6mhAzG#2Q8Oz zURQtsBOmwCQ+0GMbUCBl%~F*WT@$4m);r0dfr0IJ6tsXEYLr#Uj`rUdvWdpxpjU?Ki&`PSocj=BV<(RRTl0U*LVvJ!9fP_#xJZhBf^*unZkUDi+T z#!8msYjpY5ss^&$CrC6MPxGPAV^q40l)PN8?PFg(?t5SMV(}oEE+iRTb*E$WBm~Ra zGShionel5MhVIYVA6!0={ldlIT^jV8(J*W|Accs~LQ0DnC`jOHYJ8@2be+dp5pkU? z_15JxWJD$G>(B_|CZgO@{nzGHf8TaN-4Ir%nwaXv?eX9zg1S1+d}Dw94%Ah?J2(lX9}p)Jyj&99~H$z#uPsx4A14oiS{3Z z>AAXs@n_L3>=;0Dzv-EvSD5i&jxgaK&mKSJo8(Q*i?B!7ZqY}ndXi*{WQDZ3qUec* zm>Df4Jhx+bANNV^nQScj9r;0}8k&!as~%t|rA#JFle%ciwNx1!F=QB`mEM6mO0YVL zCM7g#U7UnnbEM7_;tz}ct00kJ9zq@IjtY&hM*Nw}L{EX!O-mdGga0HB&Y)%vywE5`_s5|3B zm#d;@xghrx({PHBE)SVIaTn3Lmr}fje zLgQv%8q=3aoM?9rm6a)PFw`K@4~vcO4}Lx~Pv`_>6R??!~nZ=OG)1`(Kd zd!K<$*o1;(9JHa;pFex7Ex)q#Z&kH@DEX$q%kDnU!-LXhHnv`=GqSod0nuuz$fXQiZ*AGoD z3IeZ84R6QV;&}ZT$35(7Pt0c_Aji{O14p)e*=3wl8$s=53o5vceon$|g9d;@d#S|P zp253!EYc?Xj7DJPMVu^Y=a>=4J z#C-HGR^w^81aHDCRm1x+?%F(ph-b7z!m`s@>m!d{`@58_cg1t#X4ZTEdNUJozU%i9 zue0xV&HEwFyL_JOqc6_^pL^!9jG5nj?3&&LZagnd%}TW$v!TBAnRlBrIv%e^9bEB? zox{F&3ydRmN}CV2j61D%054va&uf0{H9EuO<#Qmk+3RnvbFRx|71rMJzx~b7eU6ey zIZiEXC+g_)qjD#nf~NDh&jdL=Lq}c3+ht{*kw#7;&0o12+Kug~>Q=r<3B@Cw^F7$V zJ?@xz)AAl!Ws~$rX3rb+6QJD8ovu#r)Zck%1w{Z*QE2k+ltv z+QRPF3w-X*%OE>*iOO0cR4I2z$9wQR1kwhBNbw--sd*A#_p1B5#KD=f*Pr{aldAz? 
zXFGb>0Cn8r5{J}F$->%-8tNj&JYEoGWm!|C&$L0#`F)^C)^YgUX1g7kf_G)6%Pw>4 zY1zztK{Zg5$jc@E_DWUW9K9qeUHwd#ZBBI?(4tY;tZ$lO&)~ZBDd}sa;|CN0wy%X@ zgxxYa-!S6>FC?Q-s)iK3s&h`3aCI^H$NBhphI~WRGA(B~j)v?k^H}dw z6_=e`^K~K%R@7X3^!-FKQq)AbqNNPoULdJGs;&2IM?T{OUx(l0!I9!DYVxzLG*Abj zuBm+l_krf#?PPk@C%I`oscR@ue&0VaaEr_g@vPfAEWPO1g@KA9ufFj^8zaw9V_IgE zcUMd;?y46JH+JhglSrYKO6lmI+>F+3gu~Z?HgDsYIdD7Ooc9Ad0{w4S+H6i0bfSTU zxBX$z*(lKkW03&JyiD(R(%Yve02AuI_Nt>rgwbQk_=RSLmgoSyHL6s@UKA^_?M`1) zwdo;?da3SU>TMca`vz<|=F~5RP26N5V<}=Yn7O>!ddqoSWr1~uf{ZRnjT_t6BBdY- z1MVelHnL~J{vW5(>Y+Z1zQow8(@P+Vq1G*!)LOIz5X^2mM@<)N&Gq&uD|f5a=VA3y zlin*NeB|*-pY``D7Z9{Efr6axS9Z^zGkdVglzBEPg)ZWdF6=O*ClwD%N=0;mCFwok zqFr+OaVeFz&~}E8Yg1TTGzDqM$SGqh-V=2n>uh>zX$E{2xQ8%B`;y+wGjSGF{U@Da z1AoZKC+Ez|^gFL!^q;c)YhPMNEK_s}a208LRZ8<841m`@DYnNBRZK10?6kw!pSnr! zayr|m$f@`-Z;{^|t>C7VzQ8c7HfuGk&0`A*XX}#YzXreUgxc=r%xu#=6jIaDX2b}1 zJJ`!chuROXO2W`H8C%-a@;V+G5ARB@jlA_p@4%N`#(673N2p5Xagxgmm(ihNijlLA zPN_YF?tk>YUTp=yV({EOcQHC$l2aWu{UI1i70(Heyu$18baA9j_>61oV+|T@|<2Tv?{(id#K! 
z|IEk3M6bDA5vYPuxQfqhQ%w-$Purv_L^`_$*qv6^-_2s6!=FIrks3>&SFo7oS+@;E=~-7{gfT-o@+JyY>cK|Jz3jZ7m@Q!*^`UB z=4toH3O?n#hu-SqCw#}w!9k&!x~MqEgm^PpqgEsG;|STxyU{!{Qd}Y|iOKs5lES)_ z(&TAPYFpL@;zmX4M<*CjqIZ_d>bBrG7>Y)k^+H>up2w^n zGjZ{vWx^^RU*%$c7yl(?Es9(e)Vs3#lItFaZ6s=X1LKs#U@w?z6{^{BBr!(jp1S&M zFxcbLLq~@O`rThWQ&4F+f*vly8wh;)m^xIYU+q^`IMw(=w0FE9`FD-@l>5(`W=TVH z61OPB6C>Kw(0KtVvSWkCM6`hB(JVP?72PeO9lsP?J^DszM;z5HvVY(~E-y0=rkJ7O zchgy1?d6h-^@dDn^Vr$SFLDTSNbvX#T;j^UIHsLJi&)7DjpOhiji+YVW?gYVwke>Z zCY9UGyS!zT?jTZ7@aODesSGW)JtcdZsU)X$InvUu#0^>6MRs`{!mNm>P~9|`UE)eq z<03dN*93_`<;bbIn)q`YnYhKyoH!L*wr3=c3Vi z=4|iC5c*ZrzWPPn!pE{83`X(&3aLWF0_eTD7eE|1ls?Utfd8vYPq9+vCf|Kh+wH4D z$vNa`M1o==w?BLU&nP)YI;W0RzalS}I)|cS%Q&LP5#qA_q|lX?4V2Nc2k#3{sBV{on`wOyD^Yy z%!QqAnxXncI_sJX+NdW-tCI4p@rw2HZf_yWvsO_?Tm}yn=H&ch+aEpPEu2tK`?c#u zE6h_dt4c&eLA$%6sFnag=DSHV7wZGy*0j2ef@{=v3GZdljG~I;i!Dj zhcD7SZu=F*%0%Iu`1u!GL~&xP&+|HH#dE9j@{qG#zpq5i0k}Foc-66N$5xuAN8LD-Q$rx($=Yw&xg1FfF7f2SM6GR%{hN-bmpxV!*Gy_ zXt$|JDF*i{Sj1x+iA(HC%xR??u}llHR3kP-pgyibRESO zc)bd?W$gYassL2{s?{&mF1(vi1*StQ z`MgHJsb)38VTA$XwCA6qr_9012)p~9hlB!u$UV_F!I439PwOL5tZ4Q*JQR7fF!>}W z!thCjo*^I7i;cH0@RfqJWkP-9+8d_L`agcI2KV(Wue8%v;^iyw8_}&88(B%{3`J<= z4qge$Xpd{$jd(P{Le9*68@1#=6Y{25e81-Zx{hHfQuQC(iQ`ngFu$(&)W079`vGF1 z&tv7YC>8rgK#gVeG{$H2O2pvYn(a#{=)z#--hdWe0k8`r;HXk#h-P z(Xg6sn19id0jZcRG2Nh!YS0KpJzagmLN$?LWJSkTvuY5i9)Fk{3G(k~hXk^QaBxZ* zn;S@0X#voUcs{)`~@ec=qH?*VoP> zK3|eOX(kT#MX{*coPP5r;qAHKgbDz|g>21i2{q%dcIO-OO2?^XZ|$}F{R*Lnl-#yr ziayfqOhsg71TASAzModcnUcJ_SCSE!nbK&<-i1c2=xo94ofniC$%b-h4!0XVj5qh(>|lHO;|qjfYgDipJrC45KjA z&>~wFa>FvqFYq_I5jAVwM>(mBe}Dn@&h4Y9!3!BL^^yZVYhTa%>lq|OkmqS$r6If! 
zL3X1Vx}hz#S&;Eh*zo#1*0fpZ=sMDw3uf^;8VME%X^bw%?Yv%^2zRX;1(_Q`OJXw{ zBpQ>+S1Q`zzSH8%BRP9KAcS^wC;W+Iv!Oyfn7=yVwXh$$CYGq*Ga);;c(z0wHoKsS z4(ptR+dBuUk|YXghATHPMyWt1gw78WYqTqzCZ?mxBDJA9m~iH5agS>iW*Y3>XStUUW^r8cbIdbwz6?Xgtv@9Rt7u|<40+IC zM35@IQ0vld$}W%up(N-s|LYH@@F#nhf=s~N3w~djIAvRoDP0x{WT&S^66y`Lr8-@< z9@R6|NKgR#s2xxB>k|9H1sj1|o#PABDWsF@UikSAoM1GtIO<)6zOwB2ioXW2dyY+p zU0}K1k-FXeVn19#z*RnGcYv_Zqn>M=vnn!WA8nE^&B(;0BJ@l+QM7K8_5O4@W_m?8 zYqFZ`{50Nqb%PRnQni9Pdgo^)?qIuH`IBwdE3Lf^iSR8>sJ3|8QukZfRGjiGp#0E& z#iof091n{)%`H*zFlC2hO0i*G=@Gi%m=RNOQgMeVY^;r&4GYd&p&eZ|j5Zbl9iFB9 zY4YW!p5=?(mmV-Xr}AOex@{??LZ>e8#KEV3l6Qb-M)4gHAh>JV$yo&G1%^G71hl09 zDzI%RuetqJ+mj(^Wn4>yrULJy85>G$i_fx}ekasPTaZtPa$cQ)BQlXlvBrm07{QX1 zi-tnJDeb@i&l#W@YJn(~z$r_0L8^d0T(P<_z^CnLVP3~V5~R7CA?qxQ`%*GxaxD6heFN9OMxtI4<|hesNWaN|OCazLkVZgqaA3SS7Y;nkKZ9&%DU zhb5ai#`oipEhO0qSO_rTyBf%Dc772={#`$my~g80zt_kl=WoREbx#H!G8n=$`)q4_ z+dA50>!xox`3LEsAtZfMtK#yCgtM&>|2`5a%RYy(koMQO7AYLE_~Bcl5=!q#Y~=`v&sPE zmPM4!$lTS|O}JtvVPGpRSb`Zcu5hXcb_Eue6_tR3q{R(DBaK37K}WHkZ-TM6HY8>~ z0%e8L1hv&~6~%mOS!q|uJI=i}H`VE-4Y%p0CXjQuhrB%0K-;US>fH+Uf10?yG2IvZ z{Fyeo0)198l?+9`j*2(yYbQ{G2L`y`^0#p23<(8v2rx-`-)NTKxRoa zam5@5EM#5wd?t|WdCh_j#OnWtEkPCX8m`!Kl;33|0OJXt)%RNH3x8-lEV*H~4<$b^ zR8a@3|9C1Gf>yzB7GJ-fQ>hhmX(XWVV!u39J)tTsYC#K0!6Se$J`y5*bRV21F|s5b zosOG-w#)L*U-5)g(ncF?vNXnh&ldVR(3oU;j3CuU9&~{-((}sZnoHL|vbk|yg%@Yw zI-UZ)gdX41p85Yh_EqE6n_Y<-Y< zA`3|+V+@8wE8Biw$>Ro-theJER2=l*ObpmZ=nuBrzTSavGzIf?OvddQn5&V8O7%}j z|M5=r^uw6u`W6K$xrY1~<3B5R^qz1RV<9I?#AyM2qSKS)a2$>OwQs9ENhG_UY?5dDxM=i;i+Bz!ig_OiQ%-yDm?xeO8jXZW)qiGXEKW%IZIA&9x zcA64YQzQBszWZ>PC9f1SN{U%nfXtVznb~H?LjucY<=Tscxt3)-;VS$LVYLf5F{lZR zH;|PzJMG{zQ>KjOu@pvEop^sJ8dcKg9 z(iZ(60W^SyF6+BF(DC)rQAe~dJZiEquQ5BH1{>7w6{n;Fs8e7mRUIXaHoM+7l47dB zBs}1vt1ECoe@g10HvUq|1f*sylJb?avv!84?d6zjYEVWy0nNf;lQ~BY!@^M)RVX$T zC2u#-0FSPzQzEaOwl8^To2Ek1F)?I3mHADjg|ZxkK<-YgPjIyq*mL1+tEHnc3-i9A z7+Y*ft1-Naius**S6cnp#qnucYe(^&h$f*DaY|*;Vi;FXt-DEd))HcgRH-fD9Cuv0 z+VXtnF1CC`S!GPUDMW=0w1Hm?*Yb6JT+#Ear1hDce0ED*%) 
z#44VvK4B$$JUSB+j%yw~VF+Oc^`0bHCqjP;CzQa6)bPo?#}84y5Zdga$r&iCX8!HQ zycLIa+1k7q<@wr5iJv-3DN7xN6-btlllJhIL3~ZF)s1<9H%Ck~3J*&7)!wB$feqM> zRYEtXn|>k!M&DJ zIPW|lI&VD?+HXldA^V#U3FIJ2*h~c1mMdDBmX>ARA`|j>8TgG>RzC}B^HK(%wNU+_ z)MewPTy!iUl@jqodgdT}n$9^?De!&wP%@zzc~VswA`-Pf(~3UTp)JE)pI@;U z2eeu**bOPW@MzPM^B6cscZOnlWY-$^c?oh|uuzu*tRYskBA5AJ*hA%4+vWRH*GSC*s=Nj{Vf%y{74_!)q}2DhHNWMVdizKdQoa zwp%2kc79VFBM1!|Fp!s9s-J6JaByUZMal^)KN1kIZXH~R-(uCNZ#p{RBgJUaZ3I*N|ItTe@Z+RjmI-3ZNgW@Mqj}@N+FwNF zM6b<$3C_8@=|=}@hcSUv#Viq*rk4_7XONz|aFCcNG=A}+Bb%xwvg9}Pscl?|;FRzj zYgt6edmKlG;cVMC>iYG*^knn{LqeRMh>*?Nqd0E!><3ooTEcWV{>R-`#ZzaY{<7HO z+M^_xl#}9mOaJg^YhQ0`&Y>nblLa%$FDLLkTsM^a_U;3AX9yeYJmRuL%CKJ)u1#}$ zY~%N*6julV^mHMp_d&)dTlHCjcB8vcFw#*ggV^?O;f>BLt*)axUsh?tYs|N{ zU3qxgoD7x^5a#(Oac5l*&-f#n7iryW*GGMd7MLDiX4R@TU_^0}@jB|l1o zed`a52-HND(~COpMliP7f$Vm_lyo`}(^);?^bxa%-4-=wd>5_4oZ>;SKHk#YPnH*h#uyzpeFQxce#fi$j0jUVeQ4R$R^2J1`I) zOZ58r&Df5BZEcuuR;)KEXQ0Og{oXwPa_%Ex#5&8tRj|Jejy=ROa~Pgkeu$Gc?Dre{ zqhSc=Bxp#Z!+`0$s|ms13Kk!U$aH>AGc89(X@Svfea!fZ>EmRaFj49~8XV?+5(LZf zWKU2!nve-oD}IZPV}yb&H-jfF`?|)HUOC(((^uYUJR{ND`)(PDZtMm%wA1mxiq%fy z#XWKjgSx=v=OzYrAsJv%6}vj&RIg=d@FBvmA-Wg{I(y*Hg!kdqTvS@lWP#97yrH1o z);_=Y?;YW0r#Dw$R-U$yYKhaLmPXhp=G=ox?+e58ExBX99LbFh(eMINvms;4QQ`jI z-@OXCnr0KuhJP@-$Cdilw6c&;KW_Kk^;=o-w0aT<+IMERd*A-4TD9AHtM)UQOLO%& zSe)6=0PU%X0kc?kgOCy6WZiam!tA!zlR+4}Drh@~!$|E8c<>;$!+ZP|amy3kW{0yz z=7=Ud7QUW?$T2n##_bvuJb?sAkH+ebZi>(2eh@164xhZA|hbTeEj z%_Xl;AMgKki}7n(Ur2)6?p*|3gawt_JOo)qc%}QHc%#alX|FQ{+nuf2yWLTlb{>I6 zOeGpGuZ#jq7w7~*Q5J_w=8nOl?y;slwHyN2e!q~R`FV`%)2Fy!5{QlZw+BMyvderG zzIOi4PDQT#c4yB$SszdzaT)U*28l=R3;*?r&0&?+hTkLZJ*Cz$!*IS@J_JfW`Y0F>e;4?pef_mwS;43 zgOak2sA)bFv2RDzCwZ<+Y`cEOqND{gL~2HEV{Zd~F(EAlIWc(JbE=B<3%TS?yqvV% z+w#ywX^MnRq`wViYOom8z@d^~I$ltfh=-0aEYu#H6%a#_wILO^YE?JMP|Q24mMTlu z>ZBtLIg@44zodGul9Z~f7axB02U*i5-~T(rlVd(E<;3=i^hRI6)crRNys=PSS)7L_ zw|rS(?REJ`MZ-gWhw-S2?I&4kJIb0C36*a#Z%mK`J_XV-5!957p-;K~fm>f8q3>`& zV&8u@R|FIua>yjQu^MF&Vluk!Qcxw(@};y>caP)?n*UUMe&T~PI>(T#XCcw|sgTV0 zS+AOw{&(3EqqErqq 
zr7*Q!F#?-&#tXr&ZrG0mfQ57l?)ku-yb>*{e4+pp$76Q}NjnovZSsP-z6kGDJ%f1Rk zg4l6&V%K#Q^{L9QHHjsrr2;UMEH8YPf6(bYDO zii@6!3@eGg>)g7G=dhOqXnjo0Hyh&VSNLhM)42JhVU#t_K)#^3XS&Hy>t)|!Z$J_) z`**F<@reSSjp$hDjBgsb6U9*Y4zf%IosC4;0|85LkZeog4GUZ=*KfF#ppfYYeS`Ro zn0;<(3U%85dQfPkoha7LS$X66ha}?`I76_mmVJTOD4= zgud_0o2JX@H^jF^)YMnKvcxqT!vW0Q93;hDFzrQsX&k<+?9}om=hL63yS^Yz;`RTY z_{w2H$CAaDW?Pj_722%6)n$abb1;FuI3yrM%n4`h&g~XWFpOP~#bWy`KoFRJ$@-Er zvNLeUZjYsGu8EFqJ)BxlQTlVL$7}@_T3-9tn&<4&4o;{{~=t$qG3L z?TJpWN#g|*SSR=nUr{PPnL{ITpb$=Cec2(<6!gV{$7V3wie645LL^_ZW7>>Hx7Fqe z>**_TSn{O5=r9)1XdqV}j5gcv9f>Av29Z-Yv+dugKJJ-1xJ@<7J?S;Lo+A{G^NFa; zarvcrHq8Dma+5&^);Nq(>`&;A$8L7@J*t9&TdK?#+~GAkEJ&Tr?0yO60bJ5oBUs)t z{PdZqx>N`nU5tf3Mx(>O(Wd}&`tn1fG+FG?ypf^*Sa-+K?qEeUO`7kI6Mm+6u6I53 z_TlsYVTg`!!;iy3>U1gCxinui~s#UKD;xgieMVscx0yCu90dt4`=(;eYE(oGth8bRuSa~i8B zW639mr`L$DhZhf2{g#ZIAa&3VSuyjbsK!siAYoP#RUDMPH37a0^5^K<9{^if%J&z6 z@M={m81QaN4`$>1dqAVB6SN#|&hNBfJ{u4%@-7`+3u~Tu_{=Xyxn_xEIAo5#C7_*# zjt^F#XdX-khc5E$cOptk;&$9XfLCr9rP%HeS{R?YZ&(bANrj0?Y5-+zg4Ip0z=*+j zlifX(9b##qZi(R+Vd*d4k_>}If4b)xpV%G2)=kV2bJ3A%VgL6A>$() zD{bx4QH4JhVbnz5M^wt)akXe=W2s2>#k{rYLwHLu)O44=ThjpdPjQ(AIy-pq(PR~i zLRYdJ1OU83hF2<_4KoW`q76&;x0jTx-5F}~NYk}Yy~7O!Be4TxV~Om3Uoq6&H8S0f zN7*hPV9Bei;`izH8ZA=&5sET^-Dcb=Xt?n)5~ph3-h#`hJy}?brOgT$rZKh+oGI}r z1QhqP=@HJ@J4C3m8fj9SDw3jUv0m~pCF*&lqg21hgR?TAwX`E6R925Aog4`#dea7| zG4(HZOYT$nl*j`wm4wg(#iW4D=*3b5#<}(Ra?GMeY|}K@-9PdeVwN6l`VCQt5nBP` z*x^%wd~Bkh=3Y1aAdwV^ zNlgrs@&4AgU0n`98ReKSgno2-cKO6Ru)Lc*SLSY{WyKZ|DW&MIp}0}K|Lh|=zq7Ak zrTG@3&{Q@>{<{wndC$Ys3q_k`do^QZY`nOEBlGt+M;}1leUsKqP=o6WbbqOWl`=>+ zFx5#%09Jk&>qQfo#j_Y#;ADYv;onfrvri^O))<@uJP4}uZ!$Kk=cJHaOo4VHo1w8h zeg(>aAJUNjKBS}d3bPug|AEREOErfL*|sl@IK0%D{bnF(JPo1h>bcOLwNW}YpUy@= zb!*fnPt_>j=1QYw^-~dh&Kg_)M`c4KP`ljD#=|@Fu@1w^wsO#M#Hfj9;2ZPy%4*}5 zZROYTwmU{7%!V@4#)u9=VKh3+22)x`Y&&{**rsOj+Q;|r8v9)3t5$D>S8bw6NcnCr zfz^J}-1{;}Jxa%IICoiUA6Cr+^tMY-mW`H7Q%?d1H@Y2_b9wM!Op*7r_zF_ns6Q+A z=c5^m*}a;Ba%2xFP4DgV93Ku(m~_sS6WL6aRJHcfv4XuBp7khTmaOyFHV}($0BCac 
zKrdI;Tj+Y`72Doj6z;;K^rieqm)ebm7<2eZ2kD`XJB-ZmliT6w;cXi`c9&;IN6l$YIewd9+el72%1=61j0#pkni-;oOmaQCVRH-`gbCBko*Yk1>JDZ+W|UU!D#YliLM!xfl=U(tmM7NxHZq#PQ;f#ZM_oQd`WrfIX_{P;Gl+YDlTr~?BmrJ6F8^Szp1tH^JE`*J1 zxJTzldT@cxr&jIn4qiC-cjpf?=#Ca>h?Ugs(4OZd@Db-#SDp|>IWq>~{gYE)T~QZR z3yL%7u5x6jNaJ0Q-+BJJo^EN8+JhCfbS29U?CuF;MQ_@DNiARn-EbZNXEn=BDO7lw z$q=po?xc~k0zapk3k8*P?{EJhwB;_`PBawT=8OO2^V0>h>3&7@OjVMI;wr4AH)#QF z(#BtiK?b7@xY5M-LYeDRHLV}suNJvvOf^PGOlcE%?JRWo!7qsH=1*w+*X2O=y%dP0 zV(#B7SYx9l(DmecVimJU`?d{~&G~A(m6EtmGio@$j*D*6AN$M^2)jVL*CP8H4-iyv zuDvxBwRV5JJJ??(ixu9#f8ROSzNm{a*CPxR7lA{JnYfmHPyjdV{$-^-8Y71DgK`{? zb;CoCS&+^h^MBSRXdwHG1_F1m|wYrdt1n3N|2it05dHxtz=e23d-*0 z`gI2bI4Eo1&q`RrI}f`wojGAr#!bKHapr7nc)UQzDdP2|yz3jI6lY~|@-XTC3hlc( zhAZJDfuXUyH6CQV*orH`KpQG639TWoLi*^mUN%Afkxf(fEjMiMHo1b|39T6&iy^yI zQcITy{^A4Y#zoP<6r+Cg8RQDA@`!q#3hr0bjF&9D&}2}H`P0scwObA!Dc#2Z-;VE} zSS}Kv`Su)?UR2OHYa?=g6Jur{y?Wh=3C7bvYcRoTRJt+(t+Znc@6tArvXrd%C$k%M zgA*)((xYS3p(d*SI-o2UAGo1tVq%JZat5$bq?*iJte;>_nw!%AWo8(h5lL7na(cq) z@w5%W-XsRS0NFcs>PL`-LTsgkIN_*kcyR$gdZw5U34viAT**@x(skL&Wg% zoYdu|*(r4vTnYqz)Wp91Lwyp)xG2FB(WXmOwCtHHBeyGkhk3-;@!y$4Mu4ZRt|j@r zGB{zS9?3LNCG`)hPXwbj#g#>A#@6OHPhrHYhd0cQ(xrRj=TJUZrAs+oNaO{+yYtOx z7MGM4h))^W=4=+@PR92?dRDmP)ew>>^$`jChlml4W74@*uL1AM;Q1T>^6A>f2vA~* zrMZc}v66&(U`JIB`he^)J;v11bW($k>ux&E7?3k^f#r<+;|z|lqg33J+2mDcQd4h;t?EgL9?^)1=F$-pAHT2RC#V`1A1o%#nTyba3p|1g)NuQ76 zPr4z#WV^zF%c1|FxE`IsE%)4zzs@K$5UQsUsv*$ggha@icI z%2m|O$7kD#ITaPfYTw-jh1reB;x@b(pS51hum8Q^e_E}7Z3qnOF~>=^9N4SBm5gL% zO9`cgtflX?q?$IZW_<6Y1llufHurV`%ZE<705L8*wN=f_J{pM_w2bzc8Zt!lXl?@s zlECLEENOKbkU(T>%v38i{j0$CZ|@_{jc1?2p9ivCuZFl-Lb&-sWl`_?KjjBq;)R%& z<=XGM` zo#ntJ4h+nWW9D-e=eM9|rRMjcf0~xS7`RYTMX3)0bPIwBzon!Gt0-OiR$`)gb%UYb zGzCVs8;2H>4>dzwz$Sc7kqp19v>uBT!FM=`>G}K|r+nnfojdi##NW^OYY`Uq1=5<% zyLIA}wdYS;Y38(`((L^~s*F9+Q1#FMbE?RK(_-;S3D2~y)?nt=CeEi}Nj5zT8EcTkw?6O1XGpKjdDS9|+vb;M!5YzW7+*|3ey z-0fx0CKc|6ZwX$X5^bqztRs62eyM=rlh^mkQ#FqoWUX$S)9q8r2wFBkKi8-#IjDgE zpHS(9`zC2`WjttN;UK*@soAuU>B2mL#ddCcznUN$jz{}9P-^bk1UNR{Uy48}i3n7F 
ziEz6$Tk?r7=1Zx(02=qKU1+o|hMw(U8K%yN_?AEFT5T4I0$@Pv;?QSm7!Y2Rc1-pnK2&8-x z{QEdktOq@Rq95i8kntl2Y(w_q-^`FyR3jY8NDZyylo6ANBdr!>4-A5+EzHrIT7<+#Njd5}9TGA) zJ93e+a$>>1AWf5^5TcSrgMUV#DLqBZFf12oa`u4!`#~yy z#2<4?zL|nkFe>3Vbkpo`N%dDUJIT}O$G+kD(K0r@As=CC=Tx8I#X)ju;?tjZQjNhq z=Pi3U!Xz;Ci~F|KpKfD9wl@?|Ztv~l{ zR-K}%@-?*8_5#>yME901!9-YMldU!!Fa1J&SVbCnbLoxhh zcOEP5gnnl0$l&i67rqz{UY{3gpmDu6^ua-hzKKXi;5X-Rr|PG4*As0GGa5{a+Vdhq8)d{{JuK$B zqMu;ibg_{e@Z~?7Sv+d@MA423PSgdkH`D0Lr^%AyKS|NMmc_m+0ld+}iiLt*ZIJk3 zVo=SBzPaRZW+{c{pJ5M?PQ{1|1I0Gy@Tyz#b8*fokH*1wl9j>xk?P#b215_ZwSjBl zo2DYDd<2&0an(3lcS}UV8Qu~?l7*dJ+0@Q(Aii%X{bgiU=c8F&vtufCcN`X^)tacb zDy1z;UMn=@fFM;&D*TC_UY3D@VaZ=0IFiaz?H_VA(SL;m42o98%+{#ELPQSAsuIPY z(j9idH4(91uj8G?(lU_dY9oYYHTkpytgmpcs6jka#VGy-&lv&Ae86Mn_FinvNGS&N zcHh=vn7)n3#+FD`0&9GuZn~L72lDw3JF)CXBE8I6kl-*UMM5{*e_QGQ&^TQGp>e<^DqLOX5jdMAC9jL83VdEWzx&K@9g z1r~D=x8`^IPfg!#*uUWUqMEua|!=d2unNbU=f*M{%D!kemexu4`pX?FjPnh$`L-u@^UA|Fc=8Kg#a!olR)C zOf%~ylhE;W-dW=e$UBthbM~6v_0M3In*`ImJtH6{5WAO z@bu=!Ao1`gckwmTTMs92nw7bZj_IMF^Pg{e%zvv63hK#_x)#Kwu%`;x?%|(2TsInb1QCTT@?|KlB65a-Y6eQ z8_tUMPbS*A!M%M&MO|5G!>*N_*FdYrou9kaqhqRlU&fMnNmkl8!8VipbEif-@DQUq zD6D>y-GszM`rf&5j(LoP%tWz>pX$nr(zXQ&wYr_<@g?WpsCbQEE9a6`zpWP9xbPt% zCa>%yDpOpK;vNd8(wmBC9gogEeSI>;yQ*qb^mRhz*7Zjel=LaUi_?wob!eif|8vKG z`0++1ieB%i`IryJDB!$D8i`2!Sx~9Qi<5l6XTmxv;#f?sIWG?b-|MeRHVCy_?>6bT z5D)AA!pP%1RQK}gt^XXjyxwUbXI3<#p4z6ffR(DvtC?1gH48%nFEsTV*}t|3c#R79 zXPfQyot)?M0K$K5V*{Fb6i{c>w7-?g1AO~m($Sq4l3(7VMSwSw3c&FQt#iYk|0W>1^NpWysr8K;12B<&A0huuXEKyjV#Q2qZS3n!$X=1 z=Ok+m_au+_552kY?2G`pCoPQ+_0dGX!Bds4J~_(?!0}r5(hCwD)IXj4-fRh0_kJag zjn$7{4u@De9v`^ z#_&o@e|~-IRGqOsnl6Be6?&%m{{4GfTot&i0N^^!EUfr^*W#a>aRD-l+E%I$Ro^$7 zmIB1hNlPqTkinOtxKK?$p7_bFxduPPZ`|4SWXDTAnAX{#8QmcJb@-YH@; zkrnN5p|0e;Rl-u6z-tmnswzQoUvDayV*72E+Cvo1J;P2bs=iQ!tySrJz);qo8hegW zk>s*K5hQI7rMzey+MB^ghx{g;5zMcwB>o>So1XjW=HXFMvmtsi;Pp#jLLt;Enx#J? 
z(i!0;84XMt?G+@P0nS>M$m85CEO6a{#9yE+R{&YC*kFzxTsun)Eapp|yt7dDKW(5o2SwXSahvqVEm%J|4XKo=z05v(CFBhD=YR4IGW&t+n*%k z$}P>b7x{06FZE6W&Lzy~Wrl9#+di5C>Rd0)Tgnxz8jr9Gb zamj3L8fnB>b#(_m@Q&{Hup4*Cq?y1DuKznU(wewVn{NSa9#Yz^$A85ibt-1$_+euav!4~EZTKMm8Hc1VBAeb(9%E7R|Q@# z$=5#q6x`|`%1Ie&V;?aU;Ft@Y2?pA->h`}C$}F?_3iuNFCcO}QC2v6E4ljnd z0;^?9?BHD|@%2=G%}fnlWn02h2X1RV?f{Cl27Z>;(z}yQ?oAh|UzZumWRL2`22yqG z$Xrg$Hz}7^lWz=+)y)gxvbOPpVlS^|=k<(>uu&^3+tyOFBX&_2O8I3A47 z6`kp*N$L`A5hm!25*vx&^=GOiU!D}AQiDXESpFH&^L!%vl=IB^*atogFw27%6b??W z*8vtX!TxjWYQMgiA;9f-R&(n9Cw482y-dYS!*R`2!c>>Ez9_QC`>yW{$d>5YuWo_H zolnaE{2X2v zg#Jl`YBa5On*_8hAB@fAc-n8cA63&>)strLzOUj2)nqnQ8)Z*M!WlG?xyT~c;N0&2 zX>162Z|_~7wTB_;#~O#5eWT$X7Yq``g469UzIZ#t`iah~31FYWyT-H76_T+#7-XM3 zxnV2mh-yYb$DL@4&s}O-)#N03+GOF3<&B7BWMIg&(gcbjDgx*^Fu2--c0awNK%%un zBdtH5VDRWM=7Xou93NZ#J8-EbsRaKW>wl#U(?VjXC_Y%g(tO^ohS-ITICHyd6C4X@ zlJhM?=lbL8^a7P_T8RO9%{msyAF8`oe;Y&;Ej;t9$JaZ(Z6-21On_CRK0%e=ea3&8 z^|ekLE?U;)`C4^pAj@!<@S+`E~=i~nOyi*{J@j(Zx58uQWNN0X3 zU*VX6`_j*t9;}DLow!{qDV1Y`j_#Wi1g(cm;k!zIZ*t>jn~(dG-Iru7z!3Jo1Dy4> zKWtCmrvA05IsskrA<@v!fWBQ&XX)A&3Y&7Pyta9quI!AZ_?FVk0QuLpTyv4gD9xv< zRR%uofnrbn>7B`!mW#ZhmXZTCtiqO4TI1}49_Q+e62(FP$ z`4`>q6WPcDgKuDNTX*Q{&T(5d+*sBXtpz#HbczBIc$zW`3A^5V_|# z{H&CYCjVrW*(=WjNs03++@#RRqOboiuG-}A1h-yb)mBd!(RLGl?p7Fi>mwC`@u?)e z9+0S-IX-SDB3%7$ z1d^2$sbv3-!d7ul0qfnukfXfw;IER(F0EC)yajMs%J~{PBa!QO0)t%GH{)S6^BQ2{H$IEH5(Z*qRm{6ILddfOKBJuk-_Y!EXW2`R5C58>+6FZX9Q zBY$2XQ?Xpy!LM`y6-c(@JzN4Abl1=owjYZ+(d0&&@9Pw1yn9>d{s5dfRUTSr5f|uw z3W^;27X?FC3#fQXTY~!OgQ4saRYfHxafQ~ zC3wr63i$VlLp_&}Z$rJiI{Dpyq{uvn0_LL=#T?UG`-S$Z2)O3%(ZxQ+l(XPBeR%chC}*rC;uiWj@zZ zb>K=$qIW&|d_f01FXPMe#_J4Eh8TMs?WD_Tk&G_+CCuW=w|T*9ygu<16HQPz)P#^X zwd1nQV+_slsDWORV!P5yChD2LZ2n}AelwyWFJ?3=-oViF)kq8IH!1FVg_>Qrc5tsZ z-Chep@HJ;C0PXI$?b8GaKLyrOeSb73I4Do0GR~ztMi3mwXZ9IC9FWC%-8Y~jo)}=J zO^biq+&!r*;mO<^tZ5fEG`FGL&osN5R=-K(F()NAPx_F*{bS`}BCc zz^#e7;7HK;Pj&Ur*v@rL@FD#jf#yJ^nU%ya&u*^R7IR+=Cr(39H4?WJn+iaV5RS*B 
zg5H_JP94p3$Y8A+(MQUSP?^Qr;5Nimm}ao98(EX}ixu4P?ze#eKJ+|i6i$HLyZ1qLQ?Phw%nI}nmh_wWTKw0Y&4so`) z@k;N%nzTvv?Oq%XY@#?=na!V;7^!r@%3}Z|Nna$-dzm| z5k`gPa4Gre)W84Y*XIt~!JSrn1g2tgo+f7+m}aD2v)LhnrRLMXNvE)+R@BjN1yWZJ zy^?!YJ7i3tcAD&j;v4ItimKiuHojiI-l@uY(oz20k^&&9DU-A#K5H^!zxtwaa|brE ze+>+>uAl7&@N6-;WMBQ-4Orq`S=>%i3EOU?weFJwG}P@pkK0uO3nPE0{~b>zfTLaJ zBD^JSQ-pCHUZVAMle7R;-kx+(T+`2{NoZ+$G9p@VJ({ZEdg24&S~lEhTOIP~;ao(| z%M*!88n3raYLSrQZ(UdT_t#br{^M8NZ=uyj&UMt7cqbzz2$IGm$duV=yCJN%-?*X>ELHC|_B-)JI}j6_&mRqJ>pi zJLrQ^MORj=q-kOCt#+_XVisU*49PjKJM>Xh*wKyHy~$c#SzgdI+dAuLw*U_H-;@?N zf!eez+x$zd1{_abiCk#+@LoA{ks|?mdtRj{EqeWKosS(yEjjocjj1WxjFUmYMV}xE zPyO=J`MF&9**TrGk}AEza%|fUys9xKivQb4XcsSttwhT3#l;HSvMExp)!9jCg%+X- z*JAzNHny{op)bvZue^3~s1)kSDx+?Ni;g=!bB$|9m+IqTChHcKR-qE6dRZk8)LET0 z5(Y=jzH%3}vs~08dx}|_cXMl;#{EoDSElZw@wXh(aIwkAI4(V+J2x-I`pC{@v3T^D zq;kjnU@sy_l{jX{1%jeM*$!K)~a9~rx~ zKvODL!OJ2y9K7V&*R8QejZRvAl+#7rHTCr{X4En5FsryuR10AHMRFN2_UihDJc>@6rbwL6b@+RoJfPE%g@P2}`r9ukaA% zV=_Lx5UkPG9^LwFkSLR_`|5l(1f5{t=1*FQXWg^&TVC^TIPYi@H;I3=@4v84QhXEC z*OAA%&O^H&Tuqa76KZPYslfa7Krbgfd7(0?N&!AB_(LZ-A0u;<2uo|D+cL(8B9^Ua zCwJ$&uPyw4M15m)9pTz`+ca%#+qP}nwyhnrv3G3Swi`QXY+F0FzMS{0Z=L!5to6*y zJ-Bh9Qko!6hx5bgS0M|3)|CPO+Z)XDsej$_OZXC9hDS#aUY%-tk_&gyrG{k-026l% zj=whm@!j2iPIHWks%fYF&MG^=f~{&j&`<2Urhl=`GDva;+%(J2XT@`O(&M!#4M%nL z#4Uh!?^o@e2w@)iW9>9!RQ)Ni^Ju&^H*?DHg!~IdgNHPbauV!_YuRBHx(ssHy%=AA z4XI~m$$Xogy0_e$Zpk}q&V(M1G1#c*{b`1t9a-^Z&E&TC5L@be!!_$Na8kH9C#oaf zrkZr{gufLyIXWWEy^H&t=-gf_-NN0ZXj2l5Z?G}|`vk7RY<7nizuZCqlZ`b1aNb5^+6`gU2W!+NL+zQEP z7F>$uAuYx|*$^tTxc`bKq1D zg6qsi@d5x564xvJYz+-4ZgihIKD(EqhFNQ~9@?s=n46)G2IeiHk_it8>RNvl6YkGl zph|Sq<&N%7K8i8UIfWhbSucAUvM~@{tE-=UWU?&f<-|3_pF|@Xvxk=H`3$$KF>E!) 
z6#4w@*?xCUN1UyI?X~IG?;Gp}^BaiRA9Z~|JF3-q@b@VX9*Jl2Mh?*q&nO4srjO^c zvsYXw&Z&Db96et;0KaNUp`~QG3(l4e&98dO^lkM1h@GH{#Ph;n+wE6j65DZK1Sg9Z z=WE}X#ZvH_644{jAj>VuwSYH}SAVLHtVpjT%{9JPTc-@|=q8FWL!v@8@DsYX(#xK# z7qxv-UzD2`lg|62*P4gf6JNCb-&TmH_oLnLoe5F2Z973d12${ud-&@62eIN*nVs>M zL=sdPjZ|*_RVNE%$UgX~B1Th+##Wbm78B8uA1!R!Z#nHVjj6oegK9ZiUBA%i~I91c$_)y*R z=`bad{?2K(AIuTmV||@BEc(vm?H{BKH=dBI8OL}38IhkM2{f}*SqBrX7DmdqWmK}m zOR8nBER1Qp%y|Ib>o4~)FXC`1ZtDt4sI5_Qd)r=q&dkzOjy@uzuq#0SFn>s?0{^W$1d?0HSIX5kY!{IcK7#u zTEg~b_n#HEl+)2ijiDJFblD<5am^>TAu+f@mFDYmM8orG3~k1w!y!3|fo<5|M}v>J zB}g%Uh87}Lc*XQ74LBlYHRn%gbPm)3T%d_dh|oJ+kW<@w{Tq#J$@LWP!G{Smg$|Yz zO}8%(sZKei^N)|!&`OYyG9|)tZhSis)6#k+14q5tP1$EC5i@xxZ^9pGSg9m@{E}F@ z5l2Z#ND`C_=T#*I)tJi4MuXg3aJV)TZgl#-gr9Fd&);3V(KOp1Vm<(TM}R3W-%Fc} zl?HLwOGj(B0!KGDH(7@tgh8!BNDx6kg&-gagJJ~|TRZ-9cu$ufc_96eeY~3}?yzjH z21TkY)O$&)ZY(J`sXe7m&(5I1SelXE5{mVWE& z%ZG%F8$-E3!I5%}M?XUY?Z#W&-o&FIDM?#cmk}^h2z=R*DAp7+A(2Og777`jr6TKV z3z>*;9oSaQt0yVx=*U`&v!)R`l9Z4l?buDA=YV$AM6e!hqT5XT&_BOfR)#1k@skN* zh1G6MzJRfrkghOWA10g$8+DJ=aAoDj(wtgHhC#uq0Ml*`OK@MBwbr91+R%^wcDJ<` zO8Y46kKTw56*f!N__@rc0zwx6QIcx+WdUg^X*~lW<=uRP$n&5nI4Gh@4$mP$h-|!< z_6$n;auvuWs#y?@VLAfMPQLD#6Ol*dG5^fw$!=$5!c+zf649Fn4&f<2^2pw|GFU(u zRPsyVsbm|!!N(Q&2!dtyA zPgeuK(PA)69lKCc4I_57*v!_Fpt28j;2zxT5@F(dkCv1~fz@M<5V>ASOZ^g6YW%7k zVV53B`!zFHU^jruXAcwI;AvE9Lb)fd??sI;x-3QP4-1;RA{rn${oFdB8LF69sf75I z=-sH+q=a{fb~!j%22jpqSD_>;0_z*Hio@spC3FSnFvuRcY43p7yhMt;oh5U`?=yeZ`(^nEB=l_OR#c~{0nWi8+ z8N&O$y$eO12Zr4~Q=zr#GP(VWv`Mm$ zrXURsB6??%Y&IQY)0EL_x5i?|7)uzpl1QN^!zW=y%r6yZ;4_|$$~jMrFJiqiJZh$Q z6U&Z?t9)!YTthpDkTR!fgx?DZOBSmQvl95#;b{$?39V-6hN?S;5YjgK&e zYoDPO&shYtb+csAb;@Mg2Qu9b0cy+k?w-sQK)pemN1;QSIU>8VQ$6b zSW!i-0%Yt9+;euJ_r)oAR&@rq`%-`Y)QCdP)5y)-bO zGr;YZ3UFmCe8Qj}4y+aRxkQs0T-NDW%zP@hkXgJ$JsQ9>o8k&g0uk|LxXCo0$f|jF zLct;VXR z16h%w%bn7&KE%S#ayA3YoY7>1tz~_C>qKUii)2)NA)0=e9eiO=!*+352EFZ*Z0@=Z zC`Z+Nhb1WuPLa%}5sgyKi6wxUso=hLtWLPeL7IFqQh_Lm;Hq>Z*0Zp=bmGVlb27jl;sLTe#9Th4}>;nN;#IS5PEB_eR(KlhCep)k=6e6^$dc+g@kDz 
z?l&A>-!g5w+zDgfF@Z-ModpihAIojpdB3J81<5~m=ms?&I#1cZ8C|?Z3MlwLcQl2l z3InvmYP*GHbopT(5mFMxgez`FvjG zn@T0$Z z_>q4vqHRq6S?iL8$Vllr@wU=)yX3~V9mxKf@%fr?vQF(8-(AF+GNZ z?zDW4+HWEpbl#f#zToE=;gNH`mDgt@5?o}(;d~Ba!PsFN8X6A7V-8=_SCOuNK-j-O zz<0iW{O){Q(!U-(uR7oK30SKeY;0svPR@|Cs)YrZVa6_M^aoOV>Nv&Zb+;uAc#(4y zdHK_h%kQRX%Sz_6AGzF(##FG!(cWabBr$+{on*npfo?d zK=>OW3g`mC=1Q=3@GS^E9Mh79&zL>Pv%L~<1 z@GrpSOl=H-vdZ}^OZ#SYu(^}IS=v|cCbxZW0b{nLb1>SAPauKTJ~g6!a_|T56%w(; z@KmCFk-q-oNPoG}O*`>21Qs8f5oI5hhwMTvq(pS#@w!LK0*4(V=oO=4X3tq>^Dk?69(%U^P>iqX-_A?$jj@!=Y=&dJvBOQq2P+t`QQ88V45;pv!QR!}!V}3~up1BA?0W zkhW8#TniDs2BW*%xA`K;aEV*%(|{p5bhtX>=J>vUx$WPhWyzzLn-~7n#$!2wMg2nw zkgz>71Qn~z=qMA2{DI5HBa`t_XT^(nUnY1VYOa=K&Bki;yW$1%mG`R}vq7_-kN7!+ zV3K!UIWz2@stTh`uoJX(|C$~*XJ|(itKu+^6p9|;dYnH z9lBxaMN$7P>f4Eg(5t<6tMYr}x3ud~UmQH1?cP9#1$ZP|l|%BqPYE3Ej^r})FB$6r z`vTg@Ow-+TrNu=-`)K~(CEi27FMB4fFRS_|$HOQuamkxmpf7x|IEK*_P>lzQtJEpS z9L-OJh?NFXvFKlakEx6PIZl05j<+2wevFCVd=~lR%qD8kEDvAvPs6B6-f4mv8Jb#` zNQ#SKJaHw5?nq9J-PTZR;$MvF0VTs~=xg%lu9Fx$pIY;inaN(QH|IyvfkkEmkz6MK zJ1-v&@?%^kP^MAuli9vppZxCu6W|DMu%kQ+l&rv_UN!t+_YE)E`uUcg^!w~c0W$T9 z`ypS94_+?yKz)-RV$)PbnpGC8%T6h6X8+Av5lmB(p_NbYI##e&ehcsK{-W{a>OF!X z)8Ef|W;EKK5GkQ$^Uk6G-)E+3j^79l(plgMO%iq$gLWG@AI;k|AU$}F24l2HVEXO9 zVf>N==@lak8j>*#lJE7Qj~{nr_&#rp_|#8upSPdhLE#7l(cs;wnRR3YM9CNx#uy@~ zd-=@~9>1%upht+9cld_5*dc&Xq;Ip7mB{)wJ<`Uf2Z#iyc`z)Sp;|ltRJ9}Iko_`j zPiWk7D`w-et;l=VoWtHLYpKgskmDkTtZ!R2*(x1SlBz!ucx|&HmRQrZwT^MT;8?k2 zDx~sUIPjF$y%d`pV0F;3*~e))4KV${F=k3HcWk!^ zQ+7bBBBJ5{haoGwlW2nmR5j(TTJXqZ{WrM#R}08b=Xs+g3G7mWVMQ@=AA_iARC4T0 z3hNNl(8R2B4`&>WzJJor-rnZyaMV^}zM&YMCg7tBf#%*aefD&vdN$E9NRs;FUX&bGzZ#bKGt45CG+#bmG>4~|YgCYS4bo>fauts_09rJs zanW&l6(SV!$G~*};#9u8788wT>p7LF66bSE8sXT(HKWip*Hd`lnnG0CaYN|nU|+Z` z`P4=jG|~Gkf6X8Zix6kB5fWvoU49Y(M> zA~6yua(;HsU+T9PGB4W*kD}a{+>SZveXlgx_A*-5V2Ul1|2XXBB~)Pe9)>w+AY*NZ zL=u-EzZ*@gG>F-(Qw*7@g5gdcXq;g=es()lmP7#5u;7bgRw!PG>~#J#Djzw9rI9Tj zUoZ`jAwF!DMexN=%@nM{4}(hx#xj;f`;?8N z8v}|NS7xto6kLJOvDW*^2XPqqfmy5E6Pk9C)l^k1c)M?vwVj7~tzse}9ZsIFjPY|x 
zH3mhEjg-?zNbqVhOT^b{>a~Zo^~EyRtEMHpZwcA8O)k!}8ym82@3?GTWzYL31}~z? zHBAMbykHfg*#8`$h{@KqGe6BeD1MI2pA_#y5>^9bqE0HAtoCGA%6wB!iDDpsh(!6< zz4`v}cKJDCy!zW~w5vU3gN{%~vl@jUI((?})xKxj-oC4!+wVz!lXow&p$R+&X*`Ut zB~e)&hOrGZ;I;1Jc$lr?MkRmE7+Kl5i^JGAIPu2SiN+l8k1lKuZHdC})I4`Bqd*x* z1wN8vmW#VKbgV#%R^jSM*q(d{V-2)iFEF)8%v*f5NzDF}XyWL!if5P9425r)Y9kLO z2Tiz@WINeM>o($k{-+w@R zlxG8Tj_xFX>@&}wU*2vD612Ho2yux3ZtmO8d0jGLp~)E!O7Urhcvwt$_n(SwZ8Unm zv(mcEqx>L&tm2>EUj_#}RHhH-3&Wu_!q05P286HDE!M334MCk_bQv$Qra({l!YO|h zxBah3!>$!|9&2oibg6xuEgatT<=3FkXVRR?&GD-3pLWN%Mz6*9=R6LH16oOKOui28 zF5n}=4qukEX)(TkC{H=R`YolKgG8#>QBn-n*c|e(&p;mvfc(c{x z1wEe2w5oOM$itCEOqP#RLcMEbC1@eLhs+JIV>r36U2czbc+^hC*9*-yhuo=t>D!q% z-x2ab!cHHFblshhw6&8q)#nUt-sA=8a#BpWc!4@PjBIlUo2-W>J}tA&lIIHvJVUsC274k<<4{at7h_*2$;H%4uQG)!?ZsZN?>C zNh>dWKeuL3*`0m2s@c)`L?h z<7W4{m~8929bWD^%@GB<5d0I!!x`gF1}*RVb=;7A99`IN*)o}q>&G1feT#81td_STG=S^dtTa+ja{N*LDKeTYcht+XZVETzrGAF%Ka}@Ea z`+EwHrJubf9*vNr2J{{jvMze_aKdQnDN$#2>R zYWmICgDMr(<6sj7a#A;kU7O-`oF2`7PyZ$ITU!NyYrn@yZUy{qy>KWjm9dn%QayQ+J1E_xgRs2?>5aflFQco$G;sqlXpD$a<2{pnh z4=zt64wWMqX)m23W0p12EKPlMUWhs@)n#%s8k4W4i5d$M^=< zWv?nx!6g}W?hCAh0`+a3&c91Q>!?de*vXaaF=xU)WIl!@-hnt%xM;>)1&Qe##?82` z!m4@Pk%y-V>+3S6zHn{eNsV$8x1j^-(tiZ>E3SHhw8jhC)C|c#CF)7Ble376O9LXt zs7_ZqMm*hN_s(9}kP_!G|AMEa` zJ!fe$pGv?-h^kQ~pz#(QjW6hAgoD40w)e#qv{+*O@rM#ulloCelc7A%7Q7S?0S4CU>DJ}?2`iBWQI?-8>-a|esuq#ErNsaMPRHEE$u8Yv$^T`GjAccvANw};V^v4w& zOCV~>i`%rB_6G&Ali`xs!y@AkL8td|fWldR69eo}O5V06=@B1}4 zuBhmLL%iwivxlBb?VP+PIEv1MG?lq!NewgC8Up8wVWvJDzpEF)L$;qZfMRI}U1$?U zvFdE+NF%h3Id8_(bVjWTTDX#B$CL9M>ESIU2kqI~B)?iF>gr#tQJ)3<=P6egCSXfn zV$JLP(cTW4m}7#&ypwRNomEI$8SQt?CgkMPiQ&fpuy9rR%`7`AnBI#i;~yYyBTKU( zQEBOXC#i6Uu2E5D`1srYE9gNE$yzqBZ@_LmiDS$9jHJK9UqPy7948hb)o%dP= za`wSJ;-{0q?m-+OTQPLn3!yHzlBqrnZ65u z9dNZMZevR0PN`(*aQGgHT}^VRMv=uA=T?6_o%kkY=!T72wy7a~U+*JfCJUC-m;7(p zyGTQ^PPMVEqv{we?i2iVO@s`6W;qoYdW_7>EUg0;UxsKbs&z%ceTtZEcoI>!pnw9D z7x;BA%lV|!T_|CHb}lHGWRVhr0!j;WW$cO)H-Wo1uIN}m-}catiWx%NiDHf2cZ(S( z%1S$dHHrw{+oG5XUxQoLsYB~Ci|@ 
z(OJKg+%w#*5J?K!Xce&N=Gclbs=baXDJx1_FJ#!AMZW4b3O*pU@7wK{7@%bRO<4|V}G;DCfS-e zeQRvn)#s915QOt0=W*9*kAJe)0GS~15I7_ME$ zrP<&9?I)%m_G7dQbm=?NJNkR{RN`np$IOXRo+%eCqbY+Crm9#zv8uxkZk+vMH)=(% z_{|AV@cx2?Gt(p(p|ivF++1I#19ak%TP7@w6&Mls@oa@k88?4SBc^4QC*jn?Tk% zH%u`B6woa6XCVI}A#J@P4(NJ){5RwL`j})vlVYMm$S|Uy|2>N%D@WeBh(rL5s>cLm z1_X){;2LGR&Tky;L-|B>D0AGOwJoQFb%t<_%17+P4a%9(tq3?LjYtf^Bh^%YL(IIY z*n5KFnzn0co~7b6L?+LL{$1xY;g~HT%H`1N6&%AhxeFvhdjq4Olem^q;voA zsceY+Fg%u>+Cp{V?h(N;R$J#ie1q|tapIi{e*_xhZ`!pUe=Wa*q8dxHh+IaOOH~mU z&5m$bXpY!B8NSIvcu;w2Sc`BfgnXI(NV!#YSYIT!EvP*zdndonDUY=3;aG_Kg0@V1 zU3Lw7^}HiY=0YKojVaBaNp8v)p$=zXB#>V`>@VLw6?J>V1H)_eBm0i=kWD5YHC-`W7@9#`f=EmTI2a|n>YIvBZb|kEH{=19c z2bDu!;$eiqz#vhgsH_xUG{Y?urD9~newB?*=an`qe@$)f}8-VXn_?N+}uFqjc{g!$8*M$XhDM)Y>G1lBpu3v6J{! zpx3m@>milrm6w-!NsR84lPFh+MvD+vt)wW+?1ZW8YHNUf=Mj)b#;L{iL{evD&BE|S z;h2eTaFOkI%Gp^WVMLzLs0R{*j|%bG0<|c3I6|Ha2`i-ZKW0-sEx+19 zAI4nLRVU-jh4ktS!+$<_2zh>bHNb+y9#77c5G!9&{|s|@(a(r>QG<1Haba<}3loD! z`|3!KY2 zsr^k)_OJU%*S0%JXar0-<017n@%2y^vA(>1a!)ZyviC*1W>^L3j|p-v(!+qg_ornk zQ(rX5h~{uo&Z<8{;quoeV{ggN{pbW+FthI(f(svRkY(%if~M1vA@$kiS@z$JFP>DN zymmfm{#%ou>JSP<(9b4R$-5=<@gkAV5K>&k)bR?ZG#)|48sR+HnZGYyoG;e}HUJTw z?@NptmSSmw9jLd5;A8`^#g6Htx9?`aY___=cz=7H+k?+>Q9#B{bLP4w<7%@TZKsR2 z#3l)EsJ5nOnLak-o^O`PT7)C8CGHfu;%%M!Mi}urTuT;+mri9jTiB(yDXp@I9n zZWRC<^eNEVhga$VpRZQX76ujJC22?8k@=Q95a&x}R z3g1OK6%Fh5zsJ)O;m7&4vE z+drk0$DpP*mZklF8d%-Slxpt=<2hp%vZEE@EhXF znrY>oNabt#+vcaC?WL4eiryPHmqx9jFE?6T+3&k0QRs00+w%Wkq8`@wS)E;ZuRKz) zrWTA+fJyFV+^z=k%@3e5Ql7ML>vzjuu0$~lr8H2b6zlgc)gX*4?5!Iy#%dmQro^OxY)14 z0n~Bb;h8CE-!rIv={<5mM5#tP<>hi6;byv^ZQpP=0b9;Ra?d0rn25^!We1u?TI9DI zj@#RtGdbKM*T&8i3tTL8b4=k=oXz+XBC zAAL!6uH+_DU{3*gEBbq-_JP8!9;}Vyl7TQv7oxRb=Te z#K!#zj{Xxc|E=LWRG`TlZl}|a!h*=}jt!@0r|$Lq%i<}g#@V0Pt}c(v|F)Pv4F5gI zl~sQC4^cUSL=O#@rezz5ohs30i*t{-M_VNVHd$K z0%0PrpKUaL^LF{%mGY6j3Y)3R<9G4ShPvk9fB4jy3p@*MRns@ULmP>czXuB6Rq*k> zmEXQ15r~S4!ob5b5={|@7Zech$;iqU<>m_b`bZCP{P(Lr6i?u3Z7&>*fPZipfSyRx z@z){^v!KW(k%nz*)JYe`;HdHnn~1VM 
z^l66NHhzMn*&n_$GhEUxTKvG6t;3iKns7;=fZHqF1enwSI5kSNC3YJKQQ*&tUh)=| zN)qXg<#(cRjEd);e#Qd0qYW<(BafV6J$QyT13{y|s+&4B!XiSyf)8Bo9@QPa&dAT3 z;gptDHRl-NKkfY;TTJkj-eQFHGA*z zojNErTJ?w!1ga__5SiPp3Czzkky~06vYlivE%{28W_^((9Q6rbiZwYr z<#EvuhCEibkCTMvf{dH|Y9_U@OH19ak7khBc8VYPBHi#vS-L`oK4m}sz}L#1IC{LO zwcwdWJ9x;af?O@E%kz|UK7B`yZXQVmNc6qkiOVl;m4k_d@27*hun)xMti(`;-GsYBTpQ=@x zj!xF$Mtk4k&_pJ)Q2&|cq|={;cJj{xU+(mBTU+PP%<%Y3j2#LmOq~1Pw@~|%nJn|k z#-(D%t0*#aApUNcbTSh%_!qtftZ&B8kJK=U(_%tvU`%+J1E3XXJjAwd5^U&u%2KRu z>-Z2|Ts5Bn&c7k(ur)9oCy4Vh?zx*$WXxFlZh}>tD!%MT?+eg)u+w1fD?Ap88=SVEoJh8TSbY#elq9N8OFRzjU zU7YW!`d(iLq8n})*VwcY$j>uU_4RX@_(i)!Jj=4XheOvX#)NGV;vxgZ+)O!I?4J!y&14PCI4@2PE7vXLtMYY+ZM^#0Igr`xdZerj34;Sf zMF&}$B@d)8=w>0jyiS!lye86vPQ`+&l)4H#3!4*P%B1feHM(93Kd{b(5!F{heePJv z02^#UREp*&Wx+&tEharGDdfg`=qcnmo)r;%`TbHZ{hP5WLs?zKH@|kLpaxvQAK%*c$C5dH?*qCh&Qw z!c*lPd^)wfF*{ou4x<=7%=2R4oQ=WXJIc$Y5XY+7FlM7XrMrlU4$Ur^UZcOaL#s4pxdpIc7!9#_`mVnGXET}c+mVjYzO1j|!)Ayemv%ANEM$&I!` zzs2ny933%I;Ec`Bn#eFYYv8wqMJq}(NG^~yGeo?+a1jv`_xOLqB$}MdR9_9qvdkm_h>JO5h zj4Nz%4&PDrYu3l+dhyIvdlAhV5`ja929+1vT$pi9Y{nRSQxo^t>S81w7_^2bEC0l} zsGdM|xj!mm4Sp4TQ*0F)Zd8dcV+^jgOho1NaS?^w=UVNlMbt83*0kGwt4kin&0K;W zs?Mq}d31ef^eg=rK}@TwYa`Luy?cs8u*f$xlMiM~5p9|CD#*|JWHt3^+35%@YILTf z^?~b=)VW3T@N>`~WBSw7L<~$LT{2}~a{eBQoNll2-TgY_Tr80GNJ(Q- z8BX`SDVj!;D44eYSddDVHfuidmxIcf@ii0Oup7kAKaqV|WVUd3>E!Bt!EA?9tl3(g z+N2_)4Mtu2ax3IIhQ~q$Po)`!pz$y8&MeQ&oZsJI=CS%Jp}E?%7c##WXK48N$fTZj zcC{VXXQ)Rc5qy`DZSOa{LES-ji?kgy=a>faM$NmGGw=45fT*9yXte)!o&@8zW>J@i zT6k4c+TEESa2^YNOo9-5ck=Aw1G`#HeG_4=(HcDW*l={uQy+%TWH#Lb^OME;vSc;r z7yM2j1E|v>Je_|-N848F)CJ%k(K(o`Eic;?FkE*d_=_($nqgAQw<+nU{uxZO&6ibk z*lbA!9YTT9GEI_3><_eTcTcljv$?SV!C;=@sX~5o(<{<4RS2yv*BG|i!||fG&kkc$ zcJ5pS_TFI1_oU~uZD9!?gle?e ziz9}eE_L6M;VA*m7qSut^=ObQ3b(H;?o{zS8pH{hZ=p49Yo}d_u0j#rGRk1l6XCYu zamxvHljW%DPKiE4Yw(`@g@f11beXmEY_!DcgpGC8>MRhIabVF}G*{-Xq#&NUpyqo! 
zzNA@oCMs*p$3BH)&{hi=?(O($-%{abO%8DA8#Jhd4vv4>BjvU*298^Ci)2eH&fOK( z(_vCe>#x%$Q=gWZ`ejLAT$<8!$pA+ zRo%fSt!^t^xR`ZKf)^31(0LfQbDK+m>|;Jh$>4oaQ=CQ%_AxF{lYW6Vc)X8Kk(>MF|!KvNXEwUyvERnR(>s)t-sIQ-2Qm^fp4sQy&`dhb>wRb3OUs>VC_tI1NywHb1vER0$c^0tdi+&*JM4P-rw0` z02nwR;(qzSvYK~Q#-*JoKWeax=TzIAX>LEC$d(TlRO1?_m)M^pJc}TWDQ)|=;IcDO zOqcg4Aj^)2FRJ|q$Ufo@|4h6TDgmJ{3;PW=+cI>+~^u>VeY23%2I*pjv_=DhX$FcL9<#u2-9ii1Ws)3!59r? zF)r0|61^vNGT2LReSUe&>z7{QQqJc;NK$lG_$g1@lHs}xC>gef z6iTu88o{<{EbC;8*X+gLFK`#0l0t~>+k*G%;Ku@wf4HbikH=NF?}&}Z zGw0gw0pk9@Xi`ghyR*1C{HTMvoG`eqbs`2#JyBgt}j9-KZzFhVUd5XSt z5Ueft5GhVCJ+m)D?E%-zaIQH`hyE9Oo1Ys-)$8ifvU}fVby+n!6p>TThTYEqU_XdK zxn2)c-BY0+mpw6iSrnOS%GPhf#E|ViKxT9y%hW4r58-0|UoC+aryyb#b3!yj(I5!B>tp4$an)TO90LiKQfEQgpZoiW2CYF!M?Uns0Bzf^u0f$@@4Jpyw?5C()$?>hci$c{o(fG_v z)AEBlPzU9Cor`)PhfYv1L`cRvSJ%wH2~a~56MmL{Br5L5!R*e0n4gI||xc)wMh(4}}8piO_1Fn+*w8Q7Ws zk*phmuv_!Pn9#fCNz6&#me{izQRIcw@i-ONk~JE6%){f!2Qv2j+@^X+vz`S26=TGE zjC9i8(JnzPxo>eICS>g$9ue{K>p}8|NGQDDv$me!E0`H}Yn=8X)myfa9nEG$nK~1t zFI{HGp0LtC(d3UKlj@+u*%|clxX%~P@hG1Ws;TWMJeL`L#zGNr!1JO{M1RfAkRA0d zQNP4k6#}0+%kPiN>D108EdI5Gw;dl@qnz|3>bq*j!W) zY+jxop~({_bSM2@50wy0Bib3idU&l`^wN$sqFgjxo=nynlNY+Wj>A;s%>-qU$>AXG zRXV1=8n37zW-g7(xuUeWqO#~xzNvg(z(uW$SW;P+5jSIZ8fks3nz|wFIPtx5$WkErcvRvpE`|>QRg?6Bn)t!YGyd;4IA_ zsdl|%2%u~R8z!t>V*_40!j)xU?isM$I&E^B&1tT82jG2Slg7%5-{RU`eww76!~~~o z>k(gZ(dMuY>!8d&CDlSIr~PaEe7`>w>D17~6Fij_6JBFUwknMFPWu>g*OxILKwj*D zXJBkNU7CUmk=!;nuM_w|Ell{V`Tb7cx1W3evN1YKQ?}C8ypU@;z=p+?$?2@@?Wkz; z2@;3NDibqfiuXRboyo4WU|^}?Np;rMI-BA)^A@G=MIq*o`z+-|42I9#JSqNQG2H;~ z)c1Or{D!KqE06;{YSC|A*I2KJ5@(l|yOmv@v|8*Y^9B@Z8n8l#-{HRmNE7NPa3UKw zHNUUN$19-8oxLjX_j^ou8jr(pBk3T~iB1VcO;DI#eD{#>2*jBPp+BC<`a>moA7JmB zR`vZ&?%*VufEb@Gwrr5{u7f_-Knp zGI2%)JGWo7{4rU4s`S2n+%%TO=`0kc4Hy_3Z8aP-gp1@>F}hnm+qhj2f0X(z`-~Xb zIEZ@HU@>B5z0fkaObS(pX9*&%+|s#>DCQ~sei_X}JrE&T-~Dbd#x2n}I{(7+K_WP}sW}ZRV5zGEnE4jTDr&SjJSv?SbU6$ss;TJV z4DT$NT+!%P>pw_J46CJmn2j<~7^a1wSHtG%*1DNyvvs*+6qK>vl@vsMR3Xk-_>32+ 
zm3NbY3YDmX1R=GPc{W0FRtVEr_w{MHA1;sar!I)H6Ztokxi}xDCmNAn?qyVUWeIyj z*wL)b4iWT)O@v&e^w>-+yew>lw!bPVH+6c4^HLdbHUcKJnQ=oi_dj1|0UJ)Ga^Td1iq-% zlc%7~`^|{w$(zi*`W>mWz_%Y;20qi9a67v#M%_`QCxwY{AE+x*zZic?x{Wgvh;HMe zBoR?eQ`;oYUp2j{_w7zmvkX1+M!0Qj4jn#KQXY1T{5w~Y%07U@p|EIV_awL^ncms? zlEX_7sZRF@tQjm=$=uo5v7-{0T}ARB-|}xeQCN)>pRZDamwJ{huhk= z5;ig;wydimQMwtlAp!b6aH`)1CoSYo_Q!1<*HAa5b9+JMS@Q^sEy!Z}v0~`P$w*m} z5iw>8f8J87&vONzCy&qe(GQmXf%Kh`9a;XbYPYDAD&iP+$rc@Rqn2nV#V=Yn7Uhn| z^$jZislE5LE-~q%Na}B4eB2c;CaS5EShmR)8$Fk4aT#QDze}fZiI08j>$@S8LHH+n(6Lo?)f}laL^WG z;*2TL$YmcO?e$mNy{OeO3YE;Jw4URR1GE>S03bSZbEV|l?M z4kx?t>L;j5NJ#xIzlvS7tK5maSb+mkm#3L8FlFC_&AU*v+P?KA zB&p4>j^RVde=^rhG(p9+pBIxVn@3m~s+bs)Kc~e639>dj!PgEwre4-nuv)CKZTYyrV(9vwFQSTlKX;O$( z((qiCfd!3jG=Jd9fxyY0P6Ht!63AXlSRmqY*7(xnlD=~4D6yUzod_E_@6&FACs1M; z-ST5`-%~iO>thTZ3o9uJH*oic-dd+O=RCsYzID;i;{gIO@k@q*jG8j1IzqI4)HIsW z4atNEcQhQbq`Rbz)*kQ$Lre;+aS_+ejFNB|w*SOAc$3z(-l31$V7O&rD82D|$j5T6 zXx80|cbR4QN#fCH)6^y~5Fx#7A$9zSZrW~rET-7gK>CO2vHbp#>3H<%h_Sr6k)(gM zhFebL9MD>a971A=-nEuX$h8R@kGw5-o(>{B3MK7&gqosYc_gFJDh=>$Q3i&wrl^7# zTAbSrL|3f7-Dq7wJJgJ_Un4plr7Qnl9Q|6=q+>6iU(}XoT=q4)84)kq;g*7b4VUTCQMCpL^fF?(Y{@W(0o%J~TyuF4g$?FVgO1nu z#wNEdp;9wiHjp&z6ay2{aBx5Nja6zn9O5fqDnxh$irb)*IkkhyySCGxQB)(*@Q?}I z*y5Jh7HP^BLGhLR{i>7oy*<_oHW{O|0zOam9`lRTBih5LyCYby#|S>^iXtt5fJk0* z%6_LAK>D$Izu1HdAtm7AXS5UfE{5K#VXrb_HeC zVgD1xG_r5jkyGg?w}{iL55d8~-ojvp0awGoW~7ItLtl8CCNA!|K^_^hO+AT~Ix^kTM0O4BMB znV7|1y&5w!X!=~boo)(Li{%LX+mXN_z)_?q;4ZPUYnKm)4BMhriJKBIz7mI z<7FLQEwa&cayz_Koa8y6v)sZ%X zE#aafD7J+W#%(d!Ht>-R{L1~ zGg!a31t;$d0fjt^I&2dUWvSd8O6`~*!uOP3DIhuQCg zvYLBGN=Xp)=ykcl{J|TO?kOH^M3C%B&v-F9gk%~#^?I4Il?rR7hxSQ=#_PuVH)Cez~*8=SBXlA#DG1X~MF$@&$0w`*Lr?nx_A#p^%{O(qZ zST?-k>@*JwO>|B!%wLHzxpN7RUN9J5n{d}Czgvx7CAl(2JkveAUn`NxaYejV&}}7f zEa>cs{?>(6H39^_?bXx>NvwZ=EW36bxJ79o%$!tTX-uCwwjPUZ+ie0FDHK!&1zLeFObqUx(LEC4#iq5+pBlbJNP+0TT1sIA+*HG?7RvytkkR)+Vh&GQg3F4E~-@Av^i z=0tk;)JbNt1`noaiIu8G4bx#ReLi92+ScKbZic|ZkjX6WJP$m%y|niO7y)4y8cfS` 
zO&;m9eI$-TB7uSZiRv8sk-ct6x>c9l(RA)YB3uLVvnfp;?QBG?3+V7Cpa`S@v`U{j~QK=6!Z?zTEQKxXL zHT(R#fBQtDx1N!6>a|3-rReT9fE%1)oUOu~gqU=1$xT8-R@Io7#4khA_hX1I>ciR1 zXF%ZdJL49roJ-HBv`$yIT*K8q3S6(70nIZNo|7-Ml$=o_|j`1e%RI!_iL!1s7{~KnNIvvKo zB_B7!wbC-yc&*JIubg1D_SAhuR&ujKpnPiC6r zYr*AItoStj=fguTJlKdRMr=1r?ySi0`C zaqTNSxNDizqhm$gtq~6|-ie7(79dkB)=?z8gfu^69>@|GR!quW$_Jt_F-1LnSyv6@ zj}L13)Uc^$(~-&fcG_{NQn7`m3a+^74Op!ZfuK|7eATe2~Iy>sOhK#lKN0JA7U`EMW#`$iawsksS85z2dl8$Uuq4jL6tP7cF1RJtL;T@g`cZ)(cepKJePR{&5w`4QOUluf6fmd7f8kfO3~A6!NU21NRv>a#Hl*X@l8qE1?N*dDN4iR)UaC^UTrNR5GT$Z}G08;_r+PNd z4f`5#Zwl1|rCs%vK|z=LC9NG17s1GfPcU%`(drh%CCm==mS{H1bZ0mP9E<~_HCgRn zgvcvCn37p#>zjK0i%(=6l?*+qLC_ugLW@Fjwe>gAJmVDFS|ftJ>~J{D{RT}b+FB&t zMKbCas(2L#1b5A}vv-iD5S@~NO|8LDSIB^so3Of{Yc0FF8{QRIYf`d}F9b{Ev^^iw z-{1H6^_FULYEea{g=Xswn*gVqL_>! z2?~_HRwO)SEGAC1PjNV>s4rt2oXnOvFwPcwn$N)&L=kdyQb59)g?p;Xh_ek-%tQ`{ zjKkau(BlLnv8{|ev;sbGCnrIb_*hiPpEh{5S!T#v!~&B_>_oXlHQM$*eKCo5tlCv4=J%cNTv7X@z=g;jlx9;jAJsI(i<>n-(PT9hq{EHjiM zJla+}-!U=J;-b7qE(vFp56T*44a>}v8r&{{=g%_F<46or4>WNxEfd&zD{Pp4LS5yp zz)NpE@6(lFW+2}hMNKoit4xE=pP^pG!_Sy;wL{*9t;jbF7b4p8Q$B@M`j*A{XWqrI zec;Hrx}xU~+iE)Mp3yF4CPWn%pHjW?M$tEXuLnZM5;2sAV%^;P2<9yfylDConnfc+ z-~CoeABsgkZ+*>Hl`Rc#QG($Qjcx~RvM!8E;!FAJwzF=fkhqo_5es~38^xCOm3Gh8 zI29vFsX8h%AEJ*&)iXPch8>-7Z7mFJZpqHhM#p(q(YqHiC)nN6wYY4M)Z zfY}e*+9qGj^W{(X_YAZZkrczNpr4YEG5dEUdai7Wx=PHpZi7!&(ae3+pa-4X*ocma zL5O>Q$AI_77x?KP35qsmWn)v@ureO~@1wOgPC6FXK+b&zb8gsTF4L4>1&I2!LdSab zteE8;aHK=2N(0)l-2Z4d8SuDcdgwA)!d9Ein$)kMN@8@Kogc#CglB^FKYC%fF^Gg- zkNt2i$j)~))#x*WbT9Z%oLN(xu9v=|Mt*)+q0BKZ&xxP*{zU@aD5)rT`PM@t8@oQ` zRtYvMn}sxBD0fcvi%n?q*v8(xl1E;!^RPY|9Sb)+Z2DVNb376EfgAN+-*q8Au^e$bi_&OYYf>u8Gx)jS z9nDjXMKIFVi1sNhrgJk<^of@fR0JP|h?@*cKtQn!#ASJf=K83hOn)cq%BVltkBfit zoK~W5>^gw!=MVfxKqAuMwg{-c>fGPIi?@1t<-Eog^+`n&mupuf-;;6vNnuO-Jfs-U z=V)f;5M@3L1j~a_9wu7Pdy*P_auo+GMY%a#UHLH6su<`e_*(nDY4{Lw0pb71F{&oN zA3CG$wXq@ZSjL%&)ZX&iscuBXPB)$A;j4$rMzb(&DFb0QSDKa;nE#ODq`=k4)#agQM_tJdtN;_D)kW#kNw3XJD^8+!ohc{1(b? 
zb6csS>7ub|CK(l!x6=TDt0rHu%>^kgnnH?4(!4l9xw5Q|Ct;|i@Jf$vOwUB>P5oZp z%?BFi%iZZp8vLxDzOaw>HGB4-t%$l_0DB<~HtOFKo2s(bhPym;!5#?B+}-d1xG|j7 zjYZ9nnUasl*-Kbgp?i{SeevVIDp6B0kkL{{{{Ag9 zUUe6N2m>Hv4M-FlJGCidri_7hpkrmt?tX((So zBxB(W{Zs$lup|x@Hb7B7Rm{>LroJSl5?-Eda%-j~Y-}O&{gy{{%V3pNBB>?{E|@-{ zup0g_Ef2CpvbF-nAo!`P!R=VHdv3zqj)q(>84nd#+Q0^`rbX1a6q80z@YKAPn3pS} z_`tX^((2@-l9EG#G{C^YtS_Qo5Ctm7=KYj*U%)Ma6I>SJDCnE*eqeoI;WTC4mE@6>6*h zU=c(=`WXM=A^5@nlbM$A1b>8jDcF#kgZ)TVaLf3h(T1wL#IEjTFc&wA_<;jR0}&(n zq$q#Mff3etrCcuzBWz|GJcqD{Mek%A?SU=ous#E;wsnYu2MdyNxxK=I*Tjn%vF1dq zzea|zW0cMQ(73Bbz$@-p`ezz-KXu``WWgt+7UTOhaYKah2plh1SQlAg;}De6@P@9G z|GaQ%o?Z9>sFm_;P8_<)n;9su_TO9iUdU{PQN?}VqPlDD9hpQa@5tDc_VIw5O&4rK zDPMG`Eg~)Yy=(h3{?y8~;D$J>bdGGG2o{})6#qhEL`irE!-Rj-7G=7j+)a(HLGO{% zPcMq4b7V+Ou3DP0KlPZ&Sw^L}ZlZJQ^nJPfs)j;fVgEyyTPNu5gn(+NHMX>V7rk{$ z(HXuK#Y^{F-TVhs=`L!1$K_dp#&<$ByIG;v1pr@e3!EFE zdXSOu=z!DU_<6oO>q#;Gaw4IIJA%%#l;Q-QXqqo%ksL1jD_Xeg8gR>I&D@G;_ZORP zcVpxYJ8yJptc2ecS(r>v1&)_z;`L;qo4V85Z+~eq&+Mf+;LrlPPtBeC$Wi>yK52`n zBPPsho&dXFqN#LUBJL+X)A;-`TVpAc>3)QNFP$_TRzfF5td4rxFlBvc@ohB?eHD`} zs%IkR%^GIc$Mip0!<=G2bb8DK#I0#&)o3-_bhDDW9vY{X(n3{eF@0N=im@Juv?pFz z1m)FU6G3=STN~6Fi}vJy`KU}OkVm0Ys1$&Yh5=d+|C5{MBQ_N- zHDf-(O2YGxQ+DsH9*^rM#{7XEDsPA|0s8RY!}CAYR)?XBkc8x_OhRnSOGLk}e7}IH z9V^~dAcGI3u3pm(AFSEv)UY)fcVL(dEE58MvanC%-4R!%ZjJnOM#NUGaMz^`klfN6j*VXB92|Itu;>n<&63&Z;w*y~Swp{zwd$75mugGPd;;VeA}xM%E!mIY5#0X|pEn4w7Y| ztTDRA(S0jIVh}>G2r1zuPMGTSXmnmQkw`9fVxE1JsgH}`AvgJYIOE|r$6D%hEAD$+ z*TmFg6R|~(G>)fbZaGQ5cSV3m#5%-Xl)M(5g}-Jd;_3pY+OOr^yoZXYrj^bqs-&F} z`4EWoCpyYt5RtS{D%qqhCF;(i2~c3j&%Xzo>DfkAYgKT2<6vsrI95rPOkU>4aP@uQ`urf8ua~acNsZuY3qo_)W=SJp z7;D#M+AE#-(K@vrDz1k{KR4IX+fPQ$)p(M|zn?QB`Xc{1+4puXbA?&4Mzb7XVMjnx z-Hp!u*QERAL0l$-D+X!%jRh|*$Mk$|b3?MOsDw*7oKD!=CnlY55Zw-m#kA)Uky}JN z#8YI~+$j8V&^VKsk>wl>0o7{#q&7;#>QJau_C0W!UoWsG2{2z4b*|%svs{eyhquva zKYGd?i%mJrH*Yv=N+Rlq;qFCJu}aJDL<`_T1%6x_6&f>(<})>&MaOttApu4>gu?j) zSH3sMDh0n#R%GKE)4T_zg=^Ko-4^3z5fcpy*7&(i=|Ebd%4*GB%l#2;D#Ff$*on_^ 
zE@yO&oa1teoyRL=dj|n#SQ!$KgiM^`run+0m&g@{5nFSwwkY9-kTz{&HdoyCboeR$ zA|S{8h)6Iz*%#lR0D>y&@@qcBQ(@IHKb+}zc}a3q9;W;3DY~KjdFkc5`g15$k!JLT$ZC$ZHc|6}3Qg1XZ2-G--Ln z-Y+R#Arb@(a1nKN=xdGB^Zg^4&wW$dm*?H%&-7ov%)76#9dBIWWpn1vHFTX959~k6 zQ9f1=7lv?~&g=17NUB+Yp{t;Isp}N9SDs2HHEa&x8_?g(El^jOG#ik*d zbp`3fHnPnGF>dj_W-6UF$-@lZK8pU+0UicxMQksQo%K0c#Kc2sGy2*jFt#?TA~QupbFZMwghN8+j+ z!hkXRRNkvT7*4ib?wyc->lXET;zuN5dP}XJ4L&e6koIBV0!IJ2LjyN1<;++V9SVLj z^09_$GCjBNUkbe&3e(oepT=Rrx98mz$7Z5J;f;qE9VQ-Z@dIX?c>4m!QT!sW7H`M9&#|)iIF_ zXO?r8HR)$VUMsn33?lcBi-iFKu>|!6Qm{nh;$~ykyT#?VXjdM-@sLjZS^Z}&cq{D& zU+*a7#V7c(uXdpk-<+9kP4gIS_V%4cyYp*JeUEMbf6%(g`M#eh&1ags-Q2rRK5%Tx` z_1sPf5SaYkhFGGUzM$ts6tgIn>`Z&71{>dm&+bgl$&xj&XPTTwE$Kfwq=~94(yS{jio7ss@F}Gs7stWGHy}Tgp=j*eRT!W zjPKdrKop{j?F@|pLc$~#Df7&7qw_duzoVs^&DTF8mG5ys7#lZgTWK=K2yWHnAfPM? z0WS4wSI`kVt<5{&;fF!lx+)OLD6CYci+hH{yL?EMk zMCZ1cUm9lZ&8*G}Gn~`6gssKI_w(9B9yPsK-X#8I%C4FKg;y5*`If_iG&Mk)l)m9Q$#GDkN)m;#NvoH@m z-SRSzTUAs=?~HgDlwFAu4x!JjP%Jh<%-}71q^n74TcM351Pqy`&MDvlFYjIouefv` zqf06qQX=03YH7|a#s-HR50`t$)rJk6e#A>PY|bTz#kG(_6;3heIRd0Do6b0Fb?b+O z^n+&9@hPa5zGYbf&@oCJ_Y+Y(Up!a787HE=$HN`lp{5b|U;eeXT+^nGy7@Jvu^=p; zb|F)Wh?J)%V}c**l>(g^oHr~VGgZQ53#ql zBfe3DmLzAqR?h^H{m+-TugJve*U9$79qH0-QT0l*N`?DqdY#I0!V~;0!DZ3v$p0PS zs#ivxQgkZdBKrM&0D%`ra+E@J64b6>WJ$OenliiOqYe8#r*qZ5t2l+!17R(bFw4aX z6s|Mo8waOBSwlmNo=X!l$gn>r31J+raoME?syYF)D3SBUc&|xGrtMvl97-O}45&{A#c8&OmENS}h#RX=^uW zrT`jk)GDacYvkCpwiTps0DvQTT<@eDWVBI$hm>e_VopWDT^AaFqNt=z_z~IcYrNzZ z*(h#aF-cigF38mHQ(qSu{lp`ZKm$LoKsL@`=V6LbgE>bSqFkH)$UJT@4~asEB+^SL zVwO6~y&EGo#g_4u zMlbWRF=>bU-x#4ixl*@8os)Td%}4=03(U z9C>!k+Lb(PHbCrIItcCe^9CufM!T{S-OY?ptK^Ovl*_^i)&h?sSE{t5GZkUZMoQ?o zk|n2;)R~RnM*j=xNG|4Aq3g)nDJcE<78EqJu`b^}VH;>`Gx+!-MyRJ7v|fTSV6m)P z;z^i%N1eNK$_o?8i3J-=gw6k8!b91!w{4I3W=+`px3W3XDDexE$fFiVPSDK3<3=~- z%I(ER@YA@@;xq&g-nH~oW`5Zp8A7AySfZSI`kL0oc{Rr1Lud}h9z=K)M9+!4LBIHFQd$ypKYoiV31aGw!)6(D+JDR`o(XP1TiDKKdS^-&2mgDG z*miG3{1D+;W~jv2>2a$()=?X`h8sy*_MTm<-qCLXBHo@LG@W#m7Z71e;GH|jH2zZ` 
zspnmId*v|U=Ka6!CeFomVOf!H_9p6ZOixu!Z0wTOns%jyRc&cYMda1AscPjl8jg-u zouGG=rFwv1V~~#h?U(|c%d2H!$d{xZ{N+aSzGvWH4pmHIMt_1FXE(Qb&JXlM)t}#T zbT=bCCEt$wpcwx##Q5a)Wt10K8oHf6!(N!8slT%(t!qc<+i{MZ$TYXb6WK0}PYGig zrM6TrdE$akz;jNLen^OXu9jNZcRWFNjgXx|!I`VNPSv>?&A(3h+oi|*pKk*{5B%)> z+E`PdcX?mhRF`Y(mZ%K>FsV?2rDWz!QQqO1-8PRchxNXKuXHdpD7Jm)@)}F z-Y6{7!+D0403Sjvq6Kq~hKq!G;^kS%1y;+EA5*S#a8RQR<_EtjvaC5C(nGw!gTGiPfYw|BTqJGA?~x+U zk11m;iQIR9$nOQEQ^?-gmm zgGXj^oRCJzgqp*7&V&M9446(ot(*CI4EV9&T5Ga>SquYCmj3?Pl$<}#=g@bxGrg8q zfLAlFHX;oP>MAOLDdkwodsJio;B?)WaoiSn>;3Wm5q(X^KmwCCd~Rw=7zZki|-L{cn=~8u?zkH^H35Ei1Jf0U5}| zvYboRdhXHK7J*()aF;y<@-Xq6pYJ#zJnfnzK5~tS?=bZ~!32kq0OUL&1Sui>!3%Ys zgJaWd)+|~7Od$)&4&B!iBl7rO%%?;;C7t7ZP0E@QTCT(!r5I^+p~+!`)23XR`)oSg z7Cmhr%b-0pjCa-E1-Het?@&u~foBlk9sjNU`Ph4K5xeux-2AWK^g$mE2?=o@Wh^VM zyNC>~YSkM)vF(}Db)dUL-22jIdZ^0$wvvF545IE#*MoB!$|06`(%aJdC+v3A7fBTG zA;Itnzfc1yu({dUf_97l>~hqzK;n#N>j0FzX?DZAQ`QIEWrttYh)zI~R?Cq_sj6s` zvdD~n76B8N$JccuvQm^H*Fjt zOH&%2!CzLN?XJK3{Z%UUeiO$ej3|Cy)I~Y@7K6no0K0)>`!^UDj{LkP{}75^w6!^H zE5GQXG!Q|kKh?~=N{KgURxq&kVnF7VOdAv+#qwePGdcGNcYI=^qSmTde|INtPE)^t zLv4Gh=!xWU^e5#H!@llr#qwPgv9NFEl?e|M7H5Q}#_f3{mWRG~L*j6QE$y~mIcTvJ z%~gcm(TFfDn*ba5-#W@a^d9_4H2G~7V?ewj4Iqeeo!4%nQd-U+qN zam#CM3$<66d43l()&!>VQ718U&%l8>GTu>x8UE>~VK{sUFEt->{RGejNnyxKKzXj0 zE0x&c#jlA%$H#b~gBzQ-r?DASH+JMUOABk)nPVAP*)%mq&+_3`(THl0%POTm)s-n~ zwyl-AhElLbM3>$4K*tk0^xHs{Aq; zeGIy$C1glU1euUf&f5a+vPD&e-4#ZkGCin{9!O1+`)8CYa$P?fJLzWcW&l#cCKgY4 z%2vTcaf}8aR5`SrIiWz0|05zrjnxcSDf>ks<;)`5m9hvl^wczADz{r8RlI?>O%L7p zIVpc7t}BZ`5QUcvm!d$pKiTn>TM-Rd`&0~q6&^;bUhw(7BbB?R?SGVjqQ#J6FSdsb zTwJo1JIm$!7$4lCe12RN)9`)Ph}2NR`Sry;ISlhcDatL#F0@q^xSkMyL%J9wEl>-O zcc1S5krmYWQf{L)bT53B+)8e5x@6|fYy^2(M-0CfMkS=Dj z%cC-;4_?jtxNF1BM4=m1s#DSf>h_#$K;GA~#UC6lGGF(tdKc7&iX7}IfpO(VSNG{h zdMTh;Z1AIOcg9g%p>ye+ZM8S4V4AaLZf8N zrFiAX)S=@a6kHy(iebL>#Th5n(78-w;O0lHhaovEkw%OhVXkp?Vq3}!JKZWp@6%XV zSQIq5`OliltG&IkPipk${%zVi>|6AqdgL6ruo)>%W1HvwE_G8>G`VdgsMg`=hmSEW z^B%*-S-I%|&-Sy;4GC(?qVR%3$-CBZdM)Ru*Z$#cof|tebzbS#pS({yPFt57u*7Aq 
z`J}MAB`-Zp;L6A&rW0X)Qu=EBu}%X%p>19vJ80j(t~32a19l6eU%fK9y~_FiLC<7(J1*_rFc&E)E&JsDp~Z##I20BaaO?Hd4w^+yWI`Fr?;8GE6rZ(1k}Qiw4R0?4=QpS>SV^c8e& zp<-l-smMhBWKNhxO$twL1wJNW?CR=nw+1nR0{7~l)JG;_u^0rTl&^kkn+WUI0(>~7 z9*%M0aOaZf(@ls!aDS&)zw3a_r5R7!@$m(ytB|3fpcww<+q*aG+jq1i?S0{1HNKM8 z6GS;wZMpxO;^1;fY2B3}rKpJVV@enP5whtx28qc_C!a%2Wqa(WIIpM&^~R#sc%c<1 zeDiX|yYW@F=BUuRx9S)wltpJ3$gIa^gj=x~;}p(mBYf26XnG8xTpx*~kC;gR8_Q&N z@Goqb<6kpJd&-n0vcmi9PVH(d(%DH&W{mCeitCcn!@6>|--~3pj$gj6K5mt5#G-ka zdDOr6)bL!L44l7F!|UW_1b_59Ry*eMDSqSbUg3A5j!P7Mkx_5;sgF9j^0c+y2$8f; z*@GEnI)#z2qF$QdGX~Z;n{+ihvlP06H%9;IRH9p+G`U=Khb?)is4i-2%1BH!oEymI zD7O*P+jr}`T|t7Zi~NFv*~xuNGnxC<38LltE=Ipcx*?q?Zf&sFxwZ=zlAn~h-w1%g8u37%X9%EbwG@yy1f?in|6 z&>(%(hhn!qm{RtEjDAQ8GR}*$*(vRiSRFE;hf~O1Vo%tmnp*O;!%1M=+lAvb-+W-o zBY7_D_&ZW%ejRVry5S!pepmRQiMH|+?1C<)$ca}(CmH;vzca;V^>Mf9+UEEig&eMv z4jQTq$>Cm(IcKV&edXnMxrR?=T;gb! zd1XX5()kXmx^N#y>g^u}qX1V&Ywrk3A!&gCsqj3`j~@*!el% zyUyKB+Modm;Z27=XJlS@q#ebUSY7`3o?(p+9G(dqu>h{fpzjKc*DIowQi<=sxtydH zF6owe(N3P^(g7;H9cfIE`0) znF>yU$6+@1)(5%cMcbi)J|o5<`ha=;80R{lV*WMp%%6=w+r8^+;x!XEgEn?#XD5U$ zwh2iDHx-aDq~L?WGg(?D#>hB7%yu|Yo%G(#_4m@6l(<=&WlJfF=lZ%i2Cx&|i6A(M zV@|$|L$KJWX7ekFPn%&^jchRrO6V)_!3+I$#?ZJtE|x7pEpnb31_5U9-nliZasA{X zQ7ty{yNF#_au{=WU6XhNS8DT_nz}fiP2t6Cg5Zni3-DM~g4Uk;*7m$u-@#sGp(F02 zKcY6N+$?SMoKxth26VNns^{T-iXzmIXrVsq$jQl2qexfzT7H#$bChvay}ZRaGB3g9 z_(Q^)L%#X}^)&6ZyE=AT@LkhFwaCos*670mlq>6kqU1U~ zUnn1h16SCPpKUM?BNFm-zkJd8D=8wV(mqsx3#7S^Y_=q^M)PJu+L#}bxWX(nt77gA zL*^Ysu-8;yp^WfM=!*&eBnBrD)sckQP+c{=q7Doh1cgXeP|r!7zE6~}h(Q|U|Grwu z`!<2M^AmPmv@=L3Iz@6#f5p&8B4asLIi6%FwS=5C;$^GBpMHR%NuqueEUy-M_u2k5 zvi=hO#1jjJ+$3@cADg>eiW!toN^0;Txi@bx}e)!7ZVUp8OsTi zK>2UUf(5#f@2?NRVG$F^lC!E5&naY-7O&LO%9oasMN}3-(7+l}Pem1wQAVbY*frv3 z!Q(I@>A`?0!9`&~Q@&>8?RW(j*%mY4oA1);qfWojP`3NZa12t0DElGRWv@2j=m$Ih8tR7!WHez6OH_$8c_-Mnhy2!HmOY@n?V!*0;6-5{ zf|IipZV;-VN+84kvsfs@uGpHK7KMx&q3B&r6p)Z?T#U&4gIEaa87?w z?|@~Zk4_@A;`PaAUX4~rg5o{Yn*xo50(6bI9BJ@``-=5}IK7Sew+lWr@FQS{T4e06 
zI5KIcOG^FWhc1A^wO?32onl;S9L+(LfDqc?;mYop2y|MGkh?0hAlu)*;F>~PgWUn! z{&-@5WAL9&OT;8T6dP>#IQ)LiHw35Y$)18|asN$CSZ~G7{8*ymvqIO6nKC8iqhOVt||F zqni5BtVu#=%O%L^FPMak+TA+O+6o=e=>tUc`5|B(T*Qa;DbJFL&vO8?qa3x`ShDR59hoBi-A#1Z{Kqu+FkY+~yv zYh6aW-xXdueS*pci;~|$WD0{9)fMvP2DCbu_{fNTX=FbkU;~Lc5tcqN@kI%W@7rXE z<(Y`21yG5F(vx8VZZx2ylh_L7NVe$|Qy+ae8e~@}A4(oO@q<^e(TH(`zIa5nMq<6< zg_t+Ee&a^*Q$Qtl3XVsU+>nFL>JiC`=-lX~TN@J$#{Y!G`%kPNv*q%Dvg~sZ4uu%709HxHx9Ems zf{~FMrVYIUI9g#Jaxh4KUSQDe9?WD?+@ih42vM2aVFU^-7$oHz5gU8L&Jw54T0hII zoHLxgo|Y9>(*bfT;Wg)`Dl=bweg@=6E<$%M44fFkpY#9ZR;n)_W z9%vv!ejSjsyH*&vK0|*ckrf2HkE)kTDAm)_QiBeRMoyUV*;ODykM$zIXN}+~?%oeB z%3*j2`AJQye#AmGhY1z+T~RJ#^#8HMh-DSueHKA7LF2`9d9`$?IOiEW*8?_o9DpD%ZAEB$o8 zE28!ZMyfR%`1lW*LQrwe?=65b&8Y|_D9??9K>8SN`GMuj=Jk8QB?+h=`2*u4)WcTt}zz~ z;VGM9eo0MLHPgCv!Ml^(9g4oTSM};bd$_y%H;ej+P&r)h zlI-+02{E0X+3w`JZyGD?11e?d$IyH8^N^6A-Uf8p3Z zkDTg7eyEVhS_$oU&u`B=zd94FXp~mtXf0*6fA~eVp$DE{=$^7Y%{d*1O}Z^|+Z~tN zoPG&NkUUh_<`bOHfxP1y^fre~DP8NPI%Z=jmaF96l8Mo1^cpp6P>2>tP2I#InOoig zMu!^A!yQ>Sp+%coxFB-lsGJI6+CzzkjECi#mi-acCP#givUQ4EBAq+39D}#5>>1xM z#_pCb5L07X+Be2$^G0Tu=L<4ks)w8b=v~(|y&=2_@mXSbrT*gPo7IU3Wa!Nwv|CBx z8`d_C_z9xibo>>Y9=f8Q+E>sR#2;Et9UkozTnSM|W$@8i4^4Wc#A*?h1s>~ENj%OB zQ-38TBD~oqn0F?oNu3!8TF4408i>K(^*&(E8)DU{aqAjhHMx=RsZ4vGsJ!@-S^plN zh0)-Og|&Ui7LQg7wagJANGMy6(Tl5jbQhLgE^xIpKb1zMWV!o9V+Z~hNFvVl@xlhn zzb*f(ssGJBw5aM$Rj2mAyFq`DBE!}E7R0!Hk5KSd^1$P3h^*g#f=qd#w6L%IxChyN zZDP#Mf679|_w9baZH;qEh#s+Mu|VBnDXz^hQ>t*R`}$=Q`(0*RrKW|e4CcAUfc^ow zc<9y7Y5Ti-Wumj!Gk2a68%!#_*yVitrYJ3EfFXU@ z-QYVl4b+`S;KQwI&FODBrCFC{qThWUS?w3tyw1AhX}Jt0B>0SNb!{FnIa|@w|^{B=23lH zDLLtDtG)qNPkRG!vt|oc2&a*nkw5NUWvrVg(Qe|Ig_G9j<^KphfBnW*f1PXuruoj1 z<%#2&-mCMxaiO+(w?x;8Qc~-Cz#(Ll_mf!fxt|aiMk00)9Nf1OWx(&$uCk>-J1oNg z+Wo|v+C?HFF`Cg}Wc(XrLcu*2HtT6jXHdiIkE>7SH=m9$CET+vc^_j+GcEtp`RrK6 zizw6HiHac7DV#&w{BKr% zC|BNSS5S?ip&Hb(?tL4&E1K4<7(!I>y(hdYChF*5`M|JyVCT+_m_oyPXF6kl|J6*1 zXsB+LYKZRe=$)vw8&v%K(~}Leneb*aR`B5zEp1Xt9Ern9Gv@B=#;Dbjn?ID*ZpTL@ome9WhPT=yQVP4{llZ`&ek#i|2+ZA_ 
zg>k;&R_9#kkSA^#|M15yl7Hklf6?4Vy^LpY@LIn>o{T}x-79{b?-UP~9t@RyBaP-T zXO}JTEcZ{ybYwo_9b<*p!F2mQoyEPQ;tF``>+9DTzBAIXv|qv1V$nWWzy33&T!&2w-zqFLHmFP<|Ob-s=%XUvw zb{dXf zmf^bGGk@&TDYGY!nKcIV9$j!NotDhn%{Mj^Y0Lz2wW_m`WGuZcDt;^&7B`(Mf8dS$ zvSrl-3zL5F6DIoeI9) zDI&{kPkrve??W5odz;VBVCP8Mr?cCL_q95a6w!zg!EIes9#=XRyd z`ufFFU7tuV=&Pv_g)TFHa;~oz!L&KD{+ut#!h;29!>bF?$>>9Ch?>Cowq4&K}PsPmHs zMJWL1Gdvcj0JpC~x45)kKJs84*%X$o4Ky%wVjOzRdu%ZY;5yxYAo*N(Hv zTO8wiA+Bty!gIsj{bvVztof{>rxE#K#*mM!;`0bE*@aXJU{l^c;1 ztBIZT-gRK!zz|jcF}ml*4Zi2OpMzc;Z`YftYow$II1thnpN6{1KDF;ZtN0P$lL*lT ziIk1;V`mnd5xOmXG>qbRZ#;~IMGl3^bNB@b=zX+AhS^W{3Sp2y6N;F8&L8q{`uZA&oM-B(tJMax1K(`!_O58sU#fCo zggq-TBPBV;rpv2$`nyE!?y!)M$gs%%$roT^Nl97jRrYBX*cn#QR15_9Q@FFi7LmI_yEo1s7&@walnBfYdI0mRELOs6~wyI$6}hdhZ>b-=_Tm zD}qNyHB01SnW+le)m?35{>yBUY6`!j6p-JSizI~k4smV|Z^ssmLJ=Z)Uo26_)oaXO zmt=GY=hV%)ELNU_sUPNxQJrzvss|{zX5DWzU`pwUG!ZcHmWJxMHlG&Elt}3FIVcG> zsNIe>qb>d2s9D;%*MwMTezC!Dj1j&Vj4M%$<=GHv=g-s)aLkf`=yr-LEcx7A3rv(v;MBH*lF*ULg{#HwWt|9y0!b7ai#^-kPFLP zE}xT1?0^R@wG*xTib~OYfMFX|)iGOszSQUtPSY%`OR@h!@!%*M4mx7MX;7N&Q1NTu zqiG%#yM1xkn#H6QzV;YX0nO4jC1ke>ITHNUOR3LWU!5Dbn1^g?m5+1FZgFHM?zTp~ z-kW<4{3`fzp)-2)q-VHBlK&+KMZ2KY`qgMgi7_7L@*W+1d)GG7(ky9HooAY3z75Xv z3B{@6-tcEJ%!Rx6pE<1$eaiaj?R7#TrS*r^)W1iMbMFGu;hga;*|kZQoRVf>0XN2Z z+HD3*mE@>^spu4P%p0a2fz9%bkkcynI~~$-Rx_JMsg}GjMiGtsE8OFm?RHzqperOn zGFPuRdUam0Cg@Ye*198u*5icm^{N#0Tw?HY?c<|gsZvnd>ij53S;m7#10JQMlCAgs zjz5+kfvA&onk69lnF6_K7LVkJgEc2FH&5Nf)Tlce> zTbQyR4l5QJHGNEd1knvx3Cb1s-Y8l5tgea-3+SCQrN?AvPPfD;mi3#Gsp;W*=>$Ds zO<$1;Kqj8=Weo8&C?`Y#^?KoQpQ59haVo?$wP4H}Oh8_w1PswuTcs>>W4}FJNxS#3 z*tps^M*o%b$nUcDnxoj#J$|c$g%BRND}F;938PQOWk0t=Ic$vPW>#k~8Q*=leJ-Y; zjuSPUZn!m=^L*uSDyaygS8hKgy|QHAw=Jd^-*u#Y{Ia^{Z5s_RS`@y}J1`TihH%RV z@(A2VG`hC`u-cUIEC{mK*N2(-B}XC{zYkog#0Y-Z`%}*&U&!%{ui{GjM;T#RYNtSA z&r~#?b|f2gTQA@OB4t#cG4_#rB&4}%BvoF_RLB}JXZ8hM8C&FJh^J*SSWR_u8J&%S3@<)r^Xl^>e@Du1ejgiL z6wU;dHy7qCv2$rq$U-m`n<3OzGZ|b41hNpi@9S+24xq;y7pbMArD}FfgrQ*F-2O+5 z>T_5Z5;x@IzjxdKk!Wq>-^vaKD}MqrHkQ!hOp_{IPsG>$V3IJEwsJdWb(>6O$;^(q 
z66aX+J$UiE71m3MJ{h?4(-k1Msrq77}c{%w8t;>n8!DAnhzt_FGZxa znlze5QQksQdmdK67)|ZPDKvblHuu`WcHyanM{rczjo4%%^q9?>MAzylL4RQ6qKDFS z#7JR=J6~fKJr?sp?`(b8XEe{${1B}3+O_Edk;I+${T}Wb*ScHk(0yu5v#Jwj%nuG- zDOtC}-p)8e^d`CFZOtC(;l;O$?O9}51?#=Yg*Jo~t?GSr7u=n=-`cKLW4CllV-^r= ze<~$|`vSkfjYB?r&nq*GEXokHv(K6YEjlHkI`BsE-_ccf)J7w}FpkWFKnJDFMRdJ_ zqp_hELf}J3;8|IyS>v+BD3hR0fPVDAFB=A@)jyZ?5&`+tS>y+OzZZDDVAg z*jnlF%=m(c*|&XHsO|+|bF4m8U3WeH_;72ZeWZKSqzw~%@me8z74wSAUTLfW`_55?k zSQMCM3U6e|eB0O#(9Nf8`tC$231^zy#YmPkFf|@%PalqK_-{}9c#Z3=tj!xRINAMn z2x_=ZvO~D`cc7eXvdA0CX^Dpf<}XNyW3CcYqFnwqiRV(HM4`+TW)`g{hZu7whd#~B z`Plm`YaHQ1cJ@xtlfjL8!aDnil%UqHmhEpzQp@CIi%~6-C9Nfvi7BE69WLi6<8swR zZDi3URmUi}{V^^b^G1QoM^AZGno$FNQC_VPGL@rb1~qV%+z(xkHY&?ac}NKwFcn&- z9u57upgJ?7#^$Vrm=-Snd}Uqhg!-0AgBtD^Vz{Qlka0%BV7BJr_pddhaGwpQb!Nz` zg@78}SqFwIvxAd}Z>5~#q*VcNGfm6-7su1EgF#ULS|;zcRplWsy~YjGK5W`-%Yzl_ z*l0)pZNi9k#Qx^u75X=g@0wGq*|}stdh7n$0$6S|Y(%injPESrX?z4H%Roi+sNio3 z=#^+(`@vLhdGY>cllX&R-L>;8hYtAZD~nldv~d@8(q{ouewT^<`Ce4F7-Y=ipJ@!7 ztPLN?!~FfvmP-!&hX?5=8=5ZhFs?(lTt!a5%O(G<_Df7T!qKhkR{c?DJ;pk1QYOFI zrE#5=b}P#~M6xKUX?^{R6R%!tRQceqFv_(f2Ht8CheFmB^OB*`;E}oCUSPrz+r?T; z%f^LWRyE1#8=ZUcHMU;BY2zJf=peMBb8=Tb{e{^A9avYc*VW$=K=SAIKXX3T@tX#{ zGtH{lF^%F@mD}L*128VJ3X$P03&ID3I=)LQgyi9dDqw_M)%VNkzBxy`BiC^eeK%sC za5a>??kP(}`RBl;ckBJbGaj+%xpI83t3*oy$%yRy`zPt!Y_Ezoer3Uj_vBS2AhKxy zb=_aRuEpyUKl%m9#Yp!)VEPS9g`C>FyHC|+#a&2;Kz*PXgLDNYk6Q9>u1V4=C8@}B zrS`UAgq?>H6l0NU8>puUrBlK-c~B@j9cI;YaLFzs4f5ZHGz5mq9Nwi! 
z{350^x^-bvvUf3oW?fMtBj zP<_MsR{;CS(5>L+H(~y+{TRL2{ig>?RFdBy)wWLdrJA}m*5tRghRtqY;3%ag{L{th zpl^<)KqjVm?-3;*lTvn>(!x$Q%C&W}ZHGY1$fMG%Z!qRY5CM3c_%Tq#P)Pbb%Q48Q zHSRZ_jwBs?{f_V2XNv9^J^93%hVXkL2(5WV27K_)GE%jQz&^2Yg8@Xb{8oAR{K~5o z2)+`ovvwts2c#q9G&YiqYu4&+eoz0VpvG7oHt@w8dbmvG3RkVJ=iGy_ANC<%0Z*F~ z>4OE-l!okzH~Y#RJ4x+8T)MadyAivF`z#V8b4#p_4cumfznXPQQ}y(wkXoJ^37+lW z6yR=43ui$-JEI}5!JwV!brI&$2cYdjcJLdNN0?rHBO@q`A8z8)m@@>n@V5?g1o-Rs z2M#G{IiN4~;b*1&a0A~+$m{KbHU%}f2O@rs`S8#YY}#<-INg|k)`ux*zsoh!09&J>73AwPZIeDuLd3VytJ^JWY}ehq?WMIr!~6*;nMLXX;U&;C zVaM6#CS&jQ()?^bnTt|yk`Ti2-|IrzxBE^0=9cZ;p!f@wH0<+9vZsDg3ZL$?qBo8_ zHsQ;dOxKXF3u}=vCfV6gJiNRwq$e%GSJG%MD%r6;)2dfFdVHSmV#H@ew=a!f59>?{ zb;DmP#a3xLq~L3u7oBlx5Mi3!#3#YJ6IyoUUa!-F(#zE;biD01Hh)0yM``(=e)x!0 zDL9=DIAGj|W=%!Qp5RfAeHdjMsbpb!d|T2g{zql>cv7xI>x$#VZr{T)3$Ej9<}khP zqVG^<&56Rb`yVNe#B2`5OU)V;Zme}BetA%^dr`$?HT!TQF_kHQX#tQvZ*aggP-QVp z`_Q+|w{h%qT7GGGRS<+zK>Bs=$6NZdq*nwTF;n07E9}C~4y!#!TtAP!`Z=j(#~Ij4 za>yVcua*7yENF)WyX}+Oz`8e1fLk!1U63u-0#|jeFsE~HaIim{*57w1ZXL(f3$Bbe zGxqBm8>4aQ_&giy=hLUb{srKkneolDk&(|o@XNcuKmP!ygO?yvlNyex{2t~^Q^@M9 z?;D;+bDQD2(aH^-&lDYObdT7G?Q#uz=D z`@~&KoTdS^OX0)8Bd%RZ!J3fpLxK;@bM-pOkK2DQjq7eaPyWRZT)qB>j0m3p0ou-> zWKVIiL-(wlsX3+AzVXLdZW8#a=-!EtpsD}kc4fH(TLmTV@z9K48ow)}GrZoa`*eI% zAKL4P7hLXoEM5VRk2~h2oS_nx_)j(t|hXWU0jb)}D+KgVJ?Z$bqQl)sghADdV$ z7&zwEQA$vy@cB(Wvr(u$|3t`o=qXMj4nMw_S>~niJ-yKHaYKT?TZF&hR{4%qYsu87 z+k+zJkYUX1UL{0Qk74g<{W5RfYa^{zp+$VoUle|L7z^EQ~QXqc&(?#j+r0hcufBLgHEb2p+H=w`7Y{e zoKTA^mC!ay`Nl3t(0ldwpILG-#x%j2!I1AQD0lAHI@dJN`#vwH#2P)}j>+G1sHgo) ze70xKs&oZ1&W{V-g~jNuEczBCq)4^GgaW>{$gFHfPVm)E`UG`t)%|f_&Xk$=A`M9< z{yIJHNlsrr+`XUIWSS=>jBilcz2g1WlW5)}Z4=+DADf_Ay)O*UD7F*3c6IwUiBfk$ zr6v6>rbR!!R(=J1jCmwl)ULEZQ)v?==d-16`G+@#ox>l`)bVJl1e}I?&OdX?71U!q zQHU@;HqH5P@JeBOsxa^KkB{C@Id#)ST*qRH?DH`;H}EKOv)Oxf<|+<1FfHCisx$jB zo#4q5>i{WnN!6}&8JZwTBRu2-xeEhRC8#G9H`$CkyMl)}R5K2jok%9eBh{|-N)|H7 zZ0UNqg?UUMzkCzyP{J7;G+z$`%M^_)aERZzTLwhp25=I%U2)WJ%+cVFU&WEpQzi1n zU5Tl_hP!+e2nlXo5b`7Evq62C-jT|txmGJ|uJvU_ogKQ4q_TF)2*i0*dC=A1nYK44!qpFg 
z@XztI%v=FUYWa~9V%1P_JP@R3eAn9_-&dn~_sC)MC$r1V3IoecYdfgM=|hOw@g$$! z1nvk|iOs6HOCnnR&+yyamz&5WVT`%(9(!f<;ngJJ7_C#f;8vF13iK&if z^|Yx2d9_S+Tcps-LqnWYjbR_t=_{S%LdTW!Ah;G1xjt5$n>xz55pENZkXk1f%@m}d zXN)jts!}+R%h$rB;j=7qKf=2gZq@Vw#BNB?Imym8(~H|?=IB65%p>B?a#Yk1I7y;X zcg&k<-e%nl@xud~#C{=bB)Qr$r%>>TmHNzz^K+Bw8J_Z&*(#W3uMl`*Nomq8h7yeq zR`@tHB5YDzsMJ7SondU)0IF!;Klo#2F4U7pc5_3SSjV`FT%D~M1Q1H|ZY<=}na8od z7jf@vdpq%>XH-)P6W;ebNSlxi;Dr!|?>$NMHAqDo17?S&w(~GY1)>LPRDMcu!GLa5$Ry9v8{e;M{ZqI>P;oYqqoD0pmqUN+dt<&i2B9r6Gk1=C-OF`CQQuEsq*#R( zu4?hcBFb{Ii&#sRBEfh z>C$D`88L{-z$1dYB!zg) z^*8iC4_Rr_XcyL@eLlr-WCTAv{4GYuf}AKf>H&=I9#uglKd*5{*N`7_m1Arm(?5_y zbmkKi;ALD=(&W5f3=mnOpR|rb-gXDQfzfjSA6cM^pC5j;-rg9DLm$H+_M+@>e?mQ^}1asmNf%B`O|N zEmSPb*d!)c!=|MLufRMP^|7%T;iJQOyzh@^V+*<4R*c;Y-`WK4TVpAUotQU1(FB}B z0?~daGcNJgSQSM1FgOE@g*4ZAGT5xR&BGuVAH$y$V#SUEmg$@O9}Zp$NMs$=QXIz8 zk5v(F_liHW3wRGOdW-mS8I&dHg%q5cxrW~~VY-=2k40we*9;%E$c)VYl)e}v451ag z9f}pGNY3g1$pMbnv}$UdCICEgt~TN8db2Vk@?=K$7ZXrpY@f3NFY?cQZvKO8x% zKdhAF)UN$BZi$|zyuqN<<}ea4*C$*?ydl2fL}BHxb}8FP_JoDsxP9t{77}+ zqzY9s_W46RvBx(~0l~ukDlxMxmjmy4(Xg3)$D334B?5n_-QF)_kj9agm`cQF+q|Vh zp|J7}_!+UA@{P{CEJgAGpn5J4M!~8_oRDY6^S4jT?E<6~bAVEfzYNb^&S_h&~ zc;qp^!WNC}h>LO6OADqO6G^*=@P=q2wqB_0LKbR%KKCv?%1rvWJ^D^del!r8_{O2+96Yp89ZhpK%I53^d(D}RRv!;U_U>s0Rn#U%}qXB#j(B8iUT#?`82faA1 zBst0XtPmC!x*wF~%2AWH})Sy-gkMqvrBn+fSsF?F%>&SSe^Ar-Ls!e2HE34@y)3Z#(!x2+GD0; zY-Y$LS^(nmxO1qjYcdA}%>-3UZPMj*fD!vLj=E7L)*sbkpwF5lf1oeysU9|LrOiOj zA$9kq>NIYXqznHu+4Vep!KQGiOT?+d-~?xa<|Iag1GIUl4oOO5E)BLKUNwcPHhVRaC4>M4neoN zvZTgw?Je}kP)t2WedJskIGVF5dThNm(}YAHps~kAgTl${;(Dp1T}X3* z;lxOdm1%_@{JbJ8BBPKJ(qdpHcv1&k=@nb ziY-=bnxrzJYE{kEUK30!&9?w-Xse1(4gE~*7XnK8J+AlmVrqBWVE+Vy-`-a(R<*+?>i(VU%K`vhqqX5+DU+%*--x|5xn4^Sw z9yRI7J9-V(|L}RlDpYUA-Y4-V5cX6_brTZJIHBSV&N|!}A40{qC#Ji<85TbpImke_ zlwjN$4RbHSAo7?Jo3u-e7fTOM-@shHlwMuZ^mZD0T{pMXc2lL2WUZ{X0}dzhp^o<0 zw5qKl{-aXuE+oYHR_c1%Wi?GaWRLI9Z!z{Oi&PG#TPw_)J(RJu$RFSZZVZqKX-v|1 zQVHC_POy#xu;_q^f;H{_Ok@S}7fP%J-#U|lH45Q2d2lmU3&15n)}Jw!jTlNk%wI;b 
zFxg-|$*hNb>d1b&2=-dqzUz1o^)0Fao}t(#elg?+H`#Q(=(p?yY_R7eh|ch5_TkOg zi(i|Elz{sd$QQv1sV>LUjcF zUQy&p$ujfqxrFTIBXwqAU)A+gJCxJguH9nBV?}n^B&=A~g;>_ZRO73+DzVO{kDF|= zD=}u518ocTkPt)NM8X@41x%)0ZrzNk*bg88?X;EZdTJBZp{7oD^+&n<-z!m==R}{u zPIvsQCy}h$MO&ftq4`U$;O8azPh`g5Wp@bq>~y7K@X*o}S99pTvZh$U&yje#ffR=b zRb{caq}oP|1+JBDqIplc?p+~Ja#6){iZte{G{j&iIxN`8vq-*tNzF+Zxf%7ri;W^{ zdyYFT4)%yTaOaWwYyAS?v*CNN)!2*=RyQJ4Z_J1Y^|&lJ%M5P?2x^6zBW+&BdX2bj zOo_B^G1S_O9fq0@*^C!XK=&Tii|$#(uR8_+aoC4lI8{ z3+8KJ6+WrALLE#E4`GyxkCe1~_K*X>r_+QO>**2)z#VkM^jVL#0f@Wh0tuaxuz6du zyo~&lAz|RZ{BSJ*lyICDN6WHXlGh7habj0d0P^%2U2Sy1GBiGCmu*JLJ^Tvvj=3>LXEgcIWD% z^|#q^Q0@ljtY|Q^CpTyBMBQ`OE}gPS@JdKc_ZA)<0GV7Fn(jCLZunNWYT?nSwtr7s zX=9j%nnbt|HGbzbmd<2nTRzAN3V;Gus15kE-nLBJ4 z#(KjqAUemc0zXRZ3nlDW-%yf}08RC5pZU*EgWn=)M<9yUFP>HP>2*k$jn`bX8uUA) zVE9oD^eE=?+Rd!@UEAyFRChop;S)KcJov1AM!>ylaBJ}I8KNQ(A!9}H0LQCt{2WiD zqN-_2_aFP(mxsNyAM=rnj`&`AlL-0d1oggTIzyh_y za#=-fGjqQtV@5-AKY_=jTg`JfB)>qdWvITo8+Eyl0QNzf!wO}tudeD(sy$P_$XKXO zv4lN&{6^r&ubb8J^K?sj^!|cgD0Bix7n6vTCBnGpR3Y74OVVgvEt$QO~v6miESL`JAMJ6F&iHM`x!kd*{POa`y zb@7@&Z@V=#XDJxxm@>C?ArV{~>2?$DK&l=}SrWIXze`wr+0`kKVGcfl9+|;& zGI={}41rZFGA>l9O_39{4CiH3L9Qz%A?N7j<2Xm%I8K9vW@m7e%?ipjqrJJh%c!_Y zil~nBY#2y+QcLcZ^j8s2^>f(}879&_?4ud>uyAAF4=MrFtLeAbuFM(DvUxCVXU7Kx z-6XjTej@vajqIvh=)dZ2?y`hX{fjY-AR#qj`G2DuS!GG+uHX5)Hs&5FS?#~8ajxI_ z5$4G!%fFE4SDnusoR9=gxTksM6kM2;$z2M1RyqyFo=62}xWv`4`Zl7SFQhJ$lL)%ITNZ_!6;a$xymTLih8Ot!bw$rS-H6I?&CpF-q{kd z|7YHIxT@0oyw>v59JuQ+wD^NLQ$|Qa3^cARaT|lrg!VB@ zyqxckAUTmDRs#L?v~FeO-8`TN2KGD(ofA1z`b$`VstixH(7wafPy39aFQNHX$kgtxq@l~Woa3}C=VkGTXYt4Z`Pwc)MZnp8 zsxqF&iEE+KG+!G6-Mt6Fh9Z40XL33L+vt|Xa&s1-8Mn7RueU3AVi9W}>XXB`KKak1mHM-F{|(kZY?M}GD;D;6WqIi_NGiIC0~ zRWd10KdxMlb46-4xX1<j!}4Z#3RS(9ze zinkoJ5;8>CAfCS%!5lAfBk4g@6d5AeC_#0ALkxgHM?Y87>{3*gVzlsGR-lJ0bJAy-kd?tmE^HC2W& zHD)MlhiHD)xaFb(s1fw)fays-#`0LG;o`#$qo_GutbQ8+WN+}ranjOvGV?o0ih~xv zWi5FhgLaVu`X}kogNES8pb1y+W~|!;V16lY)QOwkIh%1~($ zv4^G&D#Pi_tr!PbKRRlkG4IC)#1Mqz^Q!h~(cIkABL=z~tQngVD`0k6l5=4q&GagS 
zgeN_!pOh$+(1m~BZ!;m>4j2HCFJ&cl8hx_tZt?5>dYvZ=G1@=XTs4V5P z%OrJ{S12?vj)RbdO2{L|boN|O;8TqBv&jpFNok3Rh1Xs|zmlYo3IIBdE99c2mM|On z9Z4HZWsrx1sn%-X{{B=N6TNRN#KZ zJx1B&`epIzr|D-;J1u{@%;vypY_O_T7ld(_V{bYK4M+%0{53Bm9#f}*AiMF96|oKO zvUIPVJgwwnm*sX@o)ja-y>r07Z0bZB=Mpu`hx~Cd02oJmQmg7!yfJi%vZi|PV-`ZzYPxKMVo1IJYASm; z@TYlQ|GVcWk`dy#{5K7*uZu<|FP-xyhhYR$V~KV}f%LU}}S zHx>SV02cw_ z0%qdoxG;d_u8eW8J0k-yx<+RZ9yZbqKoi-FOh>AtQ7&f*WNECrwn;h-z&5RVbT|7w zvdky*E3R?NdHkqOLN2sLzRI_DWCl4r1(-S(xxUFyln%~Si1TbjZ~i`X$~!7UxK;cb z!{kVc)sppBD4c58F>9z#K-)L@#AQq&15EAw4LE*@=Gs5hIdWCVx=E%I&$RoSp-LE= zI)b8VW5;ie07;Ic2jgNZy<2o(l!PPfm!Ec%Clfu^?>Qj@Jf4I5ihI(59@JhrNylN4 z5KOZO)_t>P!aXxEcq+yn#%TVha#DEQ6=hXzNLiU|b&oqe9ThrlTd449Uvykd#?j_D zYQiFld}ViXbJnWsj%YT?&IYl<`X9Lq&$aFpj{!jYbefT%V83x-IilmVT&TWyu`EF)H|Lpvy zNltHt>c~%CM<}vv1XEM z<`g97%|saXR}L-8e&wnB`hI0cn`H4g3&-SXd$2_QZ8c@3Dwpg}mD(xwp&vyphGCE_ zW)Em`n`&-JM^^V@`pIZ!ygw}RyKj}8aV#WCf7$*vg*C`)kEij|P%r&h~1Ppryn zo^uPjS~6?TAvRss?}m<^?l(i%Bnu4X)wSolE{jqq9l(7~}gVwl_(BSpCl?b`PZwKS9tipAQzS zc4+HGg*2t*qs)>4*muFveXAd}({9vd_FD*R#QPh*wIap=6*rN0mwhm4jkV_E>pn`kK>W&C!3PaNsN$s<@*ty|K|*bs#!gfMC%B3Q7r7y6i;L7^4}Hp-xc-0mO%a2_5SO6#BliE4dlNY$bUDGzv1tH9#s6-FaGNn{|~=N zNs+k~D-AuHSW3Cs{^F)5`n8-~nqN&+W8QZYktR!I9 zPrTR8c5vP%^7H4Lzh{~P9)7fVu$-Q;S?<%|vyDFX|9A@Y?4UI$`XPT?isoe8g!t#b zFW!|`A=U)@8^j3`uYE!QWNYf7ubE=dI3FSSnV_KH?5_(^G|U_~Sv03#iGJV#3VkF^gJZ{@Q+WHxtYio zHy@BawfpxtzW*HO--FEmpFc=S*46H&>G_T zge98$wKE;(9mt1|R+a)$DRxAmqV2-WmZ^v7fn}Z&BIoU+CcB=V&@q#s3sadCE*H_! zDaLdi(@Ql^&9Nz87?02LGuM?!bG}nB`-{o0K+7$pr!%a_4DBkx&SWL+88$7l5x6J? 
zGuj_Usi3hNE9@)K4!_gLjqTs`0R()HwR!T2u-JCFk>?PUEO`012kS(oN6&Avi7#D9*db`j%4Z}^q<3y5X;>`N@C*IiuZoShG& zy!O@68)%&CFjzCVXuZR1;C%=EdbI)5z!JgNNDrhxMsTT>C-|NNp$E(R^_L%$b+b*S zr1oJH2V-=jx|=-#;1-|txp8To2$8Ho1mRNIJ2iQ@X?(gcS=C@v33j0)GOP0{UzK(c zEHa5*NgdbAHuAn$ne8tLTIaKx9oHPzO(BnX8=V1|v-U@`1z zvKbHd4ee~Lfx+zVw@3h2nO)TAoA;KQSZ_2wYCk9i58ZD$%hQsA?!-0`%zTnF&%eQ& zeeo|%12)n)4N4NW>iW==-n>}9qH?<}{{ghTH*LUrkSPImtXnX|UcW!i*SL3av zIwj2Ua*X0Wdb@V-nRCaRzIiah*CQmEQIiXSn==IW`v|B1D+&ko_)=RB{qre(+N8dU zK4hOe>=^#~d{Wg2-&RQmL>`&U;q@td`(H`5i z_von)%j%=2{-ZwyKd)p@&f73+uD|mgeNysW-D1a5y3JQ7o#SrJTdGCw*KL~CE~U@y z{o|i^-=~5F&r^W{=U=P>SN`p{&7bZFOhJ43bmqK26+GAZPtMyeI9KL+d@kn1G3B1z=Oe%Q^PQ)dJln}Vf%~0&S>Am+uV+sI z=Y7n1oM&JPUj5HAHU+LZc?w>8?=Mb)>+ZLCApg16uFIbMu6Hxn|J&6R{L2Huab7-o z0=N0ge{3GicM4wr&`ERN4G*7~yw?@H{*lv~^KN)FFa>Q2+?X>3Z+h$(r@+nbC%^6d z(&V?Dz~nmKz})ai*5tiB_hjED&;0zkeCVfdkL&)E@7pl%^ra+#_d;7p`uCXuVS7%LutL%M0pN~gp^847zp8RhA^ON|GSb;Eh~`LAT(yEDC~` z*)}eIyt<}OAEp7z=BW6ccHUoXto7@L>gDVIr59=s)3BChb?sj&X?)Bo75~p;sxWY| z#?*W!@P1jU{{sEcpt!F5e3W)B>#n=*EUIsptkAcGAJ=Va~O`%tH>GgFrcHKlh{SW8uSV`j!ZBY3~a*q4*e^%6( zdDHdMBlbDRd3#>{fL^aPT4OuevE6u=Zg~4E4e8rff4jc4hDXO~{Fkq);NL$|?`5;q zyCT)T z@V&b3+3K1V7OLJwp0Kx1uCLEFcRbZvomaShrXrm9cpd`$fLv;Lacx3zA2u7Q?>kJDTBG5=Jl9valLf-T}pspHHM zdhwn&)Nbz_0Y3}Ti>bGEq-v7IOKDqjRHJvtI6`pWD-fe$Zf3ENM zP1h&R*S(txtILnm)!_BVb@lzF)n`awJ@iorZP+tTFJ1kJ-fK2YgKB@IOD!&LdaRr} zwP~Q+Zwa2Oz&ZF(JvUEMxf|{4;@=CYOP}6)_E9^hc3t*43G6d)+nl-XzGnJ%Ky%%G z)g$&kUqp{P=eTH7O)@=RrHCsRjtctwJKRi7oG0}NPz;o z3OFUgFbu=|fpb1{R!n|xJBG=b^Ul9mmtJy_&dYuIc^B%k%P!MpmtUp}oYyb7SeIXZ ziO#o|FSz(pU3&3_Dp>F$U3$gky70X7b>StK>C%g`-sdj7^m2RIuD|e7U2)mPI?uLs z>E)N}k_*ny+SjFaSztfT{cZc_U7$-Yze1MTyaHkU)kHw8t1%Rd~w!spSV2m__EGnZ?CNT+xfBmUVP#>o%7%voAYwcu@pSdj?Xzy&ihwj-}W}J_pj`? 
zf%BLy$$MS`Z<9;2w&lF a@c#ql`l5#>zwhJ#0000NE_2X}XOE366%>aoAQ_c`aj z*Iv6n@1Ogl+FUhj%~5mBHD!$6`-oIml|w@&MuvidLQ{~J)`WtBrG$cl5kiE2tHH&G zguWGUHWDflP*8R8C}6X9Z{Lwzdw83Dwt{js zvvc-fb++=L9t?Q=3yMokzMgWc0O*pZ3gh> zPx$fCsGO*JdACdDqK8<>I}VRKjw#o(j8QgNCej*=kB`@9WM;bA+0_+qr*bg}N0(NdDp8&WJ5u_s$m1;e29Z@%M83bj=jP^C*VB8< zEhsGPTW^kuLA7^qAW*rbsi>&v9T`jo>`L0VK)$Ww1<7ob1yO_A^`8jlou1!$4*EpL zrT=B@&F22e-14%#k`juuv-2(0eotmtxNhaaKqQVoa3`GExcyG3H;Gp1%TccPm&Xln zgJ#E-Lc2Vge18B^kKX~Fr~!Z@AACol4=C!v1*h(x?S@0vgwe;u4Eg{EW3+#FnPw^j zLlg)lCnr~0Ru&l>8=xPotfF#rnC)V2VWIH!#z{8qLa!yVRx7}>9LNc97)?XJddKV8D zYmV!!H_`7R>Wvr~8SPlx{?|J|)-En=?;`$ZWnQcTG}Ye*{$r`p##%F2{$HDKRTr5n zI9QYo4WF_yWn4by*d>b7B>wY{e>GTrT+fSu(ijML7-7f{_ilJ!fAn7WyI1n8AWypH zfBN-L2e)kes9*;8MaG&lOkTH|J;7q>XB4{-E3FR$Bg;mL|Kmxz{dk3h9K6bVkQG;5 zk{HDh`MJ2b9-Z8tne4iMif};Ji!`T0o+Zg3Yt?4Z_h3`W;C03qHspjAJLNgLQkm=? z*Ul6x6RtVs>{1PUe-`D^{Y*Tv(gDVe2lbpk7Mz6a;}+Z;MaB8i5Gt;88`bAwO;KYl zy6YIiPCJd0@Kq~xK69gK-Xgoh4^0;iEe0BD9Gi+;lS}u#zzqy6p|6~5(h-11#+bpX z@?k!+n38{=&)>npVJ}%tbmy@L(gh0dB#??UY_LWP2ncX*>n8F70jywPVJE(Q;+Q*W zG-`GIT3cJ&mH^2T!GbR2Z#sApEF__ebkJn`l*E9wDC(S{1Ug#zqJqmu#PPUBbLcIiiD6>mGzys|FFT+FyLBL>?OmiU3o1~rh!iDnuy@41MCa$ z&-@WL`)XeFQXYw=mr5N_T?8e&x7da1wNnJE?IMN+vxF`{XoMiH)*`dSSSg*wqRaxh zNovlWvAd0T#Y9{&fh>|tQa^K8Ldr%%I8RQ5fpjT*?g!ZqD*Di5vq5ef;OD@2SOM59 zdWPy!4UE+7mMcM|`~KrRquzh!W#iQkJbZirLC_6>QRkOLA@9rW)6*xy#l=PNy(xsJ zsj2C&vB4)M9u>Okj!tiB0Ttd$X6NMWkFU5h8#d>F!Qi&(zsJZZ;IT66lbWQMt^zE| zv5lW2g#j5P%tpMlL%~aI$UzLkvc?LW1Bc~pLm9Nh)q_exXi&4s-K6CzqFVnP9<|`i zh_M)r`H+-xj;EN8j8+&WqlOGL>I(+Syy_F0}epNOO6ktYhR zX0PGiMI_ENyFP#ygqE!uxj=)-68|or*l*upUJp!P!>X&R+Y*L<)zu{i0mFlULr9o1 z9-*P3fSF;X>)Xd+TkfoWJQml(aRc37uQ@q6>n?}bRgkGc!B>D{f57WfiErS}tRf)) z8T09!x%5!|ye8+<(&CGeKoD*`(}mG~5wBw29-|ldl0ktw9vKs_sZMX@W^6+mO_)kt zvZiiN&JgixF5=39d(hZ&#C;8kY}y7uLTUBTA@aYnk-DT+o(pg%$isvzPHGxGC% zXA_`!;v*l7>wZA{Ub&inT!`w zFz!zFI{CkjXre!Dm`|ytTbw<%LbW~Z%H?z>iPz}Ho7D7w(o8Ew(%>_Y0v_~N;RM{y z$l2T|xL_qA!vn6&8=fuFm<>iX9Vj^0vMT^$gTq0$-rzYga7y~G^@u8mAAM6ere&5N 
z(W3N3m3<=E0-cE(Rn;`fh`wbnAjOdiP8l5e55-bz53idK4^!OU4EqUOB~4wQqf+zS ztZz0bGhD>41fJ4W7#E5i>hzxTA84?WZn@@tL!vIyiTpxlI`k^Ed2W0vHC&Z8xh}2> zdBwFmWqe}Nx)JmZ_hZRT0g>%CsHHcU4AzXuuoOulGXm`*ub& zN33yAu+#DggRZC6U=~e3C}lt2HL~nv(EpRClHdObS?Kja%GpZk-;+{ANsCk~SM^a& zqk29_i~RVt83l7NtA`r zfy?6l5@;juQs*1*)juFkF&DI#_^}?PuT|A$)>abm`|##KzvunDQR8}fXZ$k^CeteF z;f{n9v`yWd0~k7+G-&R;H4Jw(Sujj}noFB(^gcdtEbE1}wZrIW_N$sf{d#0oFQf0M z|MJUYzH5s$?t(nIH{a#Sv8j(1^9adxvyS*=GR#)J;QbS#8%v)a|A>FdZVSqJED^w;Cw~#QLz9 zw+Ei+Xf-t)c7g0zp##(BTEv41=V{md4`@xmEvA4W1W8-}Ytb@T#p8MO1os;ndUT`R zG(E)kyy5&l^xwZh;K83&@2aSCCXtIX=sJ zG54r`m9BWSv6b9VXpSZh|Md|K2colW)uIyRC3 z6otEHYfzp$(5D>>Gg;WQdt{nX)%Qqrkox9P$anN<{_?{e%v!uql2ZFrd6S%jl|M%46y1l>W zdHz8Wa5qB$2p0oGzj>Fpsn0Io0tnzD%$XKwDExs~ke42ax2mCGwoG4gGd+{|>(YU5 z12BU5f`+vv=XjiIvR%%VnmzJ3hqJI=scjptUk3swIU60(qo*)6P0;gxY?=!0cgbx| z{Bb`G-4am5C5}w=&qU@pozJU`^>XchZbc{C)oL_L zbMZ!7Lt;ose4h3EC~znj64UkX33@Cy>MYJb-g5N3PKT2pOei)KrG(|~Q12{%_o@hU zcQkLL`Zjms0>lDGPL}ED=1+10c68DdQYbf*U>1x;e;<_?u9H)`mp1s9>MwXp4_1_9rFzzCbOB&GB}(~UcS zC>-g8tISOxGhA)};LBJ;&r00Qh@2Z9DJEh@D$p-AoZg2Fpht}e&PmKyOaTu}UoyP; zt}L!j#je-XM2~_UFzfV|0JEcG#a?!U``NsY6MdH)O|&=+v*$Oe1q`R04y?F^r;PM~ zQ##eKb!yOqY}&e$tVK>C>*iN72teRfa+{Hd(_WDA=Hu`U*JG$F-hrya2_u^M*5$7% z6M!Hac;cCV5tUkvnO&%t=8=Y2qy_Tquon;Ig?V1GQ>{ktRRku|+uumtKK zhd;02V1NIUgF|#~?gqi zcu6a+_9w3#3Is96Mt7W`Nz9}L(r)aT=x`mVkR4j-9mJAZr%chJUF_>}?-J(8S{u9= zF~(;_*~hhK{6Be0$W>xQp2IF3uSM>APi3)y?d=IF} zp)70pis~Zdm8UA@6qo%&bn@$vN@2VGET_xLm>xdQ_l^h+6C zJ9*bLJln>r*8T;*6B&VheXAAANl&mP?aK1#;LND5#jKyrWKYqz2$Pa%xx4k7LxnNw zgen(L%GU{Z3RjNetU52TW|z-2MOM=MYg~ORto=LpQ?)+lLPNY^$|?H9XCE52V0jiz?P|&6+DJ+kW^57tgYF zFi-{M{aQ=?BNswclVY#&0NGajf*?TylmdTu`Ub^XVi}f5X${@>w)N&0GZ9`BXLG~C zAQ+rK1n!^8S)Chie=AwmMym)U&~Lh7<}m44$!8z0YR{}fe2@Id zzujbm#-~KbF|iw)yB&K~cFp(ep3lrgWmr5oP#NeZ(Um-OA4 zABYL!=-@d`qYuN=3Yb zkzZ};|< zQ4<1&qtHG$j!+Oxo=Fqsb!;9jEU6}PEy@*aaV!RSB;9Fb%q-&gc@eSo0FTKqqoGz_ zLt^1PQ7X)jOQ`@1B%X|-8SP6cb=MEd%pLlxx+n38i1`DBF^7 z4WWPYb{aTUM)Z6_hgo#m{_Uk^Ke6i_QLI(D+%c0?g`}~mjnu-&ve$p_&A@|_Aaee6 
zj4co~EIKE9H=@GqbAWi$CFmYB&d{UBxy05`3eD8zU1xre99MFRAHg*^RIb!Dk#&@B zbFz8?Y(5^SA}rv2W^#GG2mQHz?Uk?AyKQ~JKAT12HaD3(^|M13 z{av&9xkTZYSu0J3agWh=!;9^=q4?$wD#xUR_q7++f7yF<8#|M5(VoNh&PazGIF zXShZUf3B{x7-Nc)eq;fv#2F0DvYI#9At59^si*q6?S>G5;`Q`u?XHge0ndCs&u`Ib zEKx=k@-{dr9ay&Y>(fj1ltB|1cJqrfiCKK-_ZH@Bn6p<4yl%45t|TIDm5SwnH!qKHpU!Nt zk~MMeI#obF7B+FF*WfsUEDE|up0sH}E?cg*+94{kM>X5H3Ysva2pXr)<^@b{L6UAI zgJaZ6U7zHxEO3^Ff~myelLa1%_-fIsEG@klFYkbJIg%tWdD`5G5xlY@4+Vh7Cl{s zKjRO#9U$Xk-JT)!NLGDQ?E1U?X%t|W*FY7-F6+U!25| zni`|t`US&*oahp&txT&PzsN`3z#)3cg&^R%5dRVyr}|NU+?#*aq9~m`AkoXNtpb=d zye3ut5Pfdz;`jv)Ilk6TAtJA2IE0qditZ?S#g z9$W-qjdm=Jjh>5ZjyVlKi%Jj%2FB;A>#^HFOd8k<#kl)hCFlXA%K4q^pZC}AQ?6lK zz$+gHH1qFIn z8qcJMiH2?epl#np?kx)n;UuIerI`w{WUahAI3coUrW>SA{5~SUX3VEJ*M*rwRY}B0 zIPGz?>$aJdOh0AjEtKW^QiaJ*M~7gq;2v3MuTS5Nk~pmwIu+KSpD*02kga4C`OC6g zI7#Vf$`w3d;CP{FOTNVTNO`%|SZ?9D?8%xd65HfXSZD4!<~ux1(#~)lU0N<>=|1B%$_D!oWNVSz-U8Im%B6{z#WRJAtGP1=R(I*uRHClmxAxp9KmIGZ#HmRUf(}3-i z;LQ2*5yyMowTDE)L=*3Y>*MO@S@~$@;-lA&Ncu4S=-tJN< zkk;d+>@PA4h>Q&91z+(^7XnhOWOs7uLf6*ko=b03qqNqqS;#SkB9eN4%Nr6^6r!b) zQL*kb6R_s)#Vl`*a1pd&=}rchro-e%=Lp!0g$ZF5OUr6-Rm*U#iVx+=Gr@bNQ6%Tg z6kRFrrELgQO|5O`rK$YXg0m9&S##53@-NK01^;#sa*JhuKAmU0y~T+x7}#j{90NzK zxg>>!hr3^GcD1?0uZ`bvV_{*LW*w^4(bI`H58eU9rWUa0xMjY46cwuZlKpNdz3!r( zo>6A>N>JFm@5IE`bpP3)kAV3^17`f|EtQ2t&cWGUGv$<|A@HIAka~3s5y`QVXm7g^ z!7cT#3l*`%7-W;Lz22ktVNo~&OdtrG$EUXZX7)L35o);*@Dp~t?El6-mJjkknGno+k|gR{WCH2YjdBiK6r_Zg9k}1o8M6!^$4ddru*OF$3`4#eOZZ)|)d`hTL>S&cR3|BWO4HP{!KnYfhy)tR>oKWn=G z7jmBYzeUdfKPDbh;pEND3k7b>d-mS{7qdZQ`fl*G9LneUqGbX`dW2m>gyp|~3&M|j zd&Nq~nExR`{^CLacZo3na2RieFjq0uf8RZY$|(L1UqXXD!X@=Tn~f*@-)8^+LjpL@ z%rraH=w??%3gSMGzj4hQZWe+VU#n+A;3W_JFJI+TIzFC}ab8`>Ao4vULtjF8W#Iz##3r;yAjJ1a;;b?j zIhl&1EXRESvGtu4cd89G9-fNwM-H7|8;whN2{ZtD8kz(`3Mof>Q5~{?m>7&1p<)YJ zK3Ts29+@U7!tqHE_v($=)9NbGTy#5wYO6-Sx;Kec>dUb*Jl!)%8~tcZv>GKNM_xuN zH)r%mq71^~UvjZCGyr7>4R5?;%$j+TG)s+P*4PoFJPjdLJr#1=4dOehi}OaT5bNN> z()XpPidk)<8N3Dgw(rFR67^?Zfidv#r5;pOxk)jWyP;a-=?Mxizj3wpjMLcbek}vF 
z6+4D!j*T8vDUt6Pt#mg&r?CW2vcHHQ=4MJ0UuEU7It#TJD<JnXd}?@nl84p1v$9_nnKPfK)q^PW+SZLyU|htdq!jX zDQP1QM&QYyp{c+dtvrJJAW$rxQKYlEx=?I;4PhD2)a`S_`}x?DFtIZ8DxM4}1S-3% zc_h=RT{V)jrwUZTv3fnzeR?sUNCMGX`ZB+a87d)BACR8#{NB9xL(<&pSXVbvgXU|ybG*Xe`;D*Yc85kE1w2kE zAKoP&qkYt--qe`o)|q|j4q+3}0{Ptz*w z8s~o|G8EgNWL7M2Y#Z%m$Anvnja8%`5k*w$90M*mciKF)*Ef0>$|c+B!s4BC3RfTu z!!Y#~_Nu!{O1$rMqzYZ+H0&A+&p%2U75%9^#abhwJ3Ie)-nmvHhylhr#Se5s>N#38&(4yvV}8;ta7_Pw zL|(zND}Yk0hxpHjf`i6N4{Nt(ec!(ij3gHdd}z&WB6&%F){s6T9ajFSyWzd_Kmtgo z>gnFM>sB*0WmR;L&cvO{gBJe&|s}nM@G$!O7w`;04}0CtX^A<)dY!}m zJ@I6?pr7$hl_-M;UBi%k#AgY6RVk^h`H^*j=~o;2Vf3+f;JptuiWPG2)DnOB;21sYADp~_<18pqh=^fxvHVOO;kru#C<(IFsRom zDA4?9*g-XNz2aCxq%tC95D-M<4zq7UEJu3Fpm9mVoOP){eadwDOwXtw^NG-t+nV;e z-a>FEwkXEdBc`H>Ft&8?R#;(N=sJIH_@8Yqh^g=Bi+nJH-ZtKjdPGenfys@E_E4V9 zhEmX=*y~x(O*Bv04I>GGxmk{8{$5oe$ccA#Kuf52$QGXx6S1u|E|;8RV6)C@DcmpelGi+kypv7bmmHgNuu-qneT_Gb zylHc{pOH#>O~rlD%Bv$45qegBoYtFZ_}Mm2Y)S#*k#!bIC_t#vU=Xa&%KRZP-MTh1 zgSzHslw_@yOs{`?pT=SoyUO$>h2r%Y1GG}w%ag_t#e&hUKZ$;kGM_X_P=cGr_X<` z@!amA69>$Vdy6ZgrhPRLzDVw)feZP*)64OlTT+KD>(DKQRu?{iEsz|VRGy?XK(SFT zROCairF!Ktu?9yeS5&Tf-M?p$T9gkow(@69Xp26g+*}@Z_2ZBY6$~l|c-x3*YF^>k zI0ZbWCit$;dXm5px)Ab7iSSPr+jdCQm{pC#c3g92`TEL>JQK;i3>+aHd}~Q8sQPg39ou&gG%@1*c``eR z2%XgTu1p!Z5?({4eEJwo^7jJPE~%`p0m92Wz7^l0#PTS!Qar53WkM0-Zdqt5!7Xla zBW?cdb@zxXjkJ#}xWs9_pr5MXJz+oS!gJwd^Rnx1l4!l6JcYUj@Qo8w@>GP0-dM?5 zfzbyIj`AR6rHyW=lE9*p6;hNj+HNVQ%}9JD`oDczfTcRzAKWnV>Mw2Uv|aUCr@IWS zE&|_TonS=16WLS4T(<{=r;H+xG7+DUl3KU+#IDY2jxt3@y0r}&BT$@jM?tlP$6q)#W87n;(}}jiHda;#8$pd`Mfl+dqm`kbH}T#uA!^w7AROi(7czqCF%0& zG}$4Y6i^eYIK%e~)&e!P)t&a|_dGXh>ZWeT%|Nu8b>4Z&U^_WZfetrViZ0Kr&{dO0 z$$4AZBmwWu_=E@}jULUPs|XocRqy9{k~&WVV}_gy)yRe~yujM**^JI`pTvn72{0G1w0WFqSh2TX;NA^6g>%GhR01Yg`3+ zwgblH>Q~m(T8Hd!o-U^a>r}*u{)j<`x^s#Or+wB~ORdN#FTS&T9Gky*KwUGVcM^Uv zUyG@~9-d9D7=L)Hb8H6s?E%wT-dbt>MVQr=9OKo@=cB%HAN)lLq@Y$2j9v0#1CNu{ z{3PA~IL;${d6{;wXl9G&Umkr-fD3FsJ4+wl>+WIYvP~=TSwz2RSViG#sse8x4Wxvu2JNJ+FwBU{OKC(> zLRs07Ox=C!!#wy%9>^YOYf4iZDd`J^tV7k+{iE${pJ|5*GJ 
z;})~{-NQ)AFmpC*8ci3=`vxcQ_KW~@5M6VxifO<*5M{GfZH9?P} za{WxUl@Wb>4Veu(e>bzahJ!aZ?7{8cZZe1T8y zf%kn=UzS$$v#NdTsks|eeK(Tz$!aYCE-{m3m0vP~f_iODmwe;Pi{ z#kIdL@IYZFnklCX#U|_SF{V{p8o1~%kttZ?S3s|u=1h&qMmaY(RFAb(jhoV`8nd$j0wbPd{3CnB99-A(!z z{kFM`yN^S%!?vdsrHaKh=S{_YJwd*#6aI#ulW_D8GGhYl_|T{VK)*vl66JP9X}yU^ zPcr$(1Sv02usAqWfy#}h4A;+QOn4!C#2$r{7DYw#krzv-aa_e%R+9(09H*ItBt;sI zYIbTRwrZ7{VlPw|nQ9Ks9kx^cYpIXkVp;#p#1`1(Yj+P~ZsM=H;S&6Xw{CPh?jjL$ z7VKHt#u!(C|6_39%Swr=~l*7DuQcI?>-iIy%UH-%0spjxlR)WFaMXyocu$1uh~&YqPzC z_=1|Ajl?0|)ue-HoK1$PW<73STpP(Cz#cW;$e53a`>wGC6PIl2W0`v0+bd`9!SSgo zL}nna92nw>A*lAbeWW)6g)8-fcV*do+@f|qSEM1mP+w@CzF#f0XS2!w^SJBD_IetD z668SgM@^>NbOZUoV-t~D@cq0;^8AvHD<4go8mS~Owfroa>UFN8;*0J*2UX5Pm^Z=Q zPcvl2=++a0iO-3zv?bMi-+=qh#NAD>s2@&b+81~I96izYLARISK|74s1=a)tnN(ce(UZ|ulKg(R- zu#D+L6pKv{(p7wi`w?*ecD1*ta7~Y~x|uII@Kdai49}klN{oMhYkgkh32O20rm%Sx zg@DG!4DLEUy>^7X^C1`#!?xZ$1aE;l-Q8}tuF7)bA>ZnI7$*D$rlM*zf|aw=rh6gdVxCp_t2G%wx!cl)dKop;a8~QksU*W(+cG1{3;6I_QeD{g}FBoaJG#eH8r)(yHlha`oy}q#iRr!So_*e~} za=))sS~-SJ6i5m;`XKxSo*#TQ4cU6mTz!#z(U_06s<`pym?u7O2&T8*biBqFwp8QE ziUH4$Y3LK_1z_!0S3TGVXK2TXW2qvrf4A$mVPBHgbMo=wI#2GO%u0>q`&g=-m@1>N zccTrY$$Mz6?XqqyBf+c8$hi28AdZwTMGQqS4)4WN!l%Py(`?vN_(;m1M{B*}wsj@M zHnc`By4o(HI8(#ZXN&qkG_~J4C2|3nv2Eicuh4?BN1OIMHO^tzv+?tv!Md1o$*Z9DNvs**&qoD+Vv@kSOf~Q!}vuuZo%vYoYYa>p@dJ*im zUMYgnf-$^$?khr3A#J&+(NCFYrIfp+*Ap-{2o{gFD&-e{7u?>4m8U z3^;A8$2u(>+&&FH*0HWjS?FVbRLOVkq#&T2EBE`@c7ih+HP71cyEQ+kIwrG116kAD z=fxRof@-SKHzR4^Ht;I#Lymbe2*C!wvgaF>uC~QJKMM42b>}-J#-KzGj3URi2vxma z#`ogYxN7X>V9J>CN`G5=WxCoO0 z+M$LCk$kFy1ve^ZvzL_DGdqUE!s8wi9$)1ljVSlzl`lfM%N&2PzxoLO#PmM+Pk0!> zSsrN+3AuSTSCH*{?jNIH}VYbAOI3#}UpT~q` zWmfv^+{1t1$X(7Yx zPgIoez4y)z`lAMT?+!=W^j}zn?Vt;DPy5yeqkmzs;NF$n8tR)KG?cqoXuYp=q-xdS z`VH)a(s)v;D3fpr)OT>yRN2ais-8jGrIr*R)R5bmp2MN6bDKGLAE8$Z%{(h8)*F}; z|Ih-a{=(84gRGIhDEHLkDJ`R;L%ZnQdp=5nZ9XL)L^-ns%DVsQq}A#atEr z9~?aCil>h+W3iHmr%(1(@w!+`>+6a(Q|wx!YIKMY ztJNP;T%u7Q+kl<=pdj8t|3QS0+?UT|eA2=C>N$!BO_uE=5&%wY;I$&<+N>cVJ5{rY 
zvWYdR3q@Q1mNDw~@EZ(}xB*iQ7ts?4UTYKA4b_>Yga_XUQ6_WGTh#&v$X=hm$wO?3 zyxgsppKeS2L`&eQsf|aIn8YUWR5xn&ith7{6i^ZvJw?)MzFfO3Zi2HlTLw@4R?;E- z1R+{uh{>aHdS0Bl-}4G2Mwx!f%TMmw+rk(c_4!=MVnPB}BfVis7z6CR#h)VLRQ8p{ z1<*zx+wMjuZBFfXcgfgZhZ)s40u@cgHuETq?sj~h^&J(%C%m(*?~)sJ@Lb0Q5|&(s zKl4<6ofWn6$yAtkGYj||#Pc`R@YhzcVCHM-`3(WJP}~$zfQ7{TJq7$kP)_o&10yv0 z$>I;9vr?LMl$PYOh>Hc$%MQlZKk4QQE&4h2Ofo{8 z4E}u}0(h3B!@ADsbnhO~TVZ0zAMa?>t}k8W*YcTD5iTiEZSltmc2Z(UZae;$DKh%u zvlY~qrGxIv0@*-vmXK36$>C5{A37DPcok8;h6SLD$5N zv$E68C2pROGJjXz%*o9_c=+#xWLg&NcbZtAb0FZgo+F!{6&1^xL#(Zd&_Mf`%{X+y zc3+~5=}2K>x+lRCOtajLE>tzfo+E2d&nJM#J?DY^NYX#ZIdC( zRguZ@jM_CX0i2~oALywAqI#$THI>;hFxYhIyg#u=hYg-On3)8(B0}%pz`;d0|3nDl zbMYF8j1<1NB|EB{*HLik_M0~vur4F4UOy}L^pE0*jbqHsSnn&y#|p?G!5dAi^+oO; zB}=G-XKj~ul}G%pY9)lRV2GG-Vj@XJwd~gt`c3XCn3+o48s4yt408|xiwBjFubkX| zn403k2SDY&GmTzkBKWmD28FxpX4s512Crtm!qomet1gb>!df z^?)FN$2TQJSHS|RSE;+h#2EPWNNmT3?InxnVTBt5O?|&LD%~_NF+H$@EPqtvyDz}a z0Ad*UcuR3RX9~_KX`bOmJz=ht!p)Z#QnuTEzv+ANF7J88kQ9Thq=F$Kgrc*TE&mxw zEZ{XD4wyE>F{9SELY-rD>t_O*xYD<9M}UwB8Qg~-0YQpFg_Ymg8AVsWb^GJ{hrEmU z+Wt-Xp^bibrkF!$VDH|F^cK;|)Fd86@PXihc?NNC#l$FhoPA+!QswH?W~_s?Q7Fsi zj=L2@h%kq|t|LF255csfZlpW<6P56Z5G7si_o!BNlkRM#*MtX@7N_b;*MU^NC{G)D zK%NVEW$B8nHx3qyqC;p8a^Da|Z8S28I0p64+Mi@))PmBF9(s%hI^D>`YX~JQD zma7}gPNm!Ulolb8*qClUG8`c!df)q(QY@| z!$N~fXiNj6)4hONYjeth#|pYee@Y9wa;}TkTp2Gu+17?>rmHOsKPw#0HwYs6g*dA3^eaGB#?a4K`Axu-cDz5KB| zwQ+RJxv8W3=IuPp!I^(J!{K`>wOqgWbvsA+8*fiPhY;IO!&^7whR_W?NyZD8_fO}v zFneRid;wq8UT{IgZwuX{iP$$ad|2n>oqNrOj>&?c#Wct4Rzz|ToKPsWVW}ovxT`gN zJ5p@KzE%q<)#^g|gb!|+-oOX3Q$7ym06C1<0CPY_?#}Q##4L?^tvwJ>R(SJ%@6bv( zO@RrsPl`)G)= zlF}TjAmNQ6_g( z(lyQlp5bT`eL+1PSGW=yVamq{5e?0~V%0eXD~zLLs(a+gN<|OPG~&_*rIUh_py66h zhWO$v)+~e}JCfs~s#Z(~f*_Nw-0_Vkjzrx|%F+ES>#8E?H6f}=35Jz==hg4@C%B3= zZ58NO35biWWjmT>dG7OaBOU3ZJ8Nx{!4XJhDFytsA-TXOgqzV=+v>xX8UAu?s|Y9W zMoc`C;Wv_CnceFa#!_^%yo63D%$p6Nma#siGfqQe zNkI@Efq`ZGAjJXm%p$9T2!~4>i&i9+w4LlXXAcZ^82btCy(12~pRd1g2P~lV{BrE( z*cbUQ9~x^M*|U3#Hpe*fJ_SupeMw|sJL3Saol9zB9e{4t<_G`&9=0(WASmrKa-*;; 
zJ5aa5m=ofyMD7bu!$gO57F-`rF3Csz^jVfq(ar?c*Oahq5pUDb8Ce!Xhs#gX!Pc>?3wGlmgY_ z8B?!Lu7^i+!kH&@wo?b9eU@bvT}pI^DAubKeykJOTk_QmA3N`3hkF#10wwUytPc;` zd^Vd+9wYW)CWqutrjwq0l|#v|j`+=H`y}JVx|yPk)kD>voYZYy)}!_Uqb zzFnVf20~blLZMEuVD`sV&)w~h&+STgFUuS~6-v8Ha=&ZtG*oX!=(&-+1mtor=_V3+ zq=|?g&}^-Y9-&8CYI{u^C68^WWZ(R8Dh%=nPMmo!3t+9kjS-40i7ouKafiW!)$NVI z2dl~Ga8=wr5YIxAi`1hR4C&x#Hkx=4$$T^h&E&FAL+pWcNU-m_b_{*cN}eyoA?>&hF(ep70HtmXI|0Gr2`ft zh1nv6r;Jf{b>0)J4x}WmahScn`#gqS+1Kpko_U>qUIb5NYrEME)h}A zydq@KySPVfOm*usXdGq@HWeD&F{+SZDZcCj;1?odc6GxG4eRGH(Gi(2h)ZYEZQ#c8 z&>Gz!9bqiN0wZm2)m%br=czM=Ko^ZMXVVi-rYm+&YYwi+G5abz`(oa-38ouy15Bmg zzHKTf&f(N5*%x{^Bc)LVv#V$tCiK%G%s{*fDg3Xn=$~djTmAkc??-L2Gt(Kw6?`O< z9T>=!LzbxM^GlkZ&W*J;X%?yA_XLb(!hQ;Bwanr)pd5;$MeeS|S@PVn#OM|~z(*v3 zB2w`6uH80XFUnS}p-p5ILugXjf$+S1X!Api-XP(N{2ge@IrOH&lvksP+H|$-Z!Do( zj6w8gvjA53M$e&X;5BvNU4Q;fIL|Or`7sw;WIk{CG2`8!^*suBI6iP72>cxF-}oxn z)(>yZ!D*DKdah%L4c|Df?3IAypGlU^c|ztyy<+x(?R6VL_z@89c+Xr?!5VdY^%8Lu z2(&QqcfwnmH4JlERc^a_Pm1!)aZG>Agt31eOXWKxSB@m`JG&<^b3;N0^>Kf<@nPvL zrIq5gAzgIe(SxUp+7r$xD0K_GTh@8~pz*Czj_`t|*P`DAIB{#mRlKg}8V9TyxU^0lpV|-B2Y>$|A}CU&7RO zd%`>=G0IsCwUcQ=+}>NtUjRC|`;?OPUWNCfp_ESmD}7`|@?Rh)xad+Ik?xB`nPw*i z2kD}PkF!6SFS0Vu)DBv7=iB908J@;$YwyC60_7Q(z@)LXCRhO3Uy@E*b&CEVEQ0wK9pfzH6NQKv#A1xc~#z~dtZr?8-1cd$bo*YWhvqi&QfDZUbOrdq1|R`#Eu>Jh#z@RGfz{TgHmr`W`eBpjAxK+Fp=gm#sHmvfFZ{`fTDq$-C_xH0 zC#YH$s2EYrsHl) ztpA%x5DSINbe!ts$bh@6kD$bl23*i8XF&5SOlCF7GRytB`>_6oYkB4Jn<^}z(?2!tTXC6+Iq(IAF1ew-e3C9{SW5sgtiV2Qe|^2#BBdaML~OiNfrIyr3g{@cIAzZ zD&C6L=@b9kjzaD~?bzAGfByWL7YCKeVK#j>ZQleVGBh|V94ha^ZN|-lPwyj0ICC}t zJdTYX2tdH1hYQ&ZwySHc=^Ljqi!U7a3mF0X$Y#!s9@%i0smO*b2QjY&(nUBiKA(-7 zyQyI%_X3aN3;t5D(*C7j?S@g)2}Y!kxzx^?ys)@G)u}RY&#aAN)i%#=h%O;`-chz; zt$vSGyoe4tc`lK6sUxbJW5Z_i2_^b}n0u>+IHRRaI{|_PhoFtSySqCCC%6We#vKye z-QC^YgKMKf8wrgC5AN{wo;}|?^AqN@51x~*Rkf<>Uf2CyDm^yk(bePKM>`k2piK6b zRs@}D)TM6LYQ&2*@4&{SvO9w+@aHb$F<*62J$YVt`FX-7Z|sh$Z8gLqn}~6}%d4l; zhz7MQj%(w*WT7O>tcdcnY`8_$vljmQ@R|RY=~prtQyISu9yAR|V0gwJ)>DhZD#SYv 
z(ag75qZVga7CYzb)Nno*E==;@Y68VgJYf>1sHCx9QpWs9jz$*uS#!}1BZ~@9L2k1w zJ5-;WBs!>pO*Y8Sj*^P)v6_XA=eTox82)}{x1sD<;2;5n!<#7PV_Oop7d-iudpaZP z(65>URJb`SVD`pf1MVq43Fz=QC#v|TK9PD2ia}NCUhK0CZksNX}=Rc3Nhy44j zrWscS(%B~6uA>msw65A%YkWlu9oj|FdTKJQL9sxet6jQ{t9(zV zAR;UYlHb?@e(0B>B*bj<(t`$`_uYRZ5*lupXah`2soqy>EVMt7pHfbC3rGvv1Ct`@ zM=~`4NF%1X?=>YDXiCa-zAPQiyzRa$Mg@Eh3IhAx&J`)d>lSD_b^jQEX|v756MTFd ze{A*Asn3dU^>ov&zM0nbr8SWb>$fqtQ9}+-?hDYO`Gu}6XG*iHld*Uy1%}kyO8d|S zL$56vruTE-MRd|SbG*j_Oa)wX9_(1G`cN#1()zDW(^^~~&z)8VPwfdjc@4=+Trg7Q z7_oHQ`c1$G)qh~X#WzS%? z@Y&Md{tcPP#rCB0!||QZM==@KnNr)jlYw7lG5ZQ?zfbFIGJ`eOtt-PrpTSutC!wz< zGr>OwM)~ZGdgWxcsmdOE?iZ(1t+J#vc1QYp^Kjyo*bIor+nCQSTH}OR#8O;HC+lCd zAP18?&18Oyt55&KDU83??Z`htx zNb$rx{Dbu*Z8&$Q;maB=R*w&Xb&$@a?SK%fZgz~bqETt|YEgBajvfCBh%;`Xtuea^ z=)6A5&0XTyN)BCVqyz|fB@`c?{$nMPVMPAbK1{hKu&0~vCJ&mL2IAONbd=4J;jUcM{#E09 zus4>zF#Iuc(E;3eLX&aTI(@tw#&g1|v5L{5qe8Lt>T$TuIEI;Ii~0N3^~RM#Q3Zbz zV|Dt!<-mYn%Zlxh6@W3mEpgyqYBW-zpd|vqoCST*7>e7jo29So&73$|Uh{rQG=hpR zDJGejV+L0-S2>^aafO`cbe3Xb>R%L^mR(Q@U(TNga>lq^5moCEIKo^)2W2kaq1{MV zzLCyqkBtTo>S9xzTKN>qIgNC;=zm4zGTeG$$U=>Ro*}{Ean6IZ=>e&@i_S;`0Y_91 zYtD~7M3uypY2KpS`B3PV?^rr=f(*G>OBVf>|Ggm=7S^!*Q8$fPN-~&BrdW+nz!kwN z(gG7&1=KLEXSfu60}$KMoXo*bw;K_-aji0ZCe7xWGCqIK&ZV8*VC11ndwz(Vt|M!5 zZQ?05%rIkre&K@HOAp`@O_7Rzf^;kz&l#P$#J46qCwqm@e;RG<-&YB`mps8=!UBN1MMn}_cvNX6qJ!}eFGyJc%3O5KV`r&UAy8Ues;n< zc>{2W<*#!;dJW`G%&Yp-ER6MYV6f!nP{y{e;XMvF=?QQhxCDPH_?F>U#Q(CKg;!aJ z$Hv8_TldIY3|GZkAp>lc!JVe{PBPfZ4odqn`iAUMJjqqA#CSyH%?-UABG~aA?#0L7 zYu(it4*kI9{fBZh^gJo9UGGj=?gY@%XHXIJbb&PCeIzf0Ln=S~>qE{oiI9n}a&Sc| zVs>4b?G;L;v8=5WQp>p|LM}BnhP?|69Xh0(aKcmB>It?06p({6hc0Tyj*}=a-Cs4S zw?@HJu?6FBK>M46r^@SxavnA|b}?9zz+|2j|1*5^$k+ z7rM;Oy+A&^MpJW2frJ!C!P6MS<4$SgIotF`&93SzSjom~FeiB6)+vf&tf|3fstNmB7{QZuM z+Hr*;p$`y`fha9TG^CFd!=WxU?D4g6^KB>q9pYasd>M1&)=3P4U*jWz-L9zd1^8x= zVnp=5nA%1Q@ z@i7$*>`_)`E(T~75$Cel?pVLgY`LmDglrWDSYYLLvK}7hNKriYU6#V^4UeJ%gfE~I znmwJ8GO9rHPZ2KQ2UC6L+mq<8btVL|NAxH=FNxO%NKB?;?>HoAT5ZL@<$%bzA&gqu 
z#}6fSA0i9AhYwWy-akoEgWlhCjRVlVd|;%+Z!T*R`zGDYU}l|N;=jz8#+r$=VfdJQ zVN9LJw7Vn4UAZeP<%L5Z3+;oY?bWE2)3y z(5Yp0VJy?)b2ICUlrItscMcLu6_Qi!TBxA`;nB?4x6UgeO!wl0-5C7oPX5xH?7xx@j06EHgWl~-1L{jw zy8&+)It!_Sq7RogeeKSW zvEx8@Q+gyJDVks52TVjvOQxQYzFkM?A?1o%D8GfZSU=m3@Du?RcWxN<1xs#uyG88s zR#DmW8vkl9*)0^rZKffHmAB$Q2FQ5l|9~nXCagl81rC%P^XZmWWyTZD4X#0j&E$E> zMB3MPQMG_J+~?mjs@|7Fud7naNaf$?H7c{yCWAOnjXP0kcTB3M&%*i)JkcB;gfHsb z2le(guOGoon`Y8qzl%&b-mP|}&#mNwK$275zzH6e=u4p{^Dh_m>%Ryt=$c+wfqz^m zg0B^)Qm{XzQS0KZY?tc!t+Z?p0pF{8u8v4la+(h2>QHNR-#(UykXa-4|7yDiw%AD- zPb;xGt5(jM!eqyyBPHw{;M;FK!7+>OoKGI(Z@F-V0;7C- z6a)$68%!rie50OP4y-)kn@(4~8B($efo`ZI06}c!kvW{snf%L9bzqNxb51gCT;t^s zo~}PcnKVibxremiuMS5e_0#lU0S zJCWp5q-1LwB4!Bqy^V?`!OQYRb z5zxS8$mPa2k!7hHLExM&66t_%7BiIXnY&D8*y5f zt&ueDzmhmk>FZz})u|rLv+>W=m5{VqC#)W2^smmfXUYWXj+PBip@$?c~p_ zhdW|CXq|U*qlXz_sBV$<{i==#d9%Q5!rT((b37iM)bm@6QZq@PrMPd3aR<$McoNPS zLz=xnpYlJ5zP!L9q0JO}SY!2a&?pF}w5O;=fJZ++Y}i@KZA(sHf&l!s(Z#9>e_h#G zeu$UopsHnJ{<=M}>O6<2n5=T6u?h}@5;)-T$xlY<9Xn~&IjPZlh6p-Vw+89E)=v{a zF`GlzO}%oAaB{vd9=uMb`O7Q^!%Vv)TL!|tk;3WcSOAkF{r(OBgU?e4kH996S$_m;wg{;13rj@5Pp zb*C>%uw&8_jt<(Y(aS>+g zw6+X$dsmgBGG5qnRaPv6tr5O7;MFP_oZJt5+C-1HwKRgna=|;UZ~zSb>6{tIO%hqi zuEQ+Vddj|DGi=Ek@yHfqZrY3UeB02e(1lV&26o@u+k>oy#+FFbmI3S3rPz|8yyH*W z8N6D4kLe%dlbFY@h7J53Vdi(Ha8J>XRHF<+wHbHIFc1SL;6QOo+p;Dg1bXkE$t6>3 z%Ws;Ey6j1(xZ=wlrs)LtEn!zpIYK2?g?F8sW7?;DMzEN_TrHK}0KL`=wC zeRzV@PIGRHNl-4@{3SFKIucT>ALbOOWKvr!KA-yYG=mM7o|5RZ^Fb#m3x7UqyyuNw zUqx`oOJ|K0N|8gO>@WO7PkjxqI$oOTj7CsT|%_bPa| zn^e#u%A2f^bN7>WV6z1W=pR$x0{+fKKJ>8#1Q0F43qPuqH@bJlDTtC9Q`_A0cU zW*KO$e>HaiN?-UIUP>t0mmY_6S0^yXysEyi-u6XedpSUdYz&@a>y?-MqcfcC5q66+ zBl=2)$3ts|V|=7rgL{4+?03z|jT;@_v3A#Zk+CmzI8#0?Sg9js9?I-Q;4z^9B|7^jH^_Dq$xHZOY(vll!yArXW>4MTOe zaWV)UfIg>UkQrX)1nOgwy`t>#H#pvUo7u^PDl)XO>xEvFx#yrWmpiegW|M+3j8+)o z#<{BUbX9u#k)JEzcM3pD-&O}-&-*@L#?{XD;)bCxG_lm1o>-Dr$)wm_U6kbP%02~*;@(;$JPSyORqZc&Yyj>!8jJLaoUPSX-O z+;}X}hLYOyZS?4yl;HD>XQ({H@h zCZ~h|c$_$gsHL`B%=(qNKwStsh>v>d2lQ~`hE-Axb(Ex@C%32ntTAqV6CAZS|~a%qU~SOlgEmCy 
zF5OIVN5R3Bd<`@BbLdN0UV;e>sqmmZd~Wu-VNH)>&ZGI;y*~lxHycAu%MV{rIqUFV znc#~%TT)nB*Ij~mqOb!s*h_QGl@JjQ-cl(?)Hv|z+}tTUhnh}*m8>M3{FRXS_JtDi zJbeSlJ+ERQ+?WrG!15=5X*xo@6S)-dKx?Dqa(E!WFRsn#`0Rz9vn1ylpO*QtO5s_Fy19weyNFvLQGfmmAKH zoufSU!1wyavvI94mYC=sxc3h_(7LB+_0Bm8`|7dI2T5EBZxhS~AGS66FKWjD)DF&3 zVXpNu=Fk!jJt7VDSDN?d$ZKXgFtq6oa@&5gJrC8qd7;ON^S8_hhd6q8(00jR_x-8^ zF|K*v(1o|3?*EwwKP;h||K>^F3&{1if*i4bPWayB=j8k#L3nn|qVA{K@Oa${;J6UA z>Vz=m@XxDEy^$TP*Zi26u`jCOZT6_mxR4ELc6UYyXYp2>uQzWXCm2HoBi0c38U!h! zE_|^Bf$^}IVM_XcSf6YI*|jn61Y`uv`R~I})oO>7(6p00JP@ke&hhq1A#;VOy15ZW z6^5a|2uJdSgM&8dpuOFuW%$`1 z8u*d>#HX(;#B0NOx!wFsfEh^y!w5Tj?B@l`9VVy4Yhqb`kE0Ly{hjG{dKc!(5h0r9ED;6Rv$bvq zN}_nc{@jmO1CRK^F7t#*KF=9l;)9H(fVljg&_G9Y!fO$yqwBRJaRxKu)m{sNF=E&W z8~j2x2(B*=lVy0teWD>k!@4g)IfSJw<&iI66)}NlpCCb%c!C#YAz^PkO<0^Os!u14 zwY7Bf`+Xr>)!6gIrRYdw@gRY4K$7rbeFC`Zdrdda%IvoJVk9RY?aJ3bo(ZY>j#m9k zm}n&YgK3`HyJd(83aoeMF6~gt+GM=)iQ$Cxw+EDn$fL;b3-y4#W@dy{?>`BvvLa*0 z9juR_Wa}GmiLZGB?H&FqK^sGsApV}~(65?LGaDq9ERp;g-s#xgZBfa&u)rm0xcsdl z<`upy5KKut6})7++qZ@7)-@AUk=fqim=0A+EfZ zuL__OpFhM|m$fxOf(0E6Xq<|6O9`Tr@PW>L33d50MgqG=za0w6-0uDk5p;E)BIE&x z43byFt_pmLy5dIp5(adb{hoG?@q7|M4>gdoA_71%?=imaMcf?mpIbHhxyE|nFI4nu*LSZ?3jj8qZG^38Q9E;l|Yg0hX8vTlP>P%&XNk(yD@B1O#(}1>0 z0nmRws{`%d{2_{;#(CeFbw9(&$+4J2{zR2ULf}}h*KPNIl^xemZ9WUdoln-kD{z?sgr!WLRO1f^86&4fLm28Ij+A zK(&IQgwR!x7O_20v~TuYUfvFXpIJO%FXo+En3y|_WiP*db6HCI6Xohb}N3y&6d{emI#=7>x%uO5Vo20 zcd;Nh4sv+S`YPyKcv_qNTKwVrx{VJ#!Z{tgr5op-WAofuMF-@-uDl}h`Rwj?;*MQn zF|h>Bc9nXoAtX;MTkZ^7SfrR~vff3xX6G~&;?19})p+6`-!_`Me_DAV=YBr9B0e}m zOzgcb}NF4JwMBVIgeD9Ia4t)t0;x_SptweQBX8 z^V9aPuZAr018JRqcZp?<4C^0lA8+Kascj0)0(^FfbCd##o8Zi%-nxX$go7hyYm1HT zfOjcfbe^|dk{}%F$j86T2dz3dm4iEK0YVPid@7r$OE@VWh1xl6Lwx?AC7e`GPU?f8 z?+uxQbZUX6Xp@qg6H7Ouzg0%ampRt7WO|xfq+6CmnZkN_N^5Djb~k@p9xiZHW&7gp zi1!f$!@JAU%YQMnMqR|`-gQeERhzFIG~p=9J}qJDi$P1pEq3OydYX(tLdS8x91*2U zc|jxA0|s$gcULMgl)5Wn-bI-+p#983LxxZyem$;bvYDtb6$7^5o{mjo<#yG$5I)m} z1lRKw==n@(M55t%PoF8{qV098-mgz6#Je4~L%CW}GxKTZZ tN$CJfLRs+c 
z__Em@=>UqS)$D)6R9Kvhm3BlUWPkx=_Svd#S|)c4@7UcUe*)7Y17r5SJgL(3Id(qs zC$d-Az6TgJdgn3Bm2 zhWShbl}9bjXe>yc5>A@A^RYIDD74rnOJYewF+fdlNWywwS!&d@t{! zSB$0k#TjV^tg&a9DlanvaH1;smj7j8E$J$pda=ha11K&OGd<UPvrV4U1Ib9Whyg zrmcrXsO~z+Sm*DJLdtOG1*!lJBW_r)h6!Y&QhT>|XcX-2dE`rUx$a9TOWy$JHmMmW z-k3#x#;%V$@)92+8Z(#T=Z(@RMpubgRW0q0@v&Yj^Z%A}Y^Dc|OCbxE4FisfSv2^| z>2E)i3Ehz}Gwd4_7gY<91X>D7P$JFNmfRVUGw+%yrSx&FY?9rz!n>qcYMTjuBu`Aa zwFUuw+yy_8|A3=&9a06nV^`y2j0yUC63~AkmiPx^w#(ruTya+;!K0j^E~=N#&wO4h zu`1vQqq}Y##}j?mRS=MR(IpD?Zgq>bV~g_lmswJf7iZ2b)==G-rKQH2;3XaDgQ69Z zp4^=5+v^U4TDi+Tz5&;la~}eF`ASt5C~`s&w{f1_Wtuh2|JIk2QKY@dV;3(iQFV8z zGfM^c)u&pdPZ=cHhRTRLw9xhI_R!L?0%&u}xNjh9u;V7DcauRih-ya)P!Lgjjtr{(6LVYr)1;jvmGIPkf5^>k5IjKGz2!#`ak` zBi5VfS{9Ho{G1Ghp`s1>cV%=p8sVc!$dEwED@55c@9x1!H}6`Bm*frBX4v%FQyL@?%*sVU;}dHzqco* z$?4A+bSWuh|J6xU(f=#k(T`r43$b|pyU=_=rm7R9JNj;Va5zT+oXq%KuJmXRgdYa@ za)DmH?2QddlPnH$q`IN^`RLnM=e{b!Fit~R75N9a@Rl4MV3eM7x+y?9aRoCoGV{{-}nj9Jc$U}Rh~p=eAR zKfH=i7z}T|Gd*c_5_RbkgB*OgPUri4?F~{Gm*Q7m1B^Eg#r3BZ`A8MoO}Zh^ej7px z0o0qtJMqm0=qWbNv26zLnLf3S+8jyoN##fv3YJ_c4yG6X)Lhm=xzpkY$p99k^ zNi2QQLoS2gyo0b5uhNgCNc#Bg4d>Ud z9;Ax-tUQ6B=fRCb1WUy8a;+<2MB|K=!Jj;t?Y(66>UVzL|LHbHJjH@4Dy9(sjLw^H zsMirbcI>(>!uJ2+fR7Qzku|aeUl9X@tV5Ruf^{9X>E7~2n@7jREcqMTiRtHU2&@^X zhuMQ<$n~c!84(^TMb)hM@m)? 
zE`m>&5ynD*HRfMaAM~O6a*k)i(12p6%R$(pGy((}oIxl*26{sDZ9m`tLvBg1E{;}f zIEi@=I1VX5ikT@aS)_VWOQ9Z3FEnU;#o?&Zy#FL8lO8$B#yVJ3WW&W^S18@@S)P!c zr65!6LXlHF<%z#f^>PCj@n34<#C`Zh&kK zT4%K&CcNp9s+_m%jJBSnxqNEh^q;VqFV5~K_RlBy9)oR7DvRXGHN+k|YRmK$0DDL`~8T@Ne9b%+UI9HftCrw%krw=m0Vy$827oSZ&fulI<(2huL} zY3I1mXVahNE1;4c*xg_)i9Ij%%4HF{6+h^u*C&dPTBy9a{h2^hG??7a<Jx_4(t1 z0IL{$GyU`gx$*yCF(>kW{jWo#d_Cy#jH_bMwtH2okt67t*}bE6&|YBuL^S@nZ+J;D zy~FK@0?+>J5|O@SjB7~j8-ZHUEluBDfIol%;f+08z~~|T>Qz_oh^}9R4u;B zd;36`LajSUz+Ev`5!FA!ESRX0;(H0vIyKa=o+HBZu28`w+pVY;>fAAAfr}95yM%9f zEe$d59A^iAUS+uL_6j9h*{vYV8fJ6AxOF|4{-{5rYYb_^YQLbH$vi`0n2ix?f@9o1 zVw0T#Kz>sTs^u%@@VSPrCTY`*;G=5~LoP~M_2sG0{V%SRZh6d)<3{dF3LlBdm?-Z5g{Q6FcxIdKWpsIx&IH&^6}Vj3c7qlw&*Bw+(!8G02Sm*Cu#g|2g;r>W|K!>yq92M4|F!~qQV%_ z%C0cH?BYn#?%F%NchR=Qr6npNI6`zY0B40=4RM&{Y$*_IPmVZm%5T(yMMkj3(?U?8Fdi!}Ej!{JpFns*{R_|d1}C|UA>O9|l8&vG z!@Dy$2D`~h;yek50K2K5P36irX|lT)-&v0fZ-QY(2vBd3ZcRIP3k!v5Q34N%HaPCp z==ft{(~NzV-8FECBBtCeZPG~TcV@h(wZG1ly~K$V-zw+2DNVDf8_R0gF`6ros2$XF zMQ_!y_{iW!6kf1Fxv~G7fJgwX^uvS2PN?k7bK<GJ!T3DVd8qW{;CC;K#hpPBjXx5J~VMC56#v72RZA_@n6;E{|i4{rDmGywFG)-zx2L) zH@YQVQ2gJ24K|EaW%^+L?dPq*#+*lFGqX{)35!7Deb8=(TXF?hk^Y3ogpD~bfW&q4 zpnrDhdY&s#g!3N!hOf|#3!;2<{U1p?G*>d?kqu7d&9g78NGoda+U`)XHX{F$N9YTXLMqd6o+Xv4czlzp&GLMO?F=xSI#YGf9wK859DQ@5wk+Qr!AS5 z+xX7~yW?AAF>MsKLFw1R`$tF^)dp_H4fD)IfgbaxuY0X>V;h`zFMO zq~Q;s4zL~TqxtH<<&MH>nQ&+`(H?yf@}Y7@p6a(~Y(R2a;ZA_9VpZihA_W`U&yrKy zC$}h0o@jYt2}L!4_>Uh_v{o7`+!DTJq%4Q3F2CusLT-HEl?iDC6y#Bm$oc4ER#VIb zmLPvDaLGi_KPNDei=p_?_*Tmyeg1MJ85uKCYNS0)n%G zUMrYjHN;XI%C0;PNYNk?GBPnF{jiYa?J5a#421mf zbb4-Cnn(yH!Hs^rvE!CNKZ$`G!E^=`g{x~>F zK9;;gdTMd%Bn$#koRR1#7_aFHz^Ok&5(mDMP%4K+g~}I5&x=;T^~S}+Lo>I%ZhP7i z-cNc*(s%58es)n51|K41`dZskCw0GcivPr4AI?Z6FE_PW`=j#P?O}cM%{6L`esk8W z$o6pG=dF?@bm7wL0=~oJaOANdZy}J z>h3AHH(JA^t|X;R?XPQ2ZFPFH+oHVvnT8E}XE-N10D z?+9IPdVXmBU?YDp*_P_pvXc8VfE)W&87Iu}`)pKc4gay?Q3uqlXUt-MqhlPX!7mcE zd$7Cnc`!w?1!(YqtLC+VRNCQ5xEs@SYA62Wo#Oh>0x#6_uEDmJQd)*w&W-XnRj2C^ zW$-9c?&AXsmT1z7%em31K@r)f=)Dt(#*3H_1YD?UIQB#Ht%vd_Uj+FHk2%bpMeroD 
z1A<1^bzl4m*)y{pJU}M)K{FeB&x#Gxo*$=WKT-ck8*Q?lF;M=lyY$-eK`qUM0JlVT zN>?Aywqi!GfInx~vKJP<$n@mA%=M#d6e0W%1I;L{4NB)U?mLBmmQ125N=Ri|#A}R(mT z#R0n9ufyR~Uw^NL)=fqycgMT%mtg{hzTB#796H83S@4`CGw(fyCF%bDq43+*<9krg z0~JRTp_FPsKf30uL{QD@naolF2WiSoJ0jfTZ!!>dCY6jV2DCg&gV_idQL=WlCr5hX zW22}Tcv1(SL^P9!TCBQU_ma0S!%LqVP^*iIdovFfV9vEXI2aBFW4hv>ihTD{+Bw;| zRh()gre?@ldBdk)6uQP@l~B3Vaxi5rESM(lt87RYqZ?P)merJ1k}$e38%s8;i;asT zz$5Ea&^)?LLV}o}#ngCJ>>^R|p&3;J*DLFm(G!v)8YZ7(r{y1uQ?4HuPwx%E7p%iO zR6{K$);icVx3B;lO%fwp@}~y;d>fTm*e#BXQl;(h%Ws?zCydsZ7-uYD6O7GSpz+aT z9LEbp_^mhET{WRNRn}COwy~#c22r1Wq(QY6_#E7@`2f$_+ZcSJMz47nvuKn$)?39g z>Mk>niz*2!wV(q>M^V$4C$(WR(-f09s8WB+4AopoP0CCXvzMT;g!mO{u(&ZV&|*z2 z$~0aid^n;NrG`7q=2x0ViX3R-Q1|nr<5XGD&yPy4#m<|bu;7l>uR}!foX;Xr^y+qo zOResK8PY`Gj~sye^t=P{`)o&UqIU=vF=Rdqt+h_U%TZ@xp%1%fXTOdX`+ln&WvExm zp(7V**N&P%Us0@wgUP?dpxq}~2ZsAr$+sK`;=?5Wh{WP`9EqRX+LroNNL0e(rtkPn z=yo&G1u_0DnJ)uWB0UQa{}jP@%nm*dw{sS`?On7!83LkBmA6azi6imTeI53d$u~X?*S>^)}S=soDkhx?wO@!`i>uBUQ)o zC2DF)MV+Xny&lebUGh3L-n5`UUT$rycm1T6g`vZ)a_JIIR6I$$IyYjq?Y4~+ZcpMh zeoWwgRsqg)hfF6as0%yr1w3FN+@G5)E=wBRfeJfC!V{tezcmLi`g)KKF0+RnUyd9U zK}&{Tx0i0vgF1WN1Nvlb1c89-c|#!Bc4oM}=&YJ-9u#H{d9ZG^5(ImY9N3zOfRsPM z(T_pbW^2udba)0y*7(>z3&}DReYKmPu3Kxs4cU?&^Ej;cyD1Ub z-}*x*J(sf1JEJNAyXQGtXVq&tuQ|M}@oh2w(d{0UqFR6a9xAg7eE2fk{}1;B4U9zv zHC z43n7D`W+mHi=Fjs^x*9ViHLr)By?gQ2-a@1=N~-#XVz7g(iiZ*Vy^82@cqSM%WH>Q zFe~VPrAzYpi_dBI`&vR7;H3 zQ1JnC%&+;wg!}HVJMNr#mLi&suvpT-!8#)G;m}TJk83QEZ?4GcUq$0;9$-)EX&2_| zN9p3?%ih#qRO%1TTGQohNi0fw6Mg4x_Sz2-KVHE&IkeDvuKt>q!v1uZ?R~AG577^+ zL=pt~zCV%(ZYmz-t1lX3jqiMMYCdJGk^lvVujLEtj;{Y+N^;Uc8pSIf=IJ)#fIRBZfJ==LZB9d zY$b?uMIA8)L9t;}Rx4$*cM=5g2t%2CVwOg^(Ky--vfEh^(t0IoU7%<3XKe|c@663pLMO&6@kjuTGC$U&ly_J7fD-`-z9V?c-w2g z?@wSbKyk`$WiHB?WC%`8S8;2T@TsI?sk@^ql1 zYnm-pZ)ESQgh>YJu)`&j)C|uvAJOlIy2k#Z^Wy@^36q3xADBN2g*_3V}>p#Se<=W?e-osrs^rxOys0?SBL+yNnO~RQq!Et?YB06xbCnq1V=SK zX!yMhIG*F67pQB;jGK4v5frbs8wF{8AHn{cO9Lmz%FmD4(VY&pW5ed=-jkJ4De1jB#+y$rsi$U#yW?t=t6NaZ{xXXb|jE^fCYXe6Rf`^V4{ZIAX%I7>wf6(Kn@_ 
zX(+88SKitMk2p9@e@tN;Km0nvz2m2%6tf}2)E7I+HA9s%(TT)rBREEo^vM~uXbim$&;^02aS&p8VEN}#VZG}B9zh2&E$3`y z(tx;BCy`Bx&FPr5!a~y)f18dAgNZWi0i1aJzbXxux09PW@itP`%p)tdNR0O#`f%gc zJf3%Tki}OLoS5mN>d#|O&FBvg1=~=Vkh>q2JkL2lF~DG}H;lRb zXXUvA?IKXLS{pD@Z4j%*Ph(3nd`?V9U+qq=)eyWWYC+=#>YX)-J8=f)88 zq}KbmrgU2&XO2tOZ{Dd4vl)$)(9q1}?Le%v=sO?b`mAeCVYSjbq!*7Y1D_?|eM9dA z_0&Bt!R#Hc-uUS45Keoab+OZXjjEk@Q*OHYt42N|_qSq=uP-c1X0Dr5-od74+ir&F zbcoT2+$oZXj}v3N>oY#yTM`agk`<`k0BU$(vedGYl9;VE@^C}v?jBlF+B!1=Vq030 zHdn)}rJN<=f!~g z$zmGOc=9v0q1dD0t&<@x?!gMaIjI#yQ#NiD_Y!7(o?0sq8spsta{(VC)Q5Hq0o4}% zV$(AI%7dw$OD0Q0e%wK_n46o4I4dbqB?{ zI%KdD&aLbvfdxh*t`v4;pG`+YYzh)yqD;_^Cp!jJtMzA5qRI zh7A06r=Mo;T2i8KzBW6o3qni(<8MZsUn4kfdCz7xGMAi%HTgpiY9K1dFeY{`O*cE21gflSXd5NxEY~K-DH4T@fG1Tb`ief&A-_>D< z`e8vc;W9LIK=P{&j}hr28zYwSA9^+&fit$B!RSUbH7@wc|Go&g_VRTeaB7ow#2IVC z4diXXNm+d5URII*jwO#|>a|L2akA|Cuw6~Fc!tO*@@=H>gyi8F4ii63T1}ruhxa9m z+6of-ft{UmUG6OwwWsR_&yG?Vi_d|I4oRq$l}X&I92h(y2LIWhRArG3>NxO+=*)raL1j6FtUa^GmAv(qS~+^=jYLN5)G0SnJlX9IelK``VqMSJ+iembF343?gQiV> zb0@p(qO5Er*$~V}HfkLFzzAtxRBAcEa+@NoHWXa#edk&UcK!Rcl7KFLaKMMP8-4TF z;v$kDt?^)V*BrZYpfneYl}FQUkKmE=P=#LeWv@$yuy4HU;#M9bUcJkbVD$Npqk^Q9 z3y3^s&`7!f*^QFR@{`N!u!zU`#?VePixdvmfy&hS(eNSxmSFEj0FiEEeq zpG$o-##rCcn*wCRVYSVlw%g;}Y@6J!?wLko-nhz;lk@9?k;mEk5GD~` zQFOMooyyqBG)r5w`N0nj-hWfpW(FzM{~u5P7+6`;v<<_PnM^RTo$T1QZQIGj){dQt zZF6GVp4hf++sV7n>$$)0&#FJGtF=~lb@g#n;aQT9Z~r2HyfS?1apVwDo#oSzuDGMD z3QlIUMm_kYID>gL-g>r^2%Yk}Uj#(|0o|a1gpE z5}Qo=dy7|3P~aI!M=b@)-mcV(r z;sFJRyA~Nnt5=5N{^a&n_t-RgLmdlc=tg_H-5PP}i0yY)LBzajhQ5<5S4Vjq{PGUCx$2F&ef`3g+C7yeDuG18sHFxcm_H&w93_k4}hCob@5 zj~HI}iq3C-aA#@U^(B&I&ow#lJn486slfjbbeCCW<6Dl3xFr~{Ql+m6Bvs* zL~^%e`ipEWhlN4bLVde&qxqtfF{AfV#gy-PI{?8KQ|5FJRmSA#;`9D(994!X=a`-R z>mulx_P$&(Bskp@GW8~<^%(=pek3W(^&1tvtq1&@tcH8FeYSr^@4U)h|`x$DO z04Yy7&V=+P3tnZ?l$x3CD)sHUGZycmT1o&kGLWF0=}$pAcn(-6;}M7b+4Ti%8pX@A z7oY~<{#O`vE9)cG&u(xp=TD5^f9(Qwxx9}za&D)ecYz&L_(zX8NY9S=zyHL4>i&E9 zU_C>HBJjOK{ZIVAV%vT6KM25XdO`@m{uBTArq{E{HZcICl=y$*e-(fp-LPKZ{UANy 
z{}cbGcqiq5ZRm^f`~NlNzt`WHu8|P`%l!U7@qbMS(TCvse(M>e;8r-xeZWrOOnO1)r{ZoO(KQ=wwr#yEC5FGOi=b zOL#$3b>8Kix@AH9Ae*sh-yb`|hdFKHo9BX|(dZy(LeEp^wsAy@g6 z?yf_*c)$8GlGNr}Iq{xt&%d*8?tILxR+)ZjI3-NQe+H;o$Fw+D!(y3jQ!vH4eAyvwaN|%An`6 z3845LQy%sfVt2i*N$hds>115@;lRH4Ia0Iv`6yh@`i1|@3N2x4OBWCj0E>V?ZScR( z=(=aX$=Xpjg5_zKBp@GDQE&aa$;}sQ4mW3PdBHM$TJ3_B|38FF5K|N zFwNpV7~ua*M7P!?K;g3+Wo=+n*M-0^MhiCnh;k3dHU*>)vUxb8Y!x+)DelS5ug{fx)|R!&z%E}09>jr@WKXx-sR>k+nPQ)nl~h&bN+10@ zNCR;7rM_yJS0rtfohWExp4t>{doa{$YVNb&=hddpSOha@p2JEr?bZH0wJvHZOQ+f? z(lr^pe5C4k34ku|%BiX{Eu*5gI94(Oj@s?re6SBx3kr}F45J~oPW&V1y9ty3q#%0u zS-ucHV*FZ62pvfRxVX3o&ryEJ?dI7JT<0iy|NMC7wA~skaFZD%;YKmFYk%w9&2s7( zRB`czllkR1di8~AH}q88o`Y@op7HudK%lhg_&qPL>J}P7xtx(>Kl1iDvXe$52F82N zktmwh;MFXL$#Fof%CzCPa}3k`y1?r}rw;7q!1#hEv==C8j000{nC!Cd<}WkF#&{fz zzCBxv!%eD7eXWTleYvBvmoZMa_DI5Z$aXpD$AN&r0bJwBa8_JN3$&Z-LHXAm1}uum zh<*39Z)}1RvE^`iyOe8v>kuCL{WWGi)}~%JX!UH6w=KdkeHR=42c!VH%wRpHA4@e( zlTLhJr&f;}6osnf>k+p#a7p%0%T(x7h+AFn@x%^|#sj!U8|=P20Wtgs`DjaS3c8a4 zCE&m@Z4uneV;rW|raf&_-_M^pzMs%%QzVMZbfGDsdPbJtN7&(OyuU2@GT5S8+pFT$ z3eo!q+PUsFn4X{fXrw`FT9~}oZUO;$H#k__vki18X3mBS?5Q9G1S|&+up@hP6Nf^o zK%#t}TTDE-7N-&R-m(Vvi)Ub#`CMRYOU%jw&Cg6e)t+(Y`u>IHoz&|ZFK{` zT8=S@pC2Fi6maiZX4eg_qtW2))XX+hQ6T=l#u>WFMss_$q~0sO0Y5HG^=jNYx^?B1 zgDl0z%}~l^9(OQ3E7!bAbe~Ik{wXpHLQFd`{H}?TPyKom9QE{u5MlF@wSkyfdUUw( zVT{7Fq}e;X?12C(8$!_@_ZhS0UzF^ai1AFdg)lZ9IzId(V%sPcGppOhY+{~%kM|@D zV+n^~+{MakCQZ7|V9gU&R7`LPfRX2(!IU``DJ&fcC28ylHz`SJ*{j#U%oJ}P3|%s@i-iNDWd(pq5SsmqO7u7%|}cpVU*hc%zUfh*C@Mn>0{Xmc?%ba$PsypBew0?(@#}dn=GWvJ)3R{p^xW`RU|>S z#H+}pZ2r-vdQ)!u_z7rkTjQeaB$z1tcjOcS{A2_-p5GH$N|f%8GZ{y^$!d0^ZU11l za1L+z9DnAz-{67Slv7aSH3c!hSEk?KDSiEfk8LZmg8K1w2g)`Gc`O*AgSiIV#-S_Y>RcDH|Cdzb-yH}-rj1OH;Lc%7=Nr{UvA0#&8rB0jCNVo$~Yc| z+cot-NxyCHC&8Gl0(LE6iiL!n$jPeimgD`10bQkEb7ZG9&&CoCi_2lzsLcRO*2P50 zOGn5~1lf|Z=vHTmLfvCUvrJS@+=kLG6K*L&-sxIb@8woMqyDo&{`-w@_YOXY0l=TX z1AF2_)_Lp0(S|;5q-_Kv{Sy*ZtE(8mZh}5Ri2a;ZNnnKX$_~RW)*xk~8|O^Pat3Pf z(#C!_`SsvrKl_~ktt$dOVTt*-tby=_l3c1!a7T=D;xe6pG1~Js-Q_G>q~vE$s;^C^ 
zi~@#kBR;O(UJb_xT}a!wrQD}e5#?1J*DpD~j*p9|_N8vL@3XS6Y5Cwm#WU8ZCm`N` zH^AS!yvd&AlGIzs7dvC$<-6Ux+nP=fw`ui-9FsDG?Ipg;4sH&K&)FM?UVBPxcjJU{ z2;T1-Q9&(Op&=aXg8FO9)&PIE@S1LvVuxnCw5YwPEjyp~ESF5+gC&*g)pE|ir#0_x zz`+MO0O%QOe(zEr-e%?+)`mM6fe-V6Hj=6N$my6&V=$8^N~6UQ!+G|&oiY=gTNoC3 zOc5UB8KYE^$Ls(*t>_gqy)OpAeddm7pGB3yBa$uuZxw4?yDc>+0v*QpklA+tyJ>@F zsAT4rg(DWXU04(Q!}fiUItoAtp~`Q9K<7YG(-;%Qov;@fynvc? zKw1Di=DNjGA0;+#O|c+Fb(Y@(!mn0oX5?sY`SLI61qizkag4l0DrmqEg3)^5p9wOA z-^2v=w>K6R3fBR5$^Zo4*M88RJ2DkVKm@q;3Q;Q;tzMFU@&4Y82Zm&nY38?^2)?^# z3#4ZRC4*NsfBbv@1&nk~S8nEwJO9qWl%-jsnq@y({udHxC8;aAXPk!4X)ng4A#)#>X* z%f1@HPRvklVP{o(`0Xz$%Qi(T&k_%(I901jl#GY)M?&sCV*KC-U6v(Ps++{e`@M2v z+gvN>(s|I_=2|!i1dg57e2~P_fbbhT`OrlM2$Q@zS~C`|7#mgvhW2B^gvj^Q;)HG6 zs~8sd$3nr+^WUycSlA)1FdxG;%CQhH-hl?~>5sqSx`{H=gYjkPc3hVKXcEuT-*>XP zGg}EW)6!yB&S2n7shIUj{J(N>is#o zgihrrUR-uRGwk+rnYvfHXoqmK62|J|svQ!K)T-@KBH_3G!b zno~rtkFVbOSZ8$mvo67$oLg?YKdYfne#W0LcNt8cfMY}22+h>be(*%f)_3jHTj<{| zfJhc@$RnErb1&UrcT?{l^)JsRPBXpf9oFmc1 z>9)IHP(DAOR%kY`gj;7$bb}O612PlUloPyyA0pTglUIbU{NOW$_;~X8O3Wvtes4uq zKLcN359xTtgeDNtg~_M-*y>*I-Cf4BC&m|WUR-)afh=sfp78l+ZqZ+Z#3cJEv2Mm- z2CZ2dfws93jm!xaiKR+OWRci&>g%q2*=7aFN- zNf~INVkk=`+Br9}vNXBmI!5LpWo_mUOXxxSc7XSv(ZF?@hPiEMVpY} z)WA(eLpU~4_iCHRDR@LPHz`=FaE%wF@vzL3vTv_)I0Y(Ar`~G0O|Cv?%luINHgn(r ze{qdc3)*MOe3JpgngVZE&jh4qM+w&N;aNecW1H;crr%5Gh~9*ep>OUg^U`18?)E2K zPxaK`nppXY6gj0qd3VU}JEVZAkqO%TI*|8ill^;qdU{z0JrSgXd)5JhfniNdLN-=+7}jI4ery)LR+Qh}oB|erVn^#vY}AJy ztn%X?0oufH{rrg@n532H?Fwl*WB1tyOk|F9;pMeNp=<6?*&hnMAOBNT44KsP=gc!R ziVN=EseC$J_g!P_ixbJ&&^)$>udiyn`gV(?fag>{7zux$lxc!Zcb! 
zQEYoNv3=VyBHb$W_bN}B^c8%kdE!y`J5gA$Tyg&2zXI-idp!Y=4Gj$x-qR{1`^|)a zP3Yml2E<-ENCgIx(_D~Sub1ADsWiwSCS$T=O^351B%_)O6BpH4!fudi@T2Ky2Ap73 z#JUwbzcD3TJT7yUcF;|i*CNhr8CjDWRfaJ-W%Fn??pqyIxkP7Owzm)xJvIH_N`Skrh;Fh zU(QNWYgm})#oX+XaBsry3dN=+0KcF+b_cH9z$!x8D9WQ{f=nTwlwrsluqoS|-G4U#rSiA_R1OJQF~s6YU6R60fwu%{>$K)r zZ=`{Sr$fi5elGMXUU@@jeqPa99S%poJ9!V|zJIoue;b=Jgu$M>uc@I+kC+j%4Gk{Un>bf+^@2q6R2YE-Gd0Og+l;9n_!X+>TVh;fDJJ zY1OD`-r#i>lH}-*n&rrvy%x`DG@MYBPT)u4`IC~9DN(+=%L)Yg=I4`nXyZHX?HaY= z+V=Q&X7yYvP`BourQRg{ULeZUjOZfG>kk*LF5Wh!p+6YyxAN_X)$Y?N0s~e}m|ZUA zFn-+8r?L9dyOxQNpC|vQ`(dO@1c@=ZBaPHO)%6}sKgpA)O2O2ZWw9<-E@p)~t_#Z} zigc#IcBIVrArttug6&_gEjq*>Jf}1{QAwTlRV(pzl;e1BkA9Xf4c0U00ddHO#`@Ll+UN8Sp0H>IvTI|4h|#M@I%eHs;Bo6sy9wPT)a|KRt%)3o9`tBh{+UzwSa!6SZ7J)YW z;vOM*Pc=WrrehW2H%Z}?_DQr6rurW1=J^q#7XBEOMC}GTj%VGF=6JvUWInpu7E{at zunMzmZ1hxML57~O80GAzt#jpj0HZ|p@pfGzAl_P9hl&a*?4e;E!4<3P3|*JIg(>!v z%XfDTgWQHIc~@3eMnxpW#fMzarQXTFMIslBs>qb+-yH1iXo4fPD}IXw0ga}{ppwj>mo1a_r7h4R#9fpU>OSLRXihR?NM&F#)AX5mkSP0Xm2W>88# z9C<0B1WyVHseQ@wJ@3PaHm84{6nk}=^Zw!V9<69s@hK(&0D16dm^EA@5{hR}=F2Ul zIVa<5h*%)t=!u)^nY)sG>LF7aWA+1bZf6>%o>h+V^kp!-FOQf(e#6+u{Qzs&kplTH zQ8MUmi3lERn~HFQ5Q(=4Hr{MT>Q+Is7Tx(CKS!^(l*+gkZ^*E5>w*tWhH}vjpH*X( z)71Pk#^UI}IEDG3B8I?#KMteK?9JM;vI6_RhV9pc{q5Gt+Bq^JwH?-F?fPj(h4r8q z@~CzP4*>p3RusO-65EY{I?sI^JJ5+5(&6M5g-aA%Y%K>72NdZvO*fKbg5^L2_`YT# zr2iV&{q9az9#b@DV|6IH&IPl46cWI@Z_Il?;kUiq1$npEtU+Ys4cR)bL)7?s@xG@Fd+V#bDiI z2)V||mp_4roDs=Uxaa>8@ zOVx|G<3)EmmRGLXfHvf4IPt3qoF}iQDuXb>RebX7^*vi))YAt-goUlWBh6C5ecVQX zHBfI8ijXS$ovwPfF@t5axu*wgUW-ux7G`$GB?4aUQuDpa*R~m@e1wq6xULl^MUFU_cRN-IPt3H_f+sH2KWT*M$6tT+`nYru4_q}w07?*u-MkHW5SZX>tqOZ z&|ig}21rd}7Y|1E3N=RUuGDEdCbg#xC6Ew_b{-My^2Zkn=TfsrSIIUV;=Wjeg1J($o*nUU7jzQCK2Up;|5{8bu0B zO9(BP&<z=(6_Hw@I%z&higiMHUWCG&SXT_oN4AcE?K(zA}BX7JdCp4;D@zYfiU7 zxU)Wy^l{~sd_ZZi`VI|;M^5k`0%?H)sNLTTziZorZdq(uf+*B0u*Wq-w?1^OW(zVZ z>Oa?|O8p#ONv z0q@rqcq)zsNe310xC8Twio{k9HMO)xV*yg$-rnK6gwBzlpPyG1{_p7EB2?{@$wS~5 z=|f*1Ye(bHhgMymrVw*quj=U59P%C}yqb(l93B^xA9*hClC`$;QPnG 
zAi-`r;^of1>14&0bynRM8T~#N?3?BL9jfnZt}!`Z0sxGgVNGndUu1kWLzw!S#kO}* z;;bIew>C3s2LL2#gURsp2fFLh6MgYx>>z*WCfXfHCL~L-RA22Y&(2)fb1JPgXU}RJ zK9jAFNqgW;dkF0HDEtVnv_Lr6NcvyI3ST{tmUCUj$;(FM*wQetCr!CNeF+Hu@eR4zxe08&9*& zjGWt-JL#;Pj7MOmi9bz!$;dY}wGD$DBBDujpMrWxhZ$u{RspeAoCTom4T%L%T1IAU zbaXZ+?U4gC*cB06#$iC-pZl=v;7A>T5XEs&Sje&Nua=;I5En(k#g#F({ytzs%QnKl z*WX?G92SPUXEO4ET)Vr{HT-&nBi6Fw`EM~lA_|NHL&P*|^B}Gm`Lo~$1kcVPHnuKx zGAm$z4QJ=Ez|s@4m@nI`FczW@m>GzgJ%FHDTC$!>to^fbe#|^Gb<)m2H zOnPV};StKYmN7E8>pvGiHdbf+;uwoO=gdn|U+!xx0q@r(-roT2w}{|#wLG_b;%aor zn2m@s&Ug0VyD`KurPJP`{&hGJ-aXq|ze3?MAPOBTfdmmY_n46XPPR=h4)byWKi?%=fV2P-rZ92x*I6_N<6w+?c1=y1j);QRHdiY+{ z^@ZJ{yA~Efe#Yda7TJOzsonn&wY^?I-%q`ZkK7k7CF*N#FjSg!<4f9A{XAn?SJj3_ zJX|6(U+=_bJ=mTlDi4he+?932csZudu5z%{aBK3;a~Zno3!-qh2x+vCR7`iI5P?vf z3+(iv>+g@DFT?X_6THxPoS==Nuaad}bDTA%Po)f9RV0}HwDkr2UVZcAZPuer#iQ0> zBi&O7%zQ)lU=u)=bbvG_P9FXaGOcAXYoY4kHh2wID2l>dOC{=AEGL_Ue+sSfL9Ap% z0(beqDQAs6H0@sm+h|iYjAJ>sz9w427Q4DS<^|2cos(AXX>HMe=X%FP3h4kABxKtF zal-`#1v3lp9JkHbs6E=f#-yy{Dy8I+Y~`(#<#6?)1`6pT@i9z3S;B8&N!8_0 zB-Jr-(@=A=sd{w4b3C+dcfopVMD}KVbB_* zt&5ZI+u*#@-Q&_V3F|p^Bm%nIzpaCxoShj{&a-uUA>_o1=5cn6DNuuWir|G~w@U|P zCA1u2sW&>_b3Ie2_1|A7U_2a3WFs$0Dl3D7%lwsknFkuntX(t>es!`E;zWms-BqKq zwGYV}n(|gNaM0P`F|gBBK;CxSx{Z!1l3Qi&4sqTsv1hk@6%v@Xa*HZjSt28Y;3CB& zJ002A2>6C5qFM0c`XEt2*d)ztK)c2 zqX^2Z>zc~Mh1(eg6w3%AG8TI_&{{ZUh; z;-KIKkgC{^6^uKLlYE~nwzlL!?x_E0_2S^h%wuLMH0QHAm9z7MCULq5oWG|@tb)--0k|2 zx1uLX|6msLT=7BOxg(T%3!=F|sBtg-M-OU(N9yjbQGb6wTO;81dZWyhwr`-5ZiDAP zqVqajvda-vOA9?eha zCMa3SLk|v23#3drV=WmBKIehx&a%2Er5#+^MP$1iVjVNT>h7|~qs1ZX1XgoQEPq8$TV0-|rEf{j*G-IzQp#b{%i5D{O8)HM z+NQYs9(zz)l2AD2!h#E#>N*w8@-sCAMxf%-ti&7tBx9YA|5Rr0JNx()HP3j1cd>BREeU&k4_?gFR9>@P#df421WjD9S4GFPF66w8?OD{Q6m;&kw58h6FL{D0?>XZdYYgl^Vme z+;_il3aFP882RTYe;G#tm4>s{GN+WrMPgn~k$e931dcX-nh>3Dj;zwhMeQOgF_iA1 zzHDdO{uued!s7nDJ|N9@AUt*^$&Zx(5i)aqVsj-mx3F-Smq#e{0;HpPf^^FK1ss4% z)`2=XKQl744f1)!spNfQ9J=W&QvP4?dgbJr=l=*`FKn-Cm{FMt6E^PIcdX$NXKSlO zR~K6v!u(03t|kNtn-_3P8Q$2;1Qmbzv~RhiE?;^X8g66;g;_^351XwE(+3=Ye_|jAP|DQuT 
zM#hEJRY^a;58m<%5!1E*Loy}1{%xb6%t?%yoI{I;Tb`Z#q83OiDinu0#?m^g{Xxo* zcrlJ8zVZY~wPRve5nVAUiiUmMI2scTO!I6^XSNwKYsxvTO{Fe?t)ik0#{ zd(FVGUzk^xoT0Wbl%fvEmh9{b^sS4UTqH|cU@bp8E$ucBfDAo5e49JC7GWQtj$1u) zS3}>pEeP&QcB}b@{WMUXV_ZAk+K_5HUOU7il zh*P{qNU*(0NvPs5e@&`ysq1Gf#a43dkA*ll<^$?ICehi>%Ctrzef&ea()Z{@@WWmJ(>L;7~ z5pmnJH+|fDkUY`RW**x>`scz`2WtD3v)%0+?%1AhPf9Wt0Lz;dt!BrNGcwzk293>s zxNz4BszWETtb^C$RC64*kEW|Db$k7wE9)%!edA*TY4+r5|J}K0v^hO7cp%7mzK6nU z{jQX488Ld6A;!~4)4YftI-z{3zvI|HYL3=@{zrO`4yB1jW@1qo2-v6f^?jgOx!N2a zolcPHbu4yux_fSF+xI29_^p3Uy1pH{8AyHv<;?7NA|f=?_3Z&9?#@XIkQA_nK+B^L{&m?Rk+S`ZNvZ)34AG&#=P( z89}>3Z1Vn(sCBBUj?ptTVDulSH?=(MAbnx zX;=JAedK!DoW+ZU*_6=HH&9zVsYKq{KoIgWw+)Am>A%S#TjF9AbXF&^x!@yhDG$az zKueMfveZo-y3UaP--^ZHH;C^S&GRR}21_*i)n0Z@-_+atRT;kvT(|JBiU=#@YiMK{ zo183dYskk;J!y;2?UFxODStR6S|46k>^h2AsZA1jK)Ty%WHn^JoMB0wxMxsdYZf!kiU6B*8neViK8b$jylFWnz(7oyC5{O%Hrd2`XmSvxh%1Y zgKW|9(80_fIWw)R3v4VSw>Lh1^)a#Pxe-Jige)CnHTR0h{oYp_ol3o*n;W7-%J@MsdjxaY>7*>tuzU3PX z)A-~}T^hmpV8{eFUco2 zezp2GMN3QfAa?USlFmGeXDAf{R6ZHSek!!o$uXz8N(9Ky@#(CK)&pe}l8Ewu?#YhL zrcV@a@?IxQ6Zzn`kgL*O=^cKIM*?seyqAI z(3-h)eY<_wx^9!ko-$pPYM)&E?36t&c{fRhvXHwGXS(PnlMKn2U?*GX5Y>h`enLD= zM$!HXF|2o&+#wx2D4YPs=G;Wj$N6g;u}0HVWwRA9%!E4Z#Qk1V{{KGYUOVLl59&K8u~8Wq7?c$i z1)ZF3(p4YP?d7f!h#|pk_)5D7E zBHJ2S@9QyS@e0;2i)Y-F>Mo;xf9k(F9~(*pC@zF*^8cf#G?5ovY)!TEcJYImu`O~q zTs>iTZX^8@V}KFKJ)`Mu$MLk5gKK2#nzgi$9@iC0a5d@^^oqM2uA`I!7-z^6#R1yJO`xSxYFR9B&@`dac#> zuN(pR1_H=I6=zm5k)&)zIn;8`B-QBbqEOs-Y}fY`u12lBf<9T$9mm9fvs5Mh0|Bvd z!=NHvYfi8y;LCqG1*ksG`tIO9PVof$UoSW5=g=LA%A0(o%L-OqwMP(yavu z(WH2R&wYWT-nZ+|PR3J#7s{^?#-3;41&yvLxs%_<2`ejdriO0W-BV6^#oCTTG|^t| zxc^qyDoJ1^bqZlygLE?evB8~x8FteWsH}Xu;O~}^T)>#99qKkl$)epoH8E&_oc)Lz zi%Azl3cBrA;->0G?HvP?M36o6Q%ZBlN?k4HUHeX)?}@j(gEMO*2Go`{PJo;yzss_C zF>^AgUjFu-``?Fm;Z(l0Lw4$ouy2izVtakCa1&uO!AZPcceN#qWJMfKPNk+VJh-!K zom6NoSRVOr*-N4kiU3WY6vP$(*V^_gjcRWFJ3Z5GW*n1V47fKBQKF`Yf~hg6kF9Rm zsT%9`+CoOGiPA@i6uGD)W*MajT=!30*BV;(M@l#U4g@wc#&Man5Bx*K)WR$~%m>R* 
zuSYsO*%zoaf*QcoA<6awKGhM=m@_b5=8zX90SIO*v(>(*+dsYx=l2q~=~QlNe7R!4 zK@E~<#05OJnHVrpzrK;qafw`|6Y%7J4 z-!X>}w;mm>f;oezCkYKAn3Gh&FN3!|LRiDC+|!s(phFU##i}l$g||_xotzJ!=+<6% zc{KD`b#&I_kAXyDdpwXPqaL}?R6EeRHB*#VBByXY4mN_bCv^c&@aJlNXnZYi-;!Jt z#q<8(1i?0fcJ})oi2)ejXbLZ}>+g)hvb}zkyr&q)p12l+#Mbqed%X^Vo1Fu`G&`DL`nvS1$b`lTkYPL`|FpJ13Fp`fTZBR(x0!T|L269|GDsU{BRw=nslQ($s!WRyIcr{H>11*6}#Xi&$q&y0Y zI{b9Lbq3XSW2Nq%m(9N}1>2=HiXgX#f)~a4_LMBY2TzPhUY-adfPy2j%o0;mh4kFe zN|3*gUS>(ux5^qEL!f`RQ%yZeQk(C~5e^F0j$&mUv&J#iXYH@h#630hbk3{})-&%6 z%OE-_XfMdAijlSUDOp9~yOu<$t?w}sFX0?iY@N_`Kp)aNEh#Av2>Zo2uXt|~PxG52KK2YXSf-c^Q##1Iabo?1!zKo_6Poi(6u}Pgy2s2vO zIH;KQ&H2YtP(ayQ=5-O9K=@=8fphlADpzb_yedIe>Yh2K*nSAkVDZ{6(Z>Fm=f)7K z`J)RRx;4(uY@5GW%4Cy<3dtEeDQoneg-X>0?6+nfQM0xm$Je-bY=u#Qp_lvFH_ap) zbOc*W|dN7ij2 z2M10>Evuqvp7V^g2&LW5A*E@P9Dl&xKPS98?jGy_Zv?fv8vp3->YVsF}JWm0Wp z7!SER(t0yNM@597`wsX6pl8~t_eV`cFm81tV=uGpd@{xsZd^MP&5is}vU@C~tn#AD z7S6@lYSi_xL4~=}2M)`}rM~@Gd~6lZLAT&J?RFbAAy8Krm{b4%aP^j9ZAMMkXs`ms zo#O6N+@(c}OAEy*?(PqNzvdb?gV%DAmQYB-t)cRxz3;bORhWnp1t?X znzhzUP$F20DfMqVowz@cX`j)?>kw?jCD@ZnHDvU+ORv``uo;Niqkdl9g2SRpaZh65 zT%`KcN+Wwa{H-{zR4m3+6W@ZgC!PmV$c_01IoUs5 z6UCq|9$YR~*jOb-OP6!wqO_q~`D@RpBkz(uRU&jnanG39LE8%Bn}k?5^ecf*8lf1B z0^Esid&@yj8C0k80BPDr|D=fzTO3i+@%ZkNojdXKB2~5c9ysmCM6nEzX*d; zI=U^GXlvVsfpA%Mh3N%NfcS=q)Tp7ExTzirb z1(6`R^prAH#QE|ku;CebsR`KU~o~elUk?XD81feTI=)Mh{GQ1@qoM40VKjg)6L#UO;O+hKZ`JOw&?|(5#V4Iro&a6 zi(oANEr}AjU!O)71%KPPn~4r215N-RjxjH0iI9n_bdH`;Te2MJa~gN}d`+sA?B}V8fklSYuezT1y{+BIDezgM1Pk;!^*nI`N#xNxT2 zKC`{yVg@Gm0+)f400YM($7~yF&0Ku{^qIG#{{Z2HxyF!Jx)_F-m+V4RYK5P{NZ(3NoIx^}XhhCNkKWGt)HCh z8zfYfOhq+(YduXG_l!hvE;#eeb-Vhk0tIdKrPt%Ivf6^TqPnkx?5sRsxcu0rGdEd zY>;SOr<+Eop44?bb&SgEa)eJ4?DRGNdz}O0j8Yq=>n}T{=q%GxE&X=>7_W+XJN%BM zlbn#FvDLm?D-5h1vfZS-GVby#9KAceSXe}FIr1S^cm2b5DALOl^>y5PuKZWDH>5)UQS(d^o<&T0PeP+_gV*S?^Aph~^=Z29r+7ntvpB}M5%wQ7cp3*f zBxIOW(T(?U@ieC9(<{H*OJ%8!O1lZ$FHN4UE5__#T&7KfNbfaZCHXrXy$hwgz*P4H z+e;C;2*0TuC+cU5TT}NB%Mm__DmKeL8Diw4i&x=$<+TSZ3A`vC3Lm>-rjfiT4sxKK 
zRrM!DDD|r2b%xRx4EP%zZ`N@v)ioTI$L`9WC!KZx*ypyy=jAO+q|+2Ic0QuZIeuUTo@OS)uvj``KEx~d9ep_tNEV5G@_a7i0!eutH+$2?&yjNb`#A0ffB z7+=E?Q6N?nQW^&$rxWoR91;$RR`p}n9TCb!=DLWl{UXb!P?G|PYcXc0FjDIJoDh|Q zVwxl68Ou@ebY5eX)#5zRd!GH(0Z%*NV8Rh8I$pmN(k&zfl1wrjYk+1x_-$rtwQst!si^&_v{H?S4R@RN3&kGzX`L0OXqJKcNK6_kGJ%A+vM)Nb&z=)QxURKc? z9Jv7b;zT{YYtBH}&guP3^6OWhw+K+=#B2k;c^u;r_Q~jVNy*$tU-25VwX%=d@IqRb zUmUNQBMNv%YBnfPb4IXU{{FFh581JE4X<>PyGDrs31!$+B0Ss3=Tc_lt7`=CeMufm z4H4;;l-)LdQ*j2yR-mZTET%_&luDbj*|nvb$(DT%)V50q)$+{mGC){Rc3-t#=$*bg zMWKy!|F%y(%ScG`N;o?5bvC%Ap=!ytnvYxwUG=?V)99LpRgEyYjBDT&!bid}ZV)~g zwT~{$_j~EP%rvE~31zHOh5ZMQy^UbA5!+_1)0hVma|N+gL`f@@X^?gtT`!u9F3g2J zrDd$<5P`n?Fz^0r#X>IqY!r2yfkr59%$v#lq9-_C;5FNrD$C$(Hm69~&q6A?+1uB5 zmPYbYoC`UDip@KFLDzy&Bm_yQ`eihm&%-%ZN7Q$;T^tA_9WgzBzi$pN_XgMAm#}TD z`))(YxQDr=7~x-9-?gH35V0a(=cVgWhj7L z`5Ib>Y}aeO0T(Jqu@o3)?6RsRcOPqBm-Rl!7)8>}c!+J^whx%ELQu(+a{&g#)V+ZWL?sYH{CSz_KFqQo&?_8 zFwl)YLn;&ELv z{ndMxPo0w%H^Z9e$=Vpnhcr{{`W#vWJm)JadVJsTvOSg1;g`Yl2c91~l#mifED{^H#Ef-BYE7j!rr(bf)$-XoSWi9N7)e(fmVNC$*kL97bb6 ze+A+;-ztLJN_V?{cwe+%1dc<{J*V*T#}yG%p27;-wFN~#sB0i6Zk*(nunN@+sa?Gk zb=`&j=Inqpr7a}79*cI13=FGp3bH0{^|SkQxAx!Ov?f*f+P5oGd&~Z$$Nz*uA3)$h zhg2M0{ED#nZY}VvD<3&u4%pp<`~4jSe(vsA{Jg{!eEqoVb}6v7Y4JhEw#g2!`MzvQ zn_BbV2BWd7P;S^N{1P>+iYxk;kv-ssFw`&k7i~oaI~s4?C^9xH>D0uVeV(|%px?YL z9E9f!lcYZJ#IEVWDd3ry4b&c>csdNc)EW0M(NA*=9QGlc+eFI zu6U8ayQt=C$*4}AG_Bu2aPUOpjcx()-$_fFh#hb4Dk-|K>@_c1Cu5W7U;lCoJp-mO zt}g}zy1!fuq1|8tF7BjVkdrr_uJUi1>6={!y$UxrwZbI1Fn-TY8U?+npnm)#My+b9 zz-=Nt3mK8+s$t0z+dXOk&c6no68iTa=S=4}L$<4z13`r&KEMC5DESSz$hcF6bf~o*m!# zrvKhT^Ic~$WK1(37Eq!q?Oil(=S|Lg_cErtY4aXbV=u|ccwfO5y$TmsdB0ac0(90K0IjF}_)^s;QA@=lgfObYu79g!{U!oO4jF`K2Y~i8T06D+)V@ zdjof^^J6We4E!0@lFT2%7>}X0b*m|>}j9LE> z`X(ESMMrck!o1Pemy@TSJJ6_Tm@2to^X9#tH^Z9Et?_Rfd|0f>6_Hm(M?;@v#8gcP z1!`z^QAYSbv}<+s??>az``K?GF4v5;x>vWYu^*_zW15d|+TNuB3g(!6agW#fjVMK8 zfStnir;}&rLza*RIi7o=PI9rh_FM{e@bpB%LY1D{*4!S;8_4b75g0PNI+2~~g!?~E 
zCp17#vCs|!O^=AOBP}pcPdKHbP8!!YOBc1wmpACjnEGqhZ_2Osgb!L2A(=84OCcwRAT?bY=f0VTl81d-s&ee&PzgOgzypH2-c*p z4v9yoe!-SHz=FzQ`}V@Sb>-B`eP}2!GYFjx;Gb+w#w;b3;odrOBO%;5Y_vR9hci(E zRC&r{ysZsd;U6Wp3ZPQ=#@6U)Y0%!jnrk+p!r(2@m)(sbKxgL!YGtMZ>a9mfr}vWR zLx;*cFt0Zi$|mj9=3;@wIJ&f4R6_u-B|3N=Nsr3oPYeoqIva-vBl_w~R!9*lV0d)2 zZ)GKaoB;rBa?BbwYH`_lf?e%<;T1~TiG>mq6K5N0SYeGkhukjOy8HMDQ#S~Q#^)MJ z-Jan7P?<=Rk(to?z|~Aybun7I@vvypX}2+c5^wA=eTE<4AS1!MEg)Y0gXxkk4>|6D zg6cb+6?&~Xe4}oHa7)J=1mKbU|QdS{}5Qk1cMqSdEZDW5Xgi{dWQp z_Q$pL;}A{@3Nj@5i9FZtr07{g*<6=(`0j_)Yvj3CD$(u%3C=!Q%A>=KMl%^j(>_!# zGXkQYKXe`;@VY`)W{Ir)Yk6cU5lc#=;b@;^8!;SLbBbrnKCk(7o$MkdjX`D&mn-@@ z|1T^wX*LQ5`h~U?>TK3hgrsZmUi-Q4W#aon$9??!GrZ*@ACB`J7;mcko!*5-VJ&E>$~Is&^p{tvcB;E98N#4)V~-(~OLOTvTEA_u1Wz#|H-+ zQ)Q}z(xo!E00txRc)O_O%HLJr+iMcrmmD09jP~(gqDM~&T`P*@meIo5#O&_8b^5);01H5Zi76MS%W`ZE+K|>M+sS41 z?uEHYxo33FX~*|5qxu`uH`UJz`gt^Ry)N3v9tn&e(@4^xAuvCbp5-OWiIvd&sDnnG z_H6a=%JakrO|HEDg#Iyzd_L9TO|ISUU?gXMS<@8Dm3V6+nVH{LGH$6D?h}C~V)A8v zOrMqBh7JwFyc~shy+RBwANd{HU2qaA_rz{Tt~&2i(MWfN{S>~rRVcioMwwx`uX}8( z{v2q=+QCq8^e$_dGXG0RKyvwZ!!htv=Co>OGx*!zsu1kWXVIyAPP#q89Fw$76Ole; zU7m}OkW!y2LCiV=bzdIDWEm38vA0sZ$n!O76EWZKXK#)^-#xJS6bzHzv3F3a3rK(b zt8k^>$#UCu{h-(k!(yA(;Ip0im$4fT8Q1ydRfd@Oy``SAJ1Zix;a)K+xU*-1$(Bn! 
z)HDBp%J(UJKNAh?>4ERu$=KsNa?s&A6njsm>gFPrMLo9Is$snRaN~3rTT!Ycd1V2r zd7wbjKTU>qKS?X>Zh5a+e{Zx{e}mtnANB`}Q&C1t z(RR(>$3R|d4e^ZDr@_kIy2PQ9@z$MxRyfNHM*nBCnX1AbAM*mNj6or*f_xKTY+3Ah zT;J)nS#UNcOF231Nm*A(UdZ$@iidg5SH9KWQMC%heahWDx>ZrZ7k@x%>ebH262D2y zS*MOmm}@8w9upK$3_r+b2H4XQ@Lo(3wD+slsW-RA5A)D6;8V==b_;sPzu6A0DLeWI zZ#C+kk(mHohA<=bkB^U|lBlbzZ9YcUuf_R?2TG4HUH6u8=rRY2b(^b zI2cf*k%>TORhCQD4zfZ_e4dK48lQYG>~A3DTbUswAl@g3sji}|3bWnF>i3&19n0H# zu*cp)H11QQ(*Y^hGlA#kk#02Jd6lBG)q3MNf3A>J!x7J(I7%|_vukGsg6h zqU-A~9Wql*{;UNYaZejs>DQWOoYOz^p(LM%465-&Q5-{VF&h!eyhQ4Zxm2_!%FVt zT4McA*4LB!)6UMvnYqb@wZ8q*!nMp-hYkuMH|k#4LyP1y>$RG(z-gq?U%y`K>+5S2 zh+BunM%Ag&l8{*EHpzcDcy=rt?v|W5x!cnFM0VyG-#8^jp#)9-Yky=OdmV=|1Fawq zW#i1Mx+R>1u zjl?4E%zARd=v(2O_OAThitAl4fS(>oz5zg|YVxN%{*^9S6^+=*@(NShAWzEtdT+Y- zopH$}YY*rEz;Ff?eBS72>;y-;ewL9OK1LrbA99*ZUJ_I>Y`A2dD^9eQvaM>=gator zjOxJ)teYLwbWv+r(C9`+M)2y>QIl~fg@b~S zn(y^*PCV4KR<2^cB#Se)*?X!o$4U*L?AQPxTP5H67KvuAhm0?Grvk7r1|;XavDvN2 z$vrMBDa(*9zZG=oj3aS)#139*(HtmL##B|mDuW;W9dCQM@irWRx71fv}j4Up(8 z3r_G};S=QNlD?rhC~fQh%8~+dF@871I{aEzT6Fl`VM0Q}%*;$D=O`L+)`(MECSV&+ zUiR9E;Voi(nmjuvCoq~6|57Q6DYU9lYbWe~-+3UwfE;Bi%G4OT($7|6Qs9NF!6)G= z`}?4*!83w=I`q1wtMPTYeNIpbO|ZTIqVA0+LY7@xR{!0b8#ZyF-JX|wU`&NlPbK?G zq5ZUSpl4S%4a;9$(_-K8NB5_EPuQ=r5n4x10Bn7R{_peOuPEhw40w*{=;((F3{QFtA^IhP; zk2nE2f+#LDUo+0Vp^P!J#-|V=SR=yt5k+(`&ccNh%=; z4RUjEbQDmBaE22ZWa3%+$44X!A<3ia6*Wz4tUmEn@f5lFXpd+9>t-q61Eo=kEhu+X0PIk zB=UP?I>;`fTL+7BPD`TCI;^g21J9!AF1scB{k#3-^T9${pe2yjtMZdaU0ASx(V7C* z4&CVu>l#|nDo-TT)WN-8c|+h97GzeaR0^w8qIsdayua3=v3Rj{zJk>(@Qz*))G~zZ zcbz{bbzQ=iQ8w?(8u1P^X@_^sGAG$%p+T$DL@TDp!;Vm zB>`Bu68+0&vin&#;+O;lMh0|(*@I5aGubMFx*gI+Z1Jovz2_z2!+KB7RoU<~mIVve@&OJPI`1Q-d-tNrW$|V;w7_?w&eOUYnIyIg=q>CK?r8BOaBFEIJ*7ZjP zC`-D__)$()$(Kw@+}&ky$HCpF`eBaeTY_Ap$ZYO}_VPcCm&W5<@0S}6pm8-|J3K7{ z6E>A%&Cy{we5Yn&QgE>6G3w0C&0X%Tw9RpfAd}<0N)ES27Sw@_WW3`5SFnw7>}cYZ zXSZ7i8=_7^i0$@;)h7AhYJ93a-)CY*n|<20qA1GvUQg^5^Y>YIbFWYbN9q+Lclg%F z+eB?X3%a`i637CUU0rM6OLOJl4i%;G^N1nWco+8sBb2NAs;6&$?6r5!Df5X`g)s*u 
zRb?ouAS-Ea;NP}A+@hOG3(ZGCxu$~8qNV5dZ}MYLprX18VK(2s6m;(K{rbl8^XD0O znlTL|*(yovUMRKrbnYZ$y&ArN(R!agCKonRC)xc;^y{FgLO6!#?*P`HWII`Up9f{c zOYwYQ>T;MN}50_7ro zXrEq`U^g4c1QaOc_!%%x2J!LytrV99q%ku*`rP(n{)Uy~nppqiDrw zwoaBXinGMMbYbjq(zICBz1-p2URtyjcJAWBx!psnYP2={Y|nT4>^INe|2Gv0Y?uL) z%aU?~zeu{}-9HyD`e)v9FL$dvywP2lDVU+5GS;@`(2cOZfdv*}@ntpj% z^N(*uMQS^m@_%lDa)xdHY)jj#GF@YX%rt3ByG!E8x*A}q{;zr0>@4;UEV{YEVLM+7 zPzm4ootj<~ejfsO!=!Z`!~QJXEnimHcK|}27bV}UD#088^%9Y1QG)m)f^x1!-=a%j z!?kEQ0o!JfIee&q+BuFpWRnKI?MI+Va`5wvvUks;S@cCmn*SL&H2n_S!V$wdw*Qiz)c1)BzDP+ zPhIrZOM=K($H$xB2|sL~2Y$_PI_F+bksE$GX!8kcA8e!fG%`P~Abm&e_=_m#EY&(^ z*u%YMSF0@1sKxRAD_{x|bJ?}*z{G97eHY|dcY+T*A~JkBMaTcL`2G$w(Dn3H(x-AF z3ktrpwT9hN#{?}_N2@yb$+MJRJ@OZHo|Xxgdu<|M6DEIIfbuqS=*sadK?5osXU2)t z9+6uhT>;q$n61ij*YS4oxcZ-tvCarc%v$RQK;FOrCS`cIg@?$$XzNKrB|q1zZL1vQ z2|M#AT=*qtqC^{;ZF8EzUIU-!fzHT@JMcKrJyytlA8qc4jWghY2$0%C=JX5GamsD* zcg8g?4xerPy(0ltE`SM`{%cncK1v@<-%9v(j`p!7jsH9ATec#Zy7aH}VKUsI7OpXw zzuGxM)>G^8y<)G6+84$%nzft#^*se$BkF%C7J7cz5$HJ0?v8}dJiq%nbo8=da|L0w zp3gw;_UF$6Ni%@#H8<~)Y%YBnzCSAMQNceQKhDKa!LQFZWdjJVgNON&T-$c8xWPI; zOt@N8GhYXu0SqXvaSUsnlaQuddX2sKRI|xJ-KYT{0!jE$4uy*s4gq=AM8%Ff{~s@o z4SiSuzlz~~?0qM|lz)9}7adtvr33v>9noIOvUMm2QmL%0iL->6>Fe~n@++JqpZW(y zcNyKkGR$%HhsRrB2Dax$(b_THSMzu2kp}^3_s}^5QK1Bc*mvlK1aNK?mGb=t@J= z?N=`Ee;sqQ9Cv~^Yv!xWqtmN6x;anP=k_Y(*FcP6*P2Fi9y($DvmV{-g&7_1S{oN$ z+8A?!)bn3tG-En7cQ0Dzis7hg&-StcA;?}0p1B5l=@Ycn_y<{uB>uo9{-XJezAZ$;Ibo%tVliO4A{DTPF8%gU~EIV@Fdl=;PG0^e+n(SU4;k6l>fevOpm|AtRB#7C5HJ_b(WIv2Ux*i;C#R-K*{iZw^Rh&NW@iAz_-4TEisbtbH{7SMcbf(qJf$#?5*Mm6U@2 zM43kHKWZMsg1R}vHh3}K`geVl%UGBf6n$6VlOLg~@U)DCL}yD1=$8Ww=}&m$GfqH7 zxf0Lj-PqqI)eg_a4_t*z{7U?*C>1lw{1jIfQNuKSp8#~5*l~1U&9A1mvXqrBGC-Y1 zi>q%^*=j1~@%YAKPm}#!m3IPIp%<#moQKwrGcjfi1AhA6a^ni!1(o~eXMj(mev1ly%erx@$k96A;6s0ogKm`vC#Sj_w`_p2Zh6@JZLc9R{ z!vbf=nY(j6t!Iy0_r6m!iwfM}wFY@?BwVcAvrr}ga-ZJlZa&a)a_jSUnG46@blAp|9sCAFB zBu`s>WA+Z^h2{nr<&CS?53q!ckICuR4f%>vObRk5=mFb#@4Wkc@is{5kxECeCAV$o zucCwLA+`?o4yRu#TnS{jX-bN_(_FE>-xrHQ&Q7}e^t(o*Pp90Z#PVbsRdyRl*@Gs8 
zvw#GU#S${dXtMPH&azP8jT3|RirhJ2Xf%IEP<1FM=1u7zN7Oq3g&>jd`K%-0N~hy3 zTMZoJgY56$OABj_Y|pJbY+SH4rx#|p089xo(#8s(_sAm;2Cx$n1zPTX{XqZ!p!8K~ z4vL73yhtm0il`_GS=tVMynRjrDBB(21O0#HrGMqCG2z-a(hz&ad+~EGF=>?;N(}54?G7UnXRSSsXY3-ulUxC zxW;^kjG>`tFI&TT=EA6zLEIz#lD7)KA?C$BpW}4+gNar8CGFhMW@by&c`K7sKd+b@O~?z<749c-@?}&(7|=r;cO@JT)1uN#z?E zG4ywOaqez@k2U0aHomt%dmaJYNIXS`vP0 zQ1>9q!d2FOv-LqF&F(vm8Tdrl6;%JsI%W*s+OsPwEcLn&9&jtmvf; zQ#A8Y)$D-~`h4m;|0+30jAuUnyn4m`5Y6r5-9Fp#KW)0OQjcfsPdg+*kf{FKZ02;DE52nI(t!bw?viE(X5l~uHo*x56z3)+EWeQoC=LQL2TQ=icexn8a`A;ip${pFUL-Zj9 zq z+xQ414bSnV+)k5{ED-MxDOYZQH1rzGkcYT09=jC)1Upy2=ih23KSlzti$j{yao)Ts zEVTCWBVLZ?m+nwCp0`+fL}F@bpj{T&^k2y7!9xW5HTDJ#6Zk9Bm3~d+aTPx7Hi^(r zDhlMzNvb8JqV}Ew1Z0Z>s?KP!B4p5-JFXhUp7ozJP2EwTMrg8dX*nhDKw6O7$hs=> z0{o-oDA4b190;_a^yLhrxnkEeE zI{)Xw5By|gG&)fr;eT8Q{@mhHFiiNqs;X-L;J`o)F{=|LItVNa z)%c!kz6b1a`-{f|SXrHG{fPf>7bTM_;De28W#&WXD^t;eKC@-(Iv&T+*90qT*hKHD z{E>{N11}PP68}vZfQktc7+0`X{ET&7j+10!8ZwvqlM~lPRJvBPp#)YDxzLc$LCJ0$1AhFB=pvg~`Kl93R*67P< zZ#$)wpPT`ehm?b(5?LVck&Uxsewe^~5d61WeETj<2wn4YlOtbJw0X-HxAbTugQu8k zW#7P1$2R7tG*4kOPtI+(uEN|UA2@7i1hBax`L3G^#iC$jD<`}$(cwZ|zh9d=zw(`~@N7ek>(yZ|k*#1EF+Fa8Uw&~tfA>M|s0czbJ2#eF-VYzy@Pg0$ zNJtOCNwK{;AOOnH?vmq+H5C4*tkNw1zh}8hH`lkQs5ewpf=FSFPbMXkD_ym-Oi2A; zF!*D+$C88p8K=Sfs4@NWG?0XtST!=;)rtcZYq>xEyzT))euT~3fqU{{!xv8oUrS8h z&WWbh`Zje^h$Sq98a5?Wk}s78(Z^$2?MMv6Al$kCIzJ^JI#*rMsA}tAz;-~@yQ4<` zVn;s}_xBcy%t+LvqD*c3(?32%7XzFm|56?w`&80-^FqjAf5^1Is(53mu;Xy`!Ma#2 zS2yjFvYG)(Ees2=m@))3b7AVN%JG)2eA-zQN2c)l80SeQh?lk?`QA8$kx~*N+`$6W zaod=9$Pf&B2iYRhM6#dIC2k|G*Z%z0(GkZiiKv-`|G2=`(SdgJ+AC!niar9GG#@rR z8In5goRE{b;C;W-womy+tYOiC6SZeOJ9_jl>5}sH5ORf0n%Di^#@chH8)8AjDq&g_ zz(eCc*sFxf{MQP($GI-T66IHq<@}$;!M)zV4dqvXSW(ex?CYAiELRFhOnPM{+un!l z>HaNvF?)=8Ai^E4>C-V`xGbcF4|Vju@@cFlc14o{E!ilxAJcOAML}S=n@F2~Dx)gn&3FXBam1 zCgV)xH-ar?Q|})RI5hNqzL2E%wM;bPYfldIm|aL7kF3jRig>owr*#o1JOxhudmrqD zwa#|%cT6}^lXi3qoWuC>)**V_$?~^8b(Yah`5sq=x~gIy{s#N(QKEouiod$D<7Dz}FM*qM{;Qj9$vgjqRs0+>ex|8)2i3(H)$>SLn=;C0C3#3yWb)E} 
z*ei0u(_UR0&}D6?G_fS*f=PddC;IVb)T+d$29?__{PK5O%O=kd41|T;{UAQLD>FZe~RmEbe48+c$ln-Z916!_^@A z@$-r=$a*RAD5Qf+-MUNiY{1I{dU=`lcsjRe;XizIKNf7i<_<*Wk`As!aEY~V(Mc}R zkVHn$u7JaVoiF6}m?fK%zE`Ah6Zh^&N1_}0Gr1tsYRNL75!Fl1z)>dc_%toY%?#!mc90I8hZ2EUY}E{CD4e82I!wq=35EkyVCJ5->xH?p7P)Kr;KE)3To`;`NPKrPsxOr zK(fake0MFy!8ZIB7)4H0 z5qJ;Qe3Fn7O7zi+`=Vidw>gKWiUsk%7aBz8IaGV^vk-VZeUpXJaq9r)k(nN)7Y z`7Hty^Noj3bq3cwe#%#EKR;0z48}q}JUnbbDJyR-1kHAP!QTd|??yj<-Y#%wp%c$~ z@SQm9jNSeBv47*wj(*Ucki`2dn$CsY5&nOv#A9e8v{M13NH!r6hkn3(-;R_i#x;S< zOTka2=mq^FFBJZf`sYoO0|lpIHZ<)VEc>;Ze}OGBIYhdhWFG_kVr;GJGaQx7*7aoq zBVO)?G+_strad=?LX3lN2;^q|XQd|pKPyG^O4ce)$;(SnDUqsYbaeFE6!Bq1Bx@zR z9Jm~r2EIN2z51hc4m;-Ub&rFlbdb&>ty$EKpl4Wmi-D3gg7}qLufK zMwHGwl@W_Zf1VeZ`5)z@#T;d2_~oJKlgRu6D(Z&B8X6+@M4?yiDOI&S{Ux9Mm9*!s z=m2k6rjIaAvjl#Id(K!Ms zf`ZHVOE6hjjiy^SeNp!))#E9fuy1gS$tnWv;0V&XRv^wDPKENDA`1uiqbNos#kBE$ znw8k;4C4`sJbMmouzy3EJ$?V>prXou;hS1>_WzU`j-Qc+lyvV1b+fT!rg4@z# z`H3rSYbnw*{_r2=fUxdFeN$hki~Jgx&9Ff9#g9x(|7oF1B6{~s^7-_K3{YV;YOWrw9*$XTBK28>tR!Olq7oA_zs-yZfG37@`rBG8T_*d|7Bn8 z`x_E40__sxtO-=>+aJOx5l?yPO&FO`)3h77jr2^~w-)0$A-XFwTM>CHYul@h`=FpZ z$tgP~`qkaR=0~Km@m}M*mF4Y5HV{F5u=6=Kq;wFK4nf_Lrzuz9^)AM?C9Qd`vB}B( zxwm_<<#)gG-9c^bvGZp$<~4DhyvLq>!i~o1J;WymSz?|uU-O*5MP~kVFKK;mpsBklJ|GoiYcHSg`SCZn zb%u-K)KxLPVMV(5psehPgCnFPR~VrqOON}*j-|D{3q?^sUwa7 zHKz1$aOeG#r{v>Iz}nKGoJCgQ!3P|5`#ry_Xfo+2k@Jy6sn4A*8g|2f*oTC0TT*u$ z&>sIEy52G>&ShQKZY)4>cL|>0+PJ%hKyY_=cM0z95Ih8TcX#*3-Ge)PJ=Z#C?RoZG zA3u9^GZ?%zx~guuo>UemS15Z3k``eGFiz+t97l7*D-b6e!!IR6K5^D$UG1K5((0C~ z`8zqJHw0`tw@oJ7PE<(RL>{ZmLLu3c!-GU|9Cpv z>B`MdCE*p5Ei}QKx=|z~3eC`__zuaSkzfdqq32F@MMf;qTavw?h~}A{;5n(t#Vl_6 z_I*MlM3J9W$aD*7;>@1(PabO}?<+2&?fPi5R+Jm@e%fi}PVzmnJ^f^jra=ASN` zKv?q{gyf2Zk;9#~yKMyC`!R&Jr+s|}92EFJrF$(W%sr)pctGUYl+)e{@=uB8MX56= z@s1N=p;tEC@sLX|BOclAE_{`0+C{%q-|v?4_W<$h{Xc)sEDxJhEMFYBnE(51^ZjpY zSsF4l6Gr9(4Lm&j((*DI4vvJTW(K?@7=K$;Q`57&ysYesF5S}Fx(FTnxGXioc;0vJ zzz~%#wSN*&?a(2rGE3vgnlLA(rsvEOyZc){I0SY&Qh|lt{3qR5rpS7V6spkLt}@@^ 
znHCp;wy5eX5@8H1diHAXX=HZZb@W4a^e5_D7SoqCPS?`Ny9xQ4o@jdzwcqNvZHU`9 zT1Yr3Or4K?qg3I^Z|D^{u7gxH{=@#l6KWmZGOd9$xOk>b%o$CN4V*d?x!;9XvLYUM zE_MwbN!R-IGncI7l+{T@0hof%v?<=k`Z_THWTw+}Y0v5}Jhc1W>3QD7| zBvl)hMU_hNir&JBI^CRbaIUxyPb^3o%}DmU3(X>D5jm(FE!Gq(IFRX1K2iWgGX}zn ziT7||dq3M)Qi$4ZDyc249*E8 zdcU%koM$lc_@se?iGyK3!Y$v?R1$qG@@UGUtL$|f#G2)RU>)F}kyqQsh!ab(M-wEw zHZx<~iOiz*(f_Pm-#DG-fh-duSb=#PI^`j?ZR^~UOt6i|z2}`J-3x~`9Zkr4Dp}>% zk5-`K)nIjXm%9&M#L*wH1cQNMHF;79tCe4GTw(z7RGbr?w?Bx2Ipp(dYm z=Ty$1kW-V>$%`T7?ap9ka=Etu4cmGLDlvrf z`pWX0!U=J9Ls6(L1dp-&p2FKGHT_pYTg^n0rCeV0Gmn`h?__r)sCj)xzHL!FdJWx~ zdr7`#R?`Yp6Nr$MA9-WE)7YJz8qAVs<+6pYDx`D)CsLIBd+)v$j#R>B)1@}xX&srH z6>7=)Tuw(5hCM1N5wj8z8^!XkeLhF_Z%1eiNK~%g??y%i@Epj*yk-_>u@`h)=R4qx zWkFHV%>4XqEP!S3)Cj9vvmCDJyKICBW)wq)UzUs3n3b_xO;V`#0<;cop07I{)tu8U z9I_BR+ypA>?3f%psbc@lc!T3wcT(4out)G{^QLRuFC(-+MV?jfNf%eWy1cyzjBQ;B z0`Cwp7fzpAw%5DiX(5JQyik^>KS6sGhXZPUSmJ=Hqb$0XRJ$lI@(Cl%2RM0RI<}D4 zc{)b#eeNhG1>SiT-jAtyJABB`nelc9GYwij@mKcRSXpKJ=^?aKRLzJpdZrfptQln{ zu<6Iw*`g}=lDb4VL{)CSIj$uflvhswW)4@=9<)=(4M7S1#$Qm##qOsXvtD36R8@v0 zxLY#Z3TV1B{RLxsKH--G zlF?`P2l8h`@+7x=;)<|4dBpq0gNKnkLq3%>zk^qx{Rq1cEQZPaZW7L0NH&Iy0qEZa z4aLY7Yo79Hl2%r94Gj%y8XD<(ec*3bXsQ}9(Vh@Of*LBnF*#;+=eRS4 z_izcHD;Z+nE2(U^E7g~q&d$M%_2xOY-7TAQaY+Zhr)RRU;HAK&tWGKU`xh3#u*5{# zoXa>`<4-l=3C~R*hRnohuBUiHdp>;yHyz+BpEi}`F_!=HgZFhWLnMSf!9I2i ziyf|`Z9i=%J|%LozF}-s48L6rj}`x&#umBPTlRS%yu&&jq_*ORHH3phJY4;P@=(nK z6i3ps54~5ja!B7?u6dK6E2j!@s-|cGeXHRSScYUY$?zsqt|ks!RqR{Fe99X)`(g)1 zPtFMlAu)IHr?#VMnH)BcBs)%9sOg^K!i<2>3)(xavzgS6Ba+G6efmMpmHGs5n<)0= zorOb{!VeRzX)=TYg1bmf7ceAhNq3jr0mANnWR@Y>9`!^!BnKE}uDd~G@~cAoImMrW zIhRXh8iSO6H}MW2$csICQgp!)o9c}fqE1Ul#OD?{@YDgbmr*K zK%H-lTBK}wesBHExYth~g%vy;u7p2*=kkaANEBA8Ys~F;NrldsHTWXusMUVftjskY z*$_^UvZmJ9|6yaNxM_uBaI9^g7+^jg+GQvKa33&-Am!!`uh?uqAPlpf?{m+vCvzqY zJW4dYQ5o255CcfY0AeL!Gi{>s*wF}Ok=Y%3Z@&{JKu0cabe|RW{-6xnvFA@&0ZAe+ zi^Y0fGBGrI;IWUf@~tbFT7L8~vHkP10GL^2AEn|}vw&dkrEG{DX&`QC3F*J)89z1S za!v~Rw^UH~e*-qlpWk(Z0{vewFh 
zVgcxB3MorKzS!YqN9v{O?(EPX4j*6$WfNfx83m6-wJ4#sA6aCFgicsTTh!?#AwyF_ zSaS@N7sM|5;W`3Uc99ci4k75J(?H&!)SC(&OUStH z5Lzf_s0Bdnyrlvh5t;Aq$KfoUxn~s#@eN!mhBI23#5`kJc>E4?^?+)PaA!loXZ{Em z%Jhs?NrZ?FV3F6J^Kr>;ku|CPm7ndzy8-e$Yo=@2!$lQfXV?6i6|MCQIUm@TKHKJf>a+;&{Oi%dwO1m()NxzHrzL-_BA$Q3-CZuY0}Nf8hikd39`EV#$d(T>`t zR+N23ZvS%J<{EkFuM&R>G}v*7|M`ucyqz+0qap5WwJhw6xR(aDQ31c7H9xCMS=}98r?(PJgoyya*E3l%wSp5bG7pXes}o-t!OtFlDM%qoa9v?A?(r4ppP*o9jg z)O3apT~l*97l)X08BV_-wj0A|t~^7>@ZTaT@L!UxB16Y61BXFhiH>}dc`uigcyD(t zPixR(nfZqGZskBa?|6*XJc5#8{?pOu0muU5JCnTQN->>%C$`zUzu``csU&{M-5f+E zm?Iu0GZ}{GCaV!?_8zHo_L~pxcJ^sDcW<13 z!xl5StZn_^JYOEn-b|BAKK1s-$gYODk+-1XKKbG6M11QJC!tO;(YmpDIheDLroYB+R379md;whrtAnpjr% z-27S!WPwXAUuiE3`puVaYPZvpVzny zBg_NccxY6JS7a4v6PHinV7bDycux8dT%#)e`xUrdDg~i3o z@Mz7LI;FrcQiKCD-6_uPF9OWLVefVkL=@!Q6leVrUCVTb1!W{i$a=DO2Bl@E z8S;vgb^o1jthl$_H--+TcNFPcFweF3i-iZqNxudmE2r z>TnwAgeknP=DcX&gV^J+X_?I25!22#l`JLAh`|KSv8@q^t-i{OxCk16Y=M-Qxm)c( zPoUUw#oy|Qi`wNfiR<)5_gU^=s*gqTH$YxlTQIno#75bQBn60r zng&Zf7a9#-f1wO~7&bbLz}mhbJlU(%A z^eJAQ|JH5)CkGKzw97MW#+EL)yQW4=9`pT)ls%|{7QXU!^3RKlZhY%)k?nbs4=d$A zEC5j{bNXQhkzOZdm9J}Hbzfie2&npBjfIPXv@|?0GI=9ukNGzYxB%Ik@ZbIpBh}w| zd1SL?st#j=y)9K$Q*&4{Qs6ho{ns~Z8yOi*EiIX8K#5i?SEn1J*4`)~3+sAQ-WaFn z4E!YNC0!g;1G6P5M%D8MobbiP#j(rvy&T-rjnOaUlswK3*KT@yH3p(sZDXvlJICbk zrYv{CXx7^u*@+?bQ0#kz@o`+d#jw}yhv{iW{kRm#(&^#4BD(dYebeGJmPmcCLAK^n zDbU~;#f}G*()NYEheMCkB#Dkl{KLJ8bf!p!Co^y|QZYsdbhtL$KrHOwLeu*rt|aYq zWM0P}J_+qY+zc$kqmL5!!Irh9|HrrNBp!B1)-E7cp)H51iQiK$S*+A8E-M?WTe*c& z71o_;3q1~T;Bwuhd4s>bVW_AD3IKb}6j2*^7O!^`6t2fu6|QfT2<*c?=Q{?8W2JRa zKO;7*=4^)*XEPW2zD#R3iDAvQ;v!8>DoiDM;hz9=cEbiq4w6JVK)+|#p|H}A37`qR zf(Q4&w6wp}!C-2VcdU#uZz*&253DF9)eT-Yu&WNupg(ql6UT?Np#x`jG+cqNn4p`j zhbWV}fuMtjHA(q)9#)?FuIrJKz|~o=Dg?%#&XO``SO}1|-6|D=-})`KtSN-1Ult9GX=t{lo!oP>Lmsl9&XfSv}coRo! 
zvGGjQD!bwEO2aWR*qo>)UMQ)X+3oWLbj_VP|%84i$NaKK+9 z-V12|BF!3@zgD2l8>((s4+wCDC!IBnObT&4l>PAfTo$0{E|UP3iyGu3Iw5 zh?S+Kb8zsTx8?z_Ji?h_viO>fZUZs$D&+ zbvrV$LhP(1Fl7nT6!}>!u5)genP)=M7@E55HEj68;4$Tf3ec<{ak9*G<%tcPkYiFN z4X`V&&73s<`K1R2Ws=k(1bfqX!A!45Pp`1yr@J9}<7CzVJ844qJ(`r|NkW*@>JQh6 zUO;Hv+rF|q$xXhUSv;OL4&En;CFhdhEms6mC448Y^)fIvq0yvT-5f>=VBTgju9Aak z0ppjL?E?|=2NVK}>W`-cHQYpW^NFewVMi9GJDD0zs>Jk+TIT3gx?|(t=8MUH%$E?x z<=fvyMFY_A=!D?Oig@_=EJ?2x8pxy$L5_HThH_-ID|eevb#-;`&Q>LU!fD{+qh7?Yk43`E(y3j@r{?W?K&%r4X{*RF?(~gf!r}1cl;w|A z>)mnSxQO0%zdr~{SQC_VJd z@4lSq`XEVcB%H2qNoe`Nekh_5=p;FqQXawd_d5J{hn(yS4lrTUb@Ep`^7=U=x)WnHQ#BFr!Luoo1Pfv~lMS5M!Iyac=cq9CQ zJy5(TqJ8-QU)(2S9U2pg7IFxV%ZJ15N0Aa`hBS6PzTeoStKI4ZjP4|KdXym|j<}=2 zJuUAQNa)1|$kcE}zX3%WcwKvg6=b*lhyRqJP-%8a^ln@)nulcHOOZsRzS@n5x%bJ7 z<@+tt?mF_|{PM?*%ujXWC6Iy~JGyMr3d8JP4P2<|Dspnx&#^$w|fm}NLJv9WfC@%@uj-+Mf;gi^%$#lUo2z{b< z!`2bsTLI<*3lm3}enG^-KGm`1?8S^7Zu>`L5sV!_>C&rShjbI_cEV#nNxk>3>4k%)16A4X-&_34W@ z&3}C&Tz*66Y7T^5;^yn-U`pHD*Dz0i1P7;U@FEj(`qkIhmz;dJv#Wyt zYNS&GV^+_rBhhaM`#+7#7ud=0RK10ao z+wW(dU2C-CvI}4}k1~_f#Hk|`bVvah`6OQsSQ2vWhc8BbDC(=VYb;&1Vobx);@rcL z8zxhxTXX>6ff4i+pTal05TBA&h;vRU_-^R#DsY<9?4z#FT@SIR^k$qGxfD>Q-St zxZz1N{)}TyUKb?4J$ao&lbEg&m=H$MwH6~Rj7cIKK?>dlS3r}V?S`mTU3`NvoOK+N zi~LGxA8UOeeK>D^So--B&kM9|dxw87T9O%}2HWy_n}KhZd{o?J?l*=AkE@PE(Oj)r zN>H3>bl=z6Vr@J@wtlS@gCJEWmgS`Hi781+is}jndbDA8Jn(JlGM(mTVGkKZlKrng z8JU}90NegSs)>Nu5Ms%^8{&VSYe;%5ILAc zt14Sg>Un?O4^B0)-JV}{A6Y^Sf#x{JRmZsOzN8LiloS*e#mA@1Ul~j2Y-}lrDhgXBISla< zh1Q0ejxJ_sMyyT1-IAoP9|#RD3pyv$V_jq81akml6JDVS2Ob5x1RfrQn^%>(J9 zSDCl7FaHYV{LhsIMfd8JY|vpyy~@b4|Jx(4;}wm~|C4CElX*U&4t zXAh1CorJBphF;@E(Z#$MJNG}dHD@K@IF__|qt~kDY)(__>b*WWx7|Fbluc58Wnr4Q z@g5_EC}3ZQsJ#`~Pf;j0d~Hc_yDHRPf(GST*a<^FZfD-Qa+pN()96_CaPyy z;`f=+PGtbi6an7wq$1Y4+AD+EdJv>akb;Qh2mlAFoTBYgPHV5E6kWB!lgjh`xq1)r zzKv;7U0#k!0osv?fX!VpG8BQyh?8vNESk|*?A6Cdf866IV}#J#RRH>*HgoKaUfy>0nandWFPwLFvpNx9 zy*1)tBwdWs!2uQSukze>Ps~?4YG-42BV&{Jv@{`c6PPpnomKh|qm=6z16v#xGPQC$ 
z-&kNU3lGA)f|KhLWi1bXGm|)V1WGk(>)(r)`W04&WTu{O$<5+6QN8OqdWGziqIOJR}a)wuW;+ zP!_@W>?7TL$4X!vvw~wUmkRarW0lRx|qdHm^=z@r9k%nRc|t)~OZPj)OAa zES5V(-*K2y?@yQtvKvsQB+lcwtCG$&Jrj&^E&ULW(j*oCRf`z?nm^6N!g5tX7o+~g zw=iU$E@8zd{r3u9TGq3h;B4N$$>1Tzd$#kPMVeRB0DIy6=g0fMl8Jv$9wsL84?J;B z&rpm0Q#?on{}Ai^^L21qF#>Buy>=p#tGC(lfOrLmQHRaB_uKz}SkXozhL|0RAq4@a z!nk=#-`$<1?Sl#0~@BY3~ zOOUrr3vgVR_#%Y!lJb0V;6g^%t` zm!bJAu;s#)w=)7eZS;R__@lncU@_;0Vsw0ZIu1N)vY*~krlQQ}YIisUfT}34@}c9lkg=@ZWDb!iPM}n6T>ch0TG7t z_75bDM#VH2+O53J8q-le_V0tztoZ346W~75n%Fr6rL`jl)?sN=p33tXx~kUa7#cKX z7u4$XeUH}Da)W879#h|Xq+BH< z|MZ(YV-p6}9?oqL1dZN|FGg6-givMyc_PPk3ip3M{^dQ%i!zCwFfnmAD_8E ze*#9B9mk&(_>NI*vIz{toMGG7MOO-Tw5UiM5;ENn8=0Au80@EUAkJ!}E3EnXw`Obv z?(cap5>XZugZ7_{U0ryaA$U6NDmJ7kI&(>SZ|H8F|Lwjt{LOts!4Nb-6xsFULH8QZ z;j?XVpv;G8b_j(R{FcdeN+PE}DICiqz$bl8WNU?-wJ&}I7!}b?>(~pXr=Iu`KU?3V zCUkOYtursbntU1$DaH%VnBi>o25!}pAOVg#_PXTXp|7};=X+ivNfV&0 z&d%&3KIhqbmFQ6&UJwZtzv42;aq>y(gUnrsn#7;K0KQ?n64Jg~1#h63mzB5=JYD}; zIq!

S&$p@amlZ_pbBz>@GhqAgz}vGo(=jHLd=(APW@kDT+@NAPBy-$J#UTj;$AB4dUl`ga8@_J+HNYdgd7$(mv;}4O_fLwIq%+SL$C6(p z;Dc2yZC@NXFW8s8($7%}aPUNu4Rb;mF2XAtrKJA?9%tHHwb~G-JqQZ>3@)OYPB-kK zZkY`X0IJ@_Cg%EDPznk4b{#-6Y>XYUqS}^y}`{k0x4eeh`s%Ct7YsV^_VOx zZpVxlV*m@#`seG24suS1{QTy}AesqgJ{1{ZKMYTxt;y)VTvM>=OhpRnqKJ(d?{N1g z=*)(_awPd5BQ3)p`wcfftgl?ih{_kkzXg|KG$%OtPgU7vf~mjNweXmUi+1z20t6iC zJJ^}x32q$wrXD5D&cT724K>au*kybSaT~M~>}wKYCLe`N4Vv-2e#m9q*^Tiik_wu;b zn7-TR(MqJD-m(a=4w#8y%44@K*)&AFW`{vK6YZ#4kfpmp6^O*c1FkOkVD!fun^5wTDlY3z51ABqmI zR)65+@}(QAz8|kaggzAVAdx8OdZC|y>2bR*u^7oFC(C>I!rv0MvLH4y{d1F*$#_w! zt_!m`A9RaV7<0;{xE%vHpGH`%st~9+p6J#kQ1tff60q%w^NSLW$22L{o4fZAvN?&a zbHUnK+(1TC$0hU$G7P#8ee%>#3__L-1*<6gAZ%m^(x?c)3{!XmEmY@iOx46UfU+!R z3aHHOHYx%W1(7+{H<&&|9-Rndbo@ax(HZ}I*w)A8qqPiw$>%T%P?L1*xJ`7wDvMcW zA+rHWr7*F8s{^DiJ?7-A6s+j(M>X|*+9|J@n2E$Int@;9&PJY$%nMxGi z4(afqD>yX95OCNZNomaFR#O;!&SR`>Fco}zugYQ@Dc`unu z?nB7;We}H*0t0$V%%9=ID0KK@?!z!L!_AC(mW0APu_k$2;&xKDL%A;cKaI8%HqS>X zE=tWj8d@!xj|W)-Lt6>`ZqFCR_|{MXHNprJ;Q+F(TGp6r9#;&F{K86>U~&ci0S;<= zMpZJ-v#J;*WLLA9$Z1`$$l^EJ2a?=Wd65eM#caicMmGDrQMy?GVYEj*r03<2(Kso+ z`9mZ01$9owRc>mu|0>4(-PH>LYgc3APN=5F-A8j@oQT9PMUnF%h zn%f$_@b*DD3umR9-Js2uRl=M|pUCSEEi65p&RtPIa@|de*z5MS_Lqcc@2qqNX&J3| zh5K>yhp6z0!Xni_Mw?#vh(Xj{6`ql)u9Z z@VG=pPk+`hD02e`wfa2hS(SE_wV4bz9<|bgWtyutk{v%IMUM0cD{LLLTk*PQy;L-6 z!kAFq8hKiG^UYGrZQzme_(FKGDr@gl)Wp z%LIy}W2d}3?MZzR4t!?%1GEb56DF$}PPi>nd?!Qu+7P=@vMd7Y6Il@xR<7d(`Sq!z z4A^cah~X`m?EDPbB%Og)oK6WU-XvIypej&%M3%}Rr+s;{y*7`r>IOV%ONCd!eL98? 
zHK5=aAGz{u)5#;GNr$|BPf^YKma4umWhR#B<)K=2$;QVo5caOtd2P~tjv>wiqU8RN z7;rSewAP!YB+(qVDk@~mS4jE$U#OhFN5GFoAYvcQO?WB{A0IGy?|Lk)K-GantvY*` z7jHk>Q>4w9WmywF1pGn)3JFn_x9}513-Flknit4|Cb*K<+li$(_UvQ;Z4jLc({h|> zXemZ9LrShT=t&-)^GkU5T6f%R5TDb&gu_60lqMhRwil$N^fu?o=15eF5PpJib^YzW zmlkB)f&7-;rks6bbld<%fc06Jbq*Fp!_W+;pmhKaBT47@=2rqrsl{e|*Qg)6!Wz!A zh`@Fv()0>7Q)5aLSz_tUdpo@J^R3-~I>X z{)rs_M8$05Pie4mS(B8b_9=ARn3!S&bML8?J;paH1$4&kz2;`*nb+6Ls&=8;A=?g~5P*Oy zU4BL?>K;0gTkH-*N@yohzyX?N+5O;G+e5O)JOS8DC0ta%pb<{9D&&%_Z&pwED)cgE zJR4`wCXV7f6y`=-S9ai{`RvJ2x%|PvJg0#zRlEl4(3}WB()K$fbwdtCyAti4Ec0A! zXz8+)&39Kt+`6okXlPXXy)TQE+B+-bs|87}`B`n6<_I3Jeol7R1&oE(eh+|1`^uD)Fc%fVhfBz*Mt;&X}6vJ6fnN5PX0={ z#d*HrFJgz^E~3q*{Qc`%1u)CdrY-Y?pPFkoD>~HqqG#Ahmvw%xaLx>db9{n%A-!9@ zv3+U7h7CgUXFKg>*6g;Ik`vCL!@wnGwb*y9%cV&f2ClS^HL`GgF>6hnZ6+|1s-;D@%lx)eT159wi7~lqasMzw=X01ZzDC#(XgOC?8?TO(x zP+%scx@wMKQ!hc=Zqj7e(l;iaUOR8-*0Eq$>f&` zv=VOp+bnxvv!$pwjU!4(L*F3K6(C7+w4VH9oq@8rPNn`|OU>**{+omn39sK6Gy8g9 zlDFp{x!=ZmpZT%V@rMW8U$M0q_LR~#`;r&4cY+ohs~i`R#}+QSdf0#PM2X-g&xXXp z3s$Jto+U}RpGOg$u2g5qA?H#6lVT6sGJquRk&7;;*sB``I}9>}j78rBI6pHOXQuD! 
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device3.png b/windows/access-protection/hello-for-business/images/hybridct/device3.png new file mode 100644 index 0000000000000000000000000000000000000000..c6572cbd5a70caa4a707a42504d2b3aa8f23b5ac GIT binary patch literal 50168
z3EH%PBn4oq3Yi~I)iY=$CjEJy{@Pa~qI?a?gXEj~bcXX&I~TRvb5*&K43QAq>tfEs z5l%xQz|als!(Tc1H5HD%dE-=jXnT5}E`u>c9(k7B+?u~)-(1@m%{>?KHx4DYFb*o7 zjvvx;b-w?Mc#QXMJ*Q0?&9yRB$D$ zhMq|M)+Eb!=w^cH z(OuP*0u$urv8TvUlE>6AKqd`7c43Sa`%e&~v^X#Q)ChI=Hq>nmJvok3*+cK<7>&Wv z7RXi8hRDu3ti@YjwSFpep;RX6JoRcbe2~>m;BikToklA^mVe4)_p69mgnNoNE8_cy z;v17%{*XwTz(UH4m32g8U6jGcoWCecQT)ePRx?g~#N{c5*!k#-P0(&*=G>ttsGF?! zdFPW6(EAJQj9fYKhsS>GD;}$9ZZ&JWLq2ivjb&o3pK{E>-$x5XOGM#~O;*a}<8g$q zWuZjyyytq}F?EHGEwALFY4Fhdqk!W5*Xz})9(F>-1qW&%38v%)QjfLc z+vh;KJ4ko~CLaGz4`RoHUJ|*XiX9WhqC??>ywxTqn&Xf^-XtK~`TU#d%rcy;1#_6n zHR9dDqmPj}_CV3j+WTe5@TYnu#Y!H*RxVfOfeyaYM|(6hX9OapOF;QDWPcFnc6j5E zos$)-;`1&B)xv#ua#vLFn3+OJri?dM_$s!CuCEFBTc76D@sx|Li3q-D#|lIl7W`lz z^r;^5uc1RGvP;(0;Nav13a?_8@yx1pjDw#lYmpZ<+$RcPiu^yK>7UJVMn`d_LtVLDK7W6CkrZFF2B=gOLJE}IbU<#d(JywGpvmA z_;lE6C}}q+S`_WkD^*e6C>|q?x(@)e{7a*Eyh;}&Xi$v?+_xKF+(+7x-ZjVu(F?B` z#e(!OsH;U8VERmb|Km2H|I2Oa{`0CcKmN<9s*+#^>D6}=jnKj5fua4cYa&@fU_tk- z&O~xBbCnhIpyGO71(oUL@bqhD2|xKs9?zG-SQ?wmbUa6hMvlm*kVmw#^jtq{@vRH? 
za>|7WC^YW{z#L>0+4duxDhWsBEk7wA?v54q)sI)l>L4P}_fco)N@ zhczQC8C6#j@RY1iSF z(W;V5pr$^fAUAU%Ss(3f3(9=(6&o!$>p-QX8Xfv+pZw)O>v9w39hCuJZ0-FlS zKeba>nr2uqLuYvg$y1jm)l1l2d=ap{+ahEe3@~uKEs-ZoTB2?C0|#Bqg>)K$E=t5vlywF) zG2tQrAkLYxu$x$>#=6m-mug|cziKH4e=y8Je8y2LoSCM(eP9g1)e(~lNPb?zePDIh zOED`ZAB#FhCMuyPkwn{fPwY``bcuMj+^Q|E!K_P%<#-GMir+Vli#J@S<3BMs^AgEe z;2HSKU|`E(*nus?2@b42^H1!q3wiAg*NjWhj*8{p0jC|CbosO16A5K``gE)zlq%!= zw_&e87a~NlXVusqW=|5YET~{LYr_cIB299z-TPN8pnJUCoSTk))7nztaqya=e`ga`*{HG*33dW7g*p7oA6reHZC6#qO`@TXUJA>!F0R74E& ze^%+(Q4+(V!ahnk5!q1v(OYzG7CJ>Qod4@{OP{lX6p)qaM8P1_m|^asRk^xRkda750wCIMcrKywlDrAE(QO>2pK@`ciDsyl z8a@A>Z82Td+#Sc|eU7Lb#byn5gwHyFnCn=QhJaA5bq=NIGM1w7rH}dn5s&P-hxq}D zAD3o(yn?_;sQcszsX4BCDN8eIf9z3=h)B{@{_i>w=o1_CE; zxZYnuFIcULM;xgbSA7%q5QfDf84W-R3VQ8pT#kkN4+gt4ADDTWf8fn!t((CMa%K&V zCa(T%2N!c5aAa4u<|e4X$5+9$P^RgFq7@1)BeGd{Mj?O@(L^FI_!g`}HM9_~3^`d) za$D1%Wzkv9xhLorUES*l#&XU^D=$$pH8&7o^y)O9X#YMB8^N}i za&RdcEFb1*k$fdA)j&18NQr=krcTVm+D0uBXeJywz9Z!J?oSd43!F1crtIMN z&&bGA%R9k@B8XQg&B*V9NS)88%KYuEdehxC2(;^J&ALA-NuXvt!yFFb^vw{eEiSDy z#=aHOV*0PL6w%GRI0-TQSWUVUQLKiA5yl(rWCz*O??fB3%8lLffxsop^4SjD6^i|e zAmE+dM-BKrtZy4Nz+NC)KjnmDG5~kzc8fLToh|Mfwc)8xbyJNoj-d1j_uAZX{27yUP z=$zhT_zc3QLg}e4=a72FDcG5*Q$D?Bh?Mm>&>4K$=Z?d0tj%-+zzT9#MSJvfS0lf? 
zITDLw=>XBlThkL65hgNnxNWjT^FDI;69#R>SqVhnb)ju*I~aHCV>cK_3Ddm7p%9T9 zD+{beRPzoVsz&29DDM5xj^b~W)|30bJrJJi*j%Blvj#>wmWF;QG7CpKj1bI213jr9 z?yLZGPI&gdU&ywTAdP1&5n2Z(c0;${Sv z-#vc&92t@fcDa7)ki@~`R`vmdi8zpY>nuciXep4a4+@XgSHB&40u#;yddH5bz$4ZC zb*CgqOgre`BUt?aw2BwO6UZ{+`nVME{grmcwp?v6h`#W)Pu_FTLh>~51BnIx^oCCu z{l*17o6kshuXjTmuw`2|J~%JnUUpf7O_j5c7;|l`2bs5tM5`cq?tL+%?4aQKBlIEx zpwALxvNF(jEOfmilp2VFR^iumq70u<;$eHO8lfl!pdEJO*5b4e?t_Ebw!z#+9cC*Z;CpdrVT&mwBdx zx#jwQ`K=Jh|L?;?k74XScEwWrZzXN?ELUN~`j`zit$VDP%;p z{Jmo4ls~fn^6;qb{~8u`$upR5Q%yZ2JZ-~#Y&!pYeVVrk z)TPR1R5D<^YGL@Kv0qqP@2Uim*@n2t4LO3uc2Pmi3Q<} zsis(UA|CJyw6BYh1EZx66{^cs z4?R{>mcu7ptCjWImKt(8$VOOqy>P3pZ%+y~X)Z<`z24yq1z&hbSZm;Zzk6URr1J`l znv{_m>U^6)hsw{0V98#NGSxfA)V!9=uvvsNX(F-vf(OC0xgb1a{P5p01)^vVC3@N7 z2dGxagKc_7jdCkVHwnk3_VU=d8Ksr(ovLK9j%(6HfKgF5+9QSfqEgD@l3>J2IaBQ% z4>`3G?HLTk)lw!U%z2L6u7R(J!M>xqv}1q8GKslDMr>xh|07lcxyIr*GdFwBzgfyt z-+WVBQ25|t8jX-~uR(EIxGO5Q{MF;QTS0{dZeNxO$l>Sh|+E_(lQ0etq{RV}}^Z0N$U~4L5l$wE{56 zMm0(PI>^vYbo#RpY$VGAy?JgOrs8?zLKS{QlZIl|1mys{#?`@``RJFJouJqTp*_UQ?F#_is!%%<9Fq5;~RzrI8Ge7BR=wsXIzbm``suF zonFPz+10pLT)qqWuTo9*?f8K?U*7k1&nVRNa3XanUhtz28omKNadwE#30^J8fOr>! 
zo0K;C{ULTo4G-YLkvL?LGQZ-!E~9RFc)%O#0Bc(7l4%gkU*+0Zy)VSjBS#BEV0pf$ z&RFNKv5Ok~y=MCRjMIv~U?JL%9oABKeiDzknjb29dyvgDJZ7|M7aJmgdLvv z>Kr}O6f@LZOPP3Q3$Z@U89_O{Nx@6th}v-wC*Hc=<~G(B$MH=M%GpvYTD`APe>13| znA;K?u3XL6`w+Rtl^?!+F=S9y1E17d?y1w9wp~L8--~vX{x3iJT?axWJuW!m6M(LB zR&cG;6O=c)uIB`xMR-~Z<9ir|{*&gP)CtFdTxIRm>uV4SzuOGzy6%1m8HphX)ZSe2 z<;C64TN@Ra-f)CU=%mDoCLt5GtYhoQk~~}Y@vz~>{5%a5AjI~9e@ucas`s9=u~Gd+ zvVCi#q;kUJTBU8nB|6-{mmLJi#YCEYCrZmFC!qU^AZe~m)GTm73aG64ef&nU z>)35(F(eHgwL)6KQ#FVU!e1>9TzqC`QZ~X*GzJif6(CR^q!cfMK%CL&O^%S%r?+AI z2T27LtwkR+LJXeYi%caR*lN~CoyZ6v2*pvvp0ymj)Df|t(0Qs@`$h;JayPX7Eb&=+ zjA<4f=E0BtovmQXc*un|t|p(r>k414tUyw-Qpte${ez#xtm7S=&AJ)pv3o4WYX;=w z+74*djL_7`7zM1jPskOGqsihvKo2#HDPkA;$dv+dOf?H`2sajerS?2fH2j&Sbe4l5 zP@#<>7Hb$TUXM>iOP2=P!MPII)cXQfwuLK<9(FQXGminAt&8ng2UBQw0yts(bZ8F{ z)$W^6D=n^ouM{)}2$F9Z*VrSGkYcLw=iAejLJ38aWblz>l#0p|5CLVyh zrBzpAttZ4tTw09DiNtm-hDRp&K4x*|EW~of)F=zv0u5 za}$!&!+-4MZWJ3VnKD6H!_(@&uj?X>oW_ume*YWa5ya!I?g1Tb+U`p>E-KmBz1S{F zvPn3@NiijOLHyUjr2#qJx(R->i_d}ob@i4`SUUg6r58ZJ3jwg^6g%_K6_EwM>HBd# z9h=+V$(}VtwxUj)ZN5|0C@d)f@rv08<`AWVp(7h31L3 z%WEXwW`GfS8cd|q5X9&qcR^tJp!re?klGp0^s2Kp6#1x2_jO^M>i|}+4ISn@9`R5b z9W63iB;^zJ!|OjmPxzkyOOR}@L`eR3!-hLl(bb?|jp2Et9;9CF++RV?^W;$rN*z^M znd`@?PZ$uK+gpzZF!YA7E*L)Lee!bUD7OO_@_}r0Vcsye3uv0jr+nT|F!a%`Rd0GG z9jEZ<%WQ(O**4P+<~N#R%NL;lJmy4ivv!z?l9x@S@UGessT<#N;ZV1dHQ3IQ=$Km) zJnFJX`Fy9<@I8pt;_O^|+VB*Y5wiYl_R>ftWfkU!t4qMJHM7-mgInn~umuZOzoeat}V1s^u zg`Q(nf@remi_n*ybwO=9fbAKQqS|iVgfx~ed1~L+O|USIc$7$(Z^H;9t_YHF3%oZQ z%6D2Bp_?iTBy-)~w2oHj+~VKADs`tQid`Z1juSg&hO+yypdGDM5sW@x)(%5I5-nTM zuw&C-P^*L2=XLD|JtHk;q!D;dPNszeO5c*Z-rKGnxJ$ionCwG5xC@i%>K<0RwZ{Q#2CVDDv29wE#DqPh8dS%6Bf#IFeyYT(Tx;%=W4ES<0tHJ;`HH7$;j4*fxHS}lFJ*AHKC$Vs3 z-peR`XqTgWmg41{3Z&A^8~G}#R~Y?tN`4o!N@OsNE&SdGP=`$@5b!}%boB& z8s3t$FfhiK;Du`a$hYr{ZD-qOKF~;B#zDFxBL=-n$Xl|B-4)e17zTw~0uw2bs3LNl zY`!|M;^rGNwlXCUvhUU|a~Qd^4t}y*;G|x<0!X8+sm#EREi#w*MJisCxBykNncbM~ zcNU@grY!f2gf!1i`kYxR!=FgjIDiwvqGVOp0JxVq9KPO?9HzMYd(M+`O#uBEMa4J2 
zX;qz1k%?bgJ13%-zQb1X!7p`ktG4~R*S2lDX7p_}pN)eRoQQ}K_0r2gawXT(F4DgI zf8*}0gW~w2c+U_Zkl^kN7F+|tT?cn}cXxLgd~gX6oCFB&?h@SH-Q8s;zk2)j->t3P zdat&sXR3OpdZxSY?R(EX=X1Vis+kR2m51$qKsZ;wu$Zmg9Aaf_?rt0D3LcwgoCKvW zg|^DHAps-)`r(0FKSt58;pLwivig&(Wj=nuOIHC?mT71@?ai3$IZP5LF6Y1rzLMQ z$>$gghrtw2tU04l@;5iESqVX2F$`JF__ByS-;JYl;sD=sQ)rjA=7z~{IfFy`*@~$# z!ddtpgFkKFkd5Dt{e$ zoI>XNTwZ^LxJAb}QV}0j0xMzIbC=i*adJ5`j!-@3=`5RA?Y`$BERLjGROKWKDiVZB zixHzHvmc`pnsrh7^?K^I`v?9nte>p_;Ikh##YeWd*Rf8o74*KRR%=dfLz-ds;wThb zgv&%Y4dsqnCK1_7hB{NXudrDyN-Bkv3Dx4z7OmQw-liA~l4%`<2!>gD4wBNM$xPfE zxfMhpLym`sg(=6MSKW^V2$J@Q%ZIVC+x6XsT(e)nt<4dl#a8Z|gTBm8+NfR)`H2VT zwhrHPqyD}@&B&=Qz`$(W!|teM#~EyvSw2{=Ny@O|f#68j;$3xu5Ar2QpKZVLA`_E#X(Eh6w@lbd!ehrB#^Pa` z#+=MxoO7HYsC$ycNTOt!tqyEm@?A@W7y8 zi@@Fn@uT83RLTNh3x<`ec7QV7?ZssS^yDNZzJEl=cY7{0(2&cf1v73A+hN>Omi+ck zB(cTJ^+)8<^N*+R~er@Mu`k^C|$&1 ze|Lg=H_Y8s+h(HJ@aNnu`S6R47upjfFPP$BXh#lkzhbcfZ8q5Wf&;oxAl%PCgWPS3 z(6?@fR4$sOGx$U!iBy0|;`-VypC7(v5hSmTER?Vf`^&Zzx1-y*E(}KhZgeyiV@Uft zd}|sza#`+BN*o&CM1|cW)w&^^omGm-SoicDv%wLaqU^VYQBA(uJ)=VFF4@L+N=|6h(%^0tkw8v8>j3Nf58>U&#%kN!fVmAGLX9R;?g>jAWc z{7*%@WaNCogmfQG=b8+PJTCjx2lUQhaZV+y{kmXvKMYSw?qO$w`u!6;q#=)RX=8O1 zj!p=zo-vvGIJyXcYjou~#qmDbBzQg1@`k%XWN!MmFitmI7v3$K1M@)@BOIIey zQAi-b@mGLm5~`#=w}-w<(JsT1{ZY&OXN@>2Fy^UDM>KRk&?ebc>`}p=G$HJuZSqUc zz*tu+E84+aej`xIlQMyrDV*02If9| zW+-R2>oIZE6*|z+BObUQds?@^$*B*~XEKwvx5N$!q6u>KVd5SQ*IGYGKCP>rfigtu zHztZ)BVW(!@KI0z3S+wVF41j-FF+0y z>p!^%$XRS>Oa{+&!cK}k;cF;!)Kk`-?K7@^kHRq1 z^|gyA_cROkV-Pn6DxqOikDufW&Le!5vhA6uB-x|sz#@Eyv(O|?Rvd$SsL{1SpO5c^ z0b&+f95@9WTBc#IV&RV5fK0D+0{wXJl;cwSs^s`rZ+HAxqkEFiuQB+Lov{3=FX$4@ zoN64`V9_f-UXb>8B{L}5>5kOXMubL2E6j7G z$bj0FD01abWL7--);x;RVvK6r3j^wpz_g z5bKrfJ1fSaro7@ck81DNJW2l~JST+f1Nl@>MA}JSGK9O-(JhwoMJ8PP z5v{(rT#(l(;spO@5R}p*CN}-6m`p}MnlPDblx?YRrc(fWm&oP)bgRJFcDeuQw@QhH(DOeFG5}lNO->79tN?ROpBCh)ap1oCF07h z5Pjb6=zS(cVsR-ioiPuBn=LOu8E1oJA;CEpj|a?mLH zP$|rs06+%VK|wpX)5%MD%g%8YO|>0i*FIp$_GD~P9Q?>7)9-zyGhZ$^)310k$Tna; z*Ep?f#jS#ho6_Ntk;M*Z@Po7QE-2t60~>xZo_gP7!LtgGCchi*nC+OEk(~5@M;~~M 
zs4Jv?-+zp#siC)#$4I_O2{;P|YsLo-ku{gG5=pXo<7qZ&ba>ID^Bv&gq;Pb~i?kXx z={uH%0^jTi;@pyf8y4+;%K*|W4nt(N_Ga=;<%^K90eX++wXSSKmt3+-n>P7aNvvi= zS3&+P=X8fg57cTk<$}~=6O&>?slGFf%}nWi4Q%8%cEP?o)-Mm6Ne)?-MjR+JE_Hf!PSDuMsticGoi-B#ZNEx-R^EtiC!Msw9~eJ%FzRL$DAP31-Y&8zyv z>YDsF!SieClEMrfmwrg?pWN1`dM!R0`QN4Oe-;><^u?}KTWzX%O&1f6kNz4x{;v9+ zOe3tRCZ%3lO#e(4S(mF;v2!J6`ZY3{Zp}ZvsKwE;T1%UWJfSeg>H_i_z!U$;3B|V0 z63sqSw^JSgA&p1;|5t)g|4U;%|KD(6Qm~rAZ@q$Ho~0I7qw}F+2{c%1uhpby%gbA1 zrMsiiBc zl4Jh?12L4~=&@n3#YDyu4?cLb^rizRCQPg`KEcpLIScPKA>#~hz4(6{?rnTXYM|5{Z$sNCFKW>!{ZJHGXQxPy2iF#95^+Z?BD zVw?+|)N;|n@r7}X&m=BV;*@24ON9jj*KW>b+Csg)S-H!CD zJ39q;wZOh_kNd-Q^9@N!n3B}HPF!<;bW3Gs?f%`yd`XIdm8;%;_1DSqDWuuh#k|w+ zDA6r@5l#e*ox;Qw^o7+9(Hv`}<(gy1QGrF_6Nl>1Q^_9DY%5_z$NO7bLn0BwDUl?5 zZ^+Twtq6N+XYjlna2O*aEL{`uj=-LKKwZdV%Hc!(xQfmK+h@KM?ryhH)B^_I05m@B zE|+mj+`98H8LNTSC*BmS2W^ilGQ&LmJJp_*U61& zZl_`0PkFC3yUh}ed3TXZ^?8P8xE$v{R>cB+sH-J5cfOx*V!e{!>DaA1;GoTn$Lr5Z zP+F3TDNQmKsNivi#Y3=bI$6^g;%Mz@^jnTUFpYBT&)Uo_tMBn38!GO;i}?{`p+%|1 z)H8Iz8+~3ETW`dYJ7A^NZ)juAx=@}T`;5t;RgoFv9T(6-VBW`y)|E$AG-ji<4r`96HuOG(&j2}<1CcQ_bU>s81Cmz!In4pBr~@@Z>n zvpkr?WMp>KcXB^@D+PXpA2@$5#2rEG;UN@VK3OH{J}~PTQB<_ zWE-mj<0;88S#&mzTkU{y^%}eRymvY|YQVDF+ufLj+Cq)^WQ@j;&vMZ4wNjJ)llxU5 z!QcKZb_V;5*kD^bc0YR^6rv@UAOBMD)TbgeVbQ}L! 
z3~JO@PTA|cdm)rxsSTD}=_dPQS(CXUaG;L2Cj^LIR25{Tpl4t}GAr$al`|Bk_J7>P z*`2%o4|#$>qdTU5D;=(}>DQW(q8e=aYO&~8{I@AjcwD74g-5eL+ht>%mL$wp&q`zS zv(i_oq*>)_7_rcm6>Ct-Ue8@aSDQq?_+>b?Rn|KFVjf4JGyLU){Pg0spx5_5n(FPn z&WBUiUHOl7{R|KwTIv@xu15QRlg~m!LxYSSXArLPu6}fUJ{7{y>Hbej3n_|Xd71qm z@}-C~^uDSet9GJsc%pwP&c^ZUME*(Lv~cRt`9!w!dZn1BxNEDW^WfqoI%V+W6*NnRDf;vkEJCvh7(W!uh#q71jpt4hMNf zz6ZQ`dT|?PoLiCsBCR9%Ilsjq_(z~w0dO4arHJvngoY@;*`<5x^gfUiXZSp@d_Mn@ za}Vk+Q(u_M`0{>T(PE+!dC$Hv(t9s69$*%(j6FZ$ntBgoxOz z=FSu0Mlxpaq<~c_-*~|7hXLqpGVTkg9W+LVFG!->OF2f5>2M266#zm2a)xq%nKB zELO2oY8jeRS}0@?pK>yOKbmrKZCFRMtONJ~d({PK`+rS5+Q=OKTxhQuLba3}W7ff< z@3wTwG>;(#B==Y(3O(FSlU}T_%6M*43;J(EJ>*_lG^4{Bg`yCBy5IH)K&-`c)1s|X z?jZUGjbaSe=T9JHm%PUEvCB&;F8!~^e-(3j_39g{HxMKUAwkM7wn?ckmLnu*2o=j- z4l$IL2Of(I(DXXLg?t9OX$8ihK#iC8H&UzxQfjj8z40NgadjO)f;a^VE38I?uvR-T zGK__tGcuPM)mUcAA97wbB)alwwOZR<$}vO70IY&b?UiPql7tA{MhOM03c4wg)ZnMH z3n>RdO<|f1tl)EhDAsa>O515(8u+XotLF5D0-BFy$GLF4b5gLY#NHHV9wS|3WpF`b(7T*MA} zv&6G(1Ds7^$GEC+>}oMmzWt&0Ha)b*l;qAmwzT5aj~z4nlQz?spF}lsc|c*=f!hdv}zdsY&Gss8o=H}xvt1)AIT!TRfwS~JDN={oyw94%@D@^>ws znlWovA?lI2kXA)F)^>iGHob`OCtD4r9U;Kj*9Xs4e>^vAI&@n26ggcPU{{#B^#DqQ z{~KTZwPo9YoZ*z{kMv(2D)o(n$^1%$zk$cl-ZZ19fkdyFpz#SE*LwtEPnDN3ig#KjmzS4~E{Euh`t2_j zKZn?oy_GGhOVul^=$|PS@cxm~B~d$5En66{P!R|yUil`yFr6xwVnIf34}S!Bs{@{g z?6K!v44%;X%*kg)XJ@g7hKBwLi)^oS`0FoPJ8IWjfcvisV;UM7st2~%o%dv7cBL~X zCKOELAQO75vJ!={WbZ#RnmR8I3t#jK9#jAgN>d$4_}L$@WUDxfR=nJ#9{DF zVc(cG#K`c7aN-Os?L^S9F!ajK{$fNfJmB_ul@LxEx{Ty)7oOronNXvnW1s;5g)59i zM&!Fw2@v9Q{Ngtm9@c5BP|qGIB^kan)o6%*nJ}|HtS#9gu%X*{Ag);-$x7K~cNmTwnNp`xh>U9qI~@Q(uB2SeJ2gddU}+fG8}y zL9S=!X?9;Q6FA%hJ=riE-gufCQOPWiXw~uA3CVWw6=3wJxow$(n#a(>7Q2X~~ofkBvsJM7Vxq4_!krcK7t!{&0fqwaH=x}&0L~+?Z zuK`{i=i1QCgCa&MY#5CR7VWXXPh9CD_Wfpv%q&*gZF#Q`3L10`STgC** zMl9cu?#F&Rh#X@V`?=^ti>C3!C9@6N@7NNYNQ&7uW(;jx>Zj-kK@w1TlXip?-j`>L z8Wy`L6_`)WT`POE;__*cgVbC*hI-6+eAv%KWSio?`pe8{taF;calrTpQ7{ODeRCik zd+I@hBK;lleJ9-{dIe8_?HM{3jBN3&YYt&M;l)`|3=OD!3wHM>7&xeXqgc;oi3<-OUOg!rT}f 
z&`z1aEvkt-VelAVXT({HL6aXd;dV8e$2)wHj&dy;-bUEcwe7{m9A#M}Aga-T>gC(z z7hxKCV(bvlju+6#14->!B@$ExMZy+~Fz49V_ki330;lLB|w~cCX+I6nnzaRtGMivfE z*pSPCC-CC%p}!DbR(@#AfwR&54xc~vwI@S#YN_Xoc#E;)(~R7RD~t}A&xCD8Aw>c^ z%6YD0%jUt9Kc?TQW%M#}gOobO{4(iE4kLPbi*b}OYQHOSz)dY1p_a*q9E-kdDcja) zptx9w(Lkjc?wmOjJqL22gwCgrL~;fzeS*JYn3;G~a?FwDwKJ=Bh3Jifvo8N0AS3`k zc`oG14Uis855RxQ@)rykUsaE!@IB8Klu|T-5b~0(i4tZt) z+p1#U=;;wbLo}SuhrH-p7>>64-wy7NK+tN$8q5VepO}`!Z9}ZeO1Df!uLi$b>lA43 z@npvy7#KvOS(jIuE`M{uWd?AF;-L?^pA;`HLe!13-^4il3GWdht8|4 zP9;YC6en&4`5ZZP-`AOQfW~iQd)EnX-Z#i`fd(qIK~Ajkr4M4p?}#9>5eG>g+oED% zAx{fE;WC@@$#KCN*{$p0GQ02#6YC93^f^zOccRjg7dx(pw+E7bk`wrtDt(MfDBf^t zM1#`z<@b8WyA(ao9!cFeB#*+}Llsll_T$S-WVI ziwqz-;P4Pwte72)xjTDre>_({UQ2V4zkF(my#y%dMZuQb6A+OE%fulIB7zn&MQ<)! z^(o!QVNPhi`6M<*4;;ps`^O>eiAI`lnx z9;kwdZp2p50V7PU`k$$CL}tkVhpik?vx7wb)JRZtqB6R&E2&|6CeG{8)7aI`C%kA4 z22o%2f-v6kGfp6SPxyb^KeH|VQZ8mo@x>_lm)U4JBbEU1n&SR52L^{{m78e^mX}#B zeu<7ZSZI>Z2jN7hpF zvL?5dt@u;#pDR{UsNYeZQ;%N5_tHJ1T7xR6U!+3!zBPwCwc=mv0Y;rK&7L92C!Tmx zr12D_rS5oRhv|bO!{ToBK|gTS5iJ)`&LdyA2@Hr+K=h`1Zf?j|TY!I5cv8hLS=j2O zC+6A+QLCbAJvl~VxE0YwO6c0i;xae;GGEl-W9JyfdKTN#{n?|? z#Gh&K_m2QEQS_7fXtCrXmA$Wbg)-3Ot;-WYui-M9_eTXH#ng!(@AQz;Sj@Xl@Odla zd5bwBB&E+M?d{xb{#f^$mEOEMZsT1X>-UuYGb(56g3+ct?Ca4&Pun^s=BASSqHohW z4}=;)06z--($ZgRnIU`mQ}iR8XkjD+qX$b_{TkBBT;G4YhugeJo*;Nf+oUoatkuw& z*x927t=@MH{-iSb{ykY)_)VpVbX0kFHqDv- z<6DD!zPa{qWeJf*e`xM|li+)UCV7~%G+WUgS~h?DVXSP4!q>!%jG2x}vk@O$*nv}? 
ziGpvobk}PdIbTUflMc)K;ZuPggiCSQ$&vk?%!tZTfjd}@W?ws<#06UC1L}|Mx(f$w zMAugtVG{`WYEWI>31EpZWoEoV8@bs~x`Sur)O4R4_K~_JV%U-tlL^e>)@SH36#_K> zSSkk41P!^KRYe+9D^BXRz*DGm6_f70>D38N5kpFxQOBRaY0lO(VkE|v5sGzYzO$jj zbpV3o3wZpGDl+h5p9)B_uAH2%12%Xbj(Dt!kMLGNQGIoq*bb5MVqt>_Rl7RKg4S zm=VWN;mCh`VJO1Qz~-V?Ij4j(Bi(M3*jazrun_=ms*n!$mG7m3T0 zYjD&*veH^v@ti6H=gXSOY;*2wARN3@E&=S)_=?XL(N?+5OaP5N2#Ij}n__%serx)m zIB^|;tMR9!x|3*j?^U$Ri7(S2pQoZfhFC)hl;E1l@9z z;YmvG1Iq4c2%FA7wgh;HnilmK=409XAdkQ0{CMmoFWP|BuyF)Y0dg|ZETpwX0LbA$x-Nok-uTX zjp|2W>WV$$E!r+@2GI!;f0X;v1?W&}$+(k+Nl+d$n*J^zS{%N0(kO<@bQp`j?#n2$|6RKNJs znBRD#Q=WmoyEMLPV4RT9nmv)bXPgqBt^v3L$u%_l@J7#0EJF`r z<7DIfMJs&hQ}f&G5-tx6<0jgYUBUo*w@00WVvJwaAzQ?kB3$0fJgz8JIi3%!F-~B1dO#a>W9UvcO=n|=f zK%x7sCJE=a&6mmq2kW~JJ`)O>VP`+qtrt*COHMkqS%BlifdgPak9SWfBVF|5Hb3BB zguXL-xGiW|Q;7KdE@tOcmgi7ww}DeE3%_Lc!@F#C5_YHygIg5*qzL z$@fCQpU1}u>3cRh1CU=z@--`{@IgflQYv}vHkDYQp`~bu-6|Ds* zr*Z7nDnkzAB&A+ML3k(BO{!l)gG#F3si>mXPiFi^R;gke^=*qrdDnD7=o;5VvTJR8 zSg=~keWVdPB{bb?Z3H{m0{AI=z zkqAR1DYprOgLrBsqSNfsRzt#k!ZrIP>Z8;SjIr4G&_f>kuIfrSIq_$Q<@`I*YV1>q zb%aKI9M~wR8U^*};HO95VhmyB9gU?SnCmz`(X@Njmo;0?+r?s!98tV0I?cK>X0D^4 z3&Jl)W!Sl@EvcXB#X9pzlyO2{m%MP=+ay91`52 zh6NW*>bQoM&9e|90z;p(Jr~?2vHjNECu-t8uL@4^t1kuBrC3I|X@da%x>1m#Pn*7m z3~vvi{p#wklF1%qoCuH_P~;1q2+emtt7vk7!@u2n-2eXB&?AJ+V5>+FhzgkS!dg1v z0-eq?3ZCEC+Bix6j95p@VqfdQM({?&XUDtUPwUY=3uiIjr@kw%_Aok(d)UZ4F!Un+ ztJA$%Yr^MOl!>6Zdx+a0e<@lG2bP@z2C5bDixYNQ z>7yZHuSP4Z1hK^h9>*>qbt5l19z@IzOxTva*CYmmo!{5%tA>rDnBOs zO?uwc2Gn|8tGUeT#{_TEI4pJGFwA6oNzLT>p4H)#>*ilvTtL;T@Pm^kksNLV2^`2s z@Qds13%H7WEBNtGDK*F`Xg(b8SBOUCHf$2v#eG*6BaV@{#Y}e5nDd4G#3j*nJ|pC# zJ%(F85YO+aWh`V*`Dk1cAhP~743nhbUmx(R< ziY`BJIMLYtTF9eV3x(c!IN*G7lX`jK!z-m-r*{l>0P3rPL&KCN_}-JX*%R9ZiYY8NMD7Af3bqUAn_e zXvvD61EPxheMuWEx$eC+L;;(KnZ{6y5I!5}Sh6Gx&pcbr?6I9TKGO;&jphc<%t%!LV~am`e-DXdif9?B!UK%YeA1*0h-qyFiR;)oCv^r z_!DCW7GP+(E5Rg$4k*CTNZW4wz<`r}r75}STYs?RfOVrG)tEIV}4Q8 zV|Sh`LmD+?*k$?E3V&>qfa+sTs`VoNeEG%$vdGiqYa 
zkQd#@p<7?7++ui&)zQhK9+omy*o40oJ#{2lbNSeLW=+ViMr2*Ke)*zVX?>jO~C`S42FSF5Odpj}FFDk#Ug)^WEr8O3V$Hh2Zk`$wmSD@9pnF z{nM5lbG$&IhuPbQ!cdyq)DX^d-HG=WJ`<5x1M36h9q$uioTWGKKG)vfaHHM{$rAoc z+*N8mSh91Y2oK@M6{>_JwM9f$ls*!kA!JB#rmr2jukm9749|IpWZ^a!qBha2l+lH+ zOfB%+?!6?8JDg#M?g3@%dS&ol(F6PvECm2qyV(+1hy-uC@~4Eq-3h3*mQ-(;^5-g^ zzwf@oB#_AyUL!llZR!CjmGYn+Qi6IZw=ByooIBY^J`W1_w{7Dt1U{AJo+KX45Y)h> z8YdXkSYlZD@FEhKEt4Hd;@jEhJu#s{JbD?%GUoV@k?yxADo2fLm~GEtfz4nXu}~b- zuh;{5l8=4ssm2px&4$41phX|<_T&(NVs@G~+KnP4W0D8W(Of>a0p3nb&-VBIvJzq= zer)_-a|0k$^+|E)fiFA0BtLfA#3b%|Ty>y(8qr9R0?`)=)om~;$7Kg&&>Bd=Wa<(>xIiCd;3-=vIuD7VrO$R(BFU_MT zDKR&V@ri$-6j0+&$CPK8T~RHF-A%9z2PZ8R+!>?j#TGklM zq$tip73qkT3D9C940h5@Qsk{FWZTujvX1lZEDQ)YCcEUeu#1tk3wI>MiML)WLf?KbC9ck_XnzGu@H8 zl{BIBZW`7$)+ya^6jhGEp9Z1$7gEHS;_1+gAdcoquehU<{);@{8E!q(_211?t=2!R zzvi{F?Ilmhl5ea0NnUbIv6H~J-NoO5(dxhGU$i64&sOMcdm zdYQ>4HKlK_-Xmu`3z|i~wp>qs_Pxefh0ISC2s4wFk{74_F@b@pyAgfW=2xmA?w)`U z4Q#?Y6mTL$Ar*1h1;f$ttB{{w<Wka*EM zRs28w3dkmvd~@T1{7*R#vXiC`sYx9J{ZBd%vhB@o3PL1m|Lr_VIFLZ}EdDt!UdTEB z&tu=v-ZKLWJQO``8FFN%X`UuDysbTRuS!Yu&}D3ARa@zlozu4lj}$yFXK^m|IFKI4 zB^K3fwNi!`@UTon-sh%@jYS4_lJ`=EOJmLX>c(xXgecp|zCI-=%y{>s97P$+KECI~ z)ulnRG#DYTEj6s@V{?ZkpiFv5?|R?aV@rC6_=DoGEe7BH1KHrZI}RExhs|B!uaq6_ zBmrXzS>_qTuc^7dm~SO4=b8{_31*%t@^T0!MWHDfdGMf&MC1z8>v7aQyOLkbcTTLd zNEa~Gt~n{s98wSd{rr=j#AWwV_Fis;G>$9G;^2KtV72U%HGPFJ{44f2u1*F^<$`;C zVXIbKC1klnI@fYxIsLZtfx;l)cH`76aJ+Zk>g^Q4RQAZf0mY~M?&lQB*Y=unQMG&? 
zZsJ>Uj}$^UKm5S)KJ~9sNuK-1dhx1gIY62I*YC!Pg*3^YAYae(Wub?HM-m@;J=!wT zch885R-cs_ji-!>zwOX+K3!&8u>LSSS;Et9VmUw`zFu{OJA(>kNHy$naq?Lz^zSLY z(-RuBb^}GnlR$<+Q7b9h1SMARD<>SvJwq4DmNJNml(V`Y`ofXb*ypNz>G`%7$FE4I zGrjY}2{8+bYHvfb^jxWZ2+Dy+iZwg@7VN^2CqAjZH>ANMnfURD`_?)w7RK3oP-X{H zXNHIH?*_uBs^+f9UX?`E>gc$c+CEhDY7nN|MQUwn&u)1y^xSpL@S(vjrUR*vhDOJO z))yHLX7=m{+nM_oM*Sja1}S5Pgw^bbzXg{wyDZ>Zo!@pW(pyiU0N4~Cp5bCFv_;ZW z#eCZK8fcy!If_0k;^7UBjCCc#2+(JAAXX25<)3_rWA65jIc!V-L{x;gMI%Ry6U{NN zg&3oVRGF{hPbEy@!s(h=r)}J`G;E?91n*+>;do>-P_5-Wfp^ZKFW$6U718FyD!51c zBE!=?k}|*QmR38}pdFhA_kCi!<9O&Jx~%$mNND{H6#!96nIV6*XF-mcdm?8XBY?wp zEi%r{{eeu9U*-4smy_^HGU&8wcZWPOT#&5I=6EvANq`tEhkZcOKBQ+)P5bVKz=$@M zrk;FLFRE>i@96thunUA3+~KRp&3^2wD48KD3#Sw@zh$|XehTns>_!fj*_cSNNPkK& z=BpCc+5cX9KNVr!ZRk(&xGr+;zipPk`N7AD7SnKkj!$0z|0WP@N`ao}D@7Nt;!CFJ zqZn9kZQJ{wZ)uqlHbJ}1V%00^$`VA@ImwN-W#@IH`(Q@V<#ovHBZb5COK!+3Zv~ft zH$qnENhHcB2Z)JdqsshPrN#W~R(qKN=t7s(`P~y;DHLM@mS$fO_s(AcCMSYN{LtCC zXh9mM#sm%3e6nw3pL>`i-%C|~OUr|EOui|^n`H=?`=Yb1UGng1fNseRrN+}q#ZHv2 z)JDjQR3$t+hbaTJtwGNKxxg0Zeg19y4T&$a*YB!<{ioW7q4W# z8o_UIGx|g7F|Pd~%6%H*&Q9Ux+mmI5GzHmS4UH>-1~`^yoSu>)&Yu%E_^h2V*8=J<Bh|MhZ$tVIu6Lig0lt+Ub1;L$F=21Q z>M$_+eKHtJ{+A5L`Vf|hafgJJ|Fh%er9+D= zjPJ6H*nT>Hgal(26&Dc6wL5Q7`LMM>P|N3&qCM89DOolyuyAmKNR?+OjS0hk{`w*O z4)2(%&%O2!iN#vtQ>Yp)4ASFD!k)5Mhre@Zbo6BZBHvrB6^3WHQ^6HC6HW`_E3v*o zK3^`xI`9lpDu3J^=M&Ravc?CQ9C~kQPBmpFr^Zkhm*UP>kssY?M=f8?wRdtHBSe{^XB1YgimUGhEJUls?ulvziMIg7xBfV+1Te#Q&=xf|RfHcw`R=)3WU z6ol9j@`EGGmm928ZC$JV`@@GJGR#2raf6L>Wk*Ua z7C6mcjt*^3pKMjuxho`0Gvmaz>)L^1`Nj+{bgX#%9HWzJKJ%?9ELJX@Vb7MZY{boK zg}obhpw*p3$jP7xy)uRyZlZ@6>z-^R?*!iZ0;LD-`&=7On6_D_xsq?vUNT(1lhdH5 zz@;RJE3Q(KD>{ebpojW{j8oEsNR~@2^m7UL9~=>jxC;{mrY{Rv2H=_ubl2tLeOd8u zM|jartfMTGEo??*6eMh(mkq7@_#a;4dK$6NV_KdYHnnW{omeq8?Va&#JBTB#aPkGo zavQ@wujjwY$inyZ&F<(kh#OZc;|Ga!59Sat-$u1RY@rZ%P&FDWLTYbc3`}z3ik^bJ z3PcV+Pge3vJx`k8_G|W$Jfx8Ss8J%lukY)G4jhyRg`N&!?dZ4Bz!OF*)=MV%gTnQz zy5!R6*nVE53BY}M63F}6al&ELA}}0Dz}~$0R?sJ>F;(|>-HCO0hH9M#tp=F0VC#c~ 
zVj)n-Nx}yUDSZqcKa%D^(_U5H@V4cfYu=x5loQdJfu{du6>*=r)+xem|7~c$;2QWl zGZx0&nLEX0)K1X$9Ob7oq`@qQK$S~U{GtO-y3L0~4&?a1whVuy0e<6n_(JPeh(#NU zzBNMa8RA9qHvf`EY=!f^JT$TtsDn$a{)`NN-v*MG3ro=>ITVJ|Z|Vt=D4eBQ+qA+8!tsOCjXiDZDEW0eTAobkk$- z_6#qq^rfg%`j+&DrgBPR(sm%?=vF#3V%QUiV+b+;KI@p0vDq>Ez3)^v_jQZn{mAkF537gW= zLJw{KosfE@P*Q863j?@`q;+83^m0^m97P(2TP&YrH{W0f0!H)UkGzN=S_IS@ar!|; zzp3K3IAuCQq|tIYIU|DvFKu_xsT#_Z)Dc%s15o{~5AIn>{ZZZTYS*#M4PNX}L?^`f zqwHdx4lgLU?L;A!>E$ky#FR;XSvBw{|EeVZ%P8Kne?<8*8&==rN8gC>{vt7$&)?_q&G}lW=EHR;ox*OzZQ4Hi=Tszu z$*Wf`<~8hSl5k_@H*M1Xsp&VVzszm~x-aK|z5wJr-=mIIZkZ;cINWCp6}6GVtuPVF zVRgL-($bfB#6B^-oAhJ}j2w*Eug=&%9}iX?@*W`GN{VC2Z#r(oLD>&(oUj*l5@)@a z%vX-h9wv%yY}|IR9?>B@5{7KfUuAyeZB(0cWT@vG6fb>5WJ3^+7=Vq&UY{@8rpfk* z{4gg;98rf*EZLR(Fz42W#^b=95eu!fQSU9lom~7u&=q;gQ{Q&}Nt9(r;xgXjiT^e;O85^@Kjd&l0%*bSGq|DpvUXjp-FO7%6FTZe z-)1DnSrvgd^}W5h$`{X*3eE8PJ-}uzj6l=<=~`P~ED^dX!jig**n?8VoZZUkP|TYz z>lpHc#=PeShW1v)DQIh0@kNstmyN&*QGDWQb+a^KH8->>iIJM+za^Zq)s*PPk2 z&)$2^zSgzYz83OTXVtWDfkT}lZrP*tsR}UnRV>oTKU(;)Jn>znR9O#O?9Jz$W3M2x z`d{i>z9_1^0J!7@WKbHy#Z(qsztS%E>KvuLl6&PMeRbqgGKNsm{14Mg0YM1!S8+6^ zJ1%rjFU|c~{K@B)O#_*-tgq@rtomP?TEFBeiYg;?`2HkiUxyU=(mx8(K?zv}3|%NZ zq+T$*M+{-l=|Q{_gd4P0NZrehKjBl6pBqDR>y=f}|EOD&s$YDNYC?Wwvi({5GK8`y zWAigg+SZ?vif5jq@9eXgnR{U65&kxM1%j!^fcGlo4UN5ESg`A%D7qN2o zgt06q=k>m;%wcQtrzt-8l$g!%(MR<8Z?={Ao?=`b?`u8VZ+!1ky38HjnUdCo%uw%N z^vd*h6P9^XJZhQI`nFOccDEFYzCZ0+%#P@1uhA6D{~%>SmH%0Im2vfP&b11TAARCS z2@>|Cn}4Q=)tYt&Z|hTgjh9&-f#q(k;S^r^Rtlrh^gfF>FSP|?c4!CsZ*@d>tOm56 z`rHli5w!|mC##DzkO=ws0F?9L&X~Yc?vOZ` z1yK^CD(P%~t1*AC`J)JJltQl^^0rPv=v394z7)JbM{Yo5#GI66j+$4(`xmNLy=PYn z`bYluflzQMdA^M2hKG-PLX>`4CSWTa^Cb6G3^wg;7lX1}c^^Cdc{S~V;xOAtqx`(6 z)Y1#=NU-YUY&;&f3ZbQpFf7lRd-wesNZnW`$lHac=@&zBAXE5b^Itkv+^(SyKE+nP zH8>R-?YL6B8u=C?H6h^N6B2#rdS=28zNH7>JvUhfKK8K39$})5VVRfrBH3)j=;v8I z6`oTkP{0h$vrh3mh00Q&f0@WqSAFJLu#&iz7haV?(euFhtKW=LxEM4xwr;(%*W7zq zgAIJi(N|pPWZmLDEWf1Z-wz|1qguh2KA0}Ub4j9ZfDE%IpA6kqzUbe{E+(D;%@XRh zTOpQb9;ad7StnXDJ*_Km@o=AR7xo66iQxR%+Qu?}`%v+)$5JM(8i8|}HORL5(IS_D 
zyzA)UkJmI6sd!v0QtowWt~vBjXnI+yK?*Dksd|5^S~iIOx=;J<+)VrGhSPF{YN6r^ z@Ye2Qwu$1c7rT^^hOzsKbU|DnRmu_Xff^3f3ATRsvm65cB(dHcvZmiLZ#i&onWFr| z&!FM|Fk#o=xA)z?bs?c2APJTWm9@zJfB0IA)86f!FStU8= z8dsiuoh_^83S&p{@!i08HYuH>T%V1eL`@?9R!|wfts^QtH{DV*y^o;lC}~?fsXb7l zTE(GPW+Gc_(86r#IM}O5y7_{+&)qe})E}0j0M4Y1`(Nen(kjXX1U0zdoE-y;tkGI= zMd;dQDDh20E-UX!n|s>SUWF>sD`E}f)Q{x0rusjbk+|**3@lfS>puv%kE;aHmOno} z`LzZ5Slld9AwfxDqWEfXiYG(ZJT5EG@Hdaxn0^cPTOI2m zP3S{tyFB zaWcFt{|N_Hc1HQY>t+br?qQ?hUHZ3S3`^oUF|-U)gG9@&yE4)CiX*R?y=sG%xGD;p ziTsy2DkX=O+L%BNZdHhJd5(nW#HhkOX(7oM%R}Fs6((=G=yqRb-QMX5`(pPPi)(#& zwDtDI;~Wp$>ZtRc+fj)@B~sdsGKY0}=0UMPrC?vd?187;U_uWfXK%yN)Jv|oF+BGR zaUGb1RmnQ$M}ZZn{Df7DxP~eBSZI|{G{vI-(A8EnJyJNIU{Uhb`nDR*S^qTgRQY<+ zjz}{y?Vun_r1I2Dd#=$;ean#R*ch_YeD_;IJ|x;jF?CK2_l-egE_!8@_nE2PQ&2;| ztLF#^8~*Dt;^y)Y<5dkEx*s3A#B$*`SBCb!J^kX_wTq;9tNd~GvZTlDH?%@7OQh>2rmc(qyZU8Fzhngo(5^w&?bITOkx zqFCwCnyVC*LAx!`JW%_m87s}J4Fbj5sWgP}!l>$0VmV9z2ncRU>s z>T>QQoZ3p{w;^v*COPNts7Ql0lY6sv$wjU{NP6cAH6LWYyy3Qaad~^igK{8-srN{) zolTXz_VmIKv=`X9!dIoapTkPXU!^^ zx)7TDj#OPM{_i2!0q4*`!=;;rA@uir8HD*#8JSsj>~{}@jGR@k+SV%_B??ulI{eJ} zDzZi7s>nNZZf~pG(ygfWWplnm9B20m)Q=(`C1PtV=~;_6FJ_^1QwG>4UEZ6Dd`D7WGwXAN%Xo zu-g4Y(^?q8aFsFTar>wC-tw`F03l|I>v6eK|J=?a5=cxsCplqbK4bFlJpguChtL$g zy3X8&?N_pM&Y|Fk&<*HHeldoRZHzg~;lgI7?u5{@9B9_}!LLqXM>*DGq~0ELJ`3vh z3aH!MT^M-X*_7+?JU7p8A&sq7SI%?+%{^vLm{q2eO)v00gh~vz8iHBnt+!kMK-avV z*ZWw7xu7rfMMou1em3A1;?bf>J-7_>Fal;1>N8%QJ{zW+;ZBHeBZY3qQ&(i-isA#2 zc+Mdxob+v2I9GH^-lMnapv31i$!8rMXfHBvA@E8THYPX&2!8=cNK&q612xJh9vvG^vDQvhM`+7hNUjvB5bfn4Wo>v zXP@kX=q*RQ&R5;iCTh0;C%PFDoVAU!(DRYu-AuQzs*%QcJLIY#mUBdI$d!VSf!J=a zID`7&b$j|glG>-xb@DFped^T?{&LCYK~}NRXH)f9W!py7k|Lo}y;`z@^L+&&Ui%3Y z2R%2yqa1TJSgRY*WX&*;Xo?24y72|@eoHr29; z=vv!GoEy$YZi_zN4cI097TrZIM`hW}?!lY4>iQ5Zyi&NmL$qqgw1l^7xaa~o1-8#^ z6;G6CN}FhtFq;BmF7}lxHtzJrJpgB9;+8D>-c;D4Nu`Awxnd_sdj+&l?vt4yf?Uuv zk{Xu*vzHz@#Cj8cW_$IydE)a+wH%H>A8WIrJ!;%;%AymxF>oQs zt$x(4PqeI*h5*YlAMMjtI1cv7HpA%;95ltZCb_UrS-^AF4oBLb`O!+75dsBRGiT}y 
zx~pf(lN@T%E4TMpEGBi1-37GFaox~H=*(P_tz-L}F=C!pBbah%H$(bxu*v-8X(NGn zC)tH{gtb+XfjBdn$FNk!b^N>DT~P5jiLvk*$2nK6Pz?I^@#nyg&u-toqQ~}rr036C zBe`S>`q#Yc=!$1JL-c5pI+IqFn9}_#SFRi~|MzIT%X9V0mABOYxAA{+4&+{NkUv$O z9|sUOCTz~s=;X=7p!M2|D<9tAh#VJmXZX%sNqFo?2TA5Q|B=SE_iyF)qp?Bj|6HJ! zKSUNjjj62m+rt9Rb}PzA;}&`9hw9p|bDV!Nwo+uH86Izs6Vk45Z(Tms`TMd4@|`jK?}b_%^D@!f^Vs zWVtyrY`wpws?v`OkN}r0Et_FSP1*ch-x#AKY#4tFdba){_x3Mn{z~R3Q?}op^|tQf zb3e)YeWFP!@jTFUcEsO<5Eigv0^2fw_)J*%QYC)>+hQP&z5QgnwF%YYK8@T6HfkTOzB(?vwVQ48IDQ%Jat0FRt340hHw91n`diG zk@!I2sa%g&*(6n>uCQWpS$Y(HCr}pkZpb!AE_gshX9JndUKGlD4G}UTMk4=pYrg;r z#O>R_5VA$7Rbo)$lr=l6uHi3n-1R4Zdksm-hc3kP>x>xBgDSC9c&O+})kxJgRR@04 zugPyO!aF_+)Q2|9L7S@{(diR#mMeu!rCid>&*4pqen`e=OlQJ6{D%U zJM4VT=DcT?^m{r})Jbf-`!%uSutUhYZGBUqB;(5Qq=2!Q%dWjuXBcMo@c;SP%cMFb z-RFz&K6KB(lgAddPH?=ZykSJJDCibMqNPT?7p(>E&`sCefa6n5ZH!|dg~|MWP^NKjNUdUm04I`zp3$g{z=5&)5NPCh_0$HhP{JqddQhxdl|C&3j;0 zl}~c(8JeBj@R?ro?}ZFq4Jy&`Fv5eTkF5z2Q&6vwUtX+YB~wE|TZpE86Nv3@Y{Pb= z<#?@NRYSv)832OTHMR}}kTATUDQMZ%QU0)^rmVL8I)$wnK6~ z$l4$OB3}kr5*YltSeywv6ML5dv22AK=gxkkw5^~10Xl(3;iWvQW`j#Pe$SVoZLTWb zO1-R|Q-nE(Dd0J9W=n@dnqh*)S<}^Cd69=ItQ}_*u79XDT|Mw?oQrgv+ zphS^(YdEX}&2(MmH*O`<2`7vz3MNdiiC~nDq=66Jej$!8ZOTuYCi?7=JgdFn`ny)t1_M-%qXU6S5*WHZVq5#x-L0Bnb8` zfp&??MDk7O_3UcYHv8J#q`K{>LJwov6O6?W;vWyMUoZW{^5H=N8zlf{7(PFM85LSl zb(&oLNE%3-Fe7$gbZv4GNYMs&J!bK9Uu67x5-r)+6oZomg++)z*M&q$PRYU#Cy}Bi z0gV#z>!nfR?F=Bl#o@`WC$EjpRsxLHn!+c85pBcXR>s9PoTxJ}pP=vODLKjnLIs&K zh#z=7CsC9KY|P%eHG=jxQ><>mw@GTZzFGR#_MmD_RIPmDS2r@N!-f#uSq5}pneIER zsVg$+FAJ6w6ngOyb&umFs0p^Qo4gqTv{J{B5+i;Lmt*cQQGzyi4xXO+qmh*3e7!hlli!DRIm#6M+ZXYZp@8=cKrz!(J9lgj~{_`VV@$<(3v`6NziO>91!_OOTF{q)mSkf zuY9J^ok;9+3s?btdqYrnkW~xWDzD2VMBUq}QwYDfVEQLMEEBlYS%qvJmiV((9dQ%F zHS3y1n}+27)?8ea<+oMhVp~GI&ImgBB?0ztwyKHqIl1^z7`tzE1^iu@Fk* z-S`Adm>ZldIsMLtwI0PMpnMuI^>8FQGe6XZF@Tscu4@I-HEO<{bi$Xp1dc~p_tjW# z?fRRhv)DECP2`ke6ey-!&?>4}HgxqOyRlEdE%?JbCz5F_(r)+^zMcq=mI;4h*~&Jx zDqxT0@(T)2pEL={je^96`yiSyZuCHyAHv{sVV^(OFXJi`Rf6i+AQ`(M%9ii+{ 
ze^lw)*r!$r<3DmM547n8h4woB6vkJx7YB`n@W5A04r!iLvlXeq_oo+q9#S2+mf^BI ze7>63xU^+;pp7B$rRf1ddek``J7RQ4MdjN&ljf>9LqD;xd!t(Ttd~WS{cxPCYSv2r z-}Ure!k^Q#jN|rJ_>aMA-L>b0qOG#Lu(^N#6alBXA-kGRGoK9k`70`S@!+iWEh{W- zF{174=AH2qPNP&ThXBBnc=)O)tFHPtS5eOgq!o_<*)5pH>gzk zM?1gyZP22-Ke4}7wT5`{in~3O7qMqCGVf+Vg zRcZA@=MwY77N2w%LP0XG4$#lM#cLwwjxb$@NFKZX4!mxed3w%pfy>AYhk~mXq*9Xu>!VEQQV}6Ai9ml)CDqn1T zdF;=wpNrU*92Ma9hhRrCi%K9(&cuQunZ~|5K3^@6LeC@>3{L#nyoQJ798C^$-9$#W zt7KAxwC~N^0XAC;>Rq06E=|w+?wvF`ucc98O+Lf|w<~DJ8pl(93+_tJdyvvX-voTd zz3+mNvtAa7t<>=kwjTx#Vx9pW~8I=iynI5{=KkH`Icr+)JeA zUTFDB0KVB|oZWAJQ`H!ScTRB`tDfmuSfN^CE2y^ccn%{N=%k>{-Gs&5ge|I|w<*b$ zPxb#m9;di9PL-TqkMy`BOgeewu$a}co5t7>ajE!9B!*j{t)}C!Y~hLc%0LPh=f&o* zGtyQ-A?cvr|3bNx#@C_Dj!c-)_<24_fmS4=zQZLr#d$r}&Tma{>v6yS_HYA~`*7y*E^n zZ&ppbeuec`5`(J#bWi*kB2{|a?{~V|E;BEb}pIJ z`JeUf|5zypR(5vC|H8p-8l|L5C~W<2SN~jgW#l0I@2TgD;|jET*op;fM+a3}z&r3W zP-vDLA9!S9nHVkt@90qsPc!z%48lQ~+nipqDS3OxKevDiGp}Rgr8;G>>Q$`IAp&7>uS?v`;hh? zbkt)eAkI@xV=)=C%DA=ZKU#g%=d!hzTRI_BW&C>`ENDz=?C-#C{O5g>MH*G9upzE+ zRWZ0+!8&DYQ{SM;rl}6nxNzRQGtww%Sfch!v~6J*#G0#L%NtKqFL6?Bav5P zqj+RZd8w&X_$wO8PeSoFzyBWD49HqKR0YHb_%2rN685){BSEQEb$#Y7$gP@IaBFdg zLTa^mdsxXtJds1#stH`SpzzF4((i20n2}xgIc)+qJ1+M;CTu0}$Al`z>K@P4@1>V# z>WMrck)=sb#5AY98p*;7U$kZ+a2BkV&$29*R3HyHt1?9$2cf}+etVfEUzUXf{Lz7K z9E)n(uiF^6oAuKwOI`<662G8gWEugvpIFNS;aB4~`kMWWitZUA=2i=*2(93sUxa`; zSZ5U%aFFxrUmf7a9qu0E;w|nQV527KI-wj@R^IZRD$eqe2#u-KBJmqRUcl|g0F zb8W<8A+vg)Y2&rNaM(Q*2>*$h1w5S|%)riEf>LNVg8O;IWl6sll_OV#mg%$97KMCo ztsHhcXR&EYMJ8kyYFh6h9G#-5sFlToeM3=O3w^H94_R;%7J@hK%zRzpeN+OSSx1MX z^1!VShwO3%D4|Mq-d4sJAN8{7t7(qz;uI&IZfb68CuUL9W@=$6c}Y{WEQ6BeXeT+S zXo6uRM_xMz*iu;mPTU;{i_1_{bvG{KAFb7nq_TKn99lUl=J8;3y?;~{FWqCK6w5r| zv1>-dE@`5qSH77fKHSDGL)!N_Cp6RHi{HFb|I?;958@U)09MxUxSUMB%FcYpY&F| z;+VO85)@bqBco9ji2$vG8$>ljyVXLBaljv1CM2PoZvp-ZwawN3Q2Xk=+nUtKP1%zXI>ny)HJE6X@`+@47pT4@XC+!U#v15H2%3Cg$)6fZqzeBeLH_U zMLjw z%FAe9mxAY}y;wx6YetVTVeQx75 zqjsx|h9TfR>mP3a`^V;?RChG#D>|nh8byOD%OYchy~ZSLn3 
zZRIA5{kSd)_VR8NLf1XCV>HL(L%m5x0K%kA7cN`ATBa6goqSR`le=u;)l+0+w3)O< z^`P#@&wGaPTb?H0!s^A5jh&CF8$qMRFcubrQ!f(YCuuilT7O#>aCrP;Bv-)f5-BgmLTWmmNQD|kSzd|uDl!Dg#vhu=St5Y})6wQU;aeyC3U$%KfG>$?j7I zj!rW-j$;)H=FxF`5Aexw%0*@SpwOWH>ZAgB>pghevD5mQUdruyniCrFkDf_t!TWlI z09G)f*CH$gWf3>Z~RhxjZPvUKOE8mCsMa zB{k^m#JP`b&bfx;t4^CY{4^YBk0&!)4aTFplIB;Y<^SVvkUoiRg`ZX+RogZf<%cYd zMq25PNxwiPHDYer zD1fk>;p=XvExmpiWfuBS@R%3!#k=1$IjFP3rKgGA*z>z?a3)Z<8j51 zM{icXpXLBT-ncA`9^txRvIUGoe{Qa$v5{r1B3YA2qnzN1Kx*btba92kmLf2E_|LAN zV>z}l%n07ZQGgv`se(N;=?g7ZhK73aTSH34CWFV&FHZ(s>(emP9`4m09k~_bl-?Ug!!5#5w7B?qac(&LMnB~u`>1eV$P5GA7%Damw z?Ars5pV>l6C4ez<9}vDg%raADiXO(9f0{h%wT)j8smj`{e3oj37{!Rs``iFd=JR#? zUz&oM#-`m^PhoD`r#<>>hZuIOX;*WA=~~%IJTm&*SlMT1{X9kIQxPXRCyX0?00)tF zez}o84N`jgehKe?Uc8O0-uv{Q8+aVQ8d}ME9CKMuj2`P|VsGvB{SQ!GzT9uiGCrP2 zZE(Hm;2GdQ*v84DVZfj&|NUPK5BV3v8z21ZK>)66#uPpa{`VE$2p(1a)b@V~2m1e4 zw62m^{Is&}znOV_*_rWd?7w699}nRFOt(m@#I}voV;?9H*qL`mzF08*D>O(&m)i2| zgq$w)pT|%pn^bh5fw(3F{)shYY1`S?%|&pCp9+IF6>wBx>Vk7V%EWlg<3sVjX(xwG zUF%Mix^Z}~HOVUEdrMRRtiNA_v^i@S%Op5?S$aN<>GbSOJaE@OFepf7W_L6-DXCD% z3VG_<*!3fldW}F3prfP1u`IUeU-rcMh9T3In0WTK*dvjz|N6?1S?EH1A>Z9-c5jp&)7!Ibav zU!|?n$FCrE2C2Egu7<;j!`n&x6$3G`zaC%w)4hfev5qw7f1{B3?#Jxy9u?QABu$xpD=+v?zcT@=uUCX@9#~SXriV;1g%GoVBT1F zYBs1bvR?6D7q*CVIo|$FP`p96BiM5+jO9Vh2Bh?uOh8J4w_s09qwnHZu;$&8-Pp2%EyOv5deB|9~jB zq?2+OsA0F-f784`;Y_A#W*g4v5_Msw^zw<|Yt28bVjgCGXSF~raj@i@R)f9au#xeJ zoILP0mnmQYQm`pTpJ*VOl4_d&BjOt4Dvp2VI+WN-)C$St%FN2m{{lVtJ|W~8H(9y0 z#K#&qhDF_WuAOTNER_k98DeA3#2$&;3dn06V}A+0ASC9cS83BL4?WicAz$jMIM4es z%dd4<+2jnF2E{z=+aDVg?Q65c?0K-hG}M0jRhFSzT8Oh8mtq^V7HY#T&~VAczvVz! 
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device5.png b/windows/access-protection/hello-for-business/images/hybridct/device5.png new file mode 100644 index 0000000000000000000000000000000000000000..c3754b5389daff68a8f65572c8b6875f59d9dd28 GIT binary patch literal 9031
z{_bUuC{FvJID>4Rf`CTKbvaqWbTBjCj+Y>sy~rPbk^)P3p(?-_9v(iq6<8jfn&JQ{ zo`?l)fn^cE!qUX7pE4=OPaZc1e@YdJ#KmS+CUK=}@SNlG(Zk zbCKxxkt<>qh?dlpxltsAVnmUOgs7s!mg0ypQPvX*c(?2jn&1+uLkf$>CB0B%E?n=A z-*K=6Ry6RLZmik1Bc|xNrp0tWY2ePi-|w5ON1>$nQp z3{@@h^}XIUJKCNz6(kGnv^gS+SfsPSl`r>F5_dms{bfWCP>|8T#hE~_xeow+VcwZn0GBDq8Mr~i2BeI!j(+fw~!(YZpoAtPE~SP)FBaj-UVyoGd_Bv-lQv{>P+ddkaLon+?sFv%H< zh9TxB%<6h~2`3D6bW{xUlliIatg)BI!oQ2JB@Q(j!;GfgvnG^*fdRSmyU~3@4&%tp z@C~d7!&0JU*tuQ=5MGfYv)(+`hD20&lfuzk<-oh|iV~)L9>XBTPIe+iHl5~r(pMu- zvPDQw%;+qRS#qTIE!$|Y$796S^8zeRJiknGFaM<3=klDBzm^}%6Js}o>h+QV67wMU z@RFV;h-&xe#g`uAX}m|ZHxqwhfubnY6Lyk&viKZlv}(V3;+#g}sMxmE&4GHn7&4`! zdW4HNCYWs+7v6Wi@i2ZbMT#jF7tHY0ZaGm~EtKSEb3^^%@DbHU5!WV~T)m58a{p=Z*1)FhpVZJjLS8<{D@vItQu@tE~0kuOLU{Y#LP_^Yie z&9;bv5v((QJyuD?b1dYiD>dBZnr1sHB+-9|-m+ zf^*kWeZsD^V}k?4QrS(IV)7yTU#fz)ijt0TC}B3bVFk+O(%DStrFQ_#U)bP9+7(2O zugD*bdOUriLh{?bDEa3RVwEBgM>b{rP>jO~AC-u_T6^(9%_0iQX|EP}mO{3cV(72c zJBhNHA|wzaJviw|J*Jqn+)2`wSR2pWB%C=fH8)0a|YchQ)CgmC{@>vFeAJlpVb zwB4ab+v?ar{djRDL86K@*YcO&a_Mu+`m!5l#f4zEg~i&*TI2Gr>U}9#9R;*mXtKg;tN*YC)DR<2Z*k0W)-1yGS z&R^KH)o%S+;IS52oKUiV$&&nP(H|CP-8fi4TtrEa;(E4vQkQTn98qk|^xD%C?6WVs zu9s^4o;j`9*T>%l+3w9E`UPAYap1r_45aNsMC-Tqk8uf5_kb|rQF7@cC#-`jFMgx>?&sUS&6+mGj&n{yTb zL64RS)aKT_A%yXHxUNR22Bg3A*LC;Ho>K8_h|D?ly`Mf4H2ZyLvc`D7PT4Am)ezWh z*`ZGja_w*!%y_;j>eK1&2IqX;ueSGc`%2VxO`~IS>)wE8`I6>iEF4b))XbW{rl^Y? 
zyXq+<$MIkSdm8-N($HP3q5$A>WkU&&2)e8&8yF^}1xU^)K@JR(SJn`OlYVLZ5>Mcb z00#C>lNq`Y$YLT!DAE;mSUC~{E8cU(Raokt3nKvmftp2n{Vn9D9j8R-TLCL7-3zkf zadu7#boF@EuBKwKhz%LDfu(AQHf3e*+}vVE>cDrEHmmMT@q$_1#;@<pHO$TxFrxx=+6L4gG& z(aTGU*j|8EOGSrO525gFWt(K+Fo}e;>6(3+-k=+JTVuI`XY#Ut?5{yAR?ZwW<0j0+ z^ZvpZwrEO%?Q`JuXTREq`?HGRdDNGj4q}CeW|s>OL=SksmTN}}QUpCJLS<&uBd#Tg z$gZP^cH4wmnYXLz@6~-k2#3@UDd+~TLtM6tT5UTSyaX26qg%pfh5C(?Ye>7(3inw` zY}%p=(YlMzuj{q6s&f{6t{O-MzB|7;G9^Kkt6vfrD}c$S`u5}S+vwhg)lI??t0x@K zZI*?O7PZ3gu}eFX*Qyf1Mys~lqWr}z;&Ze?EVm)yJwjqF@v{M^T!K-h_(vq=8hNd$iTN$Q zfIhKUQ`V|!T{@O=jPF|mP63ab_(yz#>IoezukoUu^o^K*Thl~pkd+6nxa%=6Z`YOF zV31Ld1s7~|tt@f5sBapbZ*j{}HnkI4B=oFCtn4Od!wkj~xw$hqp&E=vg47TfoLXAPToUTm~-Lw zQ^YbJ#EeauoGdUNxjWFJQU9a;18fbO+#fb}E5i7grETMZ;g}B|2OEN2J59`tKvdH9ML(FL0-al`hP{Ivm;5-AI$1yUT^@HFLw#Frf59 z>26almm~I)}~(!Dl|%qd30Hwjp&6=6uE-~PLue4V4`vAc^*px*_azY zIE9FnBlGv)01{p_!F$4j19+zIJ>F~io^h^5#Ghm0?S%FW?N1ouRAdm=;Bt(xUFD_OEOnr>527aLJvK3xct#SE^lc+|xHAYT2QO ze-+mxyx9}C*4X)h-6fawX^}#E213P+g4|;CQ`A~|3D5{03xCQ>eNO*WBgFv4TXWiu zaFfWCTjF;)&}uO(n0o9wNMSP83_rR~Q75aWMGx6zV2F(Bnc^8y(~>WgzQ3ZWf8kA1 zd|AtvnpKQ!p710(r7}HH@~`&ERyzW&U27G}DL_Uw{av1&FUCAkt>UG1O;7XUJZQPP z4Oi(;($#&kZX0~oM!gGH=>R-Azf*ao69*ktJx0O-gSc$+S;q-2T3>)(Ig{~3bt-pJ zR(ezaMC}=~$KLeFWZ6Z{zDLW)ukPIzE5)|4xb~br*c-%8fG|o6N3yGB%Kcwe%K3gj z>p=SZk7B-l9Ss`nRe6f8juP&C)$gRW6kvq+7(0I=8T;u!UOCs_oAEx{PPG@Qlo2!L zHrx*uyZia^%G5fD`H?V4=*^Hqps~q1OJH*7Cwts9Ua?7~xr@6#pn;`WL2plN4QF@o zy^mV(Ob%0IEiaJd`h*%gCuC^XzdeZ&<2raJ1g3i$LggF zO+WKiKa56Mt;YkHXz8E#&d^#{iQLWej4l2cwRS#x>Z%T-t!TqhX^5pWo|52RPQI$K zy0$P-6`pz0LWgGFj~1CZoFi2L$||Rz8zeDO0@W1~%;P{vUKoh-n^pAYA12LJq z5);+c%LMfn2nL_^u0(IIs0ZL}8IK-U?R3E)5&Of@at{k#x%87Gka*`WPxjqT9s;-8 zFTdU`69yq4Zkrlsc-XxWU8g_7EAT~>ub+d@9T?jbmNhtG=YRAPydK8-&7QPIDD*H# zv2NO4-wRp|{K^IOy+S_71C3agD=f5#YPSSlcXD@GhyR5!om) z(E*3VMAay)qNmNX9L-iUe*Kple(EHH0(LZ&%}31ODuF2b+>Q^2_74-jpjckSh z;dgS!S{^#=lRnlO0Xo8;ru&PceeY*Q`q1!K`D^n$zQ-~ed32_fpNZLX%uk0<7(Lu9 zkwe@M@-{Htgt{~rZ~xvGGxmp!42>*3cq&?htMlyxuGc)Zcj-P{acO(+wrIVwg5aU&|L 
zc(5;d&GS@fc3})kiivvGMo6j5lbJ|Z5C7&d|7>qsn5wJekau2-2J7`5Qz34J||Dz!Snh`++Lgf0icvSD}JDKq68U006Jdrs}3D{_Bb{Sg=ox z&U*A9sfS8>y-kG$2vGhTkM&cT1@Lgb!E9kEl;kqqqy+NJLkJLPPDh8J(`*}DU2WHBI!zsK;fG`41@pLN z`+HQb#~43AVhIA-x @BY1Zg{(P`DPLUusGqRYcQfMxI`>2&1B}dnpu}{M>Dt&~*C~eo+H*Ri|03}M!kf4pP{KH|^Sc$WE z-GE*eVfqG)H(ctiKB5>!cYk80vUqmvYdRk@ef|^aGb08{txt$z@odIzk@?Xo>dz|7 zKsFwE^2Z7Xft1?(l@%3#Kd6>Zn_}e8zdGc9#%tI#UUFh|xX4&Za*RF1hd=gT0F6F6mG?B_h9|X^dYwPxJ7?~;=j8AgIxW728oUup3@l+`v4JZ z2SKy}zTUm6dDOF%cSF-f%xpbEK&a1BgWcwQUf3A{#?O;igQ3Yb(zF=}R-Z%-V|cXr zla;SQTx?shLv?7D3qvC;PRs|jvLm(V(?1umx}~r(?p8qIdj-@^>vXZW`2zk^>0!bC zJ0SjV*9axs2LHDdgHW3PH2uGM&;Q=?{~T5R*Dn8Wb`b`}Hfku!{l|yQ8lJU3e}i$H zQ=&H|+JE@vP;)>P2P|*>+M#-cC`hRpeIQ9s7Vod~EH}_p=V-h+fQ=rTf@cU~0L>v( zC_uFHt+$jEY)1n8c9sb%Dm0QNOnJcholq`NDXjtsRO%HVjp8%F&;J8lzPZmnccDSTBiTQ6CPZ zw`N2$9V2?HU==tMfO|8a7~E6CXR>>ln#cUhIm^Y*qlQ2K^_@5;j2CmX#xxnS+0$R` zWvfuj8ht$8S21S#?Q1R{rNyHh_XpNl((S*s zGo)HpbIwbdnokg4<~v>L%$Bz_%JnV}U$TaB#?}`&Z2f$D%sBaAn(>JP*9=ZiheDJ1 zl?^A~uPrd0UdqdtI?~zOOQ9HAo|ySv%9Y#sw56*%E;XobQK_GCHdQChes;E7n0dTX1L{iF*zw|ucmfVX2Avd_yxPkb5{sL zjz;|X9o!tBfw+fdSM6s~U|fCgS5W|@Q4w00r8Ef@ZH7Na>@gX$UTiY%aCnIae?oMSyjFxq1;kw4rZOk_5zmh>UjgoWl={LmS-7b(c zCu*j2_RtVmp3fg99U#=FNkQ!0tEo8}2n7#PB^*qol|$uA!UDrYg@sAS#>SK?b_hmq zRmiqUB#rhd@6f|3$GjZ&KoVn%)jCRP8QM^kuQW7$AWhWOj0p0dr{Zi+X$4r)J!{8N z$`l+@e30jekGSkC zYCkjU{k}%TTD#Do;da@np;IuMlNpwkYf4K;pnmU9lk~owmG~7D4x;LAKAxAmXS#g6 zKw>44NFah4<^1cbH;AE!hJk_UIcwgE*?K#7`*o5g;L|3c?&{j~AHBj52COh}Ctrpk zI5svGRfQKcZaalE-~o@Ql6UTUgg=jA0@%ZWd_g1W_YiRKaB*i{2&*SU<>)|_c*zHk z`ZA%TT|^N};rv?h4SOmyklLXt+YuIpTqS;gd^M7CPW2OQN|bC;N3>6$B!sqlpOWItZ%MO&#&OQUVUakH zH(~&!L~me{)R+fJ)$=<8Kw|ZyLrPHYwnzkAMWj4z^tdt0TG4A8`4loU&f|JoLfo?4 z_z{BwkjIvYADOH)NO>u(xiCVD-Pw_0oZtRcqD6r=v;qr63tbT&`>YP)-|VxP4RR<3rH%4p2I(D%55$-icgC7>utzT>QyEESH(Dh#zwQ;;uGI9Vk^|#z zV$=Cyv1j{owNGOX60gyIT1`cx07g~|W<^1=i;-4j(2@X>Z2YYrfeT?+;rQ*IJF=_n zg#1w==pa(*`0s^1zM-o{P28ptB2Z}q%q$+kFRphb8r(Nv4At=x{JT^1{r$`u15=|b zT$?ezrD@mD2CYkfH7Cm6=WoJDYMz|#%jHH#12y@pWf!z3e#M6jd9DA(UMZ#EaqXf0 
z?otc@l7&ozL=H}M$nUe`Ygo&J=sJr28LE#wYF7sHrM7`e8IlM#cTf>`ckV_@wS0uj zM<&*ND?YWKvhUy;{Pkxf zbQAr)4h6zWR&-|7T?tX`k1znwjxnXln+=b_n`Z|4(@wDG_k_xlT;ZuEk&Dn#a z3jl(wYYvvNdFEwWeLIIX1U+H|puB{THEEI0CI22=NEOmRG7%w4YaTB++W2hu*>ITp zm-`LPHK8C-yu}8Hh@fI&g)Ek9EI*1I$ZX*wgErFs>e5Q`Z^jz}NPJD_@iHX(c4P351E^OY<&O zL*j|c>G|!bb#RO%9=GD-{_7@2nmm{R)mRhu!`QFcY3>&5e2&==vXctJ0Li zo%ifN9O0ETcYZNzxSjfwc25S6#D$3p0GMsxm@y6_q5m)T-YP1Nwb9m20tpZxxO?Le zEWuqGC%9|y;O-Wj#x*zuch>;HU4y&3yW3x6t?%16XN>>cotu4!R8@CXz5dSm%(wvI z=KWPX4}^PnBYk7*=%oN;!M*;z7)mq3UBT1w>Qw7}^nCx-^bXQ$Hj-7zW^I#Vx#c4Y zas(siAMcOBQAd`+6P8k(Po{OAUx3$w;C`SlMD{`dPOjkN_4;lPQ4jmF6vkC2GdY4U z(K8t0hm}hxXK`Fl?!0%3ITO1oIIVa`Q7zw7e{GB-d<9EE5c_@>2@NS*Z-J{UQ+R|v zp%|<;7?N%l#eas&eL0h*igKt|r`Romu;i`@L)mg(6aDt*wP@LT+x;9(+bdp=U6M|W z*Xb>1jCy#MjADYYqZ?aTE7v;1N`f}%ZGDBjMCcy?eazPdk@;;jKUbdm(!S0{WV_nI z(VLYdWWl6&XDJ}Ax>tNsi{9`{I1yeCj4)}sr%Fu`?|?xJ_DdZdCU{w35Htmc_#KZj zrcj^DVG`QB?7Mv1{%#V*2<;2(0T=u$!1}i~8wv}Ge2Sf}@9$rokdRFE(vB0!N}a2$ zG|$3g*D$i0ot<^%F-~E(Y2Rh7t}Li#UK73Pvx^;i z1=#2$s3MsQmO!U~aE^qomC>!SYgYTo8zM^3*q`b8}9*w_w; zI86NtW0I0w`|piyH{(?Hq@q(&ip#tJpImozfZGNp{K57C&@$lJu>x9_ z0HCwebeL4C-^mOq46E~M7KmbR$&V4cIGnG`9OEH~j*hk`ACJ7)pGE@I8f}26C@i5c zVLN%30mM`#PmJ1KaN-<`Id$x=USsOt<_oi5URK6n*?emhe*}RbG?N#r*GR~Gc?Zyk zX!FJm0kO)?atoiHzJ6GO#9wEasqusJrVF*U>n=G@3A~QSWgJQ&o>1TiVKCV51Dm36 zrrY(ANIng)cqG!x0YEs$j3O393r;*APDOd1$7T3-cW;BU#Dem}@z_4tZRK|-5L}|b z?H(m?I+(_dO78dXjAn(&l7BiYVE#5($`k`gaX|F+(#iUXRh;ra8tr#|EEgLli&7?O zQ04ihCv}um09lYJMlh*p_*Y;J6eA*%Wi?mT!B|&Xex8QHFSD8t+Su}LKFcO-w1^S1iVW_Tb`fXc;+$( z`EFKx**zcF)7;O*J3BjHL{+W8qpPVS9!U4RGa-0>83f&vY^SHCmBI&c#FhmW*442! 
zKVE5g5RCbFZ6zApa}K6*sg#i_Kw>100kPur+p*$5Z>uu3EA;%+JOLBGD<2^D#0CT| zyi=h#pa0ZaX#Ccs*_$fSAZ25#>-Wq)fd^hi(Fxg-+cD40?d|UVkN5iResJo4xVgD6 zTzYQ-PuI>p`SoVawD$P)DIh>v15hfQ7I`x1r7%Qjb9Gi_c@(zNwpzC7hK-HK&3I2w zPj{Mg)h1cAIos)8+GX=q#xl^*&^woaK1N@wua~9Qb@;3#WqqbXAFz(~I<9GncL;IA zm;{M6)O;Hi9C-%VQVk4RrAlWj;RIavZ^^Y2v$OoVz+eNNZO&*%iYx8v-(q4e2a`ou zZ=j%3W&&% z=rwAkMh0qndC8FaSfgdu*4HmR4cunSm=y>0CDM)nl@TuzE%7c{n5n>+aA{d-iaZ%6 zgLbjgLXFup4FyawBDIvfS`x*%9*f6AJNSLtY=dI}y0W;tz_76O6o^q6)Nu?&{=R>n z@h!*`y7Ezjl(gJe+j8ue-8PMaD3~mJOs)DG3Lssy?;?qN0%~0~V*>Zn&H5cKk;?`O z4}%~@2~NR8&YS2%=)Q7!T?RFf@B6uIOqYg&2OpU@y-LI=ziH!Q5tq}yi?5V_81?1z2Htf ztEP-R`8LlNv*MFPN-+Zx)w28fm*1K(212!Xn;M-r@whU6) zl~}+^WDb0#qM(nI7htYUg)yM<*TQAW&7&y+#{gGAu@MxLYZ5jDmFj8A6K-qCUCx=j;34JNCzS}twm*<4D_G-E(r zE1*{`=PzT}6gZ2TeXF4p73m@78PEI-cqSb>z~Kz-q`P#tQZ#mL&CxLu+KlmVZdV7R zy1wl#e-P5?z6oj0SxxTsp7!2%eNG4J@Ore~br3t+#IgUra_#VEJq-zw?P zFho?Natlt&9u2ZDW;_+^7j0N6LYGkF`!k?a*8>hu2VqLWXvHbecX@HhD=|rR)ZxJ< z6-^sq|745WqqioD&rjDa)AJ#!5BJN@QzN2MGJ@(B@+5t>iCEdTpEY))Ju6eI*T^e2 zaSgmc_PMWuRLI0|#nT&|1t==R4(83pCA{yJpP%x|v}lkDWDVVZc~zz<4ub@3iL%dr zY#NbU)fyPw0+v?$88BF+Hol3%UzNtJDiaH9HsuMBIjWO&hD6yRmkEbgSS|BvRrKCU zkUOr2v6+@lpqv_PG;;}c4uRWk2`gK+)7+$0o}w`+Y`=h>K&_SG&Rn)yV+qcy{#c>DwUChwy0w zKnv#lv?eT0Zc)4Ef9Hy7i+`>v?c11#vthJ()-8DVMf|dMeD^25K3Z?&>sdDA%O7dmZQaBf*ZF9W2 z*{Y=SVqhU3)`s9^3K5B$@$yRnO0Zu@3X)Y-3jIJl1DoJBgM&w}8OFxt=sBd@xu%80 zBkc#A81S{T`7z<0DLGfo-!%_ zUfcpKLXtx#rir!r_B-f;0<*3L*pBp zP3T)eLI%g@KnVT3^U?is095nklhF|b3|STd8>Qa+hNhOWqrrLc=t<#phiPPfl0`WS zL1T1Xu*6rdfSyMSMrp9Z`(W^jt2UW*b8DqBB7lUN0@><9-R~hr^kl%^3+!6lk@@|N zxjH-2YTZV=Z9E$*C`<5R9L+_~M(Gmv zb%Jh5-*q%b34^v~=;=@cr{)3{mp-|nk4Yc2B8~sHab5@A6ddprY=h9rd%ni1OrEAE zaROq&aKX^~60RRzRO$5Nc>81CHyZ{QkM{HuXAydaQYfg4BMTZ{=nxA2RN;07UfbA! 
z-Dci|^|%1)MJy5uhS%rr3XCo1WCr<*z06t|32(J1G8pfJP$SXA#3Y1l3ijc?41WOD zK4{*_oP8hJb6}TG@W!dCU7wk%X$a}{IJJe|+9u|mTwui`g&8o`nzWCUvSZZyW8_?_ z>hH`Fk8$K5wyK6*Ar{cq+p*(`XAJ;&Zm3Lw-WCr}NOH2B< zUxm9Jw`P1MMm_3>&`a@pGr46kTDxKD`CfnZVv0nugN7HB_|v@ZN=BXoqB~x|wJXUr zMkRz7$>JWt+W#EKhgB}Jyr1%iZYDlC2b^V_aMm3F8imf+0D<-TNi?t&4u0%nZ$Wi$UF4-{+QNFG6#L4Q?4M@r@*d5fFY*MfD+RnIHxleSne!RUx<9ese#l@KSr|+r1U+-%er~gHSNa5xEdyboXTEcM5HE-A45f*xjePu9W(|)19BR zMR<(rhx9J}^34+4ASY^d?png>DNfc9*4{gr6-ivfbUDHb0pV$y*#sF&4t6*pj40MRZ7+Q=jJstJ1 zX!F}(po#h5OdhXSX~oH_3OF@VbY#hT3x0~J;st~00F9ac%&NV6Ee$@MF+Pi4k!^>+ z)yg+(iSo7c^r71bVw@AtO|is zbx&Mtb_0wXd{}$8eA*}FcSYd#x>ry~4d5O)J{?yg3XdmIed*OFv~1G-!y-aqoc5Cg z`}5CkG~7cE+-t1dd|gk8V$_5LI|V|oJBYxQod4c`;M6AT`u+Vj88QDMpGMbP7y_l$nfDAiO!;5P zK(SRZ%CaUdd$z(=2Sc75z!Li}Q)OS)ZF(M)b>Nf2q3IrpA3088z+t{76HchH?E%F<} zf*W*4U@g;BepvSfq<6NJNw{bu?~csLVxLpZbMK3(x_WwyZD*Xt2=R8WN!oj$Q_JK9 ztrEr{Ec-Fni&E--aYitLNo%#jyV4y?xa!7b<#fM85jiZlYm9lS;|)7_c-&z!hVo%W z6p$haBqsFqqBZBj^ykt!*6oa}5?4NPEWVT!kPt~rlewCIUFPSEfAXcX*#RCUXKjiB zJ21N*dPanarl;ZUKos^7BsP|KFtrv9ZmDr48N+*4!I7BMfX($oVgP%Mk!LX+ z`}Yj%M&N<5=DyXc&ey>ylxMon7tB+3yg%N>|Kz5{U0<9$RpPLgex2)-YU;Ny?Rp?> z9xB!qo(N^F&hYsMmY!?NtyoZSEB$%JwptE4VdFaT?l0J$OLq>;$1~EwMrHXO|HA_Q zn|@2N-oc(wqI(cME3T01{8$m7ZWP~CQGfi%H0=nrPl^h&CU3*YijyqUsV{DgPH|7r zGqS(H9TUeT^wTD zGq$Q_eMwZ>ZL{uQ_T#zf!*S?Y>rSAyh!i#BX&Y8lap6zz<=^3LT>4CRkCZlDaYThI zGI~o*;x|3VrTpax*uuDR>}54KIr>=6*h1(8Gj#e)v#?IfnY8!fsm(&q)U@`RF407_ zO4V3rJ~hWghN$@(K(DzE?(z{qUMH999n)v$Ck%?|3@-nA+kA-* zi9PXUSAS=o&VdRac+78l!`r)AjNkHJt%7i-)`IsgG$|LL7t9AOk&1q`Awu~f7`ih7 z2i22rt&DJ$e;=2)3v~W*@ic>3aF% zUbfR}!$4^pUzuaaaHr5s<$&pL%Xyo)GQyZ{!_iRcLL0(x48q!23HVtE#u6Oo$84f` z@32C+-NtG2z9Nh6h{=)-0<*2XTMvyNyCyfD$zu33U-6KwkKZK+#pVU-$La94f3O@w z438b`$MxKtkQ0Ml2Eo*kf;+k{0Z(?W3tg{_Hj+*nL_uQ)2o%`)3%td_H%a%~`((FU3U)#9%ot z(h2Jv&8K`9%p@|%?bDhA#bndWP%D%49eo5xwWKA|jMfY1lic*X}aw47!~wgRx2Jks6;36_t6sceq!-C*7^}r4KS4 z3Z2eiMOV20aTpfRKsPb4Wwac_#pn3eR33@u{r0|aN{U2diITvqF_ zZ=T4dDpNzrG_#coJ1WZBDg*I9UTao$royXuokxNyF_r7^fI(Q;L?%+)^GEIsCEJ}2 
zb+@OkO(8B~Bgo=}{$tNfss2Qzl>Odkm|b17axTdsf_XoEnki#Xq``%l7dGP8vk&V- zJ=L;O++S(Gu8HH9va>mO@FD%lU|KXPxK9ph8#gM#iw>SG+Ti{1bpz@5rLBvbtx?Y@ z4bAeER#+w#!dz645-Db(#2i+0VQUF)MQiO|Vs0Em7}bzL0!=qwZp60ftHOrN=%XM6u_4k%@PDWn%%6@><^Gj2xD1cZGRivU;X%G zt`XhuXH?$|V(O=@@A!=XZAg=*|gJn$I0@n{q_oD4eTp z!tU#jp&B0HkL3*4&MC&GoV+u^*pDaS>Dwt&MBg^v6}XWId4Ks70$(X(CfnRJXt21% zz(6fni4gHKJmyD2=~Z%8SqAvaCc1>J0x}v=#31;zv>%1Y0oBHoCj$(ZhToXo%1SpZ zEkBJ?)Fn@)l;-nj7>{9CxH(GGv(G`+HIT}jXUkQIoO5K{)Ie#%S&C0hnT1S1YFl(c z$@_LQ=U1)DgwoBRLO67s^e9tBcTY4ja8ilZw9_yH%zQa>5%UGT`#P4F{ z*+HD+MKyk(dgjU?A2vQPF;Oy**6$Efw?2?~Uvc;c`yp%p2-klt#0ZH*Ua1}R=&9A1 z-NbJsx2tGBrOKUv_3%=pNxtDO*bm~2__?RL1EC|AcD}lkwcFEUW_Dk=i7Ru9L}4$S zZ|=jai60z^^3OiNc8wWtnt|M?Yr{b=_vRF4Gvm<&#oEQmEo#R5DDcdoet>71Sf0h2 zw`pBj^EtjWh+(9S@9E0x+iz~95(blS1Hbhx9j?^~%lMU~TFdUQ2cxtEEz!6x6xlB3aEJnqKpYay-Pr z9k2in%efE=09#DPe|$pU=fD0Y8x={PTNDdplZ6`ORr2boN}Xz`5C& zG5UOJ{dTsmL5Hanxp!co^Y^3A$)(}-&+9-oVqv9|)$xriD#RY7o-%TBJ!?rLJ=PVEq{BZet815US1nhQLAtX2I{XWtT9{wn7 zpsp*-4eYTP}dM>;tGvZ1GK_{bhFuBehw#MF!2Um9%no+1n4MJ?t3)0L-MiB=YFX?@40SF%=QisvHW=1z?{kz z0IzwiBdw0By{`9CeU&6535F*}CmMnU_(x1%{nIOc0R8Rfv|sRIiD5W4Ad1-=T?Il* zFQfNw?sy~Iw3EW(j=B9l9SH0zjhf!7hXPyJAn%LY1XOC${O#317IFRq^9848x*Zor zn6ig$jae4no5d{t8?h#qAy!ahkyKJ+z1~4?JLp^}lJ#Zpm3EvMgc6e!(ire=b=5@N z+1WI+R@69qWvJrJ8_&)0t50d2(5Zxz7mHR%_*rUlWl4hbC#0v}gdIXH^&MsLsKHmC z5UvOjPGgD4@^@D?lf}NG%^gMsyHIuuZ>(3&8zdYaVp~(;rEA@)V7z;B9QC+M#^A># zB>09`wTyvTtQiO=LFRaP&8SE7vU*x9*QPEOv-kpHAc|4(t-`3%Y5 zz<)6N!_;)3NL>8a%kffl{njCBB0CS?|0%EZsM~liiq$wkvHDjpZwM$>|B6}@-=RUm zl38^h?=DsA9O;xx)cwDhKDqyU9tEnA;Vz1?+ZSdQ77PHuGQIl#qiVYROI68j17}ue zLzk5V38+dm7jlH4xN)Or^@OtgNHXuq%le_)k$dE9K0!iS$^_fFmWBBIW70=y-=LDabGNbK+-w^NKfIh=@Xd+m2o+Sq_!I)jC` zV9n0#l!ftsfuzg%(~Mb(Ku$ zFd&>OVz}JMx^q*C9FJg7P}?x}Skh3%+GPEwa6!OwHcV@1sB(&mem3(y6&&c;pX?JV zCJbOG(qeaQnkJSMRIaoxg76!ej+}WL9v&k;W#L%QW4PX3hY%`zEi!GC+Y=qOeT|Uf z;hQ0aNw3#pDEc<1HTveZ|FelxmwrFdY?$1W$fg!ypy)f-`S!fN%t<^(-7CQZ&en<- 
z3j`J-C8}^&P>2k_i5kb%EkSqG2_phN^Ngx#bg)B_GQb_x>gHal@C0ld%ldXl*ZuD6>y3pbmblUR&j5a#UKPzaF`d%PlLzU!fDwoF<6DQWsG7%hMJwfA{W2-T!Z){Zr29=NABC zCxaGfYh%Ym_lt~_)h}@Pw_duUZj=6>3p@_6;qlV8DFbbr-u=}f%Ul}I)_%!*_^G_V zCzvqG=$%=99i#smJO({ZQFtpHf{9}WJAcyh^qFbxkPAgiJ-`Bjg*|Wb^rmTx7KLu8EI<}!DhnY>(E85BVyF8a(wNbZKdxojuS|s z{`HkRMg-p#c6ajw)sxL}7L{KM38rWTXA^Q2AK`apnO-aU4=ah38tqm2&}mRh0s~tS z#5$fD)4kvx@~_*TNPv+OmNa)zgvH!E156SJA;NIV1^c*X+*--@K|Pa#nj=8aHz4o zi!winlBxUX+CiNx7->BVu}@@BITSwLgpsqMNPGhJLIrd>U|8GswB&SO^s)HsDiRxM z*3VPgUGja_-HK#KB6jmm#s9u%p|-x04>AJQQWSdQXOXc=->VluFi~QHVj`RD61)RW zKcyxsUQ1$r-3r~kyX{>2_4xvMZ2)ViD^w^DC0hCYG6vU0y;MJ2TZ&p00Ac-~=Hx!Vf7(e9YEJ}_C?FV72nh{ko~oqyPmx%2_y2nYIvm#D z5{4k$F8sGc0^CL@e_LW%GR=Q3@}EOOF(H0_(0}%fZES4r-u-PeMMA*ezEORH$Ul(xKU@gHYVgZm5T5S(QKk9h3ZA0-+FM28{fGUO&$vxp5YUUD81Jsl)VJnRFp> zHdTft++oksTU;N70KmL4Os`LGMjK1QaC5;0?F4WHzGfORR&JIem+#J5_5Mw z{c-{c?jW@sLUFYvFdcHX}H7?P3(xX zch73bsm>K+*hJoZG_rmUfi(|JjYF;H>BTuEp7LGf|PGyBZP8|}W$Krhc0{!>fvSUDs zi$D4W2IARGCYD>a)NTiqcGrEbUG>*3IvrfWaL!#ecjt8fQSqZ33eEk^=;8N=6LXk= z`w+34wd5%s&>NB)nX3KM-H%?y@EFIW?_r`PzH2g|V?vG3Jq9r}Kd3wU)GQjW?3Wp3 z4Q;cY`o?(5}ItQ zDt`R*Bl!vI#^>4%i?!}hXZ8o6tJHhcpdB(OYX__a#2bT*4$SKJJK|<;FQKRgv_mso zCqiPrHIm~U(zl40O&|3epPuF|?^!E&|82-vg8g8@fCimOCGKd+aAyzkp%{9ttE3ez z`MYStP>1m&C9YXQ5F>h_37q=xGl~GysQU3*vC|R_NgjviQxxvoU6F&^Q-_D`fiV8l zPYAMt(D+^aEt)Tr5A?!@n`v6hHW(t_qB@g*T(R8+Vx8UHQ&h<94BD*`X{~l#-!Ub~ z2<3-6cnFN~Bo85-s|NGF2hl5r?6I1ef+RarHSnAt5y9=vtEPn$KUb)l6ee9w_u@eN zuO#1H3HF4?I5^**+}_RlOZk_sJI)Z=F~9!X9xG%~+R$troOJ6sc_FA*Bf>96e4TQ% zl3HH1`pDDr*Gx8O0`aqMWy1~xd|u0xJ58lj|Fpz&AOZ8gBZGjyf`|XpX!*Z`hyOj~ z?+D;OvxxtFF8@D+&HpVg|65-EUsRG8S0N+Y5Nun^w%?>_9SzrC3A^nF(l;w{2|7hC zWE(gd6G%WG=$F!w09s9q)X)uoLt+Hj`V0+Ol1Kr-2nn!onPy_On4Z&m!!b< z(mIbZ&V=|8gH}^DVUM!~39JGLgfs7xKAFS54X~gUji}k&DHu#toal?$`Qx6sn9G}B zJBC-s{EY2&=z<-j7SY1;42u`iKjEr%a<`tomPbH-qcR`^qyvfRCl|i7+}XPMd*U-d zr!n7$0CD~8LD)&H5PW0egQi!U*@^G=aV068nv#|U6ai9 zt%j!xfTL>?{gNMd)85-PE|v2wY80_FJ~gW!`tU864b4_6B+jQ3iCe;d7y>}C# zbHl{K-nzP0Klov6zGbeabx1UlG0T@etsrVH@#v5|eS~e? 
z&6O1X%vbYZccXuBe@+a>OTtQe(@kp$u-e?Ad83rIAf<;0B*Ox2Fx0aCGKvjrVEBr)fbXUVy_2 zc*rE#rGH*LlE6=X6L_4!!+!ZG(p7;$6vVZHXh7hCq2^fzQW(5eGPr5d`+Tetd30G> z%RCYvg>u3p>)AjG0gPEMmrD9{X-ii5pbaIzMUxCgHloa`FpEHJl2lp1zh+<<6Z-{R z*b~wpMa5EEoJh#y`ZGJbGogq8r@k;hA2uf^XHKG1!dzMV!$-AB=$>$bjsp(6$jHc_ zUUaHhl@H4zF3}BXu`c}^b4IhJbS|!w`;tjM6CDisk^?NY=JqL3GJ)JxPAE<5wzo444raf{ykEXsXK;32 z-V3*KbQNI4no^`r;NalAxI`{Ezr5ur1Mr|L(F63N{QTchG$46-l=RIPpKfk$u$f9< zUP#Bb(qyaSPDa@pf2a~GZV*w}hHu!q7(mQyOoEcr^%th1q7hiK;fsxr)1OFSa&RR3 zBAOkK)Lc=b#?jI})I-+{rp*XBCne~clkX11H?rn;P zWYlS2T(35t0Lz6Wqn^QHy4W{Skgguxhv)`gmM^>~=BfA)JqKwPHH(R^s26+3lIOhz zFnr!~aiLi~Ix0p7YdVohb$VMjuC(K(%Q8cY+)WNeiJdEkgELLdr&suiJ=u}jq&QF* zeqI<59ZF4HDP}f@cTN4!hYFQ@Ib%!OJ;8s{my}80+NYm}G=5CUt&s@*8EC)p! zuZ9EFRto^BS_!{q)=_9U>!$^>oP&XM(k8$o69j=2s4m+RN{Q+L3|^{_A1AJtALt;( zlx6&obz&PiIk|d(DZH}3Uqk@SG%n`?n0GIE2QOmQAz767lrIed2NuUP0bCCyaxEqL zJziG^<6MS=9T{MrHfJtPlLe%r4`MfFke zYD=wGn+@ZZgB1pd1>@I9Y%uYChg48S8nty9U`y7WzhBrVAU~a#yG9mQWF|Rxjqm~& zFEQH&2&{_QE=^1-T)-Uy&|!h&rQb!r`cs_rvb&)m%3?IKLgva^ktZlVfez%i-@P7ypoHC&bb(5A`LPf36hj+eW@wkc&_tT8@uyWSIF2gN4(}1W{R*FH`2J*}bRijM7j7HtmRRX1xt61R^H+mS$#y9YzG)PtZ^>h|0qq#20vs zuRQK9MW>H=_8!2X%aeUE-V=O)EMJxB2UAEM#vsxfAHum^cq`?PKg z_s`LY0{)~Vh?cZ-fMqvQ1^n*`kpX_;z_9A&CZ4N18 ztWzuRy;36_KRXr}no!Zxl%7^W+XJJRmvcB|B4tR?(J}R=hO_Ed=Uu){88IX|T=bA@ z`C2O-%RXq&#_{-C>r#5v3=()fS`uy@@#gZu9^R<=zjGpcS|G)xG+gk519W)Ks^GMiS@xr&ME})71N8bC zA+W5ej(!A)TSufLy1V~qR?jE+EnmJ@+P_&Jn;IDPX!F!Zieqjf%}DVpp=!-$3baWz z?UWRHY8bA)VexlKU>t^LD?9<*!cxgU@gbIJ^|eA&$_2_U5YvSCw<0TLi>b%=_Jb^< z?Px+89*|$U_b4h|l2sX=KH;8GT zh2+hu$YH(!Mp3dv{ineh!Ij^lwk14i^A#hA zDM~A_Z@Hhs=N_?p+k2o%e;q|4T8#@l>hU=I0j&I6yC22hIP|lEv-{4h2OrN=q~)5zB5`d^gt5OP9RE!Nr+g<~33Y_#HQ06cZ96cRv&*rhr zcMTY?LvVtl!1UJ#2U+%j`aC^1FkzAmFC?VFf98i1yH62s%D01zXb~H-+Mmc(xi>3Q zOG`I-l^U`7#HYFEUysEWW;hV`gC~b%pC!UD51KIm3O@(-@Rg2^-D1=Y{`kXKWSq)( zp9jz;*+I`wWgRL}ApNO=L4^03BNt`^Te?dZ!84b|h-g4%po!@Lr{*wT;0GumZWJ>|hWg)Vb9^ zpw-b`dxGBBncoSKD{~JkAQbi7O#C zq`t0ij)8faS!FD(n;%v(3!+4=@;T74__P+jDG+`5^_lW?@_})Ot^1AWdZJA3idbzm 
zSy$8z>Sw5~f|Ck=sLm+aRpXXUglGI3k550m&dHin2r@Oxa>0bGPYdrCRVWMJIS_aM zo>S-e(AQn`WlgoZ8+}Bo)r?vDpatjjEe)qT=aT1@ekgZ>DLbl;e!n+#N0eC4T)Iwc zd<=J#V=W<=J+h&KvZ3zr)p6)dM6Z3-rWGe@RIk!=t%D0xNzZ{`sAs>t_}q`?oy+q; zXQxi>6xk1A-BX?k9K}$)Y1Y^o)Jn?)WG_vs$+rzS|CwD`RaMyIAZX3=TZH<@;uMIq zz?^O*prDoB($_KIwZ#9%j#?>Ia-PRv+fVYZyjc zY&wbH<*iprW_v2@cPvdb3kOpNpTWysenvM+*;R`zxaHp1+$3Qe@zlDvIIN4hJgjA4 z5XkuDVM!vfccWU^R>2j~q&XQ%|IzzUG4z}+&RC@OR!@HkbC_+40i2=fCEWDLDp)Yr zqRu8$lC1GPI{4nHHu9XBKg#pHe&%o^f2tD%CvU9e=UEEvSaC7-+dXZJ{LV=xLvke` zZ3MX8B*rsz($96USyQ(wrkk>wCzBGIHv<9>zjPR%7T8q%k@D*?>bF90up8TuW?h7( z)7_bUNJp!IM)KeO&MZ^ZnudyB*M`~_J|s#(Hk(eyKSVL*qaA)hAL0M>j|!_|n&YSC zl*-rmoZsa21_zmxlV4)@>*Aa<|?L7O1~ zR~rFOK?mQRq7I+=3~+wzUR(Mb-ZW>?E#A`^ynFIHiXRxa}cVH8fF(18w#q@(%BJ9d27JEq!8Apfi{c}Irxqwm&T4EmIy;OBF8E@D@AP5 zP-()yhHe<6w4j(x;Q886xUc)ihGzDIxkq^w-I0R5{ zWLPaX2Ze-;Z{GnjAzgr!&BEyt-SXm{<-YhMG*fT0Zo=VP8l99BeBAO(h{S#J3OGqA z@BVt$I9>PZU>0NF$jE4~=b@C795{gY9U^Y_v5u=Nr#8U%PkjO=spA9WR@>X#Y(eMe zfN5TLq2A`M2@h(vOfw?eN=z(>_c}{7LJtV6xVuYw^V{`u>@t8kXc+p}uV2`#=GaHS zueE{HRLzlTzm)jwsFdWL?+ZOQH_itOztElmFDs)(Qek|r%Rm7>oXNuV!7Lhpv+0f` z5wd?$t2BUAOmKwliUoxq0{K9I8=Mp{k4NBqjxA*c+3MsFJDqgb7OIyPO3EG?NDj(nnxx zq!aLN+iSbrZpK#tF&DvRrsKJYrOkJysnnD*X~ncsCVuWux7#=K%TMnZ7#KX#H?V;m zlmcxT8kf&svd5l*_>=r~;BADow+k8=8?Qqs)AChyaG6mVdYV^!;O!Si_?|;W30vTGUI!?9r0Sr454q|jMoVVt`A2kozf~wVgJGb0h{qv8E`{g4v=-Sunnu`+jk+DbYs_U4>zY6E;2NcGJKDUA^9om z^Hwck@C;4JfWO&a`m^YUD?Z+J%fnfSBYmg%1CXg?Pfl@S$ctD4X)qqcKoH7g4^vqN@GRMZBwB45e6r8Y0B4A^1r{JLPHocJlA50X&#fO&j+U_%{9DJhNb<2B^!3yikP9%GBTQykW+jjALyvDnfznVF8|JBTui z3+PN>(zjof(|Jj9!E=aaFrYc7h|X(tIxZdA?!waP1W*Sd%bxco?NN~;35kT!L>o(e zO`2H?Awcx+-aW--@rK$jm=|OCa1}sPK)djWx&PP`>4t}l{4+kv4oUnz2_J6PJd*Q| zeQX!mb27WxE0!OmBy%gk^1!|-8qQK>X;}HVz_56KzFK<9`(G+!RIwj`x8>M6Jw2@| zPhdlqO&`}VgOKd-dx7iTMGrBXcd@~NwgJFcY!1Zl+fv?9+^SV8aypu>hjOBVI*mpe zq;h&BT+32s|6~X`=$gZ3dpps@yaBx(x2KY>V^bVfpK_@MHH3h-6i3S^xsWa$y!eCcB6|aEyyV3`%l% z$lktFE`iM|Oe{;5taazQJlW5OeA~466{M8~aP4?K85wjmx 
zzCZ*gxk(|zki=q^i}z>iDW?fyM}FNE#n5~sXvHv1Y;rx!b-ZK77)8iRtxru&eU}D+ zRm#?y4786LiKYFsb9mMaf=J~Q%6=_qa4?{_q1il<(`BCvp8aHJFzQgl9UYS+4ntL= z7*78sg%4xGD2@x{oloD*Z4&nWt_K!U90*9mOPHGpq8@u~vX}Ca##SP$-V zFw-9B71~~SV)p<~%pSM*vBs&1Y%yn*VV8cF%;olFtuMSHr7rP$BdyOt5?3PSV~iWI zwBH6Bbw?&$bXlhy^LayOUqddM$nb|~OF&pSp2RR`6!EPrR)`ue9PtV$+|+K-3_0cy z-u|bYm=62GF5Ms8`ddOV-L_=Vqn@{I1^6oc8QgC%JDK9oqg{Rx?#_JTV#(GTt3mpe3FC1f(x z@_62KwoL;9MW=gW*{S#KMUp;5i;9F|XPl?tse`tgxshw*tjY(F z1KAEHxd~%bwFLMP{W&H3+~Nh#A%qYbcf*MGojdoNi6hMm0;qAqmsow(v2=s+*mj6{ zmx;k8@cv)#r;r$wm8fiFCH_<=YZ4Svl=y>&A>?)ygn!~l_1$)`SB}2xSMqA^mXeR5 z%gALggRaQLzh?vxY0$&TWkPskjxu}(!t_p0AbemEe5sV=drWsJuwlBahqF zZ=U)9i&YUm+-4dvf|99stXE~*0T4!!gEqQ@jbrQ&Zp25gPiOOcHc3v+&H%4J`eSND z&{xkpbU!(NK{xxTqWv1+*rSdPrzFR2YF4OF-u?D7A$(rnLlLQ2Xi7HuC{fTjIMa$suZ5n?k zgp*{dB1Q?fIJd7l;c*RFU|LvatcVgwAx;4!L*TdheqL>xfWT~B&d-t-E{Dx-S9S&l zVjTS%f1(X1Hs=MPqDrQPMHA-q^v2Y^eM^wJlep~oVeZu~M~`1DI9kWKmtRwYa)3~c zi}7bnSSar@cBjS$VM)NWrkqoi3T0=NS4Ua(q=TR zM&>=TdCCEvN{w5KQ;E}dvVqwCtm7|p@i)|pzl}%S?JXThX`=SFnsjd|??!Y7^wXf9 zws=XtREcOjy^IKPZBa8W4SK~}#5^4wYoCn7SsL$>VqO*J80W44_>>(o?FFBnft{nT zuJ&(KR>xwi9cnPc19;s55PMdKzvDomP*I3#iVP{f?_u*lZ_O@H&Z zAmg0`0d8F54$;mcmHuhuPwOZMXP8g9JzCxusSM_!qkyTRI6<1HO8FOwF`_t1CbsF%j<^x#9${myBRuiuh#t_}&$WZu-1^S9(`dhd4#4g)7Z}Xuf`LVV;Yo+6rd6SQ>bFdIU_z}3<)%t)Mm?5pTAl!@(%xvXS0_Ti zG%ExB&^DMfr``UZ&LB=1q(YAgn0QWHcRc*+;|M+Z&FwSr(QSt4kf(rjxKpZo_L9pPo3Jdwe)pKW68p=?b5z)wmQ z^|WHfmG4qc90`zqUJxS3pV{0pIUNvJ_DWW!+z~>KWH=3JF13&7NW~cC=@b)`@)y}- zAg3tdRBTMf{3AaM1ney)=EuO1(I>2kPy4@+ z=>5M!#eX^4hbY7d_H(QQxgYa{2b(V0gIgo)PI)W%`8s3HkZgHB9Z?XFuK~#CB)#`k z=POU*4`rX^f_H?LAmPs+DEt_Ziv}{bdy{VsR1;a&h6l2UI<1w)(7>@(Z??GAI5~hz zCIlnJec2{h$lt6&9$*H0=;P%#tslLl^16y6p!#e|pw&KvkAWYfLQKX#?T)jEQf1nD zzYyI>OKCoq_pUVP@+!yNp)b~OcI`Twa)ZE;YS2x&S2z~b^IS1~u9(V<=S>EK-zQxc zmie*-J$f!HP9so;P>ogSOjWa93&e&+(+tEYKXZiW}A!m67{XR_|6HTX?+nNW#FnTe>5?Y{r9lo|k&cZLhPQmSIEwQ?BBJ z_yx`~MqH3~Yp8FCAz669(<4^r=TFCK9g^J$HVOx8C^mJck&W&wy>Sz+U=M52)@XsP 
zS(cWKS?epdl`m;gmiK3xVU?Z7QS+T7;bQVp*@wz)4uCcvo?T_#ASptPt)ualoZs8& zyhKT$lj)GnL>7;Y5nyT6M&O^zA@P_eM9(KR<+l989ByNt&CdnZvP?*SS~1o_fs5_R(=qrYlUONE@Xp9=NPFZc8=fNOo4fY?xI9~TAUS`_aVOlm?P zoce~2Q-_T=2SNMy2Xd)10XP8M{JKv4*?6#mR3{%HTk{$Lk$Dcb=1PVv78!)V2Kl54 z?`fufPx1-az3_9vu%Qxh8qi`v?47z7v}MV^~FDF?f=^Cx#VvmX8DTSc4avk<@goDpuK`RY0UC}_SjGh3O>#?X|VpJh~E zH<~{f{6>+qAF^XS7L*gfXlai1gl~U}`kV;q-gx;c8gZo{LB3g)H3A*6;*2q*{e^<9 zeM>W92{YW$%l#v3?zG7$Z<>FOKUu^X8{S#NX~5kQYR^Xl7txVd0YJixWa~A2HS3KF z)hD~nE~U|*^?(djlkm+dn+N1s^n;*A;j;jP{#MGbe1zRg^T3&NE8d)?m!We_0XR~x z1?;mrm2a<4r>+-`#dsY&YB&TYl!gP^$fvEaPuIPuJFb>`LEbO(-4ZUQgKgTvt_=R4 zYBp-!sUIVjOU-czhy0${Z05u*qlda<(+Sxe3o^?)ROi<_y|`d+*Fcnq%h6|Rfg3N7 zGG;#PkEquDAnzkX3*#LMleh24XRRdOK@aeMs?kY1*I;bk^2Y8$GFAdnYIokW2NB1md= z5}mW50jDFAm3tIrYLS5LV57d{zWrtz>EGMEE;mNkc+F7VCDIV$ECR~lGfB{@(#el4 z@#o7Wam$#bV&cTvWP7TFD>kEZntMED=npOx10b=~_3}Lj%PS}z%6C%miye3?t<2r4 zf=ldgkrtCSU~9?Y8oiN;+5vW=1ZlffxiVq_XajnG2fytNF$rQ56fg%sQvwE0xfiji521q?<>f}Z#TM7>I2)!9=D8(#qKBbCo zp!i$wLN>9Tloo~h?E$3liYAwF99Kd|xgU0?E*Uq-==+lzuVEPtRvxM39oi!>rt+a~ zD0nt5?q4fWQzi%cPqEe@Gh@(!jA@vCOj?|u0yc{b{pgsakrATNmzvm&q|h{qP!=(z zUyBW0%MB15-XuStQkWdZZrEt*^7GeE_2k^r|(8U(G7= z>S#$1O0o&!6a4b(EKT-ykLIyPz^>N5F(Vc4Sf2UeDC=r9Y(}} z_7l5PrD&w>m__S^1$*e{Ly0;YEsKo{0hNkGTL}<>rU_=<5=ogHOYQ zZtDXP6~P{1=@^eW zl3wt1Op395*=3Em36=a}BBh7~ll-UYZ-UHh*cS&d!%|-pb}6-n+X0y|YAQX9Q2$y6 zRS+b9+jDCMGUM~bsgyuve0HN}wu?rR`EW0XO?SXn3|LS!TL||v zK@tHV066OW%LQ6fL9ei}920oFJJrYgy)o2fHmU&>$-c|p8!H#<8P-wE^j{GMF!tXD z%3N?%phX%-l%%92w5OLBggaFB`C_XAr9@2?_Lw&#lyCqx`=Os*kgs$zsQ*iR9W?3d zhET+9xKsszI>F>vG8i~B)sJ-WyOnA-&uDj6ZDU_^6HjoGJ>v?O;SWRdF zjIXuj4P-taevPI)i|DH9;s-_3^Z*$f`nXG?mF|ru*JO+x60k6SuxZ?QbHvmm<#O$I zH8gYhIU(pH@8M6^L+RFZolTCvSup$XJ9OS-!KsGmPlB z$1mCJTYxa-?ANB)M_B6w^VWfp5{2>FEZGI%i(EF9@vqqZ6Ty*AZp~T@VqfTB@ zMRI2o-Tiw>^`cFM$QgEbE2$pXv?YqE&l7cgcP7i3nBQ%+kv}c{M#nEuF`E!4QBIElR3-qVG_JeO^Z))`ZWZ3T_pm z@hL`T2=Ci#>seQMZQ8_oJt7OL8`hnWt;lQf1#?4zI@AVXOZpvZ0~J>8(fALBp*I2y z=AXV!A3}OJYs>P2J(46uHPHgCqcWVU}*EX;_zjy 
zJeNQV;Q|z?C?RJ&Q2)#T8+O+j9H>a~`IQjnoA)uV_R^x^iL2_(t?y&`?~5-bdpIP5 z8xg~Zv!&Po$blj|Wj{nE?Pc^XmYNDg|cJ=xsO`I4a;w;9tEWCtcwz7l~x1L3XJzIsES?-u2(S24&x$rOH6BByzIDMj^k$uQN7c` zJwRTF*}1h?i`uC`J9gNeLo0eGeE3TzKd-MS z{D`@>J%#`r3#L8-V-M((w-O@{EksW=Yq099lcoPpW2#|(9;cEK@su_Eg&+;6K0Ds# zAK8ce>V(98J{j(r1s}kzc)&^jzD-Yod#7|3GY08rIvqR`lry^}?XdU_qdIgX+)A(# z15e(~O;20mrh{!wV6(+ykj8-eQPHsY;N9ed=x1vdh8=n_<5w~unt5A-1Osy5)=McF7QxEX- zo;!Ys-^oi{@Ihy?1{=gaB6DUlGN4BV55z7w$#5o;Gc4oNkc1Y2g#1=?&?tAqGT@d2 z!v?j?7hxCW9l=(bktjCM;fTQfa&=DV?OZ} zftlGP*C+9PI~aDBzs<{LFd;o4)kSS)wR!i7T)r5~qU&v&2Z3V~bOW&xD0y4a_01?K zRBJX8QlgBj&8k9`x?ig#k5Qur3Vbz31wCQO`KT8Pm3u%%M?rrNaqYl~v z-cBLDr`Ehx$9=H_!ovMAq?(u&<#%lA#WSzo0*x~hN{Nb=!-Wm_?ycCReNC}?LGW3K zaS1nU>@2@SlkJkSj1@&n%;$~byU!h^YStyM&wUdgrJ|R1{*gs-J38?7)YdV%!8t3x z8K77qr9)^hG1k>R{62Kk(MpxoQ%@;t;7k0tfee5mVA*bzS}kqgoA`tlWE&8WPpLYL zh<@mdMZ>H$1FjTF{{OxfRJ*|2Xp^*eBhu=gdBk&t!y`!W|e#rXrTf>pvK^UnB9#JRF@JC1`;W!ECCPv8Ud zbK{J9$YSZkSrP3NF-=GRtl#n+*85t%UEatB$(Ov(i7Z#;fS+d3{uj8=1YGnxNX7%|CHU>9?cy>2~%BKbZ_Y143z_--ww|N zG$^U)2~vTXzu?}U*!Td!%D$W%ajhR?N9Gkw|6lhOXjuWJzu1z8Ia%ZiQ6Wgs}3+ zJ|OF(GgU^*(|1psd|}mfLBer!tzMqot5((i4B-8lwhUDrmEm1!^akqhAl4g@SjCDZ zq;o{{!gg}5_7R+oD}5EP0i^XqU>R4SwcN zo(o#TJn`O4jvju!OzudKk0E0O-yiFABhB9X%l)g96(>JiT5UrXONpNE91h1boL zyBA%+Fzs*m=u0df{wem*=figyjEU7>k)i^WWi?TOb#rDmB~r~zCon;B@XjL0S3=C` zjrH|-a;G$!Y(C`bXPg0h)M#E5R1``*M$-T)`HwnR=q8QCN4Id{OiY8(!Z0JhLpIX! 
z&|JdP&()cn>0<%Ahz=thAo&a5okgf*t#@y1=2x2=z-j;q^=59k4-ec$N|H(%!Wxu1 zs2n>}B8!-NQ7%&qDeQ}Gl}`{|kB)B%@(;_O?Z~NVo1bHeLqwN|HG%7;+V`{D?%m&i zYZJjU%cw|m3XW=s{ivs==p)uP*hg71nD3z}Le6)S1KD%*?UsLx)l~^~bTKY-NF?F1 z_>9qn=3eU3%Psbt%9R-Qj-{rEbZV#51A_qRuiTBbg7E&GDk$n!%LQ3gTt30t$D!MUX=!_)$c)vB~;=SHBAR9Sf|4q1sNIq54V=VUhW+Hm*a+8 z1!F#qNc<8#j<>pulXL!N36GZ8bX4F5zN@TyU9^@K_X&gVL0RG669X~pwqV_p7~XWP zcjLzt_j`#weAGy&7kjp}G}t&QatpXg?*g)1Eia?H>Cb3Q`5ufyG-wem2!PfTIcfyfCYBzj#QR#(8=Lco zqnxjJ$_hM^qIMkiE?$vmx3CmbK;e!lp@=L6Ge7ijMV9t(?C%?gxd?U(mzM&X-wDDO zKgoE$?JKkLdZ2DHAJd>NNh|h5@rwm9bQtTtnJ75cQG(j(C&h;- zP>}xo6%j!Up&N4Q_t7pQE1|L}1JrbCBsOIaB*tZq8H2YTDYWt%zSwg?Bj5OJe0UM# z_e-B|1}cX{i^92XWiw~ooCZVf{fCCV&ShDo#jM|ljU3JTkmy-rk^?(lvkpzAwBksK zA{1=cb5A?sEh(vtiinsca8t>s@Je{30l9Ij@Qf+afo77iGWC4vjH~(Wm!!` z_t3ONT1=bB({dg->x_9XFOtcx%uiv5L!-U4o<_g2=SHD#A@HW)>A@66Nn9njhM+et zZc$7pR`gqSAs-~4B)PG0+kQ@`&>Om|b?d(xf{Rjdt|2}6dk?Q`br&;${_xNP}lrKZ2&0*(x<2lP; zh$OMe{^etb>Y>jWNT$JGzapN4bIn)lMwFf^s~Vc%)u(qP?(5E`ZLb`taC;?D%(9;IrkmX^ z-rb>16|?SC>LT2*NVm}B8ujtKFHOAdI_+IHj{X(9Bd&*0Pj=(!kZp>XoK}p28yP?R zLEt%Nmt zd+E09QVJ`rSS#JtH~vJWnnqv(Ezo5cikfu52>zv~ey)JK_8i^|u)XCKY$2B3r-dK5 zSkX=qR`$FyC}zR=z^`fLiuL{>(Fo}Fp|w8mNHcI&V043-gogi94#0Dcq+*4HJ#Vd= z_ghhr*_9)+?m$Ms`7jp4d>rqr^4OjkOV6U-CVyOuzkzCy$yq#a)%3~phx%M@DDvCj z3B58V96}x7W}K%TuI_|NAfBC0gw+<=5`kAS|pJucc>D76T#64{_*E8i)$<oKgZVuG zR9=;4bdqtYY)LGds4Lj+nyo`vBtH*(5zEyEFSz_FlEn6ms&WzCAWpz1U3I6Ha)Kc5 z@0vN3%&nd%+?I6`j?qtTa+2W!5xZxBnfLl`)ls_`vuE{X=#BD^p*NLBksH65J3>AY zE}5%fS<*CEg|uEX<>#XIW$$XzS%;^#7zk)f8oK=yecH>Pn4S+htxTz`w$_pO`RHZ$Q+oD^aQ)Af zo9lc*lsac2AMoW8djj)rd{}J+c&ZoLPhyZpY&s$os%D|<@hY5zg`r5kAmGKNJM%_U zuGVb3%16o&@uISb1DjjSQEk{Pe0_6WZQu8u7o1o+*QAGs;iXW0FFrTH7cQV!YFnt~ zv}UZ0f|5&MiWe5U`pH-q38lPNw$ie5+dcf3M7DrEZ-)Cd0NHyVD9E}`-e#fhi+Dk% z`gz`AZSB`)5-TI=EpbE8ETz2XM%o(9YBCAwFc?bV?&a<93nNK{-ZSMo0eaB#VFStC z-7Iow(yem>Cueq12OvN4H)w=e^1D>|eM+Pdjq(e(gk`DP8-h_hF_KEm($>$Jm&+$> zFLWGlHUq(T=|`TQ;>tFwjj!P*R(Hk?igG)B)j4Nob6O7LW-qW!rHsAyoSt80SSWHB 
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device7.png b/windows/access-protection/hello-for-business/images/hybridct/device7.png new file mode 100644 index 0000000000000000000000000000000000000000..80f9d53d2c947a099bd817f600ded6836806a25c GIT binary patch literal 81228
z*?$cWza@l7cb`hCJ}CkJfj|AC{__Su0fFO|&=@cN@jxYL$)mj!cV$>;M2!x_FN2Ok z>38*w`RHd)VL9f}g{}!yj4Kd;S}(r|B&3`fJ`K z>|akHtpP=rf3g%q!}q=c$Tm7(lA(_u%_)m-GjOFKv>M$@tz6Bv)^gz8BC|I-z#fom zyAhoqfvhxL{G-37ybkzyLg}ByndWyuQ^lVX64EDSDl_cxoPf^6;+aRz44bmIhur2x zv^iOZ-1$55I6-%%lPGqXSI@}K5#>Gv<^1+*h_nhUrG3k0&&95$xhoE~{(OAa<1yi4 zYu*abyf5VE1^DBDtV`WP| z1X;LI1@G2`HG&Z|o@(moM1qFp=-a|{+Qx#b5hHTR=hG%6DF7VW>a-h2eVRvD1D1zv zaOshnfgjTd>h^1kvI1_*G1UsL794s*Qp^g9m+a36%lzl(tkP;`-?h1o`xhsQVvG?Z zSGUdA8YXhaITMaVe>Pg}J}Mn{?3-dv4S2MuaeqbU7$6#71(fjmg=73q-E_y4>1fg5 z``Ja-q8m1Cbzwj;#)2wy#g4PpN%BK8jMMTD$LK5mK2=2=wu3_0<~7Aww;r#H5-VNI=lv>D@Fj<8P!Rc0AaX(=glrO5f1V1OJDJw>JIvHt z_6`h)x=kf)<@3n9n3OU+Uy)N#KzCkNKRVQ7M3vYAaBy(qWzgX>&Cx?@6kfCpa->Y? zW@u|Wch{vY7xdnZko`*>YtkzLt?ue5?SV1(?fE@aZfyXHY@4 zajei|ssG&9pJ;Z!%l$COK0ZC2k}IkXQ6NC1&+5wrZc06utYiMciZ#*OgEWPmw?~CAsO2^2^Z1!Q&FuEZGT{aq)p0Cem`L{rCHTz8QXTx=x1X;B;9i*07t=V z1tnv7X1@#?bX$l<1vl-&9-u#Bu03Dtm=;OpF>=2l^L`YxJI#$qeLYjOxow3&lb^1? z{`B7;_2~}`qL|AR9L`*mAN)uUfLZ?|78&jpr+}VN4wdMg<^m7Z1{}=#wW*NtAzShfHv@{fa7;~?!6;%^5hy4te$XbYXp0a^-hk$9lMo^ZEyxC-MRn0GtL!`6Ujy^s%_d~r z;4hJcc;y>IoD|lDi~&*D~zF#Dq)O*B@;BEcw60 z#s8Zf*WwoYw@?2iP!Lbul|Cjq%Fin)Bp- zNBH%1wuwp06X9bKv^#X=>|T`~aDZiq-F2UdnZ_1`O)iFJ_F3qr8PE5Pttzc@1Ihu zZ+2Axd?euwb&_drX<)Z5jaiu(|D}>S2c_YjXhqMvqQwIN+Yx!uitSwk(r4jPbK;kg zxo3~82)@};9|7d6W0QEGJEEU+uEOIBlw`|R>f;Qg4Vr>hBxCorl3L%tEuZ4X{rDm+ zU%RD?I~5_X!o>Umq0YhT^6S&(J0EF=`7&Aq%zz~}G~!6vo<^;H%NGO^kj-M;_5zt& zFd&!tK-m9ggcq~A;$}!JO4I?4-L2ZF0gN%zN%%)4Bh=$uud9edALVoE3sTLgr-0mW zq^hJ})9zr%{1mh0Ey1k(tiYe$%zTxjCQNI%x0_v7ysf@+SLIW}+{bs?K~_2iap*Tb za;j=tfsZT$d25kB)cZtI#Mg&P8rE(sB|UYF)Xt=fzlSeb1Wh{L7_Iz59F8oeW1t6F zeSPzpB?GB(T)JGhq_fnA9rwhXG!S~xcC5*nJM7)#-BoPTy8R`p11qu(f82OQI_Q%x zChKI2KMCmd`w=^JQ3=oS5yF9>Ab_1+qsHcrJVPTs1+vLS=Yk7Df|udgXz+hI@T0W4 zx1&9NTP$S7V9JnIsY(&Gtni;0y_c(c)jKE;fnab{ z-!3K$yA$8b<5Z({X_mE*^Y#c)BHiQCGBbQIOCnmc?Vb~ayKTT-V0G|!^JKY7E*KXvOWPUmgpvwR13N*ZRb z*Vc5(Z_NYZ$ZJ>uEBS+>Y&W9FR;%sNGs~{T;BwpckU>qqgG_01f%jzZi<84@GefF% 
z)CxtrQBIRel9V*366AW9#=G78rhO?0)E~XEJc-f8KJtW%+LkmF5hq|-KRxjF5$FZE zeSwjSv}~!de^18(_f`*YV;K)_;$8)73&dhFw(Er~pPJXM1}i#!f0zGWkiEJGuL<5X z!L;^SMPql9gK%%+7iYe|>t`6hH zv<9JVdO}a*b`twHA8*gXFn>S}6okGq%ByM<$F|*G#h;pll3KGGC)V@YNfndx@RD^t zR&8F+0vSY6%oFi98m(w+SuD1$pIf z-`{4j8!iYath|e9fM->hobr8lG9U`-Xo0kD1P7jx5!(w9l>a z?kv~Ri*Xzd1>}spKjz!+8D@_?8q;Q+jGtQr=G3-YTvo2X^^vQvHehl6^w!y?ep@G9 z`dX4*{HSpYP%xcf)c%#3WF3+`rLuex4)dX^GeA>dPG0`tOh6D7ZI4A9?HO`D8XunR zuA4%EDc**e|2ojX%zYUTdC3_#?R{z^2orUM1tm3wHzMdM=AAg>H?2rG+_-Zcx+2KE zeXjKkS0J1fAq(vKbF=Md^SH>VND~s@zGP~wu1-=hiCfh0_VUEblf-^lq9&~_H*l6FBej2E+ zI;2j0e$}fdgXv2@7ji}J>L?C(6-dRR@11r_!HF$wbDa<&0>64o`{A5u7{+-BMU)9G zUgU%d@>t|w1kj~62pjy8whv-kiQF|F+~mUh%>;f4sRN7W@uAs84s5?l=0D2LG5+Cr zM$OvEiGYTlTexebU0DU_Nm^hYrE8(aUdC>bQK&T6jy81_RLOeoj&s&rF{xS{h~Wyyy4kFE)0CFET_XAx zHP*T4j(EVrZ%WoSQgmyYs-|d!tNled`=e+R810CiDeTf)b8N)Ws$s|kGyMM2Fx<@L-e93Ibmb$9&JltYV z`M^g(Xp(DBT9CC5RXYC4{^X2|$G-{!Cn?<|$S@t11;tLz6b@Ex%2e z3@ZH;jtM2_9K-j!oi9GKZD6xuiO+gp>i)NLq^xes)_{X{j!WjZED5IxbV%2vB6@MNJee$$m}m*e;_X(ezYMR5%A?okTPPS< z04B5qQ=KJ=PY&|Lv9frc06+H<-hR>>>AV4@>q8~l%XEAP5fQwB2K=o*yiJB3PN+Ss zHd6C3A8#>{hCBff-3jaOB(7_%L2%Rf#s>`2?qEKn^SDG!7xo0-I9o}gw-ns@12%$l z`U)R{JLo+ljrk6cT|ZE7&J9Cjx2j(Tt!h+Qckv=Ab>vW3xc`c<(brpesi&{%)vLflJ0t#TVS2ZHqvSkU!vGRt+!z0NcjOr!>BW+@1v$wW@oX_x-FG6%K+8X6f8v4=;AV`Ik)utoee>MWpgyslEHh4$6imO z!vPf|0MB>+*tIJV7KwRiI^5zq;D}v_=^ALKZ|vXn!M1x+vmEoWo6<%eTaIxgZqEZz z9sfJ{;X8G3IvK>kIjS6eIqdMI?mopPC;011AKyy7Ad<^FVel6NbjUuTjv;A!pc9gU znekwXA3tD}#-@MQ*<+mUS&b>*)x2xScnNPVNOm0tAB0gdscOMqdCFdiJ>XlG*)uk) ze>0LL86CcuVu&()*1GlS9S3cXC!QjRdPZ~b>N#M}>roTpPI}@xQO-yBl!-;tw|bZclNVmCYcN_fUD#Q-h=vivq3tM`4$n z9_W^#s%2o?x0ojJQL=5*mL^%@G+012#~=&RsPJVXy5T&A9BfRYnQ;QN&J(|6P=37E z(k(O?rxjFyEJr|k0*S%fF`>E`q9jqtyl)-MI!HyVha?kcp_R82^QP}4MmU5;^7wk1WhTM9NDaN$jVr;G!d$Hu_P0J>D^5>f7v=&A0+W|kpS%2N_lCvYFvtguO*dKsn7#hH=O&Rf zhhJp(Wt%`QaPKBMh)Iwvw$f|tU`n23l&5vNHY@BoBl3KSsDtgahWD$Qy~zQaZRu#M zf20RNb5%X6LFXh6)vcbi5cPRl9dhnb?m#$^(nOj}!5`toseI~O-uP_72pFoHpBwJD 
zbz3WJrgS9g9lvTAYu>zLzd5k`)qBo!qpTA~p#TWVhL+(#sr*O*KKgHU7rUy+thTC1(Jkv{;Cyxk7i`uRCr$@JmE5muu{b&wIQJH?2!bVTE80UnsO@% z)F9<<7y?&3rWtR}+H8gnCWMUS-z)*5R}f%OAmn!0&ngU+$*(OGj4E5DvXK# zz}a4vShM-)yq(&z%@Ym(vrx;ogw&|NB|b2|U(aSd%Uo0dZ{#&PaqF{$#H4(4d)24_ zaFGR^X{MQ!s*M*e?Sr711Qe8Eo>{luZlq!!q~Xt*xlBTSO7X_Uc@PodPdZ-iqn0ig z<#VtSXQqq=Y9Gy}nWhF6Na8bPi`U(vKr6Sd|EU>G6Ne@B+@jNNmtW@&-{g{FKW;!Y zk&WX75wo?4j{1oo(KlFgu&Hp&(st)&> zCZtu^8niPJzjHooV2X|>s9IV+J`(%g+IG1xM&rvW5>wTlz-x)~i3#^*4u~d{tZB07 zgqGr?9Mv&Sxu{@%hvan6O})_KkWwX_j?y1vtKdXR#xskD9LonYsaoutb(54bInZOk z38Q#YubJqiE5ixVoVD(DZ$;JzeQ6`X1)j1b7KWqz6VvHRr8;Zkceg=tAM{xp$uvD8 z1}1_y7JPAUCP8MyQWB2KzhOo+PL4JYJaz<*Z>mA5W5<&8u^LOhM$oGg6-=5}XvNY< zlPl+6>Lgm@6QFhOkyzW%uXTe!B6q`#Yz9bJ@JA34i$^ zN{q4Zp(@R81B;9<$Q@X|MMzTjA!TSq)T?Lv-*E<{Oc0$Bd<=U52mRLawl68S%%OgH zkR?uxl3r536Fz{JcEhi$TvPeI$NAD^I3=XLh(_yMuPta@1(HD#l7k@OHQ7?Y(7w=ed*vET>v-TA#82tvkNx=Gi{GWAEwo zZ~d5ey(Zy{>SX+M_#2sM&1@bMQ6?UznFs`)dQu1M*N&ioZNG|X+P#-6ev7MNw)Hz< zl>6+nc`D{FKA7odi6X&cNM6;)J(KDqo2Uu5i!x{maPi@@I4n=4zVyID5Rqmuk@3QM ze0i7D<_BE$U+Ao20rT_B-)BR+sF;_$pJ7JjWXLjsr-omdH)3cvxxOd31yOV!0>FO1S z&-Zdv%&Vgds8 zW`1>elhRy5KD+*QJ;GQsyM);F8AnIiES)Ll&X|0LE6YKc725)ecRN@Q1Wk@m%@~pf z=I+6J@64j~Xv;NoYI52YV1|zhP59o$qjdS8oo^c?bz&Ib<>h?cc@%4=x?MF}ILHa{ zIvts)q(T|M$7QwKH_3nCEc>Xsp4y93TBF!rk-a082DYCL>k#@cl!A8 zPFBj}vbB?1PV&zK<}mJWhCu-xrRBR*Sf-ko0bw%rYck2l4QvV3`p&PxXWC5ax?{tI z9=n&lWL!+>6}f>sLf0KCx_^8vdZ0Kd6O^!F(oRCMYfP8;KEx&1T6^~>%rW9o>=2mv zU3uhFvKHE`S=~dV8Kcb+$R%N*cI_!+cjyQ-P{OD zuDmYghqYi^f?Ed|9d+KlYs!+QVq6#} zD-615rJf|vgF{MnTK12RM$|m_dwFck@U4DIJ(<)z_E^==a_F;@bhvo617iw3oi(ty zGzj8evTxodKIad4BHV^hHt~@TXe;#-bwv;4Y{23cBS{=-Txd%SZ|j(`7nvE@f5{n0!eVnN zqs%>VIG(%n@@lN&*6H~`$BHreA!6sf4o)G7I+js| z{QdL;8Iehs0gK)8@9hzuN?#g2(u~+RCr|gY`Iof)G`f|83om76hBGc=llOyY>;p}H zs{BXoSUGP4c7>hKdD=EjD_9E>LA7bJ+h8K(p>G`OKIhi^^gtUIA_6UJ%_R{28D~r8 zUPPvcY%`k;X=m}-G56d3R}-k1BclHMcym$26n#0dFXseLbDz{*jg6N@osjx}WX8n$ z6&#L7)jmQGw1boiwRkTu%$C+-k7&WiZ3O&IXq^Y8(Wwigu-mqqX=!M$9g!DAUQuHj 
z{R^A%A!*kA2NS7!O;Q8h_S>XR+4!^D&m9X=5?WYi!TMBx&M&KR&ObP5rw;8oSVOb< z89gs*$U|*zVM?EH(SSjp=AXllU5R|Ss)06Lwg->M?55*f#7!e4 z?8hS5nIs37x8$W~7h+$<888mN|FkfO?e}{%e00a>;V;^7jm}iYFo{%VA@4x5%??o^ zaz_>niikVxLhA6k5j%5XLGBtQ)#6ON*%gagb0lc8(s!z>ItJt1=%Kr70v5R~dR%@& zFifm1-#*P{7EG7m-o6i?zBXC#)U@X4iP)NdZF4vlQ-kK!0COq~5*5QSPM zCQ^;26Y-I8P31l8%C6iP!A#e@Pe*^!4&TL2z=ck}atdG^NUsw4)f{b?zVtMH#|h5d zdr*I&sNK|TbYOXoo~nJVZ=J}wHgF^qcXX?<<3AC7SjL|BIkfnJS!(zE!(^-xenrF) z7PJsebF6vPPO6@5f^B4m?lM=uWY2i5rylP-O>83YtIxmh8ba9D?6t#(*u>jYByS~i z(b#=0aLrdoG~Sufj%HDq;1C!Iy@MzV5s1j=g#90^y=7FJQMWDJ7Kh-$HMm1?x8TLy zT}p9^Yti7Y#fno(DK5nd!JSgvo#O74o4)6sbME*5`;jr89~mPVd+%qhHRqapu2NZ4 zQ8`A-K75Wt6A(BpQUoofnN}ud9iLA9GQd@W{#7dTaWzi#5ef9DX#4cb6mOeW@ql_M zab13<&}vk&?Z!n6^WEniy7udGhE;1#mgVfx5+^c8{lvl<#P+{rGa6M|-zJ64oS^JO zT9tdI?GJ~7?N1^O6`Y&4&ivKYSs!1qJuZ z)O3FE__F<-Q_jer(b~Q~{ZhC_6uMnx>@(@rel0R1Rd@@*flN!%l|rqgP}mphG3;BD zP6dGQajQ=sKDaqdD+erPShu(8Qw{IcYxTgYJCr@FvD^Ooyvi`nxF!y|*kfY*@K*ZI zbI#qj%=}5#2f|~KeutxR`SWV)lz!-mk}c!DBFEYA+unsv+$hi}MX7$JUgHceez0Us;DdOgPxhCyZ5diJvTMBEv$+h zVKuUEK>P!4k{vc)3{iXQco`L0KT8u(^no-Z+rCA}U+iy5s>fqqepD+}j0UY@nXSpk zKxwuFWwS^%iG7sDd#@IS%Ym}dfv*S&8|sdD)uhD5LjDaCC>XUhSYnaN0KOaF4byF% zI8wEXdy8PaNuHXPU@AL1vJHoub;m-Y=8U!!7sieL6qR?7N10;?WK@(q-e1aps`(a~ zO)xvYK?M4_TAY;gnMGn(v1&mDt!_)Nkr>_6%Iz8ZCtX&rYgj1pxL~x{)VZsEE$&*! 
zT&B!9qL(cFPq!JvfV)UsTZ$pcMKKKJ>5{Eoq6qHb^vo}B7$To%jV0$hBu9C;J_icC zdjAQf_C%EiK6Yv#_g)t@4z2%b0XQIYL`(b5MNQhU$6()qdx11DGnh22i|`YSqxH>> z+Z=e{V?r#aHFlhC@oDh@o&zG9rJy_xWZ?p|-#M?e4>tZ*(@uKx?$b$5;a)X$WW!q5 z95`&c1Mz5~B{@NsJaK%LA#gJb4Y!$Aiyq!!;I1MXolZ(3Gb)+eBRGxWT@Rf30w#!%TXGP}_+-?&VsV z*Ty&>e^=os+g)5Anzob?K$QMqpmV$4+lnUPqaTx6zC$1Q?Y=C=6B4e%mb$Xj1l^Vo z6*bIEAIeY6I%>uK{-Vkl>hdS^_8e|>smN@0qnlxwBIA2nB;Ap&QH(z~5-HxI$5i;l zwDx4FEgfSdr**dbosLuDn9g@pK0%*hCnx9{^lLapk5wo5Ku}PRVt0xzrE5x;;bA?&QpKE8hjQy2;VFYv zXAo!*SW;EKFW7k(J3G@E`BAwN!=J;z5LMJ_IEl(J;#631eJ)Ek9Hxb2m!qX@?Q zwdqjJ0T&6U%MI+g{T(qF_bE>GVd)9CfDChMm3KlWNyeT&uf~0U;A8kOyBxaeZJq&p zblt|e^|s9XI(Dr<5+;SJXNVp5G0_dVf+C@4z?QwyTWU;^h_wihwB6#=n&@%Jes{#( z7Y?yVI?TWX6i}1ojk*(>VuPNC_=Qp|PP-i_=sx|xMwh>bm*ab!@iQ{ zJ*uL0$NGCS3Yg+4+jb^FA$1py><%6xm41Tln9b&XhWbZ$wBt2y>cd$%kE37M$2WH% z?q#fFf5-m!cx#`-M$TYfj6UHj(urfu<`h9hWma}pz5JZva>g>{rnB>&JXo1_?0wCr zr~O#B0EKykYIwu&%_)sI50OH9M1ozI8wiB8yU2RB@aXZ&Y#Vj2K}LVS?mk4_=;&2W z$(s!!kCb@@#4;kZCaQ*%05aSe$@(?TeiqSK;dTUyxg z1)}BXG5S+1(`0`sdsiYedV{}!X<2Pdh9NFr3;Tf z!b5p_4UM}8tm49qHja8#C%kmrH;T|m~3A=q+7pImWkHi|dgd6C{9h?&Yw@s>PJ zE#&ai*xg?fJctvanq)a@ zNdCPhIyYSd_At*zgD+8#odhb=gl#O_Mw)Rb`a?B+dZ|LYZN!%q#iD^@*e{%ipcwkA z=C=bV7r1q&Ovu5C((G6et-l=^1yVAaba6x@et?L&1?;xfC9XO4)Wu9Zpl0hYL@KsC zPBqwOn@cy_1h7}%(45#Gh&7TJ&#Sx~iv+s=EMW{x)24aJ=g}Q2vRZ#8$f^MmMmHau zb0ytOps;cUnE>!;kHHS+PKkbnU9}UQQ~ozL%gMu(Kr_Q}%5YOedtZ*8QFgGV=?&}< z9tMb#g<}g};ir=hX6U`eHDXZv%A^$YN4B?x)IKdkhx2Pl zcaFFQUT8N;04>fNzdxF1yBm-B_eQ{J6_FDDh##lqC9u>IFRP>^j01NlYQ6b|Uy6wDZ?DmM!v zGw09MtwgBI64a@{Vvs`lo5H94JHL!;Lgz(wmP_CBlBH`GJm}uFKsQ|Lpb{?}1Ii0u z$dTZ_NY2swC@L598eN*4fHMCf?%oM5OK^yB#hj{6k}mP1z==%KDRX-DJ18rvSwHYE zapJiu8dFSXOyYun%Af5oEP;@pt0tlo^k~dd@PyxtwdyQ{blRL7{_^(ZBEu;I+9l1zsuITcoqECIFcKe+B zCT*hFO-K8pG5%@YA*6gBCPYiZfls*Q&mTSab9AIbOn7@ zT1+o`e?Mr&_X+~WycbgiA^%LvOAKAir6*iZ;j(>65B3*gqOyXpJjeVG3PlX;W2Uy$f z{5+&?(~U2&^v2md^|1_tys2})NY2a)Ya15{Z)S-SBRFziV-G=6=;XkM@OO2KP-Or0 z>RH0Kwv_e_w8ShA7ezFBKkJ?cD!o4-U&h0?XfqdGHTTxWI5g-6iKA7sGHeB}VZw&L 
z4k=6|N4o^6Qd)AJb{_`E?5KCb+XgkUx1jhRp^1p#646e5Y@QduoqkPQwxX!GSz?&u zs=KiGUFz`td#>O8A{&O9Snk>CL<+dp;z*|r)VTMqm|nj0H1v85%MpF8XZl~`vEd*? z&zEf5^DY22qotQdNS>y>OGk5Xc1%8`fn0-Vo?>wwJWDEl zhex)ljg+XUT_McSP*)KU%Kg18s)zuFS##lOX@t6u}ggI*CZ2{)T#oS9lPfnv2@p^U5n0Ih8sCwrO zo1j0Lv%g-kjnRXMxqwTJ=|EzJd20tJRzeo^+W$LXIgIqJ0i#G zeb3F*n^AGfn6LblErdQO=Z+HT^jn)(>33l(z1(Lw{A&ubLAY)C83|%B_0tAnyGNwr zVyxshm(U>tv-!L7!jcL=tzL8Si}_;Ht<3~2V3;W++=M8HQ`W13_5nLD%7rjDv{8%c z%}GB9O#9|=;%>b`4Y?#algqY8L>p`w?V$z*vf7CI271-H~yjYg3z+8Ns1O(kCu=4UY?)#e}gdr5RIBuY|)ptiR zv&+d^qS}s|zUFJn!@n^H&lINJn3xs<2U{><_t@29){k8SG#`9yfLr4c2*k62`}Oy@ zaKcXTg&Y0~0vdNy&!x!N119}gu-3+9-y4#v{+S-SMbVmPBmm7Db40FX_i)srf_9JY zLyHSHGGdApyaRrxSf93O+?@uP^(xk{zZb-M5yFdpYQPzN&x7`26MFqs?CByF*ZF>( z0cZmTW(0mqV9x)NgltA9R1zT36zU)Jrb-SGl6{RC3}QKUSVIQ*klh+iPfk0i^n=I zW+1L}{+$P$nF4NB=ZSZ|lRd0$3k#->zS}0|=(p(}@ZcABP_2`v8KTtt@LdphH?M5n zCeqatS z;ULP=a#0B?x@FPL6d*!9^V_p%>d3IO+Z%_dgv5`#SF+lw!3|4ZnBZF&mvuN+5Wjn0 zo?uLlaKVjDa7BDw&rplCagI&gZqEvg?{*~YfwQMb>pTim^dm0B{_ivB-P<>$pHkzB zAHJT=igbW|iV>c)=my8=huAA64XViG5+=hx-7xF-_rbirpmo|Ll05|CtvZ8WzgQ(| z-hXN;Tr;iuksHVMFkbiPj$M|cdek`nPwY61{fU$zej%LXF$~wonMn9k*4D>hCXdG5 zqRYxl)bXz}LeT*n&+{W})@zNx*I%29uZ=p+pD!-YqT_qog+}bVCYx%z*uC`Xb~PN) zM^J|8uMj>aBv(nNX}^)hwIv3-(l^`=&^|;8FEco=3p%&;Xj&lAh(SQAuW_b9BQFsfVfV+ld3jTZ0A^5keN=S(yX$~A=6ae~% z$$XiZqdtoJ_iq%645r%tT>VJuD(rS65lDrk!z{SqF8WuE%_xF+IKyF`Z-mKOu8*cn z6iJt&j77BM0XIM(bo)1z#==GmscsChh)KX;{!V|dWxvXD`tIhU66Vt$k8rIcrj((* zXu^{e9<#X8E(lzLe?Vm9%Api`mGgLZ(Hs`Ohha;gvq2fXfzmbom%Al|Ns**yjPLv) z(c_J^w|xjj&6MA1;rR9W)2|M)VG*QC)G z<;nYVk9~fN_uYbkHZqx#Ee#VEeK0RhB$k^3mN?XwLUEO`ZCwu8zvj*{V8QY;wOfxk zj$eUJI(?7z6)Ib}{BO4Y@88}9V=O7I&FwkV&M^|*<|+^`T}3Q9VAS+PCp15f?~A*V z&Nz5H`vbCN)M{X*SJuYAvl7+TP835u@OE$MqC^^F=)5G9SGE)~POMacS3;4^Ul7av5PvriaW~?{bI`lCW0tY{fth{Du}MnRdyzF>J<8^0-S*-;V*aG@Fu`*8?x|lc}ti9FRdd7p*bV z+(Np-0bMGiKK^YHhj$zRK<9Inw(o_hf()@AA&|mo+!UP z10!C@%g~Yd6miqt9D6>uzHnD7LZNqbx?dl!ZyAWa`Zzk7Lt&Su>Ju>9lX|9{PV@Bi z8n7ewPj6hDA{@OD9Q3=_->H0KtE+q@I}%%A)tb>mxK^Mb6np3V^hJpBw80iqnI?pm 
zIB7+^5t%45inA&4UWCBq*LUxYV>0Nxk$R~4q!da)UBJ@&4HE*`PnV`&Jt)B{IFye) zyV<#40!48Gznv6*Ugsc8I%+RU`dh1h@A6a{k+`Vb?I6KoT+U$j*TU%Dt0|w&aYX*O z;cQ&(g6LlB(@SGk47QO2i}8s3<7bjX4T9Tl#0Bwppx{aFZ^bvP$8awxNs$;Aeys0J zxiN{oHgQebjI~t*pKoA3?K3gym#!`ai?^gcu};O(o!{#N3`{DjPp6x@&OfXSe|i1w zB{=w3Q_N$z_k4N;`LD7nRKwyt*{eW4v}fr#PG9CN{v}%vyQ&r7MOFQ z{Q4gX_(SY-TG#-*eGVsGx>w8@y0{?t^`x}ZlpW)}a2+&rIBbqh8B|X%(%G*iwlhHa z_3+d&&;Cv({}jq@Z?d6@hS}cT8NA4GQ|(|NEbP4C|D%t4;UW0l=E|(rIiWurKD*uH z7J*k>Lw@K>?cNF6`GIJ@8zlBx*YE4uPH|)kd^e|p zP`Gr%Zl=u~sYIC|$C=SSsW*u=F8f*j-)FR0QacfZgI?yOQxgil_&j#rLojocMRw%$}hQS#Q7FO2Q+k*!>H++e>ZT znjN;1o##W4sHuzUqdMg+b0b=hpEUXNdT~qQeAq98fHso5ifftnhgiq^M|MV*>zgUw zXNsC9$|}gQGOHofgo9>{Bjfhv8MKs-&6KF;oA^%#Ur~}^dAHp@tg7UJr%7;IAn^rE zw5=?=OzU&ZDZDX>wuO(^)SRaJj$Cy*3=M#9EL^=*zvYK4?xcptIJjGkBxh~)@(0h;P`jk|2>kw{{Qq<@fQN z7A|%els@YrP$FMup)|ev*;ixnA9ciQQYFCG%58i$ zCe^vzFY*8x*E0u$l{!E4IEn8dN;3nUK8^MU}3e% zZ+ZC$_Oz?6H>5HKoQ$OY7NJ}3StgmJXvSEzxsbg^|8ut7NZJ1(k+vmwj0hwG#;SEA zNt*RDRgN6_WRL}RMG!sIwq{K9#mZlE zJ?>3mhMYe;e78DsHd}79Knn|z*cfYGl`ThNT+d`NDi~TiH-Mb+lsa?;h&L=&!riju z@nF_jiMj*JeS0{dT=UcQ-rT~w;|_uIexu^rg)yXZ6^2dD#+UWrm)qdGuAsNBza)$X zHBi$#=lQMicB?)}9_JHAXvNBJBziMXG()Y9W#x01geaVtCtmy`E{^!HQCw_>r&+=) zsgK~(Y5cUCiSLU(fk-l&9V4dBHuh%%Max{S8B7!+iqCy`gZEV0@4X~Om-gaCK~AFN z0`E2x^~@k|#n_ceio!~@ZhDMx+8$jOE21UVf)HFfr^)J-1J&c+7_T*AK9-S62Jfo3 zU+*rxD{ZCB6q#{*lHP-I#(H=iYz4GgYtUa^m#@Y5zd*l*XhezBqpnoMWqyg%TT<)g z9-#AmkA7iAbDTkP1+Vv-E-4!H%uq!@io$3+Yz@A9ChfO>ANNIl>8rQvb_~v%S7X0v zW%hVXym`9rnwxZ6L^ei?51FYV^tm3popfw@ttwN~(26SDOl8Et-e3J3J9VHVY+FXW z;r>o^eAG$Ner8Zmad|!fK0MsD!)orNXI2 zEaq3ed2LDBKpnry`n7g@wtZfOmz)hW{e^sP8-0ydM9kqSscAs$mFOI%X6i>)5Om8E z^!H3c-9ZFn;PhdmXckD!(E#euM(@)z=k*}W$TDTT{!Be2_dZ5U_l7k5&xdiEYBoG5 zgJ*B~dzVdo(8P=Mw?_V(@Q1Bmj!vU__ELQ1>I5;Vk+f%z{-^7C%@5|)2GmOHvEQtA z%~uy$)eGZ+n-*4FXojRBZuMzn(2Xor?0~WxQt`67Ah<_sMdPntWPg8s6865(>*_(= z**1g^dFNT8f4H18laEIK#81qa_R04Mzl1FoY}NF@hy>;iES@B-jEC(Gd$)26`OD%~ z5|`-c_2O-h$j|kH^$}qPpRL)icbJ 
zsme5fY;QKc=!$A{MNeFIK%)&u`TaqM73d1t@h9dEWo_lVd5!|iYmGA0B+irwgm&FsuK&H>|m<%ogT(ZQs*Xdt{A1L z!ga)?W1i;BgSLe2UK2g)hI6_#M*yE=6U1w;w{8(*y35dk{OG&=t;DkpvVtO;+nJUG z_i&?cAN#4ME%L|lY+#RPnsH7YX-yJj0tw&4`+JL%{y395ljp`xvG4u-5=p#Ey`78O zA1v@1x@G;AyM3(I!cgF-+zbT1A>%r3&UP&{Q@bUfwR#db5F}=Oo4MnS&S02VD^LVT z*5x@v$a`6R++}>a+d=VpY?GJ_lHbCqsj1<5x|&v-Z*n4IVa<`7V?3O(7C%3Eq(ZH` zt3vqS6DpRL8$GS{SMFuuah)@r6Hl5B-krdN@nN;F0{T`X7S_RB#x{&ppW=H8K~`KY z5j^&90XJCBWT}`F!+zH%#{=_g!LZNi916I7uC)}3n}Ot%%Y-J1f&oZVcnCXu(g=}n z^R^k?-SHzRh!(1M zqMVvm0A1mfc|X1h9utignX!qaX5s?i3NhE@@K7LYjjeMIx&o@ouH`bF-)?AH^|E3S zA|rejx8(_)cYHt^J-rbTRu)pd9_j5fc%CW^106Z!ZZVz8`c0BKuuwUxhQjLLgPS^X zO4v~{GyXt=kEBv$2sJladS3Zi-Oz~s6`uWbVE)^SffC8pL>$vf&ZXR4Cl>UJ!y>Pf zKhn{fg^_;acYlRNj=~DYdaE0y2eM=Nh4n_ac;?TE(O1Qf34Pt9BAjTMvtO;=9g?`> z-N<8AI~hlvLz3zR*JcYA#;a+bult;o|x z6JZ~~u|ttv5x8Y9d{ieorKn9=aHLTI3)#^lOu#o}KUZ0bXffU*9)e_zy#YKm@XVr` z8Kd}J*NDL7S3}jPP_XSMa;NGW_kXQ@Yzsr^OZ+-{GTOhe_(clIg5<0K8OI;+Z zls9r)5A@P7^HI@BmBg7}?cl%t zlk&ml&;HA3%M$A6x^|b9-uN0p>!c)ILOL4ZZRB=ot7KCqefcqUgO9!MhF^Bsmw)); zOWkTFo3Tr3XWl6w>h6(*@uEd1(2?9qGfyNDmk=_=f1gDy9aM~xd9`zVta6C5EGyk) z4jfd8leY}W=xGd0<3B$MtCKEHPMc6Ri22>(YVn9rT#WmH^ELB%b`t7gIt`}~y40pH zs6jOZG3B=mU9ZjHbQ(w^d)I23nQ_rrQTRk&eI=|oNx{Cw+dU|>+mUkg+JR1lg)ogogeU<-WzBdM&C2_LQ5rH7RZ&uxKEIZv7(rXJrd z=jK|a^21r4K5ARIOa+%1vXn>ea{Hges4Ndn>HCW~YdV?I&yq}C^EDaHI!xlD6@?gr`Z`93xza1}%aWS|UL zNFA7LJf2}=%X>((Xr8c`ab|_Bf1nGNQ0tyLBfgvVrt%OWUFg}+3n^;n?OjtXJ06h_ zUtxIn{5hJ|qPEThSL4EiO}hy009JVQyn4a#PD0)mSY(_MauoAxji`l~9{|T6xeSu9 zm4F@uY!#3-?N4{4-(8<^IwC{T>)n%ZvZr4g55)@lP=QI*YjTVmwp7eu$8x^W(E;&)dI> zf|Ctfm_Pq8th2elz4;?uK$F?-uz667xHBfcvVZALVPPL}O^ohqV#$=Y(~~p@smi$< zIv6{cFkhl^&Wxgf;kPKv`wh0ZVhRRdzvl04W#t~{TBdRxj&}|GNU)Uxc-zxMBKQX} z3;*acyg1IPR|DlC?Za`y6o&k&5CA(z}Y3$Oeq#LOoQ%;&OEjzlrD zh8HX_9qZ|;C~Ick%m<`!1^;CDBp{@k`-*>Z@4*W3k#2VCYLS*Z4hz8nYpC##&QhCCF-(bW&I0xDh z-I3|UmikiH71DZnEDdv&(olPy{Vzr_A@xdJ*3QhxW6a$@7sAgB;zE!$Lte{pI-&h= zAozT#&HO`|z2wi+dq33)+03EVclx2LsDDtBCi}5C%J>D25D*vQHAUVIQ)#DA?C%MLU#a{F7h=9)v 
zOp5()Y)Tzdcur_!d=pHq5sEr&^H!sWI3}fkTP1lUh0HhEs5ZV<;t1K8gv z?_ep@Gf1al%{Np;9fO!E#}FH5^Jr7VR42m`Tg1h!0nDBV*BBSY8xW$41xOJp;t+sw zBHS(!WGsLs$wM?~MNv$#TG?FH>EP^ejnr`XFUhCK%31)e-68-Qqm>aFs*SwE7IjSM zv|;R47yQ;i1P>%>g%hLPSNR4U3X5kE>BRL7N=&gshk#0fuU#!Fj(*6BoRDQ?HxY(u z{wPno!#cGL?5|&$nzrV7XWW?5SL|%*e;f|cd2VmADC=t^M6-^7gM70;_Sb1v;BRGQ zpiUPP5?Y;ANncHKN}F|{TurB1PL93_=|)B(78b#N_Hdt4>cDa8w<*4DU<3Rfkup1W z456fp4vrs^iq-h@4opM9E?-(Wedpm(kQ>c`KfO~@c-XuB{)d{9G-Etn18IIZA!PI1 z|Hc3Ao7oi)19I2R)vo3ID>$>@`svlMrM?+R8^|k50;E6lLmhk6*=&bTb0q%&E2GGm zSGKMD@SSfoA-8X8i^z5R&X-)w?KKKkLHCVVd95c=;E8yc7&O=1O&pcORH%g#;Dg7e zmhrM9$x={;)N5~84G-PTTW+CuY9obAk)h;xjYEa=u}q(-p)q1nanHjYQRwc2ez@s< zNws;`)GSejlc^Qbfb<>peJO1m$d-JRg~`qt2u!CPUC1J2Z7G=AtFD1X(5G&Ir4w!8 zpMF=a6oevuG!(>h&@(sQ`rP@GipF>!mP@-`obao zy)ZPq&c2qTs<~!@?Q>?xQEFejnL%{)S8HW`0}b{F8fA2p33}fdR$0y!ysKZ#)u4!B zOF<7WapVJ{&(9?R4di(dSXT>Xj7B)H*FS{z#l*;hzuFb{?JLJH%Gs=cpCWlzo-F%@ zNofOSIUm+rv(!u1K$XfgxKTg{?YfTF1bM6d3-SLHm~emwgm|a0N};FARPuwg=|ce% z)Jj_>;ei9jwYKrhUgXVTsb;{?tq-`s0;GaTg%-10Xvd|E;JnDssczgGFDzFt_Z|Xo z0UzI$(1Kt->fHj@CB+o(v8|6 z5;YX|S-R{nSP@Iiazi>R3n180*8rqjSPsG~z+=rt$|iQloZe&e zYdh|d$Zke;u`I;84Lc2fl(AGy4Q&3ju~?g$KS3Y1xdn}y;+$ez0*ip+pQZPO$i=&W z&j1C)>tO}dY~b*|3VfR*5bOxi#Uh@sOZO}3WgX%}-!qd}u%=396WbQ^D4Jo!;Flzc z8^w>|`VlNu+7*ZS8Gf^@V1foGrVLrsOWo=Wu1v%Ev%>%4&t$;HZ8L;=iu=HwFP+l+ zxC$drEVVCp1dj79*cq9S4RW){up5Eepv$1F6A>uB-Lu;&J>hshiEBqPO0yB2`zl_` zqe3*zr_7!qTFl+OCv$6eoJfoetMek8`PwDC8)t8~T}Q6CImdx11hS+c=n;+kYZlHc zl$+=1T!fB|ts}ZC@*nsyp%qG4B#FmjRo}_Qi}ud!p=kvEn1?(i#zx;ataj98;j0b~ z(Eh$rj{}4HVK&dCePJX~t^Q6N;|||~#DjkuV981O7B-CE3`sLW{wnYln>8nWXjpwT zXNOe@6ov*m#08dT)7{YHTGwzJh*wpSE)6urTdRLiNk1EktU(!Lmv<@jR_BYcWWr+h zo=N$99R4Py-S~-*f#{fVx46rh19^-N{CgxFlXhaTe~ok@6u`~w2&PdHkIUt_qHdzf zjJctUq~Mbg(q@m0albo)rnM6D1OHP1ePoI}Y+Bg-6iQqPlx_u}OEYCk$vTH8w`Z9} zoIiBb{2)MiR7X?x%7Ptj>-Zq+{uCiUOL*n1`QuPZhwkGaLEmwzrCXEU{%_D4`$N+s zp?6rUWJE1OW|HC8?j@$gC_^3WgGx;yGqs*v{ENsV^-?`GS9K8|HauMsNenr)DV!2n z>U9-FxPhzHbK$FMx@zZsz4B6r1HOPy8`gbf zS~6hm445!B;~Whvb{m=|n9mSAG 
z5{IbqrE1HQ0_z-*QO5nL^BvoIowS$vy(l)r({;?}$Zq&5BwYeiqyujZ3N_J5ihy2I zDVwKg5%0c%aI5JZziC9BOrwJ(yVQwQ385J%2YZDBz*(Lw)>C?G&8*N}2p*#F`x46} zXXMC<;U4M^0O0qKA#AZPX-bjyo~mUvDb@ng{T~#=1r9J!1n4M%3YQ^+<{jYx z{(ykk-qWA8Z|7T%5mi%(4O>?GV|My^g8`32u1%-n2?$Wt%_9S{mNv7HU`ehMS$SFz zJ;l(1W=ZdwT=f7}+Tys3&OU=SLCO~pS~>x!g00~Vy7&60dNlq|M?F(po%40mxX@WO z$Z)c=wfgZ;#Se)4mCG`CE~4Cyx4MRM)Q%o{-LhL_I!A_A8JR}Vm!z@s;V#M)2Ce3+ zDu)Lc3oT03AVaWq1*s}wpL!Zh-o%bcDVGIo?OXf65(9!C>_a*hBepP1kyzikS);)d zKU;4O3~#Pf@;YDL1br&xwqnCvyN;L+Tisz9S6iJ%Ah(n@VNbp=eGkQ;6QhDPw*t+) ztz|NGSeV^guwz1al8F_Qv7LhEywfMdwO#U0r>hh9;XotGll(fxEjq5(p3*C9VFBOLN(~_-YxL zW@ZvQY|VmdQ^CY8*>`+d@uMsr{Z^wQrlj8FkC%_BVVDY8^JZ47L{rwH#maKfnb`~e z@R(uofe$u!i$#*Yr|cawtVL&dxUJX?Am z^Hoi_UTpQ&@Cya3!iFX`PptbT-0}*G{>AVZ=>c&Aa-)J7MIfYhysEm&u@=zx1W(S_ zSYFc+uFzUnv5irbIUx7F)lSr5jHhLd=i^ug8hl{JJ20Cp<2TI)N>16F^N4-^4pdqI zJ#k}FAfe@*D05^A@y#r=WckqjyKni70M>fS9tmhYXbW)ld$?zC!GQQJji7T7f8+#> zRBi_I6_eMrc029;l;wPCVRm@J7T%Pf44xsD3cO&o)Q&O@-1wiRFCwm9bH>2NgUEua zRL}_`)RW+Tj~FO3Eh^l{GlpAp&qy2t+mC}echN?suLg=e>%@PYcTWzF$xT^2%u@{J2m5w;qXdI zh!h}t;F`4Z2jt!jHl+5;;Z6;}D4_%(xu#GJf-e!>9Lc}@DSM;=8)AzmOdqP|(XML7 zn#rCC+u_6l#opJ7&OcOTChhd)tIeC3d5M9(axPKc3^}V>cvJBR0Y~sk)vHD(kv6&N zXs}~JZ6`I&rf9+r1bQPDdf%k4erFVIrP18iaJP+fVSk%1ekWIg20#4n43VQ8y;;6O zbm4SiA1=6jY!l8`W2YV22DyxkxoOjUAA+EE}h}_|vZTnHJJ@G}GD5ERO zTcyySI`gQ0Px-TeB6XW>vQuIUX0g2q1N5kSVe_ofJ#ZdY?Jx|l?3e}%ozWil2@5ZO z(==#uQVXSh-m)eMR!drmUbfU`SX3G8d-eP#E;ln#;}U~wn9Hoip|wCYfh&C3&X3>E z-bP2OjaYo2&$=VbNp9E=B?mKZX9DiJ`d{&+F?yr8npvAZB9u5XRj@T;^XWb|DmGfG zP$niyB)O)(9(KOP=z39t)a1Mn9tc&X5oJK?3mH)V111<;h^oZHgBclC2>&M3c{EDB zZeZkjkJ9GZQR_JLhRv{+egoAvqjFNE8GQw91Czy% zSB=ZwdXB1&n*d2G+@ySPwf900d{nMSHwZeUw-yWgHn8)V{!x2E-YoA8Aje37TR$o} zl2;765>C^`lPv~Q5BSN~25IH69HcaZ`JosA)Vd2G*3yHKakAPY|KEadS<-S}(OoZd zRa!^WhevzX%4diNt$ad=mY0pZ6>i&2;f7*2kqhe%gGNxoF8TLrongBBqsDOr4*VO7 zlV7e8;tGGLM{#&a<98s;Jujz%XnW-TuCsH=cc-qJZ zDf;h|lCSAg4-o%s@T0EH5#^8TtxH{7VE5X35*~hMgTjMA#epG=u@$YfX=D3A{Okc9 z8D8YTz-{$DT8CZ{|3j9@iNkSgsb5T(BVjYKGe%YA^Hzha+BCZZ7kG0v_feXIrqBUr 
z-an!U`+^-xcSn`9ZL>+3wDnhxEe0(KN$MF84PKPdZ_=C{i+$=Pi9u+Jmbk*n?A#w+3VD(%%)EV8D;lyW*NE~cb)j<~gLU1W4f3}iOE zv{%hSVv-EB*JWgmoso@Tw{F2|C_swCs3ZvKSvx5}jRC4{Ci@SQSXTfcMb-ameKpbC zr`+D8b2=9(Urn$!JyeY@^17X;bt)RvS9`55rk_V}ICQ|5Ka6{+XJy+cm>5d&&FFA0+)HN;YrJ_OtE3oB}1X(0+Z@=4z`;d4a3V8L7MZy$d#zj`Ic zr6?n%4R5=XS}M@!n1O+%Nh>}*aN(buJ7zC^Gi%fjf1(Ww3%YPSx2HQr;~(4T!7s0R z`}?J6n5AW9>Ct0`aXv`A)*#A&Sc(8!x)9URST%gzl9T~z*D|Ghh}tXsGCCZ2&r*ab zZ|$B2TPv>SIn_P(UuRE=Exg>p5}VE&ZGcpe=>Ct}SCBNBI-BicHRX zA!UdFTum((b2ch{^NutlGS*@m`rlZXK|_r-(ot|>ffo1X<^&ZDUB;)^Nl;L*r+b|8 zZ_r-_1qI0z`RXbE=NLONyK&p6_u$oK&{9_p^ zCCBRJ9!GxCQdoAsc!vu0GrQfv)_^P%IrqD>qzeg9WZfYK&t!lP%O~uF?;z+=KR!IA zWJlDY7&2;)6uxiuCxsKo|Am`=rp6RraMf8R7OKe*h$399?-Qcu#AdqP90}>`7eM=% zMf3|iL%+RcI?4;Hu{*WUH!$qJj6uoGU3PuiRy1DZL#wr=NZRAV(a{_DyeUn!EU}Cg zl;L;Q>4hP_p>66z;GDmjpsYsmc^;_qmq*>Rq~q)+bt$J4`ch^F>fpy^CPIN-4w7e+ zYj(hIr-2>WEa4k0oH22QStneH2XR}`P)28VVTiE2ui~gINpd1v;;Y>%qa7}Er5)x8 zR^tx)AMhf2tX{_ioq=D!a^@C73~-sY^FeY(RCHx+KzyAnxo$%J@eGY4w6#>s*klEV z9FInH>+Ec!Sij8;JLB78%%$D<`gRC~V66*^^KuNtJWW(0Lm==0d8cRMJ$uo3ynN-7 zk2U!NhA$nol!F$h_EI4H6WCi*3lEij zXZJB6cvT!WQ~N_zn@G28-iQf~uS@Mb&1-lqO%{ZenHHL&mwFE-5L0J#0vKpmQ#&YR zy;7CZCu9GyB_SV%C-oGu4rw9*=g4V6!maz@j#q(Yb~8ZO7bQ!Dn&$i(Z+Zc$Pi&&a zXA^~JcmB#T)X+`Xx4!1QnnTRs)9*?r`N;520n&e>?^#8T8gUUZHzj=}_ATjb?aWq9wi(aiI&(R6cTMEHyP!SwS_!_G~qAVb5>7#w>Uh!06eLNOcJ9Waf4^cJw;u)D-0m=pNn0v$7u(*v0VC(WzaxF9<@$=VtGo8-Ynq+nQ?V#UK z)b%6HWszDA`qB5fJLAngm%0kIzbPbyByWOIQVx04eVxcPZ<{3-hpL&{nsGF4tk&H< zXpKAE-6EP~TbtoWJsZe^O)HU1%yLDDZmIBF9zal96G=Q=TEiSuSO*l3CT4jHXFg*z z^@+gRX+7n55a~2&xxn5eMS509t7=t1ZDyh($Ugv+)u_EJDSFE~6m0`wsOBHWhOKLt z!8lSNRu_4VRX4X&3$m^iufhs@mk;mSxL4>!cYkn*0fm{k%o}k)D|=nnN2R6E7fgna zo(GQ^35r%^?v2#@ZP6|7n)?xitRW)+254i){WeI5oZbHt4IgrozkRc1?SALD7S!|q zFk=C~bJT!v8j2Pg0~;Q`!&Al)dvbSM{)Kj;Cz_O;k7Z_N=D600Szc9zvrQERfwH?k zSTa4G&H~}TzO%D}`UU8RCFWf6^UqJqyZqdko~pMMF>48F&tu6BE0_v~36mIB7B03l zgBv!B9J1g5V;76OYEC*CW_X49!`SSO4bJbP7s$XD5gvwBz}A*!aE7-d!jk|}n5oJE zWfL2Lrh_96sBi9Sx%GpTaSU2RaWwPvSM&{UqDXbI+H{jT2ouFpB0B`KG4XFdt1*Pd 
z>_lIiPqQT`(jJ13s>Ueeo+Ytl!Q_HDD{-0$;ygC)Oz0s0dC%aKZpy{JeZkg`;p%c^ zo($m&|8f|dVb2(`AoNom`biy_O&P6jpH@}`5V!f5jJg>W@!*CY_qdCbl zpm#(b$)(xR{y(QMotR}9gb$M+0zu%sHIjw~p3V^HP|D**8A_i$eU8uQ`uEA#$Iovg zyp=%plhKx!j9^vO#MT`%)o^pAA$(qEA)qkelXq7(>f_2{RE<$wjA&imZ;FbuDVg1= zE)5@h;P9`w^*vDpEFu%v>?TM$apjLcGC)XrM?`q#s zjINh0h67uSOg6Iy11+$>5cbAzE(pU<8`dEO@X`*_ZK+1(KSn`@ZYz*LKfWGZdIq_K=NBZWDwEyEmX+wKf ziF%CbBA!PcgRH-b!Kr!9xh1xRGhY$$@F3piQe`UOy^S~>^vED`819n-0~YSVIflRV znGiRH);+qLPwg^K;QdZlp5f_#2;=|K5 zuST^a;u;4Y3eQXU!NzJ;T1h>Nz3T8tkWL(DW!p&eFe^X6;pu+nPnZM^W^Oo&nD-t1wykH4lfYFzrO)jbAL&FeM3=} zQM?qV>5*d^$6+Y@W~Gd%P^7y|L?yZCScVx5)Rv&`#lC^SJgSk>gHq$e0EOoh%R%J@ zIL1Gz8Awz1$p6d~aU?cWXR)PvP)DXZ@1J6XsRrDx$t-hxcfW8$4$tjO|IvZI(g4gQ z6W8rMN7r4^x$Eapa|7u$WNy&mm)a$K-sn}g(6aL(xw+N;8z6nYHQ@SqL*cXbBLXsT zyy3$RH($^|c0es8pG_TdZKIFax({p#^h9BytCghB*4wbvCODN=x^wq2xvV0Dy=VSE z#eHQ|n`^f%r8vO@gyImKV#T!(+@U~mNRXmMON$l_?plgd3I&S0LvSeWPAN_)Zbfdo z_jmU9oqPVAG479>AB2&2B#f-*WvyqA>iZvW{mOSfia{gDgos)15NC!D@nP{RN@L>$&{4(l%}0Y$VT)fm~!P$<+xBIC1Uv`8`}L!+qx}4OrA*Qz*2pdPRXR zz}YwES+FBk4S27?rLccYEW`dA7_1rNwcM>aJwnVVnk@MyA^3ucgYwq^pIc zoZ$lIfgtr0w*~UWw=`YL{fgba%Y6fhDMzQcIoD#s)_yeGCNQ)=W$#2UMY({fPN?hdG|>= zIzdf(oH;7xq;ayRc}`xe#;Xn|t02__$czz^`P1;(7+~y<%SCp$W<5`aDTcxNcOX+Q z0Td1*&AY)$^d({?93_uQMlq`lLfSAkQ8Qnm{8R*p*^P@2tnonP*)T@9o z=Mcw|BLFp^_y{t_N!xU67#TJUV*$r9?^~Kq%@d}4fpMq<&W*YiIG>>NP+spqm0FW0|+kMO=cq~`|{_C2L`8J8e6O)?$U(83`7;-^mE`I?7FD#RXV z_k|W#b~upz42YwBmGqW@Lj`K$jhh_~x_^x5kAPjp0f{5`MWT#9f+SyqKD64Y8vsbX zak6VcGuJmVOvvT9EbWfNrYp&3g&%k!`MXWesw=;0_OWd9eQ`pBHXz%KJ#2lgv0x`p zx6}||e?~TgOtutRfl{H&1E5|n^u*xJ_jnp)D?WTWQs|H~?XmZU5p?f=_Aw(lxsUNm zfmBslh?PW=5U7<$^&qVV=YJFpEkJpk1Fw=ckOj%SFoo4BF(e8h!LE`y6PL+o2fD(0 zBwegap$F5aV}GJ!cUrwZ#9D@v!OG+2c0uafgnElVQ%SI z3OO(webg8*Z_>xm<;?rkNkIHjYaw``Tk|C|{9yXsGIKwY;z~i7f{~)II?PGlQ~N&{ z^*qoMr%F<<=`_~Lk37K5xMNo7(nv5nqq3=hDshlig(tIj7oW`Z%^)AEWW|k(O#izn zHReD72`l<9k7?rh)itFQ))+N!|blU2iw{549JRpz{Sa8&c&p4Y~ zU(q&8UL_Pfb$%mru@$$_T~RhmE~yO&zX{7dQDcdK&4rl1C4V+2P9l4e(N)$|)f{U; 
z(aJ`^9NJZlx2*$1u@IzG=YnkSZu0R?v316ITJiB3KZg|=MF^5a?$N;q--4yqTwwiM z^CyD&3A~C%Ge*K`-4%t_u=A2*{ZaE~UV)^Mf>A;g?oaWpJp z#o+h>ilBk?Jk}XqGJ8nUb1gL8ft)--_8G0p!&*GbNLFR2i4*^qav*!eItd;<$!H#O zSBjI|gRDsvUZBRT){rQ}g190_P@^8we6ist^sk-3`hDg=3bfSF2U zANcv$sOvN@M8#+9=iYd+EhK_2(zH02eE7VyuzLxEtjY72!MjL?C}pKfi`@$snU{ri zka`S_%A_Yu6rKRYpH@MbX9CaCITNKkB%tL31K@~(E=W1jCUTaVIY(juTFy4GBPI|Z zx183s@@2TY;_yGxCmOHMrAq074K52YiyQ^aIO#GY98nU%s!W>rl-XpuUoI+_)jAdU z>8FcMd47dt(B{(=`jl;OU%XN_D!z`8w}^+%E29N6D=xxqB{at$8TmgYRZdu3;lgsL z@6ye)XM#xwa;|KZ7;JL=MF!TCMEaC)V&k!Bn!y{aYP9tDB%z7`x#6%NFdP&4BmDQS z8+Z7+DY5KDV<=jDwF2_o88*!rm8U3sxW;;SVME|pb!s;VPLb2`m{>~4nlEO;E3g=rt-PW=~ zm5S!nM5r7T>zfiotJl1T>u5S*HZ3NwK{7sP~ol91(h)3`(DMsmZ z^z?G_@(yV8s5T4aSh=~Ldn(bhN4RRT4LmR4C(%V8C>m_m=pO2ilCd&uKqY!!MH}~g zD|IKN`1hgZ_4O;w0M`AVhVJT%~P|$rwLM&p~m6bP2wMxo44|6z*1;sP+VP&d#qfQZolrS>ncqJ$+JCd_y`-_a z9YDL2`rPdX{rT!K^rq(1ujM?_VEA@tvz?`969?qUua&jE0k_Iz^l17`^)~#-t0CaK!`Lh2HxC2U;HkSy1GT&pu!!y<&^Q z(^0Z~uB>w#q(iJh`zhqZyPsb#k?V-~dmRHoZP%pgMn-v`KA|->HfpGuu1E#Py*0&i zEs;8&vtb^#kGq|HB+qE?MesofZ5|_KE-K$lC87@*Erd0vMab4#?+LO4eGwo z(fWO|9bPOd!J(5p8&_03X`ywTsSJu(Z9l2Z^)KE~etr!CC&lU}_dUyXKd5fUoL>#@ zS`F`7jYGLJkvOaWe0HfH^u9q&a~fkh)Mp`UXNR@r_yW@y@Bsb$z?2=YxK+r+gtnc7 zF8{%wp)A}5IXNhodHKk$2b8~bF%%?2gS1>k^i-_>-D>jZjTz(=Nb=_IqhWsn`CGae~#Nk&`Rs93V;QS?4!F zl9N<_%YME+aRaheE@0zfL0DTIzPq)J#U{}!G^QWY+DB`6SQ@fW>|$*P9`7!nQqgzR z6jpMqn#qSstgO;jdvcsvg0zty#?oHb&xXayQ4&tvWvPUEqwa&oAinHT7mFR-l}VPW zx?ZF|60xk8I|US2jNRKq6EZmF#77B5IjG|e4U9*dw0#HpoG%abh7V^6OnPmh)9P+Z z4Q3H}GM?#y3`vD%h(l79T&D_*k3vroItW}v?SW5+fhP9j4dmGdB) z7T};NBhOs-k-%pny>wY#07ll<=6-Dj{N}!*YeQoVzwFwTP{~zcC~fxP9$Ai(Gu5IW zka_gUiVaJ$^$BD96-9g9LF{n}e#hZw+Sj7#(8dw>;jv{jw^YR+sl6SO=b|H2%dryn zFJVI13JlZDblkKdJ=bBaRgWi|YGqF^@+)0W#ckAudO3X=spbk|DHd+#-VNhJcWZ_s ze<3cvOLFEm+3a(6s&i;`D-Y5UwJ|1iCFsb`Iduj9^6MmMKMU+FUKaN4A-_NDt4!F- z|JqCw%C+>_y^ZIYDINlyd9D$GEt4C6N;PmYpU11_;lf}kT4EMhg2)GETe;+ znwnVa@vvbNp2Dv8kad?FG4nu-91@>W%{7vH&+KSZpF>+_i32_yylHvlEZ&fGkxz4W zMh;Ej_YD=Mu8uyogn~I+Tm$k;HyjlcuXDF894~r7ve0c 
zbR2=-33i@`+%_3m%GAhusH`gEqVQ0~`T0#nag+n#LnmSjQSi}x+FnDF2zy8k%_Q0O zjF#j;LGYx^&7D!-a06|l3RSI)ws$7Oa0RotCh0M(k@@oV@cWkJ%zc|r8Y6=kQ^2Vwc{y_?O4Zexow}+TyWb3=n_rh-l~1`Sd+qXAku%3lo_Be|l7MLT zT^h^Bohh*@78istRE+JrGyIz%iWBRFv2QqU zS)Cak?#Iq~+q|i%888|jq^7j=(jFC&J--_e_9@l`6f8dJKx@uc8*IRbNX8LSHfa6I z?7RM=CjA`kq_n3jE$RSi%B+@8qA^OQvLvrnv8RWPv?{&ThqpICo@UTWOnt8j6T5yZ zVyUT7X4+J6z7vKz!~87}gk7h|>8w~kY$Q$BMVT0Scs!FT{BgKGQ|9COxIVI-0&(VI z@6VH6ysWWTpy}oDOz0tet7gwj$4a;1oqRN$vxx9s^NkmUVI>WFi>;`GuQN=Gfp*qj z{EcU#k;IoAM3hHpI~#1< zmHs(Es4hy#ntc*!$?mAejw-7Gr)(kYV3uM+reR{IS;E1>@3Jf(VYetR@d3g;ch&s( z)7Lw$f7?k04b~g~G9F+h=&}3(5VLG2M*e?Qw_kZxAmw`Ez!&pSc;XpX+|!M4jPzzy z?S$=Y;mJz4ei`vu86f{ud;!rt2^rZT31&gUaWaHWjkcJs%?(^^w8?Bzj(xdOq^Lm6 zj70w+4GGmv??{S5)MQQ0;eePV83&6f*vXIdIyPIgd1(6cNoKwvjNKf8r_UfYq2x28 zNN>kT6iqc@r(0JYTnwXL#+L((;U!$M-r@6c`H4^=W~AiJK!+XWESJVQ7M3j$Db0<3 z^5?k1slkcQ7~aJss4N`)6E-Q;G;btSqK9V{q~|8jYP1i_EAft|x`F;IvkZbYgRZWH zstwJmE7&i1f2CO=8^Gy+xgzO!7%g#|bKAb>9){J!Q^wjZEE}mbFq#h)A)gb??#D{8PqZcyP;I z2mhtJ)ugxeob>%@Uw?0;mfr4`#qDNu1sml1!6|S(iqqt<&a()5qlwGp(+kvJz5kVD zhQt=%*n2sWGNQeeGm|TpQF4sx z84I032b4cK-%4>rz^f-wl;>J`c3US5Oc=mKHN79D+r)mMPjm|RNvCOU?`>TRs6>TB zpFuy?;PXA0V`){i$&|=#CZuZvzBp|bS2Ar^%<{yah<5^=iAF)`MtjL$iMYhL7{UA*5-++C^7T&D=267Ho9xY1%i$1O3#($%oRD~C z_y^Nk&gO)lck#5PMy=qCQUH4EmqrIk%XISxsg?y*hp%9VsbS@pssZQdU*9z>47y6N zW%(2*U*4vlI{mREuj+sprBDB*@2a!wzZdyK*^L-r6=)w>!}%+{7J|EQbxA=%olD;~ zErOxaP(DIM;YpdMqe>Dhzeuuz-QXO9YoaUAiX15zIGtg%1gRIFr+B9QcdOuvz8TT- zEXq+;!nZXVu;-14_^5=7k?qUyau7?+o!%T!y3`E}DqW*M@^}ZJI#{!cQZK&u(CvYJ zi4S@u=T7G~n4~wV3zIYOoPD`V!WuG~*};NxXL++ZTOj*#2K}cy;EceH>E?81Nknb7 z>E?EYX)Z+qAabj3YK(Vi3km2S-Xjk>fvAPOT@j5M;HyxVDin+WuQI+2%+B4q6vxoOLrY)j)JfmR9b6mfa zW6l{ptBw$-x}yFLV8B^n`I-R5a2ZtcwL$6R;ym|^+AS%BR@K$+gPL1VKf-1U67PD6 zN{o?^+At5g*G0OlIJ(M3S2dA~nW}zGYb4UO2^qZG`3L#YFB-|a3a@<#^4IZhf#!Q7 z+Z!DN=2-XE4IoO>!{9~k;aIYr69#Ax=dI-ITcW?#i}M0dctM7^(}gi37WI8OR#4eJ z#mVv^(CIsiYsX;RRZJ3Rfl_>Wf$NsT>bKFBklz;nS6Oa5?N5sL|6QO^(CnY-5^6AG 
z^g=6hsP_{HT$4G`99a2-nE6#!1Vd5?{C9-wONb}kQ@}CD))tGF&Nk^I(@Vlpo&nBYf@NSgTj+eB80HqiBqmyK;@*ny|>bTLiwvM@YbgU zxgv5CxeHu-Rew=$2#C5`EXXwYWD<%5j$!g$kijnU0aoCeN7k;!hY5EksArj?p(o38 z5b_~UaPzy@+b@_ntUs0WJlVudr}4Y@yz2maEeRlqeFy6Jvt5oVqXm10GMGm%rP>~W zC;+y6>h;=#o@beY0jm;j8~&f*18jv#=DQ2lp`?>(W$uJoKp!?{!BB_R$2+P{+pfD- z5BJv6$AEaSdk))U(w>)1A)U+#L_}Q-(UENHi#d&4nIV&jO0(*o33)r?EbWJ-ABzO| zxEQ%pBRGPVQ*1n;ykW0cR&j`#lQ$|?+avg>=0DTWl}332P`aDb*RRfT{ZrrnC1c>K zbMqFpo_QXs1yhK1k+_el%=BnUsu^wR*KED3oXH%&+tv$GPgBwrBiWstN9g~=bHX!n z-h@;#|4(B6q6||$;J-Z3ucoJ1qU1HX82!-3YU+J3qK=!ixawS921#$8zkTp%`fEIB zzHXv5VdEe9zT+w-5Ed30m3h_1-R*Uy-$-D^N*zSjS59I_c-a!FVLps_IFu7&cfDMH z42$vSC*A%W*HN0NBx|TR*eY~e2LC552DZ6}tTvPdr2&du(sZe?5~$=&=!4$m;2Jz8 zl*3^@bcQo0en)y)Zvl~uZZAFIci-fY8zb4mN&~#GmMqW(3oROqJj-=X2b*_4PnKyR z^AYDT_xeycehhEq`edbzSy+lFlBHtbnekt0BZf={68xgHNivzB0YFz^e8>wwu8{~= zG>gr{OB0#TuE>RClVi1Ise##~femGFYiARbj-8&8XiaJ)@w71e=cRYL0;tsD{p)vA_$Qf&o|YDDU_FxXNHh<==1^JaDmS zn7XcRM76n5;y+b=CFKwUwAq}a#N=M+pJ{dURj$xpJ^o&@F^@12y;3)f>+r_sJpf@a&sN4;$e_)Di~OD8X?SZ*5B*cVeMTWm6)NwNERCk9-i zAH&K$s&cO0LZkHS4%5mKX1XU_3KC}y??pzbq{lQ8X)DF4Snmjj&ab-QH=exTej1-V z5NR%$9WW|2CBSgqWqJvKCfp6?bgD#7@Cd8feS#qc1YYLY$tB4@SJQ@9hZ&^QS;EZfzruOv5{L^H33rr8E5%j$?R;s?*YmtelG| zQAI{pE!0;}xjX=L6N`MF6uqOohcR7qLKZ>7{^|Ip$x^p}FHc8u(U zgwBzD@Pz*VNT`XPAWuXR;mC}1Z(N&4F2mbg$dYyFw>TQzOn>9ho-({?aanQq|7%Hu zRouYEFvcit?KT`kwv`N!l-a;plzy zjhwu2}V74)jY5wG1X^C>kkv0ka`-Kb5;6OI&3cBOH#;^s7YE%$PQC zKng-q2cRg%rdb1C_s*l$RX8UC|7rp3f_Q<`A3)sM16CWxgR%oy4!VJ|;(#gH6j#*v zw9e^+sRV8TQ?|l^O?$^@WcgOFl<|SykU7StujEij*uqtDd>I7O8d|kit6~lm6Ms2c z;ELzqwYqTPk=x|TZqy;CEW*IbpX`-97asKrvh#p@-M?dF3l2$W{?!^n!jgdv9+nJq zBXQx@?m${zKzBp&b^v?{N^pMH0=5E>W z@F{k~gTWz)9~U#O>EbYK0|LgLhsiVy3uRFAyi`MbF~ZSYl=HG01Gg*MiPSYp@y?ir zW^{|>`(`ryG*Igc=w7mE(5D>F5o^$pix3OP=ho#dz&wZ4_hM0S=|rA&3q}9EG(R_B z>JyBPT1LRsFF*>-BDSd{*lO(@*$kP4kYJDZP$~u$S*6lchfXk&!$1xVoVQk)W)4%vQuy05OHY?2nsCn)!+KT@7 z1sPz|orr)V!tX&=G*_&flYzX_Y3}gQ{389~8KgiSctc2kWCE|x`?ae-tr27j9Bzyj 
z_Q#KTM@~rL=Xf3}QeUbg7PO(#tqOL>dacE94S6!mQHeO6V@M-tlLm(BHVl5`4vr%h zeK1Kkh?mf_kYiZlfyG)W2cPi}Inv+qVg}^vOV!sinZ9@Jq=p|rSsUpX!K7DO`Glq6 zE0Ain9auJCP1r1egXuq|0Lq^sl2#duy8T4|a|@&R?h=zBb)?y@qWaab5WFKp6zXHA zuIpo|-qY+re?I{eQg_jf_v)tf{N+6qz`SdNi`w&h5e>iYtj~oz2ND zx!Jr_=#(wFTX~MrHhwcRN>fu)WkG?!{Wh@c{P4f!7OtRHv=UFZRz~xzC85gX#Q3$g z$*k|}zd)EaGqUO5h2#jzudjA!YyRBrvYCRhdAK1RthfU$*|eFxBmK zC2ynVZ)1B&CR0?w&5g3hq-f2_q{gMX693BfNq@3&~CSnq{@2@Qnl&|i)?;TdzqX=Syx!YsM1^p~s}T8ArlzD!mcix9H1jW3yp+l z@Tx6c*gSFasgez6u@3ip5|)a~qX zLEc(R`nd5#hej7$hx~>P;0Siyyc@nV2PE+#@;lH3cOR#X)WC(BV95@kmI^oUQ$0IH zL&i)3_5+9ScDCsv9mbw`3iSTvWzCrYRW-GOE!ak)!l(6z>jR-$>$|~vvle^_R5I(GLG&7G5hc&lM9`-uTK|0IaLZxRt&aIL ztgyZN18~56*s`R6tBoj=<)BD<0e$V6UcpJd6Pa;|$Dw(x01f{^bM-cIyG)TXoRoBs zs({pxj~Y@7pzJ5)kJvLaql_Czw(;=A!u8TU>F(7sRT2wEolW;UEuwVN1xv2szE;JR=` z5C5Uv1)rb+ONs?;5|nL6f+83;X6RrSay4x@po|pS)A`_lIdH*~pF&xl(gn=JH z3;9{H2cF;FVp@*mEZ#Goj>+*l>FDTy!RH3k$QcwD4s2~ch~bfv@T+_A=|M&;-CgXIvSSL$%g{nr z78(9uZ)@UF$z{rIwmzMx8kTA`^)@?SRqH$XKRvm%KA*bMYSyQxWOh6~Ik%SS=%l== zj1Pfw{mjW%`#|&S&)wh3NIMv}S0#&dzQrQ z61&)VM$Pgb=r=naj%EKJs@^iH?d=I0JuNL1C%9AG-MzR&ad&rj2rVuFiaWHp)8Otd z!QI{6{pP&?^WJsu*JNcS*}pxrXJ$V#8-w2c;JLPGC5r93?5C8|gLPiX$G%|1!nDL1 za_}xM28N;%)EVzBO1lI8 z_c!8~`k`(Q+BFu@9_4H)%!U?kFON&$7C8|Sp}YamZV{CN9=k_5F7pKB(e}VxJRzt) zKEp!MVN1C>ufb)knEQi8&{uC-&3ey`i($vwI!AG0U&$HEH)o}fLFBwbkBC5>!j<-$ zdDdLz(Te#%S1ft=>=BoC$BD2nE2W&dJvxkqCvUbQ406=WU0jlBD#6D;`{cDvXoph{ z@BOF+q)p%W#}=GSI~e}AsjgyGb)$<*4&jgHo>kglo*r=wowj;qPBS|s$0Rwpe}XRb zF)aBaaJROk!Nk(2yBq}q*ZPtL_GM6&8jqk)5s zJQaHDZ)trSrbf~MW*+Djh<b`92~OyE=qp^7!8N zisIPz2+Pi78FY-j=5?&U_I>~ZJiCDF!7;$*9G|XJq<3GW&s*CEYYH26cA>cw{TC#4 z(bGjrWw58G4eOQYO2V%kP#4LmxmJEc9;Y87L9lTd33*w$q*5SMT$UfutY}@dg3pOR zxuX@pHC`SyR9MgP{>CeL>lby3C}cU`+OQ~aj8zW-W~ULA8EX6+g#Rb<0G#;B|9iaX z5j%=sql^CwrX3QI|M!g{;Xsbu|9(__z$a_*{~N~dUmA?WgS6%zq}pGe{67Szr0*GLnvyF>(q{ zvuVkHfpryC(X2(+3o$O4X5`ylcQ*gp3QB5r*KQ+BLIs~;uQ^VwC`}gEoCz&eYxDl^ z8U^dJEGdf^JCGUwjL6;T{~8pUYC)^&`o*bw|A`$H=Xl|(>UP6Bsc;SbL|Lkc=O~YZj=}OH<9KS)2#&L#e(cY 
zziz?GvekelFItT5)E7VU`o4$?Y6%PylIWsn+ zSx=!6=0?)OuMRUC%ICchTa!WoL#9g>aPAB<9)jd>=LIycUxbAw5Ixy?eE zQ4yr|%EOGI+fG8sabATp!$VJ@+m97X_Ft2Yl5dH^t9+;**j}@b!!3cIdW8H!266(@ zG_!p_29Z$x+O-~RI7P+S_lQT<4ZCn3Aqo!BVNp7~x=B9&y=TN_i%YJVP1?DRD%|mn zYzwN20w!5V_-B8=ZhtW>XKOdba1Z?c`~%qmMgI9*$u1Tyg-8{b<2dne=`TEJv6ZG8 zUXq#e-@e|dbVih%`6-OtzH9b*J09(C)>}nN+)ubRb6{N z4JQ4^vHmWi_uV^3dzb+1z?@R0_1Z{>)(|@XLO=p{DPFhV;<@cklj1_*3f~8^nV$^g+ESG?Z0er75jZC z92*O3=ojg~XE>YL;4kL^G2^?F#a&4?Z^!+0OoZe(C#IY8zC|<|O!^u94p0CWW;a{u z`=|qFU~LJwbUEgKA0yqK6ElXaH0?^(*5~HiAfV0*=Nwf09l_As?&3YG3W?I1TOdG) zBqb&N>ADZGp4Us-dhtWp+8$C+npZ55mvLa~b9Uabw6G~sE6C3e27%Q{Y3$Wag~GO7$G zRt98qoxbq!vh-NlM?WShwfDtCg1Ie|J|W2#(f_Sb19IDPI306it$`DEPtCCIegFy7 zy*dnK-+-LbV+G0$sv;} zhKPuGnoh4uv-kPsks5HlpHOQBXg9$lXWwR31FA~2A^Qt3OW7z_q` zl+zK5EVi!pCB^zQf{lF1%1|jVaJ8jNc?9>k7Rv>HL5^Ov{pM$7Tf}*>q7QCAIaTek zw<^=P7XXs}JuY@2%6R~Vp<&BTE?u7-rH$o;63_w=>pUD&Pc+^MUZGn(*z`NuXNlR4 zsEQRVRS+mFER2sK8U_yKuTj@WsDX@jqZ26v0$HLgRY`yXMcw;$XV4Uh2&LD_qwz3b z=wZm0*w`LD@0u$tdlqr`vfIA3uFAVi(eKOCapp$CuUhy8Uu!_PL5Oqnc>IyDzk=H28d&*Xuyj)v1DB zsxR|u$nf3a*+RZC?EB?^8|?|%q;NcI`BoZPN^P9iaQd3hfmo{arxC0opH zX*@Hc5D*6kWd~-agAKH9O?^pk`J>*iG-xVoZRjZCWE^a!O#cvL4#UCB) zeq*+U5YT?^BKdzFL2-yL#WQLSX3p*{T}}nMrrj#8kU!CW?_-9wRqtI^KaV7i?Ei}B zA)>8NNsg*7N8>z0zea{;gcC%zqr5p`huSVt z($`o`lGQt|L$>;&pj90*)P}?CdT-3eZmBi`nSiT!8Y;#-RBJt5+9sxx00jiD$T>e* zhwDfrzUo;}ymU2QFlE-KO3GZZBB0CD$nyo}%-T(1(0fE{FNU8j1b|L`W2;vmX!v_4 z9wuazg;cl{7;Q}l)=bNnYhRN=R*<^aOe+(;8LO~s@l9=;NL+8^X?H{wE&~W-V zC%=T)iTmOE9h|aNIrTr1ipw;AuAHJb+ld~9ePz-` zyY`0)=KaZDfegt)+L?8dvH9h|N4q3ynES_RV04{F$?#|vza}SM?7u><9b z+R(txPE34nBeyX#>#a5)36GARWztqukmR^|BEE{hcRo@PZccme{B4SS+0G&}swLw* z;SyQ9X%1D(mUNpw6FbW4y`^3S-+?T;PuwwauvC8OcFwY}FJ<~j9gfOWsOstUmfq?* zLX&?{K^!f}`>AF;o($qS>^ct6s3KM#7mn?~MaAej77In&I~_NaQ+99F#%apIVf&<82FO(iHyFp({uA$<18kNqSET#WLHL#8{fXVYhrJ z+~;xN(z-_7Z`FbmW3G_ZPWz)py?6P#v1F0*{(~!!aCKjNy7pE66n$5XBX?h)+{wv_ zf}1-fb><6SPDz+tX2p}Yg@t*I^StxrYn0`(HtJ}ll&Q}P56V=y?7yY3%Ruqvq@Odq 
zT@z-f^oUu%c2V^~ewYVjy{E4)gi*J?ICc-KMknh7V*xaV9a|DsQpfU}Ae8gIV0>>O zxf$d7eKG*z(4|4}e3~(|3?ChpudZg3QB<&eDRpcC5}Fh7 zm80b9OBY+U4@||A5Q7K{qHT0wmznH#_G@mzu7A52Ha-z4)%EgsCUkcG)7siv3*G#W zE15)9;VNVuFHZ!A@IX6*29h3i-LyJWy0D5Aa90IC#)=Li#!~D`ZYlG(Su^pr*W8EP zA-8r%&Y&*2tw&Qy3MOEBc7r5S{dUTw$cq4L;@+ub*)(0Qt@!E5N#A~kgqzE!j!d7N z)wQxgv>eA~o_PXK5^4?s*;hZT8XFTAwf`E4v#&lK<@tZdse=9MXN7ay)LYxyw3}RZ z6_BlHIq{TJ5a};@xY2Q@NgK0qyKlFHoCVm>mc{(ROUnsSEiK0FZ5Y1TTx6_N-&+zx zRmhL1KnHvJaJ;^EgelAhouem&uGr<>D=)2l3Rw;gl%WQ|#Bd+nNyQJ7AQW@~ZAwyGwV!gFdS-Te zH2_95E3hP;D)`ogzkY)r1PuDkiLcLhV8?TVyHiyYlIQ#L?asH?bZAc&O~CyH# zbOff|)d-Rc&8yosINvP5GimF6H+^kJ<`I|q?^MXjjR(vsaOmiYig>T+t+sYxeDD2m zPUg}0-nMX}BJLm(*Bpy5YcJP7wyl`iU;-e%l(2Ixdvl%Uu8-QS8o*Xo(R=lPmVy7L z9&8{+NJ3vKDk_3bnEpTYp|_Nnw{qKPcws@o|G#jQxzrvCXEJQl{S=u3F zs`3Y=dPGEtzoRrUzpAvnNMv%7#D43D{s^@un%1Qj}z`q8V1roWfpV-Fu= z8MOhi_?fNZ`@{GhOiq5a*}T7@^&UJaXq#8&j}7nN%sApT-c<8RkupyPHJ+doHpm+< z)bBDJwrQRk)u8*FOhiLSGmFN{UQ618#*d(VcUb++eAA_+PE4Vw#V`2l0m8f|p$v*A zl`H@w1H;Y(bS9n=-F)rP7q0QbQ1;v|{noZp3SfMHTX|p4I09LXHG5f3&WBqRNto2z zW2sUrZHXFv(8f#JPm$tl`rL=PXHmLMY{|vuIwE6&e%nEl?Ccn3AgMNVy$Cjy`gi^; zBJz_@VTf}vUj{>?%Ag`<9m&x!0K0sl^WpFsmrnz?N2Vr~!xOJxO3Bt%O-$rV0xZ*p zk4~kBC@*kt`e4QsInvFXkFh{unl~S<`vUIhqObX%KX!YqZ&uuxWqVDILaG{Cr6Ur) zcBWqU3OgH$%t2v`h51nP*U<#`Bj@ig3UvlhWrr61ndUcadOX3sFA_XcJsa@Y{2DK} zMW$@|%r%MWOhA~$|J8f+=SfAI zW5e1n*1~r5tIVg8OdpiWf7i&78-SrtezdXi4H`pu99C#;zV{ZVOLaCV%TtdH9#R~? 
zWX2mdiwxff+N%|NAd~0OYmF&Ddy02i2P<(o1hBy?{}}8kddfONQ{$2$8J-d>0mp_` zA>Ut=+w`*J+pgZykW~dENLXl=p(q* zVJq%}X}x+@L`QIy(cCMb0#FNtY|(Ees6@a!ZQM5?S+SfVIY*cXifXE;)bb@}7SE}Q zT2G~9C(Ejc3V<&!d+DdQw`4Sq3X6XIuE5ForRHsDHuKb2z@KYuZ0vS469Kh0T<3Uf zWI~x=<#FzdF~#O06te7lV^3Ld-$7cwOS7_7Q#uP7YQ3>W9F=`l1v63;K~>*B3WlCf z%OeWQzC&Dt6)r7{SyaPjW5T;r-&{=Vdw+yo+EFpp{r>hah&vnZfbC+@Hy-Ox`i9ec zx}6u+Zqc#Of2$ydTi2tI7P-F%d|^9FWy$rp3CO2RNmSDmDf8Zdf_qytm%kH$)-UxSQbJ zw7JTnUDWxA7ziwY={ibf7c_AEnXnM1ZumM%C%g+XbFwlr+{>V+u0v~q+H%%zv4w0= zNR#{cPH^VFKHZYj(aF9B<=t=;xb>CY1ZwcTYeXM3QWN}@^HaK4dJVGQlU?SH2Hav6 zeBxG(Aru@vVGUvt`0d9EnO@rP_JOPqwL2?#ft^wJD%X3u(oVe}wkeN1C&$f*5-c4z z7beN=^!}oaEG%DWYPifd#Q_*EbQA~9sAl!tT1q5u8nq~xry^7f2NrBOezyDHeY>$1 zI_3*8efBUiIfQwW^qVoqmjX37cQd8t20S=yRj9N9ZgC{lUXYoN&nd#(h4KID5uUBZ z5T)5N0yC1Yt%Y3xE%grFd}M*Iru53|?a4^Cg8)^6LdFrbv ztX>C{g~Z6Dk6T{E0HM5n#R8~L!Bq{rbPP)FfG_Mz?FN2G6JBQam0)Z`cGzxfRWPl0 zdXi$U&7k5M#>i{)QheH}LC;3mXESVb>xBbiXM!kepS}^nAf8 z3U`SnC~h6+UU@$eXCl$=klzNE}jdgvgxl>e28b#^_Y6^`4C*ReDRtW^j&AQ zH+!}BMNl@S7W>AxgkJGTB8D91h@)TLpJ!{JSn8-oxG6QLClowfzh|&WQI|o0H@UU- zeeca6mRx98`0YhtcdfX^MqH_=kiBg8n|xB0@lSf!Ck0Y*Ut>q!S5*UB?j);Azlk2xOTR>O&d`2}Z;mQ4&`7Y@gV`S=a*}=3iXPQYy5Ah?q z>Ln|*glE5w?Aw1OzU#=vFBQyxya82DX&mON>Xd0k=>xEOt3U<95g=(GikAc|d0ZKbW> z!M{xdY5xG{ov)qytjy@MpWF!B)9|K1Yhuotpo18HD*4QYOxBtd7Mp%H9|mIS=SO|* z8smog{?)>8X-!*(iVAS`Rq0Z;3fUu$i)FMG)25;jg$Bzw`>g(&NStMu1 zVtQp~y{XAmTx{CkD$La!#jnE~&uAbKJWO)@qSLYgY7!K%uz)OWd68CTO$J7A?UjhP zv{rmhbjJu*rB~D~RuS43k<1@0rPMrbnNsg@>fzZGufF}19gGu3VC>v{qlX8ln9uo~ zz~#sn9LcE!jH2=R2P+|V{;-pB`LR4Nz#*RY&YoF998>=^`w(PEIU&{3ve0(V(!#nB z9;PJGwYR!pg!Xp$xG*6tiE+=;sy?B>PAU~5uaHFujvhrC<1=63hb}$z{-)%0MH^cG ztBsFEA9Q3KMIU5|;|6$QG;=+q`rHcbr<_U6c(T%|=o2VQpeF9|L$79&ijyQc=+`pJ zsPg^_3W*>OU|>Xe>U1I6v6fq0<$TU8|^oM#@4<$wT>Xo`O>3o#yyjRDu z84|EHBjdmiZKL1d^8szFp6lUrph^IdkYBJ*L(R9BH}k>9-NAA7>(O~Wa{RNuxNHif zE}whLLwlnsVC}kYU*uoxlZydX4M@**cr`{CRiHnryXA9B4Nb+JS=PXTafN`qm3>9PI_igH0g!kdzpk z!os^eEE$VKI0fy3F@l13r~yP{8@k_kh0)Y#&C=zu+fyU0FJYobC~s!!+^;ve;c1fs 
z$tE;?*2y1C>ReUhZ!-qa@y`newCgV;Er~R_vmt1fbQ>*>%XE$ITVXW#x9z~Q_I!vb z&dVdO(5W+lf+v<}|GMnTrgPa3{}BtTRi)du1Ksa-dTjsb-7inAsS-x_W7x81kAqBpbNZb!A@;^0-amd~{| z0x6h%wL*GfvB|#SLHs?(?}w!2mJ*c{=V^BfHW@2eIFD?%Dd*0};3D(w-KBZbeNo%0j z1tS*^BDFn#Tv&FNJRu$wZf2?RNEe-2&BK-t5agnB)ZKIOFc5~V!r8y=b~4B^W-he0 zGZKL~H@B|h`u36c*=>he0(;ua4}Y`d?uCNVoKhL;+KgG(q^KqX`Xs*S3{v!Q1KqN z0kD=5!-sQ^Jg91c8YyT1jCJ##2M3j^%-tthO>3GCv@?c{awSile>9~cW^SneLz=5+ zq$n4pgvKR_Hs0893|7KLio)wjbJtpwWF@9fW^s7JGyYi#{aWl}1j!pU#Sayvk#7hu`abTN3@*A0LHW zRBJL0m9tx%v+5E`DP+y1;Gy*CWqo{_riDAxG$P9pC7FM3vSB~xsOfmJ0ueE$v9v^mtjhkk zYt?70B|M3mjpwJ)X|tiNqiW|-mRoGe8>H8DlJJHlCxgtgfh8m6(f#W2rD_TH_Cvdu zHcC}yo6*?$>__<(pKO&_>y~CB;nBK36hH#|^>b>wra*oeA?$s{XQ~Plaeum1fV-Le zHUvtpGKd-4?CiWhXx8yI)fLkLQCq_U8BW(zh_@OOO^??K$onHFF{ylfQ}&QJsvZtb z*zA$kHuH59&7Y{(|LQ;358SGzR!?g95%k{o|9g*n_T8{`NI`hG(~%lYuRh?N!LvI& zIS~`X-~SJfK3pH|BC}9GjF}YPrWGIlJ~_+WSj{PY(SaBQUTqzDMuRdR?DpY zh8xpoI>V)}^`P`Y_>L(lbjn^I{hbFH?otJwKk>s&-l~W5&q_XS=aAml;m?MLpT)-# zdoxWpcl5=}a9A2d|H*j1-ySy*Je+Hzwwxg*xLvgpQVip&*^l3A&=mBkEKAgK#a3Lo z#EB7;6ZvvYjf^oc9mc!W;F9OpUzfe*#1)$z8*=yg+Ba&dNFc5pZ!L~Ez^&lkgwom_ z;NY9W-YcEAlFm0tNL+(IPp7%Cn?In%TGf#27%HYRUR%{DNe!{L%V zj6Z{kw$d$=sK_LOt1x%5Oo|0AwL}~y*qBaBR%WQyT!qEL#>onX^TO$o{7Pwi_9`|9 z-FFd6KS5#JxcrY_7P()(i2loPs83#nG~~Nyoo#(o`V&67L-DVU?ikuYT$ZFpNggB9 zS4u|RnL%oHN>wCIv!Y%ora{T3eov*CM>vXta>&E48Iq6?b@S|KnK|?M^ziyS`>6W6 zp0tlj?t%r`q4s0CqoOm@kO`3t9-bLhK^!#|_MSyTR#`bXwcKosYx+7e9Ce{9$1u86 z`BXgj+l*%XkD@s8%C{?aba6p|Nk`JIDB;{>(X70HYNCII7vW<*h1FbI;h3$OTB@9) z53I~^J0+F6qGuw;NbP3O;&$P)JVh+#?LvZtf8Qol;OJFGQIWji;rx|KHu6eZ0YnYe zJd<0+aVAztm>s8+A*_m*(&9}SejFZ^pC**6tVWf=y+0qyZ&S=Si`Zrwrsk9>mtshX z&m;5)KOjx_y+vq$=G_T*%}z~~Hc??aI@F+<^dr8!q}_?wrUBrnigfkeRxj`xsnDTX zh51Sjp=P9g{_~cuYGOhcIAOmOchZ#W4`Bmh6=AntHg7`~)RsLJNcFiiqNee0OqXrX zVyzF?Z8rNx7+y>!cK;bDj9hTtM*N)|km)g@9gEMJ%7;Jw(x+JN$+V&Jm$HJ`?*}uL z{tn1BQD;Cc)tGYTsX&aAV_L}|7GpV*A;X}g9ev4J^?7PH(VCPYM=&`iFVvO{E`!FKm4gUySLc__%iKZt|UMH`?Wxucf%h{~=2da4Ej9HKv4dXRC 
zk)u|I1xoYFY|WHrh#}lvaNgxEi1>O7)xHLdnd?rYE@EqRZ^kitZMRiftrU|w`rRfx z1i40Hzh}j`m=5-P5y4d=)Re7&-;KU(O1$0p{Gn~3e>0928z zn)n~WSr$aP@fhRRP#;mF}z%wn1b!M z-_8k2UiW>KUh$Cb`}7(iHNE0=#@}K&jHQ>uH+pjOhI7AE?IhTPq`VqLTy^~343YTG zFy6+4i49SyZ>rW5+V#zH{&dwO)U78)<{Rhl0Tj^ZVM#}E*@?ylEJG2wt{-uK(ht_{XyFn zrd$!I;PRs_O3t#x2y+IzQ9WxO?CW4um79598F`10PKwBYSSpV-Pk^FMPp?FVwz*H5 zaQpL5*Z_!WI+(m{?{@#yXBChAoT8=tRjbXNB+7HNXbq7_%W03SBg&o|-)`^(24$3B zDfTX**Lfj(?|xjUU}VQ%K4&QcRhV!<(vk#r)<4#A8DcW`BH{O_t=muRu^aAkRt4V^ zU`$QY#vfr{IhiDsV2T1{z@18VF?&wXjpsCpV7Kf z4=U8V8ppa0Dx1+1{r5^T*QE$ld|v>i;WJWCoBqUKG>DoRywTFamc<~{Czl1%5rq1S z<*~v!yVMR$9`Uq{B?@<>9Nv2A+Hr7`lWx+GAfDQ=o`0l-FRb-C#4-ptW?WO*8slCp z@u0;Y-q}B5Jp>_U6XT@L-sob}C?*RS-#vY=+IGq8qWH|xZ^m3csxK2v5AOquil$89k8$0&NP$hqGaDkQ3eWrer@(Ti2u-sN*&BnK6*9>L2mSt-fb z&~V*BcuvxX&NB#UAp+x_Rea79`iBNmcH1R)3-p@c_G2&brnsE|BQBl%t>3eJb$2Yw zZ|eX>uZZ!o9i%qHbGfgJc8{0pK9#Nm^LPIUwr5eDIKl(w=h({Exl}@EhZNZVtf!d5 z)3qRH2KQaIW!AWK?=2blye$#WXYz2pT_7M+Wp!;g3(otY*DfCvoN_|q6=B!I<-+um z{U&~WHZcKJkhbwx&3YL6nMTTyrB2_{Bi-wmTH1=KDZ-!i=N$-`vESX@on-KbhVUm1 zOw`|SS%E@q`~>mLE*Qi5EWNz@jY4tLH_+n;OVoStYBoPXaB!wCc2OD;$@$L5`pdB- zIWBIf3UAK@Bf*nGd$@y94Zj?*mTWoQ=uTY8m6238{v!)xu5rEHi2&0N>bFcm26!n(KIEskm+FW?6 z9N3e`bg8CumnH8OsjJ_6P1?N+5N)$gt>0(3kpuvJwDU;v(Kr`V7_hbLguR%T+V0xG zXj85a4C%a~hOlQARqD89`*(TD_b{oSeWy=ftJ2(Pe{2fBc9ZC?u-4t0?@fGo;hF^n zN$o4&zr+6Rq6Mh>3O{lA#epqfLPQ)SmBw?6L@V9VY>`yw`AT`FDG)s zYd+GCab{w$JFXj%=Mh(Xwh+a={+!w%^Z<1Syn0#&W!9yObr);s?fo#Hc(oKy=s5wi zX9f0@;MsVkj#FGdK_~1O;R@2bvHCwnwLH+g+#@{T1xvoB7sQ&;3vIP?(#>_un&18@ z99R!XI-2*jtfy>RUMWdQs-7|t?~O~UjIPyUQ#Bowj-X=XjhxAsRzWB4{XSiNzpnUm zR*M+uE6>TSD@*Y%03A7HvgG#T_%Henb=c@(OK!&_(tBnbmxNRH*LSNu)jWg9GvxJI zHI6_3JrATWyEm{n_71qyhsWHbXk@sHy7bS5tc^I7ubTHy>04@7i?K?Oo^+HmkPHIB z(dtX~3_=H;LahGdyp|fo^;pk^Gnc0O@cdj^cWMm{11mDCMU?zXHIwpo=aHxxs0M2D zZ8HZSGaygl_BJub^VV=&Sx%}WzRXX5yL!{@_kbrgXvdlj-szNKS+o9&J~!1```&Y> z2A%U&v1S$iEE)GY)u(~N%P|J%*W$0M^|Phu`$? 
zOrKeGxpHoq_>-r`&8nJULisuNZ5KaS-swcTIxR-I`$8gIjryU63Ls{<$R`K81Gxh4oye9z}JNfAwTkd4#NT2yBFkG)h<~6Y%F<_aJCnqbiVb`y< zaulcMvz{;~6hEdOc<;GYG?y^^jz*EwL&+6_JoYqkJ+6t@Ty%q%3iC>0Rc?Q+PSod> z%49w)I(96-qdU1((NE~EX=p#68yijE?Y%BQ#lY4vG=hs|vBNv@aJp%e5+VCcYuNFv z+ToYY(VV;)Zr+i=h))*moBEvdbkf=qHl=4QzqvRir)pgrSX_m_1QLEGbRHcSa^Au7 zvS48|T!nmmwTWYRxri#a;3oKS8&PO>CP|sq!|;Og7|5R6Rew!tOdV`v5ICXms)lYO z{S#LQ%CgcI4V&rVu=-n=p2&Au{_=*S@q~$CUK2PObPpf3&j7N*V5m{iez>+2cYS#gO z6i2W!=$Hf)-ceyO#A)*0uVFG~B~8H$&$-BDuX5qw)xn22Uumr8WEa0rHTK;LvseD@ z`Ujuzj6qq#B>TU_tE;PLq(tJEBL3w|rGJFH%9A`hjXU`pWBNeAs!B&wjINBJ z-ZaEAWL`eLYT~`9NCh7Q{Leq{H!|WPYH2Fj%mykWjpX*?QBh99OCet~7C-SbsQ0Y; zAzVVDXcS#ZX@^6i_Zeg^RwMT%oB<_KclXK>M}@PUr!CtL_nL0Y9=nd0^LM$!Ds|gN z94lsqrDvYIv~`EimnkKG52v;a?S(vQmY^B(rZ|r0sefaKg!&Kz(c0ERhqwj@^Oa5_Nna_xz~ zM}c1GYQ8V|4V8QUN_b_$K*hI-otYjBqktnthAps|6OEC~U`B?Yg6X$>pF{$ei=wG9 zhj>e3a<2H?`z3D{cc~*m1Y(nsq5%q~a38%J=R>%~c0YQl0b_EZBVS}ARqKag-D_d6 z>Zu4L;&zU3@9&lfzI}*G9FW;V!dob?k%x-~ca+gx+ykas6=nMT`0~^7WiTnL6;2S) zK>lRiA743hG*mbYJgc7I^L6y}3o*b3ocyb^lw=7k>754>Wm2$>5~)$o)eC;ibsk+U z0wS0_obFT?uBv?gh<9%$2AaKho?2YGKt}ShW&1cU+s&nNKE%ya;f+SszIM#Jl|B&n zlid0xuJv5WAU{Ytb<0r%v$j6>i&xfh^;J6S?aE88^s ztB}#^^?LlJT#`UBn0Dl#&~ez(76Yb`Uv%P6l6-ngbY2*0wZ|jE=sfCHlJ^n)?ao3) z{^9~mK2FZgxTbFz)s(eAHIV4t~lTX4ZY>Pq^NY5kl_?kRfbYZj~y6?>|{(i=Pjf)bNq1(Ps_4 zB&dp_KT-F4-j@e8M6COK|FVw^_x*j$VpQOabk6gq2P`v-(Ga}f6e4^}JzRn*|G{E8 z>OfE+FKY`NvatQYi>k@FoZ{p)bSq-)ortejS@YXb_Y+W0-whb24kV%3cLX!9*>!D2 zw`i?C%i+UIslMsurJB7X%Ac*o8}hmJXtZf5_U8LKQaQ5j?kq`wR?c%B@}j$Jkqmth zI?79j8g2?$-f^Rm4J;3)vQF^dh~8}{V?zj{7x=-nsQzF@+#-s-(X7!zg^Y#fp78K^ zw>hqdq@=ZiE$z`i5G9sDJot6V8 zR7^`_;Gk!%CL0({jrT4&#MN1y#pD_*o-+#TCaJ^MNfyr8#MM%d7cMKnGFR0;XnD*5 zVHVVGzUQE}h&CyfK)YP_HSvMS;wul??;1Kl$!;>Vp8et2 zo4($BpGoP5l&847naJjKr|qalRD%aZS?x)ifO3ub3GK9uHw-<`sGSuzm9Z>Ji#D1< zSS`O9&EA<~CxAC9P}@*N2N9~xw-28_!J-#S{!>zlGle^OTG0O0iXS;Ahw4NMW!VSC zILLQ5n@|O{;m;&UuH1l&$k13Xa#kQ$EMm}g|GtRdSyESt(gdSoEk{fuK=n;pEn&jo zaG+!&7xlJ?POzwtB~OIp&RQ`i^kkc(lv{30zjUP!|0d_Dlvd?B++pfwxPZc%WcA_$ 
zQ0GudITRkIBPVz4lD7U*REjWB7Jk`l-Kce`f7RvcYcjuOJfJ$`&nYK7gwtCb4v>8= z+cLoCY@n@YB)IJ>X-G%5c1R@{fQ1v6p_xut8(fDGV4O1x00J*iD{YGCikH1wNV1Py znkYj1Bj4quV`In_{46BA4=E@utYQ!QG52yzItRp*eIL|Yq$^k0S6NS0^GvRd1ulC{ zPa;Mw#d@H8l~YCLJC2T4A(UNE$_`Byx)l$9nUGlQ!5+nTkd+vy)-cFq9eF0exbR`l z?C;V12Rl^d4li?xGe?mqJPQUkJ@G~sZ*T1ZyocFOTi1jSyO$92ef0v0jNU=&fx-uz`gd(+v6x?6X^C`ys>+Vw;fQw z47Io>-qQ~c-E!{cg}slQ9Pj$yzcR|Yq|Q9SQxPK0DHg|ws*sxi=KZ#!(8uEMvRK__ zG6iLL+uPfr1Pn=j4_9dEkdE$6G*ENxB-9{{d@hG5`ql(*+08(QCw!BsXkfH& zmfK#_IyvfEWX$4if8$1}ct~rL)2((lusv158lrw^7Sx!V(^}G_rqXxLIsC-`n4rBG zm4bN`<0w9?Fsji05Oh4MZZ4>4_eH)uRgx?g4F}GhK=VXjW>D>|8xyc;trWgQ5ciuR z$*2MCR4&Z>la98_<1p4r59j{xuY!cWa&qO2RYqlF4aFiS$G87f*FLA?oQK%{t(Iqc zyW@gN7C0{sMY;7Qn1x38*K~7Ve99s|3Uwi8=H?0v|70Af^0A4c-g7sSAmVekO2jzb z$~6LxzF6NmbF|U^kLqi{xp&eCSB#hU16l&(5jIx1f5#{#YM%QPc30KB>zk4VxL+K}D1vkw?GY_Lg2X&lIlM@Z*@RXJbks z7-u0_Vb3JJk6EW2>!@&^@ky?-AB?kO#I2UM=#>gZ1$qY6@0sBOz!f8!Oxt+0E7f-` z3DoUDn~G}`;Sy}7JrUs@eRrD8W>Ut??HC#wntwes&qi?)Xyh&2BoFt=20@)&Yf*_A znJ0mnS}VO^?I_a@pD{TXxdzyWPN4p9b&i(5g*4%8UDcvvaFfOo7NQF;II}5Y8 z9+JCd=X@56n>rIFLSwB5O-|b@7YXpL?hfL~W1Ajpz6T<{NiV3?bSk(HJHI^2xYhRR zRo%Ci1B3xzBX5Oh%TrlNo)50>kk=e&b))*n+z3(xd2c?rl- z3mjPM`3F?)D;m7cd&Vbf6QfM@kDUpHSb|aveM0J^`Y6kJ)YHKANH3e}1_8U2*o*YH zXTpJjfwIw*$oL%Ji;~nVxjx-z0V)#PX+7#5_>F=aW&wv%q^KUz%>a{V@P+2xjN=WfeHOPsb zUR#V?kz0W$r<+W%ySpnLfy)8*hmoM{Ky3o!jxLu|q|dnCGXWK`C5`Bdg8oc<8}%FxBTq}AFf1}Qe2;GM;>slh>t(sqCT8D?XFAxx{wiS@ zg0iXw^%=S9^S(Lr44xW^YQtFTVPlUN8s{|b@Uc(t?T78CUa1K;Tds3E;z;x#82i$! zP}c#~JM*a)^&?mb~x7)0g|PsGj_@D zdDAoOz2YG?xyMp30wa2MV`89T)yd>gDitgdQ2{59qzyEc^QQlcFCEnc349z zB+8-xhpo4aigR1GKzBkmBmsiE1&8475Zv7z8h3XK!QHiy;1C*j5ANEyyL;pMI{V)9 z?#_9SUyMNydVJriRWhq;PLTOTfYBiZn&z{x73P0GqYGP z2rR|@H&gW;hF-;1=TtEQFU5@Mq@hyaWdixu=IB0B#2KElf*u>&E*R1>QR=L^4)0+W zdEUX-)z|ppE>7;Tr}qK<*#$>}a5wd51IwkGNO}$=eR)90h%gdlJ8#YD>!7(XV;<2% zc$DSRm3#7x%@}G0;EBWK*SbG`)Vsgd~Po@4UkuE4rRg8{tq%uMc5)5fG?SZ;SkB)D=R<2%4r6Z_-{! 
zbvo2l*B9ec%7!YN;HR?%vSG2_5>$YW2eVnm1fxI59@e4>EI2O9jhZg=vee=GnY^XL z9VcrIHx0F!Mp;sz|727@1)8y}<68*QBu(?6ijAKyb2f*fX=9{nkduUt_rt)^A%>(Y z*`Xn3&iM`o2t!Xow)Z!G#4imgJiO(EYolfJ;WA2i|7=W82YOrSIkq&NMHVkLNpAm5 zN4jFuj*D{&KTSm-?*uHmak8mzt8fj&Q&7r%X`G%|m7}MgJ=jz#QxUcv@WXBNYw4Nv|(D4ZXcrk6rj1`rgrnb`MCT?D<4(U?f<@-|9t;2 zn4@f}&~A|w;Xnt36t&&Fppr2zhr)!>;H3O})Nc~-Zf*KR$U@H;faJhN8x=MBIMsf# z6)8}bS#I`FI0*lx$nN2>o-IWg4UXBPqp;@dxbota>|r>hvDW%6*p-U9)`}z>%?Ord z&)8+q3&P1_f}C(`@z7OTJwD~N=JpS*j3u<&GkCJw&XP-94?hIv2%;fIu&{V2RDjyv zQ~DH#Pfhrg%D_%f%_R@H58At|?6JG5Ld#|{HXmhI*wSXU&7>5)O>&fRzH82v2KR6i z)&n3vqkAHjzGqqk|4VqpL1jmGzq9s{XyZ6}U&BEUZVT&W{LR$W&cksFz9gor%yTZs z9;uTAAA6YGBPnNt74DJT{Kmd@C7)%S3aT7Iv70%t4XKQt)+@ThTDJ#2swBZuy zeSKCh7Q=P7GUov4O2-ed6xR3h?4l(sBF3BAc(dHV?RiF}>hg)lruqz-QG?gmQv^*{ z{OnYOE>HuL%_ZS?K>YbKTXdNj{gm~Sr4Wqw`G@ynre@9meMU1^vT@LNN-{LX5muev zE-87SBK%MY5A!PRCH#1q0ca8=+or728YKNGyN2%L$-P1m`C~M1v@sDz4@!#9b&y}_{>77`wdxl0=<3XWTLh<_e#2m0j8Nz{I`gdEZHKDNYB{3{px?H0Yg9YWN zK7OPvr88Mp(I^}&LbJlJqy^GcFCAGGvB+*i*l6uSws9`(o3kNTZE}YNF3+b5x|>4+ zZGqsndw$bRnCvTQyD=&PhxfxRRs9t*Jb2PsJDj*KoFy{GlURrgG&kdbiT&p%ftU=7pJ=kgGlUTV4pW>gzy8GI>lmzA*g`#y|<1& zDfYJF0w<_5$~vjyreeXknp{vNnw-y+Dc{38I11#{d4f2Dxf?Ctr<_%l&j>T_r?|t*=gz`ioVgs*~BFBHsxAMDqmd-O|yg?1nJWNnNr)y zC)->PZ7-CcaL5lm6UVevdg`Z}HK7y1+j08&)^(|^v{k+iydGR!=;4w{4aCs`9NH~W zw3i=04i1hf_18Fk9J$A326fJYLtwt9HaglW>VAVg7Z& zpGtp!m|FaICsYXyI=ySl0nLv_LvMS*p75)4^`$7*9ck|U9{J)6C^*|aJ$#srnsnrc z4-_Y;o=O{TH{>$Tnomq zttf*x8iJ3S|Jh2KwAHuHpl7&@F^Vsx!)0FrID@by5Y`09>EBWc@{|kWPV)ROVheSO z%eK&3ODnmZT1IlERwJGq=%2+nLFp0-YnWD8@G{vLkM>cdCh zL28{<&hRy@nBHk!2Uk&zGZy23k_IX-#u7=QMAXKqrFCLo9Y@&gXCsfRR|+($!iQr# z>HZh1Mu5d&yq-ST^U0wKmhy$sJvL?aHMK$CC#(eXZ{wijobmBzF4t9m_$5z>_Fkqj z>WF=S9ix)`S9GUU>yblb2k!Cl^(Z7BBTEOwgo{ygcEQ0Y-2S0)eS>vV_2Zba^*Xqt zY8u=zyVT)w=}uK^Bg1xb(hj?xT{QZ6d|aWtid|Ge?%?d!K0mm#o~>3C0iT%!Ftr0G zQM%X?gO|gQ_<_Q7q#nbwKhiyRoqNRC@UcDP(yzJkwsDeM-q9g)KfHfgAvDZP-%cTf zLxZkw`jzb87+{Y3edu8aD)VI*_OriUHf%uhBpBq3RfDc%4aNJwMq|dlUis8mPM@b2 
z(w$6AQ^PpD9?<1-!u^#{7a0t@j%zSv(ujmt&4*VJMpIWV1#tYtydr8i17Fr=bFRx- z<5$=jt6%ARehx+~_h7l`?L<@@DK^;Z^1mL_G)J=+eodY7hZS&S*4E^Vb&zNOMfFAw zSI!vXA!|w55U_Q?b6L3?y)QgkRlL6RR&KO#t@1gYRaMh}_vwiiF#){q zUb7tWtopg`^m|B-YC*_OiS(8!{~DFqk=Fd7Q{ipmPo1JY7J*8>Pg5szlNP^Nd57bx zOi}3~ZS;O=E&8xX&#MQqCO=(%z=G6hUMj-RmT2ZqF&*wU}UeM|F0r>|H) zhC?LLmc~^Z^d&s4<1NvtsXtTmi>=(|U&$~}B|S5IR-GO#t*s#6&L>AHIM#QLFU~3W zEUe4U%%7E*DpDPIK{GUr-jz^_d$^g4KNZiyCf4>@cjat85#2?9`lK|}Cp21V4h@Aa zx z)9=jsyjO`5BCD+{;yeD!2YAvfza9WjIl>$3J>L^>yA}$EOlDlqVG|FY{KJj)zh3jz z^7pd!(0{o+7PNp1w|V(*U_rJn-5caR#*oByNZ_N6ad{QBZOR_XQM>T}Vl}H0WvSH? z`Y&U$^FaD9XQxsx6u&76;?to=_)mUmUMmgFR%W0vx{otWw!h2#FW3HlfR{Bbdw<`$ zi(#;9*w5|ek%Cn`feldmJF@o+W4%9|*&FtyYs6qjs%PcqNPQA+7uafFD&7#diCPr( zR&PUQL5g~I>R~2*kf?<`ACC{M*lI<@g_hdW&a*x@ye_b*5suix9oXN}xcO3!qGx-O zcU-^MLRj24tNa%m4u}CxFbFTKlhFs#%tv^yLnKACCym={P;2|$_4 zOF(8ls5`yeJpi`9jv!wbTu3Dr*+z;wstLH<16D;mA`bM5uVdGb-z3 zxEdS$bSX3p#GB+s}iOl=DEl0Uw7ikbgNbA zs)H{Y43mfV6kJ9{M06R#m^%b3RjI?5%yfiL?20$4k3(KxZYceTHIJv?70nI>a+Gy! zKhnJ7N5*w1eKJsMc`^C$0yE3Dl|=OVtA&;?VcYlXpZUTyr$A8G1V*~EEQw<)R+t8; z(0(cr>w{BsB!uVDDy2B9Yeb`UW%=CRt(!;216EJQ(fr*Y2875&bZZMw?nXA&%qI|;%&*`52Fmk6XWo1#JF#A6v+y=iyxH}31VV^rSo!s zSuBpCn~H2~9YpJUf9lozaOV;3gp4mNWQ`9+rSIImHcwAQHDq>2mq1ddT>mPMoYrtA zwFL|9;{Uwm9gDxOspEfr@Hp|k(6T(ru7_9@c12##!YD~+e;{Ln5op;gvZa?5we8jt zI??^HqoyOF{b2S`4di1rEJ@Z7{-+h;o>a>~O$f0kOd$Ng%YlX%j#CtRwE%-zU^poNvl%w0AcVAtwVB25}6z9pFz1+>Y?!cZ}29>LWx7s=%Fyc z`?ixAwKi|Ze2Sy&GUTX_FSUL^Oa`29*PNKyzrodQ@p@EIYc&_mP6uS#3%rDF0f?k9 zn{IFhM10fcV5l#%-4F52|N`M8r?2@ z`H-@2aZdO679Z#G#mqU?I5bQfdlwwc=ur`)k$~r<&1UfQeZ@L+DcRJfKHNv%tatAW z(uph_sW!I0Wanv+tnl?=ruT{0oLzgaViO=S>Z);h_RqZE|7E#tiVqYfIvvn_1N-%o zaclGo*&*!^dNOm4(gVdA0n9;*#ovDX%YpDsu{cPcY;%}2;TF3eVw2A2<= z%;}7cVMA5>1kvHjcTyPk&`MP>tRJ`hQVX}Ma`mj#;HY9CESwV!Nbt0Yyt&_Nk7|9F zzO5k{TlSHo()}3`isRc$s6f0v%H<7=KcFWyb*?F5_=|b$tl8tC@Oz>`xnAqQ&M;Qf zVaYNP9m!&M$bPl6)c5JH*4Ay3ErWK9JY3-u=f>BQ-lC|ypvubH&e2g|aimZ4ZNgT3)80bU>u;PlkSqm(KW8bjl_eX#2hPLAKyGFs)cqJxa+nq7XL4BD= 
zm8zREI=7>1yG)*rzXvnL{`6RM(rf5+FQ5C$0&3glGt)=z3EF0AW#?qX?5`)@d()3j z(JLYf9^E~>wr@&-`V36m%l3p6xV5!zc0W4+3lzWj+c#qH z7V3(=K(QvJDXyJ+`oi_X1K{QS?B*L&4J&bs@FW#EXlaqO-rR%)<7W5cwOf`m8$L+W z;&502Y5AsLL< zq%}wnrOgHDcg2|Ly|0caaKTXqNpzh0@FC(La1Pg^ai^~ZF5!HP%=p(&C{&W zxhC)L2~(}ab=B(t^J%p4^mO@WKYS8TL=~|Ua1poN(>cF6i|-=oe~!#&5Ki1ua5@fQ z-U$-3MiaZ*{O&Nqvz<$5X`0GcvnxZ2p$tq$lSfubVF5?XwFvz7p*pk;I+JO^to?&TIQXO*8o$S1;IS6cb0N)qR) zaNk*Ic)jJEccyW8Q0*@9MnVyLhB?%VI0~GX<#kEL*g_ZXQuRr7fc31-K76>=v!;KK zhIJlKGkqdp-v|$ghhxPXXPFD7RWQXw^X%0b;TZ{oBzNr#W^7q}!sqYvkQRTti4Knw z0}O&cFlo^d(#oear3m4oP3Cc&id0~WQASn&L}dKxZ^Rj7F%l%C6-q<-iEz6z?1NyJ zwP^^qp{3(DBlYET2oid-uD5@yeD!N8j$lbwa#jPe3}5uyr}9j!CC;7_2)$*^yB@;k z%z9!yK9saW2ayjogzE-l{sE6%j>{2v_4cvL7=K#Qq;?K_f!)xsea+m^i@ndR82j8>LK-Z=*Y_rtd zr^ZIt8UfaWzx9dw4O_L4tp$adnHK>FMd0OLiR_hg!*v2~g&xi5y|LjLf7f zN!1Tk+QrZWw%YNb(B22kL9o80j)j~@Kqn4tr~V5xS7$sXCeJh~DZA#(RD?aeQkur^ z@&#NdYcv(;aNPW}RYyh0u@c9q#l`IDZg9SU=4i0jXA9pGDRm?fB@esi6#rhQAg`0< ziQAA%`q8(~t27`n9DRXqGhwxlY&(4d(nd^mHty=>OdWh+p6vc5dB{{LE{s^q4 zGP?nxA8EFw`XxH!KUTw*h{RNMn<@W?Cx9eRT<+@=H6e zS!vZO0KHPea*aKu5SA|MdHUH7HJLRRI()yQZje^n_iNyZg0i<1ndcAVI0av`w6rwO zAb{9Em*|D>e>(;?(0+qfV!I@imuql*ynk{s?r5%J4qFPG8XJr3!UYZP@qS3qr?usH zwf(1N{uf9Q#hPo97z<4MYMCKWav}9D9?eE_zJN(&p0@9ClSD3cglxc@%EN(u(F7Xs zqvo{ykZ#mm6;>76EB^c^S|1@(5?3gGB4}jl%$G4s)|5`;#}!t8>qB453c%ZH?-tHTf@NcZ?zH~wWgP){W- zXp38wRZ1*|t-yAYAa_{AD0^5$``W9+!>!zs_-Vt+;_9AT37W#cW4sB2J&ychu#)PE z@1*kJ&jFnheLf!^@3HPTh1yCtE(#4|isQ!X0uTH-Re8NX{bDkAZSA!A;~WOv>FKGQ zy&Lo=+V4hUypN{C8K%A&c&oJDzk*jc7b7}AvIee%&*H^B;57Rx^l(iHEspK z*d?%{(6lfEbD=8yV%?EUOJ4`$twCj~Z^TBgrIXq;-(o2Zi>y#!v8a>d&R^X1mZFcY zHeAlV$vJs_4wPy#Ln8)r+Z5J~m^n5wqv0lVffoBbL0^nw;?le$lK6lVAP+2VcF@53 zj#M)UnIh#rTus?*qCkuTH^ zG%rZVuDDuQ7Y{`Q4!2S^nZxm>&@H&=fi}07|8~y%Yr=-|0>B$?9K3a~(86(@?q(2^ z#OCG6ww<6vq-Zm3O41}HKYDh^FP_ej?@;&2`EVk>kM7aHnMU?_TXWI8J@@21&bj1? 
zisnZ0b{H?@;VCPJv}+y*!kTpTO3C84i{pPMP7a=rFcY2{Cs_wutvcfg`8}A-Mo>SL zWpNsFF|}Fq7O7hs^ms=)k>{Bor?B|1dt94rw3QpcV|1h}wW5)ZVX_|Vw1f7EGeLw| zfv#4CwcwQ~NRdE=RA@d>L#N>UMI)9L& z0i($T9){Z~;`9CV-wtOoeS}5r8gF?<4E6D_tr0oNt%+#dTyEj1^EX;Rh#+dpw7T%7iGWCt29wVExR;ky zl+|PYgbqo6``I7NUZLIkHJ>~lyP{hi&I+A0+c&atPP2Tc=-3p#6~gbu z?dav1E2UXl>!ckG2pdLR`;(GoQlRn`n$P2mOj0%rQ7t)N6~6luaM9tp9{#3Y2IZeT zJ&$&0r90840^eDVu#OXJ9#DA}o>LMRFfT(}tOYC9IJ+*Lp22Sx4+ROB@_es7-*ZctC0*FimO-O1i(BLuiL zT+pGSqSmHNC%&3U(p&ga0ItYrt5xIdtUg5Vdq-QNXsa^?kte-J-z_j~9!(kLj-~V2 zL7~W?BHKEoSaUxn<$(HKjO0JWc2wNGdvo73*R(yK)cK?{>H8NeLH7>P0q*K<6t?Ak`x0)xTfnq2E>6&o&*Hcy@ zSW@h!RA_c*E@Ho10z$85OxOg^dy%jv{Jb|6@?i0RAXtZ2B=$zi`M5N{-Oua*l$#Jk zS4wFO$!_omu6KUvG26m<{gq;4E(t?<@Z_duovfjseh)lDA$0rO{oJ%o_CNxLnp=H4 zF)DMxQ&TVzerpzuL3fX9)_q`%W_OF?Aic}4bk=@z+m02RwUo4;;!7s}{7hH5t#$L~?aGLfi@gPOj3Mm6z|7bkVZ^7|QWgeLY#At@>MQ!x4V> zSW+&^Rc$yONNR@aa;cQwDMXCXlj7w|N>@L!$oYtsWijbDNaULlB5)EIKkAdl2FdX} z&i0q+owryI5QG)Gn)deK%i%=M&E#Utp6C(YjJ$qvdQv`U6W*W^CbHX}@WZ|aNOC6m>nEboNU!HMYG77!&whjIm6odN}zi* zhQaP@``B^$@yODPO(2pR()hvNd0k%mmYUr_I|$UY?Vv$XzkJ)L$WI89a$_+{2jNly zhIn(w+TFNu<-HkU#R?-zt=Wt>9fAQpx6`{vrW%!NERwGi|Fiz@ppIq&iBRerg;0zt zN>8q9+B7%&*Rrj?zTdQc)BA@mNjkJM9Ap=l&3{~kFe05;b_Y4T{?>y9b~?}6Yr(AP zVT!aK-8`TlI>Wl|Wt5q^ZYf#3UO7yki_s{#ogdkXMKYYZf>zxxqGo3U3H$zIFn zIzFpTVf-(;#>Y|W2Ch+CiE9vvk;{TTUXKo@O+R%&fUuJ0)dVfV!*PCa!_szC_^=y= zt#bMYREPN#{YTy)L{$gt$L1Ai_=QtOp&VLgG*?c7Ur74QWoC50i|@b_{nHk5vfSoK z(?0**m+o%|l1iO&8Va2O7Kx}6bOgNx2+Q*tB2!Tfw(Ot4(=*poPf;^M22#;7xqr&D zFNDLh52jn-ucE#{NqnK~=8&Vlm0wvN^zw==Os|GnK5tSKrw&H_Em2;#JIP*88%zwN zs8iki|6YC2%Q{PbBMarXBhFIEmEL;T3M$tkTU zP{e8zGGRX3H86=3?Qp%SfRtoKDKcxOR!LTuK`5M4%L4n3B6k{R7Ov#qx{SGv*KXLH z%@2fls~;UmX5BgS3p5fd{5hfzM=fV^_#$t-2kYk4c+18kw-ion?WJcs=Ge-c3N<(5 zy6OM(?9Qe-&c0M-G5t-;jKyUbM6hep=y4B!$lzfLH*7C5Xm#d$TKGoJ%^=>Kw0&we z6n3r3>)6D(E*q{&U@u!$%zyqm8v9QIsfBP@NdW^CyU{$bP9nS8AdM!`nM~zjEP5&* zeNtDf{+CnazYqG?@&A}clElsiLpg1oe{^M7PME8T`+BwT2f1MM;1;T{4 zroV1R0F1&x^XL1)J7|+}E}Tp=8im;;UU&Zc-^sx9iW+C}_f-c1S;ckfjjqXVd2j6b 
zIS``b>*ws6GwFbA%FXli+ion6PtB=?-|DJRBO)Cc5{(BB?AOzuSxnKEj7OeP@gs^> zdXckbYM|U30mJp&Q>>%KiT{sSG19T>@DjY=3PjrQs&nGSF`5+qiXTN}oKj+ng z|L>L*K!KqH6c{dv1%awiiGgeqUV^AW5hg@_72Yw_B!-L%4De@@x!&Ar&0{|=DJp|h zeScO)unX*7<X%G6RAV48HJjtN%OY)qh$}wXxiTXWlHBSKlEC^ z0la`*VH}pRPtg@5_EvQ@ntb10hy#{(auG?%A42|PWkT5$HsarDmt&;JogWNTg({F0 z$qiItt!1|@`9a^b_-ZC( zCX@neE12;-eoBO;ZnHLvDax4AUpyKSRqxumk2~#RtftebFBmm7Lr~S9dzJ7x*7{Y0 z1gRTW`0N$~!AIRstp!i&$;tHK0-Ft&Qq=nz;i;-%v#l0Qj&C*5(m-#-0Zl?& ze0y3!*kr7UjCv|gkLdYVhxZXxV^Cm|$Nz6e zg7V__&ElcpNcxrc0DED~WKNL;_dD4IrBxaKBf~Y@&Vp*X!nN$i`Ql#fI2C%{LYR#G zNCr^a=LP!G@8t(etiZC!rKZ7@eYoSZ6fa#(|e+x)L*n7gBDR|2`GXv`yT{h zMb!hE{%NSfH!2iCjmXkQ=!&i&n6xMBbHW=(y8w$kLQYdEWL;4JG6PwZ7^@?BW{R%g z8t?kV%IYGkLR{-S&vb9Y7JY{@O1zA@MS$f}dB{_fjZUvF4CaT*Ebv<1aTx#k<;KhzyY%)Fg%LY~ zip#>7elecDUiRQCUiteiE7>Oy&v@fjd*rl&)_?gP&+K6!ob9m? z=FDd~csy4!7|O*@2dxJq@UWnT;0J%()TJ4=Z`w^P1k){nU3bvyARe&dmZAuIw|ci=vjzNo7_Laq&t^Z z<pCX#_gd%A$K6Ira*;TD73Lh9jW3K~zNk(z-_)u!k&aPUP7e`_rJ3b0V zQvkXbUhcPM#Py(F$YS71hJU4|?(W>a{G6CTb+mrD-IiC8;$=St9;Kb-C&4nuz*KPY zZj}s!Pk0tVM~8Q(S7Cf~cZW$xFqdiR0J>LOKoV{euYu@EhlkB3b*(b4(p7~@nlWPf z_H$mbzUHxQR{9#LZq@3Q!8v0}msC_Vxee0oDx8IU7dT#Nk2vhDYOV6FxIY6) zI?T6JlQL3duK#^;N(y*_T228V$Gqc8T?gC$SZx3LxbPpp`Tv24%QL7Fl zDvxb7B+jbP{c#l+M}q7P@ZWp9#Yh-jYg6{`QOF!zOGCi7GnIlzs~n*CzKs@=3Bih3 z5kxTzngnxKxSOPU>YIRfFstC-9pAPb&9mWZ9kI*EWAJA4-`_}MIKKCZK9>&?RY#{q z#nqpB@{t-*Lqc%UV%keJe!DXRnB2Nu7;-RQmikfWHGJ(OQtq9B)^Yw-DOKZMGFJCa zjGoHbH91%6xZ%>DcIS^6W7m7j2Jyw|9crgP^=ZXA2GgWQYO?Mmx$1Q-!c_n**4X2C zNc?@I(R@8KMC@D2fmOn@JS6;^-)BDCeAiK%%s?~v0|p;moCkPxtU)%LV#_SZt@0P= zKRcy1C$|!`85~}CBIRx0{R?{i8-@L|*U=wiC$`=qccY??2c}j98+b<9o`NyTC0dqc zm3mM1ftP1wc`&aLPq!)*Jo`l#z0X1%X?0uAMR&OLd$tr}IJb(Rl7OiMPwdUB-Ppv_ zNTz{9@8R1r`yVhEUE%k)=^JAl5a9`a*A<+Rzz{rpd9IaK7&LVcX@Ylea>V>rSoyv> zrBT?4Cw!6B0;iHc=UfI(wvNvZ>1kuR8TtO;6Rj2?YDhlr{pVRTN&#u>qQ9c(kPCs# z;_m&)LKjwgd!i66NRQr4sbR(AYAH#Wz*O;?u-FIW^Qh=}{XZQ!$D;z8DU-;yp|m4j08V>KF*1-i8lYhP&n4+%67ln zGu$ZT$En-uwBsWJmM%Wj<;mkmY3G8hCaN0;=K6z|>i23PA~*<=x#+Ix1aulTAZr&$ 
z%CaLp%%|M9<92)%@@rLR>5ZBx)LlmHzN&hF1^sH>CKJP1z5df}Bb}y2prHYGsSR}0 z_MX=%(|By>-pfBKyN_SwAXrj3A)NiQqe=bXC{eQa-cXE-rs;n?Tu>A(16NbTcLmp1 zfn1Af5EMg0{5lV;md|IgfXQ{mwbWG#dnxL-;>U1F7osNNIi3j(#NwU03L@0T#N080 zrd!DQiTg5+>-hxS;c^t@g1}v`D7!*7$G0x-C#!_Q;*|u@$f88l25`BAGDnJ{@hT23p{X!5_g?GQb`9g(Dbo5iaTK9_E zapPy&s-q{2KVJo`?_hN}<6obtxC;W0`eF7EMSI8d@%-$c7T&3} zqEMm3l1to3HOuh>W2)7GkfsKY*0NLYBzyKInN%>x*`E#8EOkc9i6f$@`N$W>QuzNa zAOnw@3Rzu9GJ&C>9p&J3MQUBz9yNJF6QNYpT#CST5g-^_*6`weG~|%2>>okDP(o;U zyqn2@2H*VH^D22>knZS1**oJnmJ~` zB=>Ngd_t6u!!7#0JdQRUnr;!viqVs{wZh3P>&v-Q3j0ucK+ynGNxVQbo~_4~1rri5 z+e%Z2W%hC|U$sxs83{1%lRy||uuNfcVRRP)!cRvtZ5Bg6Kz$#7%=z@y{%zc~3Ja3* zL|F7-QKny#hKG!&oE}k4a7%7IiP}S^D&c-EdiHXaS~j4&i)Y8e=2L@fe*(9b`lv$f z5MTB@Hsv_N*UkQjHu7swXz^bE?#lNC&+N*}3S61*1*W88Z5k2W$cK@Nhk8n8C^Kev z5`CSpZGEOvEJbRiJ+4im-iD5Osh7f}U9YdSfVX4EuE$q+-G!(3mbCH;?1zWe`{ocdqiL5_bgh4ik~zcg*ctP#_q=2iimd(c?P1_1#45( zaJyn{1Q?O0D=?;d5A)x+cDreS%Ho@IomWh2dxc|Uw>?50uAFFJzYIR|59efVaPkb% z$P|1R$gn?iGODh6^gFWfE+UN1m&TaV0G1D`(B{2o4=wRTIjAa%NHr;3BTE>l$lrn` z{Srs=zYD^@q1|UFv{U$N`y&^W_m1@I$8W=TtWdg+=wA#_LYNoBF`-QUndfA?D^lAn z!GLTs9gS4w{?%d55xJf5m#F9K8bW^8P^UWnMT4J#2Voe{>f&+o*rc>HzSn%C z0Drr)fj>!QB1#3pq(8@r$4tG7Wl<#(N+=Ag<;qWwJ3Q(2wfZljy;(`%sq+P9EA3_w zBW$&z)cbO{lsimY>`$A`&OB(+6Xhhh-p=fg{PXd&=$B)^k=$Aphz95h$4otlY8bI( z!Pp}W{BuYBNt@R5@n>BJBGn88`v5C}Py-v0O^je?bKoEY|AV!GtL7V%7|4t&;0B;y zZIIf>bRw``qnTnO@|Sq|bvB`@`_^c&PuJ<#N-|9GZ>m!&^^0$j%8~B%@l>W@{Q@en z%lF4~pwDAdG4g!X^Smkdt2^#jR>aA(nNVQa;0<~wp;>fw3|K?Xrud~jtSk8hy}(2Kn?^_K!<}n?;GroNzaRC3!O!%l?ac*I4CNij8cM(x=5!T)j;{0zW*=G@B@txQ$x0O+7y@ zAz36&p%$AYtTR@wkE(Ox1+AW^*6#HIRgUX?v9XW_?+M$X~X2BRL#Ui?wYyY1pnGNDmV`zEb#lvSU#iQ4Ge>1$c_xKHk}P z_pjh5NW5_Wn>YgjDX-IV83Ylp0KblGwfC!R3#_9lW$GsWX1eZ8$tmkV|9_6_1z%`Q z&m7G-ToE6&U(FN6`M~u=AO(8Jr@si8;=;CM@w2>uW)cU5U?ax zwa4F8ShbSmVw18pk6fI*D_Gp_ecp&ZoO`>TJvTvM*p{@NWuSAb%uR&bPtVNPTMMa8DT7phDIyVP z&qS(Cugza<#mQc*zrG~ltiPlSZ?s@RzW^S7{mMf*-|y|6av|4^*ks4Pa?2{p^awK5 
zaSN0mtkd3oWy$Y(A^6u){*O|;8i(2mA3Oi41`ji%$HbeNDJ816-=hYKy7H8dF(nQr09}v<5Bh9<6OmIu2NXa?qjOL5o(qp2_#DWk!8=P04U;~ zOx;+QF0}YKxw`KyeOwzu*M1E!>A4ELIb1hR3BLbXLc&cX58qwL{%k~fs3)cFxpbJ# zl$+<*4%L}mbZ)%nM9KEhHtCYIPM=48@Tz6&<&<$F^`iavo|Hju$RT?yRsn7W22h1D zi^sZ+H)0N$BJ%{#ftwrRXBQ9i5S8V>4rZ!{>$-w6N_CiuA(Yxp?HlO~?u6?fBVSv& z(1;v;4OIY(tTT3v%cN~8z#`O~xc2yLqVNNA(Nqm%W&h3!7RB8~xqOi7rWtQSbK>Wp z^>-&hDNDHj$^B>Jy8*SlP??DEZN~Hg2%)CCDw^P5N&^`Ot zIr#mcQ1xWochSJ=q(Vbx#}*Jp%7hYF^@%)})q>}LT+AR5t7??ila0FHG+GAG>_(!c zT>#dVWpY>zyr20GY5T6z^R`sSM+wckFQ%M~6ZvS+r%`LfCkbo; z`!TEQ!%XdFl{DeJOwoPOnSq@;ZS0)Z`at|ig}dX@ILc9&FzCB&x5I{A`TQougfaBV40sYY3YF-p(C8uk{Bop240$z@CgzVpfFnuPtjMYso%hP9ScU0=_}HsCqH&4k=aqJ3M)YT#Cj02{JlJh53lbL!`ElTcizk zzY)A{Suwi2@-+O?^~y}0C0AziqgQ}d;ZM(TEG}2qRS`Eg_c--jh9V64iZgrr)kh~z zoyl)mg=p?#XdL>7ZClGMC-mrQ06U76DymN)eC4$G<_c&eD&1)rIE9M+n|V~Nsuf3C zP-|lK)0eQjl|VG+y6w=^Y&Pvca3<~8V7{?#gQ$gNq39xm;RT4YJ#N2KAo-KANgLi7 zdvcXc@EW+I9A3#4c6ws!4vYVRcm^bS_#cMyPbp&O*SDRI1Z_X! zfxl0n008I6WOOu>-6qZ?J{CNwAs7QJ7Ecr|S|j;2v#A}S`3FW->^GR};H^2&#!l|o z3Ec3sq1l6(6efe4ClNPOI;neBwKKLG-K1rTU0)XxSua3_nKrM)3jyAAcfc$i8b4CwZb&9<8 z@*GF|Tvh6`R5jkSfZ!8nU`dd_o9>wu2z+lpUu!mFL4h$CVen~EJv~gpA;f6YQ+8_k zCk>^%3j4zojObX3&cywBa)ZXiIs5>+PyCQrvTbK;QoGNZ%;~3E?qn)^lff?`}z5K zHE}PyZGtgy z>I<#6li}Ch^z1rTx|As~K5j4p=onbSg^TC0;bv{#@z&ri8&Af2(|CG^IYx+7ueEjjSr^THS9M+_1=^C=V9{d+G3@P5e82lGn z{a=jL|5NtD5{ciXE|J%X28w)U-RW1~jL>W?PZEDw`x`mtl;Tlwwm*eu5wX0u0PmOL z2%1vfB^hrAK$2{ekxYWe#a*?fQ=+E<3SyC^_iamnGgLuS@^~$8=Iyxd0$(%8i zOa9V=$6Hf=@bL0arOug@B-#D?zn18~06l(03m~qBB(XUfQ}Z4kq+eeMz(I-F2;F(d z6xL+IAL$ovx2Dl3M?742rt@iCbiv76xe>}5t;ZPrR?{#rOf7km+)+aoh-&J} zq{A0>EwA~OwazmZ>t{ej1QPY6E|pYbp`^`!Xm>(iICfHmI1N?6sI2&{8Ubz*>Ln91 zzq>E|5B`n}*CQ-Bv0goh3oFw=NS@l^ca-Yib2e~ul7E^(IG!j$ilyB3Tn-{$*TP!x zy2tgNL1;~4C+ZYcy3z{+Z-0{Q?Ve=H_qB3d&GtC`1;OR^=)QJ;d7pY>MjdR<*0 zsKvb)G4&1}LBTtLE!8uF6)>}Vb6i0S`81btWT-@I6ggDk-h0?4ZNS8|z^|?abf-M~=Dnk< zdkNzuo1&tGl$0VlKfgaZ$5)72_w>;tD)jp!EO{fYF%@PIOTMx&KD*nOJ>4T&)Mnha 
zh42LZk+kOHhYFMdCQ0vUg^3ht;|b(~s~dLVb;9sYiyn8s+DK!y`yy#*q3`{~Tg^OK9KQH3m}udyyUvXEOX; zUR~lefB@TlKtbTbzd7gq7cc9ANAEaKUusx z+a0GZz>CSVk@6@n0lH>ss)CD3)v<4VPGpw&nJXAI`ymem3{y98k96@#eXx#X)3^Sp3IS;%nO@6i!_I47vo?-;e4y!lr-wgRl<-a=3cp z^4T#Dsb{7%y99C{c7roAoFL5?;*Gyq`T$a&8c+@Mj2YBfqpU$GN{Q+-XENS?P9g=A z@|<2|k*ZnzUwf!!*_u6>A5aK~KA}C34>~9_x?LHAf9xHrrq_gyuo5qAU57 zH%!q3h|Q(*ol!!^*%onIzRsP&r=ghck8;XrQ;|>13JK} zTYA(i)FG@S*7sVe7#j4hIa^9lphG(E{O%G1S%5!9wUFteQU42=qE>TDgwg`^c0rjT#hPeBZbr&%a+JWMU(mSdR;(7#_#SJZ zj$o|0xU`xDGDER0C8MbKHzH0xxG>&795LVR=QSK7%e~L2`f#->&_H~V{p9+fH*~%; zrehI`sXv$rt0qPN1kWtc(bufmCD%DbB-}#g1E(!N1(ldy`+(YUD{nCx0$YY(L*O9;Sy;T6XeHxi9<*1e?g9U?ZFsh6 zu$Be`z?JhOW;M}M+Z>Sdy`vdIU%_dxhA0tnJyoHcA?Y=~$Lf*L4v}igeoHmp(_v_a z*m`I=;ZVL+WXrIQ1s~!u5p~VRQn^`fzbowGYi@b(z$dM>4Wk>Rp&fqK%4|W8H~D!; z!t6jpHaiYSEhg4eTSv4p*k>e{W1|MAZxeawsgIYiIsVpuyMg5`?RxpK)LB!*Y&mj|yNDC?E#yGj#Zz{J=b$OC$6>@+S`*8aWsy4WTX;v_di_;)DC}?x;3NyR zd>hY@7vGvkg#N}8&oMVnX=rg;Kl<4G_~v6&&{iy-pM9{X*XyP2*f&%%^y&yw>xf}8 zl+o_>?>=8hgJuAim&}ECNtR7*7Pz{vxsy-O2zav>fIV@v_gD`Nf4$)6YWCGw)hp>K+)?ift_QBKj$k3v2Qjg-B1dGzWZs2nylX{ztNj?sjW@W37Nl1_>p|gi%X=ib3R6c2oKoid$f(zfB=t;}6vGxJvHB-MY zbcGI&a>Z)r*LL02dOfBSLq)1YJE>FW;su*O+?mBZAiYJIFt}>F+^l-5!f7$GGy(|Q zx9|VroUg;4?|Y^V(NK)HikX}6al~(n9vwxsg~Yb$e7t&5cfJuG&nHIMqdFPU&Ln0k z+-|jicb6_|GX;bul|fNHl34N!^=!%QbIOeB5q3JG0aLBR%2J;=lAmwhWy#j$9?u(? 
z4ZqU=zuc0Tx39*S4+IK-+!8dA&H64`IH>c?H~OY$zsz)U*aPRb@MpAq`CDCW439(& z8!{*JYsP}!*rHI1t14*_x`1!{&JP=zVbP;lf9>to*{mcsknuh*BT(17(g+4Y)bTfS z7p28r&bNG23=Ks}U^Ry>lOSguP$`+QxvBZ>&MiZIQ|Wv?11!&I5YgizZz;h41YM%7 zDOR5RMvh{dn{$t#1%=IUW%ru9|5Ncb121Aqf2DVr`Gp(#g#5&=3DHNpDyG~_#97b4 zjicLI;d0Z17?ApeJ5}RJ7i(?1m1gQZYsXeen~|-%bxsaD#8IiQuV@W$WV#S@CO`{l{`WogNY6Q zN1mOk_})+q(p9XZUKo}}I|V6|ddv;??T;|X#M^DUv5O53ev`xoohR5J zFF`nC#Yk84T&g6#QWUT2e^Up~dkPZ=crtD$CogXMyO6HL|Ngr;+HTCCjakH-j_^69VF^UVqTq@-|rrazbB=C zr<2PpP2TUwk32YUzi9BLL={I-KE6=1xFw6b{%i<+H^Qr-EN&G;s%1 z5x+l8)KVbTHG8JbO?pRLF#B&;Ebwr?C4~;Ay(t?*CiPWlOV@NWMumZJA!F&8+MX74 zV62#f*qP_abBtS%)jyvK$LL0_AF%Y*5_3~JpO~agp z&T|;OEi3xJ@4s!!oV&ENgo&k05Ty{EmR2SzLlI0v=7ET=686y_lQf^!GFxuQyd$D% zIuy04`g9<#(r0zBlf`Tn{n#MkDG-b=qkp;vWcR{& zy|>_OOiaPvqrgDN{iG*X!|SJ@Z}Q$;g5@2w2u2d2Y)B=_!$q4CdX2+yxDjPTK9>C6F!YVDDRaosk=bq3=KEzl%B zuu*_~$zZP})LKLxHZACo&E?R_#D%zTdC_ZP{75Wp0t%0RI+3n*vy#u@`mFr-MksnQk9fxS4`N+KPzBYW2RBO4{I}G!K(a3G8p;vxn^v6lwjTMNYjR~Yx3=YQ!%a#h z*+WJSY^A0F4i43l;PKJ>&-VGd2uQqof+1O71F`g49E81hC(Gy> zu9sNl%S_W0$?6p*aiRjFg0_RHACWe&!|-?}C5aGpq}Uw^e7k&gZHL6pI)Z+Yl zZ|nr?nC@j*5Q|f|{!4<~CXpArI$o-+GoK0i-KnTR3dhgS&*^LxRM$vZFbtqUV1cAw zB-hAcK(b)})0c3c2kRr;D!8==QzIp$53T7ejS4t$&pdWgnH}| z-Vv{BWjP;fBw3UdG2<>eAM0kclj0-z{>5>;!MBblJ_&=`CdU`rca>J6kNhJr@u49g zp#SZ-VNEyQiQ6eW7HRmi5pIKVi*%*p!1Af=#X*xlrYebr4q5ZRNut-}0ZD35dbVtq zfL5!E3|El}8GjUnh=>t-H6}x(h5wk({T-b9Nf`bq{$qC6`j>CDu5RpAa_L>UZ?dKx zYItrSJw!Z>_%#Vxix~hTU9Q0x`53J|KegMKA{V|qccZ!{gGjtaRM&k*8_DpwEc;V1 ztL2(F9Op@P@-wic2Aqv&Ra`f~Nw_c9t_;h1!_|45T43qT*<<-J0o-hvWG7DPqrrtN zSt^wbP|r_)>~h38xkR_1oc4!rd)XX=C&v;w>5em+m-Z-Z6X|?G{m{&zihkc3ct*}M zj&M6JP(^kcB};({Z2xjNn#GPNosz-d&6Dxayy;g%gY0=0L9sMr>%RooBLK{(;ZAaso_bOHD zy>ww=3k0Obfx1R%DR@Wo$<^!pA?&)Ue0etUF(!A5wR1cgT*?9KQ*7@JmrW^KGWBa0 zDpVs{sUHhYCHoQ(6PD+!=emG`BetyzxysD=Ld?eAw8axtpUJF#LAbxxa1MOC`a$c28(8Ma6GGGPrR2v*zBc zQX{gz-++O5a6n#OrC9Sw#qYcCp2WaPeoSior`QFR`HZRP-PS-+6uv&YveJ&vY>VFOBh9It}y7{H>|!RJ`Mq1iQAfNSECYKaD{4b<0b)@>Ul-n 
za`kxJY}+xM+{%|5;IJ~hd0WcQAt{T}51}{oYtCn@lF*sKi64za_zQNRDFzGVFJO+# z*^S5-3nbG=w&6^1Hi-X8Il56I}P%^{vQ z2K5{}v0he2Su6it`lJzo8x;}F3}pAgqA33we;rK~P}il>G$fD4DQ6azw1z1ecIjlP zTolgcxbksCl&3f~O>)d&m6Of&JNNPnD~VuzJZoG;g^#g2Bbi1_QkO$7kJb`T_!;7J z*=}rBqDV|Ch%!)}2U8^;P0zM3TBq=xv64cnZ7;ZrdNYpc9Scv2)?6C8`tmm@g7g~} zw;@oDD*VJgm)T(dA=zPF5S-y{Ed4a|2>(biNg+l7Y(-)6RX#;5&PQ*m^PC)VGS{84sR2JXH^`oLhlU~QeZ_WB}xPC`o7@8#5%=s$xE8laCW{L zp7H(6<$icCJsZ!}ersXiAst@5u;_WFecXOq$^IGI^9-v$v|SZ5TIXH7&bxQ{jsBh; zOYKn1@R_^qZMGLam)p0mYp2J@W5>jO!Alt_+lU!=SlHXqDGphEeeX^O2IEQ+kA}Y` zm2IIWgFfrOQ6IkTf0moB&wU- zU%Mn$J$9@Ivq}Y*fOg4GCi;~I(?cIY1=h>&uuJ1Z^V)LyIxTnp!V3e45vgQAj)?Sf zb`C~T%67Mq1>d*7?LY_%#12S9j0TjDE$q4U3Um1sGFf1_DC3m3XsCBgA(lLD1L}hJ zt`Lyz$`mg z{)A85EAq7MF$X4v)5rfi0dvbUYx)O{Yfkd4`;?v1wtmBBVe;~~t0|h-mIC)bH4hoN z{W%~1AzCjJeeLc&xEn2d`gl<~ls4p7gZop;-4xpjkYs`6&oW5_{?` zY3|8@BX^|{8qt(5|A;ylbz{!@62QuK2~Bg-3O?>FclGOs;3&ckFjx_%%2Ag&sIkGd z|1cf2BE(=Z<8Z58jWxW@Wl;-KAJr*N@E%uTxL~H}_vJTyZ-vg9@5#P?aA~8Zn)nan zqU?-n3mOf@aE%aoB5l-89@BT19*-PP91^stUzQC@FAJVeTFvN!KC21-w4t$?c`@qb zIcdCvo?bn7mO?*o4uDE!@s}2wZ5-#}&xLsO@g~^vKgIo{tO7hN)dlq!OqJkfUIHXA7?l_tCU>)2^6Z&za?H-X>pY5H*yHW(*jr zHbYDK)vfZdWJz$gV6Wd+7s`y|k(ttvkId;6Jz$BjJkG4E<3V@B?0&aR&!b!4WQLDq zB#?~ISigu=cLs$5iv+yY+_Vpb=k2ESSrr%DLQCgo?s`cBO7^yEil;2CWWU$sNRU4e zEBz>+gO%qnZEysqZe{(c!!kgG0E{A;$n2M{up7)DD?p!UO83w6+b}EHaA+5_0*E51t$~@Q z=B7w3JVK;_jy|NU-$&Z39-9CoAsq#ht58gtn8w$iAmmbt;a?_;;YuIBVQg6=g*9ci zyD!4N{{?z$j~gK)V37^`iff%QKp=sV!_r=y;`DS0BP>i3+FeTl=v09dz?7#S2#txf z%gf$Gc+^v0ZaIq#u-%#b$`C1yKXB~b;&c3;R_|$ovG9Wrhq?~}P%ZYvRs!@T;jWHs zWQQ|H&C5Xy4is-4O~)}R}m3d!7y)7-NOc|OA% z^vgB}iDnCt0#||Uu!|j9=3I->jyw1$T05&rdT+!8CZbVJ-8`p;47>-H3K614CfkBT zPps;jndswI=*#&$yBk?j!I=;r!HDUweIAd_MR-}#+)Kf#VE;-4S=15m#iZel2SFtP zc>e?;3{SwV7SfOo%0T^T6o9C;CDv6?U-#mJEI>BrIY>A##zR@T|F&J%>}!ojXPL8g zDbf%Bq*erhobyuHLTIbp39fo|C*Du%M|WS^!fNj?8sA$1eBvyb7I?PW@T(q|tSptk zPPo|IX|D`sKPWauQ&zILLHTQF9En`PdJC{oYt>n=BFw2339LsA78)30uhCJ=xndEe zA@<$ZaCw@{?mn)YhUE$2dUk*o=6v4is(rrS^ED93N7W{sH8dd>btfn5F=vn&EbrfX 
zptFcC8=3O5BcAuqp-0{#itAGj4w2TX)G7gN`96H@hk^R#kSWniq8csze$=wDXF!TN zH+TTWAZUxR`g!tCh{pmc#SWp3A+z{$yF}Szm>9QH1}=`C_@^C=9b8#7>#b|fpBrjG z7f@@nj9D0pYwMY;6q8E4H=MHd14T5!ba1Q5g?|AfRP>xr@~$M15b3l66x zesiMyKry+-ipP`4Wy42yUq=NUMpZ`dNrm(+bR$pmHR0{t0~t@p)jx3C_TKH}#P4m9 z&CUpW<~RPaFa37dMB*G*Tl754_EFSXk)SVh7$fE5R4RhKDXIcG2#H(PsQ`Ip1+4t6>7wrGR44T>o`UbGB0gg$I$zOFZpZvH;SfzerR~-Xgmr zT^!ZqUUt!GUpb~Ah{TRkD!p*-$41|SqEHoE^UrS>y7i7c7>yO6CTe;-ho(ATN=0f} zmPWav$H85_b!E9#H-OF9#$OT*UZ zSla;^12(5d<+8zX+n#|^I@K1VwYf}s{N``ts46}crK!6e3w*KkyWkBBTEUTZq@+>j zzmWa=xpd7vD>l`QriZOO+S`lyPS~FGmLT!l>8#-u6<9BsucVJBBB`^VQrFZHd!r~R z@ZNv6#1n9@dU!eX^}pQG$v*_g#aBN6mmu4R3-MbDAymyaGgTB3(fZB~O6yk1(bH2@ z4CXely>Xo8wj9sam%Z^$8zgb?CsrAN1Yj(bkjs2&mj#FRd>4TvyHOD_@qd|NNWMDe zA9)uS(hi_6{?CQ|e_f9B9ou54jl>Yu-U!-ud!i%;sFT`V??2P*pvOHdFq-qLllxdi zKtJ(GX!}ZBUKf0X?C;%-yj+L#BGlqufQ`6Z98Y?`TJQkY1n*{528BB{0MB?>s`j3pA z9i%rb1&D<>9*R}F2SF{ojDLO>S+F-hx3ecA?{_|?Oc9i3ut@iFO6OwKOCG1)%$xXT zGj2ZpLKiY&*Y7ipFN9Q>6U+Cf^TYr8gSmY1^}8rSPZsv3^Fq_SoBo^*R?4PYguy=> zd~qv5z31F~etu8WD!`WUAzcBZy9Uj75BHm{`grsc77|zLB0Hv;rrR+z-W?Q)3%36C zgIg*pe$t%@b$9IqVpaEB2M5FV7-?`5q57L;9BPJ5;U;Ly3_V`{&9}C$i$Sap3sJZY z9CE%yqy5g9Rj9A;%-}lBWP*|7n)lN_fmHZ%Tu)P-9w@9gC{5~<$BFu*IELSOu9FJi zV83eqz53v`W^~rbPh$pX$k8AA*zFU<0p%DbzD2iS8JTiDqds7KB zHs^Uof?M8wtWeT4$} z)HbbpM9O#%pv-m%@8zZA@YomyK=vSU_UDdK_fR!JT*c&k0XsS=t?I~p&SFUAVrMrt zslc{Ov`)D*z4#&&sFO+7p1WF3=-}u$ME_kOI*D=whxAavVK@J*Xfny$UKLOza-Ykf z4HtOGLBEhdJ~B0@{>cYqbN!l)~sF|Yk-PDdHOMPv^S^^$OzK0ao%zOPfQA9ja$SRca$#yt{44Njy(0Rgor1`bN z65_)6`2F$rz0&Ie+rVOZK17R}eYl|1U_!=r7si_}#qV4wli52D12Z~o`l(?%Wp?H4 zV|w>MU7UHc6bXBms+LKeNRqG^mrXMgjD4t;-T!FJP~YhprAokS7iEd~bf^8p$w)x<+3t#D%JpfQ(z-B-ik#jr(j?U+CX*49;*BNGj~NSQXm!8KcV#n{L(j>+Uq zu4>RuMJKe^P=?@;<1XVudBu_8?mZ_*=T^ktk4^f^9U}+P?TVaAnJh08gZ%7yVm=zD1HcUCqginBr zrCEVw@HWiAygnk$)eK4XO^DJPiNT{03Xa_G)Y&geloC#3yOMmjqUoe0qJ*(Ga-(di z#_W@mpnI4BBO6`J*Q)}oYs-jk31&G)i!eRE%Bee(iy#p^>}OO+ewO!E8SG*lJgD2R zK`h`HUf5N9yftsBLFf9u-5Nqcot6I-ELcnSNkU2P5!sn+*_lkt;PmJQsma@m)BC;E 
zJioytqMlb#;ybu@!pAE3@b(-hHc{4Jd4*P(SR%T1decs(^|OyG0NmBS(5t6Q_NONL zA0zi#MZINnN;x;n+;I|N%*AB*TlGO`{Qa-{Kqg1hQq9>T%vAs|YAVqfrSghC z%Xnx(7)}*Mr{EPq#-34JZ&ejZy{OZC!K#JDN|rm7U2NHF20_r+c=}j-);EuhIX+olcFIr!B_)=frIo&9HBuG03(Ry>@@psF2HACDG-YakI733g1%h-;!j5_lI7N znsi~^&6%W+wIlSEA8_5-Nyf+MY`3n4TC*RBr?{K+cmmx4m5zclS@(=BKgArX!4GGd zgTS!3!_@QhMo!l9EdzAmb0EIydoQ+R%^m{B8V4Shdl&(8-qc^4=c@P<g>FMUD-pk=YdVnwW}!g(VK zqFj%Yg#A+;Ot$rsQ4P}6OahaS?&l)PKtt~ZHi$ON{GLxS$uN}9f@%6R;UyiN?ySZE z89Nwi3Y)OMt>@F**}-F8H0RM!gI^2&+&RADBpYTEUDmEN;_HLihjDPKag$T86_HK+ zNI`scfTLTR1;t^{;iARHJMti+h=x<)i_6lcyA+rORr;O77j+fF1c{)Kt|l4=9bR?kEt zspLk4=fRq(B~p2l7ha;hJu!1U$iANoeqC7c;7324JUscRvSHZruG((GYeqpRn7C2@ z>YZ2ySk%^3&;LHx*?!Euh@lsm3e9K4?{@TMNR)Ir1P6QCa+>wY|J2UNhQ9P>O`JIM zimR-Dicj9E5BWzKTS{8Y3&X)$WHrDR4vl{@8{V1+v()U|_#x4Np#s9+ zs~rfTDOOiqg|?j0SBTZ^Z@9p6?mq7`=MHWY33b%vi#FTYogvjY<9%RDb)HAy!6{Qy zk-#(#_~uA}x6~;J1%uqzBk$hG7Gdb9vO$*`P2>{-P43C2w?PczJ|)d$0I8R6c$7xV zR#9<&D$_em&N9iXH>n4nz@CjSvl66n#Q$FW=|IMy6?rJfSFQ z4~KRm(do8};dI)Tbm~n(=i#%4CJsdjZOG7WiYyb7jPqx*+b%}A&;6FJBzsc@$m^i` zbS(dHeL8;3*l^{YgXQS}Or`o75mv}z_JwDw@pP*^4sb7IaVw+K&-g6o`6?5)4{*aw zl;U*cR9h^gxm`{5amr{78|wiaXEbC2O3g%T4f^yRZb&8$G2U2|UDkTrY1oGwUH913 zx}I|8&I-a)1pVzDG`0A`FA&1m8Jqf69v@B?oOtuJHd9m2J8ygsz2RmuAC3%^`IaRY zlU^>i4)q+BQ`_fD6=Z#zJ~^6&Oex(-e}DEbpYh2NsAQf5QQclF|6~f#K;A1k);IAt zUEdiW>jC^T%Uk%r8Mm*j&F*S+!2IFp^T|lNbI0_1TLxXq-z6*mRDI&~$LAY#AS`|HHQE1_Y%e(_vo?BXZe`3x*X-|I~H6(F%DTt&isXG#rcqUJ|FWD3`K^4`gAe_#H39^$m|sRDzp}NKSq%% zVt*WZphyZ-(z?9Wo3ByS3S&~bbf?_;*|ftAfZ`~CFI2tIP8_c{+;)-*l1&XBS4L`_ zadM82e~pqKnlcGVmZ3V z2MSt0ACAs~xN+lo5=ar>xQjHPc;~ozN9m(y%#T*XUs%rfh14v~qV%Ha!#!2;KbSki zrPw(hLs(k1m%O}q>UEzZkpTv99%Lyq4jU#P9#`WsHIk7@>hkQL?HTM_Lf3vhDB(F^ zC(XuQ3J~hJvMqWpW^ADuXlj|tx0o6Tw9Z!=Jv4mEJ2`Jj>J_C2n2>}HNHrs)*b~{@ zzNFvLt{-WuYIxsb39B@Jb9seUvDNxAhj&f{&U!|lbf;-kbWr0e#8M7EH5d&v1GU1` ztkc)`wfS;JW-a#urR=i;#an^`sxO^r7Ji?C*v{W-RpIt)2H2uL3e=-ck=tEKPuh!T zfE{M{C16JgGI;Zl6b;5H#vXSaW6M5D(iix)Ee>JnV+D_OV(`{&^fn=&Io0RnLB6Dc 
zaZs^K7rZ~)a)Rf5V^8Lh!ue`3@n9z3ppaPxHP>0asWh*6wfh{x?e+a@<#VG04|3&u z-sz4*rO3n!3oT~O{i*#deLL6E8fwp0+Z{`cJ#*;NcpjXUFAwyNPWCk$Qf zpBOg-0)zs$Gs){6)V(N_n~&5aDFk6qo;Wk!zicXB;O^Ofb9#_DwUA_pzWArfP%{k; z{N5m>t<`472TaoR%_LC?&03QP0THnn@OvGM&6Exjvf~d5LuOa#VDzjQ16>J>--LVA z^KZhPIOd=AMcnsX1cL@yk8b=<$BQ8ePG_B2{G%3^if3$h+s3RiXj6_$ZtsG>`AnLt zoB_%Pf-rQnBHhJ-Sfs5u!(Hp0M#lf7uNd}DW<3M%Wi6*%7o4%#X~ahPQR7L0Hey^O z983L$NRIn_^Xgifq@c)#*}DfrfrowJAR;UW=asO}75JCqC|LLRMfO%`Zxt!L#gLhE z)bm0X0osQ5o5N1_zxwGFwR(f_o_-ymc%A!bzbA_9IPuP+d~g6fzGR^C@aDAu49JX?EqTGeTztd#5cr|I#KSnHq=YQhffp30eAh} zkG1+_U_oK&& zM~%9ildf*Bn|qwLXKl8`=6&5X)CCMo=a|E@aKof%S6lxxVRx9z0VHal*9LT5uV+Rq zIxeGgXvPk_Ju|%<+WHpfjWDh;x2j2Kkhb<KPGz`d`Ud2I>yI~y=Pe-!GrMl8M|224qD*LscYf8tNN<@<1N)Y=Pop+KCGH? zeO5+a+sUML)$Oe)LH%Em@A$5L@BSc|@9&DA!fjs_preC>TALe71U^U4(h^>TXz$(m zmib(1!UIY%sR-Gjr^FL$!D)~jL7l#fnXm|WQs`XW&Xg3N!|I&xW405TH6UfDql7Zl zEXn4`et7Czo427ydZ@lnFR~EOvC00DVT*dq@Qz(d6r9{-#8pHFQ4Tg_(rT#r;<1_A zA!&DFQ?-WVFLMsGKYYsW>JO>f`me{#R?r?lEVgavIc^Q)qy9W8MrLDq*dOnZ%E`#eznujvU)~Ht_@C? z$taI4pLF$_A|V}3?$yxD90eh*cg}z1H$Mo!t3itk2($XO53H9LgTvZemtfYby_SAo z1^aW}o7-zBF{lE^kzYi-x~btglK#NxN95#~&j2s_d?ZmnnBTQI10Jxzl)bmj<`!_4 zGg8aANNxn+rOx;&*f9VZ)Nr(#PKUq;9)W&j5#DcqDm-QBAj^#r0t#jY%?OhnW<-x1 zS7zWg0fJUG7en}O>auDu8Xr~76e`Ia`AG$K*acHLjQzPgiY)~PGDk=$II^4(sAeYT zF($LeXCLe_i~7(1$x852tt2G~0E4R5B3bro;lzh~eEL4Vw}HhX^8gQIxpc{UB?)W_ zthY6!xwN;+bsuXEXa(19?&U>ATQl3+GCiIYdY{~DN!sPKs8bU5otas6B+_0BKql4L zSItWoI;ftv=Z9V1Ocv=EIcq8T2=qDs8J_b$JLqNVsV5M@{CoBrevhkcnKaITK>n8O zd|owL`Jq`J&$?UAJh&P%!9|S#Bxq70fqqk+XpUyGc=kz1d+cIY2Z2#hj)J3kOh3iC z7AFzAKsQ2VU|lQfds6tyZk&T31x#ynx5^~rj|g}OXz0$GB&4D2A(x0EN_Z6~zLxa$ z9qIiAMy?hevtj+Dt~?vqk+r&|(Mm`zdCM%8bMO|C{FNP4-wb#7JjR>AMSBi(9UM_{ z&>~S+2!WWO{G<41!V7TM5_u}ZM(XC^GbDxAW*5+uiC7l2U@{~D20IjPvU#haB@Wp) zeoVLBaeU4tVtk*a0`qdWr&F{wYP|@-ou2FVyczo+oLR2xJ{jjYdS(5<>!~)fkYE(X z0?kfFE$kIl=JG;ga==aCx=CLZM|B(2XfO_cDzni7FKMpg#O6VLYSwz@xc#~JJv^Q^ ze^ovTxnj%=1VInb>BcXDS zH5}&CqTAJLNDnv97X^CGe%O%l+d_YJnd87NP1o;&shvrK9wNY#wqI@fvM0ze_LBi! 
zLbkjK_ZjuMNHZ2LddK~QZ%<8Yon~R*mymfRH>@M?eVH!&Am;OG#!f(PnEay+8bhm} zgboyT!0DFsVAi1qJR{tru0`VxJsZ~*-Z3Szg-|+E&C=QRJuzGjX7s z@yEq{vH0z@4!?%E0&y7BJ{`?hoS(}-+z=Ot18p;Pgg!sv*E}-}-852AcZIHgvaIPh zP5kdbu}Exy*``dHOHru`D>ON|Lt(gB@;I76XS7!AmEH!4lEbvM@W!LN-HPfBK+YHbX>5t+yq%NPM@Aw4X*YW`I2YO1P_a3zmezTrRM*;6i)+LgI zF7HZq)sR=)MpM3cYK1U-M3wh!xtVDvKXh10x#^7DQS)HmwH1`*U(vJI4oOEI9^|;7 z86RCRX#N%HJul<-Qo(er2)qgllEx%E#ER)@mO~0=OqF*v#%#4Nnle1K2dxip4e7(Q zTrHJP(Aeo;%F!Y749$J3cj7cY7)UU?4|IB=cvx-rvx-?0sIH0MZd2#oLE|D|Fw_R`{A3`G^~h_m9&#ItV=0@T#7GWiS44 zh)oZOjDm9uKMXB+=bQ&|_OB@XK6ca@PvzSZcJEZ5T_@Z7@yGXiC(g$9_8a8=S}IuU z)(Lu4h}&8c$1r{M(&s|<`<$ID{!pdo-=u|^{LL1M77_~Tu;KR^(w1is@^s}+X@?t} z87ZX6-mIZ=cwcr-BMT5+LBC^V8H#F;NKV`+h^I$ufV{i&!PT2K91 zP41PC`7h69zb^w3x=sBS&hgPXWMwq!4Wb0QV;YJr zijKwMYu_zP6D{9m!l&zl4wi8hgIK($^-CL`il+&i0#|>6&SZY18!0k5%lXtsfx^|h5bp(x=_fSX@soNllrJ=9q5-Pv`g zOVs^(WEa*lQo9yWG&i5>K8;oRHF)1SiPY(2!e1<`t;ueKYfiK6>qYa1dosrjo?_c6 z3+iw+VNVHkA87C4PmVaVZMO1f2wl)QiJiKH zCrpu;3v8xcoYFRXjblKRB4Qb>pqHUTda|XV$ssr!D6$f5~ zT#$bV=3!ei4*oFqRiJX3{ktd_*WGcRPItw#vIRURw7W`;wstxvP#0tNH`4K-$~Byy zJ{3u=49vb8IN-%O;6-zPCh{(VddB(NLC|tAuKzVv#1S;kHYZ9U3JL zYHNin@W;34+Cd8pG&TD^RP)*O@>aCYxH{7I=m`aY$rse@+OLvIXPSzs3#v=Mh#6!W z=({TsciIn+8uKQ#-|7&Ysh=K%8DKY5PU|$Hs5DdXYWMl_$~Sr9Jw&N|{R`)bh1;MX zJ%KCG@_7g(FB@kk8)sjeqC|J3ey_{>uQxu}I{SR`TPdKWrRB%x+#*Dbz#SHRd|U6K zpGw+2D-vWQX|5y}kx=~j@T%Iw%AC%Sg|6)jrvgX(Y^&Sxe^A^AzqCyvdmMQbVXyc8 z*XRh%>1V!N&tc_)@>;$h2i~T$pN0Mi8_x;96%lYg<;Syd@QA+~SSi`CR|V9I zz4^UR{-tGr8KS{osxF0a2|XY#OB)~3{UG;|fpq&G`7|9jq~Z$Z8S#dcck|~fe8~3M zpOS$85zhc*9|*di_K}}Kpx(C?_~&t%o!gWUGo`jql(C}Y4cyL#jPEE1_Capwt2Fly zTCQ4s&CZtUo)by$V`9;rBDD8@%;xa0TnN}jPT;@Td_=bZa<#dm;c?m+^*lzbNK6p9 zq1G@@$b$BN)B?Ldf!Ht$!u>QunZv#ZMM)cVm zw_~MH$~t!{6eVw|GP%J;8Ta4YEjf@E)knp0;YCZ%UiUS)Y;-*Mu-wvHLAxLWqoI0gnzwf z)b8CoosRSv+UTWoTtccgm>)lpIhjd5fIcl`c>$pJ+MCQ%lMr3B!OPKC8h2C+6e*rM z+I4$H_M(TLXxV7D2fMCJ!`2aw$(kr1j+H{laWQ1{Y+e;TLdbvT2q=M;L%W<|0Oyy7 z*$?XN@Sg6Q?g6Bhnb+YaM4xQQx;g*vYEJXs$NFY)Tsu_{jEC2acNLA~-M@`grz6i&}K6aXK_ 
z=UAp=DKGq`fo*gW9#3>u*T*nx`gh|T;VF$tbl!Ncd_`7fvjL)O@>5?^dt=u%s*WcU zw1|YYf~ur%t2;|~VeP-dLYl!!acxN2YKHKg>QGcRN=YZKOj&yEil%l51eX|0TOQ$4 zFt!b?M#$dlU5c*S+pu(&;+{|DC$w z5nsa1tx-VK?XwBR?(QxZFYl4ktHj_AWb`gfOc($LCjt|tPOZZh8pQ?Of7!uDTK)wG zDP~VBNM39MxbFR#!PL5+)zX#C=4w5E+MtgLnEY&FJ+~h4oD1XC);hZ*-PYFjF;wO= zX>WxDAS|7X{*jDytdIR;Nhmj8!kLbDP(x=JUvGy3X;7ZKcE`PEQ zpN8bd<86rY<2}Nf=bp6+4V-dcR^A>+@ce=@Yx?K3L%bG`0~fa|mq=OqImXGN6)(z@ zBMOPONatLPvfGLE8qNGS1W944njdNt**s@$w-jT0a`~pSLu9DJzBNRPnXsz!@Vm=V z>l<4j0mIYOug_Mu@D;7EP<4qq1AQiJ8EGneJyH3;+}GpQ*w?qGk#x6Td?N2pvV`1g zSXv)%J!=;?`@zFC(~*GUs6khGtKp!EHp)Xb!()NGB(~I|GiCkl72?(h18yBlri=xv zp4Vjl*`6$5PzYc9pN4ZL?G1K+qXyPKrCNa~)Lx zp34|c<8q4RnX+NkV~!Kj0QK0zanIeu zb$<*8mfrwB1bq@!LPA1srce=_m6XD0jgLo%g2(s1d=V zA+bUU*sM7p7lw^TKGV1vkGyodq=%_R@{DuMxEJ-?kCg7K23voZ>T zU_;Eup1_h50&W8?6-~L=%(ueee6cLkrG53>U0qfKLuV{6&-TAr9`Z{0OLj3}=50wNT=ML}CpNZBr{O=M`p=hf^B zSXo^w#Ma5~x%;brPW8b@Iv&!Cb9Np+L_BnjrG$!yd>y_Ji5xG5U&@(7-S9y zEE1S6H;zoAGF^wq z^?8Gg;4LE+^Hrt<)^TGWg0{`;dqV}q_*B4qkjw?Ge9S3+n+?hT9Yd@|cW`jP7VzR4 zOJ&c|Y_M@UoC&$VpUMh&%E&|r!JGJ?8AD{{N6{Pj16i}mT2?2Tfvo|{A)5^aqq?qj zgL3pzsXjrxUKGjthNO8TzZuKNnHvp1pXqUSJ!^l`D<+s?Rc-v65bvbPX-=rRJfbM{ zhVwK8C>R}fx<`%6l7kRhT*Ox_ zj5{qk6SjYb0sqSSrs4l!DoDMsV4k)n;)nP(nd%68hY__$y=vVf!6h~pJQ zU6;B^vedrafJyi9%Nq2c9_Z)mC~wB+$P$bU4eR`UdieonTl;Mts4D@>PK(*yFKX+> ztaF@%t>T*32vlT*>77SCQPG|~v2zjhO{n{RK?R)pMR#_%Jl`NGor^PfH+rM<213^7 z0~1}OZ0+zJ(NQqc=96TM#>HH-<2^3h4sP6$I6io6k)Do>{W7}@BYG300}5UH)Ub;8 zCEm?7$!Izxo+oJE|D1z*Il|;Y;iqm7ec2ML8FA*+P8&z{<;bl$AISf0(1Z;Ap<7=7 z5ljZXFgz~DgR3o3I5=eIJOXjuEhS*ij;s$(Jz_L{pEFnvr4y7!!Q6($;qPdQ7r%o2 zK0>8>i-XUXUHKDPHX6c`p?kIu34m^mTJofV(U9|A(|=pL{%CY$b1j})N$lml@1eP* zS3L>viTTa_gAdN|azw$w>#!-lV&80*J}ANXT-~J<8$&WCs8S)sLe06YUVVg$+wA6IzUYgbWJYPpocZtTSl-707 zG*)P7Par!ihwHPLES=r_l#SwiOkgnHx@AEOJXgpM%}OCmfd0s?96T3N$d$g`9Bbm8 zkCqiHS>I?oobzZrD*#*)w(qEIGTPb2X>BMDHiNU`3-Ag%^SYaOyw)yR$Zbs1++&)2 ztfi?fFqzN4+Qc&$QNmC(&09!rYgHc)KYcna*-?9207HE+9>n>r6odanVZ%j0L6HK@ 
zZ8f<&K`kxh89g$5>Y4vRN1PKHZ36po3>~!?a9TDHQrM2f_CluZ`w(F9l~%C`gm|MZ zs9O+W#cQpHsz`Y-X+vg;0ip_cPA>_sP>;i9FZq&p`H$A@jIcHVPJutwi&WjZ&qh)T z`n)5E00kcHt!Zi5N+sJ-WZ+E9wrS$iZCzz$I0FPYqa|(KY1G z!3BvISsB%pt%5+KS~ASoqf$a^M}1FJn`=K?JX5Ne@!j*~V(HUiV-Y6M!SV_lm!3AZ z%JUeP$uH+{<9(fKZF{3Ff`-$tSe`tUPjNmK^h?SKL{E#+$%@xz0vTwI;AOsrl65pU zDYc4s2sG>ZgH7624wu5D?K0MKELZ)Az2tpyJ7opG@*|z6?d)&GP75ED7B~$!f@W1Q z!vD>NmOx=g*{e_8ayP=Zk%O>z#qEt~gJ^6nA;PM^*}m>)z}KG6?4ez*^ct>sWX+7; zB&_yLnu7CarXl2o{} zuc!2`{cg$MjQ@hAu^rIz%g&S!(*OTV5ZuWFUUc}sF{=Ib_r~8O_3fjxgr6fIR|J>= zy$U~~kap%a+R-Wan@?i_zunk>gTKBI2HvjrSLevBa&p~Ay#T(bNaE9ezQGV;R{od} zxrU3o)ez9d$46GF>`wuB1&9vY=fsgMG&QwYsC(WKaj(?PTQmnBGVLj=%n%<3qW8TM zd&JYZoiwQa<(;6$MaxQ6t+oAi}QPzA?7c= z4*$L|IyG+=|4mWf%uoQn_=4RHa~z}*`C0Bm$=8%BD}rfUZ;_g>hZ>pWvB-b2Nu!7esV`Ik-zRe(9?Q<$_!K zY*v<6@6jUh)YSDc1ITKcMHw+|(u7BB#CzL+K!dTU{es=vZBQfD{^0pWT$2)?zRx>u z_f%BqdRob-yJ<6u4&^k0$49B*w1n0qA@%}bxva8V@F~%CZ%usWcyF{UytSp}1lr@k z!)FBMHIAX4zk(faQ2tGH-?pv0C9p(hP&aHyW==#ml>q((5Bl}#YYXze{USz$xgJfE z_eZWo(WAu_1eIveh!Nh?nrKF54X!ED4pYGHt-tf+Qb+pkaBg8Kmt)dbb4S))4J4|}6v z7mxC=VoM$|$mepKloH{UiCq#8ccc2_G@Q=#SAq_S3>C_o z{?(XXkC*}v&UL9C7IL~OPngm6rU=g%BZ)7f4s4roMu+TZ|mty>gX2IhC*|>E+1H6J;)6@1h7E} zLQ&7hKzKfK<~781v6SL?-f!>aS=jE^VW6qG+>|qD8=(Kk0qt~TCAPsxMYg>3v+ms! 
zh86brg3^q`$_?`(&dCds52M{X2(MC^%$ z>8MTDSDFiECESI7Sw9(;y{T$UjN5gt;yUTR=eCp>59s|h7JgbSGgFK&+gW`iuLY9S z>!z(+C@ihh*_U3w?BOb~)gAr*dcBS-CX`CLO5{Ti3SV z){BbFfQhkadXn`WdEmJf&WTVuUlgB261qW*FB;9ku;byK$0ui8CB9H)A9ea;zR}Hb zGNLMyPeyeKwu`4!J2ypVhKTIxQWrc;&6?@iEABbqY`~Y?VOq}}wlLH@+wqlMbHSo` z7qFf_mQUdeY8HDh2jXbT$7mMvap+2(oV6gk>2jGy^V8EXVs>MXfeVnTBwx5&27tPP zdK1ifi64%a5RIo#p0;vE79hBlV;rz8_=MrvZK0bjg6@KzdHP zR0ZoberAz-5meQCB7n@3ot{<_8PEwV?`5_NDmgGrnF0` zMHdC{|AsE*v`jsQ-0Xrc;T0W^;kr;XjCQ+rcB5=AA9e}{zS=A)=FBnKV3Q@tz}KWI z7j$#3pC42Za3TK;*K!!B?t`~E@C3jGc#ZF0kw^M8yGo;p)U(`E5(m`z?zCjlY?V4i z!2aOm+$$j}VLHma?AZnV3|+r;f5^hA+pT`Q7o1GbR3diY+EXZgI+ zPTwA=8)E zj7`DkaE`=xYc|<+4Hu5X=cm^8nc{=3ftolpA>WOvSnXR??!f$`cxEAj1;L}N2&@fL z>xhD|vF*OnpV->}-X75zF#tI+7Vea0h1;5`xIvi?aT5&^oT87p>rtv(XWs*RL})LU zj&8X1n1pFw=Wrj{>&VuAnqCRYzcV#`9zS|3?#6scgZz(o9gVxk>jcCDn|Jz~`Rlm# zljonRwSWCruulE=*adhQD)S#E^WUSYlO3dx2V{-vj!(S`C_ON|?BRN*juJ6%ozkxw z|M8wbedM(_eEYl-6|T6oyAiYEoPqQpX=G%=h`RyZI7|BdnyT>EXstRFtHz?{pPkBE+_vP zbAxkLRGYKW=Y>b{u_!4se$*f46hMA7Kgs#-A>_jfJjIr|F5_6(Ucd7WZfi)>n`wUd zFeL|7aB{7963V^&Utb=4Vf$F~qSv(S?y|Qals3wR ze>8K;XIqdYl9)^V?4f5RH&5~BN4<_7{TbZ=Cr*{|MX7Bi*(Y?+yDQ?_6pjdUQZfC5 z?TB6TF}1Yu0C4L%+G9M0&EG1%FG_>WDhVB(OvjxYaHZ_mD?@Nq5Et}CSt%K%4Qt9I z?_lJzXkzfQ=Mz_l^UvQBtdVWQJoZ8IwO+bgm$yT}RGIlA-iR})+2UR8>o=RShn^_) z&8u-y=>G7P>@+0hw9)1+2z96HIYSQu=~DqOCm&EZs)NoztCq-k$>yH4V9nt%%}^ge zpL`y;7vrajeJw;JeB&9l$0p)~OY1a+OnQTZx-rQ66)U9RM%ljrXvhO#%F(K9(2bMLn0=o|P4av(RUsU4tZM2k@`lf>5!if#w-o0L72_RP?+ z;uF1`Ld4G2?P5Ljv~SoNILf)}oPMPPE~Udy`Sa!G7K zLVM;j{Av~x@ANGdB)~ZCo1_EB81g~&F{!MFxNp;jVKE zB0lf%qmGoj;@uNH?&L;aDqRyqHf1TcfC=M6FVidD4RmsSi3;=c!`_T_jg&|*EtkA} z4N;*=#m5@CJ_nm;%S|<$(e_hey?*x5*&`INyBd8qeNDHVOdE<#dAz|{<8WA&^|Tb1 zj9_lRjPv@{yZz+=&e?rNrzIhfvidx&;of_Z{sQ{5PE{rJ89{c3s;nL6Qv>4CM1ckQ z>y3doZoOMp264031GMM)&V;qq@qAd*UVIi7f)BLGmkndq;Y9a9avu`vA3?x=D_gVn`LV^HSD{7cJ3=#{~ z=HPsSpO3C{NH_b`U^O#a9COJN3wvqx3sqbJ4RC;!4L@1XzrW*6&JPNqP_u*w&1GNt zRuQGnr1ph+a8(+jCUk*Eccb+y=~~uiS6#-Hy0dT!w*cJJI6L5=NzHpT*jOLgel(V& zCy_c}KSa+WKoK{~|4|Fm| 
zfI@nhU00=JG_S{G;n_Gc%4SrcpgC<+L~$Y~Ux!yss^?ZM9JUu|JoDF?0ZW2B$O|i% zi?u|T0$zR@H1;#`bA3O-1;V+h>V{#=QOz)+3Yq!X1O1+Rh;`W`Gg`PebVb02ay4&I z+^RjVqfxa6kE~G90dtth4EaKm(8R0aWEra zA!meKNu*6u^^^4JEKl7b;p_FYA}w<-)@RP!+7Zeg|Gwg(0^~Nr`ZK&)bCp-B=`aTS z^$;@FYH8rI84p^2WFH?WQI1`OU3fKi1V$IDpd7}>wtRFHjX1&d~MiGp`nia ze!xYkKao+ar}$scE>=z5V+N%N%=e+XS{n9mmaZYP-ZQ?m}=2C^`W0& z*6X94zw1H!nGK>Gt?NG>PcA|A_S&Og2wG!6=^rs3+t%+&8T^h^b|EBNctW3u4gPVY zk`ew5$g1kb{p5@oc~4KEen8)jzBMIj5^^)(K1#ido|_gJ|KbM zyetsmUBcY(+{gRf@hI`UI|AoH182i`efs}Six8~9k2QkoHgEcxj_Ywvj%;YXE6a~X zbP}|(Dr12Lm18v`@A!x_V=z&@)%ETm3IWS6n2wai=hiy&Th%ww$%zTWj>#aQiIa$mTVJBVnf4TEtfFxW=bj%f^yn0Bbdg>(lIaYv ze0_kPs5;8^CH0zX#M}y{g9@sHmwCd%lRet#R5rME832eQ0Lf6s<7{^RhTh$M(RYz>NW` z065h7>P&0!(QZ&wXr@re!cR)}rrQ$3d*m;q9Uq-7UQ{hL&&TL8F*GnNhM!}Mb%V?7 zA9|E(E5rCj>+pHFeaZcWvWBO|xg}!0v?b&J8f|2?Ct#1x<&Kv5mMZ`5^4sSGQ_)f^ zPu{c$!m_0=649(nja{JgR4tyPBe7J@uG6^i*=VQS)WOZU7x0nWf7qcasB}#ZIo~mH z`)|ecf(v`hg=qenBbK)eSR10jZF#pcl5Z~UFQ28c4Lc45C`m0v)HL9^wxVoA>S}9M z9kw`jf2QkNPZ?5SYw_OjI|B5Xhx^CHGb{6@?g*`!nj~$feIzrC zYnQdsB<>8VV)-b+Rv6h+2MlfEXHhaR+Csl$vl2 zA{UpF{vsf=z7V=E1vpeW)RDbdRdZRBB=@wJxOS(U@}-%2PL}b|8w^Giyy?ev;Z~17 z`zFZtu_YO|G1fO?13KAgdK=p9aXr)?yf(trr@#~~3fj5ETiuRj38cv(CfDBH&vXHP) zY>Gj~<=BymH5T{QURY+hHHvzFUS2amFI~kIRJ+I*?35U%{w|gQFc5EHUaWtUPH>`X zTI8->n#DLinzAj-ZXG#J$cR-IooHcED?&xqTsCIFCSR({D;%2leEuTr=&TS2{EcxZ z*n#Js+RU(e_Ir?`jBFdUV9}NFF5&-d!{4yM8J?j`COV~PDRXI5YS6@vjqc+tll4s+ zzPAIR&i}|0WzN+Mlq$d5-zDv?J$6G*Ql?Wxucj2T3w!T9h|hUb%8ZmmhcCN3yFSE+ zn8I;2SVY3#wL2Qe=W=5rEg?D^#;+=o9B+vE><5iyzVgLF&F)<(t2 z#j$LP`Wf;op2p=_I^jOE@uo-{?h3HO(aJLB=f-eVUh3*Pb1z`)+^s;Qi) zVn4@ewu>VDK23;TaSW+K%Yv4(8#=iVwZ4!!19?Tn%Z@ z*^b2THA}Y=roVdqBsrM5wf2cq^;ksr&14a_{WkXK)$$RB!=^hZ#hRC~%`1#1iBu^< zPKVYlo2A?&v1x!GnygReIMTSb|7k6vTFg9bvAD!i@aM8ev=K_zFQLUT=}LoZnrlI< zX`goLE5GGVgjkC@N@8Xv^eU(soHf0$`+?j&!oOIgwHgZ))3OI#4rB=C6Zrg1!f}pW z9zWIQHOK4<6#nHs3vi(<0wZV3k9{YHi146BL3Q&wi9bpVKbsx z_;bfIq;yy`Qf7j>P?_zI*Y`@z+Uj0}7?q7ltT~R~ecxq}`63~`RJTu-oN`<~5nq3b 
z{zux8o?kp0WbqqrO}w!6piWDO#o@m3CSDLXwP}ih7qrhUs5JQC^~Q! zW#%>;UmAUd>TC4(b%`pGPB?lGV6vpExqgE-QNB%~HKt8h zs=Z8Iq^SQ(F~KKt04ns;Y&?c216M)$Y>Ey9pi$`gmyvjfVU?l3 z&~v2_aKSenbkYOj4qjxtOR(miyP@@|mw7M>PSQ&mBDQpo-$6OAO@ZT%j(Dp{qqhmh zrDrMOTTG&)FEQ?mrj%b5TR z(Q(`n{*@|8aDB&gaeXTOfwot@#l#UvHjrVm#zX$>OY3Mb{Noz@t%>k~wv$NWXkqV+ z?2aDpYq!*fl2Gbe3?J$$#Cz-ftSgJ|*;N&NDiXO+Z&sxUo^E5Yzy#~wt1tMY>d@z1 zPX|sl@$CGzzK{LBS65XPcRZ@W9<`+&fB>93>xKAJH7y5rTb1`{^e2yH%lY_dA$Q4M zpac762!=tE2tG1M-2Rol_Es@KOs02?8`tigQeOX+$IK%#7@xV}@;CBJY<2w-LjrcX zDeHsG(AXtju~sk-z$H~IO@!Dra=4Ek$?m$cPne#}8N{CCnkJOf{AIUOimh0cKq>Tz zPNsL3Mn%7{&G>Q>sgRx+r+(|GotL(rSggWfL zo0#)vfBrx_rc)K@{GcV9G#yAxUHzqtG$3b@KB_TmV>`v}JHFuDrf9e$lcwQJMmxOA z>n`doK$JI-;xqg48~a5bUg)GWJ6sjr0W^>a^sGlKOgskZr#kG(A!AO)QIQmHHLTOG z?TYIjrMj2#rn<2P)*-ww_OrG!*}pS44F`s0_)?jXR|maoA*mqE$}2}2Co6t@RZ7IX z3iG}E&nEm3&Qz6NjZ7H@P-{y zT0pM)O3%0V;9%ULmd#mSZf$MN;u`k#1hU9t0RDnz;$2XdqEC&rV;p&Wg025$w4CFp zX1=tj19Pu7+@1cxdF1=AKfjk42Ww((cv2k&|2%4Otf2cj3DqVx*_K)a^lL=v>H6ZaUFIOIo4HB2(coZ8nKS2hjso^XkMJl z2}LNHJZdm#kq#}=iW)lTQ)ALDT4q!WhRTVPUb|!!#fg2T4Pwfu;fcw$W};X`IcmV$zC~^75_Y6HlbgeaBPJ- zy%I<|%sK3gi|So@#`Xn>4Q5&3Jk+(tJdWqjDcTQR+3A*pJ8!du4u}1}ORL1g_8?ci5*E8DQ);r-IA^bdqlvJ+x_2DQ7l0Ee%w8uliLLL7b8~$0 z*mfefXi9ydh(WtJ-hI962JjzF`&dLPwVOMlUbyma32Nb_tsX}Bw+}pyf?)@|Mgp#~ zqm2Zi-I_|>ITw8@%r+jS`^rZP7dRzgkeFRFd;^Cii`}CAJavtP)ce;>(afmc+_SRQ zAJtKTp=2vstQ(yF^emo9L)cA z!l7Xa$^|iXNUskXYws`wcd$0+XmbHA=86l1T$yZb^_J~+>6uqF2Lz2!v?;E5T=3>d zEcKO`snw?Vk8K2Yn(;Dhf%~f3aU3+7Tv7ZVhMk2tVnZ9OSWPNe`IwGzM)EfDd7y0g zi_B)BS+%(N^b2LDD;|Bg!uj;x)Td&YZ6nb+Tl9R5<#QRdyTX7hwDHCE?PU7IZCq(` zis=wB2&ayKL8{FOB(u6Z*G!Q+lEG8t%0#r~U0QF!KSm%Wf(1QD;AWS}tigjykApL# zidQYAF0)j@ps&w@rdAQ-IC(?nhi@f_=E*7fTLbi{RLQJ*`ZR`cE|b%jRBbWCWrWo* zkNefb3oA@rNnix`Zs3Hv@$eqj z-S(GHmI&up7@wCSm|)N<9vdbU(yNurfwng6hq-Q?cq@Mf@GElTG`0Cp$f!Tj}>ai;o$r zp29rUh7LGGqnmL)dneRyktm#T2bH*ot7oj{olRikp87^xI4$-}F@7hT_lT+ru>xhL 
zkj{;U;~6ceZ1zxyi9j*8f4@AC#qOE;RfTVfHnXS`X!+SL4`4Rk4i-}MCgRQ?5)C8jA!>IU0vUU|dCdF~Wk)yhj9oYA$TH$DR*GlNJJ{*%zCQx4ut=7*PO&a`B@L0d+IB()zC8T zguczd;Nnc>5FN8T0LV$oTlY_X6-- zspCgXa%!#UV`*}LOMlak*Hz^sPntiOWR`b^{ba)AW_%~w^F}9=Qghf>T-CW(3uzsy zCOK6hB4&~=tl>oW;PqzJhk^6>64FIL%w@>z;tDuN*>_)23In@ zrv3DH?Em5EEx6ihpsn4uv;|t+o#Msatw6Bi?(XivgS)#!@#5~1;x576-90!T?>Xn* zKaepp_TJ0pT+agQ?cBK-0!6N9!+b+OU%geK<@r!3=2dQaIijge$n>w8^Voj1)W#;& zp=bf>CY6~L+dtfpGh}7@=D%{CL`U~OPQr~sk^77%enbLq2J}7k#%+$HUV|AfRvNPTZnh_TTVwGU-&t1ZO5U+o{M@HH>Bk; z0xRm(r`Ja+r|J&slM;cpiW<7zsxn&297>3^=|)ZTt_uWjYNL}c3Z;=>ddNv0((@Db+fa=fATgMkI#C@D+4jig&Sa<`kG(f| zf~?rMhP1XFnZEHqym{>V?9*wc1@VUO$|MN{>(ab?1Px9=RCmJ}2vY1~Tm~`l3h3|S zt`qks4tbQk5y7*_y$eDD8EhK&@IQkjmq!AP&$`HCNgDCt$-o!R@UVFI6 zAcG5EN%{3sQJ7jXx|M+Np4$fW80?YbC7j>dnx8X+ZV9&={@c9OQ&K*h9LWT=#>UJMeLok2f&hfg#TxT~2yhuK! zn&Z;fABp~3!aUI>WG1hsywAK?$x7AU8$iF6HC|VQMOuP~lrNAEro5U0z$st&2=E!y4 zhgS)_MGAaJs%3?%H3`71k>Ui{Npte}Tv4xkLkV-dAK@!trG=K2)bpQBl=D*kn?Y_l z)>3;Rb9o&=mUYnbujZFX)0g60%Xr!Q9%Z85%wJV5MoT5i+k{D)Ug}Lm=dKF*LzD)v zQ)-js*p-!!*{G)i+X;{BlN-lhXNWueg!a(}lZp%W6=U~%Ye?{{(}8gLY=;SMXp%%< zt!?-doXQ%w9Nh%KFL$iO5nit~CThV%7jc4$0)Br#oTWKP8~s=nd`%TY>?}GP=rNz) z{|w|t23TIXyFH;%4V3GPR54pGG6iFe%^V6mvdN0}Ir=>6g~a0r>S<3@Yrdq_EfK&v z93L)bPY5eCW#N$>HBN}t^{^toY?m#t<_Y8@>urZBYb2rPeSH7c@FPWQJg?#DF=OE% zWOOCdaop(0j-*oRLrOMcST)hhiwpHcc*hgNS_qhfHev)&JEC7@R^K(lIJPss3Wj@l zV=2uop#4}vpFTBmQ0G=HctM?$o!6BLtz4-_M32!@e=IWaAlt-@4-5idtWSrWUbiw8 z&NJ3$81!ntNQ`?J8*V00CX^-%45@p5HrVk*cmpSf>a9obQGhmMh~DnbA>vKRV*J_aeBNPd7d0{}aaf>- z367#y;WK9I%|yR0pKIdEmwiLVt62_m{ES$-T$s%}F_t~j(>qkxYGhQN*lWoZ#`&ax z#BoQRrH2S;fT4YOoxyH%*iGqL6#P>F z(|~%JbBR->BpPLE?2?XB(t;N>vb#W`Txo&MXcT(##cLE;9yOEXIU$a(Qa7piNK!Lt z+8x+dqj@c)4@#uLvz_=3e06>ty!j4I3sTja!fOhwLd$nUm4ji8OE_|6eeFsDnUd7# z!AhO5PTOe*K^S2qb@FQE)Q=r&1`8J@2z)*npCt+9gwiR^CvrP`(ykud8a>wIkWCBZ z0k2D>(L{?v1218pi>UW51^sp)CXr@$roNLRHj;wzGmj`qot_F{b$6(#C{D;z)cb7$ zPqh93gl2}I8u36>@fjFFQUuf7BE=x)h|vWq#xE#v3x221dJol>teT}+d)kc!O~2aj 
zESYtd+V0)p)Z#@g2~And50N_c_NB(1tkMbtP{$w-4UDYI^!vV{*;`DUB?Q`=-HD9| zRhQiKYHdz@CyTBWS}CtdQ=5a3k7Np%txH?(IX~YKx&k4Cw{rx|EsT&N|f^_Q^xptPUK#(Ku8UGldh~|(&a%XF-KiG(~XEh)vVPdu#i3^ zumfu-h%)>h-!o0Cjy}Cq9MiK%swu&y#jIpJl`uuaSu#;1F1juNWT2mwW08*@zBoNy z^EU9asNg5Yu?Co>?%J+?9X;yQNhJv2`mj~&f{~!IW^fX0Md0J*xUM2R!H{RxkQ|v| z7PzT1B(Ar@iD(r0TSnRAOy6JQVJT`Sf1wIT$^}!U=meUqRwtn)vB;1*bmIzJ4Pk(f zDIRv^Hr9%hXc)=N;e%IEIJa(2q@cTFKz52;covZ}b)GW?SDzE0NjPf{t>CHry{_W{ zpN0QWD}_1ZjRShnAg&QgWrSe|$|+WHNB*g^3L0xN+5E~Id7gsqsZiYP;()~8^i<3H zBY3JU_~iLi$-`?ofgvRR(xVn*cRkDt)}O9vvLb;t>DR0 z({Q?=h&;lmGL5TMuj?WaD>OrRl6`+y@WF zi1ePS=`4jax?nZ%nseiJDi_7+;#SwjzAYOg!jd~0Zt9j{Cu#6`h$7yv%v;4?J%HZ+ zq|A;q_W8qD9F&FV4n_8Goi#0T!83d5=B~A(-u6-4ymrkls0&;A^tED9@{Nahs`@#b zPVYAFP8}u=mXcsfN0c$i^yc{mJKfciDm$iNKoOQhucNEzaDB2vp%5xyB{xe#rD0~$ z71kq#E3Z_ako58bBG37&vlCl}x{N(u&^8#8tEpP<+(EV<(lO$GGZ$HCQQ?|>qZ8-_ zvG^JQEp!~@hI!KWVbJ9rpD}$od@-Oc8pWN68N(L@KG|Lm)oUNpT5}?4N1>U7>yy7y}%00rCaOK=G}AnBfS z`+<4j+6|raf74pXg&dDEb^jBB!hF4ZVy>Lz7Ew59VHdb}9cJLqkG+d_M%^K+X$=>2SX`fYlP-VLoEdEj@u;%l>wHo7gfeL(aA7B!w4vFhIy@*UU z^az#omXoBU2s$-N%+c{<6tgavlYMD_}_bcIkfTuLMBd!SpfF+Nn- z(7qll1kY6f2s9fuW8lkhfo!Rvqh|X8NfUW^{9%W;R5em=*`#BX(oAB-x8|m@Ge&le ziH3f)0Pe^JZ(cB0q$EBLa4=)0dRv>jA!}}R!d?jBo?KS~bym675JCOPzzj>4s~djP z&cHO#c{Kdz zl!NICMv*s5@+ncv{fOUhT-OjUJEfI+v1zawZ0G$pvSyQwWPU4nvM7ru!|NQK_PN9L zn62#CRmkXqBRcdmt;F~VRiJr3?!gy9QtI^xjFE<$QhwMd3gDGcvCz(YSMPnP=K%%knJ$al-5GfiDv9G2s1E$xsiZy$+r{S zRNT|Ww$f7-XUUu+;DUGAGZ1CIR7hX3RA1y0fmMID6q76!330*3rJZtUpTLzO7?n(r$)jo5Dm|&x3{|3Vo#S40$3@<;Hs!h+#}UTCoTDR}c+e+7ta+G}BXl32DV#PQM};L(03EW|FNapHg)SVKk=@6d(n!x2%AKu-bQ|9kEB< z>tEXFJR8cxpCMGYn`RJGHdGhIYgtSiFE-G;IYUqHrg6R!v>t`RTunTud=j#HJ+B9$i%gk^)Cqk!a-1twVfTLv%gJMsXv ztgh!9Va+>@t}3#L+;gmu+c7p-JX{vA84RU)rFah=x`?0^hvi>Lz9nyPm81UY?Pmra zJ!9RNB4_KF%sG7T#SO0vTF&zg97lYuH|ugfvg%8Ay`yMm{qD6N|%4rcZhWdg;(#RqZ|61*U9&$Tj1C3a-0|6zu2D2 zCVRMvt{HkXtDNuU5CW(_6Xl=WrI=QuD0yDP@rMYj!|S1@dMn-(3)7%XbQ#}>NyuRZ zjK$NfoY&*n=l-0?4SiqaVgzTLMR2Z3$~BheERmGgY*(4qO19e$4-9Pf9D0fo?(YBH^+ 
z4>vN5H3o0ojoB;R^>HEq9#H-Sfs?8Pt6tBT#+2D-Zvmp{qZX}`YtK-pUvwN@SmxjH zj};o|d(%!uHOa%nl&rK#!iJN##nn2ro54v1Oihh-V=Tt&UNP+bs?r zJ!ofs39R5+`elTU}jIj7h(em?=A^vokE9aN%v@poF zK9YH)oC`0u`%8>lP{uwvE~}i6bQKYx!G$$_{ys~{Gk;-^!kIX|OGOZtV+>cW?HxO{ zPfCWhv}b?$NIz<cbiwPSZK!+Kwibo*g4Dc4KyjuG+ zHIVd8P?r+BGHjoe@Rf5rDe&)qhUWiV&6l6w$c5RauGu&ls|tSJ{t$KGZ6>ajbO_CL zPR&KJsIuz=txc`1g$JNqzuS$p88VFH)~MTClI+_SwLugl-zd2K3J4E|%R6Q63y!rp zv|Hq)A6UNtmd<$5ak7VQaV$cQ!oxhikfaYs{Z1exrr<_%X=cRB=b1hj0Y3kk3Z}*< zWWx5Yi|12YiLNvRo`WKBxI+Czf|&}mzuujXY;*;vdu;KjhGD+TxF;k$b}I%5fJr(3 z@QwcT*K+gaw6&vouG8DtkSjwUtML-VqT=69lv!c@8k_g-I|Bjd!gF?-;@3iLlc$2d zS-jA^1ohvg1QLzXp=YOjffj<}!i+m{p)yF^0wEe}7x-e*Gh(#QqU3hz%@)40AxJlF zVB)$!2F#E`{+Ov^4lTMIQFh=b%bZBVkp?=i-2vpyJ5*_xy-8?_3W3Y;51m%3?gdB< z%nJ$nOlzYLUzjWXn$eKQV3;H?$2zv-hdt zAhu{ErO~?fsPMh<4o2wceZI~!_WVfj_(~|OTkCD(Cr69Ov$k~$2|un9ji);9>Z*aT zd!@%tJmS4-vif+)XX!Mdt8-Ed_)q>Khu_YH{;)zEnwswt6^UZ&%V@2{Uxilt&Qis+ zsh%Fc_Lq2xzr}ej7A@R7 z?(LL1aTWdcl-YNHCVvlR<#amhRdM%uEJkMY)Y=KVI{()xP=PaT`D0r98XiOwg;wCW z8`v_3^H}=)?_@i7OYMuIq$~HolPXPSy9yF9Qrtc_2a8*RqS=G6yX^pxLWy8h%fbND z**iK-i-@qnWtK|)T<)x)*^oS^-Nvm+*`X`LTdpQYyxGpB=xnV%N}{P`c%}Ev6C8Y< zIyetp63ZqTB%{r5tdW6>)Rdf5@hQ&H?0POns$d%e**Hsf#^-2r7WrMzVETrw=9`Lr zZex4Ka1X{SE19UYD6?+j1%lLzmVseo)- z)~`3mJ+Zkx>YzFNHe&-<$4=!X5$8vX$Z*W$;$Lv{$+yN9ZP_>PIG`Y3@w~vWPs*m_ zmk{qmlBLoT?1UZubiJT?qSAVOqW4`teK+>6Mls~>{kstq(ckCMnQ!5C{9kZqcp3|| z64oO5GrB8}-51>Y2kUx`o92VGnvC7&iWZ~H=>kq6tLj3bL`Hr_9A;G%M(1bYuZLsK zHp}U{)3a$# zTWADT&LtwoEfMC|x)Vi@+z<`KqoI%Dg$E37H00;9olR=SqNu?MS5^%fnGw_br6-q6}1BbNpU;5=d3TSK)~qZD)JSy*Qnd+ob!ai-Jn^2A{vf=rF1OL1 zUyuDhmqqA7(_*d_eaRD{`a%-hAwF~hJH)_V#o_k58d~1}CD>d5#j_C{WD3pJBa?E) zb@R6Y)96k)MV`r5=2ex6_> zkZ}5P908iQbDpaGr+zc`ErM7P_{PzKi~GKu9+$lNe2hKN;F-dSdf$?w;7Fpsp^EgxZxy#bv}!B_*X@x{mq+d z4dT3E7>i>u5;~yc3dibG8TR{4XOyW_8qZ8Y({LzS)jRcm*0}L2Ke;lI{W@w~UEljy zvAzB!!IFKabN7jOuJC-WEECI;A;}bZZ)wBZ8BJ&H%@?`vI=x{nSCt(#WL@m4@3*U0 ze0HH?;dmMPqlh?D?%j_$ouS^ccwOSpSp!Zcte^w76v1R2l2U2DQP*C*K*()}Sr1O% 
zz9J4TDUoYOizg7nJHv;1pw9Fb@40}(Pk?rwHP=H6tBg=YP%7{4`EsGgSJLo9!-4#d z@k0xHi;t{NKa=Zc(L7SFu13C&EZ`C1ZpTbH}l#VPFgS;kRaj2 z5RU|E!t{QiN0&oIv?wV72n45B8j7N0;>}^5d(EY48va|^+y|N?5RFi-^Rm=vrQ?S^ zO;x2$$~TwXGSj^Dei;9qr&7T^W%2`EFy~*gukaUm?RX@GC$7A;v>fHqOQBm!(rg#^ zw~q11b#FwcIE1tqvUn}qwn^oO0NjL_KRNVl4Ets@L9UVNZ#rg_ZyYg%5R@l65*l>> zdHWTv?6^E_FUqU-^q<%bYv>lX;8fkV_M!0IB#Nczo{rg5QszuS;bm9GOn=FsN z2nzw}K@#F=?BZ?V&NIXlSZ|;Fchw4+DvfIF@wWRuXpJz5J$wAph{N@e@nov;rrA9a<|&5(<_+yOAK6H8*uSc0z}|AmIv8T zp^H+|OemtiXj(0>q_`%Pf*8p&%-Q_q8Y;JP93r%1bjs}%g7gX~YHso5^S6~X*$+n} zbw$+olVyB=Mj+Qs)ZL9lOItK#>U96C3!_}JOdyTy!{%lTx5_Qg`Fw>Yn|rIErQB9& zqNn&^eH_Bsa^8_$xC+|*9#`bLj_Q*AQ-oc>CUkhg$+~k>W>JTX1GJn*O`lS&lxWwt zS@c_;)RA#H?MJ=_!s`*M0JR;fWms+QmBaV7Iwb_ypPc?vl49pu(B_9JDQx13@E=TY+_ zhT#=p=6^D@QVsSV(Du*ZJCu2 zj3BOT2J@}(Y;POhN1@N9lqVg*vFTF{rZVo!>5R*=`Wt7Tf!_ryyk3|cdHW*o-qZUb zle+~p8XsD788dKJ#G0{(SmYXoS5K5bv9o=c*@hLM5*xYsLc1jqzbG%W{T?+|GGkiPRm1+jOZJg!nV_bD8%o1DHAl!>~w1+@% z|5~Jo)Y9Zm-Pd;L>F54~kh=Bx?=MbTI9Eba9SC7A-F(u zj@;u!mwKK3{*q%e4FO9!9ZP4kQ6xr=w)LK?;6&I)YYl$AIHcPII_G$}>(3{QX8^lH zILo*8RNyrs7jB||$DrORuF-vqrIg1Qr%BKtwg?pcsS8@#L89&Rt|d5x|t@ zY8$pyP+7!qh#*8^Iiun3LH+65%l)pt%k8(Kq73!+fhbX`Zb0@?KIFknbN)G+2>%lV z$k08O36(1In1J zZ||el6L+4cGx#UIibK7WvMYO-iS58zi7}B922lPzj}G)BXuR0@doWGVa77L7l=k8> zJfvUobXcN3sd;w{Usr~g>D|*)kUTbtX;4$-Ie4na4g@@L3p?f{`?vA6qW9z*f1g@W zL$%?|;!5f3)zcM@yhi(EoxEYuB0osbU9Kz%T^YGCNR$_br^xPmcMu^$ zxx&ge`6_X(999AGyK*{Jy6@KjzDKk;gHWT*_KjREk>(!pQi-$thH@>m7dVry+o&8& z2R_T%5|3;~1#p2~@fHuONC025M+@A)kc&@nmwRoSbhgKx%WaOymVwqF8SQs0VB&Sq zrcf-C!@G!rp5@XJW%trkrqOgYs z4+f{M*IP@*8}1sHHN0IsC53Jf=hV8C^V?^}>)lhQ{ixx|@6X;DvG4x#SV3J1Y&!kyWrp7Oo$nagkZE>(W$|tkIzJ57SvlSj*RoQNhJP5tHqVPJOzsGD4c(ziBP#vYr$`g* zExoc$J@J{%ISLij4@Q2}qQ=z!UEmATD23 zM-(w0r|(EY*w`PsIg<78xVlQ-1}ZHW8jmJVlKcH!TXGWKKHgDjb)&!6#Xm&OyM;f+jB z9&spxS=Zze+kG<)4dPdMSO1S%+m4euhWWUFIyn9!#Nl?D-bDT z!gwhy(>LUWv@#DvjEK9s;hx_C#gAgfs23JOCPuRoYQ zusTw!5Teh8E;R%adQGK6mk;yYM*~UaS#Q+JU{GBNK+PQg#)*>7(9^gRtt2`KS(*Gae?GY%>`Ws2)|BWfd`Y%c7{Sg*Cm$z*WU=xSwD@FLl- 
zuqI?ArQ9TbGn%;Gn+kKv6wr?ne#_jOZXKjFFv$HD3*SVVJ9E>RDs_a`+<%Ovh~(P^Bbhbiv^h?Nl#OJS z(VrLOwoHWnkk@kr!=SznN6NX3o6uWA+kSBy!lvzt&w%A!vteq;0 zDf>0?t%zuAZ8rQK4y?W1azH($Hx%W})6p_O|DaDzO~76Leq5w#{^~xIEvqegR5ZqT z)NZBwBHUSz)K?ERxD0OFk?t#JEfaEcgvf$-W?t9$Y+OP{8>H4iu=CXhX5>_u+k*^M zB+g7xlX2JsvlRn`-zrsHpmtCHd@C8>q{!4vzD2%8ak%L({?&91w_7Zp*$I0Bkh-sD zN~~7!EZx(~t2B=6G-2GQ+r&vu_}yDCTK?XX9zGvGZTIzk>_PdQI7NE8P1C2)D+HuH z6mRvRSGcFXQi$H4zRQKvIyiD95F@2C+RTXqtfdS{j+;TrBRdjyy*S*wz$-;W5u{^^ zZu?c?R~ss*x-D>8oY;31sELlaf9+|vOrND!3eeYb7Akji4|c^0ns20C#&&7T_Mr}5d7!#^VGz#ow z`?jMen&yx(zVhiNN7M-N1(%r>+4q=#?KG{sY?>thXV@6aeV;nkHQ|Vasy62!2t8aK z*ZtCG&m{M3*Q0Q28)-WoN4(Se;( zDP%y@1PwKdB&QaH=Jp#+DQO~Yg-sW^ODi1uzW?mWx^~TRvp|fu0mAZzKI}id&y9`OC)G zlIG}E^cn5!b#GE0at3?UMS!=n`ljo<*6m)n+xVo&Cy@^P4e{Hi^OMk!w(thqH?2fW zMb%h9qU(oOT?qMFiX&CXN@xOsg;q{Y2PKnR3i7_F2qq&BAm~dN0ItbT078zbe4c_l}sRw2&4woMW%aWRKpJVkqIH4y;9{z&r9V@+M1baa?JOwJJLwQs*r-A(+ z*~Ub;wg|cwN2YigucWAdyR&jrpB&UTdxZ2m=)FH!@An5w!n4PdxYFp~?i5=qHE2uX z`9npbUtloN80=>I!Ige9`r+Df{?j)biJR5n>!Cwq3Yta(AAa&8njH0ku@l=W|HrQ| z&LSI|v}R7GirU6w<9B3fFWVpPmQGFYZwMm^%zW2RyRXtP(X95z3M(Q~RU2r_WFNQh zso)_fBUgy~Y8uK*2)cii5gP4s2J~OOcxF;ZWK(_;FLA{<=La=x={`)Dk*v#sr8^&-({HsTBZBS# z@KDCFV8=HMAJsr;DO0usnbbpm@x>?CT{+`H=ykWVgfR?Y-KsY<`pzY z0HSu2V(lqb@OO_|dVedCWai$&3t{x+5X6sFP z`(T!0;?=(BI&)^i))66E89Cr>Tmq4kY|V<5!kseK`x_eY*VZ^ye7h8h7e0zh->& zhAVNHH(Yds$I|sII1kxc_i(2gq1{=?DJH`8_+_$RHt9}j^s~&@`huRklr4rg zw^*IMo|_-^5N;}yF?s)FcTm`xJjPjIM4A^?qdTIUWQW6PkEY}@$JFX##pClrB=~ZV zsE5q$n=FLZQmE*b`x%Fi1TaSYvvF<0VRm=xS?uQI9v1vE7ivoHQ(*aS+c;^J)!d}# zQ*AIEt4?-?O!T&1)g(F+QE@?>M+BUiNyNeb{R_mTht$fbg0GHTj^#HHrS- zb(U&NZ!xGS9R7*AK6H)Es$oUcVZIX_`WuESsdbbvjMdLzbhfN!+#I9CwDN>=u zQ_BreJ8ba|Z6;5H?;R#ai{0=~^0Ip2dx1vH{|8{$ZT7~YBIv$UeBUUsBM(YNJMPTh%Dj$sN7!->vM#2R zjj7cVF0krbZvuvbUFFf*I<%dsu}JldoZZRSB0AeIPT?WT!3&2Kd9(ZY3q~#p7!FTS zaF9lrwAW*6;2NFS-aQK++~h&XQRb>MtK>FA_UCgAMcL4=PLibD*It+HZkYkcoV7CI zAr->T!zS1Lw+E+7BceG7w!<7x@6k-Bo1xsyE`@lK=P)YF3sA~G@PuHt1f5Q&-0RN8HY#VF-hoPCT6UF#wNA&4z>4izG{e 
zltF+5ATuKO88hu2|HM508y2E^o<(Kh#iGh@-60imz4 z7*|`cJxu0B+-aCLDE4<9ZNxdi;d%>*z=346R=`ky&J`5o$={Mq%YWPDl0cK7j5lo* z{Bhaqn~9?862p(~_$O2CnFA@_Bp$YNj`Yr>?~qjHs4p;``9|xY zzoYH`CV%i3Q*Py-?p-NIdHen7z6?FFu~5@D8n}jZNk1tB5ayZ`#Eo>MDwW^=`5sY} z(=ESK5(KP6;{w*dQftxfg?~C~OJkn_+Ga61BOs)J%9^P^d z3Il2SXg_Lug35;PQlJ(g==f)dtRUcDz38fX~9&;eWa{lM3Ed@pkT4 z+`t2^#G^c8iB5^NF{gqrS(N+|IXAz&Spsfb&?_fiLK9ZL3(AOHXk6uwhg%M7DyO;c zGSdDpBkY~}^YtBl#Gq3bv<)Q5bdKI>_Wt|-y?=kRwvI3f^8Y6Q!m*J|xgd%jQvHV-zY&@D5w4AEeL3=Fw zuzjJ%n3nQ)P*H2N0c*M;oTfFJ88CQLz%TBJXtw04v`F*=&p3>ac6?tJ$S|aaWCU)- zl<5TJh`nI_Ic0#jI`l5uh}8WyOSaH5QiVev?rF~PhN*)mt_HY})@A+(lOT;6fma|@ zD?banU_s>Owh$o0V=#pxDjX0MqG6x)#*uhKvTNeKn|ir)?p3f{(_$M4)0%pGOZEdo z1$hHcTk#J&XtNKjC0!ZC9HtOSZ+Rwtg0a?Zu6}g%CgE#gu~vxbaijtqZ<*sXf2U6{ z%igIP%$16i-~KG*Qpnj(FoT>0w44AD|JD5n+35vnpiN&(jH9PH&IkWdqCNbZ*R@5j z28SlV50wRIrbc;GO z#T6G-JOA6CDS0Cl0lMjzXOff#qS;0H3?nEUCO%+Pd4Ep(yJ^zmk1xzeU!RSJ>_jho zk`jAVBr5BR^dO0ph_Q-oCrD0`?^}@^gushBQ2(8w_jA^d0j-RKvST-UwbHczKjH~S z{5Ryq9yhuyl_97`*r>L_fvxcW4^H=U7tHWP_la8{GgMsv-Q)klOE$iqS}jHEp6VF7 z6}XBKXj{Z&J)(5=!;2Q#?g(y?=1m8sG3hB+%eX0q!n#g6Tue{%U!l^G-8=e^Oz>M} zmA-Hr^1~k?)?ni3K2ok6UT$1t!0>kU8n z?0dW{!oljjtjQ%8qUq%+J~cmMy>J3xt`GNz zmp{t|g~bVaDB_d5-qweTA)BREsU{hH{HO`|Jo%}A6*H1c2Q*A`giOWoVz%TA>ug8} z*Yx_AjQjwkx>dA&2JNAS9#LSOm}2r(JIAn zmG+*o zbebUR+Gk+(=CbSI42Z`Y8qQ>>IF!;YG4X@FDYV;B*jY}T8o>osj6(PZ!hdCF2A^dd z?|zPIab|Y8xRmA4YDxzjuBxB-&sTIwc|Y(@Rihw>&7rvLcMLDEF+Rfydt8D4Mwl&8 z6JhVLN4*dexj2C)%F{yCc}ChueoCNVlPDN(8+k z9wuH}>pY?{ zS^9&~;(_6Tx^_-l1 z40I605o@@YCr7S5aaa=1X+KW$6`{|?pvRrav2U7xalh{1fz6u;? 
zp|RE~)e1D;3wv#n-*9?Fzs;Q?ZcWIbxS>mO-xOdE89jNz28ego z(Pzc;=gHrdL%nFj;lPfyA+)=6Cpo13lH8s*icm+A23&W!23+ofeJsWMzoaRERUoHY zJ*{E}$<1pwx~6Ex<*!5si0RI{&(C=wJH4W{9}{mq9PgmQgOkO&MX--vi`D-YPxOvX z??)4pQWk08Az(7Y=SX-5G?dU_V_c{_$ri{Y?o6sq z(ujdxo}lzbHPC!F?GN?Jcb1@-{C)=KdXAGGTZDS$-0rFUd|y_V$eeDLp1c6tnj{zBbfDu<{}Ua zB))nVu}FF|V%sIf7ujngS*XgxsR0RgX2Per$Wubc#eSs8YNc|!5Oh4ZM zj12_rz9_~ecP*a)>NGj`V&sj6Dt9B_uUox#Jh6Zt`R+W{C~q#aizLb2G@O8ss*yH5 z@F*QEijb1ARuBShMc3bG0syfJeSal?UuTq7HCx@5Bgc;N(XB})vH$DMl2_dlA^*hi zYS*W5sZY)IKoTp_g`N;(vx|Qq1O=^8xEHue8jdH7t*{pl`Wa=OI_t|%d$zhir`V(q z3W$$row*6g951PL_T|%UCrT(-Q`z-Dhy*R?cCUY&Zg@9WBR4gNKm0jdX>ZPW3HZt+ zwBxz{>W#y1@C~1CyTw6^j{&h?#g({NHLH)h5OD92;VD_EotfX`?ya_RrgGxsk+PNd zfne@@@5VzUlXV#7?Yl(Ww}0C=l*!1ry*Q{bT>+1*);De*Hq{2;lu$Pfrukc>P^R&X zR7L61XU*)vyld^r3~}(s031H!4=}LfX6>cScQq|PJE8wM2<-xVkVt5jQZBw1z@7(s zi7RAf`5E&o44wKblUTHg&QerDWh3@Y0nK(@)0Vhh<4Y^;tzi<-3P5X8#69n@NXV}? ziu>it9njkLE()WsGAEVO$Os%vmV3D>{@Bc>2oB}Z?mN+$)oq46*uvU4MTdYSNU`I@ z|Dk@(S*^rx*bWBQ;a{@60+oQrO7m}@Kor9ozY-dmRPOm$)~U70Dl?{RA-=S@CylE$ zs`|=DcELMB(RG7-T>iX}P_6Gv&RL_rX;cg6lv|*EMpKU8)6_CGd%cD>suTQ?qTOVQ zYdo*-UoOyf=jOonMxkU#&gKbXd;eJs>2Tt2GBG4~#9ovBs)wgY-d5*TQDPY$vw7Pc zh&&=*zL#o*@o{Tz`^1X`fUoNu@k0rArMw*;{lVvama(1W%H5t3PY*_GB`YB8=Z6+4 z#bhCkbj0H1N|W1@fYbr(xM#hwnBmxkazH#ivXj9P++!4um=(khN5GmZfG5)QaRr7T zih6TS&)WaZHCA+pObOUv`&%su`MzdZzBRP-@Gt5ME^|9~mPhD1nQJxVit;rr-bE@n zQFI&;{e+#83Dk>{F6G^_nMXY9{uzCs(j-NWL1=>U-2E#v`Qrgg@o-3e`7OWTEwRj- zK|bIGqH=?%HPsq{C$gWt9jb;$4ShX&BumS4b3z)|9a}0au9igi?s-e=cxC)?qmnKW z`Q$!slh!j_lAlVt6q%bREn(CDMIGJtuR2wRa)+OGR5L zi`yM8l4nu;4b}Ct3>>7x6FU5Y^uLjey|%7yNaelP(|c!n1}D7Y@X5?xvMB5aL+Xor zU;OcGzbdtO*s`dNOK(jLU2=Vc0>#A*yv@0=o?j^K|s==|~BQD<>_u)WSK&Xx&;I4N@MGr3TCOzx) zzwo4$==p=cP?0uLkH-(`#0fgq`;!lL4Bm}+d93@`-sS0Iu#zOdweIhOMv_io_^THD zj-sU#t=c0e|9@nCV|1ijx9(25V|MK7*tWZ4+qUgg)E(Pq$F|+EZQEwWxwXG@?-=)- z^Si1>)p%>owbp#*gNq-I+uL?Q1()Bzt|TS|YUe{)o+`w+m`-2|EroQqz>E|u=aUBL zX4V7cC%w?O`SKQq*SG=YAr`X;m`UbBDkbIL;zn;7B5HQuPC$hyj#W6;<3Ah4wAHHd 
zCx=ZlPI7@r)nq5%`QVg9F~wRc8S2X$&2y8fu`hr0Xvd)JjYRT?+$-;S!| z47W`9fGRUnnUn1WwE9jHe&1$qCkeK9;?fAjciF6Ej-uKH=Bqaohl_NvlrnnjlZfbY z@tcv%2@pn9E%EzfqI|7#w!GtmE_E>+VP+%{CDF%MANd`6Y`vkn%^gzhrF?3$mb=!% zS+7;SFA?4G-ryUh)}wD}K}uq+4tBFL^HvcY#&;6I470g0 zZM+b;n6D9%=_th4yA+-oRsWive5>w!mwC`of{dxz511U!07lmL>SXuRhIpxSIyjUi z9-S?lV9?03c&_nrHr6Qrhl19>g(W3)Z;xzQLwONLp|4Mo2ca110D`3U`5lTqCakc# z5POdyRdS$aR@z|Lc4{OdvKZhlopS+R$mMw`YlfgJApb;&T)vSUifn^x z_(M)Lt+X-3^~2~7gZv8|@su;6mEhtLYwMM|umpf7dTvM&F_qEod@{I8Hr3J%=4f<` zVK%eHmM1~~#irnhLfB~Rd}Yp^t=>0nU~)R-U@cuDY?%Ch-Fxx9sQ2iK>Lqz$%QNK? zpD`amdM@jvbShVHq66*wRAt0Vn1m9DXnw4OKU3BzF$A{V`#LXxJD~>B5pfc6=&gcW ztTSIhRN*<_+m0%ryb^Gt9IbG|xe`R~)8$LHY@Zbg-56Tk?7oe1P!=8Lv{F8<*NZu6 z&s1u42*DT-EFeN=o{z+(Y{qa6VY_KGY`nTTwnYxg~(U@RLmmmL4i%!qvB!q#Aec% z&oJxtsk{Z1EmX+H$cDcuxO~eG0}1rz#Qwb@H<~wJ@o0JD&36azeNjm=4r>Xaokzd} z&kE3BaykC!4bt@!ux%vY8=D3?zb->+f%dp1q0*0RI! zARD!*B=-XN>mTMxZ|4}D?KJog<<*R{%Nu-Y(=8IXWw1XQ2l!l(ODRCfulEpsH)|xiBXd$U!|G>tX8tIW;w4E3*mo5e_Fdt& z4g@PJ8vUXd-vzflU*bEXolC~N#&vxnZFkTbcLN8`nGsbiCnGl=GZCjqX!ufHj9rmW z$Mbtm4XSu@zOMq29$ojufTMIR0PJwy% zr6jO(T=c;gQLVH$Mc;b}Ti@p|=hnP<;ecBaL5wO_LL7BSZM`-lbl2RwBTn-^(_oGF zJI^;UD$Y9{I062M9h#g!O*brqm@-zolIx4^+Zm@5mes)U`juJanBN{33r7DjPDa_0 zDyzXhN<+-9jbvoAg;l$+r2W~p^LKI!nx%P9D_Ss{mIv0wB5 zvk!nHi#uo!I#Crcc>0BOOrbvh4~8l8S|F0GHp?~0(c(42iTsv)O+LjG&@trRT{3fS z07#%;<9dV|1 zm3C_0EjsCIwPAocnx3L$LHp&9{ineyW3xe9A*_7C-uYiM#L^}I?2rV9(u%duXP6HH zsc<^(^?bN272iLX+pGkL)cR7H9U->DUHR!!guYq_(Y_tK93UhI9sZ;?n*3Bxmejv> zY>MRLVy>4$rzPpTkL%C2n5-iDVxd?GIi5%X-}GxmY)NxmJ@L(Yv-QG1D4`l8iB2zcms2Di7vEL8=g;v}oe`452YE`{y|92t05wodpD zZJ5of-ljab}kMROWIcZey zkGkOj7s1=RgorMq7FneJUj1~^eg$?A?fUQs;BlHoW+NPlfECwA7iX|DkZ4txd%qHo z@DZ2ESJRcwnKD^q_C0CM2%UB+5|0c&3UEv7jK|RMD&TrXoB#y`=vOI5R?eFLZYp3T zU7HF{@!z}rzjK{k>NjWD88o8~IdoT7q!^ZH<;$=~-@MyS!Xj?>qEz>2j6Urj2KAJ()n)er++ zV^qwVLIxzh;Cd-Dwp43mH9ll8%iR=fSgJ6bIAyQcbWN{(WbVh>C}J9fDu?jV=$!fG zO02p6wQ_g-a^gOFCv1v7%)edMGK}7f7s+r{9`85^DuUn0i&EN{4ZXQg5N+CY 
zNk!hSN9gLvs9nHwryOHZh2}uK?b!_0PPJxzvMNl}iZgj!L;KX_S1slUEAU-A<1g~3 z(Lmkq_*rTc{~!?(PDdsj&&@XVRe%)Hg3)uB<~>1M2F@uSotmNAiP zFhxkmlkWIJ4%fA$3r4v7TW3Pe(dg6bwQ)&j4KsR;>FgOz^@D%0 zU$tiwRe7WD@dob2PS2Cgh}6H{g#RJhdBwcPC`Ag&>}?~_c+t25N5Ag28OP{#9$GBP?Wjo)u4CxIm=ps>uQ>M zEpH29R-v?Jr&vZ|M2z!x1AsGvJgPt8R!K;uSJof#K2^*7`|1m43qv9I&G&Zk=mO0N zyGZ@I$bmJ^#3jIL#isSIDrJI^!n`h&rojq%#^f{2T6Vf5-rv&PEw;R0j-Jr688BxF z!Y?!OU%dpu(I`o9GZkKwfjRSeQKR0;cFv?iE%DaBN7F!gk>2@Uj86AkLTt>@Knvd) zoC(b0gBUD$_)Ze!sX@^fmEB(IG*rTo5#tW{;JH?vcX0{n#vK*4r)c^mdF+*YYM-{NX8lIw zSZU1gi+0I&82=$mX7771JQhyK9?o5V+h);y$9;xsX-!Nft;XqvnE42^jS+&x3uVSH zv`=&sQ`6ka%BaRh*Jr|!!OcOEoDi^C(tiz`!MxpGFmE@i!!i7NjFwu8|8JiLKlAk_ z72rpzJ_9BUsu}?o)q5AV4snLbND7%ry-alQ%H-iKEu7--_S!^ESyQM;#GzZ_2 z!*qF&=NQ~f?QHxr_&@<4b9fSo<^0HP2)K8fR4$15n5<5sIO0I|LiGm03L)a=>ZKdwjs|H2>_cz2DVa}Rw;l4mR^3~z8ct}x>BgE0vV~fN*U3*Dfzy-hH>(H zO(cY9wXdCcYhMuHlKK*qPNohntTjLGRNU4m!}U?9y~u2g3V3K=Dvv~LN@1C^&SRZz z>{!wtXd{`>pBdsofFD0YY0T`cR7hwG;kS8;oaYt2-2XYV-BmoN`p%Eod$kTU16SP% zmiTy}^0OlOzW!2=;RFCIK)QG}JY;aaw&V)fPj`}5{*q+kbjodel$Qv3m@ZkH#- zpDevXBee?Gk!Ug#v&^rqT=ZM5_+U-t8q8bEa&puX&GA*r&)SgVUU%MlgG0?$8(J0e z8Fz-v(+9!?Ja@zU9Xf`wdac43e&kHtt>3;hTeCjmsA9ACL)f`Y$i1AkW(QJQ4Z7pI zZu!fe<2cH>L<9Sah(v0rdAEo&EK1a5Lr1VYveqmPv+(me`X&JGL@fQo`Qx;T<3{Lr zs*}GHGEVk*HH|Aci}bCbrBp+rXw*JRA((=Z!c$bK<-Js&^~CquyN|Nr6C%0`r2;hi zjp7q*DAmPv!c=T`7>{-%8bK0G7ydm@;kbD#PgFQ6P?t}!7knw2S-!i zH)^^`PeWb4Oio?NueopT-L*YrTd@jwcXQC^yv@|HV5DQc(xc_izk`WADe>Df@h6F&)id&{vT9s{J%ThYuc zUC2GL^%=!r6~RT|2v9`g|8gP*siPp4`OVKI5jsZuqNW;1dO4jTtT@IbZ0lI>8x?T5Qs#D0XpyJQEqX~8>hV1FNyR1hZ z7bv8`RITjiG`S%;{j3gk@R;fA493&hpPRL%Ti=8QtNA}#m^1D#$L?kB-2ESCCwXIx z-!$z~r)EqZIrmn4$&s!`11-42Hzxq`_xDI1t71(P?X>sd+=l)*()U5u<^%7?AVD%AB2DRed8Q>7)ij#7HVwz?r-&p;d-fnMA&S5GZE!q>=aTZkftbLT*l++&c>1QKUoz zs~C*Dmx7)6%2i8+_HeBbm;VekoMve-%jPKOZRtqB`id{IT;+dM2;zeijhRQCvxn}p z!$D-A%E z#MFhcU$Oa-UCZSXKtX=4_{yDUd@pW9{i|u|=WtzPvLh!OCcSR#=5E%QWs6`VJb`va zb`T~?Cbyswi*x#vq5km~yHOw(kglfRWZ=72gop3^-)5OUN#uDWG@89 z14lj@99ML~BopvLYymLtmCGw`Tz6g-JJg|0(yz8J7c6i 
zFCuyL(_FEiJ*EQh5MF1MT0Fb8*gbRR@vg#M?l%T7l;fgV%n`-pzCChhbP@+0c+E-K z#A8RFr7#`M8QRo_Vt11X&1aK#4l*@gupo;h$CJz$Lkwv?2T2UAv*Pf{4dsY(kc&PN zoU^M1)=C5_$}|uFMg;h4w0L5;^&`zPjE$Z{P)>3imi9QXyq81RUppK|Q5PLtakct< z)s{8bsZrAJPB`(o2+~P~sPa_6ohntB3mT7SF|?{EcNNW*=UV)4+HofI5p~opv;w9) z*k--HH!XHcs!hdGtsp$rfyNEK^sDgicfN&SVjEdJmQ(D5ptmf-j`&0R!q{1iyvJw$ z&vDk6I8e9BAE)KygEO__C9lydKFS!S&BOSn61?FCkGAm+ec65?6~8-Tje4Pdev;cc9SuSk z@h>KoiS1z^7DnAB4AIq z>X|2ha-etq36J5APX^qSFy(l8dah%|Q|cD_&h;6E6P1^$G_;ChY_`hh9#>;xgbHYH z`rINAB_*s5; zP%wZ*T_thJ^L%JKGH7?x#OZKIvX)$>^{X*V&4?f_s)+ZSMD6}Zv|4e+M{LaCVeAWG_X9q)La=qPin|d$>#`ZoY z;&Q&p)O|7w5gwxLa^*Ov+xAvh5X*q~V_%pR#=$8Q=#x!+&qOOZ&EGivn3T?xln@El zVHNd=M)_H!H#_G2KOFgckhRt)fORm-+Iv6Yn=|E%d|v(ui6%HWjuR%}G9JP`(k>V# ztTIwO0ZZ*iAVUxqGjAq|^;VY-sU^CdB~b2$#;(zRI<^+@pY1osT2;5N%OVVddOc-g z0DDih`2@Ufk$o^A=i3U1=)9lNeno^pWWNZhYh-t&-Wz6@UO}d?uQOp-7rlPJgu($7 zXjVSB_DA3ILc7e#5`Kb5_Rmo%U!Qi{<@bW@?C{Y#{9pxrxFSZ%v*5lpXU8hqhc@G#(;D4a zb*gS(yd`ybH#RdOXx|)0?5U(tDQ?T|>M>{RA!P~#+`4p(L`=0l*BjDY&)!G8P6^VY zoY{Wy%BQ0TX@7twdOfl-I3tekqBr*&Q@$Z%8g_A=J9&8}{6n)RdYRJ>YRdj#_sCZ$ zeDgE));}CuD?aH?JHmY8{Fc{a#$%y!^6L@e%VVp)*_^uVO5G_Aw2@A6YIx#AJ^^+U zqKa|hA&JdpOHCEX!;D>J+&85uXggbQhH_qmvkr#d_fi^k`Q>=46W52A?a$uu1s#`n zL`I!?Eg8^GT=>BH#dpbnv;J_laY$|POrJa!gM`lA$?Z`j_yKQZyQdF#Q(hth&f>Ch z&m4$%C|-~ zxp?67#K(s3YjM>Ju-yYr-==iAT+qyJ)kFEL`H2qgoTWALwt2@~im>#7>i-P7Bfd3# z5l&{z-#TW#w|_B^~Hd*^HRiL59-QVV>K}l1iGFDo}PXofD3L| zlFe4%wGS|do1sy~0O*jXv6#XyRq5sz>|aQbgO#eB;$netl3+Z2gd>m_`}Njd;O}GLfK` z$;{TfyiG@OsHPLsDt>!+W}W>Lx;Y_}o8J&B#I@3)jXwT`gZ|wQk-A0!93~av(qJ%& zW<0s|?V<+(zl>9q<#`3#!fzw3v@*HwEQpnhM)(EqVj}4xT}I_OdPkYF=Ba}pJ2J9n ziz66m&+FRpPM3}?G#Tq5G*X6aX6cK$u{tFBl|a4t##yY~jE{2D+j~XT$@0oPF)SKB&3>YP><7CeP&dNGz;uF@<8VhS?!3k~{tJw^ZaARvmDv)``u6Ih5}YyWrpY+7Z@l?}Hgr}wG3Mpw z0*Zyq>yL|uy{{WMye=^vwnKZKeuX1k^cTHlxwff$3cutn89;e4b+>!^xU;rU&g+19 z2KN;f;xjU>325d&BP_@i$?+LSBKv7!Z`UXCY=rG8gg@(I4r29yD?BmBotDd$P$cx#6K#92Pc z@$6w+))sqN|0@oLEG0@>>K4AhrJrSl@T~`RQNkPL%(|~+866@A_d0|$R?~H8hQDUF 
zG!rFWXT#@^FbkM9K1d>ZlGWO$3SNa^se2^Jl&5wXfXN7mTVOBE8m~uhKNrup~CkBPSXyy)tq` zeqy2FgOpb!8F(Ngv7w~%h>$?_7s`VW6!j)XLts)>1>a>v-`-m&+2g6*;iAQm&ID_w z&(4RoeSV-zI6U2Sk{p_C*N;uE&ja3vFqi!ZvHKx`@za)YVd^B%pwhpyI&B3oUEocd z*k1X*CKe_L3IhX6iK^hwHZckj))+14M?8i8e_(ihe?L;@$Vq;tZu-JxsZGy z@Y1FySJXDmPBqdmZg;y~^vccP(q%wk>b7aAuxA~#Hkb%)g?QGAl92~f5T1&Go!D%S z0=TJZxrh2{Ktw*^mPs(3NyGx90+mFgTB_Daqe>ok)k$i?^#zN2m$>tG*ncb|Wm-)% zAqx6K=nH)My=8#|;~nG~{-c3d%EGz)FOiiv3~h6{Vep8)3AjPo#+0~Dn}MU}&XZ7# zzzNz(-7jg%;)EnJ`X}I*M7X^+ zFNoL5F$-1c2wMtbiDJvHwht(@fVV=-Yr^jc+nSa85>9`x$8ZqTW;Z534WXyaf@OUc~ zQZ$w=?e{@IWtzBLc)ket)v_bO}bT7b0N8LGo!nrw|hq)JnyB@7j~~1>v4$t`UnhZtjjGj z(5%xUimi11Y0j-FI2we*4E4)WwUI-XTnT8_%&&tfNZl-5B=lvsO?f|L6fmygliaE2 z_yqGcZo44?p*`jHEV2HWiwrIWt?(jxV)le&!dAnH=c{(+Au zyrr&0>SbWhfnp#K)lR~bHT^Aq02H(=dM-KM6|9#d3Wu6l94!Dmz6u%kTdKKoudOZ{ z--Lw1YJNLMq`uF*dY3CjovK>j&ZHoDnD;XjWug@AXJgB??cux{(}NvY$pK51!ub^R zsZK2LYm~((|I%;#Apg4==wYK5t)CN52ihj1dd)3l6yGGLW)Yr2s_#-6Zwr@4N@l5DaH5E0 z$2Kly`DVm7!uiNtEr!pg8so@gq-WjG0%CEAb9#9;}i2E>@v z59#&>o`s}Q9J|~9(pplKSq20LX=BuWBtK8V-nH3ly;N2FL#S=dEuK_Wof|+MFw6vD#ocNX4He zr`R#+$xDbwoLANb7ldf7fDVI;>xX0XZ>p`K?PP}jldy6T zC-`rEV9DjbgcPtC%C35 zMb?l_UaIR?JnI9$p17T=R>fQer4JH8ubMfdFhaUBDx&5U3pr4ucA4q-9UOCTSd1Iq z^ajysG=z#Cu-HdKkEvDd94}x%nq(vyIVL!)MU7W|u=D#}iRW;Sr8YZ2+_AZ6*7rbw zB4NP-i1IAW~(ukx{O7kKp1!uepi3r4^~NXtsY{QFrJka!uu)s;=p%g+UO)^d5Q>-0lL~c%Vo-+uE zg*g5Fdo~^5%Oj&+VDg}h*_3AVVTE$0VCE!2jWj7iI(3YP3g0Hg2x zpJyDe0VPk|crkl}YW^5Yc3|D15aK0yGxZqHWZC6A&a4|TWsngj(uq&#YUE{&9h;{; z>R3hmHTp(CypZ!_qwUYFHvZ$b9q1<9_%)*z_wX#?!P&PB>SK>BEZNSQZY6CuFbRlT zchT|fW@!rNT5CKp?#pw@JKB8}Hs73sbcToY79?2F6DIhD{9mQef4RrK6+gM7=FNtZ zCPZe~E!%PZo=c+Y1%$^%@u5-|9{)t?AM9!fMiJ;H5J2ew0)xeOF7V-}aM~iy(WVj$B${ z>#W}qV0n)#-BQY}#w+6}?W^GX(h=yfTZQl7FvF)do1gWV`0z;M?S^qfB%6Z{@f zuVTl7Gj~HfUYbM|O+S_x^)Fj1&24Ja+lWEdjl`g~rIv&fn}J_B?MhciHx-U;edPL_ znOEyOmmBR|9-Do%G-B)>Jy7K{_mkQoBa6-4l}JtVH-BGyjelX8VYHKZ&7nXwNV z8QMyfHyo2dar~FE3sHSOc}6pnuCmB%kIYVHD`H}6&5c5oq|J-5bJ8Pj!t=0vt!6cM 
z_rV+|pE%7u-7G0Vn}bval-=GC2o?osKb-LuK<8YAjr}?`BIDCiqu8FYH^xIrtnb;b zFNCZdn}&0HFYsYGc<&n4mK43;QFGy-j2{pJzs_H&#}nkDBnzy43{n#3K7o&{2V7(Z z>~>rsu)8kWu_#QHaq*?J%@JwOwV`(RB8^Y#b*~rT@mLax3DCRgtw19#Xqz$KhTtqi z4$;{jt>=A)NFBL_mBK{r1ROFgi)_|1$-DG&j=#D(+8pY3wItjzY1Rc#A8^|*(PO}z ztlzy<>DJ(WhBq_JIz38)z{EW*`+m+45GN+8wkDf6r`XlVPX}4Y=vBgF==PWA2;CPK zRB*=of||^)Q}X6_BrF8hCbhe9PoW7+nhvr4J6<6eo}66mN;Y&IYM{ARCq%|1CjIV^ zIAZ6k?a*;|;*o{Y$3E(e@b`FD4VgX166im2BQehuRKKIJASBkhUpW8@Wi^^D5_aPl zXSJ=WGlr1V7F2edK`8<*BdIt=tw;q_ba0p?wyUXZ!%_ zsOeGFk2t>WK+kbX#X6LU0ath!lj$)ENdIO>D5?g~P*D||?Doge^4hQeyyFuP&`#R` zQ;xv=R?|GNsZu_lzk07nTlbebPSd*WUbD55!)jTO0Z~U*f0s|RVzkTS#LmE<DZ_jJXE>!lNdu{qbmxQRsXKO^nu86(RJ(^b#_BrFaG?Ah=_A8uz zZw7-d77S=3-A&9xv8dAIep_uL)M@CCnpD!&utnBB44UlDqy*>(n|1WX5jngHGY4n$ zdvPq|Wo`Ry8QaWhLuQU?NEO{*oIf~tE321dF-$hXZ`&_yl3N2-eJ3%qjKRgh@(6k0tmm9QQ!^nAM_sR^M@4kV>(fnceRc5U? z2**Fy_x3?!oo|VkYXV;t8B~o%QZM?V@gMm9UX?c_s2Y!{ow=UN((BEEN8D})*up!` zFzdz71sNi%{v>;CHCuHW zMN{YfV$W^V`*wdsr=1%=Zx9tB;`?s5O=?-lBb)>Cq!Nymkf|VH&qc5A`u?R=U7jR` z{T3`E5ez)eLN;CG6ed<~J8RG$sk7amc)F+vhuIG6Le<-_aF9+IXeCjMPcM$t4KV!k zr0DzGyHZ5zQ|7901TQP9@6)j&XCv(&`=lUsdkPnKi~yHGn#8XT>(_>-y$DktM`|l% z;H(JKqtmLnh@*4W2SvyCWc9p#z2O1?O}`g`UK=wH*x*mY=VFoJQK9_iVA*9W4!Pf%DTgZ!86rCyh)ib`Lk28)y~#6{0;!~nHs4(4 z{eNR20koE5(6&-m2ChE26EC$S zzA`mv#?k83DPRAWU2m*!d{Yxog-&Z>YHnzSZo7d^3tUMw(-Lg1VHp-(4{*6x$Aq~p zS*XSlvRtGx4n6`)sl%_m1$9#$5O18cUXaw%eA#U>lVAo`rBi-zMg$5`^?LD}?ULNs z(+sQQdw#u8$2H!Z4`d9xUh^SpMLM1I!;w`;`~+Io97H!f8->@mAE2sMrbrjKob z<>OwKcK%HUTEsI$Mm>(q8b+8s!`c|&KY)eLe6f+>$_;J#R}|t->?oLM_TLPUe6XQl zH(z%$PBGJX-fb7jkd~TAT)7#;s!?&y22NacCf*WSjWZo032yc5YswgOQPy(fu3D62 zE@*sQ35Dr{Vq|y)u-x>i8!c|6_O8K1=hwTfSa=w|^S=MFq`$g1Ef%+Pe~!Z*_|1zb zO~0p>S>3Jg%|U38@w?7x`f%%e@c=Gx|G|lq;V*NlicO_hU()Ut5(4<37}p&RRyLO= zpv0ON@Rt~+CEJz$RpS!+dAb_=!z9L~1z5IDf*ot{{Sqt*xMA_>&W$P2Tw{}#)DXVI zOfcy{zeq_glff+`%%VS~ahV7CLzOpw!{d3PUkQL$Gt}Hx!;T{Esih!1%EcOk+mV*x z|Ga7$Q@GT9oe8+jC1I6o*mgN*&Sfn()UJOwq|UUSN>7nL0!NP(1ts4ctK*__uKkjt z?|N%`@fdF2l){eJ-S@?Gf-@48F#LG2UEN*~v+>k=r4-8~ 
z6n|~V@e2_a*3f3>yC`JS$8K28a{&Jxqk{Xd4NOr=nwm12nyD6{q(WZ!SXfv#%Pj@E z5_;MXZlzTe?L(){ZQqx6m*d53^L~$hfBl?b&>HKN^ZHpuRI{7?8;baPeQf4Vsab+c zsiOWEVVBiQV)S(EzBBe<&NKm=mq5Gg?Hac4Gj)Ue7koKU8ANmO&}xI;3KtyY@$(^Z zF%71z&F_u)4Mu#-eDe90^^lSFqgr?reSjMW$Qa5WO@o0{=kEY)7Ig`st`&MKpW;wRn68Pn(e{?M{Cpq z6Tc$c#rIPp!zWt#+hAJW}^9qY=|t7S-vv`;-uV5a6m8J<|s2u{?N<`@E8hllbEBb)f4P9t?!>v90fvSRwv+ z&zV(2F`0;!$B3URuDA)eG8%%C?5*^C&!ZSzu1_pk(p}C{S+-#7W_#6|3p&S)%(-z# zg4AhuaVhTl2kw4W-jhi_Mg8?|e_GYBS==@)*g zdl>jT0r~$N*dGk(3U`hc8+o1g<6HQ?0>txjb9>NsLkHKNg!D-Z-L%tX<$G{HP$KtV zPth(~21sNw_F*g%+rDvVSNlLvTv;oCQ$8l6SBkRX(KrSc$rTy&zAA9F>E+sdr zg8oQVAcw_RkZL&so833xcb6x!CnA&t0*=hBRvU-tNoJb%(&t;saQ6=_0g9oyKf;c&|paVt(p(7IO1 zOG2uUp|ft$NSd%>Efn43n(X)Qr$@2HK!C-R=*&^;z_8JmN*1*U2#-P8CGV#iK)tV7 zHyKI`yIJ(EWEQDYR!yuvg7>NP7ec1Hbi?i+(#&Rx8;-xYIljT)3Lic4;pFzo^9}jk z>;q1B=*y7aUCBH#;k{;-WCy!?68bLx5E8r}Z*=7jj3gXQ4FmAdcc@B#TBBJ{?ufX( zPIKX~osa8$a}UV2wQU)i@4iG@F|v=a41-Q66rr+TH|v)$HGHKfAHHD1!}xf4()qIQL_88ToIxi zW%qP%)Ka<4C1%&UcZIzvGWNOhx{KtJoyp(xQ(Nl)kp$uTw$xa8s(jxumF60{rRGJq zj%n(IFs4>SZ~>xhF4<(pyjWZ1;X<~O?iRkAtgcPYGtj>4Gbi^22C({`W*@w|Lh5nD1v{fGUaE zc*z@B13~{f@VcoWKA5yO&dr!w62h@|L$>&(s3Tcz0G=~c+Fwdg1M?pf^?W_L2N3IV zUMia;?l1lp{A;_KcGfk@a23z?Vq0NjxBjlh1g9$0;bLC)aBs%HV|tpW-NF%v!2So#*Gu?=Ya|F_d%q>KH56t#mRXC7UQ(!Q_I-@4`FW=5ZAVCi>@RD z*Wm8%?hxD|xVuYXg#-`5J-A!p?(Xgo+#$HT7j|p!^Ui(m-M!YipR+#dV~#mS@4byC z++)1E!4CO6-W`Le6-MDnxF9@LwLAjmia8haF3C|k6^NLbxD?~RfMjtQU%ruPW$};@ zbTl+l48`wi0?J{_yBKtaI0-@rv6%^?HhOfaK?NvX{X)V~+Qe0A;puS1V#Lq} zKBwjniK7=aO5|N$(ttp5(qr@<{d=!LX}VUZc4*Ytx$;`PGRGTzdKsPP#Ah1#G$Ao-bXlTg}| z_@!W}A+*>yxkfzL*cz6ATeH~0dV02`+x~R%wdL~4Q-a@a_=O-MS95b;ENc_H8TRX8 z^>cHQ?Zj9DdN3$T{d@VLYHO%WP2(o$b4!UCWe_?cEf|e{S78MXr{lNF`FLVL=T=#8ttaW+n~gw;ifeI$9A|AW{8G>j)!If{l3c2 zl;n|AiuFu}kCc`|ytF0xgLGH4A{IXeG=utewgcDo>RZ+UTfG zci;a0h^N>hLHF!`<}Jw-2PKW$bG7ao=mmxyK5_((TyUWc6D#0Ixq6>2S6sGa;%MFSpM<9m2ZDbTBG<$ zt=~cCu|h*ZevGAg3&ZC3&5O_VOtI-a^Kj0Cs&6pW1V1~#(^l;>FDHdM&ObJCkUu91 z<`AV+`tXmy!T%L3&(5QW*=`rVo)H~UK%!DA`*~{w&;FBk6qZz&G3DhJRu+Lh=QeAo 
z3Idjg?K1zH_x!ilL@`P-XhFOq{ZK1k9ESo)4$vQHem_x=GEq@@ol`BFQ?fQC|JwD+ zhzzyO57GhNtzdEyH5m2ee$rzxQ~>pvY-e!Cp_x`y{9%3KPv(jch-p=@8rX%ovHC*f zbSUPLu^KC+*y1;lCtJ3rbAE7f*K|v4JrH32R_Eg*zyWxAUmfg1dwB181rn?Gy|aCJ z*Zk*$DMmpf4&rW(6bejJviPIpyrUGC{yk|eaCZC78eVlW9?b)z&2+~}NH9sS%XJs# zjD*>WyT!jv`f^R8_y+l71{eB8i@yuXCvWBnl9hvY2)a0>FGl&Hh*K~{`$T)g?*U-o z^=e+a_?ViUj#s;@N3(20WT^L`Xg+vgcrEe19?6GY1(EnLQitc~#Fsx+5X(`W?|lD~ zFL1y4iUIFj&cl&|Bv{tfBX!X+p?lFjkv?B`v+uX@M@nDJVkto-XF|WE@S6--KcU&` zFaP>y8yb4Rjw9{d`LonF&n^FeEBQj-#}C3?uUHP9H&_l`uUu7~FKoh1gyX&GWY^lV z8>5X~;vOEFPP{B3Oc#x&8CkdoY$Oj;gD1HP#er^urJ-L~{kKtSOqWPjd{}V;%2;{c z^LCt=ZR)Onb~_2>@z3u*VH;qX-as=8EhgzGGyhd+LECGHzu|{AYVm?? zlp1t?9#_k?UO7{<&&&$%SZYmEBwbKSxZ_DM6MHdMoU$Htm^a9s1&y6X&7G@`{D3mG zUw7+WYE00}a9pY!V##c+e-jPCBIjp+R1=DJ_fZz1x$5*vxv?-EeAoz$T}u9!pTf@Y z6yMmfAsU3Jxyn$HJJl0?~vg*T2o!ZZ>2kGlTd(##(c=9ZV zzS`NIC2O}(meZY;8UOYi_8%WkDs#0c&8aShhYau3pHLgjyviyOecMpz3D}+J7fwCc zwrR)t`%1HQSa(-z%J1kY|HR(xXA{K0C+v!Wm6;f_L=`gOa5Ana#oHnT@M{B*YYt4X z+}>6=MpVQ8TWR+nHxV9oZ0J6)Er72YyCPTni2Zg8I3VRreUB; zUgXX%17)gTKH+P_f_nTsh$yQa5IY0pFtecSo}5YU$V0BIL^KetP3xeY=cVYDH>p%* zd1~LVO_X-q1r4;+1ADo#X3}|AWJBvuWzvM^XT<412>GvKIa;|(p^v3HA;(L;$&pPU zD)m~1T@r=c%rAHb|MT=9h-8g9Yrp>e~}SsRMn5frlLlp)FABVgTlxroT1&H&ux09}5Y|oQb$bH#vB`5udaWac{@cxXS zWyR~qY|}?aOc8pYB?3k?Q*^+%OhB&prMBPTY5T-k_|5)@ZRyK~fi){`7`HIrb2cYtrOgpPQP=!{Se#vp@=aJbsKy=sffsExg6!v7RmzjZ$_gI+M_fP*=7azw6bR-)Fs zO93G~z!|7`Q>m6+jOZ>KSeWfjOU&SjXLg4Qxbz8o;9eXiH`ln?Vk_ri+7OWb?TuL^ zob-5jex4jB|AtN2_X=Ti&Q>(f0${~wjGO1C?XSdmhgc}&Xlvj!W%1`l)@xE)6jmLpxb_9EcxcdvJXc@S z-tn81{)i8kE8$zMpS`)QC?%g!fJbX^(b+sBcirCv#4;gVkRL~!C%<>{djPqp=HQAa6hQCkAf=^;xK6H zJsZM5jl3qr5-^=TpMOLRz^UD$DPx9qBo~mqeS)W!LbUi@2hg@7g2ZTAXAx@b;IrmQ z$nh!g_t=oL%PVjJZB!kgA;P2d##P?!Ot~*3yZvXTPesJn&$eCHPyLw;tM1Ve&xky% z9YUP8NC!9P)Xhn$A%nH0q1zwBZ^gOWC-G_(n*;@qz2*9#qi~yMlMwb6M~mX(-7;sz zq;eLOGEhP)o!7urZqyIX=1*GtIJ$LnoMEDN)hQICze^N5jOlUPPVg+{$6Gpb^HS>i zJZyuov0oCOa!4oa5H0G2i>7<=?VM4_7@ue&Y&b-lwmxzN(OZUD=@;`RV{@B~hbrG@ 
z)Wm-ZiE$d;Wht6WHO5XLpBxkjzi}|-a$^7s7P9!gn@8)l2Cb*|>CF?5iJHpo8%E`H zyRt+4@~&5yp|&Jb!MXi<{x} zA`+1htH-^0;4v+zv_SWpTjz4NUKNLUC&o@x-eX7*7`?43oExxJrKD1R-aXilODE5_ zqnGv89;T-OeZweVHFz6EogioIP5MNbUgKR!%1=(hJrRe0;-#uIKB5`ulI4+P8JMMR zp!trGX&|M2;urvW+!?Q6jcs|2DM>C&{u2;#M@q$^HF1UDPf=2sheYiXlB?UnKUPJt z6^ktzJ&PCYBak4J>2AX0Y$YU1_brZ&&oku}J?$pG_~tVJKg(wyR{>w>g^*C6J-RjA z`ymI%=w6F4bv*PSjr}4ATQg2<#7%c(DO+;7@|=nRA%gRvMD19bZ`?nOk;p(Q$`gbP zls}6`b2VpV#IF?JTnf{2DyH&QHiLlD%iI+>(~hLNqKTYI{~vWXF14z}yXixn;e%%9 zY{_JdD#Owth^SoR=t;uO{d6KU2BvO>7TvwUQ9+oA38GGW6LDwK&{If7hix4+!yiH3f1=9 z%}iLXx9cEWky!VOcZ>J zRMUV=u2Z^fg^5C|y`9R8z*>L1Im{_k|xuNtMRAN?w}aI1sKu3EeO3R;<`+!HmnJH8qJ!BbhgtyV^y z#*Z-$g@>>0sLs4cx&d<)-B=Khe+nnoqtuBbdrQIoMF!>G+*tUN)YF|6-`f9xmH3jX z&f=kP_GgrfUnd$mG+>YiSp~k1RvwI+ddTZ}qoWKYFtYA#&y+y!g@)r)eaX(Y5_a?B95_QO z@GX_SHWZ>Kk4KCHVqN%%`Z(_-3r0Wpa}hu|spwZUp=66b2s@ppGTF$sJQ>=Mwn3sl zL~e!D4Us^iPIItkL@-KfeZ78{$gc!Mx)LWL)zPeHG0w}}ZF2M1u~NNBOr{B9cw+&v z#ls(E4j&JObUjsK1E~?tHRi+F!UY#BK&`6gyG8}zmH70%s8;8Ce2@RDk-^*|@-IZ9yi~d_lor%s_ly21K z#AbLTZ&F!P)mp0@mi%xpakyw3&@;edA1mgxq0RNO5F6ViZw{<>zWMyQfU}W+xBv&F z4{@umVEHL9br%V4h7r`Q+({_r)1D~%6)-#KYj^rUt~&mudSr@1c#Fm}yTM4ltiUef z2aRhqZSWzboBMHqeUyK>+jzGEu*x6eY#e48_7s;{B7{>8GSo4v3%o(VyPOF{XArQJ z^?!yA?pRFrU5{c#eP8ea^?yjCBDjsc=vk+ zsxE2G1g3S%2K~q#n##Qw?ytQPs~`<vIiX3GtAB_gzxRS(~pSa&BS1S{(Gg~ zW;J_Z-Ga^I8lzAtb9}c%HI>Jb)K-zl8Is!BNYGp;ob>^6b?y`LsqkSp0 zDqdXJLY`=-zr{0h{i1*1uY#WNlfB^ejgi~eV{)NKdy0-^-8=y~SyMajBX*D|^}z${KOQ%)!QzGi&e(3G^NDRJ}ENs(>}wi6Wmfry?z{|08`F563Rb@%)iU zKx1C25P)u$I?DWI8%dt)s)rK%hESKtwchPANdrE4=_!9D(n`Xg_)O83)tx`mJl@8jwbW=$wi5GYxV0?>Iux2c(0w9M5t-m{QAIgyX!^ehOjFRo9ff z=$PyY6h$jSwX<+FA6<0#T|Fhea+Ga4pZM1_x^5*CZqdEzz5zFby1TwO=PdF8I)asc z6YCk@gYoTJs=O{&)W%)&Mc3PQVpt zP0W#G7xElyAb-A*XyF>dYTVA_KplQ#y2Tc0PqkCloGoGS9YEN-9gXzZcu(RP+QM%O zHY-%jqFHfEn#bzgeb(FEgeL>tYI)Tr?qIr<(+a&9UFtQ*D@`H%#5mUs%`#Ed|r7w?~N(Xyl!(hai2 z@g}lzY|?NDWc}-eO77D{?wV_Qf{w08Bn+ex@_M;ZSPce)Q~6@!lCarg>G*GzCw2j%i;s3JXm2@81<-J@q0(_=P~;<^^Tx 
z>GU6zM<{l~OXt0V685Rl(EsG^JJH()xRcn&;^yyd5F_o8pp6A;nRtuq&E8x@*(wta z92o}&No}KNNj7>mA4>TbB5!&f!+txFR?lvy0LNxadk0DbUHj%I;;XC29#hotXuJB5C6K^snw6 z2S%8`Y(Cn-%hio2U|lIc$GR&Chu_S~pxlrx$<@!UBP{-)`54d_7K6b$$@IHltC&TB z0RI>i-J<#x(O-raM7?Y_0MVtDMM@b5T@90RQ_7B`aSJ5AwRwi$L!)I;T-yR^c9c~T z6h*({uo{QuhvqIsHhvjqP$4G^!ve^RGENIsmy*efe(*S|5s%LW1lKBgu$aKbvUcK15McUo$Xq23S4<_p%i_-MDP^d{ z6xgNo;)nDQqq*qq%bG}k8IDlAyZr-S`d=}$kRV#-`9AsI{}h<}e~ak-w-aydTHlTy+dI$S zgzhE^d>BZ;GFOGj$wl1sTHu4iowsSRR2n}oUnO8zkg?gu#6$e?{@pnKOCa$7s~=9zqpSePL6re(E-@zZn%3QU

#&{01rM}fzOzk)~0k~_p z)5I^7gtv;6g!ba6g!adnyLMkKfQKzBS>5fRqVZ-^zzBMiCHRI+ zn(@niHywTGd;I<>XvOA%T^qL-^88=PPO*7?t!$4sQ%`Rv%um~6%#Ww>N{=tI%+@?R ze}OSO;=W8LAp#jR6^afPKWW))`|EFH<6ELUoW1p5(qp=srI|M9%w4JbDTkmm&961F zW^!S7L`U%ciC5_MHf+iz$Yt24>;CSE)J;t;I8cS1Fuldoi% zFEjmXXdhQN0`U|o%QbVI9esrhg<+Dq!^wj<1A{d(CNOVA^Cb!J2hWWievkjbODA~8 zHq(SdX)YsDm>S&<}m)<6`eD z>S&>QiM$kPh(XxP>owf1#3&|rneuD&138gJ-!d$1eE}ioO6W^}3{_|)PtcXqP*SN` z4Y@LfT?TXgdOs1LG0iZ?9@iyjCTTB$ZD%QzDF3EWrt|n~02Rr7L-FSY)-YR8;5ur9 z$S^7>2+{}}oJOqE+yjEf(SP|!?g|#*QJSfJTdIMfK06NeVwBZc@_L;M90XQ+1*3riMJM8wWSlw{a92WJhsVCjuG#yT1Dh$uX;~04d#=r?9lL_m)9$mW3tpYs z6Wsk;`{2e=#UURM34k&btDHj!Q}Gp1QJKOYd9m49r({QT=qOYe)RAY3aT z$^p_4V_u|vOZZ&!fu{xRG{G2L4~lyptp7>6;>e^cO8Sy@1y6EyuOZnvpH_qZ;0%J? z=+};f!FI2Lk^Pl%OFttAnT7Ce`JFNB7h?1HfDy5h%blXbs9ART?n5ltw)@iR-zxd@ zqQ;ke1)&a#)zBWyzWBUc)iw?pMy6IoecIR92t1%dCB*+ZRlpA=vG4iWsidL6K=2K zK}$-LHd|xN==Wehk65XHssBXYlx<$8fQr0TLgo%X;wxk_t`8?ON?sx0Xq_+RVdUUO zgy71Qx%1+oY7ZVjRVI2CaLO7&bLq<@@xlg?3)a-M2b@S{p@_&7K`FPp7`=e_} z0m20&UGd7K*PLkHIg|WhCFM47eX}zXeYJCaMj`+*8R+~zjbiDY`7;bdVT?XTj8+?D z&{bA6kdlq+ z_-bsx*K@BMcC!YHTSV%{|6iDWu6q6wcCPgQM(u4RmULtTYd>i?9o$OWXBmi#7$iZq zN)C-qLPwB!ANEXpESlyH`=c#A=P%fyGkLE9()gj2YUa*Bp7#QRjP)1|VJ5SSz3^A8=3Z^>kY?qjhKB!%%%~hX#U3+58|QA zJ>W0|>z8LY2GKZ906i1Q<}%I=QtNiJkjp7wto4`zO9aiAXH%K`)!y>Ojohc9D65w4 z(9iUY)$MyCJXuTS=K;QL!S(pHu_a@X%Prb5XA!Hc%{N9mt{nT-a#S+;Dk-jUn1V-|J5>5o)eFpe&pDs~q0TOk8U^0kv1$ZE8(EacsP1i^|6 zd42ahWH;yUY`2=hR;;u=2Rut6Ay=jrECU)f&3e_FEI}fCuBkP%NGE1j9}et?%b(aw zgpH8-n*f7WCz5Wb%Mt2EEcelcDJLko5B!^#LzWXq4QBK}#b#qn464zt;Tnh&bomW( zlq8dB^P9*0SrcjVE#3jwgjqGj=*!-K4=Y!}zyWLdYLY)Eblr>~F>`~GtX?J1a~l@=n8T!|L~y7B&|EK>+{4+K zcMgMeRAWTW9>WXV(6nAPS3E{G`P#6+z!B4Hke{&6Z^Ye2c(dA+e^xy)KFw{?7oDd__J=lwTw+| z!h2zBqf}?nkcTotE2TwZ!ruNSfY_I~Oe53>s&WMSU>8Q?$xcm=X*KoyV#HspS+^oC z%t{qcdJ(=q|5#mm^Y;FoZq+8fadl;K#kI`tPURCkVA`ahS?;Ho;{%lFM<|5K9+{s| z(m$Z0z6$iO3zDASzX>0#<@jSIxxSw^UD!VFZ)Du80kg=Hy>5Kf1# zjy&T-t;G}?GC;5IZKN-??yDN?bPD9@c>3eC^g}~F 
zRQZqg*I(^PD>w-1NuKkE4ZV)|wgs9Et%jHlqKQEUiLOoR)ATe^_1#0hIQB7LLN$s+ zXFQW!2&5u}8TY<9GYR{O+@5`PX}{8NTPMK8^ZGe=_UWnUh_sd9S`|H``fLt;rxgv< zqa&%K4r$e?Qjd@45CNiSt7IT{EiYlAb(R{+g_j^(KfJ=ck3-oai;t!8LB zh3acO{k7a(7KfJctSIFqV2wgGxy!+eWr5SG$Xca?z~iy?`XGa$i(kCtQ9|YmfyVL% zLP1K|_G7~>)I1e#y%oRY+q_#JDJnHOtV-W19t);-1m13e0?(&)$DL>~U6+=Tt!I`k z&y=OJ_r~BN8Tk|U6kBjW9vp91jEn+y?fao?z5SdY{jI6L6)*2JB*)beYv#Ds)$V>sV$;%cX}$nI!0>!PZxOK)x0Xo1 zH_YRd_=RDo(a_XAd}TCE)ea2im*2pNR{zGE3+A#$aXffTP{w%&2_i&O6~C$#x?RDQ z3m*+%K2RGGmPEI7#@8QAQzA#P3_d37Yk70UcVB-W{m8)j1oZQ)*BydukncOxisIW( z_pJ3eEQ_oi`(r19wx|89eXWBK+?Ww15qO*@1kbK{cSdp2btdyJjNCiZ^y5VM@vUC+ z)k|4YTk@}#PK$B-2QK2SYudb+-L1@6(V8hT$u%fIz>?xrkpfLCLGWDG8 z7`5u7Q9}`*>J)In1xG9!FqDCQrAIfLRCb2yUTFu}EvE6+ycnVxMEwSPe?)ByUG>Hi zcfT~aJJTo%cY_vnSZnW8xG27gjCgo+PlD#rUsF5Z;&j4|5%2VE$Y@$RGvJ8dQiV%9 z1xvv9zzT=1?->U~nm*6nfn7}ZiO^icJpZ$LEPb(tdP!ko2(xNKMlFl0A^n|~#ICdKyZ|H* z6j9uj_p$0^vJ{zlx^Fa7!PngY*-Mp{GjR{&IJsLge%D8eBn`>KwW>l#+QVt)IR(ix zL}>Nl_iIHKqMsZ-sg7u9Qj*$kTzs6kik<)*9Gttlw>QCvb?R=yoJuaUl5Q&VWSu1Y zR#OGb`u^0_Eq|W?Aao6vtKls8Dm&!R->RM{)ZTI*!H})+z@~8n+&)cH3R+;>%6xMH zThWFf*q+0S_dP_K>%J%B`my}X9Xv4 zBI(@7>Q8Nk>40lJU>8UK9iaMYeu{&?om(M)K0-C6`I7Ae*hP3vV<9L}x1Go5Aem0R zNY!LBhBX`iDq^#}pWD`iCstM7wZ}NAYd#5W!lKSVcZkscu+rd_v+|SYFkEaU82#87=cUmSH z++_Rp->ZFNxTBjz`d@RY>f-59(6{TjeD#>nJ`mWI;aykU@qRGEP z`*}vA!D^nfP9C;-rOAY4qzVpMsdP=bv1H&R;p zLI%UJ(t<**6kml!H{c;>FX06!{259_#~b6vLsknS7x;(M4FRu~N$7`>Hp$bPBNyBG zxGM03#rZS|s8m(@YPHv2=op9dV&p*opnA>@S7Qvzv~e_8LMp&1VsQbKq>Jyr7)u!m z-Y4I9FGlFFJnv^*bew*Fwe~+Wz*#O#2ceGkYbB=W}+5s$cRp$$>#2D5&3^t^UfQMmA@nmkHIwQ6+MbpUQ%|o6n@_8I z&Z~QXwzEL+$$lIONi)2E$I`$=6$%))pAWqB=!<`fEW|Dv;hSh6XV3&<%cT2&R>a&q+ma17J&wIT4~kQt5s&4mnV6RAzRDH zV-qlMCBSMT^jz?%@Kqj*k;}5>iL88K$><$1vH&#PiT-^dyWJBotqj3oz2M|qFBlCiu|g`@Hm$Sr7Cp7BvH?x<5B$+Mi2*o_zAXt zi_1c4-N9s;xd$3fdPU52+q_zvYF1Cw<5#9k_pOXN_Jc~jEj@9Hw~ZbOJp^jrs$kg} z+G$CR&Ut?{14D-T%ap@$<6_~TK)U~;_xU=Mp$9+1AUBtS7Z>@DW3tv-Xn{6fZ 
zd<>aYAHVY(bS=mf$2(ux&p6vS8y2UI|0{y5m3H>Od=>cTAQ!_&!%fsL0%FpmwCvuy0iNPNdwAc+0FD*Bsw-z8(NB<=t9Li{I{>ll2HEG^#}U;n`*rJ2z~6GzphK) z*SQb==KBwKaJ=jHo;=0re(E4UNh~{qojfBNOwAn3*x-U1VhrGEtPyrQ@dW;Eg?ZNS zowAQ$I%PTOPNFQTqR!^v;zXzAtobz8{BNze<^_ruk*9zslDTw0(Z& z7=C=e7827vLL!T1GJ_bBSY1m}drtE8rmFN&XTM2Ja+CIx$3rGY$j(Nh^e;vQu|l3g z-y`r;CuvfPP$3gIWVgeTii`cLq+5;u*Hgd#fBcG+W6*3<&&){+YHk1HrjGF~Pczq7 zSKmMy;EH=JwZ8MOE*WxW{2wO>*v7V`f-aARKYGrJTU}Fnc1)pa&dR;x8Wf|7TAQ^y zHYN#uRxP8Cw~ilj_*|+bc;yhyb=obC^$#%mHcd zy^)F+&K_R^?TjjA@HbwX1&I;YCKl*RaJHk<5%Jx-6y}QNi+xh6qb7i!S5toNV^YK& zW5S!~5)oXwJOr)*0;RSzUK1D@#pF2nmOa zO4pEvaQjl1^5G0^0Kyso;g>j+^hmS&%Cg7eM2%y>#UeTBTho8`h9z`U)XRS4yl7nC zT<~feMZ!7rD+65AaZA}2#YU9j<50HRXH!gVy|zL2RRjb9A?x4QVj^e9&Z=A0_keZ; zP6qhJmF@gw&&ukZ6q%{AO$Wq9+9zT1El^Ib%ckZMxD*%Uy(cWT88%@|iX`+_^s|Om zW8A`iafO8M(uS+j1YZ!(ket#lMzCFN4vnw2#-jZf_y%BX_ z>(((!oTYi)Xm(WKN5^;W@!#orjvp!r5q2i(AFq{1z9wx?J$B*w!d}~m&7IfluFnfMLC9mV6b5_&p zkUP~WYW!QrjmL5eLtPwjCu67M*0URBTn`5(& zpzk=(fz`v0fL?4Y?DtCHQ>@hu=cfD77=j?mR+>h!gFouF{eSE}&-$+%J&VER)vn)m zVN-QUJTUXiOAsXIE3m=~%brv5b1q>qh*bfEb3V^)kR|jz@pJx?j4}lR$;Y%1{p6Zt zPC+j`!+C$hmlseS{`~4-DQ5SbU7(#`Jd&)(3%wAc@~#|lDQD*Uoj1W#IKI(0KsGPf z5#?69Nf>JIj{RxcR8=0=v&;RI5cGq&xiS2yrMy`2(mokxVt1VyJH;E z!bS~Lq4}>^XRHT8RoqKROs9iz5U=G=Ucxj9*-B%?1N}HVr%jH?%?{z{5A@8aS{@fQ z^JdDbu5p|bU46R~Xyu5NBx;*kZ0c`3O865gLtQ4(`t5vt1!~Dert?FDIQKo`<>a=Z zGpjaU!y!B5QMj*ay8GFR`!hbR~P`|f{Er&{RX;9p1*Bq zszW&NrK?pM;J=*E$xO`3wq;k>+IQyK>>x?BQ*t^bVMs9ztxiI@KYOSp;F^pOt0#hz zI-(^$S>DWBrt>5lsni7;f%J>Y9Jx0%-a z%iyGlrTb8fs z>5x~)_eyYca;ban$SngIp0ahAaFO>cWx9pj&`&t~N)@Z-`yh!0%5z2|ppeZGEWu%%K5!fG3`8lsBrC8#MQS!bAbFtNbIfXN0{TJYw!DO)9gCXmh zFdo`RAz}e*eEHaaDvE^ZEMuhCL1^n!p77O(W(TfS11`QhisE^b*;vj3$NO^j<0Wy$ zA>Bm^Y3(kz{3zoWZ?)RSCOq# zspP9EHgEE>pyzcAw?*~3FhTblr3*PM|Tq7|dP%#9;!UTvEl$O$*by60@Vm&UQ^qnbxoIb{o)*0GXM1Q=V-&-o! 
zjWyst>9L0a?L;-z%4IHkhT<73ou&!3^AGqFNd?S7L8|$&|CO!S9U6qqI@~iOKVt$4 zg-0S65O}GCM?fOw6AG&bt+d9*bAOuN!V#X0l~Bah8*5eUTvdZc(VDoV6e-?_x7v&f zm=(^MTHu&8EBJ+77m&)_Xf$5&l>@em5r|`dOUb_A;Z&%_$n8q4K?ptjb|*o6CIG5)K$nWP-eEUzy4F2<_YYF*e;<^hrB28&Qh^V zsNx^tNnV~ml?ofO*;epVJACeS%7?Z$K4$JR>;1)eI$6O_Bn+zMiCM#8RuM?5_Wq6S z{nGY;Q^Wfa+x2)(gTJjhm2x1s1}_Y(m_>5MRj$cef{ z*eCo>PeVWe+LYkCu5Zc8+x~LbWxcXg>lCoNvp(%vqD~a{|2Zlg|KFnmv%n)zzm{rx zH8Sm#P;HSsMkeO(!VE9V|~@Aq`+lsgn?`7k-xmTpXpmmN&ZfcMB0 zfV@0?k=YsPJBu0$Z5vZTTToAu{j*)*`dFRmbI?G7nrOp@KmVs`WCmw>7N}s%EuI+M zAFi7VDa1OmWkO{~0OvGEK?wy?b{Bs3toQ34e=B8D3V?<7s&T!K4{}@lP1vG_JGL0f zahn4xc~lzf{5Y=HJfRPic@#|8WW>?+>0gmj1pVp?tqo0OvX|Nm2@R&grje?=$@5@` zFoDp;UiZfncFC8*Cs@f$|Hw#oJze%F=BQv6_h)r)HFmMXQg9~L_)}Py>DAhmyz8Q* z0W{F(Ku;2f(=zzZTrpv7O=+6q8DKIBoWSL_Lg#OoLalKB>qJdcMO9rUh|hp~F|Pz} zEhuIH`^ETBvh_@rzKnMu$)T0?1#q`di)V7OvhHmAgsYZ7U^);&h1(Z2*H>kZMqf9zt%A-6$%6*Vnjva>k4l!LnxVC64#!Cm;ITf^2J0^raIN2;Mmvt zkZtr7(y`F+NFfo1a0RPwgTShs`uDvTVwL@?N8(?1oNwSV9cWs&R0 z3uiup0R|XbXI~sGlz*;Rsn2aF<#N4KubVpLw87FKQWrlIBWM6L4{yZ=968(~0iy>T zMNrJWmC@xZ zn4H>GbVWauSQgfp_7-{1TXT^YE*X_Ix;`%`5b&NvX|^WqeBN^4PtKJjW;O1iMaC|5 zJ=`+*5Oh?;!}n-9=(8H7h<YJTW49XCQQP1qzR_$fN%hV2`u*799S+-E)LrkkjL23zEf`;5J&?%8=#HOvob-)MV5zj(loRcWGnTY7pXyU>N7vG_gX zLwE4Pk6q%C5ie=LIx+ue`QIz>fNHIzngo6@D=#7&1u>y=2IlHKTEmK}2hAt8`tg&f zKlG{Lb9RvRiV`!HMxl0GOOuNu*`sWaQIPjX0iW%7+Z~9#9?s0){Xd=ZokyMAowkm3 z$k9whkq=+7Exzu^l>Zp@lKP;rtDL$U{mhH4*b0T3YN)W)0q{*oD&PC%DfpM4lv3}k z+;JzXfvT8{B9_c~PyWH~$!3DRmN(p95L{qJr)Z8Q1Ki$<3jA;c3gw?AOi>eOY0U`E z`U+4fN35e1Oa|ZqvapM8Q%s6_mjleI&+xfq;VR^FJ51;Vu`)J^L<0-cNxx(~iy>K7 zowepuMEuAEt)ULixo?Rot=mw}cYppDYi}LY=GwiD?v}QcmO_EzR-`xtcWKe$#oax)JCx$?F2N~JXmyFC0|EU5moSgaB~`RF;+Fe}Qw{<}~7-(BPHpKP)J`7-_cQxSv- z@RN#yhC-1QjiOndW1jSQ0lvfoV>Nso^yu~<=%w4$``o8vJgp&D_Yh;`9u8ePfh4n0;$oy#?1D< zZxhdyWbvd=O}2v`t7x8eSR@IQ64SR@h~Hfvn2mb8BFj(jfm8}ExeGLaZ7MyTtIFrd zu^9M5>>1Vv+{sBEbN=k;6yvvI_pODTuHC4(k<{i$9O-i{zauLpgDVv=XJS*!iMI%a zxN1ugOL+oUoorZ%#CnSGAc=Q+LN`RjVrg~nVDSM0--*>N-8SBUwn{0l2z;OQNGhDVGnPji2!FB50}1ifTpPCruW 
zIFA|cQ6h%GJOA-CYs!_7A` z(9$Rom^z-MePymB@b-X<-5l=#gg;bi!0#e2WTj2C5nb!2H4{*yz%{kHJNuLiE-a$U zqbiHaUbX9oc>!5xD&9Yl{rOzro$imacWQcY!SX+mubk1lqFr_a!dy7?Wp|4bJwbw9 z7G}M%PC$qwm@2pdF>jo%s42!R5Q*P(R?8)!rDZH8^btSB+ftr!s$@#H8L+Mq*1eJ= zcd_m`pGg=b1oi``d>yR#!i(%t*YdDTuE#ZaX41>e#^1$G1?bLv|9n2Js1ShT*&!T@ z<&fU;-Fj0C%F;UVYdwGe8x1NR%d8vu$UD%_pHKmV$DfWCL*J^ZZ!ldykc*)c6Mj*3 z;Y342BR9l~g4}9I;(p?So8R;0zom)E$Z!X*pa}=~qot;aJK-uOtjon*=is zclX4`X^5_9fuu6o%NxJrQ=fDdK}EriUB-q{c4VO9qz_i>%JQ1|PKS;xlY@*aJ0l6@ zryg`Wj*+FZb9>z%wsOIbg^r?rkX9%fZr&pkb{rJL3Qa8%_zoqmj69|KKxc4JW5wPNKs>~XYFXG*F`#fi*+kh6v`8VD*n z2v(j;Q~xGntE7eDm@8>N{#9`f7n4ZT#f1(nT5bJ_zi=v&yD0{?~?!;OC{t6GzPN0Sj=vs-%ucVWO^rH9B6&loRSwdoa}l$9RA0rRsYOew6|)4YBKmivcC z)j6x5OdS!y0FUl2{=J!mS4K0~_0`TOOVtO1Kc68aG4|tNtYy*7Z23zDU~y~r*a~tq z;^s{QoJsTd ze2C#jhxebR8!7D`l!rA0ci!nV)934(@rFGL6)+Dw;3)(~81_4NCRdLHJ~Z5b(^>A^ zs0Ukg^XF4E*KuJSP0ZOk!Di$*2OrY}P@KBP;B*DjT+($_ zB+l$)+67R@Y{gbOpXV7O1*5YIs+-eJU%6f<4s#*#nhBj@tO-fPlcx8?>0 zuaMI_rp3Y5ouW*6RZOu?4OJ}sfwNs?7IiqX1C!}EZ1YJ>ov)be_FpK2g4civSptIh zWq;lyIWM!L56#7qRG;14k+{-#seZ#ZS5irs=$VLrypsUx7Z*mjlBc{>47z96?o2P+hwg}UwNyBpNMVyBZ*|wS^GK0IS*kL1!qN_0&18J zen_4-b=K^+?jJ6sEoHU`rC3 zB_sAsU!iJ2zlMJGbTDc(Al^6T$bvS$kSU<*TuRS+*{x0Ik|5uzDM(Ga*m1%b5u1-^*@H_(t;fAL<(v%X38?YEBpl&M zdELD8y|d_H$EJ~xS=DDrEqm1KZ^S?&-#%dF7v>r%cpBF!x5BI#IPKqx*!aZ59VYXGkxHZmcWT^8}K89Z#`}s77CCQmPJ@k`wNvf1x zjuW%w0c3Pxs*>%UgyhJYF`K_NXt!g6@GxzP*ttyCt~pWnbXT$&c>V#<`Y5aY1a)t| zn_4=HOe9wEOqIl_vX9f@Fj0D$+!{5M+uAwhqvs6<#~b+I!*g{tEvMxP^CLmPgL{alVONutx!RV=~dj9JL3$L6{f zq@xCTY7><$&sGFkBWA1jCKj~SPJUCv>qUyKOX65Y2;j;v>_tStc@katbmrEpCS>V| zsicHjxC;cogUBBu3-grsGWkG&5|(PODFd!djFzm`HtJ)n?@Dq^|XT4wVw-Jq+zub0}xu+EOyDzzlVv{PELyasEY@s2OKn8yLwDBO{P`mERQiaKKA3p$~kE&pB>#q z{Uw4=vfELb0k_y_0R|WBjvE}gnr2Ivef>(!WB{}#qQ#Yzc1j98rPDp1n*>9upEZ-m z;5LlEC%RIFPAb+A-au`&nEf{+BMo<=|EfW>5>0e2Jf+wR;o{RK=>OhY>t=fEYoa0k z>L&1xDQ^PKBiUkAODA6-+73GF9i^Sa z^=Vu~eX$W~{D$p%cL){@@{)GaygRMtxKCY_VR-e?2hQPc6Mh&@E;K^kCS4ftFUGk5 zw6eD?t*g@Iw6w(7xGBNoqDSC*IVbY^8%)gcVmP&IJpV`)OS_m{c;NQ@^EtYh=sUgT 
zwUT6K-h@!Mq(ZNCqK&~ZhGzY9x})&LA8Jvvpxb87F`-( z;hb8+`7e4YSLKqN0UCBA(@{eT>InOCuRFEbixe?gbB+ie?v+MoX4(Lb4OCI$QMW;_ z%e={NM7p6zqwu)^myiXqG#f7GxYz=ACi9;v=R4E>Cy4qd41+n$dz^?(53xj`+BKmy z!s%(Et$W;>ca*X#%V?q2qLsS?xK7S{-9L34jZQW!nh#$KlLUjwH8$T}N60>2zmrZK zHrk7~@l-5XvFVP+t&p~aZXq94{|E<)mZqrVG{<7(Tc3KC**c^bJuYRhG8g?YB2?o6%IF5)-GEAd3YE)H^cHC|-MB~KXozu$59F^DMO@?4=Q;GpYq z@({bVb}-5VW%R!Jw_S&;8IeyZB=}78FWkMNpvp}0-zF#HxEGMI&R;ywM;SXUceL_0 zAv?3C@|M+wkqbEy@7Wl`j3;uV_B}&7Au5%67eM7AjXgH=ifJz*_ej>xyps=dX_!4V z3zR3#=wB3PhBA*)jAj&tK|MR=gzo$ENWDd*M~mzN5|USA!B-Az{f8{qlvpuddu+`q z+2@Mc>CIoIMj8x+jY;xcqg{^pf}#F4q@l10I&V?{q2UG4yjWSi5(slDo@!XZ&GVcr zqVVl%bi7_r53H@mH-uiVwJxBQeK%aCwSE=MF=hJ(bxN01Vo%h1avkERwGs9pqg-0v zrCwsaRMWZdRIWFs052TP@#$Q%IdA*mk&^x}$aJF}rZQxLzg9bRgNZl-9uUwxHF}#F z5eQZ3xlVO6Nt`WdvH!fN2dbzwDymOd9hnwePXSPJ+k%j=ukh^KYfI1Xglrf1lB#%Ktu&Vi6x5z?boFR+7VizC?UfR!&fscwa=(BEPdTJcaXv&Sx>MuEeB%g=BEm9gfxUB;ZY~ zumOcnVSS(;@0#qMKn2Q4=c;&1YoLg=*T}qhErI;gtM!4q_awrE|Gb?1uZa~k0I}>+ zQHAQSv!eg0=l@pso&PUS=f&u2VDWL7MzJ7VX>H>;FLy|#{yB|wlay_jGWxJA>9FG) z@k8TWmn5`ZV2^)}B$plswo0J5Fi+&B=rUeE3tv%5!`WQd(-7X=#iD?m_j;uhNtdkj zpDnth2ovs#Sn!pq)IO#Hx@TgnhbN)9kGY~6d3^(^-TsN5lE_u5j-J7Q(6p17aL?%a}l^=T$PRxdbyIK`DK@^?Gcz|MW6@e zD7U;f6tzCturW>6OR#GiNj4PG>hcO9aO zuk+b2uleR8nEr`}#1p~L!f#M|_o}hKj*Q0`)x;U4+tyQ-VIME#E^Ab?1|KrTc5vCN z%ByrkNG#U;pHN+!Q|-_g`R>lzblmF2+5yWkvNQ$Xr{MZ&9C;6pHQUF(_J$|XRT4f= zUPw#b4JCS8@nSc0L4$ffV2g({_73pP=YpeFJj2~Lqs#sc^R0*Kfps|U3Ffxh30}Y3- zO7s(vZet4GUq$`%O`d?a#(5rA^lmr*cn`$2kEb|t4m>;zDfC8#m)x!_I6 zaoWF2q#z`%gxk$^17D>kubL#OoS;0jzGLfGV_87;UV`(0EnMpp7xa8&iTDk9 ziiJ1o7za6+G;i#BN0bMC-DSwgSUvLxpD8&POTIoC|MTNeP)m^Auer!Y)DZGP$hGu) zLHkwHsF1uw8D9caD<99U6F(`VR07A^;?nbPLdX(Vj7)wsJ@C@>hwM(Cl7ZzXPA4l1 zrySIq>)_j`Zq_G<+{&rYTPzqo^Kmht(-mZSF@@uNsvJdchZ<+?CYquo_^=%HV~K)L zx|uWMfjjPu1fwpDV)t#@P`kRq1N0@ypth%ZK5KB#m*LJI2uZU~buHa)z{uf|wmu-kY4u)rx!wAntJO{3_~n zpK>%;o26g^8@aT^HE~Sxlq)O&WU)>}4}^*`S0wIgn84~D!PZ0Wj1E8LH}4icHh)af zTnZ1{pUJRp1AaLo(%P9Q#q6n4uAu&$?i9)0tNQw+_s`k{C(GiXa9Nn1>#JqjzsH{O=0y` 
zuZla=Cc>Zymc^b!O(BQiNczR`#^b(X1sqVM97fvoToGaqoQ>0wP&InVHq-9H16rRz z|59^GX8X ztc9A#xtVr79ZqE5h&s#BH&!dmmlG5RdbU*z4i7H8%Az zL@YOnEX2YJcE)2>w}_;Z+=PupUMhiUXv_jvFnh@6HWV`cZ&{F+(25%dRrSto@ktL%%$B`)v0I_3BlsuxTMxZfujxg^OK`bTK%$QCJ1$^)NR#% z60bl3vAp4%q@WS+j@MrDb=3$Cp9>4m;T!ata^|Q^&$XQgNirf9w+Nk9j*L&wFv$}| z>^q0jY(Z@!fo-12ZOxZ>Wnj0GQtg`q>+9S#-Fy&){9Buq&Rb!C0Y^{L7ui~)#}ics zT>hjgnGE$4TlTAm?^hRFzj&(CY{ST2s%` z$6{w?tSEH=Y5W9Kp#ZLR^GOUuBXgm9|u>Zh}~pp%3+L7kFRVw`}L@l7i_U z1wj>9gH3T_Xe)k4L?x3aJp7MV)I!QrI$}tAxwkWnJ6k}VcjbESlZ1ER+BaYZdzckJ zA-_c@W!YuB%enGAe2KUyoLEL&Zr|ZDz_B>Tth(~ouW#h{-^1sw$h`{m;P(K~T9nx= zjD(tJ5NSqAP&NqjysGdcO6kbv&{4c|VDMB2i6aYh6*UB!ej%1%p6Q|CHUbGfu~NpKGaLY&Cp-I?X+$diyVp{?2;S)PvP)kqZsBBV)51@tVIkUC<9I-wkXuP4D4}y5Qa>zA{V9R9GIGkxo#RPVX2@W=Up( z#T6NwCwY;75IE3Crm^okt?to#AU7V?8tl@V;>67v3L@3rQm>U}HcD`tucnSowyKSo zp~OJyt*^oW68iI}%~?2JaVL}-rKpSPI=xZi@=4RFNvxuLXwbGhY6a&}^`(BE6Dj6$ zNEqUGRb0AdC!>#&BDw76k}2c-x$(z3WJ513DY($4WS75&LmHHBVx)ldO;B0hcxVx7C^um&ZF*(rB<7t~d$F;; zsZCI~6VcgNN}#=vjG#<7Z9W>YFfdzgU`DGf?FD);5B#Pcqf>|VTYioI=U@6Q#@2`a z|9`sL3N!~7($Qve3P>x_eA>M<#>CEr^kkj4I%5 z%WAXA_J+GYX{!@iAF8&vbPqM~ZK;slU%?g62wJwG>L%C`jfB}$c4SD2`53lFm`a%4 zj^?hMHI8*D*}YYowHZHSlJljKSc8kk^I4pV5b)D6ddD@eUcwF z4n1w@l`z9cTFE#|d3;RVJ|#!q-$MKw`?@rFJEFO&)R;YK6be$nDZ^dj5LNTNo(pEi z`=TeR3Ev>HU&GI!FqC@A#OTYPt!8s*zDHg>HG~l^xhk*m_ys?zf+3};lwD6>{$v-x z{b%B*TCz@sY##`G)3l;0aGC20S&SjKTCngE#VrC-J`Y5Orf{y73Xa4};5=HLb)8>Ds-)-pGuS;=&4g_JCT|M~gtu;(jf~EDKYsbw21` z#&*-)^g;k3UJjKL;;TCv9TUGQpI2$A_+>Yn{Xrk0BRF`7T;t)fH#L9UjWFn_)gPJV z7I|Expd7&A7ma-aog1H6pFnS z#_+W4eWQUYLiz5CX+MpUIdXihvb4e(^MvIj1>7{-fdP)deLlehQBCzq`#v7qU}wmV zY2@!{e#4|rmDuYqa*#ZAkBZEb)PKU-nT8ljI{Mq~?Ag8ltW(Vv_;#t9+2l5+s;jUe zU{LBU`hQ8jJ34~D$Rf|jpO4aVh7m`cun?-Q<3No(S7v|wI1woKV-nS2bSz?V5&^c< z)Bu$~#c#wb!X_4(QYr#cfCo89G=*b#QDy!9=?i!I_wv>W?uKhhZ)!G-fNk;e%5viV zzyf-dYRVE8{5ePHHNaPGMP<;@6BnkKsPav%$V#bcE;(J@IzC0aG(kaG)U2qH9#A09 zCa={PSevybYQu8IGF zPP6_So#w)#iY1z)$MQ=Q^M+LNYMRte5+=GzGCB2ewf{o}E-tj97s%!op|_?FZIs>^ 
zs4KCR8kx!&B*qfSPJEX?!fLRJgIG(Mh~ZXG2%&Jw-TAqehCK0jJ=q@|?)H)U!@zg> z4w`|YzBlW;eFg+e-cg-m5!;Trr6`9>1Htx*Co&}~0T~E*&*kn;$QWH~S&U7_>o2z4 zhLAKT!`D(x8ks#8*m%$D_XzIX919ZV%r`j;mh-*Cz?Yq=l9T!8EN+n}SSp-ZZKyUY zx=%#s-kU-J44OZqM#;7p))89Wwx*g-)F}BGx%y6i>enb*3UF7cp$Z39c9ezTj5VMc zcltpWO>B7VCkwtL)b_60tS(IH@>LS@33#R&OSdiOTrFi;UVRyK9PVyfjDS5K{rG%8 zfpNE@j`4B1teSW_*5oc-|6)T^2qQdW%uJx4D!lFMazL=uV<`rGYIW{!i;N2dLyKp` zNKKU-u`W_iEOBYf?gleqG1-z_=cDr-cJ%>^f1T6<67{6>Fkwg`l{3`r-Z`oEHi12- zgh{6jF_BhVQ$>r(gZz8#S_oCW7cxgE8cy9!0v4!<-(x%l%X?3%jATz0S0(#WhLu`H znQ?3z;Na1MbRddz)~&L(J$sK3aODy$J2b+)Bm_s)4uB9RjslIRzGn8v5A84$PUh|; ze)X>&ROl*v-x>1BPd=1tKv_y*chwL3LMa}%)FAeopf8fB6=Z^YYPd?H1t;okDRN6r zncW4mk7h%O-bcb${0XYUSTU-}pKC{qDI9LX*omKFv4&Dl`vQ-~JhNXyJYnPea)`=r zM?e2r`Qd{X{RZ?!J_%9Yf5}gNDfXwK1zN}Ft+2~L;wK94U`z>$Vr9P|yPG8`%6Miz zkq?aXM4#T5fZqzc%j9(Pm~+Kvltl*L>(wEQ+V;#%r$f3yHHu9~%VWJLtm%7$I9I~3 zVWhbTKE~3w!kx4sMG`F`dy888+SZ-<^cvH}z)+_qR~GiYDSdPAl+Y74Lo?#DqCoIr zTH0vhq9{D$4ORVDu8;|L^)sIUl^N;?PMn(Hp=Cma9Kg>X}UjR;A)LoiahDnh_UMcHcr(H;ha=S1q)AW z3t^CGthn|%igC;I4<^2;3VN-J>QkDG$$SUzQtBLb&7WV6o?6Z^m%d2e{y^fa43ZP| z&Ka2kjT%k=)q3xMV(k9owUWKHK(^+C9hM5@nTO>$tMx+*wR9`-*T{?(-0KU72W+1& z?3TFmw3tOnZtv!C;U)}kPwL0x^z-bpeUqK3g&Bus<|*(*%F#hTVVlZk_j^Y>mI!l1 z=FV$;{-;77j7iNk{rnWQ{h#d>2iH;;D+d&oX0x8}TihHBbkCN~zJw~{yt8lTA5QgX zV@u+H;JCfi@^$rFQP3dy5mM-Qerw9$i%6()C#N74140;3ztHVuS1H|nIR0t2OBDvX zO?U~#Q1U)2l9?XJ9+~}Bvcow@N)tRz>`v*}szL}67jTrsKvd>c+tLSd<__!5$WAptT`>af>h=!}>La#2#Bg>!kjbhv;n$t{*FtI(b z%2}SUEu{aoJq=mnlH70LpQ#S%#Z)Z%cgWv=w4#2{dZakt+ql{jOXk)FN{lWdsP&P1 z(S^3Dl0??ql0JuY$#>yl$#^#tkhJRLQvrHsJhp_mmpF*ez~=qIF>z29r{`CJI*Waq z0Oj~VpNeeme45~!5SsHv{8PwtrL7qbm)AnxFv6;{9k*kX*TM)V^URU(dyv_DNGa{S zYrwyS@6O=VPJpiE^knL;Od3G4-}__7b77aAnE)Hv*V2l_}TIU)&a1gd>%*hGrRt?wh^jjPP6_@ZffM3?K0aikOdmvP*d zaxZtBx%2gl6n>6qMh`gYWSWyRGXFLLVEC zh0zy31uJUR=}s?+{>tkX9WKJU5WK^4ytj9%GC$|!f9h5(9)7W0aO)&=F;MP(s{UPMnrn`-QSD77Tz<| zA+>E|l72jWQRZb37HmnQQVNZY!I5=PBuCQ5x3%Z`*=S$W6;BzpQs*PycKxG5h`s7e 
z`6GDr&}F60o;=;VG<~XV{RWk?k~Q;3+}LY7hGFPBsO;o6R`zTUTYK462`~Yx5@1;^ zN#MghQVa$?YBG5g#XP8D1l%_hzLlB3M;^T!?HIIp&VFtTCl$8!T%(l|PsKx8hr`e8 z)h5e6$>OmUjBo>n_mIGE18=?hon@N^V~e2W4&vl&m)yAg1F9_gyhGY*Jy?;f%;(n0 z&ieLyN4TfZcGYV*OI*ja#xaC*@jz2+XbO^07pjHQI9=VoJ9tH(`84}i2Wj@#kWf-~ z{^;`#pv3OWj@cInlJQtf^V{|m0RHfF_4L+Yxuz5K1)nw#?idt%ndM}SuX*bBg`EzY z_bY1r2b`c*_Gf-zM{=kb8YaH1p&JRud9%U;6~FIzglqLfHEqd~)o@|3WVv*}I${f= zM7_jLGR(rEvBx-)Tt7SK>(J}v$`;(J)V8lzObJo~AjoCF?$NGSnD@;~{_Qrj@s{>3 zXm`|md=W!U8oA_I)fL9ovSPjaSP+ZVy3A#vfh)`VJY`F*9o*r$;e1%&(&&BJLo%Zo zgu5ShtD=P~`m)J((BXxU*JQ#C3ezq}9(MplGKHzd9D_e~b?}l!FZWZ=_Li}}D4MI1 zdJa4bKlLBC=V0!!0y)@m`UZ9tZYZUg#T; ziv9&`)|5*P8;HQ=Fe7kkObhn4QQUC zFL3dj6N;f~bvNNiSOb1$awf}z!Y!CJhSN5j>T?yNPJY{WS#czPjgk?h)Wlb1aRfb7 z$mM^MTff^kZm+ID-k(d%A`@fMos+>TuG(0yepl~8j#e7^KD^8ONe)Fuqw@qIflh|e0HuFT_q%gVS!jQJNVY4@|4w2|} zOdcwQy~S-A3paODRVk7o01TJtbT#`RFv{)WFqaeiLZx$-L{Vk@aP&o_TkmLwBiUEa z%rtOZR-Jx1A7wF9Wo46o58bS)*v`33RX<#Q25e9m!u8@rX$#|V_F$-)!RD-V!DD%a z{A&(H$rFchCM>I|bPYr(s}_O?H7-2sT*O~Or)o0KV_O$#TyAiJuj))Uj2A1Nb>zS| zh4Mx$V>l6{H2AZ8nGs&vbz^d6+TvuldQtTXCHHCh3o;Sw_m^`cHl*5w2rXJZv&Xaq zbxA{XFpjmx2bNzBXueJ_me(A8=4tnmnDst*-kQ&Gr9AVktyr<4>f0T?B|U8O^}81T zv%XQ&4!3veQ84hhuh|-M9wJKH@aPsNx-T4TcnZ~<@&uhVA=+7q38d9stW0cXq?PaV zj5;pab~R!ks(1}}4LD7!SL+Q`qjHuzy*B!EF;?eIj1>0xwtl72l3FW8S~t~v-IL$` z?1_Slt=k*_pRcd~djXPzA!!PqCQ;@sOR@}>TiT;b_0C#FHl@X@*Q2I?5cYo8W)DA) zzv6OH3$Ky?6T$w*vxlVrcc=Abv$H@jt>lGu8UP@dx3CC)-U7BqpblRYY94rzohFLD z$DGVL)hC>m9M-mGSV{=`esmHooQ@}IbxZ*~eV(;>Sr_saK6RA#XJ29Z#Z;#FZ3WQ) z5*JIraj1QejYc*Q4NXO{fqrt}>e}UbL^y?jAsd_8RwntY{_LR8Nc}QNPDz4=Y4<*# z?7|^(&6HB2rkMY<*$Ws{k}o2F_>3*oYY3{02Fk0e_51Se37TWzNsQS^F?8Og2h+X7 zo(%h^w7I#bi`Y}lO2K|i*sps_S9{33qw=tJ^WiaB0W9XqRknF~yP+>>l~wgy zEx0rehL@vXzJ#gINhq0hxu>mGU(i@6&SBQgs+X@#zbq}<(y3Ui^%CpHSO{*Y_Zh8UJhQg5bCcd_yY3LYT;~(kHXi1Kv5let*YrjdI z%(BrYr3I0z z6^;1$T1}^rt0@Clu3!h)sS~++uCo2JCRptDar>6XrIm&#{mjse$G4}p5{f9!f_H-+ z&ac-fOAT)}-lo~uZgjL?q|Md_vB`+1MHHFS`n^XL|HBp%i4{a~I}?RjOB5m_xQX>u 
From dd6b49e747b8deb810ccffd93f606c6d8c51fb49 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 4 Sep 2017 08:30:46 -0700 Subject: [PATCH 32/51] Fixes for device registration page --- .../hello-hybrid-cert-trust-devreg.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1794f87811..5df093e046 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -13,7 +13,7 @@ localizationpriority: high # Configure Device Registration for Hybrid Windows Hello for Business **Applies to** -- Windows10 +- Windows 10 > [!div class="step-by-step"] [Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) @@ -30,7 +30,7 @@ Use this three phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) ->!NOTE +>[!NOTE] > Before proceeding, you should familiarize yourself with device regisration concepts such as: >* Azure AD registered devices >* Azure AD joined devices @@ -51,7 +51,7 @@ Azure Active Directory is now configured for device registration. Next, you need To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. ->!IMPORTANT +>![IMPORTANT] >If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). #### Identify the schema role domain controller 
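Review bot: `>![IMPORTANT]` in the @@ -51,7 hunk is not the alert syntax this repo uses; the bang is outside the brackets, so Markdown will render it as a broken image reference inside a blockquote instead of an Important callout. The @@ -30,7 hunk in the same patch gets the bracket order right with `>[!NOTE]`; write `> [!IMPORTANT]` here, with the marker alone on its line and the text on the following `> ` line.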
@@ -106,7 +106,7 @@ If your AD FS farm is not already configured for Device Authentication (you can ![Device Registration](images/hybridct/device1.png) ->Note: The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. +>[!NOTE]The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. @@ -118,7 +118,7 @@ If your AD FS farm is not already configured for Device Authentication (you can `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` 3. On the pop-up window hit Yes. ->Note: If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" +>[!NOTE]If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" ![Device Registration](images/hybridct/device3.png) @@ -141,7 +141,7 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` ->Note: if necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep +>[!NOTE]If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep ![Device Registration](images/hybridct/device6.png) 
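Review bot: `>[!NOTE]The below commands require Active Directory administration tools` in the @@ -106,7 hunk puts the note text on the same line as the alert marker, and the @@ -118,7 and @@ -141,7 hunks repeat the pattern. The marker has to stand alone on its line with the text on a following `> ` line for the callout to be recognized, so as written all three notes will render as the literal text `[!NOTE]The below commands ...` inside a blockquote. Split each into `> [!NOTE]` plus a `> ` text line.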
From 56cc38ce504b435becf47c137e0c48d107d710d3 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 4 Sep 2017 08:42:18 -0700 Subject: [PATCH 33/51] Corrected Note Syntax --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 5df093e046..54cba0f3af 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -106,7 +106,8 @@ If your AD FS farm is not already configured for Device Authentication (you can ![Device Registration](images/hybridct/device1.png) ->[!NOTE]The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. +> [!NOTE] +> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. 
@@ -118,7 +119,8 @@ If your AD FS farm is not already configured for Device Authentication (you can `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` 3. On the pop-up window hit Yes. ->[!NOTE]If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" +> [!NOTE] +> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" ![Device Registration](images/hybridct/device3.png) @@ -141,7 +143,8 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` ->[!NOTE]If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep +> [!NOTE] +> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep ![Device Registration](images/hybridct/device6.png) From 48e65218478b3004c718df1815102cf70e3053fa Mon Sep 17 00:00:00 2001 
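Review bot: `GMSA` in the rewritten line of the @@ -118,7 hunk is the product's `gMSA` (group Managed Service Account), and the `$` suffix in `domain\accountname$` deserves a sentence rather than just an example: it is part of the gMSA's sAMAccountName, so the account is not found if it is left off. Since this line is being reworked anyway, spell out both points.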
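Review bot: the context line `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` in the @@ -141,7 hunk drops the backslash from the prompt and the space after `>`; the @@ -118,7 hunk uses `PS C:\> `. Readers copying the line verbatim will paste `C:>` into their shell, so fix the prompt while the surrounding note is being rewritten.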
From: Mike Stephens Date: Mon, 4 Sep 2017 09:06:20 -0700 Subject: [PATCH 34/51] Incorp pics on provisioning page corrected style and spacing on devreg page --- .../hello-hybrid-cert-trust-devreg.md | 40 +++++++----------- .../hello-hybrid-cert-whfb-provision.md | 15 ++++--- .../hello-for-business/images/SetupAPin.png | Bin 0 -> 53044 bytes .../hello-for-business/images/dsregcmd.png | Bin 0 -> 83251 bytes .../hello-for-business/images/event358.png | Bin 0 -> 81668 bytes .../hello-for-business/images/mfa.png | Bin 0 -> 108740 bytes 6 files changed, 23 insertions(+), 32 deletions(-) create mode 100644 windows/access-protection/hello-for-business/images/SetupAPin.png create mode 100644 windows/access-protection/hello-for-business/images/dsregcmd.png create mode 100644 windows/access-protection/hello-for-business/images/event358.png create mode 100644 windows/access-protection/hello-for-business/images/mfa.png diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 54cba0f3af..a2aaaf3e2b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -30,13 +30,13 @@ Use this three phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) ->[!NOTE] +> [!NOTE] > Before proceeding, you should familiarize yourself with device regisration concepts such as: ->* Azure AD registered devices ->* Azure AD joined devices ->* Hybrid Azure AD joined devices +> * Azure AD registered devices +> * Azure AD joined devices +> * Hybrid Azure AD joined devices > ->You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) +> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. @@ -51,8 +51,8 @@ Azure Active Directory is now configured for device registration. Next, you need To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. ->![IMPORTANT] ->If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). #### Identify the schema role domain controller 
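Review bot: `device regisration concepts` in the @@ -30,13 hunk keeps the misspelling from the original line even though the line itself is rewritten (`> Before proceeding, you should familiarize yourself with device regisration concepts`); change it to `registration`. The unchanged context link `#configure-active-directory-to-support-azure-device-syncrhonization` carries a typo in its slug as well; if the target heading is ever corrected, this anchor must change in the same commit or the in-page link breaks.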
@@ -113,11 +113,11 @@ If your AD FS farm is not already configured for Device Authentication (you can ![Device Registration](images/hybridct/device2.png) -2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated powershell prompt. Then, execute the following PowerShell commands: +2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: `Import-module activedirectory` `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` -3. On the pop-up window hit Yes. +3. On the pop-up window click **Yes**. > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" 
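Review bot: `Initialize-ADDeviceRegistration -ServiceAccountName ""` in the @@ -113,11 hunk leaves the reader an empty string to fill in with nothing on the line saying what belongs there; use a visible placeholder such as `"<domain>\<AdfsServiceAccount>"` and state that it is the AD FS service account (the gMSA note three lines down only covers the gMSA case). Two smaller points on the rewritten step 2: `Import-module activedirectory` lacks the `PS C:\> ` prefix its neighbour has, and `(EA )` has a stray space before the closing parenthesis. The Enterprise Admin requirement itself is right to keep: the cmdlet creates the Device Registration Configuration container under `CN=Services,CN=Configuration`, which is forest-wide configuration data rather than domain data (see the object list in the @@ -488,27 hunk below).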
@@ -190,7 +190,7 @@ Windows current devices authenticate using Integrated Windows Authentication to > [!NOTE] > When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. > ->If you dont have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). +> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. @@ -214,7 +214,7 @@ In the following sections, you find information about: The definition helps you to verify whether the values are present or if you need to create them. > [!NOTE] -> If you dont use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. +> If you don't use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. #### Issue account type claim 
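Review bot: `Web Authentication Proxy` in the context line of the @@ -190,7 hunk should be `Web Application Proxy`, the AD FS proxy role. The same line also deserves a security caveat: publishing `adfs/services/trust/13/windowstransport` or `adfs/services/trust/2005/windowstransport` through the proxy exposes the WS-Trust Windows-integrated endpoint to the internet, which Microsoft's AD FS hardening guidance recommends disabling on the proxy. The text should say this is only required when devices must register from outside the corporate network, and that the endpoint should otherwise stay intranet-only.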
@@ -488,27 +488,17 @@ Using an elevated PowerShell command window, configure AD FS policy by executing #### Check your configuration For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work - - - object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> - read access to the AD FS service account - - read/write access to the Azure AD Connect sync AD connector account

- -- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> + - read/write access to the Azure AD Connect sync AD connector account +- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container ![Device Registration](images/hybridct/device8.png) - - - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration - - Configuration,CN=Services,CN=Configuration,DC=<domain> - - read/write access to the specified AD connector account name on the new object

- - -- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - - + - read/write access to the specified AD connector account name on the new object +- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index b6f18b025b..23ce3d4770 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
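Review bot: the placeholders `DC=<domain>` and `CN=<guid>` throughout the @@ -488,27 hunk are bare angle brackets in Markdown, so the renderer treats them as HTML tags and they vanish from the page, leaving `DC=` and `CN=,` with nothing after them. Wrap each distinguished name in backticks (or escape the brackets as `&lt;domain&gt;`). While touching these lines, `serviceConnectionpoint` should be `serviceConnectionPoint`, matching the schema class name used for the other objects in the list.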
@@ -21,19 +21,20 @@ localizationpriority: high ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. - +![Event358](images/Event358.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**. - +![Setup a PIN Provisioning](images/setupapin.png) The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. - +![MFA prompt during provisioning](images/mfa.png) After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. 
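Review bot: the image paths added in the @@ -21,19 hunk do not match the case of the files this patch creates. The text references `images/Event358.png` and `images/setupapin.png`, while the new files are `images/event358.png` and `images/SetupAPin.png`; on a case-sensitive build or host both images will 404. Align the references with the filenames (`images/mfa.png` already matches). `images/dsregcmd.png` is also added by this patch but is not referenced in the hunks shown, so check that it is used somewhere.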
@@ -47,10 +48,10 @@ The provisioning flow has all the information it needs to complete the Windows H The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. ->[!IMPORTANT] ->The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has syncrhonized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. +> [!IMPORTANT] +> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has syncrhonized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. ->[!NOTE] +> [!NOTE] > Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. 
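Review bot: the rewritten `+` lines in the @@ -47,10 hunk carry over `syncrhonize` (three times), `thier`, and `investigating in ways`; since the lines are being touched, fix them to `synchronize`, `their`, and `investigating ways`. On substance, the 30-minute figure is the default Azure AD Connect scheduler interval rather than a hard minimum; the note could add that an administrator can run `Start-ADSyncSyncCycle -PolicyType Delta` on the Azure AD Connect server to push the user's key to Active Directory sooner and unblock certificate enrollment.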
diff --git a/windows/access-protection/hello-for-business/images/SetupAPin.png b/windows/access-protection/hello-for-business/images/SetupAPin.png new file mode 100644 index 0000000000000000000000000000000000000000..50029cc00e5c2ea8435f7b74686f8be3fdc9801d GIT binary patch literal 53044
z`tocnuuUeITeY_=d%=877iA417D%NWM_ot(mb6vxp=`MuQY8Pw@A}p6bmBu)NQf;b zVirDsA-n1e7tFj$V8{CZr&k>gJY8%#XMSdMm>bYjUk!aGGP@HVb88PP=hM?0gu`Pa zJ6`?15~&pPLh=%bGU^xC)P3{r?LOuU2hE1-9%lQQpuG;3ui%Q*OS6i3Z+>@O4nfAz zE@s^Q9Amm=N)Vg6&t6cNcjK+&pc^}&XA_puoDh6E;CE_fhHxri5qbn5f%`vdaiixywx+%7(&<7@om7Y&fx3?F2N=>Pdhd|U!swh5##g3WEJbl z`UN4u&+jo~7+`A$LDW&@`qF@U@*#7T54=^~R!*3wMT^2?tp*O8{&A!VHLiQ)4CBCG#C>B=sB zI76B%JB=^4SBl17T$skYyOTOS!J%UR*lZ;KNG=}%4ScR%s<`PPinx%LH1uF>3+;!b z^&cY-Fa^#&8#h#Yb5FRQK*GFDD~NDI*_yzHMt@w>1hhlj?@f$!<%OSx>E9qJlJ^~u zwTzc$Qf%8WbvDGnwQ!7JJw&H>)%=kcEcKDA+;<~<5pbxESSfsJ+emmMjTjXS3pQ=E zTAWD}M8TlwxeEe{+pnH6IMH@s!SCb+s>nHh_*ZDBK=xhTV9%=I=H#fdx z+G-{@Vm%YVK8)-PS&EG+eYoxx1d+8x$xA(-ZKw^}i+_di9twWdcUd7jsJD%=xs)_f zrN%VL-RM@p4On2Z&jfkO-y$9nyilanA~f@XdXM5}jXDQxLbU6vt$ajGO2ZRfn%3`t z&wmy?312T@$rvISs(j^?45EPC#yF#sk_Y*EYy-Whz1&6%5H<=XuT*qJfb#x7bZ^y>7cFe@AC zE3JAdbVsV>&%qv5oMVlycWzl8MzZdj_|fLcB#h1sxn1=JgTWCXCB)?!pN9#IMufR4 z-!jcz9RH4^z$6m2qNBt?cK4PDr9KhUl*cE8TMI#7^$6|vh(K=_fBWt^iWqG>{Xd`1#YAH<1X~`Qv+}bXob~J*n^zv(GTsh88r+rq2xF%}h@i{f6MC#8zlQ)dstZe1`#|hukaKzy@|Pk{hH< zubSkT@CQKO+Lf};yyFg-p33Vp_wg|ft?2Ie>1Som(s?$G62;~0QmnqPN-41+$?Kc& zKqk{xCU)~!lBT}5-EOmPj@gj`7l($AeJljL1|?m{bBX!p`0G1MTblqHjJAUtV@N$Y zR977x@KMz5;KZMfE1MQ%>g}NOL**xyiaCXZPjOUhnuKY)4+jUP%mV6ZcouLTA^1LP z-FL9}yMR7L@L~6hcP+`yHEKtzBb-M24%B@abtsndaVuaxtQCm;Zbvq7X%27Y8s!rt ziu$&6un+pG*84$%wQG<~_IDHdpd+RROE=n}D@E6R4nfgzv+?Yj<8AIS?E78=gtdp% z_DOQ2h1uVhq6Op(bx~BvsRuy?-T5^eP@2bYyyaS5o;ytvNxv0Tu_4R~L6(jm1U}va z^}IOGRcK6z2|y$BQ8f_?6>;u9Le!{qJ5l}igO$pnP@7z&Ix`b%0;YWed0~YmtoAhH zTfGNE6@|W?^_(d|Ij!;*O4sI>T`Pu~Q z|Hj^12F2Ay{hkrrA;E$}fZ!I~g1ggL;}RaEvEUj!IE2tZumpE^_l6K41aI7eO9yBi z?%{dgd*_{+s`)UtMr!Jws{YXD?B2c3K5NU_`?vm^D6DEkpf!?N$*=lZ0ZFu!f!Q5x zI|f*o&{0EUI;2`dT44FXH`23LK-9;|WKBwJJ3ER|3NtO)Fv=EI-rc5c5(mWD1mSxr z6nzZkzAz2W-%<2-;(DjL>nbMro^g4{+2{J_Mz>tLE#o@T#)M$0>|jOryHpTS7^;hb zPW1LxpuaMfJQL0DKuDkoLdxAJNcK-ue~T5P!RN0}nM-7IKEKF@7uukYt(G`dDz1Ea zRNJma-MgDl?$k5ArgboHVLH zIP%1-OI6imHRO^Z<-WTgswP)^x6$-%L)XiiwB+MoSm_lJ6j7G{6(K8_YU1tG 
z!&L8u?CUfEpQySMQkTIw+mLJ8EhI`$h8vHUB5d^z`f@UjYeYYA`9eyH=kFt=48DS& zER1y;&`PE0>xOL)IwcWc$XWjuxg9ZMwNLf;=k`EV9;Yrdk{8mGtL(4TSdyqPm?<>>?*as)cChC^X&zXU5(Lw=F+j3k@$ zd2om*gF2abUhzbZZ_G~+k_quVdoDl&-AMhYprGvM{GJ5o#bI z7ukoG?@zUEm+A28NW53atuDT+**ag2Mh7?5Cop0x)#P42S;k`R&2pP)Wb+fu%xmgn z*`tNWn?%|AUeOIZp!zzo_J({>6^b~LU#V(bZP|6;4$z*SY_GjjI6bY$&izs^etA+R zUD3+%W2C={g7qXKnRHP`U!UrEF3BgUxsV~u5;am_)n^(VtcR*d%s`yE?Cv4ly1GVK z#tq6!JRdY8)L)z*cyY|R94COM_HdR8LHD{<1J$UfuH=X^Rl%%B)6^!ROruYg|<-&bxoQtr&>RYrUi- zFFZ7ztL=oA$A%xNOsK11<15y?PDBFQTWhwPNxylKr8~P==Xtw1kr|1G7N-Y7oHKZ+ z=VWLNpCpBsJk+Y+odzPAoXlQTa+j}9yG%W2Zm1soNnQWAvHi@TW4#vf*`h&=o6cZR zbSJJYkgZ+EBXWiPPhi;za|Yn(%^!VA+$k zC_lvY=3DmYh0rWHRBsn^F_M1Ujjp?nB(NS3dme-6CD7kIT1g;}@*@Cw;sxz&$0UAP z!uVu{T?HXdBke?$ysaX_*D%37?l(D!U5QSBzGU#ebJ}!Ln^^AuJJfGY-t?SCujBsQ zaxT!HDhNgLa6M#6G`hw-fY6kBJ>u_QEOsd5+N`GbRrX2*I8l+XfFvMiJ zWZDpAR~ZiR)1;)%sUya=Jast>*~%(<4|^vI85wY2nI=m$infW0bS*3A^Ux>M+cH>o zsTFQRX-Ofs_56254RDX-yZniWrldgHQP>gJymNO>XBLeIh?2TmAGd=m?e3GMKiH%M*N@_X@f zTj$r#Ly>0vMz2$|`d7mzTt&hbenY-uhpgZ@Tw#G z=y0$%kd|jZHS<$~BEwm3PCCQt160%Ny{L1=*`3j@=6C)-8=p(4{ep09;f2e!EudtKdR>cOMFKJ`d z(C%YUySfi7=hCAbh~OntYJi2Q;{m)pQ7eMk+O#2P$t(LaWHCIfdh~L>9mhxY<$8)m z!8B)+m zu#wqd`A&6e9e6j~@9Ln0!2Q+;XXzLD>z-)1gTprO3fw|mr7VFkJL;_1w4d6q+t3-D z&4Q6F6*hFkL&BQ0%x)U56$ZN(IWe^S@bfO;(V3>DU?ykc1YMd5&w!}Ivoh<^D%l5u zNK(5Cv#@J9Geb+V%KheEy{=k{@?*pSrVCDxw+8*zDeDQ(JE{eYLh?dI+okobob@8g zC($$3r3t@kMWrgB*&naAHPlIZ9NsG+ST?o@uP2Y>}jg}F*l|1Kpf}cim+%r>7)PMM< z$5}p~j?ahq$Q|dm1f{d58?4LNbG4$yb?!sEHf!q^?@#o7{4BXll;DamOQ>#`7fg4( z(Q_oR0n&l8<~xF*CSsA=iJvRayS#A;I;^<=gOs{-`;KmUp5xz1!EH%nQxA#v#8dm@uYoQ7()VH&Q(aqLe7uVfJTC{_Lb;!8aQJ z920b=<%Fje9m(~MVF}@!emstz_V$)do0-{L${JT)q}%v0;gBy&wXBaJO_z~=c!3CGlJBrMqvPkK{2_nSG_4-M+y5`%x^P@KA^ zu;!Py-Yk|hP7s5Wfo?$=XlVW3FZaV)KT6J-KdaVLF zO}p)abCBKqWxUj^gj~|1Yi{})!~p0Z!=1c`AFOMjy-)H&pyVaT>5!a zFCT1&Pm6l4n3{?#qD`c2Jq9zl)>Qau&OP4y?SeN#M)89B zG`*9&hcQ~~WoO%Dlz&KjI@&Gflr{P#@ zhYwt!*yH{2LS&nMb~glB$<6UY7OFS!qnVD4r%~rgHYEuy$cpe_^I88US#)}gSfa63 
z6bwqdIxG?B?d;AybG#Vkl)=dDt0+n-`Ub}O1ivZOg-qw}OD!8xvBAF$C1$)nC9OtE zTBlbj4qShMll>)eDEhp&t&YARm%S%w5!;457{k=&%Gj!?Kh)d(9s3Llr2Cq_MKNjh z=gOCl99u;vWm0yZ&JFT7R6t?QDwpUg1f@@K4agEeS6i1UKigccw5@MX#Nk7M$LuM} z6=pd1xvc&^v0>~uQr-xb_Lpff7dPlut+OKiFH<&V85nGGnl>70=-xcszg<54@q6af zSQ?Xh|3x&TnGv$*tr%)w(G6X`CS0%a!qS2SNzE!#)hsRKzlOKsg4t`qRzEIWYE@Hm z$t@CQ>mXGeQnz3E;cqi$cjb~{TAfVeVa8i_Y*qQTV5uR=K(gQ?!n8I-VtoJ#-qz6| zU-BtWeke1VQ)Pb+IvRt|-7Cyq8F=jmK2=J<=|JTsw`0;>J!McXNvzZy**Q78^C60} z+uxbx+MKVf(`mjUzb3%NMdeeIA*HWM0>CZ9^M4IxDbBy7k)Z5FFX})UQc}K-Jw_g! zmL=CW;_$~YJ7$#?)ns1Q+ju12WI?TTzHEV&rfhqWhnmdF=c58d_G6sz=~f%x23%e> z^q`g$4+k1Kmq}KE266io?gyyw03bV5*DJjdP@Z$)WW?m zx|Con;*otd<@2cgJy|Yx{k3UbOh0b`sf~WP`FU;qRtb06ya0dsb)zpiNyCDE&ey^k*M`!jy88jC zhCQ3xOE+NJjUH_+p$28JfcY4nd|x0{>{J$7FY2}U&+5xb9 zqxa{-W&y4>*Xk;eKuo5(4)h3{teJ?iV+N4fW(CM+k7XLKwDg1Ag0pr#qLkNPxcONQ z=Th*)&p7#64w(6?THF9=!9S;fGQ^YQ@|DF2Y#D!Pn>!GVjV4_MQeiNCikn#@ZCdbm z@nI#rQlBAV?Km{lMi^>k?qN?nnvLz+{(K(GTBT76-l{)OtYFzegW}0W%qY&MVX@{AtEQl=Z{LUVZb~wuX9<%pe z#UC-1*0Iw>k6wj~0jvJyE+$0#!b|zvPbH4eyJ9X5;~25{Y~9Rt{@k2A_@}ePeV%%B z*Vmg?{;Tn&_G8#qFHU)!E3OML&f(bKl>KSN`a;k+RA=R}YS@@}!p1z?5G2zU%$LRDgPCJz^|s50`qG zNR>0Klb7PI_s59~m-FpN)f1UK{Jt5Bmd2p0+#lR5yfpZ6;20?_bk{BvcL9wXTq-KR1jRI-jXZ~>zPGS9#=Lj7AQTDPwD9g0S)AZ{VJ3S38*lTrn%WB> zBk>};D2dj+&EM9;N!dVndtr*r&#tH@(H^YEnX;hs2sKbjCVitO_8@!ldFsOV+Hz`8 zX6L}<)6F!g+z2v&=#=U@;!x(eD$n95B|?f2_0q%3>@0y*iss?ad-{SKEnMGxPVYRR z`sofg+bidA%6SF)!b=nJ-Kj8Lc#3(*rI?j=E*@ZA{qTV>V? 
zLI?bB4(?Hzn;ihhw2nQVLgXLw%c{qdebMtJpEeu9TU39ZME@*aBBbaVb?rzB;8nJS zGGRXEx0P1j?iSP}j^*8%U)*jzcBM+#3rdrJXo(*#cv_QXgN@l2jzXzRR@RP!lMI?$ zpB>}i_pM@-d|QC6ZrDk{>%Gpg2Lv5{AaXF1+*XJaG=_VZ?&!_;%1iCNZf#^yC~aYD z_dE`W*)<-h@-&YL_6Lt!$tZF9o9(CsEA=1#YnN^iMhVI~tUkf)ewmJ2#8GtK<@qPG%ih=MK75Z#);+z71qGtQlQ*& zjHu$Lz&s+phE^9x(X(#+K2l%v)d;?3nULz)TU>3qiost4H7?4}kM?))bwu&Sc%0Fx zp)XGS%px~VEh_zXFpLx~$WZ{BL@@rS~q9?Gez2`fuZ*|Z2q7#_p)^<_l;E3Huq>xC3Xu^Vs zV_#Q9dH3qcG_M-FM0#cRj7PXm=|K=I?$X^Y7NwaqkdMbCL=r=%_ceDxssGSCDRMFo z(cO&eU9a%wI&dF5^2?+)q0zIwy0l5ShCl#uGV1oIy&<``vueI>IrUDCLF{;{+*$#_ zxqB_MzxIcdqJf)}A7oy)%%wySk!wqNmrTc;STFa!FZ=`EF7DB~$O(9A%F1lR{eGdW z>?^dj0`{&w^D7Q9@ZknQLzP|0?A{dY75hb*)AVs4C~j5)ZNfBwJ-7AxORy^5o%Wq- z^d73+)H_T@9_gREVsNGF1w0>io0~5?EL{qWfde64kYccsA++l5KGV}N-!jFe$)mQN zsZ^_q`A4$;jJ>sIogAWBS~T5UDxMLrk-~)+Q3&uh$!; zGGl*Rx*~eM|Eo48uC`=X7Aa`#)aO$Mn@v}r`5quq^QiCn(43y`HKX0ZTwN zgDwktTr1d#zuY(Pg9I_Ak$Y-Zt_3$bg1{P>5e}Ngh|BI|to}BvH~!Nj7kCarAKQ}N zR)z@*s4XEp_%jQS?pph*zAWGBOFJ7req?1wsY9zf*@SD%b}t7DOGG;>BPOQ+xb`yT zcgBPA4#z(5iTPAKZ$&WU#mJ0gqgt7J>j9gccKOKI$nO9w zu%4+OO`V;^ixVb+fcJ(;QM>;{X7zf2rK$f7nMDN_#QzhS)sVF&{`ZIQ#~%hb6b0sK z1z?6=qXvP|_0uG>@F#C{-U>Xt!k+Y-G{069$-lFl6KY*0;jgH>hPM}9x}iOip8q4e zmA$)d6+l%3HG{Mj5ZF+dATMkbFLO`2$*sWAY2x~Ec*?ufC9mkc#~$$sNoygMhD0OEa!mY%3na|d-k`9pdha%kicadn8P zt#vAD67>~eOp8ledd`kZjJ$y%iU=2G{r*Y2ZsY?QO5HUvzJ!hP)LUTjS?wSz>Y8pw z)-hadp^{seeb!8p(1Z%0(nYq$(j!`DDm(HH6q)Fb92;hly9j##0C1)7mWprIk znqCCgJRhsxELU=c_*bCr737={C(Fj6)&5v} zIwSQ{v;2o0QV)=J2?$>(>yPya3S1a~}N;?0O5Kbkkji zjf@i(m2;7AcWzl8EZQuALi#}x^sQn*ssqtOU&?a7m82~w%$ z8raK0XR}$^p8`>Ue}|`0ikn}XH>$t!m{^{(+;Fint>bF|7q+RZ`E~kz*(n8Rjmo&| z_oS2HytC)KhpxP%aaW%mMVYzoJg_>|72R=xhdDcV@W!H8;#Z&&tw+dJm)ZW<e`XzPAAV8$a$J@d#g#{mf|0HSnA`bLTIT;)Vx zanwq0h5b~z$k!46(td7%nl=uF+Sox^Wa{d!ziMCI0I-`+gRI>?p#*o3X?num+3B~c_aJt!V zHNei&znacwm@hB|Lp7y}y(mB7L`o@IPZ$u4CGI)t&HW)6*H)T2dZd#dp=N0=3|l!z zdDR|r*<;D2^#M|o;wER{J^-|xK4y@$x4HJiC&{V5j9-8vaR)w+Ff-QI&BVy>%=e(mJq`qYH^zoZ)(>nmivSV>&ueUK&$hcBAF({}P}!aI 
z2<}G_*h?p6F~k5Z43uVVGr3fn%cYpS53J|Rnn5FuRimR4$nKF9{x`ciQwCK6$$%@J zB?4XNT=HGwGSQX)ay5ioy&sxA7yzM&SOb&QJBA|>SRGgY(&2=UWt>4AHhtuCpL{KK zxe&Cr-;c9omjU4K#s6`UDojB8=?u2?gtKdLdDZU9n>@hESAfsgHXBN%d2a%E{(XAiHjki$i6DkrSAfYNKzTR;SZ2~dPA5iBNE+m;b8e%efx)wy;hb0Ex8m3A zIKT0w34=mSlL7GN-xAOg#Mo9Sa%eJ>FQh}Dp-fT)FoQew&xnY^L?#9QhdCah)$rcA z3IhgWTYBvuT;`8pImupz z#aT#U%OhF-Sn3EXDFgl9B#P4rC`A-dBQYK=o<{lpS@&L?DBN`Ct-^nQqLl&|Wfg?J zJ(G+7qvU32%L||Jl9S&EiGRuAxX~+l(mc2o}&Gs3q>*Z?>bcPY@iPrk*C08 z5`XmYrD$$WDwSlun%Ay3prP*1`Rx8|r{gipAwFeaBU{QEc`>5S9-Zhc=T%1_fUR4| z&t3b{O;G~pN*~WV=@RH=P;_cNbIl9WygTM?AOW5g@uTH&c)j5@faDMpRUN}w=@+Sspo$geRaYzjBv`g8sQV!DpV57hR+g-Ua6Vt7v@`TMcM{5|Nv#F83Z4SFT>Hl%o9k`XzDN zvT7jFFuZWsb*KIfULydb)1%RmC!hx|!)W+qIOwh zrDe6d7foyf6N-MrJagZuA`LCOw$=w=;&P`^Zw z!XnoT5Nt;6sm$d7SSdCj{7W2_OU<}M)Wph^jFj$lrqfh}(_CCt|NJeR7B+y{GE}Gh z*j_%;=9e?bzSm*Clf=XR7?%fTTZ=Y3Lrfweo|p2AGg?TnSL@(iZ9*5)D9>mx_S0J- zF6EGtj-n&PYkOc`!x{yWDbB;^_~LyS9XX&?EaC{~n4r;+9en|KWRxO-X}dR}Kov5T+qhg3myll)@H-}YDT6!P(~CeH znOrDP&8KAdP}b7o&>D1w*+Hc;>qLUzg# z`2JtwJpR8e@AE$m;Qg;#{l6&MH02(lKw{BfsvY}@b>O6!=uoe%3RmZ%ECSf=D7|v* zq}0{kyTfJ(GFn~g5J5e5%>qp9b8W#>;-xH990OJj%i9hkfRP=&y@*co2qT8z9$KO$ zbvi?npM{_ZKEUYqzO}3pSai~rP|dUXN|-wKp~Scb{m%sNu_BKVw8Y6K(~zP_P=f;? 
z!hy~*w=gf{WNkz@tdYnQ&{Xe!{owWR-WkOG<0NT5jYgBzqWBqy!ZWq-uQr)+u{vvp z9kJ-MSp$a*Zb@KZF&QHK^fZ%*QpjIAgLD1z;n(}HFvsb7ApRWpv7&yBFQ9i6!vIYS zTAv!Wi!*4jwi;9Zltjx&u|@Q!QTlHLy~9>KEq)fJa2T;PB;)PBr=BV4i^nvpjbmbt zIe0Uh-FK+1Raqq#?wX;YLO?BBWG8oWIs%K%dq~#o@CRK!HDf4G06^C%_bG?4gjl6X zT-pKcr$;>%8(0Kso=@%r{ai1+RSGUsoC#I;SjLjVG0a*>A@b05gxx&GUyd(6ZU~Pl z2?+T`Mcc=m`0?PSVlfU32qQ+D^7$ofw1~j;J~V7MK{t%L9Ah8o<_YOaD7&e60~sC%+gnRMCuI4qZGYt$rUs9>~W+5jAgHUAO-B zh!RX3=Af}Qqh$zx*bvMK8_gtgf7PN=CeYP&8H!S3(>i!kGJ*D=zUPLTo%ywd;$1Wn zZZ=I}?HE}$i}8W+64_h1=ke}*s#xG~NZhSW!S7V1_#$v*Kg^0f#WW+yt!&vqhrgnf ze&L@gW+T%N^;Dy@?T@brxrKZX57aQr2wXL(&RnN?kQO{ z?W<$Il)eA%-s&rfVmKHa{U59CZ#bs7A4&$w8B6_#D5MJo|vb(*N5EZvVG5@q~ngNm4bBp?$!?`-TK)j2;iPfe@fM1dgF^ z2Ed&^9^@~vrTm9d^QWG1M%SVxOI55(k4b*-^iRZ#{52{HW%&=cE2`5|;Hch>2N$PS|;%RJ_Hz zrYQC0zP93zYWUTji!N$Ag@iJDc+tN7;udYVO@{};qes(K)8>!xVC&2Z$x@1ie*5%R zY+@9h$&ZC8AETz`LY4yEOzal}uzH|5SG+cxn0<-n+tu);Q(_)weHrLfLkTgDkXJb8Wym zOnIlVIO9sHJZ}1K_$ua8v|^9ObXhF!OhMYT$Y$e*8M|`a`Hwk64~6okYL7J-c!xrz zGl9OOb{+t&4h2iM&ne*Qgs%|44ASO?H=ZU*PrP`~LOFVv-)+y_WVB|$|FCUuWLS9H zRebVNOg?<%!HGBSC)?>1*p#?}3{te5Yt*62VkzNVEnZ6vfqQBT4ZEr447=~$Z);l* zw?d``{#hu3GK43pS`{t-wdcC9NpG}ok<=p)8LFM~KG)N*C|mwh(m1TuQK1JtesePs z*s}Pe{%_Y2@7~U5e;h`?d|F3q_{I8&rlC>DESheI$Auf}S`CADZqSqKft2-k781+* z``;n@OI!chLg8Xdx3V*{6pQrJSD&%hHrcGvm?{6DB9B?26dtxDaz`wNay-b_&juQ~G zCXI&CsukUt?bHLdf!(t)x=)$HRXcY5!9P#6c|k?VwWQ zz5-V7=M9CE=9j>(71`d7dapclgd!QA@<4MzYGu%o|7fmXl7zV%?$y~Lwcix$FNsui zUp7S6JX{LD+&t`AFhki8I1lFqg{RF+-5)n&vHcjMcO0-^|haUu5zcP95Zi}3mUGOUPmoee~w*YU$(wA^$z`5cW}C~~)s!NT5_ z+}SNwYH&E_4ZM@ENkm!8(3Tp~{<0OqRG4>ppmcW6OZong&*R+8uiZo*1?WR-RzcTEGUSOw6lvgusb}a zVJzwth*4bYAUAqixLoMNhb4W;Q4Fdgz@wtb?^x2k`J2{yI?Uam7V4EHfA&{)K1jdf zAytRV@y8VJagOIbyNp9(?$2Q3cOPl)y`Fw3;!NEQY^Oc=Y7kYs zWXJ8L8D5r==tF6JM>QoFIg^95$C8d~3}o>{hbSx$PoAWa76yoxyqcjqefA$cFoTtp zVrrf~!Hmsb`zvs~S@(hSMt#%g`>lmTAaoE~BOFlIl$vAlO37!)>hh`@ISQ2=wEVCA{OkIGZA}X1%0#n5%j;x>1azl3FbY2H zC4Tz(Bl*(O{Tog)y^I2oV^bguviZ%5zT=laI-H5JewEgJt-U8J4}b_&z!}_{QhvGWX(7T 
z>Ih+;^w8|We-oba^8Lo|_>ErtZN#+hd?Q-b$?jDRS4zpg5w>)4==G=~DDh@By{eHO zh(uH55bpc8Vh#-%5d7Y1S*zj`v|NK~zoZtAtKBGa*_pGW6b>Zu`+&5n2a8c_hljlk zWI8+z*_)wC@K5@f?tq{BZ5_u=IiCK586z?UWO;s#5$=X7ozYeXN$pg}IGBlBrOsQrazzC|%n#>#mPM!C7Z^p| zl-8ikF9D(vIEKq(cj$f}2kgeE?CJa~@W9O3-vsWA z_v3IbtEh$iN%lG^MCb^*ScyX!}=n$+DLw*TUFC=6^L%4rx6YQz~ zd&!!X9b=d*pVs}8oaLH@J2`QAfP`iT2oz-W@8C7m{QtqRYyQa9$Q;Pq!|kPM#>?>8 zqT&br)ue1GZ(qx|)cYGo&TxUTU~i}2SYlHp_q>5WH5BC6nx5ZU*dKov?WAV**bk13 zRM<$-l7e$DAkUjNU}^m{gYs*s9sa-?@b=R->hIo8j$}uBtA%{`XfAG{h7%OCM#5O= zf{XA`n(?@V9_Kcd3=!Ww4RC56I$Q`qcmMu^Pmj&Z_&MHJ=6#*TWr{5Gb9_tci8S?g zR}{LRTB5o*!|Pswh4qXLlWO24^qQfyE&hT-HnD4;C8tnp% zXjN(^;a%q!)7NJv&l!Gs>T)0CiyzU{U_Fpg#EOcjn0dK}4;#YUy-@CXe`#DJ{(iM7 zxvTT|`^Cc4?E#A#U0-IV#EFKY^VxXd8pDI%(8e~5hWWjZ<6VB4q-o-Z;AQW)dZ5o$ z@GbTzhER>qFDZ)BuKLf7S@Qj z#%+Bnj?O|Mv>;-9NXk<2}v!z_eqZ(NC32fG2s}u(efZX}e zNG^iJAq`^^ZmOkFHmBs93$HrI*`=ks(m$s#6VSlfQZ3bmXMunZDVr zE^@=Rx+|={%LE=vuXDgTbiDC zYlmzhs{S-2!Q8u2u1>PI;=9H*`jT$hS*AjGoWZEM&kN>?jT+@0f`pgFr#4j2DTF!U zLO$iCjamzwhwk9>v)@IfHzT1-4mW=ee<&Q#HlAwjN?4 z?hG@|W^8iJz6UMlns6SJs@T3$I-j9&#bk(EU!)y#lD_}T$P3#IQx+@`VbJ*Pb4468 zu7q(o#BP#~{$}|{D2IOKy4YsE^E)g+p(4{Gt7=v2u)p*356@jh0j*?+g z9zks*hGP~~x7;>Xi~@|zb{ed=`5lzlMbg#Z^-Y_2G?7aK1?0vE?=D3m`lj?V~KC`!Fr%O{WhE@+t5KtA5FF0%+@sXM- z7~^OHap{j0*r(a|-7MB=)e53({6O$4Nttx~1aI;bAvMGsk9Lg%Bx=q)MmD-U#o-%< zGX>D1EWUgVy98&%N6%%={c;IO&_xE^rsQhxXuN{=AynLcVT>Jiy<7_W=IiK?z=BAQ zhuW-szi#qe*4cnBpQp$^TfxTOQC0*iY-Hl9wKcPNR^Dzbct>NuIa}3CW@zb{NrQH2f>R1$6L#vf zKjX8TA=mO>C>Ik*7Zl75X9(G|8jTwVD7-xFFO^kM=<#!;w@Yf-w+lYK5sJ`Pi0rlI z8gMRB>`%>+dnnNsn;&s?GiJS6MNP<^+!1yzcv;O* z2y!K~+Kw;}oZ$(pGA^jt&!(pPw2)jy{3%DCrspWm^`8ye1zOn9Ye!0JaZ|Y=^_4hD z#f)N~Y{XFiz#@cO!yvAMS=}JhdTk4;5j5 z=E`5uTMMF>>qulJFDE5oB$xRQK{u^Mrx%UXtUX=VBWF}%t4U_@m3Mat&mk$tPm28& zwK(9Goi46IO2Rb<7ub}^o8mVEqIuRqA~%-G*A_pItnG9>*1$`6jc$tv0kuh-34G_) zutT?`hsk?71CR>=-d`cUGVH(V5*R})Fbb=wx6muyHue;&l@DPD9aI7Pt&(nR0J`fYb?jTjEEpr$AFMkG{2R_i z`_YQm8W!yS{_LCh{oLE{BRe>Hyd<5`q_d}lZoYA5+>MtL`t^EvJ=8X4z zT3Bgv=mal1pLz|uODrRD&b6QXH5E 
zHy+(!4yeX4++S~CwwRJYx1s4h?Yl)7|8TWts+6H1_uM}_f5XYvU3VD3?V*D@!`#1a za%^(B_KwL3V9f1>volhH8(3JH+w=)63!HCr+X{x-^ODg6#d)zrPmvqJpR^B@79z}s zuGFX$_?KU!*4dpgJ#J<1)VFnC-l4eCiQSb7%O2JucHwN6oB3{P*Irhp%C_APCOICg zc|Pym%Y){iZW5;Q4#z2J>kgugXPKwJfjmOYX&QWDE`W^wt~zobk#j{l0pY&t&=2Xp zjN0Pqd8WY~ZC+%($Rik4t^f9U0hzFbtY|9SuE3kp$A2MTUF{srH6dDiLA|2|VQ#0r8u~?5<+@t1-_gkCMPYo5;cvY_>9INd7 zMce>U>aQDas$(r5rxA9SC9f*4^`@^PfcSxDkFQm}z}64}yaJgWpN3ZyUEh%Y6O>hr zzc8t@PaL*)7|7J}a3siL&|wqlsg>Iipv;MP&(lRfv2L~XOx{GZ*<2Ng%8siX=7Ut< zJQ|0^bZkCT<)oaFYj1ti{K1%BV4E~o;UCNhj<^Y|6wZ6}8U_iRp!B3@%9eM$Wp*Gs z2Dv{lPT`@Y#>Tx~O%r3qHPFQ~qx%b1v2bKv-&QBiacbC^jvGRRg@huWQl9IO!)AKC zbAu@w3O-E&pRBe;l@J*&go3;_5~ymoly zi0eB)jY`IDN0c^A{g5lrc_WRNrSLHC7TeGyQyK#jT$Fr6M3>R{{o&{|ZJ&gLbV>qa zw5q=ghOR$Kit`{NX}<3796RriL#I_{{Yr3gl8xHV2enxPt5L%epKe%EyRgCdiGCZ` zEiJF$QFqmpT;5AG4fc_Kd^u6q*=Bxi0=?WKy`YI;}@aDp)hW* zXu;NjBiKwnhS;1T()m60@87j2%{s3?$7hC39+=PLv%K7tZgPR40o{iMXr3_k3xrQY zap0a$VWJ?Xic$xEk?-|0#C-VWg64cY(v9*5r}?1&ydF$#&i^0DWlGuvauC5$a!7Ro zzC_|P!Cp}#2WOD#*AP4g5jTdT>>7#|IXUl|DxBkkgqn;I!qYfbjPRGaMhhcWsvS#H z>;n;ojmH;!g7n{uQ995g83I?Hw%c>vlrR5b4Y0b(c5CNXZ*ZO77?I+(`Y#ly7eAFz58s%z%~=h9zCME%D_K z$*SGeiXPS?!f&MJo5mB7f>f(3U6%X;vwy1K!W?}$o$7sSp#zt7b(C!9%IU^)Wzv7j z0wm3Y6V5mqH17HcHFcwS_IL~%@G>NlFj!e(XBJY;Ch=-*huQ~z{BJP25<|Gf)kK-6 z@Vv@6Fl=&GR&J@pq-Td3i+kyDu$#X0FrPnJXAoF(@-Vjllbp+SMJwI)8dM6nXC?t##x~um4eW~U_b16Z(!?Z+klTM}d-+Nvbi~xkOJ*p*?*$^t~ z!GQ;C9S~o8tCSIM4w0sp!2K~eyhKs2&kb65u=(-6Tn!wGep3O1W-e)qjoc44&i}aD zoJdNVGju1b3a9LC9i?#9U}pJR)&!=$m`1g@NaA(;W9m4%7%o{1(GAd~W-HyfHaFy) z8F;LHm?IWn5O=&w9WmAZ{L)a+CvyR? 
z&}zMgFe5Q3tKhK7kl3sAaOz4M>gND^Cw5qe4vX8}5t_&xhYH@<$90Q7%+NgVT0%Bri z!&}d(T^<(RUZZYp^=y%qbw34W=xMeif_^IXGIUJI)wMn@=*G;f?*_Z^ux5UPW5-lxb0>SJy>q*KRkFWoXq`5%m0;HF)VfoN1W`n;{8Stq z**pE{w&rGbOk8c&u1>MdZ5xh+a-Bmff&G2M?-u`AtTMr9SsPArz5FK^PCehb%r+4i z#jf&a_pePpfK!>NDps?b)n|}v)j2`#+$=8OsSYPIi?R^^?W@{Rkh2t@sQhYI?Gn6Q zWoETW+&UWwvmZ|7@z&(5g}eXl$ymv^-^l8UgLRlpyNM%GqcAVMl|8fw!Y(?MyPuo1 zyErtNx8FcY+1bd|r9@q7W`|mBE_+eLN~7n$9_rleN4E`@ZKOswZILaw zV|FiS8+aMk>J@7A_kn=1chJ-W6S~=%iN}+x673zkkJluU2(1(*5^4YvQ&8z})v3=S^yQPULf37Fzz%B7R-i~!Sogng}NN&9ndGEaq9X zn62viG`P*zXFfSf^KdOfIPQV$MaQ0U)w8~_0h`h6Com5V{#`W~!Yff|#I=B%r zUbl70ZW3pkpBCWZL=*@xDR;uh zL-EXyGF^Odh7h_iea<-=8tTw^cw^COL#LZ#eWUh`m5-x`DeHczusX?JuNiTSi~!Wi zLz?#}(PrL02Zr6>hRt#F+sBUgKHtQ;On*`QWZ8cNab>RlRwDZa$k_)U7b|ijb&uGD zramR`961Dc{c6Eeo%4brKnAYY&~qT$Ufcosr9o}`n_6Y+zGyY>slD%fRi~EA??wxb z%+9DjnZ03BADjpE>+i2-j>=@)C7G#%%G&TC;uBDa*_Th-1z9;1dSDbbFL&%dzsar3 zY4SobA$wx@XkxGK{X+`neo!pl%=Nb|*FTX>q~!xQd3`Q1tn&LmFS<_@E0!cEY2p{G z7pn>@pf|Pmj4YRv1VM)>0+673{o$!(qNm;p&;n$Sh5Q@SoaB$_ZGP*)!%CO4nj_nB zkn6DAtg~?D1;345U@K>@&t3H;KP9mJUfw_gCg*h&qG2ZfI_DNTDl%s>S z$OnIxfwr?$KXkcnrNKKHVv|}bxNxN{*+JPj#qZ9CTYwR{E{6~9_137+-rvQYsn{J0 z7BYXo)8}cP)e;xbMl8}c98)(}6^Y?l(@eP?Q;`KD-8v6zt@*RFKY#T6ds%$b=n5LT zb5pMMbj;lJzg{aB+8y6(zTBYszyT|dIXGpozuELZqw&Eh-GFcH{{y*_q-vC2kc7<-Oe%X1Qz=6DYlid5qNrRv-jF8h4lG zu7jE?(mLp|>*(va-L%+`c3zWemKN`P<1BRl(}q@vP)Z|CiK^V#%msId6q(TOYxr$6 zuN@&MxH;UI-zz|1x)0}C;z^|GLm$KKeH< z(24uv45kzM9FeTP$Dxp_KAVV~dCQzWKKy)d0n2%REp!DRw=aNdij8-VSY%`YjSHst zN55+GuH6iS`e>`9!`C)Tf37l>!cp{kHOiu=c~Yx`U)%YsgU+Oc`0dF8om8_*$Mjz; z_;%^g-vju~YOvJ3cX?_;eMNof_3!T@lXJp;8xuVimv^5CZY}=7$fnHijQc=-(0V!Y z@U&SCVzt6OKlr3R$!;3#JiYy7LFi^O))f};All{?oi;SKH`Lx z9i>i?#n*q|AUdoV+FOXFp?ax(id$>#YU?GryTP&TswQiV0ZcB#RpF$~iWYy&S&kgb zxIP7iUE|h~zK6gHr$BBz9Hb_0QV?jawBJpR)ii43*ney9JHwj#x;-O^APA@+RX{`$ zsVXH(7Zebr6Iv)D(g{6;7OIG%h>b42ClG2Vp@V{gbP{SnKx!aCAcW3@|IB^gd%w-h z^UQpiIp1=!*WRoC_FCucvv&wIg|89)mQtb6->P)Sl6pMZy&zV~)%0OLNyY|-o#;r1(@}wCo&~mn{Ik~W64rc?0 
z9y10ceC?W|TlI}dw9it2@YU?_FV`2dN5z1r)nNHgC+77S5l^_sz(IhrqPg~m@U-0H z?cUzcsPC^gzs#@YF+z`AETz}0{DgoxyJ~dG21|DysL&BrA}GSPi!dhU<&K31V_!p{ z@F=SD-#INb`tIhN^Im;BsUWGIMuqvi3l|fEzO{MionegK`WvE>g0dB{+5ycG9@U75Us!5e-Lm%iD-qqMGyC|*)5%!5KFKZO5nQy)I{M zN30#~b^u_Fm%X^g6>xLeEH>qY<(LP1OS6}*Mwyv?nfq}Z6_AhIzjqn7ZDA3qYiAdr ziJL8i@5QkaK`r^Wx-8(x%>7Q#=O|YGRf*_`CtpUmF$V>tu0Dtt+Q;_mOlA1DtnGLaE4*OKgST<_7#8Gdp5%jCgq zA--wQfh_pwCW^Y37iM;cKbv9F_{QYyoBGFv<(oYs5EWZ;U)!7Z^Z-N@z0EsG^%qZh zJW@VHG{!PE0&iS>%VP6w?Yqx~g?37f-orY0J5Qd#gYYnzaTzYCeHwYTP0}#Hn|w(; zH7T#j(%%erTR1&mYq(i44^eLPIBnmwWANvgwf{xWpZlS!sWGviLKKm)Qe+5v^$PG{ z!SZ39q?G<~QoDPRqTKuRF0;2v&wviB{tHg?55{K{%=pxu4XB@)3Z0z|r2o4r5~g@p zhSlv8uEX?77&d-A+mJyD+3I}D^FplR;mJClKEwnx-T61=d>zi(ny`-`5D^4aL$ll$ zGzEi-WjuerN$2DALz53VT1km&mxG=xH&F)iM0C%rU~TMXDDdf%dg9CssSvAn?-C|)CleP1IsM18bPsBg ze$xX2Emm&I%0;)p_4D_2D^@0}gZ8!Xcu1+Kc(O;EyanfoSJ$(gpq2(OrP_Zo8THm! z&TX^+iWxfkn-|H8^^E|6l1879Ck|Gtn^NUnEBf@3OF=Oz!@lXAqR+YlwgL~(&W|dI z%S~!AFnCrE0+TkBN67F#_;U9}qIM8)`uynnCsX4D^vQ=g!kD+Atg$i65jaXiw`NCY zL@4DzwsGb{`V73mw8RoAhOBGI5GKGnY6($LH|qIQ+r*QjvT41PXES>@@CtLZafGD| zGuIYcMBi|*W{U|{7{_92dcL+#nY3CJUjo5<8#`5pg6|qPO&^%k245KEuK8ub%;DU& zDvQY@1W8yPM0lXwXWlU42IM+L1DW-VP|y=(Uj)F$|n}`!#kcoyFY)aCx|r--_mu$Ud^7V*K8TP zJL0efF=4Oq` z`aLya#US3A<^I1_)yrG@pzMRIrMqi7=rH>tIPfymzv(9r+98HmW51P8r&;YV%bpH_ zaIMwbH0-R8Mu8wl6;UAnZ!wk+oFbpQEBH*X05*EAUz~e^kh)*;$0nD(VuFMumKrrLRrSwe~{RtxV#)snNbT(G`R~l4?O5T;R-;XF>H;1I1KobPx>4I0x}q~ePNKV=j*w{wzF2u$XdCaOOxS{}H5dzhB|ZYh zmy{9*S<%DLL?}R7jx-R4Ynj zaY$OJzSW;8rgO=?Vmt`l>|D*H<#59_@HTBMDN7lK79G2$S6*?e^z+60MW;&QV!D)Z zzJKk>JFlcCYA8-Yh7U=cW)HaF60tCQyThz_dp21zdpHBaQ9 zyl58>vex?xHApIc|7PI@75o{gj}HvS25($dnzTn{z}*sE^;EJ3xqVHB zl%_kned5#W2I$l#NweVjh5@^E=bjk((%}OEcPykvzdwDuqVrv4x!cxPYe@CECYV8$ zyUMTBiaVDv9cppHE{Dzf5*J@l;CDRoi2BxrFkl&$85PCHozL4h3v;R)2A8@swGoMNxj>?6G^4sq`}?G&#)e}I zqzXPCecp|A)VtPTbYfNBrTwh6`GY5%Emb8EZ(n$Ue3RrmPr__MPYEf&UKMwv?((e}aMT zdc-ZeMci2k=lJz=$Ws)vG(WyWL6i1PnfSf8s#n8KG<6&5=cOOVKbHMad`_W1%s7J 
z6P+n7tgE&trS)Lh=Uq-gh^SyIjo1wBnXE9+nJl*kiGhPO;7a1T8uxa!(!+hW?{ZH} z8+tWmW$aOAJ7KbXW#~y*&lI%ue^ zs01{F!u9^yVL-n7(bJ~=cx)><7`u1{1~UNnPe_e~?LP9H)G^T=Rgo{l;-pk?xg6To zyf#xWDuc?#%e>#DFxJ@S9nBC8SKpNeWepnK6rU~|>5WN{?G24bTjcTCTHf)CPbsfq z#P$wkQ7ED{&k?H<@_F1(h+I!cJdJBy`)efj-yWf0VRb>uE-|LP+=O*P_<9#t+4}VZ z1}bh|yEvCulIyJ*|K0V$^90Kaw)yudMf4N{!mBEi{23YRxr|AU(HZ$0_9pftJZP>8 zBT&N&7b1=V9oC_RhW0)|NQXqHa#NP0mcT5dH^~~vo$$cf@@ISq`e}>eE`@i7<UU;E5i@rdoWt;$9J7m z(U|PT3XXwY#4qgG84zd>9C{Qk+;*cDNW;F9iJ62{VLEo;16 zC8bLQ9;sh-#?00S?@h+H6I|^e13tTIN8`{ui7XpzZ%y0k#C3Ra21H?+_ew}P=_;P6 zWZ5>+QD>OB8O6EMsXeRUaLz5>tn^Dgrl0`s0Xf_aziCQzmDNryM7rLf?xr$t0yj@A zb;{=%Q^wQ{U9-kwankKL`(aN{#VMK}TnV-CFo#~R4}Q4g;3T?M zX+-=86D`MB4S3h*OzXt@nq|k88CU_I8}4uX*)zAOXR0B{nZ-Sj%#6L&>qp2VbEdqH zfCUYoa}LEpNo;zCRhvB*Y>L9Z<*(L^as+fiwzhAIf_iFZ(z@1JDe@*KSL>`;WuT;( zL`mTAgBaX$pCQP#2ena1L+}mY1mBkv7#xv>d2tBa(Rd^Ls`c9E>?@2t19~2d#ZUi1Fxyl-yvW#|xI4df*aejVng(0^`+*LW!&X6eX`= ziGT)Z%-pS_SCh6KRVFoCR!z=b?mstkuc!nxOIE=bo0;;blglje_#Xul2i=NkqpPl6 zGeV_HD-UWj6brE##=&1iCo01>aCe{f3!?^!Vr_yG6l_(Ec3*D)|&XWdP zr5pBFBfaNM##g;Hh0;bo(}@aaKmQ{Ajp+LI&rS#*UxpIm!TMPtbCT%%(?+LMADNIAd%{OR!=T zvW0J6R#Rjeo{6ti=UATV_K;DwirG;7i79KDgz5Mhqh*vP!`>X5jK=*CCZyI3kF4=g z);j%^hF}$Dqn1jJNTZ3%N7!a#7#WNz#INMbkpg97kgg{WX74qru-D1y4lCgy2atOC zrX|GY>jlhs=*i2`^$9Tx>?pk8*ElJd?B>!^sEuXuBsr`X1h&vxnm-Gx4ol?s1gZgH z=_IsH&#VsFO6Wim$6J`{vU7l&pe(?y$17KmCeWTzCJB7weY7l%xaDMvk6_-G{7SlIvUL?L9()Mt_bg`dJk9 zGTt{T@O2-ID{Uwqz<2iFQ5401sdMrBYlSvti<2*9v39lUK+kPs(9oo0>sAT~hP1r2E{ym*P#)}l6g z^{(Ds2mDU-=z<3C$q=kwzOaAf@yB)lo|veoc_Fp@NHDS2a|#Kzl>-JX)(pZO9qR5Z z{TWfR0s@CVTX(H(T3bwa{Ah9z>e00EU4m`ZQ{IDN0rgXX_I}&%|{CA-P&el5^GO$v$SI6C7VuOx;I~D6P)-AN!Wy?RkmVZ58lPZB|Rl3`lvPN zt3oGI!-iWxVAfbA=@+~MSme6&WQVU}hOMG2j06DeK0K>-==U*e5!!BT@J3GG24zf? 
zU+RJlG=+0}A0Cd|UH1fdky-@qZEmW4JKvt^AeCe`?GWZ1l+5{is`z;)oo1JAd_^XH z=i7}x%qembg%BTtz-uVk_aS*VXi<`rrE1nCQ0*P(S$zK>Ve!wa%0|eS2I7=USCV&# zQv3VNL2w*m|8g3|x`bS78`THKt&|44#P;ALZW zc-S&MdS3Qyw7+K3aj;%eQut*)&fzn4JABqq0oD=EMpJZj6{WtL$^+wj4{TrV_GS*(hXB zy{yLa1*VVFvgRH)u()8;e7^*dllNvVpHN3u!ME~OreceyZzBb3-Tx5NW(R+{dnlB$ zn7-odwgOu`V;!scK2{S@*lg-|AZ%p@Z0SPB!}%+NGK}r(`ux}Dt#cjDjP4}x=5Os} zGv!vS*nnS7PR0#kpkqrl5*~0Ad@5Hkbe{jfurGlR)dFl!W78|OQt;5OyYy%jRkKdi zke}9l*cfQF9Op&YR6~O^A+?aCU;)YD0*gT6wjs&HxYpLE+iNPs)V7x2Gp!V5;|1%v zB6U-gdALmU!p{2`TaZBUjLDPXK-xOan6IvNqnnwYZTqC>T99n<=mXxxBO7PVUA0`?96v`7K~cE#>B_L zWp$_g&LR=FjCy$6rEf!?ASC|sLis&$E{v*uI;F}=tAb4LZuyQ$^@>$im5+76)~e5; zb3AP6XXQ>kOr0s%Q?OIX{*G{H5zvQf%E(BjTM_qRy78rDQz5cJCkpss|MEV+wqKFX z@4$VFVlI;_k!DYro<~&fR3U3iTk@Ku>}KVJJ?bLSi^asbCd|#ytY}H3dL&ljvKEQE z-ZmbXR`Q8Mz8_Mlrer37BlS2Tb`bGoFCivzW-~+wMv9EfQ4boJ=xmtP`p%7zb1Opy zj!(2&>n}zoM1yLp_+|kH z+Jws;u<&=V+41P&a@8ifAV}}hJ_&&k`HL=epd*Gl$Yun)r0Ko9_elb#B+%$6`2J6uo zicZIvK??XyC<~g{BHK@rZpyaSPU{2tpqUCiSY@9lMg!Vef(yLjSkyO##~@5AQOlvK zo~XU2C+^CRMq%SQ!s<=|c3n*8InL@ZPZtY&>TeQ%aTVRy=EPO^xv$^Fl&k`noN~z{ zzepx1@T=$Yp2NQvV*IvrIEbPSA|7*kN2RZ#&yxI)ION4IW>`SJN+Q=Z=8T}Wi-m}> z;IGlloL|o+M_@eu6uQbhYmP39kT2{LN#_Qd^#b{fQ#_1I=f5J-g4S!^lV7Bpg=O>T zni`1o>Hr17XCw|YTRpV&xFKV)WWtxdC1!~iduKL&JBD1AB%vs4Uc|!7vP{C6 zIyG)K%j?2zlg!XH=nsc~>Y9S`I<@fke`ihTTe?2PqYIg=X2aLj_UF0jq2RZJJIWv+ zWx9CevA~KNEbW+w$;4@gA3qR~*H`p4o5{@_?>>IewKj^!$t3|NN?3H1hi+bB1LdsB zU~TuJ`Tc;q-nn5!u8L~BizVTW6H8VRCBfOd?q2Gtq0O_Yh}}{YQ(MkTsp`Jk=iGpHAH-$ z=KV&#Wl&f)VI+q=rOh(Tc$`=M<_|x{&5j$T|tvzB`53G}G zGN!egt0b1qe-(!1L>xEbF@t#cJxL4BYO7o#0k+b;`xjBY43^bPb?9=B?Q?6nG^|0I#bwf_jUwW}L|0 zD1xUcM1NTpLtKP+xz%tkAX2m`LfW&2Hwjn4<`+!4QAX)FEtutG+fc%KO(3 zII`D)>>&?TTVn(T4IR1!2H@)w178HP3#H#LN1JxAmjLz4N=_aDCytfND01YKdYdH7 zhxCE|Ri)M%LF=&f7F*c^T@~WkhMr;EdRbxT+Au^y;?R<-slHzi+HLNf*)R+#L@XZa zgAjWmAe)^x8G+D}^|VI`{BYHH*_0xkR7l0Ms&7nhB6f=r70bLzlvi$IZfrnCUIoL7 zo@Rq_6t{fGB6SaTL8X&!6R?v&+RVh{#JYYNYE+EPboncW+x6bMy7jU~3SRlOuF?2U 
zdMG@15Ys~gQyb;Bd4?%kzf4Ad*r^pZ9&udsw|2Ih;Ei*yGh{9-8IDfyt(7tnwC>kG zF+VAp<^MQa5NEh&k-41cIBepumn6DnS)gssJEM5`;dtD!5&b#A81haV3eMY~uUUQ0 zge88N?@8+)GUm|EB*;wf42Liw4nV;;J^YJo@^|k8KgwhbD4%4NP*h(9G>abM9S?ANfZ zAAD)xqo$R&9$)+R(`vx0l7B^hTz&rs-s-^HQ>4dZ1J$32KE2I@!^lo+e6ih`CK zR9kAi=J0@g4eBCWr#O$Il}OzjR9J8n5#q#$^>Nt=L_jm}3?HIJnXJQB(GSnNxPk6M zOOLI9x-BjbG#6gE8+;FaOQvKH{B+)aWRwNx-GeU@XvA6`?agBT_FlnMOxz)`HyEEU z72hHVSAp&Z=3YMMwBm_3L;C4Z7yv+ddqPFHkIND?R^PU8QysU0TQuz&yNglrjypE* zN>@uMc*`R(h%bw;2^y~%&CIT=rhNHbQ%bR7()0-KLinA??yGmqidqO>1(XqM)Dk}9 zmKQM`udOzG&-B+2;?qr6QY}5cNKEOSfgxPoUlF-BP^dD9%4jO;*1jZ;4n^JXGOniY zt%4-Z_lT459C&XfoyMiDRqbbfFNb;4;_}}w%!p@DOiL+NN)Q_ya4di+F^m3!c1-v1 zknc>axJZbMgly3VrrT3ywqM=I!7jTz)+4~`EY2xyV zB)826mQG79LY1}|jz3$PM;ymw+8>MCsfAe~T1NN~zHWV^P1ao&8&z^ecT8)Wwou0t zKiW%SvAJ$Qrf=jW&4x=G&ExJ@+_Q_`4q%-dM- z`wn?=Mxc=%;{ln5=%Ilq~cc=EVb>JUnX+$@g%pG@L}C z^^3-Lb^CP{O2Yhq8ASqTM6Dsic=X4+%$yV6p2J3FMJ8PfnC5A%bV_U*N$GnbYIG(o zuKHd9!O+dE*1ZG{?DNe{^$)T7+wG&|-j%{M(&C~FUie()_a?5I`kQD)I3+m5;E;#V=?P6 z#cbamU-836-+V{t+SI=Ftug#np@zl{W{s)COMxgzk3>fTL4zN!=m8%e_D$MSrqF=% zB#D0Ce}v4EF)QQklfUE6Y19ZE2JY0<-RoFb3QYuOFy)VLIoUG76l-;f(n!schViEX z8D8m?J>8`ZwfrP3^&}dQw@UE(CyC0&;Hw($b$T96(~2G@ec12T$mL!_Vn0e#236t= z^`AQaF>PaJS{>Lvncl=-*8Je0yP!c13jM36358s2KHk{9H>K>IIaw2Mu(o>yZS)Eb z*b0I&jow|_63r!Rb;r0WIn<`=P3QB#3pH`+;1h!d8GOoav$mN)YQt3kK-F9Q+N02V z<6*1t{bm6|-V!5hr?e_m8`yY1q179+aPIwbCZ|R{w9lh|{%E8|V(f^mS@1m*JlesQ z764$kKdYAY`_C3nT3S)Sw+9r6B1^~#?5~P}8^W4`=9zRBP?!iQr6ag`z ziKScJ3SkdpYfzcS)$)g5bFfq@fC?LRrZ2cAzZRYS&bcS^SA4>y^)0rA^ptaH2B{8KdSQ_C?X<9bmA`6 ziGI7CRr~t1T2I!%L}foK?q;0M5c3L7xY~AgXPghqUcN^Q8#Vmh))^a^lm7geToYOG zhOv`b-VRSyB=x}sK-G{Rv1ix?D?MN&qX=HM&-8_-b zxDq9tM%#%W`<=>=JWxa9FORp%p--=y*E?*wuTta4ymY0HzWfL0f^Yi9xMk{q8hR@qq$>AWSfcr6-h zv(@zd41U*7Gd7Re3c`{Mn9`@AZ_cZ;ztdqB^CYo-x}v3JlogUgv#>9=8xrpY=Xds4 zIHJ$}l8>-lE-A?hZYo4Qw^>%Fc73?X@DdQ-evRF!tRkv$Ba!Xw7B_?SZ$=Bi1*H+A zHm6_>;-5^V4q2%}H0bLR3hp9R~Hw1Q9REZ%y|Nvgs{FHsV*Oi}Txz z_Co%AS7K%lsAx$5{yA8n1#I{VQKK)^+d;x40bz#_Su{a$zxy?>F%cPGWB4Qec!dU3 
ze}iPm8sSsuRt*WKA$}QNqn}e57d+g3%SH$`O1QGG35xFCe*fjCmLTA_%=OdWZb#HT zqU+fWpZJn1`_LKeyu;O@ep8Xd`vOX=(^6`Q^^>3aW;=&@25#O)w!^Aahnp_2giI z24L{))X9c_DupYvE0{l|0QQ~jMB)ed60S5hf^0S{#l$@U!CWJK4s%@S_* z?DRWbE4kdHNDX=_Gy=RVzvqkYK38FS3C)Sgc6PV%OmU_TRB`*G>is)m5d)7Ts7@QH zaVnhY*>>a0=zkMlV$gpw@-Kb4JiexQ)3ApYkd<|cO@&t?Hop9yA^tF$FKdK#98*Id zrc^(%&8rbgDgy1hqjfW3Mx{>))!eQra>f#`BwkzE*x^LuohK>k6ZyTMv`acz|A1|u z6EV+DGU&Pa*-;} z1BRF1`A_vlEmZ;6G?i)Wl75NLPfJPb7>d*#Z63iBIRDeXnhb>kho-}nutIKn1Fokt zC#8-=l>*|h>0`Vt%fH&uN0e)w+HEsVl>zYM;WhE0Q!fZPz2$R};jPT+NHeFmuAXhb z{!bg=>8<~HvhRu)gCbV4g2POPg*r)xR&4&E*)BWdexA*qLhW0b<{EaVhW*1!<>*6h zGJX5qG?pT@rAO)TEjC80gDjd+C3pVVa!OdJd0UHO&aE`R;SX4aoJ7OqQw#6?Lo4zs z!fU_HKDGKl48Jj_!?7#AyP*D)SHO6)J3c27%=MpI3P*S?w&n73ehBKbD!dF-ENF$Y zYB0l9e#BklsdcB^cDwE%pyZ(x&3wv^=jrV7{<)0WGL2nlO*|AF?Z{|D(qry*y7tR| zopv9xaxXPBi{ag?%crb7J{3bmPUvNq%+>&mr+y_I6)bmB7#rG;rrfqa=(73ouBN#? z@>I?Ls8I86!z-`V<}z}C&_PUJ97_-|?#<<$(ATxUqNbPUBocUII&gwiU1uf#;~ea{ zZVXP3G`56EyGCIlIhM_|b{j!UcGd?by3Apowsr2Lk5{5k?f)Na%c(6tg#nW)MqfRd zhwkX=N7K&Sw$k54@@5)fiN&d)ANp*)Z~qfF7hVSHDtVcVsu+*b%pMu4X9crl^FC?J z+TPN(2Kn&=KmObLns-@Wa)aNC_#Fvx9P-~6WLWgZN6Bw>-XeDw1x6pIwz2&ul`lq= z`}b#4jk0ZhKr8g}Bk#{TN<|s#Ks9{kkwjtnDdhim=QFgTwfp0EXY>fEcYoJ9_|v8K z*Wk;kZr#&mvgFp<8L6@l|87f|&=4A-K01Z|^gHw1;u|F@+StTHR2q6Rs%=%F+agJ} z8rk6N9S5Emv%x}%>2mU0s)P5TU;ZU7_{U-XiZeO2(gI~^XqDVmi+5cmyxW``M%a)mel%>_rS4vty3Gr(@+(NRH}VWta` zyz@t#>GfL)D{(QN2(KBK&9#u(gl3NI&_i#wK)hA+8^?f2GZ{VJoBxv9zfv_IXWH1z zc{)4HjTj2kUVuHwp-Zs+#Pnp?KP;Emw!~AAM12d1hcn_gvN}DKuA-;fU;kT>P#U`# z7dM%cA1&zL8z<&>6cg=tB0QC<7zc||nY3pqM6wCIx<{&3APTAO0(}*OM;1?0WFRA@u=${9|V2*Z-BDGH$Wzjg1!B znMkb>12aIQ8>^6`z<#Y`(3!uvCgRT>TsG{1kx_^-PW$M8EH!#&S(24@20Krh*cq_@81U z@aNlrm-DBd+I1RXl~=y2a_PoD5gWPb`-U#-`{ExV$I#R4>uSuY?o6*MTX15vjPqfO zMbA&7A8T8Y9$ z5uwHsOy6+?ueL$#M8I9Oe6MyM{*!n=%{%nsu-7qvOvLY%rv63X>2ZMZ{GJMiT z&5$rnM&>IB#{cOt8aSEH9nz{xeVNz-I7Oj5uXz$fu5BCG({(eOgi~AY-aIuy^uw&FXJN5? 
z%StqnU8(>;=%v%H0Dz6#r@d2IW2X*y==}Qm9Nz6yr1zT*1yb^Fy<)&`9csIc%y7E) zx2|~v3R!an5hV26x1~%)?F8ghL{l+7dlB%P_q5Sl_UO4!WMpiy=!|cod>j}tDxHXw z4k>%Pa^F8C^+F2rtt-nGF@Q&u#2_X0$lhWS$r7NBk;j<4J_c(8X%MHpVd9>? zm63g2bhC-lR;LWK;^G*z-KXiUhj-uK0mzzBLZI7(ch?|y!qEEzZh*l%sz$Qz`;IcO z?C`r7)GR%1k_#%9cPJ@;A7-itSeC!5)88ly0?P2_w#f0t40}}bFW-4$-B~uk>yc@0 zUY1^`3Y6jF9=~O;pM0XSRl8_UPIBznp4r*g>UuJ*w4XAVdT zd;KcS|B&apK zT7&0AdKZKY{mrDMrs1cE$WA>{Av@yDiu`;mm_4MZKC-{D_}TdJM=vgiP%828X{XWJ zH!fmMln)M>tf5;SjMK*bk#@jHDkjjK<`E($n`hhCPFSwW=YR#`Z*ft}kAYKISG%cw z?bopjiVNV?{uOigQ8bPol4eLUq*iTck-Jkz-xlqr~cz8_Q5XoW+r2t3l`$0p^@PjLL%Vo2w zyJe`4gKZ+zk|EsqA0*WF_|tEFEBR>oJjt6~siQC!(`8hbnJYn0EeH9iP)5D}cXUZ5 z`v(dCKl%T%8~%UQ{onUGcDeW+^McVOKEpl315oH6DoLAczI_e%CZk(^8uHFqLX0uWKQd zBund=y{00&B~5g>s?)60h)+X?0Ls0HoG&B6Y6F!g3U{g6Uqi|#jcSBXTqy;Xyw_fk|Su5NkG5h&;z^ourW}ABFba2#2$6zYIE1BLlfb}Xe4YICNW(bUJI(-+0$Aw4{wBi2WoSpyVQ~u zAii&5u7$(Tdq*wHcZH57BIinrZCwZ`{q2}hxz!3-{B5^Bk7)M{Cd~TKr}&f7Rk+pb zp3*K)39t8GF`7;jK~u$uY*P+#Fr=UPC4R?cd}*c#!CPNV&e)oei<|r#H+{4ihL!A% zyMMfGtkET9u1S5#`p>*N>V}S2CpDusykP81IrhU7W>H zIVJm&h*dMc-&#Mcp1whjA;PCO8{H1pu<1UlamuNhxRBfm7X=804oFJ<_QNSKk*T^I zu-vUEI98w8F}%LC=#eTWZI!v9XqsfoaUGBT5SZ8#zej*w{x3dmo#z~^Pu?KnKBenmb*-_UEMqM~LuB~ZJVtAGCG{RjV40gP#yLE@mU zKur^ewNTL3+QGCN*_;0QDVR8(G^%U{1_TAvH*S9UxaCXS7Lc6Z9i8eI>dDyU*;8zI z$EFf*+WDqzMoef)wzi}(GbTxzJ7&av-;QbYU*JM5QvN3rn*Zl!5}Rw)C#UHhAY?H@ acs~qu8Nx%lzbAfr=gDKeM<}&tk^c>#;}Vzv literal 0 HcmV?d00001 
diff --git a/windows/access-protection/hello-for-business/images/dsregcmd.png b/windows/access-protection/hello-for-business/images/dsregcmd.png new file mode 100644 index 0000000000000000000000000000000000000000..85bc6491cf276090498f88a3e03bd7c3622c6876 GIT binary patch literal 83251
z<_{O`zDAPiEA&(bLCeIV-Giz8eR3x>Ph%B2JH)IW7hTIzuL=M$<&T{m9q0S64hNYj zV8t1z^P}VKDji+S&hWinF2`?Rc`vP7IHjffKBYo`By10;rsh{HBYgenesQJS#@>kt z$>qm=JvIxkkQ2;Oa|e&3*5o#ooY8~nSpJWKhlcMQ zOoZ#)#E9kc`L?)_M8R&>qIaDjp14iU8bxvhN;UwV5Xtig4gUo8Kx9mi-t^d0u2^ho z($KM@g8AvaSBS3j#ubdNC!Z#$3dK0^9MAPP6SA|3t?5$lO6d|xojYTu=e`0ZT3BKk-FqaQ20i{g%Os81!{ztqLRg@j9k8M2j05hrjtkxsF zCga>Q`L6cqdk?0mRi9m2rPAZ`CC*!~trBCCjqNh!-It&y>yvAsYHL>@Kv#yXP7wNh z%9;78)!YfXVJu~P9ca|h8(4Kd_)z;z^&4SF-AQj088~>|L9O#Kjw(SCNzJA`}Skq|aMO^sw-=cQlwju;&cF z`0{ar@ceLwa1DO@WI^9Fv@P*bE3wn*{hMyFF|@bdK4hetr*MDu+TC9NSmQ%-YaJ3z z&yEwxlhuPnvx=IUA!xm0s%aEmt{<+Z?u2fzH^clz*LBA$_)cw|_ls6qy$VFe3|IN_ zka~ES6NQlIm#bGXyjTK7M!3&R;%BLfNb$De`jYNS`pA71}e#3*I#n3v~ zu4tqg4hLg{&X*=c7eDQ4Q;}6OjS^y~`+ksI9{uY~2ksx7Z>yM$*g3}xfs!wM?=ckq zv@82%5jfmp9kX^*!~N>7zcA~+DOS(8y5%Gn-9ngcfmXmarg89ipKJ>@Z$br z@&8z*v*RZ#vy?q)ZR=v06<2Vddz0JbPLfQ*-WF~f9wculs%qTJ{&CH4Wv~hM1?;1} z0M??AC%T)GHw@Sl zSXKGkdV41!{!B6(|EJbFhS(d+X#RWSBoe3IuYQ4C$50ZY&N=5e7$ zb(sp{iTa}-7l(VjQ@`S8*uBc9T#oK$AI1nRaY1&sb>bv}>^3}0!|T#NAfu@GUVh=1 zj+zX~#JyWWqQC#FBT%q^7$!BfCdKXrI}^PxpH$O&o<3=HfjBe6d7gXm2b`)U%8rXABGp|HGfnyBJpFA?GNubq#Wq_ zVTinyVH!Lez5Y772gvDq@5{B4joJIY-R3IH=o^z-N#4usUv*V%X0iPt-$9S~nHY^M z`i7@4ul6?O%TRJ}bC|&WTNzDe8fwa>xeje9vb_05y>ijXZ}Mgy<~uvoQ(!6v(0(q=roBiEYbpB|C;T;DK6o>euo=^iC}epJ_RI>xyfX7QA} zY*&+_&+~C~GM{>boQvtTl=f)Vagm!(5BloZHBAL6 zah61nivwox)e=sRh&F3zCWE$5z;&yXsCG5;jlPigFM|bW64pXE-}kmg>NYj4W?LxN z`X)6%AwRS?ZgP%2?EcKe#n9Or*)(L-;>6Yepl;-=p#r0_90$WmdcO*%Mi}cu&;olh z_b3tD-7|F-54M0%QTTV2S2YFlFGJ)SoyJ2H_Wil)*~E>d+7s4wOz|FvYE{;eD6kuN z(%sE3YcLBhmsP7}r=t=-}l+%#}fz<6g!P z+9C9Hx4X>{d3?#RW8_(LU&~K}Jk~GfOU}PXo^h7HVXVA2cqi2JjH~QTrg3wbYkvbY z-G_UE|y9};Fi0C;OW#UP#9i1SO_}f;kcEW zE-v2?`B^THlWS$Kr;IsNl(MwR5D-IK!_x55=-+DaJ z0RGv~W0;=H$|Y$m%9J^Q+hm{E*kU+A`uikd$Vj1T?aNSu!b`rP*8@&ukdFDxi5Bo!>6vF-?2y7F=6p=7(pE{0FFnj|R6IUC+}wHFYoZfR zI4xc6*X!I}J-K_5zf%>c5EmzM+^d}1@JxDxlsUh#g4E-7QyOntX&9|3LkOecdj~6$ zsB-470(VweRCjW@hO9FEwWGDOy`nllDx`k?CfQ7##HF1J{8`I)tLvKKZA%4n(KGv> 
z%Q}r5H(nSGwKI|4HIV-PJ4E1xYQ`JWdHe!18u+hV-r%IybsMX?r`yxpH0*&@qO4_m zqbF56Ys{M1fDic5vr)<^JK;e0Y~0XxPqZbkhC^iQUXJc(gVzRtG&TqVdF*w*sk~Vo zan1<{Ru{K)7jvQ<{i^p*Lf8Fi;NB~k-_m522b)R_kcn8Xq=}dyffs)&W5d6zA(m)? zal{uGYI&C|-%TH%2p7`F=Q!2pad-4Q#@zbftMJz0{$8X_7z*_I?uvESR#EM;JUZ6^ zJ(ZvDdm|4-i?Bbop!aETe=4{sQNVw4zLlT7hdKMX`yGD&Kn9HuO_NW8QxJkGZxd7s zS<%3?&R0qkqZ^@|&fBXvx4%^&gX`wHJGzao2(eZD6*#8%#`IwFC;qgJ=mt7g7Q3H} z3{?i2-|ZBoFZ?Kbe@$?RyC5PGV^YArpi>KuJ;c5qZJKaf;mXYd7EPSKk};PBQu*5Q zREi;LKHMf;NT)AqP#g0=Mr{88rnV9PH3+sYA}q%TJ0(vz=%4E#WB;jMv2!GGLSB8q zE2K;bFJ{YJ9w1YSk8|C>)ZXyu&x*;3RHq^1S8mfrdj$^-)mq;u^@!5dl|~P)Hv|Oa z*o-TrXQULt<$YC?loh$O+xhpzgrX68sC>*;MVx{QCAs6Hra7x;Od>EFy1P|Xt6~*Y z?qbUxF5PZD`wAREum_XJhnxwi(Jkbty(Ml>0U16VPl4^heE8P$>bYP=>!S}FLEG|B zmGHh2SdVkC4i><5V*ZuvSq@A=Mqm;#KG;8|sVl;X2 z2Pa-L+|v|hUC}gt$TNBp?*XCYL~$RydLtupW{Yoq+Ww^hx-X^$)TY-Q99CAy);-Xv z2IGjyu{ES8ex$}*5>>g5;u9!tm6%q{yx6@k-gQm)TUrd%Gp2@7z%vm?-n@0v`$UUO z_sK#q?uQ_@{POP$tiM~#BH8DH;fk2YJ~9c*QG<1=BUdSrvkw=FpQKOSc$2oy_gzJg zT$U#X2$_K%r}+7v`0-^{KT_|KeJkTsy+;O67C*@+1GLmRX98#SQjjVBuk*3Fvm!F> z28cQ>04AIrL>`>conC8k{5u<-6|S=JT>EmwZ8PzzfdhG8jEM;&*E8CzdZ}fcLY(F4 zbWe*+eGAj)wRhgWl(D{4!K@`$`&{}(as-`J4CIs$7efwN}ZM`hGy5M125Nx^gu#F2>X}IG2(*%P5Z0gm*%1Z2g zbp;KzlOmmR$Fw*X}Z`*U-i3-?#Wsm-tu=Iq-9o+xJO)kX|iQCvCrwx=uP z|1JVK^>AU_$vQV5U8+{6w>=whz5m=^Jso9(pKx+8_IvPTmh-=>In$ed0-;x;C5%fh zQdN9-w7nhC+FGTnb2_?z@}DQ7OE`|m(c!tD>t#}Ut!8_^iHam3mXf99oI&v0~xmQr18-1{?_hE(N5xunw^Y{h4;Ul_lk#+gn#_I zyrOx($8sf)%%);ExcByN<42T4Yzqp#E^BCLdoK}BSa}*Du4+}p%3e{L<=V5`zjs_n z)T(UZ{hFzYF7DbvIyG@i|JEv~%z&x|f1Mcs$jj)0A)h?c+jZw~UOvGbAZqVpYIZnq zr9BezW*%$n=!6B)JYXqNE0WxMn`apwI4E+GvYY)eaUd{S^-beoa_4pH-vUa^HP4Kl zCmU{irroAZ6QyBvIAPjjAIxy|lt1|%oX5k&PDwo{ls?QiM-Y)^$*+^v_7Nkl7NkDn znek}JL&wQ%NnDQpXSrqBuwOKfN3Uz`86LN9$~NWn4qTa<`PIcJnv=>Kpuu4`a{jL| z4bXSh9&lznGF}B;W~qP8H?M4{&&Y;R^_;=cSB^&7;j4Q**NTHcbg$5APc=@(&tDZH z6#HG1KHEy;18eP0(#y4TH$x9oj#bMQiQK}|{vLb2PX3wXvrN>|?O-|jHv7vj*1F;u zlH3eSVIBDs3o27);cwkp9}pz_rv-A+IvgtmCvOoPW~+T_o-?kdKGK)93`?y3nI2w0 
zTYOZ77i)eP&kQ;0cx&|QV7~H(M6z@|pF~5CWg{o5yME9kq&y4dB99!{yrgHBG`r!4oM z{={_2c&MLXP+Lbm%Sb1ln?HW`HO`xjj(^1PlFFoAv!Bbb9X0o`yA+y2*5*o(SCDoZ zxRPx9*&~n>I|YAfL~^2+4%B^MszIhfA&#dZz*adPu{S0f5%S93 zT^ys05K$YyuQcaV=W_r01pI%zPP@ zLGTv^tf$^i^~EmmmnB>Pm-gtk`|`Bva;U5fNr}6ymB}EPj9)__?Em2Ft>dD4-uTg7 z_TwT7f}jG6l!bwU(z&ZBph$;=geZ-KbnYrBARs7+l1q0f-7DSQEe*?33oNm55BSyl zd)?Q)cmCqFhcoAynJ3;)%nY%W|1UbYls@~qeD5V-{)}tj>j#19#D%+{c_d+P3x_SB zE^(gZrn@fbSz3W#i{)p${%Eu8|9CURo0NxLi?XN1e7p=^sh>*pM$Ub^3};mFd8=0; zVfeiIfZWrWBUeWu&mJsahD(-~;Mahg!DRC&?hgz0Suj#JV>za6MGjFyE56WLd)^_-fCt} z$?}gZF{w`jULN|bsS9on=xZw*alk$(;A-}C>}&UZTxJm1njX&db&4O#rD{7F3^qVZ z*=dd-cMo<7yqMkXb`Nm#pHJg_Re#CVJ)^k%HopF}4g`aYk4_veG|UgJ=)|YGydFCU z?|+TkZTRYoZK{8>wVF${Ws{rtc#J=(E;9oYy#Y3C z%J0=C6}^`#QU-R4`yJFu)APBx@61?gj^PzIuRhPVj?I2xtXneF!l{*;%zIPGRQ2ZV zTWJI0OFzxt+Vt>G z<7~}rE^Zj@9Z;&guscmt)N3Cw5^~HGLK9op(rM(a>A|(%A$c<_nEf}nE!H=MCdrLu z_{SIX@#A0O_@>3aDSwKolyO0-B4BVJ?bP zx$U7PQdRn}??$xUg=SGhV|IIv@TVr|%ovURGhSMa5rd_Zm2v8X6Z-oriT7^srM`C{dv0^P39YPYSc%HXIPUh?P4X*WJ5vhX?V=DREBXI5W*p(*8HA zy*xB62HZ^pu!0iv6LS<8B@Jf0WyTHM7fhGm!2q}G5TV0d}=q%q{$Mvx@!aMia) z(3wSPiQRlJ!kJIbx9r*Ta?`-yC2~zN5{j_v&a4(kP}ayT+njd#VDnM3y5C*Y1#jSL z(4&T;iS(v5a-WUtwFU7`OQSCQg%nRu?(}5n!9N3Nx-y)v$|cX5mMf!3ty7I1Fj+Ai z|NgCh`z5H4$EEgv$OTno=JXQur2`)Dfcp=G2E>^477Q{R6L#y|`(t$td^YSy`5{Oc z?|W+gAFz4VZc7{LM0)i1t$c%jk2X`swR{lzNw+5Kh z^84m%YxJ^R)WT;URbSk#qwV3WzDT#`7uleeLq9NW;rCkgX_Pm2_uKT>ZKHQprEq0E z&9WT#j(Q#EPrV39o^-9k^67T6pv1Ay>U{DapE$xRPi*s6sfvTap4|392}6&(N*VH= zV5L}9n?9vh$~$er+A^FUYf^s}NWJ@5H!ss6ZM$Hg@0>P59o zHL=~K?`aSvxTM{pY@K&j?0Kiw9wU>AR}Np|Qc1~!Y`X>y?$2C{-_Gvx98rXM*gh+b z+6E4FLKWuU1wC#ArL|>8-7DoEL}Y->fY-z zQ7tJgvvZcMx2r7f%oP5US9hhSCOY*EY;a7YD_c36@MUUJJBZ;HgL?U@w9ZQ@y%vwT zxCoMZ-j{2Jwzs`zS>jEqjtBrvj0_)wuCPK%t0%&T9u{zDk9mQ98T!+Cbz4&Tt)&Ua zw>|#O@#1@mfl=|L<$iY!&L7;Q80@k~VkXA3rYz-awUd@oojV)$@z_=78qG#e_(^-e z`l9+*u`3pL<&rULXx)R#xE0s4ipyCqLGShXj=qU-SrCSXB63Bc@~pb&6zuN>T0VIR z@>~D@!NzzpW2-8qanfLNYO5|lMX7a0A-$eyKXI7HYH7AO{PL@v9`=WmnEd9Qt+JS& 
zX(O(6M!{6{Gbt=dl>=H|e?#%57#;R%6!ymFn{nNNwZ%=R>WfP6)g`)1u|>L4MEliR z#_TF3i?-F2VTCH9$+m`n2zs`_550as(rsYDIE@cv4*;B=UsQUgunebC^T!_mmFFkk z1u0w-aN-1o{v5q5uBJ{q0`_Kh8VoK#Q1<`u^ari142m2nK)TK&DnC%l-ZB|3hrB0?>{1 z3s)jjgkJphB<6TcX*ZgebNg!7AfX@cA}GrPOON^5kJiEpN<0TLQq=BbK^RW2r&m@O zX72JbSlr)%*z#Tm=ZoCAI z<=BSaPLU4{m!&!;aQNJG8qj_1^CnO=mM>~S8uM_g4kYzIECUKM83jNkcUJ{D@zE#n zWZhq-5)j$Pf-xYY-Dxo?--BImZ^PSd6TP0a-F7`yKZwGw zczZ0)pK47n-znNw9{_ABrtr`ES^zAFx%NRL*t$1n9Wv)Nb8$tcA{XwI9jHKVU_n67 ze<(#J1vdLi;jzkV6@Ym606K3)N4#z^>2kN8r0 zqeIf;b!8E#oy&#(Q=@_d$E%`!;?E)v0!U_??Y1{i`Y)gLh6EbC@k{k$D$& z$1CQa2wXCSK}xYZsZ(foia-#!w4OhDXD?^V1=xsk++Ie$re&zWW>*rrbmv&6Kaspp zo9H&67!;&Meaw)Pd=w24C2~k;aab# zVE(8#(7QhL<|U{SIB?;pVO~8IgNBNLd*_i_-|k{o6DQ%y|00DCOj#h!^AyU|ug(JAH|8l`rhYpIwGy;-<8!C<{IUiO;2aL19X9XxgZ!)oO>;LfsaO1+BP~IL z@iPiGcqx&`200JC=q568{^#duYz=ajo%B^1q@5_vJBsc^8sDxDO3V1UUkDOFwyWFX!DUL`(fqPLx-z&G?u7^F_Vbqg!hKmgAKwR zzpnH6ZHp^tra`$1v$~tm&-Qq_)K0azy;OL&WB+85qmO}hqv!#-}`8&ZW(l_ydESZmSP3bkv4?%vXJm_iOY$3v$N*V{-l2PL9Xch*Ww zu1#^S%lr!5*^QgR<=0kz%;r+5+_?m_U6ha|=#Umwr~*m$ za}PYvZacXULCOS+cTN99SR*NuC!Yx4EpD~qwzD|7+;)%Os-qe?ISnkQlO9jW_IZ~2-O(5GYk2d( zbLUZ?VHk6Q<+nuW^;*YT%I`;^5w{ryl6DIBB4G)N0lkWc%yqHk0Ii-6dmVg41{+DL zo+f9O*rB!%kvtp2eR0I4pk9Rm7Yx0wRV?oupMJH4?m!Bo7RERF)Kuz$Yvz*Va1XI|-5O?{+ z=`Y!Pud3MCQkHn+s~0;5y1FZsyc-u%;)Ky0zXp=y0=(%|-rYDXxyC&l^CxcT{1#a7 z#Y?C!FAC=48mL-Ob4%$;C~l?SYJ3DTz?+*)e1#&15Q*rYN)E09kBQt zpyKC{$^e*=K)V+%mYT-&?jiZ`!VVF~! 
zSV{fuk+cc9BkAnZr_I}QA|z^3)49mSrwcRlZU$tzt?qK~O zQf8Af+C%fJd=(j~HV5_q?wG!$tqWPALM0<}z~Kqd;TPJLCtDh9v!1TTv^i1l7h6VY z8GWt~ioRxbVzfV#^+sE2OJKZe>b9WU(h$p*NMK^bO<4MZ?^buu3meV4edeVg+LUkOPO1%Q&XEPjM^wKiV^k?vrEPrRUM0!biu^T~(4-P4u(fCZDGb45 z>rI6G7;qYBC~vwg@WqTnb2Qd%046i+ehQeUiuzhu{5jC0H5W_J`02t~?H_7NcwCvJ zlLFP%N?P|zg{H1qxnO|El*lO6@|rOapFdSCR3^A>=z5c4@{Bn_HDvC^GiWzo*M;njP-*j7uq1R?_8U zdCyqxZaePa=Q&D}+!m~tT*dK?-`&JNhDt^+1N5z4U>g8wZOcWw@~NCVXc$%enPQa= z7OwZV^=1=#JIDZ2gLoRG;l1!*k$}QJxnvQ@P4U&dBCe$BXH8ups3ob}TB`d*RVXs` zU}!&p@uQ)l6=%v?H^NQgF51mt5UHATimlsO{cy<1B>jt(4vt~r;fpG{EViAMm3BQgcz{Zy5^bC~N`taK$ovBu zO1V7zpA4Oyw68;PlCbuLa7A5(_li%>FL##L5L?xkf~t|Xd_JNXZ+1vzwlKbqx#MKe zH`N^F`|aYuokw4>=pDmxM|a1?r9$hS(FsrSbba3cbl_+k;@6Cpu5>cfR@l>T*UP*d zs|@1I7LX4(Xnou`q`gz;MuH8?)uQ{)?K9wnuerOK<`}|!zLM^}Fu(zxJSO)?uM>)w z#CBQ;qjv>s#%c*rebkB@phAc{pu};xKe7eF800^on@*>g|C6rU5ksI1Q1cM@VxSPB zdt1QTSPBJ0B-uRqbir0}A=)uI`U`V@1X{k-X?SvK^^NE{kMY7KTdxTEd+xZ0l{+KS zbx{&+DQ>uxYu5LEU?wX~DVc{kR>C64p428uOuFBdXT9XaFYjczRm{)Ep2tlqX99@@Tra%5%{ik%RqJDx?Piq1_%(P)DX#8xM1mTmVGqxCN}^%8C~Jty zY!Ze*O$}<8x#q^0;nHRb*(md_EV{ON6FW)fpL$O=Xfe+dmU9E~BiOu9=~yC@#kU)N zVOx1K1mfYLzUVpfVgu_mcepdpzHgXb&sy$~1jm(&-?yg%c}}1w`-Q}D*Eo{=Z7+cOsAJ>NlG@t(`0kJem;}BI<>B7~Q$?s2G(9%U)|&*1T93mB>4d z*%gXTqH}(iX|XFfMF-z}bX4xWK(?CBG*MUowMqkW!{-|hU|lr<$Zq7A5;pO>+Xc%j z@Kv}?6tkJO^(o#1+TgQ%l-S*#odbz?RZj5An{lqzuh=M+8=Ij+9EaOxfb+utK1B#o zeUg8hAG6sDLy$Dmdq}n3^&$VoL(MbH#vh(%dMZUH0gOwFW&E~iKPhXq8}~r`WN>f7 z$Vx+tV4yDj8EyHJtwAe372ja_mH8K@-j!|*2w9hx&#psG$mDkO8*X)7Bkr6C<02I7rYwd#tC7FOML4GYlsPMB#FsFF&jE>vJh8m=w z$xRCEfs2FolCTVLCE1{rJ!=}$S88+=^}Ph6m|fXH4V)Sqw%@?x+*2p@39AV=%_MmZ z6?BS}_Q2COr`$9g$FSv&lQBC=z%}sk`yArDirML0AC^Mh0hXU|tJqJQ*0g>hT2i|2 zGE3Oa8_InkgicDWVM}}H)dHq-hd;t`7n>3}~3$L13GT`b5 zc|gzw9zem;QCq##W`$A%g^m;G{+G%FRW#JXxGsQ#XS#OdhoM5KLYu4qVAMWuHduZM zxXAfeevSr2V+;#JObRfqxlPRF4odLMN9cGkZCs41_$W6b`i9d3ZBM919>!os_qw=~ zA1)szk62RN6$(2oOT6|tGDY*slSXSoDg$SckBNc)OaZT2Nm-jQ@=6ljP*^H5Zts5T11aNDw4qoyeG 
zHkkfhrAZi-y8WG1OSMif@&%=DmQ##__L0{UE1owb6%TRYDBqyzoM%nzs(6cg0hksp#fSflY_Ip^IyqNn8BfaVtohNnj$MUpbmc@J0dAc2OKN#`JX8R`DFjgCdEL zqHZb~fxVx&xez~~hD@N}6O0+f1{ijZSyJ6~ihS>cu$Gi6cL*m>ftar7tiY!Y>08KR zd!~my*?O*c|IG@BK6Lh6j!`#}FK}w!I#p;Dbe) z5+^tL!4#v=&7mFLE;6Gyt<##90d(tzu%ccz-t8iA7S6KG%HcX^$z=ILF_V(y+9ub5 z@-Z(58YjV~t4x3^AZONx^@~fIw=u?vw8L32BO1@Orjc_;QVPm$0%Vd@0y=F8x<#nC zUwhhkuC>7Bq(J)?Rz>nafAv*`&XD1M8Cl>tu7f`Y1*t;CG+)1U?|&i z&93vjl{)fMt9qPD+TVVh9JoEpOf^MqXybE6#GuWLRitG@c-lN#Z$FwkLr$f_dlaL& zFmbaoT}YZ4QtCFABI%kwowu=gv@^XRA9|hg*e)Ba#%gpLbT19+Z(3AsmQusg<~(l& z^1jp^*DMk8?2QPwC3b9;=TiCSGuQ5`bI6>Vk!|&tEW#Q}HV;d7=*(VWii&5Vs7OMB zEIw16AZ{-$srv8ZlEReFgv5Pn;^PR+-rTd_-D+%h&d9GK->u3_f$C%jYxO+CzdgS& z?+n}{)nr`r%+`DIpveb9UDLQ&n}ja;MI_+GEUGMNRz$gPz2I$8ewaNJlEz$vE{XcM zaPk~hEx~z~vl)nzpo+9}pmwdOU$E)hNjp+)Bvr_j-heVOp)ay`7Z*H72WwcrIH7v~ z^SsxY_Coq_Q2mYbE%tj(;ys4gAdszQ6rxGzrNiucQ^AEBsJgH;9-fe;_xcZ*;ES1A z3K4UPuTSlfSSy5nzn@dH{Qk4B2yk(@X$s5pGaTgkooYM|UDQBSapu8Y4P37$sYsHd z`;LQI_Qtb6ELN`W-|)^|JDO;O(JTy8bFO>;wF={AkD9{XCTG^3-Yrs*{=_19%kA5| zzof*OSl%Srgs?1?o4IQioikuVrj2Mhv1HTuom7%PzKRVAk1H}aRwWM_{ZU844L+3fQSxPnQnES}Aj)U? 
zZ3DlYJ=8%jru^P7Qz~L1?Zq#91#TSnn96BSE0C2e*2DCspRp?k7jPTm)uxi1=Ula^ zsU{z;87&pY#t!kVT>4dG+5ao_Jev3PPo@N?)zER|=WFJ(%YEWq?wujhmT=NHDC{7y0 zU+Loo5b=6F3^9IA<0e>@cH0tkVOw@SByv+__014yf&8-AgaG<}=vd+6q@03ZoxK!s zs7heUyWj3mMcGr4%)G8%qI#srKp%u5CzR}+ z0)DA7b&jF7cVFu_lakVP@Pnl{cImxN+QT=0#Y~;xo5&1U+^u~X|0@WQ7b13z(njpx zH4T%|t__ci2@R{0;Bnh8gHAW6tPNQlJO9IaTBT>Y^T1zTmqA^zH-`Yz(wlvM>u0m6 zX2(P=VgTLXsMR=LkU6)?V>#0=KexM=iYHaAaQP9$c^3A1aC&8DFifh#59BSxmBPvP zU)~;{)B;*P3+UtEwQt2XbPS5_GIU&pTZMp;_OKMr2H(7jIwL?_a&?^e39W@cI)5j@ zm*4uweH=*;!0UibWCrkv<5{EobSmv14+E~nKA(WaPqL^#BfDFQHf7rln#8#q zZoH|e_^1l!?UOluLSRQ6VJDQ5mU-70lyZ)>83;xL9!~Yo1{lWcTIu)mgubU@WsE`y z2v)IGecdM{A^70t2{e9ecrqwcd_j$`($Ib zNTN8mkfKjv`uL-v#Lz3`0sB~#^U3tJ?m~#qTg1GcgPZ`eg@5raHHh}z*3gCg(a#k$ zJvvk6aC3Fe;UZm?wmw10Ms<#`BC3*GKH~QGT9HAD(o!)`AD#cu&d?fmsGb^ z;|`bR!s?RJmW$LOrTaloBYZBtSZ--k?rD_t(@M0Q8D3kc2@FG~>OtDYa=(wl7cE`k z?wcp!mpxv0BZrqWCcIzK2F`?&c{oY{N-=kS+S7GQGj@}Z?*gOpgy&zN#>H-uw-SfX zr-S9y1mFGi??HuUYVmz&Jo);~e@~K53~2w*JhZOPyE>9A<1|bAGlQ=O#xurqdv0TH zxuxZ@`{!@VgCH;*9ri7B*H-XHL8WBKT+J`I5>TSkeWcT#7O zu1K-=0EebedH^v-5Ur{+3~MJ>o>N~}GXUgX_2;B<*^Pnr(9!^1-};YP^4fjrzk@Hl z;&~MPQSmaY@bi83hb)KT1%{}I#P@=2izZ6_;fm5cd~b*1+<%6B(c|m7yl>0WLXoG7 ze=Me2#<@?z*a9(N!y8W#{~EMM1=E$2)Xy`5@XJ+%0RH} zm5PYcg!u{d@Mx~pJMs3XxT)K3w;sr!5wc0w+E$n<^TXqy3!Qta2=ifU_5-XodQ550e4zwE~8J;c!m% z$B)uWGJiGbQ>}Dxe+Rq=YKbye?M@qdw5eP$<4Y@q@qTk1EmllWHcOpku7=@!z=0=aPqTlw4ZSwil2&pDX%J`M$T#*hP|mOC;&BdX_!8h$8eCO* zoevE)ov$ubyDgYB`G79JNqZ#i5jVConY}2rkkMHvyLh+ojlbu#0=5M<;d5;U{h!qS z+;k{~FtZ{2+Bo%qu(h0P^=cB-HE>5qAP3qVf1Et&3`-HhNa;iUpCFhaZ2chHWj%_7 zGuse&_gqRsN|31=Ojlk=3&-MUHsaPtPxs#|Jz%NUu0$j`o2h7pWArBR% z2u-l~5lcED%=!CPt*8AS=2WFMklXKQL(4%d_?Q>95d0y)z5ea@O*w48}E; zx$WXF@NZsO=}lGaN$I>5BkIP{E~Ec5I4sS)YUhA2atOcvy9p>WGlCBnLi6DaukvWD zwITJlASr1q4If}e>`RW5nVg1t=gN`;Urr&Tk@o-U9Wx9aRIbJ~?9lCLKJzys$qcQKU3S_CIG zh1AZKHFc9$8U^MGI_j>7W|dKl;+XEyi}PHpakIKNyMvanjh{tl9HuP1zTRno1m?G* zxfeEV<8Xs(5R?f5@@M=~ISEj0KUtch#l7oi5{pj;`|_+?9;#5l`$CK%BI~B-aK=fk 
zy7_mmOz-juVsQi)B4P9f{rqbUSFf_?D)U-&vg^#B4b0No<4O*e*LkaC=$P;eJ#A@B z^m$o>Xi5H@ww5~4i#T6NGe?D>V7SdWcoFt@j;zaJSByySfyl%YY8QhvIKU>cuU^n0 z4q_}(yPx8(3V~RWzc@KSETQC0R@8RX08$WG$G+=vaSx3Oi__nH9Lu7fn8bF`HuF|I z4h-0SZ{uEa;z^8TUXNf^VbJ1zffeLIWuI*ucRKP((j=dg3wBScalwTBqDHBpRIH~$ zdwaBBmV)bs5vnTl^BY zva>ED78g3|+RR=|bM-4=7k<6fbXvZcJ*Zoxx-in_b1{*iz+x;Y-h-<#nxr9ry~U@5 zJOUvSjX;oo^7NHFi0?fkADB`59`jobFydb#RVP~?GJMad3dTjga{VuA5q=4zPNOpa zdzS)3)gS1+3eHB`WPr>qQJnwMtQ-nfs11I^O$ZS-9jgJ6KRdPL@p6|M5ooc4UcF$6 z`dH2?KDsZJIOLYj)u_Hs(|FnENRmMkzhsBNmaJSi-x?>-0)gQ#%lG2-=<6vA@#-}H z(HAo!=(-aKLAHb+O5P~jz#0N4`d+2O7avt2L=z=8tUyj~GqP4vA+N^UxsOLOPP9ni zs8h^&;}>+8n$xdZQICZXg}m4bAxyf3Z8}&t3Wh*}4UwQLmIvMP!|10i{ksX|j%24x zHyLZMvCAgxweXduPv3l(hNaEkJXR{GtJx}$_Odgf9nA+isrm^}bJh&-&A3#)8Hs#* zIz;#2#(+0%-6s6U{}Rs8Kk}g}UH^%kK)AES_k-YSnN?9|2~3I-_vyNOKhNG*Ui7eS zl{%x%lE>@riqI_hzlQJ5t8{9@Lq2|T$~L`ZwFE-_ql-px zm~%JspxM@2$;j!$R(BiQY*Ahi;j(sp6JpI4hmlx7Mc#7T4L ziJ&EiFP`AUxfQB3hB04kxicI5 zAU&)zgCyzd#@1%``SQ>F&u#)`?EVF&vVB(TSutc_Ve)tY}B?Gu#3D9U+%Wlz=RK-wB8^*snzS4 z3U1lgxf|CjuZ2hCx}%xzz8@{P@Xv* zW--XII5e$=BiY-1|Jdz&R4=-ld=YNS! 
zR=PSG&Hg1gc}Lk!fpv;a5OY2V^#<4cpbWY+@_xJ@~N+&aw5m zFRkY5_-JDf1i(Aje*6ON1tNdl<{KOYjhK2(@!giE7(dI0ns>_1gg2(4wOL{=_FCDW z37k;t2vxc%vsh`Tq)2LTbUbKLO2*&g6S@gER{QCG4|{0e`FWH^Crw#_<*JV(YpYL` ze#clbR@BOD!bawlo>NlV`457=njG~TmG;cqBO+Ec%A)?c-y(T;CEAG-kIRag>DHTQly}R66<^Ri#uEVFnUGBy!p^h z_o~W($6+b&dAqt~HyMD4&E}G17!9S$`GM_9F0d!5ad=uB<9`qW=;PfhdPv`FhyvwX($ zX4mi_5T7#C>6$h+UK1zrsB1XEl3*Zd|6_hTMq&(ap9415)yDd9U(1XXLipQ#$qclQ zxH@EH%ra2BYT&Wkm;LQV=ZGVjdL}!vXM6O}(%Q(tkGy$})UOjm5(@R>5WGxAqMk~u zZ@5F|TCYinu)BjmkC-1nysx2?t*vQm=3>kkpGxoh zBHDC4#@TD-JkPqFyOr{sjYoawjMa8GKD6uIllQKh^$su0uWX5VW8h6X$|<8ct&`=V z_Rxh@7_KS1t*gdoQ_F7D17@>UNowevG_>J3kl$?jKg56QQ{AW{A@6WvbGBi5vFU!3 zfVeG2;!N~_kSp2B1C#rXRnj}kjb|aD6FdKwmEsw>2NBG)SY1q;oeF_FPVTJ(Weuw= zr>#)#C%DYLJWh9a<3T+^Gq$%0K?G9UP^-IuYZ{p*M;z(-9eD3K@!9ioLeHJ-E#0(TLf~=nQTW zW8NhdC?^Qq8x=d&2LrstO^6uZ@Ba^l5Jp`RyKG+i+imtv{?9J4N#WuDcYR>j`{1(J zv%@Np`rxpoMV{`3NNVw>XwJ;>@Ue;6x1QH{_9)!(nF z<;YfcZY$yxqWo<6QTs+JUwH_OxhjV~%)3(&LA`oZCxiKENvD#6Qw?%-eu>h@GSycof9hXt!=~rp<$OJ zfUSx$FzNQxrXple2fDs?w8aesQXiQXMtrz87&DWPyyRo*M zu^S=tnmF%a@|x&*$i$R7!3w0duko@zZLRr9)!9fLh;P%*hTw4p4Wdp~2yq*dz0G&Q z3Y0PWz7_qV*C&5S6%uoK`84@|QSV1?{c6b1hPjYAW}ONLWWhz^j;3LUTxPlmuFWmwmUd_Vd z-595(_77P8BBqLlURXSEpzt#fKAmiE>iDqwLC|jd2g>C?)tsoK{N{lRSaZ4S!ekW8 z2r=F!4VmzLPr3Q8hl1gF=*B<|zbd4Eig2-@zu+thaI3!mH|1&QZ5Fm(HdIp*cAc>4 z5gtv>+93wbz?mdz<7kdGy!LycT!{7r-|c>oY9F(}$C{%49981c+f){7n%+ZjbJ+|%5q`?hI z%)>8xlY1^Cfnung5a|mHk?zcH5DX;Qfo5F~RCMryE`kZs84BkwgMT>C;hQP+V2Ciz^TJ_tSFcfEXOhTQrx_2>07^kx1J>jE6@i=&uZrD z;sNIUc(>>2{Ieik&U_6=h>Q4(Kz2t2H@T!{k&&Vh7+Bo$#&|f>& zZtO-EdWY(1*%_6hLqUPw8sKRj^iQk;@T@NY`OQ>X23wIV@SK&!`2QgW1<>og$V%vv z`9Z3Ey>kL|I(oD%cGHuug3KQMu&m3QWhG+W#dfXO5QxCwy71L*l*s89F?)YPRFXh} zm@%sgnQqs>T`B$l(s?`ON3Z3Q zN{Mf0aPfsr<|^r>sf-tyXf@M4Ay9+NO9hS83sE|d=}4oa8AeIBS%L7B|AvNseXs=G z%UUjSdRX)0Ipq1Oz%M{Jf{`xhfr9>eR^?kB-j<-V?6Npp)}Fzu-m^8uF321H-Qe(f z+Cfmm;`aZj<<-gr!;)ZJ<7Wl6Al&~2Wq70L{fE&O4AMDmsQI+v`1^_+6DCLXUo z!NrZ_L-XtO=_U%9{oZcE5QIGKvuKuFu=`or4<*MjbyNUQK$tnMTtXi6czYm(P^Dbf 
ztzo%A-m~qxQwTM`YC#f@F|nxzr<$8Qs}LAx@k{qGDwUMSJ+=$!2Q>uvE0zo?8hCua zBoxOnA=X-h?IKkSflu;y^CeG~Cx(rtO*e@>WVssi$I)s&C4{m{g@&%cb=CIk1_3?* zl;t_yq~oWc?w4+K{O%GAdfDIz0QM#C%+^T#-!VYp9I$LFsu-$r;QjIQUt0+%5_&fWK2M#jg z!0J=`cm4Ox&nHZ12wbk!P-UArc0Lch_f~hk8ri#@A>6#BFP#(3d)*>W|Fv3_gtV;+ z$Kuyo{edg5#3TpeVAM!v|5IP?RoqZ2^#TF`MX+NjG3o;70c5H*4`LCm1qs#kTK~S{ z&|rl^>@UaN4BTN}(Y5TVIn!;qrVU9JnQ?imQE~Bnf8~J}z&|DTvn+?&dgA^trZE8d z9+Lv6pgBOX1)%;dDYpzE=d{)2a;zT}yowe=mF~q`GCtnZlD2{6f<3>6{86Mv=e2Ud zlOemPU`rGMC zxM)-}ck#ankNT5X=2x%+rGciAGT>0)K5@{!j6FT9Bamx~eY^gIafoxp2?%!qEk6)Y zjIY2zarXMZN-^iaj$DX;Am};mTodSToHxH9TLTih9YS%oLW!`Qozi`_In{otkv-x;tc7r=CLG}_V z*mlc&>SC;Am`)$BaS}kH=vPd+5W@4;>JF*u zPlXT&(~w^XwIidAg!7>OQPR~B7sm9%giyEttvUZUz@n{KV#5xS4A z9ezrOxMc8=JeWDdmpbn~R0uFjnT5m(keqS3-8S@zQq>~-Y3ZW(^_t!wi#8s-gW(TFyg2McS$ah{t z*6|9~?v)(}6;h3e7!azhZBz(BwyjM}fR>5|1(MIIzf@dSku0i#_2LDD zI#q8A-Hwwyc3+-|{pOBU{wR@Gz!{L>Bvv4ZlW~jwQS-!gpqF>NPomg^9J}L=%%c(@ zYOH#5XL8~)0nne8n%IG);KxGXeF01$yYt!xkYuWOf+WZi#f~8Al&o}<8x{pVihrwj zuye2DIqx=leUas^uT;PEK#e)GG|5#G{`p#G5sNNgtVFcBM4#1=cYAqbO2RMKTcSAO ztoHx^IE7PM3kLSBi1h*E6_ z#Hj%JZQOHrC~MS&wt)2CC@E3m>F~OeWI#;U$FPe-$oN@SklmxIfQqGGa0lWa4MkGJtm=J<9<>}&_UrcEnu za+AyDlFpgl*dhFEwgUCzh(>XM&H7|~(X41W%KDdCq*2vFmc$qaJh7B)#%>!R%rT)u zSj=#!*dulZavm*DHk6+kEKdULN7j0pcG8|6V5yx?OZRBu-Z+gENgCB0X^jZQJV-wk z7x7B^9Z<0j#P0vj(~R)ufVTvGr9xG9H%65?|3x`U0FUN773y3~71f5Fgb)I#=2w9{ zolzlk#Zo-KUmJg5xgNNqLWur&sIr(aD@bTCT_yc`_7ykJJz2yX(?;qYDNC&>gO8Qz zM7Eb(E|`=DZ@EU>$>3Fp;fM-h%HAZ(lbf&i+5Al}vf^G>cpn3hof7Xca z?OO~<6z1k~?#MMtP0n58;jq>B!M@%S9ElmmXxf0g zd)A_`lkq}l)fDq$#2RUE&aX4DK~G$6Yeco)X!1+Nq_SrEmQin{5bx_ZU26jVq`e8r zhf!`VzhkCqI8&pkd6bMXNG3B>tV)vnyI-rZO329sS>x25H)e9RK!LkP+KE)**(v&> zK!0EtD0|rG#qaGta<=-Dm2(2wf#PHT?czt8Izna*@Bh$TWZIhM1{T$&w>+8CTc0TU zBV+GGZ%D-*%XOT(h^-Rx()$$`0F(xr0Z9840K7duh{{Dd*f|_ncZRQAv@T*sbNLLO zlNt8;BHdDBJ|qoMq>G0L;B!$GcX-IZBn#)xh@mAV?}X|-7aE*dcyYZ;fEd^=5_q%7 zZ(N8(-Yva{RrGFta;D17q48vyv%7xdPy7w5)p}(IF-Vo@=~czWGzFwSxss;uS65n{ zw)Z$_8!XIC&v6qz>Buygg1CFQNkHylXkc=@<<^%vk 
zy-YBWI=1!|<;l^5oEv_<)#sYttrMyLIV@F1Q|T-_&*5rk#YGo=C1T%}N;CVZIiYmUsZ%Lj?i5(%E=%t53ze|5^ZvoS5r!NIRa4`EIQQ$}zN_HyJSy{ZTUi`+$ zy~ZU3s4plr9|ZD{Hw~~bu2z?vEje-$i2I-=afXjC6Y%I{rEW($u%JbwnKZitQ(}2z z`F6yg8i!BB)O-`2ywBiI)z+7W|-TO?& z$XxvmY2FskN9HQ~ugdYlCNgsB#rH}Y+LWi@XH)I|bHv%I4e^JgJKZOo+`NgiWt=r^ zAqB{Z+4>f}8o1M7KxWfzAh2|f*@fLG9lCTL^lHlqNUQ#7?Jtvnf*KZ-bq*}P*$XfH z4+$>(_=*MHC*|ovnul8dLIC~{A)o+|BR&(U19^DX)|ZTO`)D|NzYy43v_Y4&Z#rlf zvYcEIQ&Cz{sN`qsJs{FneA_Dj_mgKlskxKCB%fA2a`lTi{xE;Qz)=PBh_~|tprQzo z2q){|)CNGrSJ4CU>^UtH^?dsMB}Cfihen+C-6YapfVZQDK5mTAl^&J6$14@x`(T$Z ztdSVbLtM@C6#a|-CRm9RA*UYob{r?8G2ZzGbPOF@RJR5}PY#$X1cg8uV+&S?T2`j- zb&;l5R%W|dUU0J&{tO+;F3W=D+B~Y*RUgQ=c9~_}TF}A1vEbtSl*jtuT-!%KL zr{#=Z2t^APtzo7JaPfY~ge#P2<{F&ZRXqsI?~v=mKVHM`yQ5+>x#!U95=ycwa5CG| zL6CYYYFs^oV*ccSr^36;5=GR#-m@nh-P;|UsWkP}jOl@!N)k1kT~m=UhRC8g9?}HB z!J!+D5<2W`JanmtU3uV2C#Q4~(W?R}{ubQzjN|ox>anf^F-G)w&F+~I)uLjSlV5=y zcJjZN?ctVB2xb*ZjUVBaIVUhC8Q=)aPmd_f|JB-eM>V;0?*z)AW!#;bZNs{5qgj((?XZ9kj9`X)rfq^&-iW=S~Y!j3cIh?f3K(` z6;^qqHA0OV*Nd*9W5^94nc!s;2hwr8raR-kkP67Z5<3GBC~c|V*N0@xQzY4iCK=W2 z-rT*uM{onY`;9Fa{-SHk9>ZRp0FiuxU=Ejy+L+lCdI`I^Ik=3Iod8@{yH;9H2ZrA* zyWA@$fxIeZT|>>i+}BJASKsn?I+%Alv%Xzkg1J6D^CB3nIDCISa)(}TeI5ASO2#i} z1?|oP7^xJ+d@bfIu}NwEr7|rbTaC}@PVcI)IO!?OcU(b~$1=?BCP{X? 
zcWj&1XNcY(S2as3je5S?KsbN#sqe=Znl#0ptAnau@1vA*46V;2>wWH`mNKw5#jF>j zus(41>pRQ`k+7wk9sdWX5;^TI7(Zl0yLb@II-kK4%cL6b>V~3lNR8VF>)>rfVh2MT zIxFLJV|Kq)w+|ToRc&R-w6@4GEJX&K1zN}FBJ73>IxKvIm&c`(Y%EE!%mt)wg)rL0 zH(*OYCBH1E6a4CQh3lS-{8?QzWAHp!^w(LR#?2kve5M-QmutZcn|Z8M27Q6Ct1d~u zcSknAFb{b){f$ii=!`QTT|Hf(%fYx6A^NJXd91nv#;&i^;oDeRb%@o^XXBlm^Qjy}E80jO zE^Dm{y&r@fLlV!ug{HV5#jxmSp3Aw@zsF!t%kT?=K4*7CRN$GXbDu5*VmB!eTUXeu z5T|B}sSO*Wsy*xfK&LpI#$y@vT!G`W?0IZp=c~3(5Wp(g8h<%%$O^Vk}qyjZ^ zBH(wgF$Ge*0O?EIm`sA6R~hTLnZ|r^fqdykig~ zk!3V{I1&FCRC}lu*1o@^a`gTA(j{4egh%eB0l_TsVr$2QuPS}=Kl!P!j#R`E<8Byy z_p+_M1~N&agiG~aN=wDiI_k1b++!%z=MF})^WGRiZ8mLWjf38S_w($fQFke52bi;$ zmN`ArU&N#y??-RCC_LiT-URR`r9@(cr-jgi|JfXCr--Noq z!leLG8fTO?<@ran1;QJaP4Oq|1iec0hGv(Ftlev26o;otbd-?NW(Cpv*C=O1eFz?A zwD<4m9ew_f(Wv#hlSM)O3qkNeu_DgH-3|5rJ#oUdtRY41))4HIy-4N^3hf7D+-KLs z4PjmP&S3V6BRrqaJ3ND3642X=*YSjJXua}u{~-2^X5Inq>R%{YKD=Msa4z^NLwk*Ys^{o6u|$K;nk!}gsw zryJ6yn4dt`Dl<@Js-xBSh#${qje`|>D;}Ibp;e;yfl>z~6J>mV8MLsSA*sbD^$oM^ z_4bUOMx4QcL3WC&1K$uEv==1Kh{vn*UngY&}5;0Yr>D0>GtH-k%M|P%Y4ZtqmkImlWWh z4=#~ntq?gwgF%T##y^0S2%d1fkwD%b;ZfCmG@pCTdg1DP7Q?1@{9R_fBP+4Ukp9H> zWbTClb5D=44{`n{{k{+-Hmit-GjxOca?1^}0y?Ll^px%$L5Jo@&Ev|Ym2D57hYXKf zR25FY=nS=4pQ~^^N&9p!viDbjkJnb3WmX3!UBdS5mG7rk<{i(yfd!Et^JblD{+b#I zLKxrWrGu^n3E`3G)G9PjZg#sm)Hb^4D`n3i$`hzdYh{Wb(yA%-L6*b;ztR$vlkn;X zJs3jRd~f2}<%_p!+S58BgJVSICGCH(Nn)v?_!Wy+8W;7`5=l;ZNGFxmeb-FIyZ2JC z?q3+8o_SXFO+9U~5-)8>F84ydna8;5WvFmcPvMAS_6og8UlL%ey#J%i*>a;8;3#|# zeSh)xAj__^iN_Rut>AwS!;?M=`f(>(!^11zezK5+%DLyicfPUQU6!$#J1j@64IKJCz~ zsAC~`*x)C&%t*#HE2N8OXpMl&lsxLS ziWzf-EULnf(>l1FNqzFNayC=LBRa_}3lE$1FVEQzzQ_sxhCE%u0iZg=n#fP-5SU5v zu7OLCdoQ)mre*#@7Da$$$*OM1yui<52Q7!vZsNz!A+oBraqFWpv=fct(JMyuIX2Fo z(0JujuWDO9p1FA^;z#`g?0-x1FJZkOL6LO3AEI6*P_kSRb~5xBb5#JA!VC+kWU&yz zh4e$HR-qqucB~;&oumvSHuumXqu(>X`|fK#rHH@`NI~f5RaV76f3_5-%tvanG1z6T zJvbLL>oBHyyilL=opL65u?v|@INTe#Ty{dy1Dj7_^+X-Vh;n1v7kd;yy0xvY+6PBW zSgB(kqp7de-9=kVTc7?tyN1S=w00I;r#>*zKwcD4KYOW-Q>?OY`NvZ%1<96wt~@3_ 
zETj-nME}S|3-oiIQi?<#17*0a5T$>CsKlp2)f@Ms-%qIqBi*D?Z^wBsdUlDMaVryY z;Pue`_(SM-HH~k>tK5vgTdV@|nF;x+wk7Z6z3-tu5^L`k=euLxK z4f5~CB^rQi!wUtYHD*ozMlBe{n)pO(IKIS<?k(SL6pWQi%856h-2Y1^uQ!2ax(@ypG`t=f9$zq3T%z3GP#O!`y&TQ0@Pa}AT(#A~x0WE)A9%>vdLBZY$?L$^hqsd>?eLUBM@gRAP- z7Hchv6O3gjp&p#H|ORyEO?s&(LYgGT6!(iPs85v3>G!&DFEbX4l7epbVkW zdRmt_Upxu$VviR&%-@k0v%MjxOKm6d=kcsaXZJw>ob$VVNI~msO^~N~zY?u;>gB)Z zw@slv*r~La{;lKT5(ZcdO~?!@;xSr{4C-5aMxDfK1$j@A{}7mf#sO&Z?&gLO_J35B9A-VBHU?aa^6|g-Qvq&`n}*Seun1Nl zEMMBcvTUwvf8pO&ih&RaxG_l!0@~wa!M0*~6feu}Dn#QA6YJ&7(-YWJ#6Tx&LwvSD z?JT)x71SA}+O(Z|e>Z^erkKAD{##&4YpgU%BLeUclWw-(^L$9z0qSLOOoD8y{Pzn$#A5!|nU>)^T2Pmg<*X{xg=)*3_v2K5lVbXS4*aD``IYrPDe!Mz9x?i| z1c(H3DW+_FS^xfmtSG{W`ol2<2rf?~#7(gt)$&48{pnIQbren#p+lKtVnCTOPL0Hu z?W`vE*s9R=uuW~u#P%eY^~CZ!+Tn03E3q$yhAPB9PNk^>aV;P)fLh{Ra2{pBB5Q4w zr$Fb8QqT`eT)0Hxr_1fgp#;va_ojkywj&~UB$QLUWPfc~g<3f|kFjs}lCG$L*{Z7T z1+xWt9j$B)#3I3OQmHet>vk6$Bp)$F) zuR5y1F+la_{*IXxSyli% zilCwd8-+c^-wWIr^XLC@Iv^SA3E^qD>DS*%;R5qN-2`xNfghL(yslX)8n}Ys+C3GQ zel)<;tluXZ_)GFX)c%Ck(L937_*~f-YG(pVzc7x2QPPb`U(yj9tNb)(#P07(7YdcC zA>ns$(vJ$AnH8lnp}|Sm?3^nq-)S<-)eY2W8Dy$0*-JsipMQrqPx-NT+K6-9ZJYY~ zg!|i_6WBFxx6q*Hul?Ey=-naf@3$l*_p8ZW#8SzLn90ayksGLSmR<<+k=3WwrJNB; z)H$_}rFhaD8}UMe3i9`?#xXv zva_axHkV!AdVIbX%4rdBH*A9-3@vv#OfNGvJ;PHX_S5)Eb(0aN5gKOLbiW~fb_#Lv znULc)uh=5hn<=&N9Ghq^gQ^3SAqDc7$GY~O$=jBz{3&0qy{S|RR6s_BDB&xn0D^9_ z#F`kTL&-uV&`5kN%=yP?O?aI&3Q)YRl%FY+)soS8C|S7yG9JK@E7U-h?DGYeP0^<(7Io0p{A&sEcaCZUH+#XnZ~BF25YF- z>YRkwI*G7G3|;HFUv%RQ8@Wq=#Vn`IB8(zq=kz>}*^lpb1NhS)mA=U9JrLi-GYDnH zBrtFW{}sr89Ca;vW;g6KD~#wd-`)Q87087S)^AsS(50P8VIp=<;qS-s8hP!CJY4RZ zZjjy+UD@1=&gME5LX1|Br0-$!e~pTl@duMXxv^(JgT>tr5oVD-jaw5F%_l_sHg!!x zYym&cLw_9LU>+4FN}g_tHkPj~Q_9k0Hhl~3&-3K*{RGM?V~~UM=x_b}@L#{iui^Al z(yscjp}(ceelC8Ao0?O#X^MY3*W@`qP27}~k~0zO;Y<})KEKT1z{b^=%A6^Ofd^Fw z1yCN?xFy^@dtfOl5}dkQG;plqYnM7pT4)Z%uVEI+;G_Wyet)Rxe4~8tUhlcXur3-_ zlcXdUMstm94p>j}sF${+cOi$8!{(^>A*+I^h(Q>rYYx(G-vqE=>9UZY)B zJLE0TQ_7s6U0xr6X4w5WX@7@*kmKQ#!4^SDnWdKGfVBDD4ueO3boVRL06xSj0yGft 
z5RnPbD38Bl*L29FcqYcIeA9WmGjcEW&c>~qGmBUBtLVZ`9{H}%PSypdZU|PQ8KFnk z0sym{&WKnnOk{(LDv`Qe>Eu(D0K$yQ*Oi@C&(x27u1mL8?%=yb5oW`pkS>);gA<*- zN8>Qio67Gz&j)oXeq)hT!ZT}xt$2(MaI|Ut_EBkWaaD@QEt5)5ln~3(Ump`9Vf-&x zA?koBpma04;bV~&3PA7qK)i|c7$N+7{y~kwl3B&|>#ujY#j}T7z8~7qO7PqU4VTT>d)jvG7}43eAUY&JM(#Ww`|Q=V2YGUHH`__ge8AA7Eal(MehW{4y#?R{+js_uC^so%S=N=uyYOVT1n)OU-2||(`d`Pvx!C(1vywQn; zqtz{oZ44d{_(fVb=&XPQ7~rjTN16T*NaR^{o!o0LQ9GMwMN9P;Mc-Imi0ZOql)GT@ z-giHp7{A>*)g6(<7-!~@=YD-l)LZ93pu-NN1&dz5{*XCFeFl~>SH=v zbu;kECWhEvrkz>%M>Sc{93~xJ^!b`lh|xmq{a#D3o}{{` zcQ zf!sR~b2JRh#wGARZB_+5 zyEVPjROVr;REl3h-E{7bKwQS|laZmB_EGc;ozlQ##(S5(&UtGod1QaD8sdX1v-NS_ z77zHsCEwQF?Dgp8bY^|~O*}s_)DQxdzSA&0`64Z{JF!ZM zk0d<)sXC%*lWrf$m^j-TPl0u3w2BUFqY(|sQaL74Fe=dUXaUOC^68ul+ZpF%pX-Q; zlryhg!(s}Xw^$L%SV&(4P%6scnT0t3F*d*=U6Q}$Ngj!ocYlTda!bZBC3*ojSlnIzg{Djf zPampRn*tHgSB6YvT|w5`XgKAq6S4gen~Py*uoNy)Ij0tGa%w*Oq&;?T ztV`q@RDRn`BfGCiD8t-aR3{}`=5R2=BvCiT?s9kK=L?@+e%D-JqGYP*zAcw?=f*(C zN_yMyt$w`y6z<}O;$A%$+pUz5v9peAl{cL+zmRvuN1Q&Gx(ldDp7)w(=gE^Q4eM6587gDkvlHdbo)Foqr|b`bo&tP`iX zzn?^|i0z}`Hs+(Xyq@m2^6B)GsxNJJiRb*{P7-BY{%U_vg19qOo%iHay+wJF@xI?r zw&;(=0`F6Vmb*fV_*LRKlkH_KA_kr_vD~)(NUFTKl=zG3M|`vo1NwQsXO#0L+r==> z*4TJ#=y-h&AD6M&6#)`!I!_sWGviC5vEDoQQ$}qs^7dB$%(rhlz)Tn)0+21tPpCHk z_#Ds=X6>1UA7y5KQ$cw>7f7n}61cYGGxFtYW$*E>Q2SWr#h?OtK6*ZhU)pq{-@|VF z<#&XUka%~3)Zod{P8*F{r+A*76+2&@XYS_q+Hyv-L)EVDC%0%mZgJm!%4uWTX}(V} zPuBq}s!+`6+1!VKpS9wCuAjvvni*TR>D(@UGC90^{2uHiuSyvzY3fBg63?r+=?SY8 zMLaw(`dqd~QdUyt0kbJOSWbNjlzspi7l*XS&$D75Zt7B_)eMeXzvYnF41Zg=bR1If zs)>&Q3{l^h*BX)eZ@S$ehz+FO2wP=x1`x0Fw>DrdktyVMIRPW-DF8zsnNART7)Crl zaaWQwy?tVxL+W6=r5(F2O#lUU)}gQiY_k|Mz0IUZatA8w>@_{e zd5v!Lzb=GJpbf3yYZco2{RRwf9GK&O;`IX49H5K^x-{%RedY&SH=jgWYRsn($CDe2 z*U3aFUHpsAZ9vbfUlcTfzI!t~_N*^xn^+hqJ}}b-OKm53KeO5iq#cMt-ELgrNQ!KL zIkny%5@`+^-Y%TeG;GI>ltvE*cWs)|Ra{shwTNLt#zcdCo8T9JWVkkP1)Pl?Hj0Wy znTicCkw%4+U&b+-hKwpex+;TT_LBAm(NYA1y@P~i^Mvuxe0tcy3NEtjQLEJ8=b={# zcU_XAds5BKddt7=#LVQF+_qFPjTPzf2?-nEW#_*UoaASe?(@>Y&>2oe6Hms^+(PY7 
zv}6l}567bKNgS?((ICdT(jzcNC_>yX1jGFzpt61`)QP<9`1*qI=x#@wLqN1mqf(hk zy?*iq-n8`B0(Yu+mSPSHf?_T{Z*v-cqyhiBiw$}xq+fOCftfpx-;l}xf3s5AYwZ~G z;`-ufn|Z6s8)30bkFWXL-IzgZx-g>QbOIW9ry;jrqSEX(RJ}7sS)(@ zgYU>23p>75Ml~LUZ;OPfD4O@Xe(rDdDn}P&cFABtB;BUE|EVD?i-QwRTyj6?_?kOE z<6*b8Qy+_)&l4#!kqCfOx*KwRfPQ=lQr~2U6oR{Qy+*x1jf@fc0(G1}h%9N0FjWD$ zVa7cASB&&RYpEak6@9Nmtj1<`{r9iIgqete3LBv&sYfuI8A3{vq~V$CPNWI>4c)j% zge9N3s4eYsu0*7(QE~bY9(zQli^m)P$29U9{7x(>m&M@3xBd-EO@?uJwI`OEON_(Q zD?6Q5p&3O+Qwr@Qaj%VZX8NgK^gYkbSjmlK^KmJu4zj>Ai-Y|GI4Nq$$C$7PiVHsB z18>>L`+D7_HsC7KVl`tb%erXZV*bLL@I{61hHPsZaZYbMFpAc5#SlhqGAF-q=GD?S z9o6de^5Nc+!jD`UgUVN;yNYJtJgrQ71ipG_g+1+=vDxZoNjur8m2R*yxH!jc;|&gS zheJ=87}zH*r%H0)osb%I5dIKbwP|GIzCP0kRbAiY-CXm9YM6VRm1|+1a$bcG;MQGC ztM;mF6TD_{ZQgBRrG7{|sY@r+&lKMNc;~Ot9On}*kF1`nT_qSjUbLAL*l@OjqRiRo z*Ss(A;5Tr?`56k6jJl_b-ej6rvc1ssW{XRZ`tU=Fh4x@KAx%|eQ23UHSPffI*4rTc z`emQoM-mzAXI@{wGc>)*U_E2toLD%ic1rd-9=w6}x=dy)%k1up))Vo9CAUhtMMP0) zHV^jFcQZ)vO~N6xcNvnuFOI;!%+;gJxL>8s^R_N6_Fe!}tbNr$(6D#u{@yFc;rFW8 z-h_fcG459`{VS1!lsu1btW@)_y!9cz@~blKe`A_ed{^bxScoclXVi7DLpm^PcC8-m z)r{xyUi+cHv=M2Z4tGBYqoHQKV6;KoX}RBHKC&-O?CK;|%ubB;4ETG!FWiKyd5|}C z+4c3Z=C>*d`~ljO(!t%UsPLt$E;SvLstGlkqi^k5R9kf#<$}pegeo|)PdR1R#MFSh zY<|EkZ$#J??9!{YqO!u$tuddUr&rwlF%TuS&;RNRj`3KAz~kDISdle%JT7N5&Of{_ z=Y5d!h=P1UEZt6BvT5L=)}yVn=TL=R!z1BA^QQxE@C(VLesaxY(ZUn1lz!ph$A34Q zOY$ZnNF2>-v+nxCCq+%MQ`W@pho;o?qy}g_KT7XBw&HLwy zwxgPIfisk5w!Wk&8Y&tbEm(P{^~E@tUZfTMt3L z4;dmO%pu!;CgJs5b(M8#@;8Nx*k@Ccn_S`Z~-mzxoMVo?$Y!If1h$uvB$ew^Z_wSZqt)8(z*wpJhWI zVqMeB38@@|uMlpNV`74;zieV+1_F}v2#^njEJ5)@~|m5rm7Ke}y6kThiY zZ`&JAg)Kgj>Ke**wf&TnF2$M(MH;Vp+hK5*lmDKyw96u$IG;M>#(3i7phfF>MXu?K z8`08)OqK_k5f+87*mmoevC^<_???hh&krX=E}|l0lTh9k$efoTE4*Nee7H&`5!D93 z&*?Qdd1nJXF2z{{m#XocPqQyi>e8LSxu)X;kfQRqbVJei_C-lg1$m7mxp(0BomO)= z%z1Zjy@T{%m)HtFeK@|(1=|E>6^;hQ%N!is<^=~abhc#No#DeWTa;^HaEDyVI^1C! 
z0B0$@KW(brr-Q}D$^kG((CpM_ZA{2)an90u@|=-xB|**m@s^{F})lTqjHupw=1Ee z8SU-0%Pid!*1+|3r}wh-VQ8=j(8okw--Y> zCCNS4OC-S?ZOh0*Yt9gGwnN-VJKO#VQeK<$%$k&)mLI+lyLjd3VLQgFthLFo4<1aP z^0`xeEl=p2BxRV*EZ<7z_y9nKc?|hoyiPzA;}w+a6Xc!NF&Gv?4^aGVYwLA=a-}iF0lt0om zuBY;4utG+BbeVq_{9KKKA9xJIvRnlYzFc0Tkwn&sKCDdCcr;D;l&B!`np=x^cEZLG#uroxlX7&rv%&#~?D)N^SO*CCV~ z78+MOR0K>UJ~YfI@zUxyz@YRSGp)P=;&(T^=lJ!FxVCuvhA%`}R#K9@Wu4Q_@* zCGU}RR~*@&_tF^%;_}$u3H0`4)T<_hg?;W&46cj)Wp_GpkApCoPT#X)_1X=Yp7Fv> z4{f;))P0>62}=Q{ocz(oo~Ds0Ad(yH9i{@?OM6Q7_Vi2I;aS#NkzZw9CStye#Ys}Y zViQBTq)DTJ;p0fDgZkF_aj*bXF-Bg_(~UaV1oAF^TOfZsaGXnOpK#EMMh#ifZU8AG z?wi|mFy77NGHjMSL~m3@!aG||n!A^3Qa)}-Pd1%UKidcYM4DR_oUGTA&!wZ}XiMAL z4aPqABs8&&*Ell-Ki5zkaY~(-QJH{}_Y!o-ZjBgSZ~VlV+@39p3)W}MbLh>1Ak{SM zt1S8riWv7szwfLiUAvB39nN?^%RE2wu%w~(jqpRI@KMieNalN-RNqV2u-lmdA0lvN zoqI2@ObCgF-dGyRrv2$*Ix0JrHSJF?4fWoi4Qy7$ zsE~0>xYqe}F0KTa8z_h$n(!`=vKPEFW6#m;n zDjlh-;VhG_RW5N|(|JYSq^a6rSMG=S!}0w;iFq8}+gWES)Ugx`XIu%{{>^CE{sc|U z`HhwO=4CTGm7szXb_SjfB2!tlQDWQ(KRv@WHiQu^GZNVEx zefP@`?%kV4WVszKJ|Bxha-WYQc6yjh)K(yaWdZ!`@lP?SyXw^7j08T0QZ-M(I4G5L zK`LbqO(uD6Db04(n$~^4E-iWgXd8)e{Cw7^SE1T;C901eR92Q5vuYqD#K+zAgmDG;KZucv?!b zWVH`;dQ+i#+!JO|2bPKSDytf3TlS6QW1G2o+)T9I^mL`va ziO5U=4snp|Th6|5Lc6C_2~akH`IH9q(7l$o&&ajV5{>Cm`n3{{j4p!tix-bMx?K{P z?cFRl=Yls*X%c>Q@>HL6ts=~mNsOsv02xOHB$x<-*=jMw_e3_)7d6gPT%!}G?W9Z7 z_)!d%4sCrV=+nz+IBle}KXp4*Li<<)*y1S>Q34)kxsLHeJ zWyurRl8g^6(x?UXdG+utwx2+8Prc+xvjHTd7WJ8^i{PBiI@?W@-wFMURtc!_MAatYUX3HEpj5o5Y${N8|~ibz@o#A*U*O@wrO+bJmF>uSj| zcD&pkxSO^pIGH36!X@dkyT91V3-@Z=b;j%TLAL47aMy8Exo?Ck=WY&`;Z8v&ei?sv z%l@J4zt3N@V){Oc4wqCt$2yU3Luv>h8Cw8ZNZ_@j7zV`C^mNTM6@bfWh-_=iG z1yWu5PC|%!(3SpW&3D{GIXG>&V#pe6bU3*K=;DK>Sg}Y$iVsI&fIj{>#O_s?UUl}5 zS0@f+U=3#$UG_=i<2`ml?uTJcieIWeP7RB?ua@jP?#ix}$$EF}xFgWP zXddyA`h((ygH!dbQ$q_Ua|>F5Pia)1YRZMkKG90Uq?kILx!84oMt&wDig|=jE9^xooi3stAKv<6d8`Jo8 zWjLD3VxpV6-{f7OZ>)A1pmrgouM0G|Ts?#7E(D?;-vQPMG?_@&4q!exR9W`q2zZp2 MQF)yA(D?2D0wYWgu>b%7 literal 0 HcmV?d00001 
diff --git a/windows/access-protection/hello-for-business/images/event358.png b/windows/access-protection/hello-for-business/images/event358.png new file mode 100644 index 0000000000000000000000000000000000000000..70376c35a11a3fb27c6c3c66aab44ef35217c030 GIT binary patch literal 81668
zIRd&@cFe9&u&VgDS`*o)9$wRgJ$pWaq9TzuU3f@F^YLJ*viDm=+oYYpOkR@ld%w<;ZV;(qjPhpyskSH1l}~q?CBA z4E!2!a~E>^gIZ53M%FiMicqpRQ~2=di8uS!$?4L)?Y%>)cb!W-4+RVwyJ%i7X&@tSA&n`L-S1wJqe_k?~h4-jyU3|*Mhf{L%C88x=5Icp@m&e zut_7yyFhfPc&Et>&cZhU!E%<%fS&~H2pGotbUV7%Rc@ndm?GI zITy}On4xYvuOpumGjM?rxZ=WT8lQcme56Y(EvV_BP(u(+cD0Xe1{T%-sdz!ZGX>Cl zgW0h>mGBvaypwN&%dDHXPCXFBakQ~*GoVomb=Stf7Q&VOZMwa%abpW1Smg05mZSO! z6Ykm>#Tn_A`@=x{`VDzRUXJH({pQK#^6crgAce8|Nf|c`j*~7?9zHX9C=w8F zMI+)u?H>%#Xx@Ew$H%JsX~^?=6Asqr9?sG_KnDD*`#GP~$R=qv8~lv#u|&sMs?xTU zwbaQIa+`D~vWN#i&)Ky=Z*~#nn3V(>h?N*ysu1iIJB1(F>3eJNHPX!5t4HBd+S1V& z7oPOXL#GJY5z;4_;Vz;ujR!FcyFnE5naDYsqkcYT8bb>QFK+nh&C0Pyh{vSOlXP+) zko?3Dcsp=g{9xbXfCJeoUUCxK?vSC|`aIp24&&{+U4+sL?6K0hAO2Drt*;frc%1d%ZCB&Q1W zRjEJik?J?Q+~yRLwoHcF#eNMa0)&K2$6$Gb`O;JvTX)ie`k3s&QsB?Ok;Fk+z;ALQ zOM(YlfzxiF3axd=GY}(}cq#Onqx!*Y`U{CJmwsIM%Y2IgOjm8yN`YnHx4HJbx$!>! z?$0ypn^QpRdOBxOvaFWYWKl9PL5xQW*Yjt4Uzd3!@-ypEAOF!Cg(MdYnM1>gs&r%+ z_#X#E5PZJy_wyfUcckl7kSp^sFpk-4Mx!jZ2GidGebdH9>OmL%Lg}J> zfS1N4Vn0r`zHH<)*80!$NWxXogQiOCU}miWI5c@#3`>1;*lX@#(?=lpyO`k^_CwiOG3_t`E#5hD4LhWF5}hQdg2?St&KGHzCH54rKdxCScK-n$42y`0*_6w>FaYY}8%i z`^LDaLeDbKXP2@Tll?1{+4|Pr^sKZ!2qSquD*S?%nu&~G?_oPvk9GeqlYbSiXQ;D$GhH) zR6BEwtN1N1J!2QcW#obO{y#GL6*BL%QxL_V+;@>Q}#SJ%tbC zVgHQj={X_BS*~wR->mt}4juVplVf*It*Y) zVEL^n4PsBV8xb0CRiMZ1M_M>`;uRIJzt2V@_O)t}AdDwl&$cv)uG+&i+lZ>5k_Bp% zXN4S@{`?&Fd2l;I`^R6`GbrV>c{z!DpND^gP|fcC1ALSsOq4$7Ee%&AebLKOM4Ws% zYry7r1h`AqQ*8s1qsb#7H!(vrl=4D6<2Lnf+j_de)MZpe5Em;i29gI$UU~R5o_0SH zm`qFJN9fOba0`l~4sT=byN1fPyLNJxc~j^0*nssc+_ag*F!aq)J$&wCwzdWA1zn_o3$1$j- z^0EPA4>;I3xPgEAK`?3lPZ$S$Ye9fup3XL3x_7{oq8SF`kG!9fmJOUrAViO?xVZ}h z%uUyvTgoZNJOyyx0cQA{RD8c7-d1ttX}&X5tcYXTPB})z*uFdR;{qJCM;(P}oK`&! 
zdo1m|=*sRkK9_D9B$iJf3+u@K6b_m~R~J!YUgpL?%1L)w5*Z{WJX=($ys06*X3(h^ zX|8zH)}{tN&~-dV@Q^VFXihouD|fA*%GZ^&qx&?nLL;9#Ckja01=;CT;d!(GOQ56= zVW*ZBKYH^Yuuo^2{(N%@dH{F!$IQ3?nsY;D%ORIH@xrFmal7)xBSKu5quw@dd6USl;)7Yq(FOIQK$ozZ8UP95(R~$D@(=U?H z7vpyxvGYh)0o}L^Mo9iq(p=MGm1u`Trd)1(>0v z=hkjVpL2dMJN&-MghDQ_Yn{8HBDQ5Wp}@7(Hd4=%+jh+I+wDz_mp|tBK_tuWT=?q> z_jXMNWa-DX|GoRMyDJhv$3SOASo_}n;n`E6TY#Cj-TT^J!QwlR8<}~#x8L->x#^#O zNBOVneWpi|kRJbI_VJ_5Q=_{V?%YdbO!Yg;!(8I|U!?JWSVR9hcr6x0RpH7snSd|- z2>)aW=XttTL(2hScFRiM++|8X2{Cjr*;lkN+si{S&8lrJKc4&8ud|Erh>8w0*>Rj1 z7CRm$E-_wAk;}()7FrMvA8W1z#RhWp{4&YM)DI_*?AI2`1N+N?mjuPy#qVef0TjW} zFv{D*xzpgUSN{*Q^g?AI<>#}&r^u-H*Lj$0c-p~xCt};7{7-fJmgu5w2i!rHC2`XO zZ@_c5cR0GI(#u>=1QQ6W;UY6Le9(}otQLn4)Ahx)9fBMs{+}t!$5+4{rFGV$yFf{D{A>hBBZ2d9w zHmnLyh4rB%1|Iv4@^%AH-Aqg8o<*W=q3hKZJSo#c^T-T*xt!dK5+f?b+q;X{qu=MJ zWN(1C+g1owsC7>l^yYen>!u45ANFj*~h?>f{@>k6q|HTHHJuX?~%QmEo_A zci?SATSy$YsELc+|KxHt*;oxR`#E&{Q<;&sK;cjeVcuULSNGZ(@s7c&N3mH3kn95C z%rWwV`mjL3Bl+v(#DW@av`)qG$9a@$iDvnt4Leh6?IyWOw05&PO+mV{^P+WJ zs9dpiGgDYUBz1Hg*dL*c;I)i+7OkJAKmX=$Rm%nIW~_)nvxL$Y4krY_ z$uY3@H3zH;8KF5>d#W>kgM)TqIA?I9c4g>C)uOCXnqSHk2IY%>dfkP1aQ~U#cSnmk zS{BUG>e}{nQoHQ%FQ-5KKXKd8Y5Y!BfBx3_Tuzrj$pSoYG*3{sj~3V)fL6;hTJ;+?e5)8yuxI(5!Bgw=3WhjaW(Z99h zh_xH-7UMlxSl)Ss|7Ka4V0ap3&Nt^CFYDF#84lKO z=U&hPOtSS{(g2A|0DEV4=HOiw=gyxDvHLBZ~HtFC5)CA zETL9IDITwzNT{uy6QameMK%iAK~{#<>s2YJ$|o&!?hrCy8@ve2-GB;QFI?`OHrg^HIQ>O?W80w_` zmEY|*upLdz%(&J52j_BMcD9Fq*$yAIYWc3YhSz|`v$O3cMbqCA4e{FXf8oP{`0`Gc z7d$|kW)z_(GlUVWbVUn=KgU=zYvnDNb9-rC;JCi)0T0a2$tM9K;e0pM^hVed4L{=1 zzcpe@i6G5eD9{a4{5Eq(V(CWx3@Kkj#L+#9&$o+?!$OrJ3q^WSs#x#q3NKM}F4gzY zA)@*b|JO=cLgH$!3viym2(FS0k3GwGilOIsiX=YmQ%5uDoVi{zP|g9|`xLox)HVC# zL-$J3c!@*~3N8uOwujI&QX~<(89bHBX{C z0@WT<0u7#C7%xMA8FRC9E~nc*PFA)V!ix!k`-QY^Z&V$IqU}rkNv}KAtArslwiX2o zv7hPUFOuKB=s)6&c}ap4gTxyEr7522Q=~w>?pdI&gIi6+N(WkV6OFtXbSD>9>d9Og zdysgJzsUvzgHXw48`bSQuxf51UH2WPKe|EqbvMp`D5;)eB{ILC{Hv{(}(px5ahOav}5TaMtV^^(BBlq4o8p?!#moxVv`x|yLm^qp$OBOOWyh!K0BFvX4 
zfy2B=v$ypt25!J%;YnlR85$|3>8SRMS+ZHH?yXd+&%j^M(+dzI=QOomRoC!qWo)vB z@#s7*A3cGo_bhWlywQHlUcJ$(P!?f)++UYwTjtK1h7|MqVlXC$=r^;;@(pX&Tm ziUHqypVAmVB{ks>*paBrkLrQy4?u#)nO_|M6F8{8&%F>` z2UH^n=gw^D=!gt$EKWh!M?;%D%?NL#Gag>LnR_~U3dm}c!f*wBh{O@7vajlV^HVIP z@g$P?AFV+PWo(ttYKUQtJw1s3oYS*L4#$dEc82mE{3fZ;rSmM`Y5Y8`v?}NK)SdGF zLv8VrgS(El7&^s@#1B0aD+NB@|7F~LL+no;O>F(^Yz{SpYW4ZnytTL6=NE%H7iL2m zMe}ewJ{VdAR-3!xdEA`H8ERdOqooEu;LJXCh5OUiM01gtXQ>L1OWj2&s*H*#x(?}@16HfEX^m8VJM~X{YIER79u7!jUx#pY{-Ae% zq8atOS*$U>bNy3*E_!zO^M{+n(j%L0j~95f$8sfyfZQ%GP*|vOcn&A?hk0E!u&*&% z7b(H9Xzv}9Zirko?1hKPzwJ1WC@;TnfRtX@pz1KgJgvzJ_u@d;+-?uZe?%Z>Keu`w z9}mV*ksNZ@U%jA$jhNG0M4WSn8D585<<~mv8dzv~FoIRyCf)8tsimsG{Wsc1Pg?ZE z>JzIq%L83$w|Lf_c^Kz4*LpT{LGZi12%Nal)ag{|ZYRJ+!b!DM(5%vYZR3NhMa!A3 zQ@yD=q@mrXP^Glz+9tFp^8!j0qNc_Wf8|YaX3{ZxOFH~f)1fbCrWWVsu<^m<8rjtt zFuGJGOwLZTN#IF^JpH4!q#`I0!q2cZgv?S5vCsi}56fX2NU2ugb&(Eo=OEo=U@4_# zNRz{hYNk3FtV#6r=xXI((K|}@JK7!$OwFFHWVjf22@V`h$k2;5&O2sGBwhLqWeg$y zO;`pek|&!}YymskkHhHxG)o_fwbERR-pDicK6LxXg2*ay$=niyeG5f4i7tfmOz&mO zYE~0Nz#f<~(7v6|mw3EFM+i2|-oT~O#u7vry5Q;l(bwwrExlF58G2(J$A<9zHNR|T zqe(gRDxLhDXI;N0+V%0CUMptyl4q^zFy>pYc>te=8-Lvj3*V{m5;~P^-i030snWoXr#d!m!s&fH>hrFgM>E2s5PDMd_8HFMC_+vV&XT89;nkuZd$&3MtfcaP-OE~=B0b5^IhEK|3dQ>Abo zpNRg>_=B3rZp#mm=PdDJjz{l~@31vIaG0-C5!(Cvy2WmJN7sD!;7azPM%nqiBU{JK z=3+`xv&;H;H%FV3z?*j7XSruHnDMz^TW)9nU?F#$Lm&QGbFr=2jedq6t{B%K{4{IIkDrIP4s>}14^GfAIh-Zj)Gx9QaeD|{9;>ms3 ziq^t-tVjL4P?PjQwj`8f=a(C=VLiW$jbes=_HV3i<&s6g<=C3V1|;3vj}x_8%$`MU ze~iA&Rrf-rvnCeyXVDUoLUj{8;h*2zN8ub(k|FareZFi~eTi|3k9IOMknW-n__NPj zcmc||xU8FT)bZ0xd+yT)Zb;3oyAvzjOpu(P@8^%UzRKpw8j8gl&M(GheFrH_RIPkW z6p@4T!2-McU!OCNv6r>EA6C)bSA_BC%FCEO{k11O`^&O+&g#jSC9uob*6(&Q5-Y6P zwv`P`iAh_Tt-hW(h1$HXM@J^t@BG3V%PFE^?N~qm!dRaZ(0_yU)fB8`HLr=@Vos>U z)Fd``$ziE4?Ro3uYe|vUGhG{f zBgjndHCbb?b}`Clp6dn*0`UXAHnfJ-1o^z^%zybCD(F`2YN<1CffZ#luu1eul!)^m zjps}nBF^@!Cb;u%MLXITjlJz+9&42RxXSpPwtNn=B894s#i{mO{Yy>9Yzjj{YV#n{?JsOHBDYPJqz>L`Mp}tX@*q8^b30*jVrr*4 zV!0{JzD{prM&Tyb2WaU~6cjQaN`UHUCN$!q+iW)1cr%j`(?>haWcLLAdPi<#9F1 
zoWDb5-V@&q5HLiLdu3g2!ZCurJHAdwb=>|*4#VG1#IwE~${wk=o_m2HS3OPDV7r;d zTFz)c*@FgB*iEZyc4Gg>K>P~ zNJ^xIk%y#$tFoQl!p62|(*EJWVGlRIqMi~Xq`;=NnTgoL4ozwYTmA|ba+qkTeQg;9 z%fm$Q)>8DS_hiwe9H?tyM*$?;p*3+By>Q0-?aNXK{y{OH>E`0FrN65fcmi&Mp;ugu zF3!c-N&i_g@1PusQ_(#_y7ac1+5%U@_;9pql$Q8SBvc+`To;0k*rEm?5P-48Bra&n@g~; z&_kgE-K$qyS66UXr=onny&{0v*S_PO^Gdo82=J4NZhCmbGWqY*9dZ|ISTG3Z7~bqS zQnKh<2jfs4OD}vM$a_k#{aAcgrELbMTdJgOgea(P2&Jv#hZxxk=za5+--!s$}h*TwQh2(E)ch{~K^T9H8 zjwB6)s`(q6(Qq&HSP~9f1>-|qXSoTY5ZW4=T2KRUqU~b+D)}ZIHGODZ%$*drMT&>H zq|L zqo!sN7hX|mgZYZt9F$#gM+0ku$t9DCs)?RE#}uT4qq&)mYk7);DaEB4^V0{TN44!5 zkfuk9XjM{Ck<-DXYY_G=^yIhD?`bfnw@iHI4X@$;t%)Z67aUlN4q4FE(iXlc%OLo- z!;;`+VX_(mrYk-t5e~t+dfo>jcmq6M&WK?Ao!o|pfQya(YS2B)Q$!!}q?!GLL;mFb z7M3|>R8-daG;$6B^Nxd1&v(JR)f@Q9?$2Y^4HpC$D>MBx>jP#LwZ6rcAD)wF$vx)I zRs`QP=Hg_>1Nc5;gEtrm^wa1H&31S?n3SOgojg3cYu$gkb#?ZxZp?w zF4KCjYBy!vTK$?hhntY8Oh`O~-C7nc#H?eM~jq*tEnpY(sVP12uzDDs7>@L=G|3Qmk=1}AB|fnjwUSv?}?T# zI&L`4D=T>dS%VEszzgNa%IPZ8h#QPTiV6yFHiGdltxwM=?d2!K%gCrrH7_z(VBG~X z?B12dv>N{ifqA1VJKGBiI=hVgw4B?ZrLmC0V@@VZa15Lf#k;V&!de~^ox?wBEfe~~ zF0STzNCSBqx%gw0h_lhVk(r;;%wClfNs)ZKJZJi78aX=%{9-ldF=Cj2-M6}?Ia|;a zaY{w*r4QG{rLTVOCLV9}c_^X*V*#8oN#R>fYDCl(8#Dn&!PArVCIN9HI!EUf#C(p? zkAKHbFjy?WiM&G%@OY*iWwO;WVNEKG34DEYhhb*h=Dpqo0ReI8Z@l-FuKzvgq-FaDoKh8NZ|qAwP!`O zRmt-nS^t%0nhP2V8#b?LOurr4NBX+8H7diGnq+VPwZ;z`IF(&^#Mic`Eb`k!`syQ& zVcD5+cp`Zi&o!ppGRl!|H2P_R5Z)dD>+2y?$Iab1Og$+>ccI(-w%=|xZz`yYQQ`%g zmE*R%@))=V(%ZJWn)S%^_HXk!Z~XN8)f#Dl

6MzVqvCZ_azc=SBu;a zzy~8|)SLmK6)_gP6mnx@d7TeBD?J|ISsei8OmJ!m7W0!!qe~`9C^V$UbEhLhoy z{PmssADZpboWJVIRA6Z(Vqk$IiBlx|LU(rZ%ghV{|W4K}oM6uA}p z5d&Ce$zcCMSr|ED7dZ&c?_)rxHnU*JS(8Oi;;1ELB-}ZnMAwZSJM0#-sEMf<_}hqV zpBz1-v9v(h)u3eM>S}ldl zXH))jPpR*YbdHjXun(nv%F)6I(+w;=UyW(ZJhpX5dit~1DGPg(M6v1X4T6y}1}9N+ z(-WBkTU}S6_Tozk?H$;{f~GW%4u;u)E5c88w4*wj9WS1c!Ixi%E#};mD?wFlMMgU* zKe0$0j%PIuBxo#N{Vb0{Ca`qfoi(-l<-V2!|IAjkJ%?=J@1Q*>%;>(B!kL~$7-)Jq zz8JQg?{}fKX0W%*kFl(!@`AbO+JQIWcr^12kT(+_zlK!(xp|Mb+W|Wa`9q}!CCTQ= zNOX9%wDB?)4_U|~vo#c3<2ift5pLxvigCW_X^|U-)c#LuXE>|#>hf(?oQjmVTRhpM zPW~KChgKi=Y}l=}iZ+whIeQCM=tU#L_?pknHk<586xwWLc*@~^8%eg?=g>_^S#*qy zeCpK6sX<};_ci;Ql_uuCB0PBgBH*>?0z?LzUS=vUvWBXH>MuCM^JBMTTu=J z{}Td@N6M^NqD+rVnhoVCRhLnJr%l#|h+`1$(yYShY3La^p9Ut~r_Pc$@#FpSYpctB z*YlQ>R+`hDRXEX8gK7tT9CTbp*c|oTME{Yf3+7K)}8W5rHwA8E&X_ z8WUqBRAjSU59E>ls;2V9KJhQ>H`LE#7FmkT4w=+5{aM*P=v`7ZG@E=!gEDvk|;p8`zv^d%(wJW428LPF- z2?mSN;o$&FgXGW=s&QpIvok?=vpZ7nVXgR^!O9oo?MU%#If`X>Bv+Te-Zmz)<+mI2 zuSqx7wF7bjZx19j)bMi9e3RZXDy>epuqT3EL#cHH35&;4Y3VCjx!J%^ROZ2z9C#`= zn>qi48NkzX^qdqXo#eEv^_R`Qe9dyiOn9dqK*3Lzi^yKBHw#Ok#wbv}_RM9GYzm(C z3<nLUJ|WI7^ja3})_q17VZ~xkjN5UQ z?{(kmxwLH<0_>YRF(70MT=ckAka5!_3`^>2O{Qft8B?h}eF-%{SgwTM%`7A=_fzf$ z;{b?Gk-_loANZQa8BEDUL3_wl1nniGW33|rtP&A&mv3KY7CLbw53p!dW5YiW^!M+%y})z0Mx3g@ zM30v`n2r9C`l7<(>E4p(1;NFp8brxI)<$2BtjyZyV7Ux%6|Z4YR#GA@z@VgaYwYq0 z7b6W%=-!S^SxY2UPCGiN>zpJ_^i!R0?$^(TJNi1*xA$rR%S#!Q7-~GnZr#b#R1Di9 z!b1t)!cP#o3b7|Zq^$#~L&TCu6V(0IjWsMRL@GhrPXvWJ9)+h9i>gy?S{EY?Q=16z z?T}K@QjA_Tn!|+~upm1Hf{p{%3+HU`%k0&DWqTb44+ROpn>($sL| zdlu)k(k3r!Uw({95{_=8)J{ORv$(RPuDY+Z_aelI$;S-0JNRNsZG$ABEn3kSAH{P| z{$r>O=K{V3$H4x3NAA@wOW}tD$*|{l{lz~ZuUQcY&V#o}jL|kOl*tH@)^s#c62=M% z%In4_?lAmDBvr|cLdrzz4ok?ZWzJWvKO{U%pklb_0&Y>zu zXblsHGle>FSFv{U1%s+`Tf?}iZVUO3v;ywsMrv9HawpqeuC! 
z$!b~fi#eDNQOjmRbZ{ibbut@-SksY_8V`b>n<2r?_=*|6PUwZ6=6(-!@IT3Hm^6*y zwgz(!j|B~8+32Ystb1gfcu{vaZ5&+qO!h3r_4COmhe|Muf3sd=siW90vW=QMODOV@ z*`?~7)y`opgE4-9Rz6?9UdyVGkzl$Ew}P}A*YQ5aiQXn4=k+R4U^Tp_^*#7-5h2oBU0@Opbp!*nIKg zX>?3Xi_*U+DNXB%*tVQmTq--8;<~3#_Tnx%Olo)ys@lLUt+w7+Etu$0-QBLF(Mf6H z(nVhwX3o=upa@A}qq@bO^#IUKo~SMKTUx6PL|d~EpkE{Ts(0kT&8$xrEPfK5bGPk@ z{Wm3`zxUVGz%XbbvIQ-{u=@8r_8JoFRR0<)6q(8shaX*2*M*d>^F7E4@Kc%>lhl=HLS9Wyj z0?c$fJKZBc;LR^&F0h=C@L%30nsp>xLfgjkwnS{*DcGif5(aKW`e0`l8NR<7p?CK$IvTgi)5tKliaMK z+>w;MnUeQ4NB2hemc!#RU@57xS6BPSiFcl&=`qu|>|9PAlMHQR;h}{3d>Dthz9>YJ zPV^S(sSU=IcxY$xk=|MU3f5M;BNKECILj@+kLAV0Mv!#(nXx_U%CtPz40Kru`Iuq` z3!{-K*ZY96gtKVmB_?m8Ev0!stevKubM$4LWtg~fh$4(e_~W-87uh6UDQ zY~HzZn-i&@szysx)JgJ!u0s(Fscq<;(w{G-}{tO{Vvrc9j}+lG(`eN+U3(qF51-wMT2Re z!@1Rr!ZK~FY08d7Cljy3{jC?-st@e2_Hh+8^LADyBd?;K4}^0=B@>6$Kg)uGewC|0 z-mlM1$#WNXr@DKG23$7^e{9nNMIMRpXB2I-%}VL`1^>dzBqkmq&>ww<>loorNTe2*KqR$ zAImuKXWu zHs2%^Hve~Y8OWLK^01*R&n%BYtjN8>76@E9z zBUE9<1D%;K_HJkWfnMacXXi=b(jm~z_**-1 zbZ#X(TqYOY<6M0?cwGiE3o$k(^Hg(#r@L?4DaRue*y;30TqYVwaLvo?2)0=6zHY7Xc;fEuVycxJ zZW9;YqZJA0nU?*8hVDHXoEZ2w?(FIUVouG)E);EZ7n?{9d3JlQK=;(j=s`?SEs}YK3&|WL9?^ZS7lCkgLpj*6;67eyhMy`nKCDv*R5`W!pEo zpX%`ow|MTx_GQwG9=pBt7B#ntvuC-!+y@?&73ju3PtK=DPp$#(aoccEVKyUDn31kr zT!{1!{c7SkSHAPKODRfTdcRqFX%xHTX=fTaO>mBv8mDKdG;--@ipE>AH0QBaFUhKF z^&Ujuyan*E(Fme{&UGI^XX_e2Nzf4~SOJ;f2V6dmCh|$ki=qJde%3ll3g*Xm^HAbfT6QhORgKpr;bK_JOIcA0 zS$S!(^(79&oM5_|b{*M9wyZ55`Em}b*L|rTLXw4&_q(o-u&enE?DzS7xt0AI$IQsU z$VU1dRzdq&jTuB`rxW$5&jO+trLEX$2sz0vPyMQCOVB||(Ss5p{UA&TfmGqOzka?R zESP(hYO}pq;h1#BnOqU_bMRO>MW3OVnFWk<41!VjW|adZZSgg2r~2(Du?&yIA`fP& zv&{U{_OrIIS(LGZ4u!<9`K#Po8GEvX(ru_{TUy@xJNK6Y5Okz@G)p=Ul~Rpv+&XE! 
zwJTsbOT!k=e`45)-Ee&=|BcCb61w;=6&SEECzWv6>LK%2bPi@TJ(&dojYRsN zv@qpv^yEuGoorWA@?T_f{lzJNggt?ERVr1|kY#n_yMW4r5k>{luo-TEeAo1kjzK^c z^J?r>?^q8%LLUW)rr!9-1r-?pLLY8Lo?O?>z5Y&%Qskj*>dMp?pi2n-F9LOMLmP`4 zU17%)uLiF5IbFmG_@_feew z3qWNrpu(l!l=8dw`EMEVaslIRbPy-U^x|lvR;HBOu|5?&w-A6~o2v(?MO&yEvndbs-`)tmYVo&tbeDXJ3)KH^e7?QRN!V+6 z(hbMtQdD`+L~5|Ee*1WjWez$l$1G(nFWJP_*F8TNlHuVdZ}u$#nLW&sR2LVRYu%Cet?>Aw#DX;b!eIvAH$hwTao&z70aNLW+G@MM5{M`R%9Nt zpGPh6vSDg;bm{9-B`L*G?2)$xNDNb$8#Ob(CCfX~Mf4DScLZ-x4;PWm*L^{}s^r^Zk1X+l_ASR^q*u8A`qv+<%7f z|9)rWn?$F@JU4OibE)*uq}vFT(!U9k38iPD3#;S38Gn4kEk<SvOx4rHI5_!D#{ z?b}9_s7J;gnQ_&AL8(EYX=HJEmWqNM+o*hdyyoUPHT%kY&rZ7`ia0sO%+mtwzasI) zKc$I^h}f4x)!(t+`Jmb0YYbvh$0Z~rh*?T@yt0YN4i|Cg%|Cf~e4T-RuT{5yG_;Nf z6>5#UWVe01k)+j9MCglZi0Z98>5s7@jhTbc%-kqEz!YWi-@Fc!e)F*lEPl!X34rEK zw(nl(KIJo1#}lRV+h}@YZ4wcWDu>j54-_>nal5<9DR&#@=*PMzpxTzPGO%79G+uW8 z%W3g5cy*oX^J`&SBp!I;<=kGvXNukpB>w9Dsl&n$`5+}bmMfDG5;O=`j6(f>R(#xa z?xem(NFwl~12eVkCt=cGST?Ja0=JH^T7SWk+Z zweT~+uf1YdKAEfMZ3t4lJ2BD!nn=OV(OCvUS+G#Xz(^NgG|U8=`KZ&IOjcFKJ#L}- zQIOA5O^4p-uyi%~7E(jrYC=T*;MTq9Ox5NHqnr> zbl7y4U=$8eRUzGu5kbRM8rg+SQW~XJ)Lur6H%YQGZ1+=Bq0L7s6%lA3rb4R*U2&_9 zok7E~z>EJPmheU&U5gPdwY4Txmv(LbJqyOBO8-u+*kc1Fhd^iElG{gN2SFf6A6p*3 zgJ~w=Tq7?v`6DHJ_m8IJNNHbWJRKDiDThy>%o+|p&gyd{558;SudE{p>1x&x&6e1N zzc%>++27I|U}qZwemLvP=m@(cYsoC*NY=P$21W=Rjq9yT*WTG^*yQBR7%#z3o5ghCD}cDH})kT zZcI8!(Hw67hZ7&Lx%3luUlU!-6>Jh|uVdj83!7Da41HV==~mHk($!f_^I3k| zAKED&(-qNlMMk&-qRm;lftUp^9bFSForRg2MZWjs6BuQ~NBL*@lX2h0*|$>OXp#Oi%Df4f+TzB^+dHoVWu+w;>03EzuH)fbTz2rb^hZ^!Uf*nRN*K8|J;GA z`F%a-MJmS#NNX3tkM*vKF5|cmEmpyi=J9nEX|q4(0y;U3Ss9U_y?c(JhpfOCc=}xd zSP*0Fr??f`3R+#vhgT|eHHRQ&*ST}ZZwIy`*?_<;EryXDM8=cpDnhQW`!G+(K;}lr zoj9tGofx^}DeYxKyKZTE=ynHh_Y<=9{Os6)Lc{GgVJYUYF3D@U@8|@4j7*9Wo8QxfK4X?;%4!xh z(nGb~AOnaTW)tKVb=V#4^UEaiVrez5J0*Ooa<5aN1HJ(N&O?C^ZyS`{%1r9qt|Ax&S^Gb zhnPXB8o>cTD}Su%P6xqgPN2B((|X|l@0r5<*V-C9=f9vdG7uQeU(z@4IOXSrQXl`#j zyAlHtZGNNO?l&THtl8V&94l51kAnc#?O=rN7db-vU)Q?r;^(@h{sb}Cve5?* 
zl@%^U^75#`!Qz#-g@O(be;A1PQr-djE3I9y_`^gn2ioBQ^}(p(n*TNT0<-m*)w$bb zC0_LbKS|&x{dd*=Dz}Bv{R%$S3bZQpjT*u_GTu6Y2cA>=q=*sQSOlVtX>{_%M+G#m?@UtplZN0jIiun-4w*#Gm$hX;Tt z1uP+|h>0=`b7hTfyln?b+TEBA%Q|2cJ7OaMMrZ=72?wnNSb76C5B?~Uhy3xIUpGkx zuNxCp25-y#1jC{0`L0;2E%bzq=u;Ev7%6rfj#K>_?8?2XEAHpe9L3wbm#g;Ow4A9rf>GfOB;(o&fmPa0U!7GS)Cqt zz>8(1K)Hv#qfeT4zFe{AlM?1F*IYt`rodoHc#n|h6f)f7{tZ8Rc*flx!XueK1aN`v zMpGNsJ6(R88o=2h_dw{Sc-zWaOWhfr zg!>{<>aLxgN0!ViV%nuT%Nk>D==jxE7T+&YjeUaU0;TBn!60y>2EGdE9>BBBS*>2( z(1gaS-{Dm?ca+`Pxqu1%r5z>+o*jA=S%A3)ByIo*q@!uS3o4~Jhzm>rG$%86AMq?$ zL8~>u3lK@5p?>nriQP9)PP03_8qHxA+5Oav(Gs>0N<^Grj;2x!t%j!KQfd~`q**4Lq=)6!fmUn$=T0sXN-#I)ZiVOGxTXKV>?B;U3mG;{wo8- zc51sg8SDM}hf|zR-4v^Be0w;=&f_E-)0y`jrQyW)Z8ephYzAnvf;zHp@jIM;Mf!v) z=+`fA&htdHs*5rHB@XC@X?fVC@69plo((y(w3%0u*T2w|!#nYfK8jr6KSuDp!>`p@ z)NP%Wq|R8MuI7anl#ui!2NL81>*HeTHF8|U_vCD>DWs6)vr1dEQA}FTr>`t}?h;fs-w9^m9Qw3*rxE-D1L@M*c z0<(t^3d3`8<%bO$k$A}CzBQcFb+B?9(>(TyC}8w>%wdUuUYMi(*Hq!$TDl3k{=#WJ zv>@qKw-~>r^O7pwA>az1bSm>U@17-!54qYM(>C4&L~RMNuXOtE%i2%F!;+tQd~`!t zdaoOKuY#CqY^Ur}2pk-kr7I^d`a6cF?w-o-?fxR@ z4K|+!3^Ct#Z{Og`3r_+iw2;6s?^BedYihtnDyi=%YydQVCDwCjJgMC2|z* z&~?xEon=huxDjHYZcR@Pp9F$%Pfs+o$&x4PZ2Bpn57%lhLES?^0c9tSe>G5elv*qh zOu?+z3FEnHJreqs`ZeGO0H@#wS(tu+lkn=*cnM_HT)a7RR_|784jywBpQq&{{Qs&& zc7lG%ZB3b=`h8lq9;&z!^#zR=JVPh8C(6}&MzT4KS0Yx`PtIqpMZNiyKA*3Dz;&B>Q2s~Y{zMuLO&18K1pPmLzX*`iDpG&aXMu*M zI8p?Ni`38DX@iL%`YGI|EZjvwvk7Mn);>271Ysfx9uvK*{R3Q1t%L>uPurEx>*q^B z=WD5kV~j%=8z$qqs)dEjn4j@z%L5`H=QMrIICahT@|b$KEo>)bAwi(6u>S`1s@2g! 
zXrOM1id3ldaOOp5J<4PP%L~qa$lm0p4Fa=;L)(Ron|JE{BbgI~AJO3b5bSkgk_g1- zz1sKj?p3W?Y3-lmb4bB0yr22L?PiMKljFy-YLJ}jnA|*kcpNUs5?0x&y&CaR@0@mJ z=bpARJ~Xj#FccxX#Hdt(E{tbyK5jpr?ISgkPV!G2P3tY2z5Lb|aaZj(T4>|Q|0|HN zbt`6@%OXDCaxnKV8oqaNzPwBymR8_n8FWh+R~6;q;zIwDDSe$>JBdcJUbk9^%t%5B zdR9S+@^=XzDZR)H<2{53Zx&&@>42&i#v9ITmHyMm^~Yq`MG>6uMbJ4~S!My+yPhX# z+$E@)M7J_`>JxMVtk*i)O&sLP8vZiZwK(un{c4!=I;bibR4NbmIiStk<->2v{|oxt za@m2A`mG9|l@&+31+B>uM^{gg9&WgPp383+f4)NWrAM)r?4hr~&1ex}Zr%T4^Z#$K zd@+gFFz7okcX+_{1p0LlJhoeCHRD6oJyVcqZUUX6LMIAb=5`Jg+7-%PRY**ycP55A zC_t=Gd90%K8Krfxm?TWGob#|c=(d`XCvf4JArgv}n5zNLRO-eW4>fnb>*EheZ;87u zM&sJ`&rs<0FmGJ3#)VKXt9+bKxBMWDdmR24CP%s58>fOhk57=0ngP^zKaKHA3){;* zy;4dpRPl=`JZ3i!&~@tGaE#QAz;>4qT>);zyrZch%BiW|bL7Rcn`HCE=eL+Ke=+TS zMrI7(-x}vfT^_9tsk`%UPha+o5-9;S&kR(%Crh9_MQipGSn_^AHLJrC&Og{mt^}cG zz3)Us9TP19hYDpw9m`S`A{c)=`%Ok3)yWzP{PFIJg@EGf}^*1_7L*?GY zsyIXa4;4Xt4h%AvX#}e+*`#124XM^1xm=2;p%zXQzDC1#x_8lb| z;~$?2#*KM>HBcoT+$EfcQ+2(3E z{I9Hmx@)b#SK)F(g=y?PH5jFP`Ko~o7p=0W@hN8Hsc)!{H}dSX@6f9afask?L$#Pl zZK;$AWVD5=QgFUah&5WjG`o{=Vtsoc&^IA1ktkt9|L9DU5W6SVuZSS_ML{|2ER!a_ z!W3^4aZ~V3CH|DRy)XP0WN&q3cjcRsl!T+gs=pnS@vHYvv}i%+@rFNU8*MUdZ2h10 z?pk}1ORWq3;Xhg6&}G7?P@BxhP^{LKl-5vQh-az|{Hi>Tq0%m#^(cvPnKNS0O`tR& zB(SpW5FeLReweBe0KCw-zO9IfGl!=IsD1qx)0e`e8`o_LiRNhx1yeLaQhP{fh|S(< z%00}O$*#^ZG83H?b4s9=ev1nwq=DRbS3ODF#lGPBExO zRS^(lE8mkETk{tFshM%??-eHb=gPKb@CmN`4d|al9q*PB2qV=`Kee{ihQN^!-K7;$ zYfW61rHt25*6cGqyTq!K4K^a+on2$KYDEuS4`5GQ7)@g@3INwt%mCE&ZLBLxZ6FO_ z-RyU_xT5%ZAYo}Sa7W1ZmD^^cA;ODC4U285Vi=qv<3e<4m znw|X-0NWXFXkh{eUf=`g*E+%t^`cGoAlm7g5)H#6oD^s?9F4xB`gCKNm8%VUj9%w2 z$ZU2*9$7LLWa%y`B9uZ=h9*`roI>#08rJ4EMKK2NJM%p{BT_oN30D}^l$yCZf5Vxz zI!<>8Pf(?hAK`${n~3IQ2hAPeHfS;0IjYO)!;o^w@g&nr_AjH+|Geh+>=Vj8U87)7zqtg7t!|uJV(=~AFcq70ipd>A* zWJr(O(C|u;<(mMzxf@TpCqGMfVQww-W=4E$(z*}?B3yHgCTf;HzcKxmbG}=pQz{{* zI%L}UzrRsGE))PDW!wTlksS&}DDPp-3SM@)HeMVLL~jR++)?WCIet8Qr{1rb8HybP z2cx?nUoe8wH7C3y6%oO&N4qsS8zmHENn^G)<@R2`H79tQnkbT0p}Jw+G1mv#p_Ufg z-Q(9;UYF1{Z-4Ky?nH9oy{aTh#JY5sZyMz)$!^6Zs!12N{cjN|-3rr1fewbl`6aim 
zSCejTR*GJ$3C0FH7@CH1!Pj?O*uZ3TUQY+@`{=pfI=L350-U4j)#TQ?MM4>H0MOO>v+jkPfqk?~r`yx9@B7>`ip_vLE|dQ2ojn&V8R$yOlOzlc10rk@ z<}r-a+eRfo@*EPXkZhV|=q7@`WtyqUOB&JhZ33rYuM%xbmS~8?VZ{Dr>B2}-h^-mjR)pKk4w^3nZuhxiNe#CeP@U3VffK780I zY5!M&vFHRTrWw2tgqvWCF5IxKg)1f@)DCk{>SX0EtwHY=p_8d(zOaWS)_CLbAFEOg z)O)9OwqY=A|(DF)>zp)4`oT zGwmO+s#5mtj{Sv+>Dbj(K%dd{I0Z_59(UyZz>Jo)uB00t z1$0Fo)C_d%mo`6>B#uXVL%+Yz%~_{;UdD1d=LcT_7liP2n@&cstXc<*yRq%`A$@rI z4^Mcv@X~qg=hiB=$H19k6}n}3I4Hlm4t`O1gTEFJXDfYuS_~aR7WxzF2MKFsX%F^! z_hEvE2Bs{=dO9PcZWP_t&2@xfG6gbiyARKUe~s1%N0B9k&qKeE z=X&7m16wX@**U80cZlnMTUuMKDcKH?d9mi@FSRxP%^CvYM@XLvy&MW zRq)ym65QzKq&7RmS*w|6;>A+bX8Loq92tbNN9+@SVg5{Cbx0r0hMHlEQe|> z*cjgncTruBpsKom0O2H!t=31DZIL#*m=xrUY~9IEp#>rb;U_>6s2KPJ(sPHI}ZLoooLOHD#z zoqT)cabi^KQjaufWih0XrX{G_G#4PiEcOhk4SX@qGMGPfMf03z0y&_UJid`4M`>Zl`~kZfp!uk}T(7YbKKttkK67CT(7hnT(+eG__## zLYzUWxuRCZ_BdSwVy&_@NYXcq6RP_Y)!rDoAouy+CJT2v0xmk)eN`f-gv6QitWxey z3}QQ*lH)YJGx#pWS=l6DUjCmUsBAQ=l1lx-czdAa^FJ_B zo#CI4%Sp}r5STP2GOE!De3Dv4%>1kFwtpSyax}D-p7$D>QL{FYFMdmBG9H05Yh6*i zO?Xc29{whPzJ3x*M-_gjsa5!VR)tYX7_gVL&0;_8v-L+Ds_I>BMD`vOQOh0rR1e+o zM+7?L{wznLh{tPA{P*>8M#EY&9NMH=98v*1CgGtCRpZ@Z1iv};60wa&Q`SU**W36< zzOWYvf3s}wixzlin0O@68OAeQ2F?L5h#9oqV!^qe4BVMSPM8(Q z&eYLl@5D>uw9cAHNQ*s7<51jvD5(I@b%x+QPm?k)5b!xqu~bBTT?vD{#fs66EKxy#*4Lm^{KC?dCnL*t(F||8LXS)IIzV- zXe!C8u&P%3z~UGCDKj9p1B|^Ho4e|;>j9kJlv$p9s;3z-Vb+9bxVoVRjKT$fn#?ob;+`otTXN|hzY-0W>|fMf|x`PTOlogkY`rp+{> zAK9i+LF{RRb%=brlNx$I9-hXVf2by~2Yk0{Xsh!5J!GbmFfZvcixO;NX@-fR4gp15aj;O z)09`CZO%hzQ&Rmeqxa4~Ar2*}y{ps6$|8F%5!Q3H@SM;)u07mJ7%>1UucY2zsZ&!Hl3=>E!oJLmx1xQ(q3F3 zu=t1xj^O5rtoY2iGX-n4J@9{+i1 zcUhM|Fs^zhZm=p~^lXdYg5h=qcR4jggrVJz6OJfI?ZrApZ43w*wG^WD_XjSy5_#|0 z?VuZTWsfGFMFUxkiA68%D$Lm+<%!%b;cv__kF}FGd`>3C-oKnNl2^of*Vw~ry6rNO z{|w*!T0Y^0@h$Z=kYBo*g=%v^L-W;!JTh*g753inMG~mBr*~qloJF+EH6(-RTv}-z zd$yy5;U$@8Tff#;_c|&)25yV@uia;o3wyh&LZCguJ!P@nKucXY3r7p=I6ED-uH0&3 zKhLo3jl99$?Wf_b9-kiW)Hv+@W^#&hp#Py2_wSH6^XgwPW-9%Xz^%wo}x#{;4H!x#GXZ{Bb3fcPP@7bcXx;wl8JBvz{A+Q2+cm3HAD7 
z>N4CqwfeS+b_(%KqiF5@#P*K{%AU`Fz}ozvk2TmZDa2XofD(T3Q{Elcqmoe#Oo^lK zrc$GlnwFKY!8Vhfk~Kv(0q|sL$vd6Rw(kcEZXIu3=S74jZ1@R&{D{hw5{QD96^8aUD?S=G8$bKZvAFI%OY**d z*a%K@?_{}-aH@~~{9lu%f|z+K?c23Ut*6X6xb57umKamTHAPuS%0ef9@$L5S-t_1; zf$v8%yNx_h4AQB{G|m4n1*maqjvhvdUL+G*c(j2_M%Ng=CL2)v>wLq!!%!l2ndM|# z7a6tuXRo^1vG_6$_(lH;((}M(IS;D}*<+f7q+gw^gQX}d^=t{Q*DZ_0u+Tab_2umu z&pon6bZ0AO+#{#YrKWItx`iAk6q?h}7LFD)hf0kq8?Z`=mp`D+O( zU@eKj2);?2L`8(IrAZ%YY~4_pftk^8Do3~Ky5Rx7CVR+eu7W3MBG(x`^MEM~0~nyZ z%_g3NBPBzF46EUVKH(46)VIJBD)8b|Y9~YxQ;`n=xRrU+-VcWK#l_)Qfs6Uh@!=O^ zl$(|uyty>C*CRc?uKtl=89XPnNoKU$DJvaU&lDxhy;ctWko_JebG~kPPK!vP^Iw?b zeBuv8aPotAC*)uL5ZZ*^pw!#sA2LUMcExZRIcd%(>~Z{){fl^pBa79-A91yHs8PS# znN?jxNs$06Kca=>R$#lBI=9l;savV90!qam7&b95!76O&ew!%%t)I&gENv}4dg57> zDD%@@lE1(|m0p>>k?}S1DJ{t`>SvRjNRf&NnUuRESSi<%hIVMiq-X%2faBGPuFn05FLe_7Pfa)!cq4tWuztR`E!B(T`bO zos-9JT*(Zg9)ieH1B7Aa@zUxvN{J513;e+$s>7;Ot5i54Jm1m}OEoHfi$i|O@oiXY^pwJ+ZVCUIAB9mdiOwj| z?Tr)8@+vHADsx4U*EjN&8|H>PFX;PEj9fq0kH4bm8E#KXft~*)@S)*r#(*N`XCS3K zou=N2r_$Bkzm9uGsK1)5a7X!ZSVp?QrW+ONw_;44dsSB@7(12KHQ;}aR=aud3{Uti zS{@-1IsOr1W8)R5?=vj7Mt(I(j5m?&g6c(aaTf5{u#wAYY_OpXEZ2zqS@|9c$pOz| zb!Qc{vi9N_6MZDd9pp{*StYmA)>ZE-HYlzZ;f{+BdaGa{fd+M8y7j>`9?YAy6v%BY z5;qiY-ZiIf-U{=`hCBHAB|LP-kwhiFaGT3xhuC+59P7?Q4MzO4aB!-83^GZsw)~HU zzWG^pNNiy?ReV8RM#C^5FieQGt`S_T-YJdsT+OQl{bdNlG`>j04;VKatrlDO5-ND8 zkV&MbyNcZVI$;*l(pwK=`@$%hnhMUfoB(~CcO|*{**Q!4GtDK ze7v)pu6lpcLS%goI>AlAN>y7<+*eoASxEhguEDN$c#%o+6)g7+^$#OkH3wS?Cb~*c z1)ok5{zB_8bm#k7*UK29=~bQWKj;E;GrAuvf>rR~OqAz2{Xe_je8#gE`c6q>6i?iW zXE(Pk5Q}N83zOg5`u9vWU%BUG%XFoz%Jh45BD2+f+_=Q^b|Vhr!3tg~qI;UuBODy0 zE7sajWj}qME_{K}ql)Bj+>+axckjNh(vBI$Ae-m2@~Vu??X4D8^@qQqH(e_7vAslZ zN+L!=_v{eAF9n#=qSr?t?<5zTfPeL&PDtYoc(U_iU3BPtDz0h%fE#=aAxhgaP4{m zNaK~c1dbhUX;E|jid*!i^6|m0`Ezls4h2+}ridolU|se-%y_M&Gps3WC{jlgE*vP- z=G(tN6|(%rZ|n|PcUvM;9p$>f3GhBF^1AI$Cu~;eLRC13+HgQbb9_d z6^aU2LvEB19rY*)6wWo2dq9#%N|hb{0jaT1LwLQmM-X9K&q;M9t!?&?yDEu=RH@^& z3^=7l>|~4-DFpXim!zMB7qpc&5Zon?+5q_gO9okeS$3}S+%hY~A)WIqvt4R@9X-vL 
zgosuht+kx_VXt#|KYikquCc^)e$N6yc$kGjA-l*W|E57RlVAIrpMnq%fj9}(fq4Kl zO-jW5{{46VtW=Qyt&PRqx5Rf{aLq8JIap$9(BTh(p*qu7jY_%PhL~D$Z z;=8L3q)3(bp2m!4qrU!becvITZiu~7I`LwzV-y9YZS88Yda>XuT29!CjpT=9 z?J|jU;&0vnoPpl|8K<~P^*!V;%#*D|!}HYApINB)CNIfYi4Gw1z+I<&-ox|v)x-!c z&X4QZN2jK%#VK}UPUy4xR$0peGD|&ImAmfg<&PGT&5SQ{!{J9{5NI!xn{S6a@y7?L zg#S*(sD8LnHe0xS@1!Lq=jUZ`g1NC5Ozd}muqCTr?SFl$4#Ll!K-%N|aQDU+#EOf- zT@CEGo=T2yw;MFY&hm_bw$n%skq$?a=Gvo0Cs>q*F}ICe1g~(}@5U4+7)=U9wLV%8 z^dBb*>V-LVO$iGWy^eP2$fCNe;nc6U$Gs7*H>-a$cO!V}+iQVnK3*BDDWM4MQ041k z+pOVfc>zW32se$*Tb72E@@pfhukYIFyCh2ga$nwFA6rfS@FF@gj)ef*2k|}^{_bZ` z{bgoiw)RljvgaSs<;Sj|)UG~82C5~aWF&30uM;F?PY#PX6#h(ogy-u$jGxM}!zRcs z3Ciu(y1nqTz2uv=N+4$`pj#w2ZVJ{50tcrOf(3N=+`-jwu1Up6;4BpId5>p%D9r9ma=*UC~%GnuiRq(qHjy~Hb%1)sI;*PRBy2r1*I0)pjZ#lm^OZsHA9f?E7^7=aM`=GNbmk!Sxr%%R?Amm`% ze_9_4W{o07Y`L%exZ_2lq)Rk$fE1!Mhx=${>U-Sv%3Bt`L<97xR8Ub>O@U(^ zm!R<9kwVG|@|F$S!CAh7nF;wA04aXK*BedBd0UDioAyRg1~tE1+4#^v7^Q$WAzj%E z3Q5!BLgA{att8x}z)LB#(8M^4VULm-!FAZD62N-zU!DrZ#Q?&h1>7PI6)42TggB1q zeGGGH#8sD~r2|?gW?65~RX?p#sKY4EXh~O`^kPn&BF+hO$giH8x20vmSp>K9Di7rM zL|H%UCKZ$p#n9Upwv>Zkqk4GGddJm_RrmYrj*g-Obk#KKqzWt965HzQSxNH?ii|VK zGp($v%Pjp}j12S%PMAtdLY~_8RoRj1S35A1OjBss>a`R+fjGmE(b|l(6|9j}!rZVx zK?`n8x>uzNh9Q4eL82pfFZi^r5DqfR75=-(PuNPJ7rn-nr~lKwsoi)mo|q?i5?%q~ z1{rRwQQ%vQ-orDcLUzwgIgGD?T{3>Y@Qb217mdBsb#oc+lcexv@{&p9;0D1as^=JuLq!*kMoA%CrB&)>j9``7CP#!68U+ zg1ZKH4+-w>?i$=JxH|+VxVtUx?krqIL2eJ3mKCi87Bn2!Z?mNwkin8)iRKCB6-58Jr}JtJcRMJ<+LR$@a~zC z**3qLoet_G-_c9wCtx)P z`rVcQL)3QMvFmv%Rp~n+bz5W;w}O%ie2ZH@muWFYL8Co`o@;og+eDgF#e7|cK zCN{9M-8#if{g2OgqaD-3Y4_$A0>&XGW)}W@&P#nix|pjojZE&BB{-$I#QD144b%M~ z+_{9Wr4#Gsex5Bn`rDXkF7Jx(Qnt=wT4K&UCevN-?49gMi?crW<{677Zuyf(8GNvl zcQ3p8h_k7t$Oens1?H+-YFgMPz82h$h$`iI$0eqEsd2H4y!6n7 z<3DoG-S~Q2w+q>|n`z~;G=qwK|JahaNxM6-R5^rD!sf~EvPGW%<~vWc7Qp~sjXm~>$=tgNeId0TL1NcRaW|%GKMwuM|>W+5(bdr z39G5hF()0cJ%FH2)Z?ggf2kE`9u9C3Urcd$NGZLmMMx`hVEy`3^k8c3u3bCR<4ii6 z_2ueR6gSV@nc+E@Gm@(aJOYWpj&E@O8lUaSzv1_xm07Oo>}kNQ z0je-0oy+p04lwHiG}XG}u~x3M&iNp5Qb_N 
zVwEAzit~re<14{ZkaYaG63fjZWcWLq>+x2)f_&8g*u$6Q(Bl}I^^hI@eKKG)lF?ao z#9#u$pFilR=Ji#&K}cJrl1@ie%vlPaZ?%DrGqHFp3{y2@br?lZJ!o$$Lvp(`njn6% z`6oouDwdISp6@%o9jaN?!a z%(I7?%R!Y;ZBXXIz-F|E5?S5YEfN2yHZZTguy=!qQx*cI0jWrHl`s63GGx43`b>wO zhImV5TnZr)*dSu~7O&?9Is`PLW=F4Y(!M3bqibw~BiK$?M532)MIqv3hED~h`)lUSM$#Wr@PXOEaFSo;tJj)K^-#xby8APeB zRa?c(vf54+agSL$$3%=+NKziVsZGIbxRl>KAUqI~=!O>scrSbSQ;)y?!A;k7KEHU6 zD3*%6QOaY5BcE!405BnAVjbXEb{>YWQ8T&)e=p|XZEJIXKN&asRWetYWzAj%aje4G z2s*JLz|^4KbD}UNB>Z>2xMBFZ7__p;6O z;&*_1rAkSm4SbCwdBvhfvqS;GJ{syMxkX#s^7mmh4SG6uT`t&yrIYWl?(4f`p<+Fq zz?;Q}qM9T92p;@KQd@XU%dk;}ug=d)j^^Pc6a=_!7((R+GXwQ99$d2OdP7@M4Nhxi zFo+ZzUlRLaKRB~>kfx&RmYPhYy#*@f2c}Aj23PL!=ABB{1}H3S=4Tn_PA+Iu5MRl) zex4>`s3>jYvJye2t@MZHPjY{4?C&Mj5jM%N@G<%=#ei>qz|(50xH8<1fhF|K+`@?l zqm3tRqhokGj9kR?+2RfOg{pIv!7W?|5A-Xf4`XAKR()EC`VyTYIXdmjhk z=XLsP-m}9VPweCOw*epvHZpKdoe*> zP2N8Gjp?nW!ht!~J)Ic42zbc>t8`$Pu3B6(7Hjff!yoKob5Lz!rZivC4SAk<+8b=t zO5?4s#eb0O16f4XXoz9DJ;WjHl#gS8Se6a&;N1wsvg+#GJMU>T!%ZalyHmr3dxSq#U zf$=TgaNgl;iAizLd%g$bcxYn(LSL;o`Wd;;u53JQy$9xYlNkIPljY&4KAMCt;RK)j zPbR44A={qZO3}32vH0(QaWRzshl}Cczi>JKOX3~2J#f*ZjbJek3m3V6$t9oM2H4ac z$00^oMGto@d*TO>%d6hW|L{gfm#46g7kLCTG5n7-Xfg1Sznop$onBDj^8?`({w2&j zVOen-b=*rI94eP&#{Y;&`IC|;n+Qb?CH9O6&<4l{Q$nCTelag<$$h+EUz?PhB#8p| zmT&83&u;$f#H_8oCD+9BC#*}%f@r7{%t|L|D+BU~rgtZQ%Zrf{ZvGcfv3mtUy= zp}KH(NO08G)l(f&p`qD~da!)99wUU=$NVn~#=o&f{|l+)Z3<8x3#ElaLCtG@=lYrj zOEe{m=G*uXf5WwgvHFXo8<%mEh{^;LnIOss?!>y85LYH;JdPmwuaDETal>U3ve?zHul6Rj=Rs z@pW1kD563?CyP+k07c?R#%V;~*g!G3VI{?OL?l0WrIn#(Dz-+sYy#W3$oA2fp}TwN zt`Y&9z-HfB2Xw1zZ59@;<2gA!Cr{}^A{;2?_`GIBUZD)T(MQqDh)iMhhyQPNGm|vQ zDMM8ReDpCx#N;U@KIJ^gg#n6JR=+C2@a5cAf)>H+mjzxQ?{+V{4^Q>Jq~FbuRRcg> zS$Rgo#1P?93PfFzAp11}^CkcZ1zGlds?$My^GnVm-_}6qUvNEo5v^` z_UFZ+9dNbHnX;lUwC`F|yD8^Ur*93-v&ui&>9@Gk+8ZdtbiAZphC(u3P3!Y4?IM!!ib7w+U`YY%!^V!8KM?c&q+w zM0HP|WfIcIa%XsbdOl}uENcC~qu#rCIXv3nF^%Lm9ao)?$^0tat@?(Fqc~OT82DA1 zH!1bCL0!7F(Zf~5Qg^p54q63~y`c5Wdq4J3u{|P_92o2Q)c1>zPeKb@1V^bXEr<-= zZ@A`t2si|8;*nXI{B7ywo?K6Gtgq}XrF1UNuYTS<>!M)Y&WFFFmXV# 
zzwTUIb^bc~Q+oX3nB0y}&2Q6ahS`f@L}_dQ@w(TOS9zv^>m3noqPqmYpr>XO1Ad)( z9A-6Psx#U1#qNN(arDhYRb%MZub?6aTF$jc2by>`Jt-89dXBYdFYYJ!P|tJ>7SmJf zhqwbh&Lb-AwQR>daFpM#%RihKH<#?yA)3Wj0~0P`e%E&`A3N6>Y(~V_K^SbGO>VZI zCd@V=&x+@KGDlcv<$VKf+X6spaB>Ajfs6O|<%X9Z2^8X^qT>@U##6Dc5e&Z{DjdNc2>jcx>(wI(}0WB!&qUTwhCA4r#9QgBA-K#}`U)9h^*i37_ zlPMmPLRw>qe>dXb&DIdr=m|IB4HKufs~tbSv-(`}8Av8#%o}exDH4;3gz}jVzTYbO zMAWh=jy=vFAXdX49q=eqxe9Tb%h(D{fKSR1e8sVF?XoYIVbN31gUpMTA`*B@oo>cS znwSw))I5<9ZD2p&8&b`D94>8@wng$HIr-NbPu5GL7~XkO-7y8Kp30Ds=I@LW9V0y0 z{t_C<)E?Iq|HGxuI|eZ#Y~%zLHyf5276gvQ!bnkIs*M zlvw5!&^neLC{Crz0Wrpz^{f-4sm%u7CI6cM%d6w;I^c36Il zfe~zPoA2G8Yqa_)qZ3_jK4Ihl9o>ZG{8efABN}Wlv~IMcub{%HTIH` z{Tm%LZO~U(1}QPYh;{fGgo}_=y;v?Bb@AK#FvhT4KI6{(v}}Ss5+ESJ$=ql=GK){WsxfT8RL^GH1uu#ba@>u(Sqjw(5}ny?tKPaih9kok z3*ALHIPtucHj1Q<(3l6;Al&&Ai-Au@%1R*Q0FeO+K0_@&ygwinYXORntc|q=v3oqN z1J~D5F>A%}>v%Y*jfZ0;RD8-Qw#^8pbQF+dA-3}wEV?xl`ezul)8A#^FuD#v&CMp7BG zCPJoW=PFy%TcZHueSK6%m1zo?CEAq?7xE#N9FI>@mWqf_L<5lvQr$o{esBLT-&#$d zCHCiyh1Xpw3RiSjcc}}zi#juD;=?|M4MF~%ronA;1&}9Iaxpf%`1HoK@GcTxYET4K zO+ibOIWpKqac(coKktFoJ%<9XdNh}&RMU=USbpW1i>)FuGN*&L6#0MJ&gsv*W7pv5 zKO;Fe$}&kyUGz9p{|$dM4hQi?w`1o5PWQuzF3EqTd)Z3H_ZT!ndCDtmtYnm{;9Vvj zVXd}8N~e}p$~kRb46A4I`0KDg)NbR=I)2rMd5<}F*`sZ|ul=hTIR|XagL*tsfW&PM zC&m3#BvLeHdlvqt5%M}EcrL1 z%2*Ix#!NT&Hf-} z&AGbbY}RW2XA$~7nsFX#pFe&)cLtw;Jd-#;tpanJC2x+8AaT+n@z-+qvAi2{nv82C z?Bip1wg%>xYzP9APj>DpR2*k@jN!WPD0upX`r66+{p}JD=(cvDg z*|d`ADy87OZ5O(eQzQM_r-nBV4?9(TVz)s|$*GH@UCQtEhIl1R_BJ9=&4n&l`%Wbn zZ9*aLJaGU~Z(-pBlq*QcG`@bg{wW)fGiuk~{dQ`5(Ux$lNCE`C(FyX3^VxO|0pXe3 z6JscsDD5)CSj4hPNnP&+34SW=Tg_gBMC-L%0mVIocnoTWo7wSoHIk%& z&Gxwn-f`y#w~pO94u!`qAwPIv8Q(;QS-Ke)A|l_S(&`M3mOHtP7@J*b?0E9P`Ugeb zFXv($P8OhNL7UFGI?_chDrFthe5lV!R_~Dfh66zK``tI?CgqGCyuK1Ro=K~-#>EU& zqHiQheok}pBAIP&bBPu6LBI$28~FH$VJ z%JX2APBdmW8S}|?ZS^BE%~ts%LUp%%O=8e?{92Q%-qZTQA*b8nDIxhW?YRq9MPvHo z&TJ8nbAn&vqlHZ{>SX69?VOCZ>zYpk+&OE{mS}TG)TP~{8a?M_3EmxlRNJ1@Z~VLX z<(%xpBoP3+qq#Qb=0yZXydOh-(1(jrp_9dM_jk{uNkPmFVe|fbYA+r*NlAtZ`D+XV 
z3Oaj}xM#~Y#EdOS74*)7zZ34GX7LX5SDYZ6HqqCN5{;A+TcN6OR%KGIExoNAxfEik zzCBT!rn+@ZO2=M63DpDYbvs**6V=L1?0So6)uJ!olh+LIFjO@Kl%B6+hWEDLaGC9B zeFE)_AUSpsR~e-&U8jz{utWxO2!DEP@pdPW?M$8PZU_@iQrRT3KH?SQCH;?4N-QVTz# z9BKwGtdU3HaH+hIMH8b*Np*(7Aoex&dm^1F0c;@sEF>jWV6>A&ZjA{esl37vE2OlQ zTJ|F5H0}@neWfvb7%7hzZleGTE=`&j=u)N9#not~zrrMroo)U5<%Ja(U*ZupcupUe zEvDn(`DhWc$nf|7kQT9R<{#+`Vc8D>`vjkrm2zKpegsZa;OX?~K203{-EcdMNGOG) znYbAh5^FDv;b!> z*>*8_Ud{k%h%+Cf6&jqHMa7dJJDq@E8Hez?%V+0By*$zMuF0%L(vS2CJjhmK6A?5@ z6}s-e*!@hGc8WtP6}ULXk>pPfc@je?9yWFV#sfZl&Ix>YsRNuL(!C0sxeR@rk>%wP z1CS&|PrtYAs>bHGvd9>iSuZo@1n2#jXMtmWh!7W^hh`&uh##c*c)EC22W=tt@q6gP~~;$kNwH|CP*R{)THqYZTAqu!RN zr=75bS)#6!WF!thYz^yZhQn41>kz0`09TMe<|IOlluSln-Ay%|rQE@b+cL98ejjj5 zd3Ve-G{bU)6q&No#(=lf-J6}QmWC6dc@8Um0Ypr+AlT}$@i-L&0e}eMf?E7+*(q`y zzrld@PFetjv;;joa0&(`GrTsI~fmSa>w` zbu^5o*PfOaKLso*R>|LgmW{gVjd*0KT`6@jp82?vR7_IW(tCGF#ofMgbpEcW!TMO1 z6yX*3Cn>x@BEhFmskeQ_G1JXikRQlKF968J_@r_KvzWNkvFk`Ka3QI2ikIdw*TLMp zJi8tf0h}LiOtgInlR&rH4k=C4EitikUvO zcY}}Jy5E8g@oj=FeN>Ehg>E+d_jGxR$2SACWYNhlu$mTn7(BKBA5pOCH_{o3?WU~T zM0u;QW+ir;Dy3t~J9b?bDQa-mXK`vX#+8FUcJ1RR9NawbPh`eI;+~K1yjTl)_HGRD zg9m$1Atsnn737tym-wovRww2st(mA zx0JtVX=pP}F7cf}iQY?!vkr)mC(v)f>mTakp*xVWd<_VbF9i)i90=lKl+M#Di=0AF z5U%CevmYDrvQT5D57Nj>A2*g1YW8qRmH=eap<9{^09p#b7BStj9tAaNaWLJF;o<^w zIpk(L&%tFE}3_L-KU)ktPgkWTTgR#UJKx`CM? 
zPIe7*v|e^R2b#OUSQVVpi_XCzQJZndSETaRab8O*0!FTrAam#)AVHZ;`zW} zYB&Sm&?N&s57{PX8FmRg(lEw z#Lj(MW0huxqI376A~v=RudRzOdP+X|6w{xmkfPV`6qjBmZ=~LjVyYhH~!{5i)7y>yLcACyK(QVaGtP- zl$<5tg18IP)~6zBEFJ& z-@Kr|t&qF9Isv9Q(Qz9z$@*c!uOOY94?9jIk*9BT`b~l`{a{HhYea#BP zEtDy8H{bh_ER(3*K~!Lhg-uO~|E=MY%KPCiW~6=+D*d)1tbe z;+Wpt%ud|pZP3%L(l#Z7=gUKbS%M%XMz-E~Dr1pAvQu_;&g0J?I+q$&?>Ci`U&8dW zb5?-IcFlIn&UdSZa7d0#T5rlmr%iKPmzym$$m8RO zpvBAR55&h);`@CM$&JS9sU@a(0t7W8`8O%o6fRO8M23LJ{U^XgM~RQsFZIL}MCt4D zZx6S;{W6P8XvDq;e&2EFtq7y-HlfNO4+QlwS=(ApQdu%D)!hKEG@m%v;t0fgP?MrD zFa)1ZL5`t*D+(#{VN&)4UqiSi^FIM+0R@H>so9!raPo+SThFYX%^<)YXHp8^+=c$$ zgWqFO#m$&M&|F+uAC#A!(jXLh?&(uR)zVM7(;$#J)@@kk;AKoy>%@(Kz zX;zFiD^;$4YhWS>IPVti${v2SayZtM*iQ8afH6iL#U7vJbuWC`^si0T*HQ^_YgQNh z9`9quxVm0)HWO;)$5wL&?)YKG1rD0^FY>cF$w|{beu4*pkn<<)=gt^`?N0~U?gK+b zJ0xl-39scaURj9^b0hYl0P4s_t=#rY&s^Q;>h!$I`GdHt{BmzENChLosx+Q#dYM(c zQj@ZhnxFi+pu9eGicfGEf0=sfhFj1JASwWyZ3Z5`x5}9(a=0ILEhqHf4vvut8DtQj zq$E6Bzj-UJf4&c!uKw{N-;8_Tv|pU;yXk*`a^wj`GbKo>4@HHNL=o!eVh76ju5jG8 z+xewb9@VW1#JxB7GbEqlq`X1CtBL;na~$BK?iFb4mNr|ET3TV2@rV4A*ji|TaU_CH zb4JBbL7(xrN9>~8A9+~eS^EhXm%5T5^yrCr?K`Wi9uN)7h^kp`jAk`o0qdR>TaItZ zQi*>h0bTTjK)K|h^iyiiuoSdBbx4lvq#!vVzpl6dYc;l#1BTLfRT$5n8^S+catTUMXAm9N4Hat5@1n{*^yo=Ljht-E5y$o^RO<2)iDf zQ7v4b@t(GhA1~`a=lVdkU_G|gKSu@m@gfjd<1vK4&T$DNsUVtwx@f=-Q&(Top$|tL za*UJjmqp&3*cVb?mj8McQ2)#F``5UzMGC$aNJz+!bs1GZ@WIQu;7=W}2)hN|P zgkPsNQx!QL&aIaClihkjeJBtvw#lOgU5=v=xyg-SIFG z-G7p%sUh;`p)Xz0S?{n2p06{=Sf|1d9lXiw4LqdrrKam~9%!UO9r)JGIGvs>Ah2`I zO>uNOx))L|?Q6ve-|l?FaVK{o9u60DJ>vCf{X(Ab*?b*$G@{s{@EAeSHva0fDP_XN znIj5#EUI^2#&x?ThEE+U0uQp^NR((&%#+pB3Mn{{N$uZG&1+c@yt8kEb-!Jj1>zA= zkH7Uq!~NC4egYkG-Dt)2Y0kLm>hh*&5cGO}9~<0%#`$NORJ}h8LTZ2~j&EWU!>*m` zt5;gZV~u>$+)WRkmYn;?ZDe1gGrkQW&lKuTK84$>hKjhrsX+rA;(-@79q|9^6g5Cq zK#;dn1?mzbEsPOVXh;&t`t&7px)Mg8!Dn$HV1D6l%_*sb>VD z9-_wlvVXX>qewzBS(|2)Dzo2aV`l>u5xy$M^D$t+jD&<_f$V8$XK3gP89PKCKb)0C z2!upgZf$OB?&^wN>49joSkUSaixn}3m>XhtPMsix+F61n`S?MGuF->W+3hAu74N{K 
z6WL?5m=SwCM3;<611$s0Wm70s$z9#v{<~s;jTl7Lfl%XR@bC#3plDycvl^6NlF@{E!A$!U%~YDzx$ogeA1eQj#WLE@7riT^Oj4 zn0*YEKP6$nLkqv4uEe#9zMeqZu}>}WFrZxGw3wR`u-$42<(IhTGNHX@WEPo!?Sc{u+Vp+PPh??yeM?d^Cj zOMsyLZ(D((9e$tQAOa@~Qjl!w-^I<`xY{vpPe|{dG@Ue{#ofl|&<_Vj1{Q(p0>{Lc zvxdjUlj)xQK=d3sQUeEKcTTm$Vsd&h7<&8VT`%Qe9Vnm`ZwncmMTkl0nl{ z$;qqUt~I#m5c@VE2_Mgrg^QbppNE2>X#a<)(E6dXA%};!s~uu?05N;{)zh;zBPTiU z-R=}o2t`40=<{=b_hHFBQ4UEK?rz>|yLZ_kPt)AB zI>S`M%Ut3q_xlsa)7oYyN2%PjQ`@z)xwqldvowpVcXYYeJy-cJ7lUhIgCIMBzxy5f zov+tpX)A!Rqd%f_cc=E9O{*2QgoLHXc;EkCHVj6N(GRQ}HQMDeufNrM+#v-H?~Z&v z+Ym$ZdD-N(e!nug5lT&ss5b<|S|1J`Ljl&9oT=0pvuf#9R+87%U5%Cs8HK2UqQ;0X&65552Q_f07wZ6YZI;2s^t7YDbz$R~d))R+)jQ~QZ>LOH zL4Zs&KQ5e{vkQwc zhp=&TA{h#y)_u_NdRFNXdSc>RiaOl>(%jb?Du{VTlKTSE`1WkU`ZMfs;zn_8);H1 zA{FxFV;uh0#p!C|Vp+xa zyn$30xLYqR7G?rekXC&n*?4U{w&>&luJ3MC)`W1h&XBDfF?c(_=>0HsO}8hNBGD-? z2c=P69cKjh*gb&O$4*bi{hUv8KC1m**{e`w*DJif5Mib23W;=&W5Nk_dhI&=pm+3Q z5V{ol*!*}P_MW2-YYPkyW`i!(lssh&duaEX8so~fR(`$xx*=?%_!JusOFN81PPOX*LUCuNg1?P#RjL`A>Em=EmzrbM5J4Wv!9CdR0KObqHq05tt)1ABu` zFPSpdh9DEgr3ppWEj19@x9i*!qplGjkdDDv3Xdkp8vVo)x&ga^X{5u za?0`nVxM0;GsB;Gdh`t<7*{e7*Vfgu&&;z8vEaKR20SO_FAi4>28%}4V@>$ZE_k7e z=JlLL;R>Yi2=NO8mCN`P2)@)&6gq0(&yW9cf7NgH-c9t^3ho$tT&TKzr4*Qk`vhy@ z6wsG7E)n9A=i#g(YN)5_ajf+oGc*9|O0tp6Bd%W#vZk_4oiMRXyURo~f( zo3pjTxcVx{)b&2w5EUJLe))1#&2`b@`54k*ht&0^Rj-grkhDo%51Bu2&ibkW%oj)1 z(be4@jVqW)x%{mv9Q#3qKgNJB;y^ic$|L`NlHw=mh!bsw8I${HuKZcw`th_TPAU&% zzv*kspB@O;>H%nV-{-1~U=UlCGM>)S>3HoR7W7o%n(%mTHdg{#oaKw#ZPn5(4u736 zgpv4`D=}4L8;xHGPDhxZp7*M#q=P0x{RKG$qplbh$0%uk)ilv_)z!pq&y|ALZ7 zkv$cLJTzrP!xu&3g2pb#-ozz7@fhNOCIARwouh~e-a=J7DV;;2D%cn(l3S1RiCqmc zb+ObmMb?jDOGE`;SzW9dR8pJf^KZ;(I1J-(>5A4HwSN!*#&N3Dz`$ceRCVnR0pb>& zyU=O{lP`!2M>nSkE^B*@A#uHof8XroDf@!svt!${p$Ao)JR$yDu-kg)M$J=gmrKc|b>(u``WqsPN< zZ@Sqdct0?&AJ0JB>$;td$1vprjr;ri=yo6n#`5%PJr89B#%U-<`?_`|;9sz<_K&%? 
zu1n$&`fsxi6-VMf%^Q6%m~NYpM40@@P*6}iK2XTVDB*n2(9r!}uoNIP@N+@RgyWVm z0$XI4@Y*}vUw2c1{7*Al^;G$QF4;#mj`n8n^*Pt3)PPct)_jaI}8c< z*|7Aj0Sh!wvwhRjO{OOF_FSy^0k%%8_E(FUIz^Gf+H~mr_{iP1Oh_F<{r%l@9z}NE zlUTH~6J~!W3ccK~*;D=?6R-ZDoqw~&a^oDM{9NwaLwxhoq4~HV6oXmA(!o;Ga-e%K zT<@bb&puws+^c8=>Ud;v6+5MpO{WS1;vZr9y#`Uy-2?#KMX)0ZtMe5-*WK2BKJ(#* z1h#jD{8Bb}xEH14bh>>^>Oa?S$I~@6&&R`&Cv#G9M}B>Ty|%s|FJ31#9e?UoSSHpP zD=u;D_&KqfmUTWB8CG$!Y?k$^>(CrlnqSJbtN!Ggp;s%UfWD>gR#LxqhcB4r;Mo5q z9Lsz3$E5K_h31T3C%$qd3FV#2k7G+DCVxXEBN?J6#ImD0P@8HKoQajrTSC1$tGU{X6UQ;$n2NSZ?i+ zC8$=3I{WTQ{n8dEIrQckF&|=8;*x>k)z`AgWQ=E2G`F@DI`gX3;O7Z61WLPa4{u*0 zXLr~8lta0wk*eVCcT_or3pKqMT}-duK^u@9?vvOG8{)ZvJ9<2UX*6xSI6*X*-38y#y8 zR=75OO;yL9;%P_SbPkl-_nz%;T+JKatHS(e#OfbnOZy^R%e3OS;rM;Fs=IYF3$ z=Wm?(iL$X3ES`~p4r(^j|8({-;6z)y^FBt#t7A}TE0ZvGlE02c7GXP{bTus?WxHY?C2NtIsbm2~>NceeOheq8TR!GoW$ zi|x|=(si>?aGh4L9(6!{ar>wB0Zjr(`i~ljf_3ko-=hZn`wIelSvYQyJ**sp$*GCz zYD%z>U>EG2g`e4G`fK(|wysjw#i0+{!$|E&$TMv2b)oD(Dt7@XRykwU*|%sRWV{6k!#)nt>-DvMK&3sXogg)3fo36KY zk)>z!?{;1_eKk$(&8R|atRanCNZEW2=@^v7!~1=$3^8G`?LXeVTH=ff#W2!tzE=!+ zqRd(pN?T{iDeSr#m=JtPYx4{?^0v07noEnMIbPg5C8E~em?~^eHq$f`^!YBP$u5^E z>vOI)ya=5<&)dbsoAiW23UrN`frW#0qh(Udta?_g7ImGik>3Qlz2>fiw>y0 zUo_Luy`fWt(i1)2*1*Ust1$JOPH>I{znJ_sSt7dXv zG*IuSXjL8pRNxE^g&~)k#H6oWEUH?Hy6d<2Zr}9i%=KV34a)Xfj3JXKiXZ#Q%@9N1 zouk0T{kAl&ja8_BRa|cnh5${bSzHgkj?#Y(IoTCLAjto|^ZxgyC$epXO1Ju9#FE&K zew2`8t|-E&jBiaUuU!36jI!*~Qy4W{P@jM}gRNJc=BjU>MdXfq*4ajQ8(Z97ZD&*< zTP50fi7$ejj8Bs{Bcc{g+MB;KU__EOLt_XT2j-D7wLyN8Bw?4A>;6TWJa87BhCsK_ zVG;&%N08v7)P8Q~T@c&AtAv+>45BIatIuu5=KFTpSXOz?D@U0p;mVT^klHog_9yy` zfK8UH$L~rxPgW6!?D!CF)kI7U>Etx-Q`w#>7&!bk$-z^pj?H!-_C%aSC00hI964dg zo$Q;HzJ!3gw}smFtuSl~JU&=y#3~`BKf!z3No(P!1zGJSxed?Z`4|CmenFSW6&ch9 z;`E{&(g@!P?Tgv2qP<&&h=$TMdA2#AFM`Lcn%f^x*pBe0$MMVDwc*iCSG0P)8$@ zg7sdkETQi!s;gL__xG~Url;?PTJ70xjP4dVn_tkCS0h#N7{~7>Uw`*z^)*&75pm`9 zyMC_P(^HtkM_|)PBUt%ikd<7H+I?LZIFNl^F$z;UDWM-2x+%NihBLhx_?t7QNpa zduJM{GhKx!Fg0y7f4%i~TANGg>8)#%n42HAzqQ6xyGr@|KDDsFF;SyDO`qRxP~z;Q 
zqnA&FvHbC;yP?b?n)+dT<4!b15LMFnrD|Pe%4^Ub(T?xM+lPy1#njG8>X3oMm90&s zt}j2n7bQISB#{8xnnmaG9gKph-BI>96C>1oFLtNiv>&O~V88*6N*y%I#=VtRiVrLP z3wN5uF}BuH!X9!XW;44;FvfFny6A}U}-|=6Ru@%$P#Va8;%&rWN||w#a>uS%u>YY zyV%U{%iE~QeqB37rzQhPJw?f6%F-)@4H-Qny@|RXrxgehUeCnUk5s8D2SxpZ z*i&dhWUnS-HEud$mTFSd(e$;aq13y&6NNkggj!nVhBr2cP|D!$9%6`Dh0*f@mjGN% zjKc#wWi=(m6&9a{=9QQdCMn72$-oPcT}~zWFQ~xXT>ln0&(_dAtb;=FpK7ic!L!lr zry_wS(d!Ia<B;pzdVDi=;=NZB5n*GdAqB#F6}ikz9IRz#{$%mW zyhg+TI5Vgm-3eSVP>U)r)`KR{$a<3e@U zBSm2ziO}uf&<6SZ?sm}8j%<g$$lZd$aHkihzO-62uNss(x%z_FMOB-m;8UvVTuO zB0OU$kzkr=-WV3xWPt;lEd6hlzp%64mjWiN8hAbK<{aU}+`dWxc|;{i-Ky6+cO73u zES|YT%vpS^VQDSi3X}V2?&;grzU3|vd~;P-k*|>_rqdhDOF{12QCd^W<}ziSQ(HB5 zlzK>$!y&vE_Rh_>Zzc*dl{>qfdNDJw?{l(>cb+(oF>fz>RmD|pNg4hPQ}*1@Z<0*> zx9sF}5!Lk2g@JCyz{SQB?i$b+HS$B(CT5a$s1}T!z7u=dbhw=p;P{iAhveOt9fg!LIYgZo^Dl z&xK3Zs3D`$bH~W{@O34V8|*#6Q-FpT<$oJ0i|6v?Cn(_%s5JkoSfZh|-o1=C2^oap zcd>Ue6)k}7*P2>h(*sh1cpcsY0kY$`Wa*3a_g&$5ZS0v`jVQyOuHSFh85Fj)nULWi+q%5}`w5%G zP>lm)O<{}smnW9%OTBk7{;aX2%XB$G^R+qO9q+qP{x zlZkEHwr$%(Y_EJpbiJa?5LN^H^u25jl8jw#YBi|-=fA5hFf${`EJilQ)wR> zjwLrmFN9xy4$0?bhtvwsRy+2mPSUYn03Z)hQLRHVK7$YON3gR(aMxD|5cM};k@ER` zTGZ@ze%gIK349$qX0^uazMhKa!c&tS?P>hMD#PSD+wxH z+u97gU4EGzf*SOpX9_Y5F40TFap9nuK>tcWefcoZC4A8#QOSWK4rHBs9e*ErT$!$e zf81A9P~a3#%)^li88~D(8z*`P&SL2m{=F;06iq)&qpv@C#Jz8Y>8Bh=P44~e?R;n9 z;PQ^o(Apa(Xg0PJM#c?6N$Fj<6Uu_++s$t?F3L+;1S~j*dUC4LiDkD{r)QTbhp-#p|ZVB)}eY>fELVj|);IU?|5a}PV_@}3gBDCYo`hLQw zL0Xv9KYrTu%jxn8msi=%+VzC~k4qUy+CA_)Xcs$wQx=VYPd#p{|FYuATkzw_!n4qkogcoSWvg;}Zh`S?v2D`tyGTCR9 zrD?mRa4^xrB~ZREs{>^(;28{0@bmU#E)WV$PRbK6V*0F=ZYCqj5721ae`E_BYx+Nc zQ#kZ)+P2TdY=$vO%>*wQ#&NiG%VdieQuIlB{ie$0sK`}A=E&!=%IL1~CJf4ql#dw& z;mI+2SSi6BYsm;_{9I3^C+TLt@!1fs$YWde+;c7YZ6Q|>f~4n#SzuLlIwDiBg=W&A zK_;_CcQ8^#`UcI(kZ;_5oOHcU1c<+sca|s)K2YeAYNubogVys=n9;oqmQ>hmB1p4j z83?Q0R@4TNY|I?=X$`5LRZpq6Y?JV0n%S3>RiC7-!;}1Ju{~OslE+UU)7plzJwhm8 zj{^ezIbdbzZ0K=EUD)BQS`c*gbk+j%xp{T%X#_utk=*Agd_VrNI0(?xlvQhyjY>n( zp)|Fzv1~5-3pz(`3(jEGrmG5WjaW-0vS;mMvNcVqY|!2AvC&3Jt#4>+Yn@YeKF#=D 
zQ=I~f4H2`y4OInRG(AlHnczKf>OqYVw&}M9+aCR@mj3L)gyY4P~j2wha zgoib3iu0p0kNweZYMEAHacO|k=)@rtkr{?#Q&}CbL=;Ah@8Q?hQPX9UO&rVol#)SH zVP!>5Wmu&`K|vcsTwa0AJ-%m4ZUcj-%Rv{#mSp3kMS;zSupq$2!KJ99vDqb#So?(C z4-oj87&!mNnj*2DEqb%$dO58wrQ_lXGb`ew z?u@Rkt59bNQ+t1P{kch|aUBO9B^!1*9sRSEi!+ML>1cYX=aVcS`Q9D6M&R3-9ECO) zird1_Dl=fZVU@Wq_bAe^riPTf@@DmfrJB=%ipDl;SUN>a#Ka7ZL&g=2bcNxPdv9`k zP2axm+qKXc5@63k6-u?}0KRzefUR0e?qgY|Fo3qF(iK32x1@9&r!KQyo)l8CM&*Ea z$9Z~bsT*mxvsm}|w-u-8IXxEfsD0Diu&OE86aA7Z3&?B7ff|?CH zcwCy%cH}nWkz^h}BIVv2%v z@W)U%RWjZ|gHyRFHa~kVYn#R9jFb@gyb~6ujXH+D!FRJ!u+o;eqzukeHsL}(#fwep zN{v#`3l+e}q$eEQ&V250r4j=BD>yi#b*9BGcca?>&BkVq=l2g@ zcg9trFj*B$F0c_osA{4*oVg)*{`7YA3&?R(mNiiL+cPoXkNy3slws{iNFTitS(U@{ z@FxB{4Oi6_Zkv{J=9HyhO)9FohNt20b+7{uYb-be|f*J@ZSX^g4>))rlK<{;eYRJN*0qS2)2@PWG&t?TW6{?|j(sxne^!AZ} zwbh;S!dl4m{(QqK49^aTK~yj|*{li9S52+T5<5dx3)lGqt(85Fp#G%tR45>H(!o;g zW!s2AIsykBu<&?hAz{j`djN)|rM zKW55wu!y~Cfx&a}`uc;)O(`G;cH5IWZPfb;DxfY%(69aQDYRm*SLgeGkLwvID(Ou; zEts;7a^gNhd!eJBpexJDAHz9f#q{y7Z%{{c5=5+m4Y#Ja2K)!cqQ$m;g+uD8+E4y+ zd|jL~cKWnp5@Z1bA*}+D2s!|WZFH=A04C;HVwgJAV z{tVUohv2(kUAS0s2y3LF{eCAct-P-EK3h_^im$^BcV8*zgVQK^|r%EggCw%O*eFz4<(xR7TVzrzm9&K4+7G(dmLBcvrB z*D7FfkxNoP5Gz7i+M1vfUlk%_-PF>>5A}W8W7VOX8_!MPRRb_km z-R0c12(zo%1)WCJtG=l&@Q8-A@*q37!8J1k{8co|{@%tnBX91`6|(rSSk#}JFB(=% z6W^v92QqNUr3x4O9&odm3YbrJ6;@JO;S4L_xhtJpU+P@?oNg}<&ZElwZm#6W3H-h& zg!=pggSDDqkI89cBwEc(C{c_i?c}6Ey5& zBKyd->{M|x%?x2;j*U;P%M&(F|BdY79G@rFk40t05&LZw#z&W}1t+#fKk$_t!3Os# zTgma635N_gCylAu(~q1z22<85OVE6QL-L79e+mfkwJB zI+*A+4`wJ-o?NY!*bDlp$NvP+0nJ=Ii{rwC$GZSb-(}A;=Bc zw?*1oQ^rG7@wcUb$V0reG?rgGdaSO3QYt=<5^EGjs67f+pB%CiwbR1iKF|y1P+8B* zM9A0B`gVT~NW;t&rdnY{;7*~e(rf8?7>&@}k%1$%uu$N1=Jqsec4m+J1$yDCeP`9_IkS219U4GZr0~SE_L5QfZRSocrgiO2$=^DJK zByq*?zY*v8Iuwv>(K#tQu47RoYH~2Dl^elG)vDt^Y)dGrkj;jO4EL#;DgCjqlvFlg zQFvB@iUP$Ltp8#Rerb14rvy29g%CX-5Py2AdhH;PAzBDjV1x(N8FxR~Ytt&13C_^q zhvozPpOHXmQQ9c|yU>j>eJ|b&_4(HgkhvyCghHiMxj1KvXg)t-RK@a6YC|BM);5#m z?B2B_jwv>IsjZ(8^8(Zw2}qv17z!Bw3%?t2qeXA1ysKFdk(?cZ`wX%po9JQ_8K@Z_ 
zG*-svTsNy4sL%|4)J=k2r#74EL$2{KlO?#u4HN2yI@EUrGKN2C0);GrxSi!b!Oy1n zJlNyfYBn!Fo}hTm(Q10fH->=#rDHgGr{c5n_Cu=EoNfe22)RRP$vZ`V0|ht;NbPs^)R?}NYq~mv7Kuh@*CUNvI^Pf z2rWy?%N%ls>g-~)*t1%P(mx|5ftr3wbd|1-cj^U9x6q^P>NYxX-bsXPSk9GMHjCJf ztxZJ@Zt>!UkuGe@9F0U0h8-FbnYsYr??*yx&EOO+snFwl#px8)1E9W_E!D2pX--A=(=KP9QPbquI{6O1o75thp z>QR3N5FOS z3^8I}6_m>epm%p!xMtNgSjMAA_;$3!#W|A5t7n##U0~VLLrd0}Th!E0S7tSVWS!Q* zvJO*IWkax5MB~4g|2jMZIg-Li8?|qr-_+JtLiFVzFLXByT!sy@YRoW!GWsQ)yq=%5 zbB&rOFQa=Yytusl$lyT69kp%V1@h`K^NgWFSzzjVxYk^q#g}q;q*QMf;AP=q=H-`D zF6W%^!Mi>^oYVM=+&Yas?rx>zB)4@x`#qUB-m$E74KHulcFxIdIF3T`TKDMPrby;3snOit0xn(tLecvMpEDwgq^uGPAr(|QZa!s5eijy&Pi&~;UJW0JK zts`za!tPSe+G>c*%2nm;XN#$zv$fPhH+!X!Hz(>}jwB`OCf zEDUZ~!n=-bC~e3%>Z+Z76jv3r^|z)r`W8z&FsdJam8KFh|8(sju`RI+w}8`)VbPqE z>@sNKp}}Bs_jhR*ScijQd=VuG;8%-HgwjH$K|78fjQJX|s{yq7dZ;ZXbzu#imD0=avQ$>Bjdtp{kE%%zpK$XqU0ohfmFR_ z&W#;OcQ*!?a;C=bo5)+o^{Nfnk@C6=MQlO-J8YX+yB@!}K09rmW#(Wi>uKp|&LDTJ8 zMx!sU&E^d?T6F|RCY;{-H*#Iq97jF|79^Y%`={n2>bEUK$CVumr@aL)x$TcGi@a|d zGET6~i=#mAZeP!6|5l8UXXR}O%R^DALM?pNO0#L#AJ45{4?X<1;^q`gYAikO^G!9i zQXo&Tdb3c)gkT`@Va`HhJIe}Uff8O9d3z?!P^obM#Ym1{~z+vaP{*U{Ht zlMN!%rUU(r6>dZLywexRY@VQ|t=0SHsAsr^vp{EEy0E-M_h7*};jbpf_U+tA&StmA zUcy^25N(XKj{8v6V$!60j*a=s6QvDO=zQ4aRGXCTn)a5!71OIgiM z3rNi!Ojl{sY!4ol7(W&;rZdxl%gV*7JYO0l`~ozKu&bFSN?DA2-waCQi}*K}<-K?3 zPt8lXr8(zq@^kjkMJ(ecG+=!(cXSuOA4%>hJfjWan>YZp)B*OTE%jo$nxFiW!InjU zmGWOgHyavRtRaXXyHDyr_Fufe4K9x6>sN4-Fw~cp)Rm2Y+ANjYwOzh8+hGbY@Q99k zi`zB^iLXo4R830CieHdaxI2lAwW&lHR+0QcIiB&or27*n;QRnH;h%Ig{DbtVin*{8 zTzJ1Lx3T?p{-0Kl*Xo~bI}T&WXOX3uJz2&src2!$tOJ+OWvcT_YhOcrYmIjR$}lKB zv*7?2z!Yj~a1K=1zfRW3C9p&F=y(}H2X{l(p=m`?mTT-#`&*D@L2J^$PuDAe&D0>L zn^PUMWc(v!UuO5d_b00La=GDEVf*`~?=YB{QQSQGci*Ru*i*KmwH>ZK#HR*Uujxh4 z2?}N7x}%TT$oBeO5c++0OmYJq7&P}OK_+tG5r*Xw=-wvVv4ZcrNoV=9X169Wh##I# zcYBpAa;*EY{O|i<>*C2mTIL;Yx#>3tM8sp6JbUQ-e-h=@bG)HIRZ_KdFjbjU4D!Bkb#k+A~=uX4h?2(H2Xzx#p3_9FC- z=56OvJjHpLD@eHDF}?yf39c-_r)h{lUKAV7jf`K{(((YO>YzwP7grQNDvoOfVFeeH=oJb*(x&{u?}viHXG_=ZA1GtGTL09< 
z`+i7NkwyyKz)n_C!}XjcFTsU+*^PflH?CHvAY}~jb@kt#>AS#zfC4nkdN@S4)C#>l z>=k3>a~D&Owh*+G{!?zzr{lz+bAK_Up{1m?>>TenK)~*7GtIyz35!)kgi+1c=h(56 z1C)p#l)0XyIqcm%j9a5X6p?Ksg}^8fX@ixxME%T0)Nl!}r}zN{yPj-ylY*@zzq-x} zDFiPxjPi1j`a#lJOhMD}i6}yT*OLU6-MhAh2e77@mV=R#*ulAUiLKr~rlOn5rJTPW zF|X)_r{wAhSVmcWesOuUoty$ZpfZvI<{iEwFCH z9mh}}J(z9gX76cI2Q?uIV@cUEKJVx1aNI@W2i~HuijmabTGDg7b0=-@o3Hv`9?W82 zYa}NSfm)e4N7H}W=j1n;p8+VMGwVP0W*BuzJ}2E~nfiP? z3vE=Kv%B{~_OAKo)#)dRv?IA@;2o=e;t*EK_Q;FOw zExj0Za+vuqT(GF}q4QQG!IHv*Uef~_XLu+Pjmydp^nUS7>cd*^? z?eJ0%e0E0YJZy63*8Io%+PYbQ+)|?9?{Zd$&2g(`$VTkBL5ZwK&mzM5YLwKJzlV=Um?p{c^efzr6 zVnkVZu#!Vea1wElfY`$TfpzgN{#Yr*-xqKgg_93yZ6i~;k)K4aIb~{&=qU7l;cyW? zk`5iTSX05GPd^F@$#RFcUtIs=n&>H4ySz^f5oyZe8nO=5LRLmbMD>1U{nWkjdSJzKRe`S7{qXCT!*?pk{9q@>uxB~asnhnlWs>x8aB`C&-l{SalA_ zhq_2583|mbYg258iFrNF@pZd6yg1{q3u?LIf_D}Iaa(yUsyVq`-t1W(69jzT*QR(t zX~eO^>oX%@g{RdOmL}PJDSzpo-`B*E9IsUg!h#8RYg!9}+|sC$(HfAi2SRtw}9&s;BSx{Nq)B4@iSUl3Q4wVV0+V`^f0Hii=Nk zhS%|6{_-qQUL?^haedUy4uc+8)x#~TsuYKYui%cr0XNldM`{^|I<*FOdHv}~}4 zXDH!dV&LfMGSe;YpnPjq$W}i`#d+gZFasPMt?EnsilH3F7-g>N(fg!B*h35&VmQ=nH`07ZMLyh*y zSnC^LzzRdovU_WV@pzbl&kIXeMhD-1soM2>FV?JqB#^nDdPeN>C6uk~anUKb*R!uh zryP8oCV?bfTwBsBvc(M3y&F!cBbo=SHV1pzu{Fa?+BIg@SRm>-l!)DU1jK4RG8+=` zNCn*>cqDFQjJkT`H({s!xRZ%u?QeyPU@HxNC!y?Dp7S1pp1uwq`L4z^l>HsAP+3*Ocr7T=K`0wAxVb~;bV@YPRr{%A$ab8SO#umi{2wXsc&tK$iRjZJ zilu<=KxMBcJZrbtRMASAd9!H2J6h-u7G>8J9vseq6-Y4vV(w>hhCvkygE8%^g1R$u z5cWOq93I`%5_*jHRg)(b`q&&YFLbmK=((jCseA7s;1I1Lm2Oe%J94*6SN|iWaa`s_ zWDD!W$mREA$}b2fKACw-M~%sYX*yD)K-9Ik&#W}}33SfP6UrPe-YuAKH`Ig(h^6ipA?$7U0V`ifLSlcPk_6h1;0=u(;c{w$-x3FAy5uu;Is9PDa7k-jRM&2# z&3N+B`8fmQORYWE##FynuY2#|WgM{?Cw2lB)PG%JgBf+I!~NadSu0wD-d6XS5Kg+& zs2*rAadY;?Yx{{ipduda!F6_Rg>fz4M5NRz+zRZ_{Qfn{mA!_Ux!5}X5}+w&)Ml0M>c;->O6@X zT;p(WV2Bi$Hr4sKhBwoCc))irDB>t6t0iV9CG}KH0vQ3Gu>Uh8T`T(%Y9gyngSNil zB$|Dj8+OXTe%D$5{HjX?;gG#+EhQyDfn3+m*95 z9jyVhxR~&3Vv=Y32h;bUkc#`Z{(XR@80B}dztQ0D)|C?)+Sr0xCV-^iOf7o7cTj{4 z`F`DJVPhybl{Y!KS=n}rF#Rad7RPev9r(_=4<=-jV&HTs(roK6DY|FtrmDNg2+xyf 
zPiGx{a^DNC95#oAp|l#UicMQNmHiiB&FaGP79rMj_PqmJ?~$;u59tP}v@FHWn8#@G z7%kxiXo8|XX>U>}$0bo{R-=;R(GNnXYRn31NLRb`Q%Vl?HNmUJXlp0Ar+@c1h2D^G zKifCC`r36r2BMn}A}UIe(kSp@`ASxWmU1{v|y~+@>c=m^R@NQt6V^4(7s> zky0J;dHenaeCbwyCZ8`mJ<1Y%Z!!}GOI{cK9E3ToOq5!gK!0;mR}Pjkh6=W0$7ZyV z@SsD1qAY3UiFcXAuVh6NE56V6+&gyv6NENp1SK|jvi=vo`LI#uXkZEaJ{H6VTO|Dt;0OWzG@t*KqNHSe%KjOQn54@kIe%eH6{&2_;X(}e+ljdG4==~? zuz+cw_Y$ZyBiy#7YTmz4n_N-gPBT!zl?3G7oK4=D-SO$&B|$;KUEBJ(T|jCUbqlLu3XA==%frlcHT&)a&B2{6J#d3u|0_`WC)xP@gjm zboYsBn;>zGvvB)&5;xR4`=aAGEkWK@->1_&mdO(kst^%d+gcmi-+mjvfBn8wWt2P+ zVS2&3fa0IdsEmpdtE{T1k(#Km;6~`&%EE0p$2os8m6aLx=DAKFa3@joFNORc#K7_~ z0DM~;l-i+_P3%A?fIa4!xgfA8r=h}_nj>cpr*S=mV-a!^3Q;7Cznh?;{FLfq3le5ky2)F|X_@t_6Lfq4F*$Ejt zMguHHa4v`tycL})wx@J{K_zw-qY`Wt&fnInUunhctv`{U*^02@Wo_bdZ%2^|qcvMk z^jXl0;bO*I&pYNK?7ewGp>*NZ_W%7iIN9LNhKLBNn;|Ic1q0)R-zJYf)TYa5_HXWB zy=!8oDix&QSH>MD4#VPq(FcN9bG-jkV^g$7?|PXJ`gqtCU%EHy682|d(};9P@Ax@-xN~Xjgm!fBi4IiNIg5JS5?+68|FgX$8dJUH0f zGFHOyw(ayM3YuCo`c_UQB-Ih|ygicoqr%R_me!`VH6=HV0NbR6qjnzbvyLOY8(mzy zSqIlSbzC*7BRkk8qEjT64GJ?RE!ne{r^gxTs>@w>&#pK*z;U@4D`EPw1Tu6)q^_70 z*v-;eS}PuDv>B(BpTV6l_;5~IHhz}&DtGTRy&c^Q2M4=LBoW?PT%>nD_pB_5A^N@Y z91Q|TF{seDoL$~}c5_y8cZ=QsgLaIfqN<~(smLpV7%{$C{!O~pj`{?Mo<69M9lS9A zlVjvH<5WwmPx_DK?*07oEv|j#^bK40WNAXSH9}+z?DXY4nd9T9y%URlbc6mO37l;u zHx;aqzTLhK0yb%cM(Rb@MbzBmBQVbcCX5-lu)gSddSjS0XWG7wbLN#SFI^>6%fsBl z%K_cUQY(qNEg^oG+7yM3~z^C5zxcaT^p@^{^K>6S2-{(7y5O${AA*8%OI zg#wn1lMY!~kdk3lSY6mpm%&&EXIR9i@ogv%^=w($4ceHyEN;S;k;KR=+>0uB!qX$t z>3?ab3DK)i1RpCDEw;e-^J=pffOl7jn<~L{?#?~M$RS5nJOboyjTmkHq~>}m2|Zlu zi+TI8!plCr=W%}P0tE}PVZGR@5@LiPIrYjuR${4=QNiV?G& z@w?+R_u1F}Kl<7IE^o(Nuf{3dgWvPm6~AMIEjOG3STGD{r5l1j0}@l9z9Rg!0c|(K ztK{lpoaj(`L=QTbL@!5(SkmJ~Iox5wQgdfN@;MRn+4!DoC9ZVa6Cqf)^zSD%Qn8l# z1JUVedsAl$86gWQ|Elb%xiiwy$eGUGR2I)Q^JcLFPSb974tAS=B@N^7D-#JbyvBkv zX}5{1?ERnaiBkQj14v4v#{0P;%tr0zFpf_A)=8v6haW_~pq0PCol{DEhvG*L>V2IF z%s4LPWyfk;EQOFqZ8#@Gjqx*X;2&$*yRc{mFMh|Tn&QzJqtVQWw<5gcwqoe{|Mi zgq75^jCj2k9S+y 
zKd+KBmR6$AafNerqiUIkHTs=$87a$qBEJ(Wogx)!K!dVt>C4YwByJ!9o!gz<3=-Q$ zYO2Z|+C9bFVtG)X$H8TSB2?x|FY<$X-wrzTaM8EHcHcP3Oe+{adxQOHk&=)gQVeu6 z5s2U-R)y#DxyX=iDwoi8>6REB>g3WNx!rGTqaU`X$;Y(Qut9#a2{>q}ni{G}IjPVD zL_af6?r{ZR;T=kL%|JcPIjGT>RQtDG(5qcIPZ>uy>ntUIvW&@2_T)Yq%8`m342WDZ zq?w#5NQM}QYf6iG`N&GVZzlg7DgzK+D&uZvXG@9o_xWQEP8Ux%Z>U#rp0v=RxdTBZ zc4EG|Uob>qH-{j2&&n&;a!F$FJN%cu6Z80)&_{pXr(;k{*i@-JqZ|2ceK}KfSs(&V zM7UGqs+QhzJ8?(s?H6qm(4zB!;O8p&GqTmj=@2^+ArMy_;O7ElW-nMPWWjbJZ}?1! zK`~^}nBq==kQ@XzY&ex6-*n3gwN6e!?Iy3WMESle^Rhj(sgGCY@@f>m{W*B zOJaeUH{rm~5H9^4Icm?491)Y~LAivlfUPsqtwn)(h$(^Uv6&e@tg<2}u_BU!M-ZiH zvyp2ovQ5dc_5=1>egDXo?$D*M&_=Dsd+ebRT0Gp}HCih~|9RDV5!-Y48R1kz$jC9i zzd8N)L@8;|dnffOP8=&E*o6 zcU^44XTd#mJW$$3%-X1*TGjphdtsxGmUL!dAzh+g>OeF}@Fwe-m;GW)(+1u`ZkUWHsK;h0(A?TGl?&A( zD;ngQRE#)W)?ePfvJYdu1O~51unOVQK2HZUFxD7B3mu+)fYr{qY)I zPEeIcO{X1Qj02r)=SWAMATzoIXFIyloa7z`_iVGuE#FLd(A9w*JYL^I<2b_yt*1P> zQ%FQcksUanmT>gDAQ98Fd0*!2Rwf(b_-H4t9PYTJ0k0uQcsBPWJpk_Ir^1Z>$!qie z1tyyYj3uRg_XMT_hD1*TiD#@Aa$Vs%|NNz+G&gweiYM$+F7xV=;|IPN57YF7-jd_~ zFkZfFZUf>?I$eFSi4M>u7p=U?JDRshx0R}8`=-3^Phg+^%3UG^jbt(aaE)wQTS@fHq4)^~uP|Gx7ku1jFJQ zo#gq6MM0)Hkf2OQ0Sj`=!qB7G|1a7iKW)&9g2ByVFvMlta39=H#Lih7NFd?xH zFI$3yq*}JQ4~M5cSR9vx5wTZ}mR?p?nl3JByPLi0*xk(2!o#+{tIh;v1gM8?`Hus> zioinf3XjXdr2e75yY(h$C@joEUysesrnChM$keuNJrW=*tDa_UCD`biIMiWkIH)gL zeli_R?oQx{5OY52@^RGjZz*yYQxe}bzoMxe-^F*dNkqZ+?0}z1pGqvKQ zDk^k%h%W#i`Bm?`x#qAb%c*;76tLd@t5lNK^L?!6>+wmgk5(5sW%A4doNsw*k}|MqLx%PEdqrI0c$^i!209G!Bh9xQMXCv!YV)IIz=bLsnEp33 z+CUwuMb!r<3is)TTI8Eu{nno(O}Ci!V3>Zg#tUQ0VT_-cTZ}AIGg``fqw%w%NTPf1 ze6`5-yP>Mk3I+%ALw!GQ0;X*h)3_nm=!A7fP$|rnn@3pA7K5k1+3qyUS~S+dqrL1I z!s=z|4dCd5hgXU<+MivM2j2b7u*NMXZIt-u(rm|QXY-RdB+)uhr*B0S{<`?(wVmAc zFj%&T;~~o4=xEWf$^?om{32mtNtIeQy{DQ5?5INZXz3b~OSMBfYn>srz%qn_E9UhF zpS#IGZf-`NTWCk{pmTU@cXM1q)H2S)aJGSNUvTndB9!sGfXz-6K?Ys#5y?^u?O5_E z`s{_Ufj?bniLC#Y)I=XW<)v_#(jeTP5nvUoN!>`uCTtf9&A5!a%-;c`a~%>?Bs7{( z+U~c><}L{282fHEruoLXCSE0I3n)2}hj*2|{~fhSz0zAO^6_>`R@rH);!D~>H3*3+ 
zp~61O(0_WseTJlx#zUIP$)2Wim?vT|-Yi?wkk1i>5Hc7v@YlA})=CUj=s1`xc20@<4L7eWXir@lIU~IpyJ8)t0joixIcCRNw zo(>F*|5!p;NO>6-lM>ZKnU4aYpvY+vixHjCvE*kGmI-W*fyLfm!cM9BaTXTLbkRcE zl8l^&DttY}f3#(?(M4+&mPrF$I*taLg-cKO4&GuW*CGL0NDY`~oLq5cjZRKxCTK?Q z_ZDnh#^$z1eK)V0;0}r$-{&$o%1-;kdb=1PBAx_?-Qv@%$vBKr&=Qn-rmVzy;G zJ`PFf==&52>dX2!2b-=K)0k_LI?RQ_dN$u=VXOY%;jl*P?_G7X3v$v}ECVDE><*Vv{ND%`7D)yC zL}-?@90UnGjWd2ouqzh0!X9TwbgWGig#z@?i8Cd}l#N*%3OF9P3r^x&S2!Hb!t^r) zJ^D0WwgZUW)Mp!uFoDPq@iXs|Y@WghJ?Lh$ox%VQ2=OXuyR{y9pm%N=_7MiiZHv`{ zneftaVHfpDqNmVS;#{XsTzyGiF7XBY@3k(!;BKq2jDCaELz2xj-KL1Z4;OKAbQ!!vhFycb<#&UWo zmZ^N&l(qPgZql95xsFN%=?rrF5-b$g1vP)^^)7N$-`+Y|J^sB5} z+xOey)vx26mD=tG_}wfY{UvM$m%owJjvGmEhy+M4_f9r{jZ)G z1Bk`{zoJedp#1oMrJnx(+cc_$=q4y|15)>hddai4v-{=#SE@<})QR#Rhc)F6eQ?vV z@w+75ZrHwIn`#l;F{~d(u1PL)nz$*GdWvQT=p_G%H!&R1MRY9P_SdD3OePj49uAu} ze0rpA)O5c~7A%5B^q&CK-b>M7mcyjDtmNa(ox`2I*ZJM*$Vf>=ffPs#IOG2$q?CZ& ztrcjeg@dGDU|+ehxwEyi{@Y;sLkztPl$@h8TQw~m82>vqjspy=wu}eUglT1E`9#DN zL~MMR(6^-uwI|m{|7o!DU;jHZ8MnWt+fq`J1$^IESGF*=hof+weL5R(|KCAC;AYsNs+UWt0J!$GX4hkrtb%d`rZ3uY2|+=RGE-!L1pU ztkiHZ17Gs?P@HAro@GrS%J2VNsUz@j>zDWc`|zLA1V}e)mk%_l|09_7KYCgJzneh2 zXhkhwT-d;32X6L#5-zW-a7j-WEz|#xaMzE)2@jrK-^(Lg=G5%9oDaNgekGd4*qr|n zvx@;u{@c(s_=C#>haIr_5FOnHPv5J{ppVg$Wi)Qc8ZJ&$=fg z=InFY|C95Q@p#*<{J(jHbcN!I>{)WNu-3bAJm9 z2RD>oE68T%^MATwi7m93=m`+=I{GglmE~_pepK?KdjH*b90#B)Lij(KF@mxGxkUrg z731#3z?}cT!rn5dj-cxnCJ@|$J0!TfI|K{vF2UX9;1b;3-5r9vySpFU?ci>gJkNXU zt6Sf#y1%Asx_ZuZ_dY$l*WP=r3q?z;|KSMxu>mkHJH*7O$#Q8IKi$7jQ>T$Tch z3IQrzp>U=|rV&1I6DCuYI<8c2F=xVTrkvGesQ5P?`(yd$EFZ zOC7p;3&H&X-p!^)bDP{Lz6o(DI&DEW>D(b~-|77&UbT$LN6ud?U$KDob?f4L|I}m~ zJ?J)xqUUdEK2gbq=C##&zR%l~c(otsIs@l{aLMcy=ehF=*TEupl z!57erO+9x@A{`v+S?DVgm?g~tBb*$Yd07yB``iq_Svo-t3t?)GRgibP1*?6fe=Sk? 
zIJX~Q$$Uo)bvJPyAmB~7N~)!yfBmju*u zl`UTj4{adjG#3M-N`uuB*&`gt;BL)yysf?b#DA~jfB6rO6~)c*I#=$m!pd@~a*@`U zpGSz#>yZ&jh`3%I^xZU-2A+ zn~#Nn+C=Jb$e8$NWY3-Oe?}A1yT@QcJVYI&X>?#K z@JhlPMn*(Eg4^!C{J=@n>0221g$Mzm^2?sUwR|PQCSvkLUHzO&F4Q{zI-0xoXFLtJ zpQRLkEQ|!p(}q47U7uIsN(Jl9u!9}uuviZ;LY#*w%c?b}b(j6@{OleU~%RolNR9{mgQkPmtaw z8(e}18G@tU1vJ#o;cf>ifX{>f-C~$h#duCKxUSFAlu;{xKeSW_zwpVmW%faGkIcS! z*cun4`*ZZI&BsNGHhVR*;^sy?hIH?FT5y@z#&%R=h`1=KXd^^xe+@D0y!X`4OWnc8 z!pUg{TdHEQ)JY5$V2C!Q1O@;*>~Oc_9N@E;$q`v7ehPdF#F8F~6o;8Q-0>FF{MCxJ zANP$=gl-0yqZHPEdDc_DC!fjKX%_h|Bazco>9cX?6Zk5~94eu8LOG;FOR>?`K zlLo|pa4A3bbw5J}%}{>QvyD}YOEzpBsZ`G%D|a)_nJn2okJkMGt+Ex~-pFY-VQJ^RemL>s`glpY=bx;3R2w0i{RfC`wLr--A0! ze_ST!??&eKvS#}hG&aZ>c{r&5R=xY0X3d_8G4#@K)#N2b@uZla58)oaL7Sf+CJgTG zB1-O0xR82Av_i+Ife43FhBaNXbyeAr!P7~G2JO(ITFhP|I{Ycf+J}C=V$A!=OsgAm zD)Fo8Y|uWMqPGj?cy$+ys7BV1SyJ}dLNU%T4&MDBP;$jafD+`|E8K3mH=T=a)o;eB zA^N!fOOGqozs=0A25Pz4a1Uv@KsM-fOro?OpIP;rhL8f{XH~hp41<7$q+A)nkCKGE z)X}3YNBiOvTJ9~=BCh$N1{Vwgd?JncAk`z~<*eC+0NEgIIh;zkuoF&Hf&{)R%jE(q z=fooLeMvOaYUpo(+bh)rnGYA%%?cHI6*6UnN>usZTw(|j{c5$ zJ)5M_{y~?|bnZczseukkx)x~K&13LUK>wsA{8jkX=l40v@o!sab8T&NZHrW5xil0k z8sdAK+i;x!LnAiei0f}bY}nsN4uF< zn`qLZAldiDc~Lc#cuO0B8_C?q%ih@#f&qLI%M1;=9(K@s?m8O4zBC;?sTY2TO@`0w zS2gVy-zb;~0XKI=+D*yLYhaJg9T*c-SbFOcF6&+U69vMWS`@m3j?}?0+f}3(?iQ+C z*JSu4;($()gr!$5glc9$T~lLiZG8~; zZ~u7esCzZcB>-}>`&OUASQ^glnkFi)-#6Y8Q5!nUN#xu>P5% zG{*okJ47ft_^vi6WvzAc8fBM2J0A~6XMOP4%(x7W0TrH;G39x_@lj$2kMt_$H8yQ( z69_YcEGxZF#5%a|a%yXXkN1{vKV#Z`6o`^Jlr0L=bWbjM3n?4LWbr|go zZh#SWcyVJItt8UTp1SAiK~Jb=wFwbExPN;1{?PB1U1s4|hxXH*_qP->al8fCZdX!H z`Wj=oiWf4drElLh{iB$d;xLg?%%p!c%tH^- zq$;cF<)9pX_+`fL33YqZp}fsEL`xcN!Z*B(&abx#zNCkSsGoPX(e=LaR@0@I^XYd? zecAOm7p&&j#x*-$0VAT)TfHT?t-YJy{CIkP8+x}{;_FREetgEt_R$p^5^hp)`t62w z<9yr#?eVp2`EfKEd)#4g`%7BU3{D`lBO)6KlHOp`;13{6J>&?}TmQvHO7qKGYV>uD z?fP2(_rp9fORs8iV$~?8N#S@)2`jIr^ZQDfa#C-vUmP zkYX>tGa4tCg7*)V4PoiFxzRvP#&ErnSY78YEX#eI>TgiWc{Pr;^?j}jwS%>jpy$HZ z^y;shF|0V8>3mlk8xI$)q+bG=A<+0{)Oo*p+DT5TYKiq_rEtXS#Uy8BXfnD~>@YO! 
zL3(T;hfS;$q+{$A_Lls9X!F)+puvBY)*OJ5@xHQ-(xW)6ikVtkYKdD3st}xd>A8ZW z3=);in2LsR>N?H#SKloUA&C8TJd#>yP1)`K#eOKdFHU$%9PZLmIxUEdA}KDA`@kJg z(X`~19MU?HsNlLd9EHG{1jm!1B+$ycw4}~7sgN!ze#%z!`O51IXRD~;WNjpjK1(lI zARIK(*p(TM4l9y}Fxyj1Eiqk*u<`8gVFH zxS$}O=20rmep~u@)+1`!zdJi0Z!~H`HNwR4X6E7C@;hC>tRS!L{;Yww4w0A`mUOkd z&{Z5udM@@vPW>+vE)koS-?&FEhi1V}8Ocrq5dT<4V$0jWE0^ zglivElqB5bO+FdLVbPQxNr9yoUBVR>7Vgvn%DzkNiia zK7t6kV_iJ+U7 zrcbxfgBIVrL3>l#!?d2vc}2#44i>+~2KdLDejiN#cqXs=wvwXILTrq-%|;gecNM&g`C;Ok&r}J^2rQkyTks(YY9MwMFhq=|&UAFFsVbn90 z(zXv$ce{T>O6Rzc<1=<9H_xNm;v@By+D08}$4-V!VysqOUK7jpfRIyT6#3q}zqvo$ z1sQam8(%)D_$*-KWi(c-``_N7yPoC{rzqa}J986%ejOKfa~eRkZ)yK){Sn~7sG5l$ z#MzA$yfLhc!u{I+$+f5WbolW&8ZKHu*Yi=E`RH+;Y!fqAI&f z@Kd)>aZ{J37a~I3UH9!*!X%?m`ODxWUjl~TU?)`uj*D*HVAQPJb>T8K!P9jZz`&<%?F6_ZTG7{0$-1Qr17A3c2YC zHcxf3x@R8+bt7!+V?Q*pPE)3@Q3z#ge#fjFC=SGisuUC!hOqbN*#WmosXmmw^b?eux*e0h7EAwj8Xx{O_`3<>%*Z)Ytl z%%fw2dKMkD(dK>ls~atOXhO^BdC~5+Lx6Aiw725nfPYjpoK>8Kt%opr{i69veChlz zI`1sDI(_45!P-9P3QeG}ndk>$i}%$)=F0;R+%fISX;93ttT?=Q?fm76ES^HrKde3l zZO?7)&QGqSsYwb-tRmOxaJ}R37~}D1qxivbttr4$($?kg7{*pBUznxF_QeGE>5DjI z5byZfN*Y{9sirB_2I#xLK&l4IUsp;rLK&xoDU>W9NUOm<%#X4{!_sFnzQM!Q!=($b z>`pmt8(W@=TA!bJU+zFfCr+Zy1*Rel~mXQxQ?% zB7)~+ZVdeVOTf-f!qw%Iyz6?E!ttpp{xzg+r6Q+li8KJ5LxnJuF$g;&iK*OZZox0r zUt|b-vq=9!?O>pxnxU^Fzjc~8Jd8s*Mo*xwnvDwJP7Qx8_TBztMi5z9fOR}Bf4%g5 zV==AlTXk^5;luF-vMNS$D=% zEjgW?l4t29nL46L_%=nx*`LRePx-lji0wb9_#a03|0yhNINLAbS2IN4-rn8aPE>(L zHpZvcOLmml%_ZxC8XNbl9Id|4C1i8SzELxkinckD2&ygJx43t#SA4suj(E7cjgHiZ z#I4hr)XPrC$Hv{{Q`KHY*+Eobg6$53u4<3h7!SSQ_fBH(NC?!U;4}>GfZ=550%vDt z3@o73vxD}0S$0BwUPXxORp5DN`*n=|O5ca0jl83?r-Stn{==sdDp2?^Le!Lzdf&Z# z#bnkD-5^!Eg2{g+`Ib9S>__Yv8C>S1l``rH;SY8JE`JMA}b_V8sb|%UNQQ zR>YCk|6-_sj4JlvirXN25dwIm=`&%XOjK;siDd9mWDPvDzfZCpy>5&)&WTP7T2MjqHJz= zu*`ho_deWD-SMvWNbqFmb~r$=ZGSVz021&<)f4zTMvfFX=*(;^`RXd;b%^fWM)4>I zh^I+Ao%=(m8kIXJsm%|Yx?vnQL_-KpT*+D{=6k{PuzO~7x@W3-2 z=@O1csuQkXO*+O(R)HcKbezY`U&xsqZEjQP~f>uPj*oO31LFZua7Ot*}f>K)|B@OzZbvzd-DS2HP_|jX`($G4F_YOGb`VQf6ma{ 
zuA^kH)4@-eN*7UJNarlAg(=3jN+gWzrF(m+m!<_$-97k{jHI9AaOfyk`9qP(k7%SPQnJQugf$$%HzFxOOlRWt55whxiR|C&S?TGD!b9|7XFFVSiLNu8D zeQCOJiNVb{DqoV2(DFRDhqnbUV^8xMfA8C^76F6^^I-D)fw!KXjk+Xk6apArl?q1s z)C7K3^PMRpiMR8N)s{XEiw>BY_T@n+RG%D@DSG+pGH$JQP_Q6N^tYsWus3H_<$Zts z$40{8PL*H-pR01c(3)-3{nXiV(lDFB!4*0!cbN^gzg74XkRzX1psn*Iq}=|wQj0at zS-nI{{he8t9xIG9Sj(fN&y$*BM3T&sl5CoxFw>JbZj4n7 zqiS%o&0x#-m-?^HI}PnqZu>g66PrC&-NBX2VWd&@?JR@=QOpKIbnZ5dkZO7fLa}p&ztjWGR9x7L4Fp45W}yqmin1;D_}x>*ii<6TjyzeG+RLWlRoXPa4Sard8r` znvJ2}ojb`bSTqqV=v?h};~uehD0&Q(aqyLh*z2I0=YJPb#BYFOBbYf$W}>`)&v3TF z%oKuGpATI3vnaklrfkB+KPZE8fm*9S5#pIYrge#5D45~0QiNwWW3^1w9NBh=6PMpb zRrzQq$eg)yC=#`0KK|^XR>@kp7-2=#gX5E~Van>2E%*G?;;UZIeaUAXtiXl4gp1D- z|Cv5`L@Q8jTYHq4lWH#8_4G|j=hCA08CvBugcaJfp+bGS@3YY zytUi_t~d@kc={nHw!4Vk1kLyiHwn_494sw-PT_ZYmel6LSzyV%XxQ$`aUr*D6x^Cp zTHN%AYq^`mCsFSXdd`K@Z_oN@tHhYxSE^+6xQ3 zksl_oc?*1ZblF1*DLrD?Nj6&gV38@p!;R!CsEfBa`+m6OjGilPtEot zMfef;uIV^WBCwg0<4d8NdqrUMDxC4rM-iQkUQhdN==5Tsk)YgX;X?N3>rT7cPL%*5 z@?#x9cWC%^{PlV=HbvB8O0p6JqAanX$hu@CSb4CaaF&~zV)zb-ivBFv&DAbe;MsWg zpy0xK$cL)#Ugc`-p-h|nHC(PkO2Apm411<|Vs^9;p%Oc3!(7?>N<$7{?3?^bVDiJ9 za^GdPb-F6q`almE_q%yF_C7MiX^}n8PZ@g!3>^{~d%`b2gKtYK9$(!Hl*@a#;+@Z; z0<_0O!tPx1%^Oy$9pJ(VD^A`=5qwH z${k*4+ubZ|ylvd#$I;HDv6AKy>h}v4=tmavQcv1vRb9<3L;-Tpd3lWFxlXZm&GMP? 
zDFQU?YZ$ldgYDgr)Hp6vUHXZJaRiG-2X_@r5#$3druvGWLnz60d~AxD82CD~L#Ri} zlDj;X_1|nm0iR^1HyA5Dx^kY`k78I2C@XO9lXiJ}V3)SbA6*?h9~RVFmyqvRx9$SB z?r&o+r7u+rmUr%__nPZ(&l{jJP?^@gimiq_K?=$jQIpSzZ)$?jft#4T;CEOh7{hNu zae^>7!}!coBtLEhktE8VGhwJj5iO28B!N{^$RqqORt~5)d_1PhZ59%F?4=sZJ8@}b zjf)R5j5H=|;Z?zUp%GH$y%jME9VIBl9{L3(mgYCm)`TQB{voW&TqFRhzli5^Mu}tQ zq=>xuX*m+?FkWPQwEh>W&Q$u}S)MhGL>zd6O#W&P(4cjk*TJE+(-T(pu?ybIEXx1l z(LM3izFv90HxHAROr?x~?@H6v1XL3;)Qw$2w3IH{Jn$dziat31#?W%1^8QW&XLBPq z^woOK0t1E7D^opi#rWIKi=+qF=;#;&+Ymt|W&Y_EIfLyDj1ySw3B5@fzJuUII zh397wsqdf&xghv}?M9{Z372p6F8JYOuvGIQ31Losj$@2{?fX=c89LJ0*i31YMe^f; zb+J=fD}mHfTV{-hVGSn>)q$9Wxr)+MA0+77RZJ0>IEHg>Xf(5GWY41t3%Y~$M&Znb z1G`wiPl}jLbJ@30g;ueF(6QR`2iryh1KSD~Y=!^>d;IYY1O^7?ee{?uUs;0JBX!nU zZj2=G?&O+bLSS7+LqbhSd23-aRzbMoIfm)c&UWqKD*szh@rk6W7pVoIJi4q(4+a4a zradX+BjC^_?dZH_rYHFi_@p=x?>h{;#IR)j<5p!IY?2s{@`y|v0^u~xbz z)KUb!nO3zcPyrnq+b-Wi`rSZ%SMPU{qkCA@S4c=;iP#vTfW~H}!Gv?-tv!2mf=|7+ zYURiiW_I#Wk=E&irAF*WA-y>tXxsZyarkY>DpN7wCrPY7CF;~sttP25@CeMoDxrWi zeSwzyn90QdLFa*A0wYiaIDKXWA-)p3t^4&fbp0VJ&$oR`_GK}wK^tbVFX3QT1+0n9_8JT_Y3DOU!wiqfy zdE{~wekqk~bMZ>`kjq3MM9R{^Ex1Jg9P^Bzs74)xj$tV$E??09X1}x)fY~-wlsua( zQI8?gYwFXkyIR*jD~yR~ZsK6}+sWI!Z*O&ncM$F15Q{J##`2W7@~-1dfp^lH3xYzq zj|;v@Zi}XJZIO;pu4HK}Rc>)Fog62%_d9(wVswNoABH)8r*7ac{>>RhHNOST@qqW< zd7JCTxe3t&-HYxOT^Y&!S$NI@4O%D}U`(hg`Su5e1h3NJUv3?j;oWaeVw-2hWqL@W z$A)V=^i$E_pP`@2W*IQ5EOO3ewtJVcEq=%KE3OdWK6+_sk>x;dyVMI`_cDS9YG`w$ z0b}~AjH+^=V<`KlTZbJerGa8prrx)rEepdx#*zC{8KW>tfH7mkSp(aLhgiv}R;Z~x zIR@fea>x`jo%j};)NTs=Zz+@q_9lZt!9ylTs4PH4R8$i&l;P4L`2LoSl+DbLYGGQ( zyBLiI=1?45L56Q%O^Rb92NbBv<3n;oi*M;R=V{m>4RQEFu(M92KYjuOrjMD*laNo~ zkr%`#&^XX5_OEhtYjE1pz4<1s^HcZ(MRK7OJ~M9y#$Ggr_<)cP`MLpZ@k^K}ON_O( z(~d7Y3%zb>K$8vPyF<_S=nwA$&+Zmm*&x;^nZ%+Z3?wQ9c7p7IZznz`zfX7jwqt0W z`gP5>2|)~INjH6UvFQ8ni(Cj1Ma|{WC7#myiqcjJKiy=NcOY^hWMc-#KRp13sjpcA zC>b-XRBUbE!>#tbdEABeZUa4JhPz&eny8+_Y4eAU8|`8CxnK`veXbVNM&wj72E%&} z!MkM2g)Aasj14JYn?CLbR=RU+J6~x_UGzcTC#8?(eslHwu3TsC@Fs7Zn_`#Y%5ru7 
zb>gXMYL0s9&T^V?N_DZ!;aX!UZOMee>%SK>;Kw_=Y8%Loq+z-gSjt&WFtsj#=Q z{F6__B}g<5n)Ci#er!t0+H!7-6VRVYL>!KD13+W8e2}NpDO&2>uw~@ajcImvtJC|G zo?bgJB(sbQOPPDr*#;-|RJ#SlrxR(|R9lQ^3+$_iY)ncb(;Yd<%s!$o?UdV|z|4ri z+qXt2(w3>pSj20%iG;*)gDJHQw$^rAMhb2lHR^99$Bel8Q7q1)<(P{ugl*GIi0w&M zhD(96+j>Dt-e^-IeRef_gQAh5Qn~V)F*DyZJL;HL%WY|4t~jwYt;LPntxc zDzSTKufHH2KSXW1Q2g~lDGQnY;_r>g>JIT(>C26==7N$6SE}ePb-0#jPXe&@DnOi0 zfIy!AhZ7fBG-_Vlg$(7k0H30c{0#XtsEe!f8qYXhGT*(3n~l3rDTmFG;uNiyW~BZ& zfF>5h|7+&PNxeLES7^K3bTdaPTk@3W{Q$?8!znMfV~ayW>0=^>g9imV)m>@hv-J(P zUJ)ftcdSXMR)EdRB)#m+lz_NMcAX)8$-OB*Z2Y3%aR%3fvUcZEoet0wLl!wGZKop5L|>vTy|i zfV6rr@q1M;r-B`-)l73!9AV^n=SJ-jgG?e~`Z6e~u7m=ZL=$9JM%Z?bg6mn82 z6vK$Bf-^=Jk(E$Z*cDWA1CC7P4MJW&;Wm4N`m)}ho8eq3YAWn`2E4AWF#K8TCNAsm zWNp60k$j&Q3))xtAy0q-)$%yNb6?jDtFi^HtqF_vPW)bi@7hJ1_SCCX(}#Z=>#)@q zdrK7X7<&!aX;jn=xSJ96G5-$yvgN<*f?YY;^^8UM=tkJIuT#<3tW6QV2Jj<6twqLtF*mXc@ z8rrV6eVaevIoPCyQJaMtG9N3wd*Y-TGi`Cl@48Qc!S4ub!MkmK+qF?a-_MZ+FLcfACsUW3-9l9 z+fJoZFP(&F;jNM>6{f}?{zYTvp4ZeG5FV2EN0Hc?`%Q8Zt#c)p3^NP43ZIPbEA$v3gHLVZceStUyEJ!TDCsxibyaCeC6uH)p3S?KO( zkdBg>WT-f;w1aFC9rs=9*-07+H;NrSsnH^#1N zf=y-%LVo@N26lOTHD(9>d8U~6`**qg`Dv|SV6W5m$N(V^<>}HA#iZ-sVC3atswkga zgOX<6YfSIw>E+HnY_5^}5-meTX*8iv+?OUxv}@0OqP9~VWLVRoyzvXAMY3$F_gzDw zFlqiB6z@lfuy+S+pfG3g!slvmyEWz z6Q=Q`M?;QS%TDr7q8F5qX~(YYoK2SZnP5JAqtiCt2U*>&m*|;IYAYS5JUX7uNTX`v zk9kO7o;y(<%{M&s;)R{^&UX-tLb&TC7aFBkTU(_^XvVdildV09N+dLs?;8O za)T4JITmJI6CB=a5iL(UGZFP3Y@G%HgEBA2!kx1Y(a1j$XBKqSG7-@&_{pK##*_1; zA44DSFV%+EOswmerd70LOuUpwVnXmbAZAI}^IuI44j{ga9;ZWej;00juiB&L*qJBg zQK2xQ!zILU6Q5*s73A!soRp+(krG)gFXx9Jx6xhj&1>Sh<9F!Jb50;SqQ zQ+2IYYUk(P)q3;yi$ptypoYG_i$-I27MAvHwf0CQo`jk8xsSsaAD&Y>B0e)Xq=$;S zjp8!@VjBq7_4hN27!GO^WWP;60TL3+Vpg{c%~4$;P@VT}mAwx-AA~Y0=)Cv*ESkht zNoZeT!~ToNnb)G`No4e$uIw^izMv|B(?bH*$ZaC>Zx>NuW>xw|o9M>hZ?+(Rf_MxE z%A83a54At-8Ur42ST9g;CmO2_9c-|#0t>|gUe(RcYL>pk`E50qE;{$J_AaWiQ#NE5 zH3{-Q_qs}BHl8sYr4DM>NiSSrmv}?`K(9K6$e5&{lkiawp7L2OiV#w1B@^ZI)m5|C 
zQlLg4q=U_FI>|*Y45^cnm@?bX-59!g?>FR+3%MWq+uJB3mCGcdR&_d$$eZr&=*4To(o=7iA2lEk`?fi{7Irc8l4He`~E@$U7gMoH!Jk z&i5Jv#MJV+T-w}sY~1w;R2zjrqmuksxOO{watShX5{8I4YNsnuO=)}yUgU4E;V~XR z>TG48nnrLswC33*ejpip#fK%fp0^f57FUsAYte_V+jzW5INLR=AzxV3#~8ySO=mWW zTzoS&%`rDM__8x`?s=Df(FJ=Iq<3HBbXM^lFlTtL&MhIjCiAh_RuH5q+#Wf{!%*$> zA=IpuJJ7gZpTQRh!7Syndfl-rHGPh57KPYDv?wvTky)gZx$h>!r;NFM-g|MjNouSn zWE{J}#Lt@4rZ)Yzyg?AXzwWl5uXXP`aQk{ENoR0%veI#b!eO{*WrXK${Tr-B=;q67 zS0_B&T@V=v5d~Qn6(4kL@1aapU-)n=wbHiM-WIm$EEl&*dp@ zkEXozAvCM)*J7_V^r17ZN)J2e-yfC#u$T-}$@*m1QB!;Wb=5wZEr6n$Ows9QeK=<>CpZ}&AJ|{uAgqgHp z$c70Iy%vkLBodEW4q^NKSSx01Jl!k=ITQgICNip8d+#I>c-1S#6)w3Ml}r7*D{4z$ zTk^9yb3He+oSw2g+vJ;gwH~J<75Bk)lm5gFe$S}cYTy)jxO?bhPp|KqoQes35&z_p ziG-8zf>M_5h>!q7@EMd|dI_X~v##zO{zC&`&_%>uF7r0%tH&;gR}1SW?)~JQ)FuWZ zsGDYWyUOOhuCBNvSAQd&fG1#ky?u{wgS^1x939F%S$SHz^kHhd+8t!~bhqgZc+TTE zt8GGP$lp6-EjWkFd=Lw8KaFX_#Ogn}({0}CKyAaan@wN4CI;%nC^d%DzR)wy;^Ce} zPPwv6-I1LskLZfFRU>(MatJJ7fiRNW`zrh$$c>8`mjN)tMK_7jf4@WOABr96UXt0G z%@P_sAiE@#wx^0uHlN1yAUAP*MM#TH82({ZQW)YBUvw`OA+ zexp2fNizzr^W$~RzqqOH;mn)Mp9ZWQ>7Nq>Ch)bF01T`f`TzJJefxhl-J%3~?B(G9bD+9C z>^*zE4srH^J|E}HQB(J3AKa#!4`>6ffvi7oZB;H?-^;8YY|Fo$z8wGi?tw+I{TEY% z`L6>8{(phn{?DcjN}!I*(v`#B-6tZ~z8H)B^yrq6MUrl}eA>5e4PankpedBBRP>;g zA5m^m_BNvV{1NY-Mn?~0H&OanqLKJ$%uF#X_yO_8oxdE2fJkA(Y3!&#=M(OK1Kk+) zZZ6*|BXPT)F_=vyVg)Wpp5U99f%##lws@rZc|q#qIzcVNia=Vsnl z>eC#RV~${fh;L&D94WNWL$Gj?thp!^290@D8VDd@tma#H#v)^Z3@j{lWpy@D+c(06 z=>VlHSJLw&88QApO}+*<2#}H7RC{|pA3V+(OW&NIjuh6R5ul6^Amk=Yt7$GW4`Uwd zu{{p{cc|XR%~Bd257(obhep+K&IW@wb`;g@BEd!+(o9PuUVu2oFhX9O(sxIz5!x&= zj4{aa=$)?i7~RFy3_LXTfYomuce%01uIgfALoS12Ux9AEyH^E@_t)TllD!+zTqrBS z$(Nx=uOS7UD!9x7Q+LS6MkPjpLPmt=n)Vr&S5!mt-!jv6)DOoD6QDu$M*=T0ca3(@jAeZoVyWg`nKo^LHn4y(?0yI zR%NhLB##9`V0nWHG^AQP;p%+9yvx`3~(@a{T)HEoMtX8%pA&8zK~tqg{Tz3G z&rv=1_9TySWbeLRq3|&j00I=@p-tG#BAY+GwHN$=h%{E-$NWOaS%HKU?(Y#6FIjN; z4ngm?=0_91G@OSx17!>0-CkQ;O9Zkjk`h6MORcS`$z3}7)!D}k^WR-`03ghE^hMxv z2CieUu6?m)C*VN`P%bt4SgXgy7NLF*D_;mIsz;Og8Qc+gHd~RB@m*>%QKm<@)vtoX 
vKiAy1DgG0Rj&twJ#Rr5yhNm~X4vzU}GuSUtS&=H?-+%rWVSJ*U literal 0 HcmV?d00001 diff --git a/windows/access-protection/hello-for-business/images/mfa.png b/windows/access-protection/hello-for-business/images/mfa.png new file mode 100644 index 0000000000000000000000000000000000000000..b7086b9b79d762a82fb37fb21ec2b29a8ecae451 GIT binary patch literal 108740 zcmdqIWl&sQ6D}HF5(t3_VF&~U3ot+k?k>RxcXxMpO>hE(3=-UfOK^7&Zo%E%-OiBr zJ73*Dr*55df81O52Sx3@YxbIpx*1ff?uQ9im5rgc=5L5`46GT zCeQH2i>IFup)ZQA+WSq&y6;`$w$L41m@2qx+^($87JRH-C=#;$!S5qql58a>w_UQY zT1Jqvelqbd@748nz}cb?H;8a}F|nKH|C)pXvas~z(NX|YFBW+n`HpXg=T1;bMM*{F zN~V8rpN+jg089(`0{wDBQ{Kd6FK;B1Y3@SVoVWi9#(lLe}h| zbsHk2;eAdd#D$>Ios^ZpSdsliUQ;1bL@aM;udScm<_#&-)%vy)V=IPp78Du6pprHg zyd}D1OtP{RY;dNT0%Ax6vHrsF;-%YuvJOaEyytt`r#(~hz`v_+-)CA)d%Q^-Yz~b; zsOEHXF%=?bUHG#pXx;f~7pcF~29;v%q6oM9(;X6v<>cAY^3(mGlWX7POZ*3Az?{QA z&f{vXi*DCTSP|%9@LnMov9%!BLz^W5z8ruZXMdI_Cu&p zV)1~Le5wQ#5!7X3hsgQBezkjU4}DAvnJ}FX{*wx_ZViV{NmEY-x9xWJ^B_r+0#)9> zGEV#Qk5x)IB|V4(CJr#`EZK<`!H+%?Fsv`Dm+Ung7SjGHQn~_7c9tQJ!uyHQkRt

ik)5jiai#r<Hl7piYV8Lq z_oNR!iDnKVi%;QuIL)rEpMPDU)`nM&CA$@&`xNj6TFGcaqnpVu+-kI%u(BvX4ckLl z56u{);{c1wf@~VvcFCc(Y{l5VWO5Orj4d- zUqRy~@jlPfH*R&CbBA6_8sL`-^lZABs_$+#?3hGJ?tkZ<`BkQhY{%t&1NSFL{?~{7hDf7TIH{0fq$#^~}FGD(>onoAwAs=xM=c>)V0RW9x?Cz%r zdg{gX@tD_Drn>=S_4|3>?`9ICo{e$@ErSwC`8irut7c(TCG9(#(d-HjXd}B_M2w-! zPBs};%(&$@c;#S@$-Ry!>|KijIppxCBc9>Rn{$k8?kj-0Ok>{WoyVF4OQpHfE30RRQY2Le7ULn*%ZJY%`?jH?f#Qu0EyG7fxnlDCs3N4b?y%psl`JHr z&}lDPH_`&??7)>Xiz1{@8q=dKk&U9tawX8oyymHhVo+vY6!5HI7DO9~0~!XHveYu` zPo1lgs^^k|a!qUVS7udm=UpX9SPX>{d3wL)^>f`m1xm3VLCZ*)17y&gL0Sa>=s2bu zGCNx;;)+@KHvLL-L&&ra2jMI;7BBypvCeoKeZ@FyUOax%VgHo&Zl@Y=KOYFe`d z4mu1WE_EBY7au#IALLd<#BgIV=PvbcFOlxcP0=^s`wGt<|zP;6T`t4z&eLdgZWAdb0$cS#o%)JvmZdzLQq#>pJNBa8;4+(>K6?X*W$#RTjnevzAUo?p=ekq(gAQY0Naib_!uOl{cnq~1C3nt#<7R&C&(_Z24b*Io@oDMqXBkVk; zduuTN7ClauRa+Q}D=#YrRke9!zU};K+BtGTi$?YYD0akatU_05gy6BXP#`zEzhL82 z@eAOxC<_KfU(HvVR}UMv8m_*xUtYg(!Vv^;`s2kiG8roXG9?IbgfCX1!v{Y_igLS) zq9%7ZYT;z0vu}8n&n&(aDHjGP~LRX;vLd?PMSs0H~2?6(@Bb zB(v${*s!Kf?*<9*Di$jK?j_#C5AM&cFY64k(=?YQ5C2^(Vj3=$65(FQyjr5wFxXs@ zwZyjCZjWA)J!$I68jG_#z}n1^W|!5R?TJjH!u2lIN<|epnC^$je2Y)Z%#;&6Of(h0 z;89}{Iwc|<9d9mJ?}EG*5%>$$s}zz!Hrhs{an=PLV^F7Cg71mvhJ3?9>QLHjC3DyB zg9Acb-KDH0P0L8@e%(_x>v*&EP!aGyewgD<$FHlO`hry0iUd1)EXod|-LE~XOgX#? zhM8)X*z`5y@G49@0+>c;eSQPjVe>su*TFy}>V$Ke|J!*^p3fA8HWHux85;pm(JVCu%7~A-W#{(^y{fUrVZy)|K+3?8d%s38t~8 zPr72K;0=GI_oOLiU$<&wXc1NKd>hViH$=!wXSJC$YP%dW({loVGJ8+OR-iS*Zxt)=dgd-7jo7baj_~| z>M?lb*>WKbvSC?uxxPqtVt$+FdeL9qty!l3%2*~oNG;Tc8Of0eNdz$t*``$v_n>f; z>bLm>Q;K8g(zDdJ6d>hl+%J_l3QDbYXN)O5C7aPO0=bcGzKVdS#RwSOS-N#8)m+; zh;$gKkW%K>7c+>O$dLjchuP4=TJE;E?7FwQOfE$_u_7zj)!*VS^nbi9L!^on!y{8h zI`vB|M#GnQ#7nVym!?!qDCSm;)Ht7|W1{;H%W}M?OAs`EdUD?OvKon*o=}$Z?S7)f z;@92LEg}1FQC=q;-vB19g`-P~6M4mQ3;O)b%hUL5Eb?1Lcqs?`mYb>7`!PHWTH_Rj zvfk%z;2&=)zn|N*y6P9r*oMh{5Jz(EBC~FN<8Qf8n0mN5_AP@hs!ax!Pm z-K(94c+Y+Hkp}b*7i{%l*|Jejep|`E$ML%?9_5GG<8Ka+5r%%C=|l$b-fw}C8> zA0}JK&r#PMR-vC<^f3Hhbo3RyHc$jQ+sS8@n(ZEdYIvR^7fgIF|65p~0#}ilQzC!! 
znN8#RWYxsa%$9b8N9qH)I=$%KAx(F@=2=*1PntUs-O-ia(bn82ye8LEgO9njFB@GF zucnWErsx*Kxi;y#Al?h^|4`&Lte5@c%3JdFsNo_;chDB!TtLqZr9CKHZzEc5`bmzk z*{k{m8JTeH$`y2%sR8q$8sW*ZPrc%sDQb)|^s(pZzJi|Bz(wO}fi48GVHIf8S@{Fw zB;o#Le0a};K4boC{U!#Rs$MaIRVh=z{g%yYZ51dg{uE zA|>Tj7kE&Uo&n(6epT!BawjkM`87?v(k)?$#^aktrMXGO8Z>pg=?iT6L)D;7mqR&e z{FZwR(CBw5owV+~rLul$y&VJeH6N)@UF*IwWjhg7*9s77X%>&N^Y3@M9+X7CS~7F) z-t^>qcr);WetBVm1U0hett>{UkzuFM?r1c4eP+@6siI7ui8ECMLu%m_-c?@lSOv>6 z(V{mF+00d&%d%kOs^tnM8T|&4z$Et8#=D1R1UIS}JSxV?KXxqQ8ktdMN>&>IhRbz3 zNod*os}C8E(4OPHPZyp74YR$tqIk?_hE$ajx7i3in+k$I?>HiYGmDbc)P5>waL=0? znzh2K699XD@APlx)R(iVUIiF8=k66tpUGh5Mk?wmnx{yLP=Oh&+S{-J#>U=<`BGlB9lK7h^a{u^Ix&7@EDX4Pq9rLjeEv-Z{ER}b+2kG z0kx*ZoNw6~2Lt6ccTZENve$J@K*W5b6|7n%A;nZS@(pq`_EpPn2ai5NCf}uo zWieR)Lm-w4Y4(KQ=-wx$DR)Iy>FmJueY_uYH$|2GJaA-F{zx2MD#GY&$V43Dl(7*L zg=bFhCQ6gTz0o}a{6Jn}r!O8Q%93q8>Vszs2~ZCpKM84EugUZLAQCesg32--ERURH zRoKOB-kH%Q{mi?#s#$b@o5PK^9Sy~??v#rOA-1r1C*LT+vg%{(6`(eJ)G?8}kE6XW z3+NT1^_l(8wmpMC88)Go?U^do{RxO1q`fz8LL}AB?}@+C#HsP3+vK?-$Rv6c)F9o( zeyB(2_&qPSC)IG!?Tm|{tR$^OY4Sc ze<=(k4bF(Q_P5Chba&v(PnnppImfDyOGdn z9Q5yz&`VU0y4T0tCtXj3X~VSF`2U#5kZLS#l58m==$%ot+byuATQfaR9Q3NV- zzDrUm2GRM7hp>O%kCrgUNKk^lo|WIQKyeE7hWl$gq>F)p}2ka(?q$fRO5UJ35-lzu-xCBES4>@y5=>{Ur;;D6#jHViR~%0dJDCtUQiU( z0t}<3B)IfhdwTESMY8I}CCD3yPrb!UM1h9}~Gi(37ci@gyb zB87ZwYOEEPOhbZ&qKZL zE{R!KCOwThmqTLwnZPI)UtqtM0>By8@sR6rvOW5m_5e4dROtblEfeIriH=kp@BOfg zZQQ+?-9HLVLjmsPKZfruqPAlr!4m)~ls^Bn-{xFo>9PKOo8z?)xDvMVc8vB@;=L7m z;9>>XuOEUiS+@Ep|1&CcPO|h@e92HuS=jL@3PfOmT?GhxwH4c-SpG^vAh73^L_I$k zg-%KgxGUnqD%$T$p@V#?6)ax3JN8{J#-CwlL886oX}Dqe?8bJoeQETZLW%Do;%KSp z>)ADK<(MRiV8^?MEF6}GU&o&=nz7waR(Ba)&GI60zK1~+J4R=}gR;>1?sn{Nr-Fie zN4sA*xJgfW2NfRC1*mw%p+DV@6J_n@p`Z11ttmQCCEFAU7#fx{Ff=1JYAY(&e6;8w z+TrOQY1o8zK(u9VpM?5x=VR)H0WHqvBs5Y~iIzvC8yiO}H{+~D9;Gg+o-~j=yalm# z4#W2JkgcFuJ;9LPK4Y>B9|3zd#{O@SXn15|F6}`yIur6!p-vv#SQLQ_|JYi$s%%Io z9i;)@bj0LOj;-(7Qg!; zqpvPUVFnLB$pf}j&w4$nedgllwAf^1wczgdU@Fo62E5K0$&a0+q~=#!^jUJKEDFUU 
zDqc%C#P}%E|1oUP#lW#T1y))Q@FtL2K$Q{*K}CoA=`j=WTzE8n2sIn)aK_s)rjVJ* z6wHVmC{4anpYbx9xMPkQD)2M$PxAc>cuYXQ4$4XMhmIO{yJ30$PBi+03^c1?iYw|( zN^XOdFgb@YTj9X0JH*88)2jG%GF1eg<3mh|EqIC?dg%Rm5!%E3e)fmB}SkOG7r%De$L!?U=P3g^On)n6*qnY*IIo0bsqO z=Tm(NCZ^Ewj6#mudFzy@22SWN*byG|N#TfsQOy$4_QRx576MH_UAgHq5Gqd`{4LErNc0m(?NZ z1)hFdBQlurmCW>|;FzloMT4K%FPJTaOyu)f6%*s2G-R9qH7@<IG%bb<1xH<&*ry*-aKJB?rQ zRY5TwEWcqo{GQ*{R18@JJVUl9u-gz6gf(O=z(U)=BX{GZ`w#C;9BQAT0Pm|34~Q5R z0hX1gUGYVI;WDc0L&uZSa_u3K53e-QG8seAOB9gPuUo;hS3&4Ho-D?1PXeq6vOUW9X{Sj~NAM%e8J1SDOY~Cg! zh6C)DSi78eZW3;Yv7lmoVaMWFMHGKhu4Q{RcaV7VVd97dLHjSsZ8D-N_tD>_lk{|r z++p=DXoMkG1U)Bq!k|Nsy0&=luR-u&NhU?fl0+?E(Pt{mJ7j_}j)dQkm+2piIUNh!>zMM4e9j|b(1kO3`De3Ysk0Qi*&?J_IyOCyH_&6oCFO~SW~P| z7K8?n{U@361J#dXPuJeu(9We`(&2bE(z9lL*2PIvGXS#=J4n0nY!|7acw?G}> z&?htI=x#9)Rve0n8Rz!n<66ra&e0?pmopi~Lzw~Aa6EPLb+F{`%~1EjmN@IqHu7aj z2d2bf94<3UX9p8#r`mItzK4x)?sbVL8kWcTjHx*r+@0+0IVX2TZaV&Hq$Nio8{&iS zK1)H$l$<0XQif%%!5EobO*0OF`JL-94@FX>X8_8PC5jA#wMEiBtdqOn9<0=$=!0BXQXYch!STHJ@o?O6{h3BLHRv?;56(TZFxVL1 z&VBRzLD0TSY*=+O+q+jdE6M}2YPqjbA`p=3p|NFy>754LA4phJmP1ajIA8ZS1O zaU(Sdo}Mhql*6@iR8sMj*OX4gm7M{>r|P?$7+O0b6Y6Z;rQ{AJtAX$}`h=}# z@nfm?2cNlG3wYiAIL8D(5G8*}oSO=z<5LLxP06Qus2-UIedF|((msDITCkOQYc|bW z$(db|u|J&mnZf3LnTc;v*rSTr%ce=m_cxxQr5e1R%cxXCAg`M#KR1j5B}KIV=P~D) z3ym&AJ>oX#!?>{-F0Ml{GA7$mcUVeQe038-M{kUvxTR`iNBCULl)cV9%L=l~URE<_4lQ=L!9xA&}&(S%<(ZGeP-mNaQ~h*oq*L z%1HeEg}=xRM$-~S5li}!5#uTNSu^)hEf9w%%RQ%U11{BzF_1~2H+83V_^J}s8$O~G3 zAV!iVPJ5r2^7^2hQM)*@z@K{heW*y7S0RSr;!Kd7k7>LAR1*Cui+J_Y6miK!zzi4q za(%Hhb;hmjXf=o$EJ&N3c&xsg)425x^V0rb5IP--4`#$m81ci!+hfo}w34^y5fi}| zVOhaS{(8=tk%=USH~)G`VBE%*qgy}UKP3Hm0(HaRVJ&?C*FdP4-h2$y6QwURlndWLjTgLngoXO_HS~A&2llW zWk!Utu2IRJ$^OYGj|pc82g0N#ik>&`&%S$zvYjo1(<)cJmH*VP-GNrqWJm-oAO~ zh(|}o!Rx^?QtJNNA=w3BRDC(eEFo(W=H1oRessb!QqZ7KQQpj}Dt-wO>+8KBwn^<#Ec5nOLibR;gC!hX+o@`+U}Vwe)Sy-B^&SQQ2qii}&sr zd2#6l+6CU)we@_r?S(!6b4IKr(<4(G$)aYj83>4cUrs=#ZqI9F4g(Zx;4*q1;WkSN zQg?E8ykA~=AGbQFuEzXI;ai(QgM2m 
zh07sSl1?!59e%-JdYI^)6!yS`LWzJpNc+;0H-qTcH6=Qk{uT25xa4`SdZg{V7p!pJxeeWRc zk618&5D8?u1zs2l7J)To)&1%=stDp$HsuCroJc8$&Gc1-j1_AzV$Jv{vKZ02KTHqu zeF#~64G{pC$+TZ)pP5+KAy-gwdqcK6<25N(E5d}0Dr08WOPOP4wqq|ehuOdpwbOW4L5+6Wt=Kay;BBQM>rF+0(XBEU0iB)~LXpnXZ zO!(r)QozaD`#ISaE@J$~mZ_n@P*$cvq5U`im&dZ(yD?vtf!*>cJrHv8M(*dm)JOX# zTeiU>Apc@Ms1A4wsuX3r0XVxQF!MPMoohMTLT`*G))DC~I5AHGh<9{)DjumG9q zH#|AB>h!)X85eXp&%5)ig1KE+h?7P2a91e>U&$?(ki~IyykGZ^E@PP<*Qb!QwP@d; zn}y*gt153RN*(SOo^DO38%yUsCmB+uv`jCxZsBJg87d_Zh_2OXxW8i`9YfQ*R`2y| zaj!!PT}f7kY15MT>zzcZ=q&*i1~%bf)`;rG+wVGe(qt=t&Kph^4-u!i>AvM`WuLF~ zO&i8=I}?DUPX<0Ue`5A9r6xO)h>d9dGx1#}^`3+GbFFlfg`z9Y;9OzO4K>$$y^M_G zR8HS*l(Ute=sXLC3gdQ-yQgg~MMIviJfHMA63q-XPd)eDns8{sx9F`LnTsj5I~t2| zn6^X`e}|5Y*dC5F=Fg!%+leR2AB}>9BFP7Md!+%v(NVK_taBtlmabVvbF#|ip!AHt zQzbi0ESH2@a6?d96NG%ud1IOH6Q3^Hr!<3*m!^XrXtd{}pTa=7zOduoDAG4WzF1Vs z%cIC~HDr3XO2p>nS{fW`Md_VcW*XZS+KWyvDDI2;A=CD|kvDIy9T%e6uhqiUDLv~R z)F<j6=$DlmO9By`Ck-kY*M4X)<-~NTAgcBuSjFV!*^rTrI{^yVK#Nq9T zC)wyTU3y1_(z78q7Tdr@pXXTx!>J7y9bi6x#_eU_YNL?7)V{uj5Yhcp@SO zpH%m2I{MW|sctbMBI{*qx&!kGdN2x0r?|jkMMBJ4Yx`I5I@P|?X%r=BQ4M}J5rl|wU2_M(R#Vo$;2v%ONEg&mQQ{zA+X3C3;xSa z;m7TUIZmIE1RI5_899AM;J|o@9-4hmkRsC;H)GB71g;cIADoL+QX+`{rC~B4rfCW{ ze6SDD-m3=^AGs#LNR}WjU?d>j>WoJ&S8l)HQoU}`6CP#eF$;^tz)hg5)wI2D$Dwz5qWE!C@IljY0!7 zn;wvFZV6L3z=CE;O|;&YQlV*_YL6`hXM@)(OxH6PpJfcd&S#W55qyPZ<)i|;Lah|o zzNRg(yC{bfwrQ2}oBTgnK#ObzN4hiF9GuOCA(0f<1}r8pz+|Bv4}7^BL9==bgH0Ea z88BJedxT27d;a=(cun~m`C!KPMEJ0}LYtF9OSDL8*tOuMdkgn+-Ax^QN@*42ztCK+ zz3Tf6`}fh2F1_G&oT*oDy*6Knfr zC!Zmt6^t)Mj;DP1#jsv5!NM?6D}mlO%ygzi5GX&^U66!`EYrx}>E8rTs-V?0e*;rY zM)OH)I4Rz7Hfp!swFfeKE-&z5V4m^pI@ z()I*d4LwD$$fBb>3of%Bby2p^WqKsF))<~NhX@y%$TKHVnUh>Z_ePIXEmA!t@^$+m zf?mbvEetto4<2#bKa&RjH6$EWzIIEw7fZ=G)vFZ_-ubKsQK3)a_S@w0u^{%CBqb`*YGdDLfj-wIJDSYtH9+!Ar7rX?t2G0*x z6ecb*%w;ee!}XH|0M1SF!Np2Fa(83J=Dgf1R&0ykO2boIuWUB+HIEOyP%Vxcw42zB zF4y9KQ`ViwNG-;DF~#t z=}0c+@#+uF+KkM)zc@kvp?^e4Bu#k#a+ntHo00I*XyV#??3m`#k{52&W{f3^mpq=i zmjzcBLjP`l)U2eM^A~^@Aqhs$JQ*H|&(&TrcSK-7rmS0@0^n6JR{n`P{yhbr2Zp-} 
zlERW+rBThNdFo$YEd2{?bHGSezSvi84l$DKzQFLK3mcRpldv8?{R7sg;wsk&xRi8 z94IBh_$=wI`S{#ch0<4)CZ8^db-VpaGcM!Ndlrb6LtL)(2c+=q9H-t|Hpb?3xVSRj zSxIWzSJeBMIgd(9raBTd^DTEs=**choxKE^7K9Y03g7-#+^>Z$3Z}*0Y_r5S9=lT~ za1lJ6rnR(UMw7Q+S-nbqXvD_cKJzLrPNz|mY~EpLT-fdq0v-K)vfeQ2@V*XLUP+HA z>`pBPkfE?-)1b_F8}dpw6O&cm#CMo9u*W{QCda}LKwT@9T$Q9i?}m0jRpp@Osxr~M z{ZgYRjb;eHpuM7IsI`AdA#QZ((-J~MW%f(H5u&oA0gUTL=~zeP1DjS8A3y|_^%n?) zf%kghDaYkbR=ys@CYAJU7G2^PvZg)X?1|)kC4`;W>;n?Ud;+M+c=;MsZ`lzIR;3pxhl3(Vq1xYoebuY;*1kb}rvT2$G$&O7n zB;-VK-SK&RFm>S=R|bn@@?WvSfjU zif*xX|4C_T>e9B!q%QwwsT4G(1U!vJZv!4$4t%PpB1_>*j_iBI>eK>a_}l&nbd2?H zgqT}eBQ4=?bYOGSe&6jjQ$*|@+0#XFJ?f_&pw3shDvJ6ysYRB+=qZP-z;iRO$UxDY zCqDRD^^gJnkSX`*g|^UBnWx45 zwn*DYaxmSPd0C9n440@tQJ`Et_ z$xQWIrz~+HCWM}KPTR@2&lj`x5j!kZ88M-N$F-*L3rt zOcOH_S&O|XfymDLaz1y1CgE8-La5brO^7wz@X~tS`Y{N0>a%!Da#?*V8-Mv}^T>9* zlDCqzX7&7=mh0fmOSZQwK~sOmE4Al29zo2WchraOAM$d|ik4*_*V8{dab%%|=NL14 zEBh9v6$1AdjB+{x1#nur%%@EfeUxm;x6USR&I82JE zKzgS>+-gJ;xmjJvs1A0_MG!m3)AoN80`ZZz1cq&Qo-^`_xN?x|Jw5YMc zIJ5nSmaSVtdV5~a_$x1bNNdWaS-Hm?@rCw5TnClc9y8;z3s!~E+^Z(;f-f=H& z^t+AsIW10a(9vZU0^}-Des|P5uhTBQGgn`{nS?iLpEn67NlHGc(feDi+eIZ2n2eS@ zi|3k+83k7Aho=wbMK?oKY(Tl8_?>5F4QCtcv>K7o^c=(ElqjDX3r8)}#F zt1d(WLP`EV>F3P=Hm{1KW_3?v`C>?X(NKtq9ypzVA)invmt#&_V~qo)xbsq`ozenc zQb=6+Mm(vlEYV^7OLf~jCk>1Dj}*)E{4=ugv1GSy49FI0S*#~7_(qc&7&dRR3J94k z1ai1smfxbKxiMDW{N5LT`RsRae#FsJ0_$|mNssc^(o!1ENs`w;cNn{|DMykJnDqGu z`84|QZ`OuNM6jC`afVAxr#dQUG9-W9rM2`g$=p6bEYmem>kGi0Ql$^scxm zMOpu(jGy=Qa8gHE~dd3IpW@kOGL%30W8RtC>2mtKAzLQZegYV1oxC@|0@EA zrN8{%zrObrmPoG(Z@3|Q%OoXjW`ycOdXH~1lN~*K1>xGmzZywz5YDyowP!O0U$nmD zH{>#J57D~E(4k*)H4kyv-&7%{sv}~&-31KrP6fO(#FFg*h*&Jz@So;2pc?l8aZGy)F`SBp=o#o@_gd=5^2WLr=)Pm@q9x z-x+H{rj&FHKR9b}sO+W@WtU$OM3L_|U^YPKyJ-N<(43e{`Zo)zS7``T6Rb(>Vx&Ss zdj4qCg;JaHG&D2)jzN>cl+H1X4lJ1!hKLpXKla==Fkw$A4w59bJKz zri2i~&b?|7mkvoq*w*wNh2}4z{YX!t&d<$9k}Tw<&Uz$PyV9x$t*cJuE|q`DASXqJ z1eu;EIZ^ns-%0nvpX)E_o_K;r!qSW_>k1>skxG+qs8F()3hB+DcnWV8a9Zj`$W|LK 
z?2WwsiexWY^inZZthZgGN&=jS@q)Tg562~Q-`LB!|N@fjeCB`wrPX7?~2rzoRF9|OJM9QL*_)lFGjX@@dX??0Ve}t zK;~3EhR#ZRj6QO^e8I$^U-5cHJQexBRZ=xLTb&;M+dnqT)e5bGC^7PLHX+O@3R&fj+7L=DGJFis!668d!KmspMo{r(p28xz98GUXPg3RpxZ2>6@N8H(lkMO5 zQ_M}+aHXeRVqf7*1&(okm=JFt(Vv}AL=j`9o`FWni&rxyI{P74R5vhKY0wz&o3_#? zTEA?v$xQGc2z!G}{=U|zNAfT1sY2LuS_3HqlnjL^$Rn$+@nxw{66hI;G;D?Juuc%k zGBNdHBK2YwMXl`&ZZDhSPh*hBT_y}nLr{q=oDIZ7@S+C@7%`Q(7-Db#?GVDfyWI`% zV7Fb{32_-88P*r9Oww(rY`{M0mh4LUz1Mz%pza&1ghZi|KDjl?_+z=@mn;? zGGfO;+WERBLKo}&TrjiqtRzhEebaN6&?nOaPJZhqlwW(};a&YPExFj*Bx(@ba34px zvL_F9(t<+3blh=w+(~Tl8cXfh+h|r5Juzab=re#d1r_bmBLBqNX6`45nS-M=d>Z9H zlIygy2kIGpfD&>+f6`c=rD2Qg>;S$e z>hT=nDKPrs0K)=Q(IVocsDnV+azK9ep*vnCo13jLydPxwC{2+0`sP8~zwu8n!_i>} z^Xz$Y?FOFYLM5I;nnmX?U!HhaP13GFhkw7zpZr5FE`tB6T8?7v+`J-UNeLD_IORj( zON#9Ie+qvJIU0Pr2(n4%w9P^k{N3CY?DAIkx}W8>2Nbi65Hs}#!JyhRsEo@Zs<8q| zjydfZOGn}KKqhzPS~4M3aX=d{=qz~SF=K;O^9w7Q+Zwz9S@ogCtpTBki}Q zvsF0nMkjD~UsC{5yT9XwBk>2nZ7ZJl{*85(dlZ`}k?WTdioX~E2SfaRNbL}GCaKri z=&d+6awhA-8u zlKTUoowmG1{JnV>M12OEcc?G-WV)T_Bc2rJ*Fdk>U=PysSsi#*uNyJ-k<}B!+ zc95v2MUqNid2Tczp474a7Zo_c#AJ9BE3yTzd<4MVae zYir+fgdl|%VZZ8^Q%^-6sD(h(wlxmV;ZiPXxQL*+{o^R%c zyj+*v{;L{A9+7oWSO#Iugz;oNz@JK_G zD^bkBy4+UH-S3qQ1oBZaCZL}(Zi;81Zd@s<0wJzbOdcE77ESp7B2YG`@ZdK&weGhd zUfSzICtC1$&W_Es(@)ejwu!YVMNE5GU=&K0M6wudao2h|r%>!z&L=hc>UnzNh$Jyq z$B)z`X{5rMvXnc!!&&a!Y5$%d%L7u9^854EC$e#*gU!W`* z5t*K0j-636d_p%S8+c&183tat87YmnC7!eoHH~)EGom5Wv(kW_oPn=zfXSX{6k|9J zGM_srJSo;)!*V$iWE{(HvnB}UEQ7P8#_}zazHpSG3&p9+$t1}P`Xr$F2Ocg zW%m%MPQ64vh50DijXSv#BG4WEyD zU`HTjN~tv#1e7dkhW79R6Y`WR9ztpWz z<2}1o-_ZfB@(7nR1(m;2^DYS5&qb;R9qF;WT~@u1(SQ%C6oHeKWrI|!i6-sOKJP+b zg0CeLoiR@dX2Rf9wYle4T35l5BJAX(yS1~yTY=Pidj2b3^~6d^%4zNXVi;9T9fPTP z0XRb%K9F&dUgcmMID4|H=xorhhQ031YuR>1W;KUtZokltG+&#~t9w>~RKuqsAyU-E z2&xID_UKXOFv$5!No&iznW>221GF)kv|uBJ;#|UzO@7IoXjTrWH+h`)+1d6DQro@d zU2oWDaY+i2v4UTgXWEi`zD{4)LPX%bH+?oK#X64%~q-Xsxn1g0Vr_os8byOaP zGGoCR;FXn`g=nD`8Op0K+Ym6ytBi;!@Oyt=5t!_|TO5eMmu-XpZ{Ga!&L069Ec@=| 
z7o3sc*RTHnbIF86llSpA7rm=@J_NU|^wpPIX4N{CSq?hC^-^0m5|WAFw;`;hFZmKJ z=uHnnU*J|6>S~Mmk(~5c2crHF(2t6dL7tbrN+Tm(&LMn#l38{A!()-T_71S> zOD$NHBi9wtr{UfSEj2c%%>fk>Cj40ki=?BU5dO(e809Z1+n#-!ugRVO3lM~EtWJogo@EIUCs|Lx*vQAwN8co*!LEc-xMcI9C!?%hw$PC>w3?Yru zDc#*IAl+R9C=A^pASn$)iF8YYfPjE>4Bg%Nj-M~ypYQwp3D5H*$1&H%-fQo@_PN$N z&vk{Oy0zoMm!^Y=;I+#jT0iqgB1E7J+I+sDfYIGd79s@1Q86@aVa|; z2=W9%oQb}FVWIAgpYwVzyf1Rw&{#c~e01G{t-mCrddsd{0}SRsn64EuD5_9Y!o=Su z_6;FLTk&rJKUv%u0kmszsQhnLIfxSuB=P!3;*)>`VT|F|%uWWFqf8>g+TkncyC6|C zyT@^Degl>Aa^H*QO`5u30+2NW2ux2b1^Qp}&6my<&5qHxrvk}7!SlkE#p$yhLQ&5o z#EUQtLJuKJ=+5pzA>tdF9aXUQw*cKk`>_=HTy#v@s)%+N7cn3ky8m~w;f_bTK)o^< z$F1jq5wUK6^k1tTgu^2Ig+iO{ zZbdSAxMkhEBapK&1}OmeBXmFBN{r>1^*BQu3p;k*Vb`q6w?i`3yN1s;*uA;2jJRHt zp-gPljvTxf>)feZ{)ag zhxJ{zhjdCUQUt+Z@2|zR5-%sFVNWr)D^nqZi@a@rbNFKJClnlk1J*iWSklShg@pFe z4-by#cfnEyp0`7~+k#PDq?;aE1JmKeT0+u`dpt?@MLBh2z>$L=c2(!Tb-E;m?go$h zWRnW;^ObPhe6~fPSzqMOEzfWAUr?EOkx9!LWVd7botL<;uv4|L2pt81LIK3y@+i8t}Ty<$(m(R_%{LwtZA3}nW z{J5iGFSu4_NY~@Y za%zTA%pabCmC2I6K$)r;6su0!p(+EdmKUTEjm~wLgBHBmW1OqVv^H{b@#6Ad)2$J0 z^SNeTe~UiJw<~B>bh1(t1Md~Sk!!XRj;zm;9F;a~ssruRhF$g#-y^g7&-Nj+X>ONc z+uqt{rRFuj<(i#8SV(&FG^0G6YWYWZrM>nPr6>w0=^QgE7qPo}iT`lO?NLQL4tZ@) z6q9wgwz%vz`=mNHQCRN`1JIQ5)F)hDVJW5dx3Q`*(S1j+k3cW z4nwtKgn!>pKCBXcVBfFs#8u~5*~wrW`Q?nv>=W*IDen{Uv)QX@`&w6VCHdhr`7$O} zhDTmloKa(VVA(IK?RK#(M@U!kx;&xt9^e1sA!u3t`$a?gqc2Crg98bu7P-n!TEqi8 z=myls-@x7-HnUn9yat>NP%TPYqd5blB5p z#2GePoKa9{^k1i6hWhONB-Xn6xLa&W+qidtWqc;h+a&nmH$G^-I+Z~8)E%*;#>*Af z?{G#B)2<&3T^sd-8b7*w7h0k$ZNcYzy~S_*de^~V?^ll_`Uik$_VB!bU^?&z3;lZe z=(HK9orXSJTn5%o%1hJc$$G6~PNBFgD@1vtUY}6%*X1GE3qOef();)LVIwj?4%k~c z=*QRZy{#wdDK)M`{Cx&JjeFXK?b@4syf7(0=CV-kzm`-vbYd|5zz66NP#aD8nI7(4 zRwdK|c{wO2Eqxgjs%#_p(@Q3I(O?9%h*#n6m{m zqwGfw*sz5;*tT4sId43YRuhiivZ!h;c`kyV#o&{9(&gVgW+pc|a*gtb&f~9-MeBs@xoOH@x zQv;}sdV9g~kVuqMz%wxo2;V(mI=D05QiWo^?Nkue{RHB1hQp+J{|r!LaX=) z2-JMM726p^lTteBsm`lS=**KF_)wkvyvWxRf16szp@i{r0n=Y8(bVh<2lr=Hig%E_ zFewI-WmwJma|o5_wu4R!OANAGUWwYo(CS3qqotIPyvI~C%=N!|>hNGwH|u@30CUfJ 
z{Y_6DB>njBGQ_ow=e8qREtN_{<%7v9iLoOGJl@#{ImvXB(TJV^G2F6L%5P!P=D&{w z%g+M_%5j@*IC{f)VDwTJNBc?yU#Qy8{mPM;sg50UWh0fFB+KUWG9)a+R9UiOM|dB% zCqgg zO6sygtuTNhx91Z^*2|L)^?rTCH_00m!RrAv;N_Le9JQ>ojp~;U&AFu z-RU(HG}1f1_jE0hL+~r2VFogVG1t189g1LSDYNIiiqb$#othAF?Vx&9?k*^>G5CM> zx#LIB>KjB4GTtHB*SkoSXNY|Svm%LCk0Y(TVk$eSxcnJKB`Va!$u$sk$k93wiADVy zhGV$fPTz`}6&%Itc%6|CqRRdYiZ-Y^-g-`2LF_r#6FG{u=t`T_vk9TK4<-_6wDPiurSoW>7t*s!57pR5K_Loh4;Sg|La><09FI#VV!1=W`?{H$6)1Z>I;e7Bw{F64xZym?^ zKt?{=u=Th^#S?~N5fB<1Rofj9v&RV1PNZ=1HB(hs1%a!b{>9a?YlTabS1e#PxAPKJ zZjjcVh<3pv8NJ)*)$|pz8^ubb`>*D)Pc(4AFQwEv)`eSs3)NA?Gb*}n>>iak^1FW z&YR4a$uQg-MFjh?9A11pz(4F0XZX*3FYrpY zcUq!mondWxc`1`yx~OcMcKUY}O1sv!o>JNuONj{YYotY?*^OL3ioO`*<$j`*AATn? zK^#9ryoB2(J^9;}er+req^2A!4xPL4Z7T-UlD^jW6wbrpTk4){mhImiI2%?R&MGmy6C$w^8nlIOj7i*ZccKAJ3FqOm} z%DgXSGCyu_JVZ6cr`^GZuQR{DnZ(vGSlJWBucSG4T;brS<`UfF(L(n3CND)zRwoHid&=P+C~2)<$eyfzYA+NzyHF}Jre$PmeLR1-cY_^7dC;3{O8Moe zR~de2-2TucrO>o}Zstf&$AeHftvH{*oOaMUt7-pSPa~)EqGo^pU1p>CnMkK^84>l6hg&(uZ)f#$*@nz z^1?6cj>RsqTVoC`NP#+ShYm7bWuacK{NV&Ffd}e>1sag30IN2ng$8nq&8Rx2;e4xp zP(k1Qb?S!WX3LEes?TBL9zDYWNyz&3@XMrxwFckJiB zu^7W>l(iL&Xi{lH9bx86SEQoj$E8=N|77Z&;9#o@7b5Yp?-V;Yv^kxa z>^Q2I&NoT`b@Woc=IwNdFvvjh-`m<)Jr$Q)$5S?d{JEuZSUh6~Tl_noel~`&sKvy| zm#-66rN+cvlEHm+rH;vA{a@X1lG?s|N6MoR*e8cEZt1tCc?ly)Wo(-TI?WoAq z?!g4)zQ#MGtLMO0BCr+?r|x`Uc@u=&{SKoif31R_UD9$*{Y27?Xc9eo)xO6b)99dM z6Vlq;5nb6}Phzefl7z~9b+y7O${E=h#w#gdNj`i+h;UG(zHf46+)sYbN<)7`W@5w? z860C#Z7kiKof!EIohT~q5`7K{BRo`lBgWG$#_L!1V;q-?P&hg4=XTAs{W@Ja$S!f3 zENO1Kf7^NvlXVkHDN?y?b2MLV-dRihlxo_KPK&;c9rZl>{h)p#*K{WXQI+|XedNz+ zOfCf3q%1b_MPl~F-EUsuD!s0M9^tXCHuhejNzS(%w>3z$y4XI&xPj|u+ze{@3 z6-VY>9>L^XYP3OxT@UOQoh;`d{BG7M-2C*GGF@A%lEO>Jv|jE%^sFd)FPaYDe(1HxFM|6EX14lJ+NZnHJ>JG|0W5|k z(RY<2pkFe!#a!aCwvx89A?&=FTxi6HL$&jvIa^P=C&{(L**{Ng!<#p##gdFn2o|TB z2u>!ESrVu;TalgQ4LQw|o1D%H_;fQ)&wl)jh><(!_B;86h;3&n3Sp(J1QFuup0l~* zV>guhS4ADW{11osaKm)28z1WQ13S(emVRMIw1z3Y>P$rrM-ef#d*eFdk2*)S8N3v;Um%gC09COHJ-Pezm*~? 
zHREDOm>#Ez0AkQy54WRa%0-)T*wYCy9~rLO#4r``o1~ebaOJSXrIp}z1~I>(-aBnb z)uisqZ6TG&FB{3T69M#e?dJBNhBZj!h*$~kf)_1Sw$UR#5D~XTE4V9|%}^POMOvxK z5P9xFb;vTEGI$PC61hVIe{a~aB?o_Y{k;R&+ZO+9#&4UVwbgzbo;vV;vIyE0^ynK9 z$WFZpRCV<^5Syl=Dg*4&+V!3{SyPpUZh zs!ZhtmL_O!kPd-fH;Er1Sx|WFl0lvmadfRg&PJ6DM=C1qa1mx}oCjwQ!GTJh$x8T$ zk#qZ3nD}~+g51sl7JY1xA*BW8d{hf`Tx8|lrn6j1D$QMv2tuJf5~{0+%22Fc2OBkx={#31cY-NfY{CwC~Y(zMXcH@y3$O zpO*e$;m`VFBh5l@V8ZZ;bB$$he4+KAK|wSB#BWVBUHz)ocKv*P@k_`hseYF)lmb+vG zoX1jYciPhwM=UrpzK>EX@Jw`MjfX!w)e+cZ-=+}uMYf10m%xSF2`Q{#kMgi8k_&yn zEmSPdEh>zr?176Fj{95=95=rh+ql$K%FVAKw$P1%Hxj<+*qA}S8SUipn$b3I{b(@O zE_v3l&7Urm?H4#k7n75}hI!7tr`8!m$sh1$NNP#Y1zpSjnxd>Q8U_#9^x$zSAntuZ z-W8Wy=vco_I?hc|aNwLS>EraZIBr3z4aDqWI_7t6SK1U*yUfG<5Qkgn6zorVoymN< zxV6&jSiNovkvOpz@`ASRpq=@;V*XDO7yeYDZw2>K{ImQ9uLMy&1_y1_f%=NLJVBUE z6zM227s*f8^m6JRUs-0fWA-0V2&uhq+%<+k54)U+BJlyi-g7|eQC%CR*qdqiwT=_S z$1ZQqyDj!+V2mD-bGRZXhUI9a-!ZlU~T zVcR3)opC=k=2>%SNb+MW;h!`;$8N!$!@Yf7f#W6Wz7{hs?1qJWr!vn=Gj1WdEDY}c z>wPSvVl!p#iUQ)8RwsaBmJ|H!wE$ywZ z2?f^Lmqqh_Ot;*t_xZLQ+Oie!U4s#&_Hbm*=@J4%6~p zU&lIpy?KjauU~^Z!J7A>Z72n0Q6($nfU79t$_+Q?G1dcsRtH{Pt|rmPtAF|DisgoL(hf62L7gPB5=VN= zyvML@36n2~*y2x8#t{JGaE~GZVd5pjwl7Vt=Kqcym>dYM6ZaZHPKWMRLxaPjxaMMzX}{^GkEjn2cf$%B;yK7ucV z7?iV5vg)2&M000vy{|f=2z&DA>JULJ8+&i@J~}SFs91nT=s>BYvxwB^j1uQ+>7cd$5E}G3if1CHZfC z;VXzkT>2a6Np!Zot>lfMlume3(QP*YrcL8_E1duc<=Ex!`O(Kn**D^S1Has_#3eG~ zv-o@x^ZM$vasL}scJNAUS_fubzC#NcCd#Pq`3Q|9iO;UYs8&$+6XmCzaj#OnNZK$6 zRhh_VH+tAA9fr>r!>y?!ppRfnt=VU1{>)|~lObf1Yj+vD#{ak57_#XDmR!-wvl z^z%ZTZYXMO5*;E6qBj8d-x_i1(J>3rS#O#cBJ-|}Y#wX?vq)349SpiGa#P6LN6Ne` zU_zdWF}iw&KUd9T_CZt&v}zE|luTAQgT>d7!pH)Ahb{ax%tMcFd~EB^Bk1+LGe6<2 zApr$$($O<>O;!I!rwSELqc*EMVQPk)#HYb?J_(5s{0&O4JqU4%}|9C1Px%Y&<~!mclj#+I97q%fYDzt%eUrh21L8F|DBC zFyYYjGY*UGrCXf_r0GfEf02vAfcUfBZkVAdiPN*= zJXUy6K^;i(=~N_gEWvmal{_wpgt657%A*>8gRqF3s4dS6E6#oI(dP9LGKyWn-#51* zIu)i>kqMrWD*@!mYKW2|<=@(>DD-1`4C*stMAyeP*1M6l({^zpp4QH9DR&^zu=~F| z>jSEPV?A)C_^JGQ)oYi?LjJ>*q)X6QG|1Kcl_-S;Ag+;AjWIn`(Zwxg-L}K@Hs4aA 
z_X4lxeeXa#eUl^&^4rI4{}CUaQ?uPDWd6PpOQjeoj6N93m7ACOUJcRaiJn*&gqfJ+ zgj}4ku=0KLDIw@rn^xz~3n0dWSG4?_pYJr{O^H!ZNB&eq7a#4w6N0MqcALu@ok9}d z5P4uI`fDPCTZ5Q9Z5B_bMWE_L?=mQ?d!)MR_er3Sj3uGtsNf1~2M-LHx&LZWZ#*_j z&S0mnTFLagMjj#owDIUR8ga58_7!@7)SV#AeCyGyuhrJwp`UylPfozXKotSuDz>3| zv()EW!J`{R*vwCKD{xN+Z$g1dtG6Cwx?r`M)VC&)Lpf%7!{jnRMcw(Agf()Oq>pIu zDtx5N2%_naXqHFyiiK(Bmb~AQyQTJ3aQ?BAD2k}ouba$E!!Tx+rj?_P@}(W@yXTf@ zqkKB%cu_IRS;pT7fX3)P?@9Wd-7@}n#!8~zletIjQ#V~sB-rZ}T56L7aR~@hM`J<+ znqAz)4l?7;+49v4vP4roD^z|iQ?0Z}+}Z`=8_O3Oj(-Q1NzQUMmWhR%t;|a$9n zL9BbEwvI$jjf#f!x1VP(nSz8JUgW4+LHJs@t8_EETo}vV+ApfaEDF|5>gOW@0>Z~b zM+iC)5Xm|hJh_fXk-eoLGFOT)roxIpu>XRC|4)bv# zWmHBkeZ6O;305g=1jHI{aN7GE3}mH}&97-3L>xw`w85|rnIL;aizrojdRG%?6=voV za$I!%l=_~q=QdXeGNL*vn&9JcoUz_5>MBn+ z-fHt1SoG)%wBT>jSPd#k(+A$rfVXlBNcX+Y6hOqtU)pY;!rv&B`L&8Ec#=@cfj?Jn z772%U5p>7rd5Mp3+>XqLl?bM&FMS8c8+bO7cgjG1+mEncxsxb1v^I&62T+DLA0g@t_ePU2t+Ed*mw+@2{P{a1!wfH|o~8sH1N6i83eCrxA7vSRJp) ziHw%iKP@2vDGnOV;2BY9B^lb<@Q(;rnr-#yk`QH>VrW9FnfgZ=UPz}M-MWJ-h-I?e zzIEtDk6F8$TL=-2DD1wY2u7-@J5T$Tru{XF8#$4xy2NhBVUBf2bm%uq=?~y(Sr`y4 z$#|TP(1al))M!IeKNHKCF>1bqy6Cn1&lfDh&xABL!GIa|s^(zvDeH1gF!&Vxks%{3 zk&@D@I8rtK3f#n^&{xro zpqhrDkdiLD*lzQ@Q$~xwExLdZ1@w0hkkWnX&aQ~YdkpEFvY>*q%wxtP@`BBzW z|5R&s|5w-UPtYk{I)lsux}#?tRyK`0rd|~abvVCf2(|1Sk>;|fIE@BmN5*#c!ek~I z8JLY?I=R>58o!)ZhTUcVl`$?j(F-SjQ3cUa`m)7vuRYOZ<^5+QU3&^zM8y6tilGB& z7FjdiP;;AnD~WwOVWi3;2Fzn{kUcVt{ON>({{@trnm5VPVce~OT4?RCnR+lwBfT6k z|BbLy&cjsth?^r4CI!Qk(zyNbnRVQ>C)ykMPVi5g=tMh3U@pqTrw8WXUpFZ@Fj|NC zh0vy~;?8l9kY8W2G7(*${Ht?%cG~x|Y*sZ?QV4#~&%e39KV&Ed_8=Hbt9%EaP7j~W zIEbr>q>|VNC&5f#xNj2c_^5-3gz&SCOf17&*plakg=KNnss-kYR|QtTy(}+Zth=hS z|N2S~L#4AfyPAkYDrT6Q{;DG{b%b-JuK(P_(pJP@ z%~0ZA`dx;VqQBiP9&hHleE}BPrUS4n@1RORfvJDtM;-`Mz=q@1r00Fs_HcnU%WO7G zc*XO}Gc=AeZ$62F8olv_kH+0TiH9l5@#^$g7>p}U!E9o3wxRkv-&e^w!9v_U_Lsmn z@&LtY!@wg_zwck234=@5(SL;*ZTKnXl(v(rb26aCW6n-Zhu&n)M(BL@?^~jYlo6KFE+yV&uxQ zR1fAOwliGylS$}|hIQdqQBJ9A(YC{F(tOI5Ej3y!g9s4bMSezPbj2KB+oZA9cbmGv 
z?`y*uHd2JlOr?vEr~o`-m8FDFLFI-U-+ejSG+&|7a9}+~_5$KX4Bhf{%SFc#G)GZO zrvB<~SVkK?v2Kc(I&uakQ|9q&>m;|{xH2}mAq7scm+r>m@C#XpwFmuxvjus_;#`P| z!-2$Z+F8myhsK9l66pXp*?@#BXDY8f?v$FSU5G?8hE4!@Jk}?(Cxb&@#!=5# zPon6(^u+3((uC=nk6XQ&9CJK{Uy>#rbC0fssA$z+gaI_plrvz7v)pGubP+KjLUSmJ z&%_W5gU=~VkPSF$=c532imr3R9lE@^gY8R2=-D9%QnU7rU~uWi#cq2=mfOqSnmeK+ z)n}5otpKWueX-4*8^E0=b%F0Vlz4WRsOenJ&DOEUoZo!cwrjWW!k7>3fDnRg4I^it zwimzK$Dg}Z&!rMh`hxInpxMURi)EQ>riL6t(aFCf#L12~j(%q9l8#!I#}Fw_AeytX z?Qp5f59F#pOmpMf_ApuX4r#nK#sgHfM@?aYduy=uMaCj$)I(y+C?coCzky$2dsRIV zTbzrCog`(yJ@ZBN3hHUokN8@L{qlMq8QiQF)1|-_Ijs`t#BUvUtBxfT=Q;DSdsxj( zyBbC8WDhml48wN`Yf#rtO#^Oc_jI@K;BpIhSp-etzt9!(Aks0V-&lac@KMilM&)`hCs74tmV$iRz(yX*B z#8BfJJ6^?o4gp4y8^<72VOF0Je9AlKM+eFx-q$4FfR1T!ATo7L(xqHOD1kqp7zO4_ zg7d}Wgt2DAT3+dq9+reNL>5@p>yow2i+xJR=qy4fQ=C`~tvgrApDcp4uX0~duaX0) z(T>{O$$N^FUVyHvo)MjuSNd?APqYx-7z!q}ZuU&@Z-0fp_oQ*+lsP1U;cVc_)lRO| z@n0Ap|JKE1b&bWrlAODH9lUshUOufI(furhx;1;ic#AH0h z7U_=eD$!INxZnLOk-~YnX-PRmS2%HIUN)KyNm-nHcQocx8Jbt;s7Fo^Kb7))c-;7j zTgB?Oqu#S5!Ld+;q`W(n)19VM8TS54MKMkZ64TdYD1Ix*iYOCTKOX693_x)F;JA~B z27V*koB*=tbB#czrb9PuarO99>DXq*Y6U2Vp+eQ~pggP^B1Gs!)A1g-6w7_S99~D_ z*o}gP>f=C}voI4=3~s$#oHSi$#0vEu3e3~m0mzuh)7PxP3eQ!~v|@Pq1w4<-`1G$_ z%c#2SC}2c8l_}8r)6c%zUjxNuDk>ng6sEs<*k5N<8h30X^82A^G^daGM8pt#%Gt&H zfQS|~B;+FVi|SL6u!_Mb8>6`hCsG7V5ZyUOOIpIWu>sU&D;faVOXmVdocV)oU5)2{ zNBaR*hhlVqG3fMm&kPM!Yd-XNhEF^gCjMZmsl+h z=LO!ksp5R`70mj>bkjV5%Ko6ye2U2Bn;3#79EEwL2}IwYW5?%bQYzfRDXQ>xg<;Ov z(>buHkiB-y6}abl0TJPDshY;}F*(FaLXaZS6bdByZ)A~MRjjMV129syOXqA{h&7gO z5EFd8#l5B|zc!y|Lrx@X@(m{9c5XRqulmAI&8jy~!3UrqN~UQpMq~t0!hb(b8xKe3 z?@3G$z?ctZq$Q5u&5;R6;Ht+l(hpQIa~BJyrQUjzAd@;aIg6>1R1eUD_e8-+RvF@^ zGz%Fz^2giK!CojwO&f^99Edh?OQW_6bhB64Jc=F$|rtSR8Fb`dhqg z@gDy1w>_~-l4@-;_eaJHuDz8WX^yLS%uKrvrpmE^zt397eHVFUeWD+%{O){6G#*D*58v>TH!boT0R z=$)6I?`Sjv^s$cn+3{KQMLN{#bWAVBiAj1a;+-EH2Aw*&zM|Tt)CY@eNo!>ria07*JB6%mnn5Zx_7oKE$zq&G`;1mr6VZ@=}SeO zg~Axp#1pzNFz2HfFTq4K5<&!1(Nq%2d<8r?w%i&i8lm!4rmps!JsbSv-PcD!6)OW2`#^29q^9Zp(}-&9VV8u7f~mS$^l^OFRY-P4)qL)%=^)Fvsx 
z=hWe>8PbJTMOmLylt78GsHg({NdQuBI?3xLeNztG!Ov+FBc8JUzZwE_Vpc+Oy>**<}TgaU?Vy?33>n+M7^Re z!Q;OBUf*l&Y<*;a^>G7!|HDm3^f)XDcT|yJURR;vX=^5M2^XxlS0nFPZ@@D>Mg!{T z6ZD6Hi^QezjquP$fI#8uIs;h^=|LysIqSkJ4g^``{xGTqw;q-YV`pj#@3Ig>I(tLj zB{g9QcB7X0cK^#XAUswGkr&Fg`J1Q#>5Jl1^~V?^X!HA{&!IHTG-BJdjzN;2-XY1v zO7!)vMuv~PMT>*tiGfv~^Co4zA3e9E^INJIs4sk#4K_!7V59f)SEM~2T$m+%N%jrx zSlE$`^a!c7(_IhZD{A^m<0jKRd`$Vqa@@a{bhj58Tb>LdqCo}IBQ+Mx%+oxoj?ecX zrtUA#6WcHt0uU7K4TP2;TTP-q8myhGt!_+4t*;EHwPsH?yord-l8<|#rU8Pr#cA(i$-G`i_M z`_m6qqj)l5w|si32P^GdweHEJeQ{?L$L+cT7RN%g9@jxo#e~iOFKT-Wg^Voo@j-E#N3lLN0h5Npb&!m)K*&)$hM{@<-U-u@En+=+uqUal~xTTRU zw*GkWjO)k9dIFvDbtS1G&sTU9>tV|f_D#qzd@IK9d!d8I^69;Ua)UcRM9M~`;SQh7 z{*q{i+g5VIM`G%m3;(wtM(QVVME^25=Q+1E5Bu3M7|Z5!)QOWOsl!;arA?1CNP96{ z$ceHJ#37o!208cO_Zp_oXp}~IvTU>Yu)ccv5TL=*kwC;DrqF#o%A{Q$EE?+G*~16B z+-7SU46-RcR_n+$)(1HIYt5aj`^Jz_uj<^k=HY!(@;AZ!LeI$Bxo%+;vNvz%dE)bZ z$EJJo3}uObS+tu=>>aa(Vs673<~cd^vNOQ zj-a;rkPCa)n{?-Q+gnQQ7+gcvT3as(Y$xocN6h<_Q4|QLhaq=TdQqw{3Q3-Z3sYV9 zSH#9{alklXNOX84bc2yYF7)w(KUh*mw4nk+DP*b9LB$bQ(k7Vb@rl1 zg*zHcFq`8O(+z+(n%IM3Z-p>8_{zee7GxNav|H>I0Q)WSaz%sad2vg7a=O<2Ai(m26dSjJWK)ojxr4>5e;&x`to-P zmziI{wJDfsuNvLsbSjuHJ>f<2{5{3iBfs7C9l`XGAkiosfOUW@n6Z++|9*T0U;RA4-i3G2-$RTVJO)MbL+Yy=!1T6-3Nd8Le9{SvIuiH|sCb!Ide!$^HeWa#0sq!>l3(8XGm;P$eeCtZP4!XadFFtUS4tAl8N?frgcN)z4hZsBQ$NLsjQu)9DMzJ22ust51nyNZGgB2o zgY8Q?Jx3k2155#kL3sUn1d+)U&yujVhE1bDgM(9jGY}b+R|tQFiUVINw(=ZCaM5Gy z@kZz7B10&=QQuhnY;6ii)8N#^e z8AJ&-v56~|I~SA$pAcVpDIkv{o@f!pV`u0r7wYV&*Z2g5`aS-ibOq=d%OG=wAl*k$ zy7t>|0~lQ*Q}|4so36rEpL326+K9A2wBumOZjvDUFaTgJnhYx4iuW>;mjWo#zuS6_ zn~fI6#y%NUOe%Dh8N;};I;ZhR2{>;rq@xEnh!zWPY_&! zKirA`tcbTh)JNJG@)^m91)%?dp#RFgD_=|H`Q%Y*$2(_!%0J021b^l~OOy%B?ucUd zngBQKhsDbL$cK&KWj8_*Wm>9Hs(*iCY=yO+*ch8G^_oM1NFMSL0i<3c^3>6|$O$t+ zh^@1!^k|*aSkw(%7-+ZPAL1QV^!cXDY?D*rJG8 zW1jwWdc$awLm9FF(+9;MJ&hW6)XoGE(NyCf~j z09ryv4a*&H?MaYCU$Sv^#KCgc)pb<#TJ3g$C9zr`Zdc%66dv{5HO*m7!( zJfAfn;h!1YzNqs*hjH@>;5CMHa8>vffla%F2a7heIl|TTJcyhSGx&jqSg;ED%=kx! 
znRy$)xT^O1hM*~;D=Pb0Qq(16;9w+F({!pK=g72qc5|if-12tOs367HT)pkXyu}sf zy%lYeU$nUcMh-^FrjP4NZ;n?KT3Ueju)WJ$?!fhy)3!U*huh(YNdIg9w(lM_QdXMt z4(UdVDpu!M>3&f^`)~gvDs`7Xssu0d#jU9Sc@lW;ANu0LYgi6>1HD}K;VzkRNXtAH)t}8L zu)8b1V#_B(#J1nweXgNXD}>W1^=^aM<9=r2hlP&pA2 zZ?xn%)G}NPpfg#h?5v9lf-fpzb)Djh(&B!eVvgNX_f&(f;j2~9O_dwZ@=SDrS~KVZ z9@J#cAj1VYNk@Fa?|bXY_Z+lJZC4K}jp#gjT^!a_r$t2mS6(+VR~?`WvK6W%G&Pkp zIj(6Fi-7$&Hy*M;u_TK+t6g@Re4>hcmgT;b!N;mdfuOl@00%T%-a*od4G_!?FD1&} zycB7shPL#ikaZ~xe0tIQ!R97HDgg$HMef=n*`MgF3X}wVcn=#|aA_hB6jng1Cm%T= z+nC;WtBFe|YVd}Pw=Lu21na{GO&21R2<4&Z;CX(#kJq=`9&%A}3=sO6tDx=Ki@P1v z{Ht=m`GQ~zhpY5P!@N>YbV|W9B#g$Gzot+X*Oyvfv2>kMh3VK3D@Xl%c~B}^bP~kdc0$h zjR+ounJ(_?=!y4U=Nu`8GNapYFTS;I)&=uz?WV8pmd~j7^*`l|_vr=4CQ~Ccrxo59 zzl8-bD7l_W?FdP26}t5}{}S-yH-&9y37pqiXENUycD4-~4VWHT9Vy5%0Zt+&s)gde z`Mc7H9u)g}Zkmxc%l;@ln*F3VzJV0(_+w7*)1hZ$i;-~1f#RWjgi4h91Qv>`EI};Ebvmjk~ntbF58r|Ds65Aiv;~7 zncsC@u;vB_w|qSnmi9co8XqQQmGI~;S=%_&%NyYHWS4-ZBE-c|3LsS$C!guiRmMvf zu1HvHmWf079uo+YOCF1k2_R{~hZA>D@JVL4^sHVr)qhQ)8fe$P8Yv8GxSt(CnfTd) z&)=$Pqa_DDYzdk%wJR}T`g}~Ui_LqK?Io?!egERHU4$}IrzWoxSbP7KcroiKm#|-r zE^a{(W;bKoU5ze$@p!3|qc7yfoG!OuD^a)q1|{aE?!g;VDw@0}j#>({bvpP!hQ!BE zsXH8>afT?~wF($O(@}2%j5$E9^{*LDA&dckygfT(EuP$iQvr@QypLEtTKgl40-9nL z<4eKU!sXrzL_|1<^ZCH#ZJEj(Gu$i0z!MmOlk(vQgx4}emX>jH5-yS`30+Jm9rV9wSxroBrfmdz+{Gl9~L`- z@Sqp?WY`K^gx2!ou&B6g~zd>zG>P_QgM8AOgp2vIBmbIKK#w4LjivJT3i&!4=ua z)R9$DAu{zt5LK>tzk0cCMEPX;0Z`rmXKDLXjxiZSRKkEA{RNb#A}0-fIeptXw_Izy zv!4=uaZ$7UVTHMQL&$tEe%1M6e2b&?lVO&~U?6E^m<$qcLrm^Msd;mmx^AuK(e{wP zDJEMkBY=w%))QX0y@eZTCg>ONLlIpJIu!cqA=rGWGu^BtGA8c968z0DczhJGK^gP%a>xo(8 zzvIlT9c@<1$jL0eqa@#?}ey`3KtP~72^e%H8|` z<})H;Q5rsN+9mtt_&(YeP{BKsx1Pa zYUSbnyKJn7Z|&Jw{gf-e$uAf{b+Zd~`$fK=gmn`p0u}y|3!5SW6a+tk7%b|ejNk#e z14xqpjN$Vt!~+ElxdTM@*-WY{l>{ODCtjATp_UIDp+%HPg&yH61rA)G#%4S!3}Qhf z9QORj9^~tKJ9ynaF}o&BU52d+y;G}+&3TPN?f>KIEgYh5y7ys~T6$Sh8YGlPQo1{( zySp1nfu&QB&IP4Aq(izxy1Tm@-u3?KeLuhV57^n6`J6fDn(Lf%jXy;zDfD9F3{6>f zL#Ga*7Lgc)wk9-vvM!?*!Rzg{CNTW<=o)9r1x()*P>;eSdp8NtP+8Q4)BH9wVPEin 
zJ+Z%kDTs+dWz3CXs_IAA-YZl1|dc z;Q`GT{Da1!A_UhK1$aumW|8o?x=a)207}@3`=JLJR=( z2LpcwAjs;7P9{KK0v$On9)sH?j?G+ef-~3Q8L38|02YcGmcsPaGZZ56))__;2unH( ztCgQfIKCVHfux`kO!X8`Hm-yXIUaDV8}dPG$vwe+HsdKN)||u-=MRK>X_6jVrWV&o zyGLv72OE?Ps{_vB@VQS&mkb_plZ<2raL;VeUHT0JUy>8@@S?sMCrVP*R}EC&Wp*P)6e?wH9ft|C0ug@r1Zo{=MZA|EhrM`i`oxiS)n;&TeIWJ=yqw~c5W@r|Aeeu9YKnH} zh(S`tFG*Wp>ngHhMR)cz!JYmeaSZNtOd4q0e^^L5<`mFG46L#U6NU6`G)|m!c6m zn!Hrz8V7Cu{pdgsI$sDGaja&3KM7SNl6ID%#>lOW-e<%3Wl3Xq!JogF#*x@_bTtM$5Bjr-l!>#Y}Wnm7YTtfErNC@4h0n!jm)st_i> zjrbUq$UafFq}Ct%^Cd&{WnI>V_^7L2nj|cZkaixoyv4=M<|VycMZTYU3m3&C9V?Dk z5Ym6br|vDMLp7knaG)dxEfZ6=j?K!!UH5$K>gD)#MA0JPAqc+lAWE}lPazqpxZHTT z@SGjKb=)yQiGBjayUyIQ7^ZJ;J~sK;*C_E$bElb_PZv@42#($%)c+YuQv3t>7(|l3 z8ZkW+UK62WtSHN z6pe`N+~*QzPEF^SUMJSs^aFUV3gh7M&#&0MJ~M}_Wp}p__&&EjHEWS?Y&LkF`L33f zS-YEwqdD@u&wzPLW&mxM`|a86aiE%7v+-$AO#q2+{r1q8&YW((z22*Q*h-v!XPS6O z`9<+k99!>IX!yv9%*ORusT^hPQO9`C>1o?5Tu{Lt3#@sbtxGC^K6`vV`WY^sbR3!d z;3mKE^QS_oFC$ONjON9DnsF`|4;#)I;LNpAqr^`V7pW_)01QYj^ca#UfX9_EzF0`e z91@$pEZH@yjyeXWzUSEwWoiDMnpgutO9Otd4M^JlbNnMlMg@W-Ma>Ldqlc6iU8sX| zPi{G||4spI8?FezK)k|l7;F`~e zMXk#$>KJ~nY!;K70zx4dlJ2<}){~6SJVT%$a|J4Ukl5 zpQ~NJ=Q=iDGgamn5>@*LWumAdX1S0L1b&ICC!w4UUBoV4W584g?a}9rBq!$g-tyEh zp+W;G*JSZVcK=2#==y)enMi!x!y`isFT0h_-WxTXnroKw!J+H;@cnYHf!}vbqx=Q5 zKjAUwJUxWg{!Ip7PvOZNB15zONo8PZ;YYK4cua^2{cpvEKXGaGl?Z2P+ma->D$Hua z^A+U|BmeW$j8`E%OA*Ghr2jUx5EZK^w9MZ3&)z`goA%BSV-qQbjtZX$xpQ$E=0qiA z-dQH1PXqNZ*$iwIZ63qf&+mQb*@$mSwAy6BwtbQnJLnGht zDa6_SI*nheS9GCI9{Qz>niV|FAe8Wq|AYU1&Sbjb@G-PcsNxO7Kv2j9DTqQnri0~h zYfnT-sPzvU!Jq)9t8;+!61FWwqSa0+pUcOBiahuk$Ep~%U{+8_Ee*{PkVlME7koOy z+?|I_sziW9AGgQ6!p$B}uY?*GRO;a$l8ZqZTu(fiuAwU&4+#+2@$Jqh6KY9MY2b^2 zo%NX&W=hsUaivHB=OvSWvvnut?^_DmVdY-UivO*zH}YqUVPP;4Q#8q0$qbINM?RNz zE33avrSDG>SBD$5M5vA^I2I^uK1;4tBmsVqpoW1KUH|0-wetbk zO^xGzl2!|Ndiu)X^)ueRBz+M@y94+`=ocG-z8#~C1Q!ybQ55c%avOWlTTapvyp=o;qWP9K2IvW+i~jNa(gt-6PR!W zEsUJoa6=7Q=ywGFO`t=q&m{k1te1>2CEV# zQ#>b%ukDqdb=$f1>q1odrK?e`ncHgPP%rcU_)o0W3uO^wd=+)a7A>N1>2F9@H^X9u 
zPZ2aRT|M#o1W@ShgYWfXRfH}yM6@Sfm-_aUsq~doJ`&xjbN-e`gcmNNMii7&hjz;R zL&Gy+#Ll36sRL#ncgCRBgpd~$=s={v-3((+p)s_b0CI+bIzUSffJmbE+p0;81Pz78 z*(R`=Lg>l*zkU9l;Mm=zU>BBf=wbkGE5CUU74@lGR5$*>&3Cb|mg@S>q9bL4t5V!S6f#5##-X^UVos zFju&qc4=1(W}{?wMXDmrDC+LC*tG3V&#-g^W|RSgRP zxJv&fZhTV{{Pc=l$jKvN%~U?;qC8r}kwzlt6_&~R6nL$n7>NT^g2^b_%drs1-|K`h zTr0Sk_NcecLoRU+$-go5)#goonl{EN`c%Waqt=`iUo@?UM!%<578~@z4__X1a%V0o za|3PkK+SasZtY3rA(FR*YyEbeKcZO0ELI6_wnV$oCGH&ml2&hZf%$+A*F3+&+~aWK zIbr{#hsq&tU!FC=l;Y2y>RGQx|GDC!yOq$C#HDTouYWn1)yNCbe6hM@Rv7sSi2RE` z>z$^3_O4QzLb!EPFu(Mps*fd0&*-R8?_=8i4##;0WSTYTIqy2H_z}-+f;EU@@;!de zq%%C7P8F}YbI~;g@l$VFLN{LK0Au9QCf^VM%J#xFnd=BKl)%*zT7aCJT(AeLUjl4!((&%CA9(YF6hxnezer30Nx^E#B(b zVwv)^=L7>wZER|bu*X%O#4?U=i*)1({^q6HQ@{PJ(73=H^AI^1+0~y=)Yajdz zHA$vy?^XM5f)mw>u#d1?o1*xfNcc*Z!~3JrR|d>7U&wK+>7-26m~agh5+6_AFl|23 za~?eaBPo(oF-w`JrZ{DvU#jWWV#`y=kndKnU8TDYYX0y~SOMY~dwo7bAh$nTG2>iX z6P@t)`bys@{21j%*8 za-dNL`eewmc575i2XparX8^aIx?DiiTJ9u&me)e`*sr-TBE7>vD?6ALUjs^6-&fII z60N01L})ok$6V1X>n`Z+(=>Y_@0e4kf=fjGU}NaJAia_1DH)6gD|sJb<5cbR4{_2Px+5z@dEFvT?utLwoISeR zG-SMdNQ`S}^ZPDe%rCdh7;2%KZd5_`g8js*XndtXuKEWeVH})zABRlCN zSy$j_5qD~@USA!lT?)lsM;J3= zZzzG7zjYT80bloItual(!nN2N%bmw(t{pTi+k26raFf?g-bjQbypfGdydkwm$swjc zkcXl-&pT*E3w@Ob*_2DpCVI-Z7B!o+JXo;nf)#dOg_XV*beaplw)9p{yTp*2@_L0U zD`~fa-d4fCwFWE8>^7{)10!EPl8jg$3l4`nHl0`J?^ z2X5?joM|2ZEVa2Vyp^GMN3BxBS#P5*8r$J66zLu3WS7l8%{1b844Rea^TRBS{@Urw z#}Y@y8MOU8@i{&^wyuEx+=;P;UQ+pd{=|a*V}^RLohy%+-YF;Xb4*K>H+_^lulsFd zz>WQ4oWOeG9*5^4RP<{!016>it;si1RcR4jOX1@IB~o8<4Q>k-v!uZ6BE@q7WR%2g zM98BJ`RVt!AK~|BvM7r(g6y8zsd@qtt@81|Svp&1%&X^UZ;d&&hssAg%1%0+su;!1 zx*3d}`gTt2rcurh&^(A>9W zZl)5td)O77$m~Ez$sHkgpWZMbvOK-HAFN1qUMp@%UXFZBnVX4Dr96moM<1Q;vhaX`)9ZiaHqx} z2nOxtE9oCS<`N>0ZRDYAMrvJZL08N@r~_T#LZBTxAc&~7Dq|W`+;-^X(N2)^A97*o6QewXg&d7tRXFi3>nvd0Ct@)C?;fNz6c1l$7<#$n~%Xo z-WPI{|#X(4a@ggPiB$lofOzb=2+qw9aV%Iq0;2>Dg`x{;oDO zA-;ReS6(g+e9+EjNxdV3f5qpWIh4u|BRAFVo~=}|`}#hpl3TDt8UBBn)(jwLbAr~Z`mBu=Y>z2$OyKGjkUINPDichmZ}Z_3s- 
zewHb|H$h56u-xV4_~q$mc9vkc#l}%^eL~$*xBd>_jimVm@(}c{&T*V!f&UG>k?mYa zv|}kNRYODouKfQY2&f8!q_!VHLSUU$9RtQVR>Jd%qLNLXSl8_>}k& zNso z&3W7*EgrFF?lq@+sS&;KiP(k4wRP#oeiLQzbJD=bBhe8FsC1E8)G|i%m-IFL%BB zH*1IVoDTXN!=rS|4ur~+>zL7tISFrktY3$%Kg*<>pG))&SgOz6drtN|KW@;sK@#oD zXM@G7XiqzeQp;&tU*)0IoA-I$lwqvza5P~S@fY_Ls~opaJHGJc^v0SDmiwvo%%hSg zC)0c-r~SbQCu*WO0O#(dSYFGEWj8B_QMG7XZQW|ZN=1HOn#U&szJOXw>MIVPpstI> zgyE<>h@Ii`ySu{{J^9wE`tJ_O@U=<*cYvY9fuPbyX1ZEc$cvCG zJWHj6_X6XJ)dS(RalHNjRCvpK$>nW52T|&gUdYG01+$i=U{s59Ma>w$TJvH4Ry%^` zT4K9KiI2#o%I)g|P}#E@z;c-s> zD{nBkG>7$F3=nB_pK;2zdBSSCG~73n@YN*nhCc@nB#GGg(3j{W7O?Bnpl z1d;#y$d$pbrg_DO4PNs$gN28W^iMwhrkahd=#HGkBbwp3Q)a)Pajj09De`GlJ5DQV z8E9b<=>1mo<%=u7*AkAli#T6DaasfN!V?2X&?eRFk>pG>lAYS{+9u484Mn<3Ka}-@D6Y>uSnGd+NR)}4R5~Da% zB6lQ``i$fED>Scg>=_g)u<9cEwVpeEg#7R$`1Yb6tb#gBw~c&$?VPkUr(#9)MrOF| zCr_cV?={Wx^TwIps-y%gR5Ro^j{xnhdA9L@e{xbH5-W2pvUA*Yhm!AVWR?+^e_w&Q8G*zr7MWc z>1R#e;HZktOtXuu%3a^w2eg{?<8%Dt&;RLPnZd0gCbahPFKzl(==^8X6S*ZW#Gx44 zu<@!oq|d%O^w3ZwKgdKC4x8*4q$2<#%ycUya3e5_JoDW8>QQd4!;4dD11*O8tyl5S zEgYA;x)T@0h)2!Bwh%Bc>dt(^7BXnA)Py7XiFlC4McJB1M(AI=0ZYV7=jC4Z0sKXyOOh2m#cBY!}Lzf7)_<0Q39l9p<~ zCzA|z=;!#GBDDWPzOj2Fg6r!aMi0;ygl~k>4;ox0<{WD`-LtpbI1m*|$LBTK#xD{o zG-?6AOTvJEHi{%HhBCi=DfNdqZ=IW=;(bjZ;)kFeI%po*$gKc#+U`={x&`xGDpDs0 z$~iCo<$;7T-aj3OOBH2HjY?ueWFx~N{Y*i3Ba}i`4?1P1qF1&uxipTp^;%Hoj`1&Z z2f&~L@#tiYK8Q|ZKOL_wev1opeM3{Te*Z}u+IunZ?!f?&YI~Nssx36M$RfGG*CQ0! zN!n8v?4>uFYeYZc1iF`VADi=PCp79D(~Pc|YRFn?gk(Gp3HB6t2I@8-3wyPw9u!z? 
zG=42SuHU|IKyFdn6E79>IDY+5(0~?|8@DxjwPLrqiO%JO(xW_bi_i+KKkv>-cSh6o z_`kEbN)9b9G$rV{$o@6owZ&NJgb}xzJyO(uW7wmyOcHOZgnOh_>#5WzI7Gvg4BN{A zqt~!lr)B|C32>s>n}_WcQZ|dcYHNrg$vQDVkYAtIokTN!ovJe=?ma!tz6-k1`a&y_8Cu5~K167fc{=K++SH-act`=I}Wo*n5yQlMkxDhF8MM%Q!YRzBiwh+=@PQ zK9OvCm(erfNXX>?e_V{Bw!CiaL~Em*mb?0(zOJg70AqQ3%F@*JiwtT(V};!i4` zB-|cL(q3qc7(9M|`#wS+ce@H;^sDeojM0KtbpYTzy>8Qlqq~f~`&9JWNy^Go6inzQ z>jTTdU-2q=m&5RKO+8i-6JL&Xy@0?j3p)XQc)DtZS0kX-qATMR4sp2UWzR$au2)k1 z8oD{(xPNQ-NY3Pig_o`yQgYes>Ft!b#bYZ;Dxo!&QCH6hrPoE@{DkAZSFnQV`I>x@ zkL-I}(bJUlnOhO0ZnNg_9M8;`AJn^^u0J~5Rik6Xohv>cim@GR76#b!`Jz9mJHvQW zA@<#3pnkuL-I|v%&3snJN6PSu;D=rJd3rk){Y*<4amn4fQgG59#5VKj@PWNf^R%f7 zQEk(vO?*~*qD~a?wK?D3Pi7EBPeGj7sHG=jB*og)lqucgx$(q-dc@W-t^H?hP0br1 z`_`a}e9p~)r*2!%?3W9u8oy^>sN^+|c(?%aq(`i?EB=UYBgu8%0`l?~nupMq=M=jF zOKaXh#_Npsj`}jlsr>%r`zp(41_tRzb30z<^sPhD?tX&PStax$hxO-Exh5aGroEBI zeNi^(6W`%<-nDT+(LyL@a)U3{(@R+u>)`IxF#- zbfyKQ)I@u|ed8m7ihs9JB2_G4`zjj{?VS`PPRkeYcxX7NSDPAEkmLT?=8(c)X8Gy+ zWW=mn9+ZEji2i1T_WV5SiQZP%&$37o+t@g}n3`HC*}Ii_u+->zZ40tz+>520cVw(1 zAYf{~)r)Uwen^|oF7OoMC6!g2t%ZRkf9qc=Z733YgP*}X~6 z(Tx0ZULxoGIqgJH8WFycng>*ur}{A(3AVf9)OdGg$#7=g!y0E8iNPN6y&u z6BD(L#tD(Hx9-u|7tb?2E9dT2d;X;LZG;om*>s!IQ-;U5U#nqC4fCMZ+>j$Vm&jL z;zm4f3^-^{en^YH=470rTcVpA-Roo|WH9~#{1dI6L}$_}q+ppy?4nrS3sd8;01r%t z62K&KlOZ@mJ#GU(e1)J=B~Z0^os%ab@|}}eMu^5xb;V@x2gQp=RyoXzu&YN3uX|H2 z<^}~JrXnGs(EyR$QmsLZ==i3;|8EJPdh>Zyvdc}MOii?BH}>ju{}hxNNj-HUkOgu&9q9@d<#Il2Hh zijZnPP5=|w02l-i1hiLqv+bcX9|BkmTX1>fYT;4(SPY&ES-EEYJar31w1-_WeR4|_ z@F*bW=&h!C^3^${6RI5@Y_?w~37LF13klH<_&x^5QAc;IzKy$mulTg=rr@bq$>qTe z5XOTy2sz;mU=lkR)Rt!waJRS-{gx2+*th--6hU{w8kFqoGvG2DWTAw0zaOV++D%r2 zuo|)emE$=eo$z7IJr1`mlJm^(CDPNwyT6hZ$8_p>j=nOPnAf~jvyGmH-babu^%`}E zvDeqr1)hu)EAy}Ri$#yZxy!x!1$gcb4jW#oA}~JoK^OY_Lqo9rnP{3(I<~n-xh>|e z(c0^bIgY$Ue|%96szcdlMe+qkG2}l81}Nww#Lk%#mfL{c3&6x63;C-lC?oOoLGP;~-RCId) z^4%G~E^Nh|w;BzBA#SCI>BxKnrsAS^bUckz7Pmzl-TIhv|jZol2~=5*YV zw$9HN|LLu^lDch&F@`l>90zAoUw|T%fc3{p_yvIMfg10EhR;d4zVBiodXCm~^2=BF 
zB?Zsgx|sm#)Chzao_WTzA4{F*W_t_6C$E)oH+0)AU)U1S%(aItigVR$rh!oHz66Zs zxk^Id;)66~!E~#pg3LK>KPYykDoKQTVsA^s=un+x<2I(cV1%geS>c89?&n`>LD=Gk zos)f!O@HtvV9D&Frh2Q3K4Mg){J2GEodn68*L4Z(+QM*yGOW~X znT~Uk0P4 znH%Q;R$G?SV5$^xO9K0Hi(ca>LABdB?V{+i)Qzn{Jd$QO8E62r_uV!9%`38yY~oue z9@k$0N{5PFV-GcY<*5{Vcx*%><5rWi_VpUmgdKH_d_$--K;c}kCFh#rlEwK8&ZM^+ zHMDYAF`q=-tRy3mp_iT3CCm^R!ShtESlqd956LohYdQrKk=QwF$3h?I=T#n3Z%%j>xK(=zYzl|KKUx?!*qz zwSirf>m_>WWV4UZkV!jE8rHD23qH#I9It0{@^znbT6$jfi8Jo@K;;fCQ)1zHTfpvB zGq&n)SH|YQ`v<2nl-&&ntydRwS&u;;_YIVstmxj@mV>apC9ywNNt&Zm>V8Dua5R|O z$tephm!nnY<8&C(p^rcr1-pGVR$)g!NO%Dk1i$L3nAx-T{-IuoJ@yNVEAX?k^NkYIFw z{5>%;W7@<$|2Sd)MPWHFPbQ=^bI;O<9+p?bzti1rgr*I|Vtw6wTD0hzqUO3?Y{XR; z<42AGB^bPotPK#3AKAYUs2!mT7`8zAGa}c{D+BGOcNLERHwA)=ONVVY3?8Z`{-S{( zEY0OPlOTqjTfak0wbT~E!*H~bIe+WF-U_-Wxcm#eS8 z4&QVARitzTy{+~@dSZ*;82W`;k(9GG?(1n+ribnBnTCHAiMj)soly8lN}rr_q`zBo zu*6Gxt_2x%HATrZEGA>>Bwm1~@ z1{pxCKcZcbcnp?VSM^Z!k0g)exJeniY_Iug)~ze$W^_Ixeb7xIkF;OkE4gqOG#aL9hcRT1we$4#yzh@`jvt z^AP@#gowI>{#9LZmE5zo1ibG+W$2H`PVWf?0#aN16|GXG!sr!l7FVY4*+p2^o|XG+ zc2SC?w3vRu8@=zQ3JjC)kSq$5lf}iVO-b_7uZN2i6+%z)GsC#3TI;E#{M7!{0 z=dBm112fuIr3TrFIUgre_K@xtMB66UnmFn9ZzU@b@g&&o2Oz*{1W_k(z9UBz4?y0W zsb8qD0{1yno4@)Z>*ACG%2@SNTRO#%V<8_&%%3cD+(S$>#GMaFa#AEW1 zU1pf@MrVmEsy68a<=q<*J0aYr67eHs2@Asv#!6W3l|<{NrD#4;p)?au$bi7D}8=ov~sz!;7lPtVN<8i<~QUKRmAP;d_2hX;Es*ShR~2CCmKYP1s!3u3YOA^s|P zR>IXsI5=jZs8tO3P!kkq05942@lKW&W6|!x(A;*+7_=gd<6ry)7Pd#sJ6Ff7fMm*v zq7;hu2?C-Q565bwXCeuUXkHLn4UI~;E_|%Wf3j5|WJ|7;r0{-_g@iqU%JHkwpz}(t zn;f#V<$hS&mJreW_sn(>iWyOO@)?xgpsMrDwNqjSbM|KMnaygz*i&C!i7Cj0C+Ovt zfl{P(!{yUBPr4q|l7S3YvSqJL%*^vHRJI?#>SfZCI6_--SZg8fJC{32plPnp?VW|4;RYG41)2m<; z?TEucD>cbl^8IAGzkjkDDK40fi|GNL0LwmM+~*cR{n9q?gcvrf*@{A3Coyu|yEzTz z;XmZ*mGo6JjOIXCdV0mAnX(xUp)Nm4G_Au>r<#m+vbBWf>02f_VVM{{?m}!11bwE1 zzg_TH?or#Lo6`yk(;Z?d3QIgA37l{p-T#LvvL$0{c|N113h?qfg+k?@oSMI>ZB{Dvzuqr z{YA#IdB1T(Eo5{@H?(6c)!cv#GeMDUH^xc!M3mjZ1R`T7G27HIBT3+z*t*Ur^XH#f z5274a<%(1@go#feEOLT|IZh(gTWe8F&I?MX9KYBYCTwJ-s6Hh_wO)|SZlpo@Ou3`H 
zc+_>VmDoRzRMjV+*Mu_5F4wAjP1bGuwTf7b=% z)KfrFOCFUJn9qtm_9{&SbkIp1>*8{ozbU9XaP?T~mG}Y5|n$iPQsFR+g zFB2+R>~7p__u$fKhSE}A{=w-p=kxm$p57!=CpJs`Wx_AQgda-=eSMpV^dm8aGSChE zzpWR0R&e*K&@9}}x4dC@sKBjZWX=lt#nO4XXfNL_2m#mQ2~#@Y-2G(Kiqst$dee4O zqnuCmcJ{z7VoVRigKL|?uG991aOfi;-mQXiALU#ha+lucTve@arGMK3x4eWRc2FHc zyuVss!e+;qU;MTQ>P;#&bFb7QjtAGoGK+ai5{*kL_blo4U0MuH;hl8KJ`OL#=zMHz z;@BN7IH&mW3RinIq53|*cN$YG`T@mvA`jAZJWUXfw9lcal{ zNmXi|gCbvtTa|Bq{u+Gqy2uOeNxvBK($qX5EF)PV zf#N3>U7Bn=B;W_AIF6&Z42_u3L20&u$~KxY0Xdx-Njxs(i$_?A2fC2;%=;P1V%av1 zXcfL@Iwj?@z?QJR)u-$$J_7+EwN-sZ`XUv-NNhxl>pGigSCWDaYD0y#jr-TY_JImz ztja;{-EX6}o2$PhShuZFA^e};nqt)KJPr5(KpdS^zn@$KEHrOBS-rqDC6wB1{hZ3# zn(>>9`T|APRW;W9N53Xq=#jeUZZ&)7LcC;7G~??@UhHh@w|Q%NhIwUI0=tD+a#bHf z9f6!c;DA7obF15;Km`$~SU@e32B8KpRlf_4d@mP6R7jS$UqayZX~uSxw%nrAc@`4$ zY_T_gi1KaqM}nLW@0?9x@8fRtlj#)lI=}gx)UJf8O0~urCL>48zp{L;)yfMM4D(@z zZLAzG_<=+v-%ikQR!hR|2sODhU<1ecUFRmsU-8V*mCcoW@rTSdMtzr^>G$>+RiU2} zE?@WD*gHC(Tvg;hPFYS0djTQj{nHcnefN`3%dvjB6PYAr{XzTsJ`Ti6OIfqj-ebDQnA?UNz~OzhqlCSCj!4Wxft3Qn@-|Xug1I`A}is_X90{B zS9^vF$LG|1h>d@{SN7Q8JF{4!=`m)^jBNVNxF<`tcg(Ph4oj~6Uzu|irpN7_X>UX8 z1mHh=1Pye0G)Ia2^df!rBJc9Emp;cguAl>XiCv^vPuL~XcYM8aC!%iWIFcMQuI$u4 zWmGoj;dH(RsBZ*=KH`a|-scI@>%9E>!c;&g`blb2+BuB58}Pwpio!PV#tPr2O=e5D zjDS%281v8PQ-bP^qC(~O^ea%GgSs;J4Le+(ms)v|R7j9Ch{-1g6ZsEK2g~)dAgerp zr@#*D**aYB3y0ubK7|xsZ!mQ`1LX1ErvD`fQDH=0Qz#n`;8J^RS<^An<3v;-j4Qtv zUv%=o`>a-*{cz)u_Xp?ZyXo3j>cOl3_8#HFa5axyGlhBVtRPA!&j1=}pcDDwm{GxR z3!<(g6j5PG$LZ)m5#f_gO3a=x6=nuh)~!Dd2U4fVmBF04UDPWU!6U{7syEB);^yB4 z@+$bW&Pc!f&PVCM7JLWsp0C=%C3bUv0%5QI`=)&V&#?Ce$T~aH*HoqHPmB+Ixu_P)a{{H#%(y+~dl*7T&4&ew9T%^r6}BOU0Kz*6xWjxbiS|AFJiA|1eR z*>^67OS5gDn0cInjQz!0x&u9XQ8=w~Dmi>4H2p(7G7xuTLv2JVW{O;enL*Q<-7$8m zN>FmyfhSSdk}AWt0SQ@8&Ji&jlr!%$MMZh4sDl!H2diP0dyV>1q6!a6Nyc~NHcX$f z<f!gR);5Ipw!cyE&0qI;<$gy6ry!ou*wS9L|S>kAkr02mC-eo zC*|sOiyEkVFU6lzpzjc1MT%7WgVzy^F}czk?q>(YC%+A^g}xLv&i*Ip0TzZfK=9)O zOMO+QDXF4~$3pd;LTa##^;}sY*hb6}>Ii_UMcPqrGjhnX}4_W;L~y9S8s2aQmOO zr)LQiuGRo>b 
zw%Svtn&Qa~2xEh7(kr@n;q&z21VSwuWT}(IXt9twlyr9%HHbd&8YJ3YORERg9UcM- z2n+QoMTvaPx^Q6l+ry}uR+0F?7ln;g0%3RVV0K1F=~?7#rzBYDqigsgqng}gx|YV* z>MlJt>EoLrC$p?G7T~{JI1_02PF|5!(1#;8kNux+gTT(IqkXsE-ysu8izUsUsJut6 z#7zJ~(m3JvuRh|jGhF7AZGGoLI`rU`NKI2Xik3|Xyos<5c6Qfdt6${Dbx!wAZ7E*4 z$~W-$@fO5~^88pL|Qww^#?n-E5IL4?VjA zaz)+(elBB(lald_hWNw64+{NblioJd5E7D(qkD-qP9@u8v%~#TPaG2i|`SqZP;%73| zM-+Dc6@B_tFgTFMA8E_w9!Vj^ppZSbuG&Q7J?ZTEoa(oo2_P06O_t|#vz509NGrYQ zczM}7C;IzYU9HDA1{G(9HcY(MyaM-<_^T-L*V2>is-WNm_c{O6b8=GMBPwA>Y5$SYam7)+JPfs|G&yTg3?EJFRN_i} ztCR@a(BgeM$AV#&L7`56Dys0sI=G}AvT?_zHxCFq<_(&#E3OT;Hml>OaM+Ee=T*0f zZGMeJRN`oLRLt>??Tyl?C@taw(`Bx864Q^IJVYBRI-fTJINk56BU2WdQ50Nn;;J2L zCFA`3R6st!M~t&-nSlp8w(1v5lNy!`pEO0@=`>XM!?LTXk#x~u^7#gC@>Qo^yC>|O^BYjPWsz0lK zU1+`7kk(ljvFK;&K)*pAXSuJyiaLUOTo(|+Hki?$(la5BlZ|_k(5Ireb;g)5{kLpD zwFRk$G|5foY?_Oelj6UlbNlAbR__^XA)A)FAG)Hdlc#DUDb$&o_Med7X}y~OTFT6#h%^yc6>>4eRO9&)Pii`yfo7N z><3%kF8|ez+qPxn<#tVJB}3K4p35;LPX6M`&(YPTr)&E<`Z)LDuk#(G8>V9|G~Vx; zzN1W__0`;U)YO&Stk)UGrzQzTY3p#;rjJXmBJ!RizuYieb$qLrZYK)`v_VTdlA0|- zaOCX}^sT$qWjeg5>g!xwDi9jMS=S!l_aZF7%>erWWRai>(|cMX4gtp{2@yR3PMvq2 zY%b7aSB|j!8;qSOtb|iGuMM5j&{cF@1q`6K2k9*%mJZW5a1a(lK$5ll`b&YU+uj6U zcn)$eT6EuLF~J$w*sGaMozJ-JzAA|GPCgwd71yo1U7tOnWU5BFjlE z00DyQ2da9wRgtcFuN^R$8wXBA2C~E~v~|$4FrAT#?McdwN%ML4X#IDG( zY0LQxf6HF1nnP&k@%U4te7T$0OsuGubWTsZku0FUcJ0$F5z+e$fabM zxnm@}{Uhda+l>fF&Ew9iv^W1O5pKB1HnzSg9O{Z2z+vP50O8Ax;)rH(@*DZwNNm2#QLD6jwFFf$Hw&@Vcdu968ze%kWsOU8kE#l_ zs6-}S!ZJSO8p6ErWslW7Wg$i_fj~Q8M>9B#ob?kt>TIcwXhAW2sj<$B=;JwFW7S+_ zoK_8ASX8c4L5v(rvI}dvHiF_4qPBhuwX(W5!I1w$)ho?cJ6*>%|Ldi+?JIUp_%(|^19R@$yD;CnP>i2> zFpUDX?b?+os_jcO>+8CJW!|>0J5-g`mkBL%0-+~-7cxg)OtTHFuLidD02b;1tH*zg z7&)OUoN&mX$p4oSE9|&YJ{TsfC!)Vm2#C41oH$CXicdv!OHu{0K6`&1MPuYf=r)e~eToVHlb| z73b=wMy@l#coJg zU`MDpTuWhKTVh?sIzW}|;9m?AWALtxP94^Db%CD#zAbNHN|~+V7yW?;H(`a}?y$vo z=3O?8rl%RMr^}W%dmU5aYsxE!HNZdY#TmRlx;WH)4QSXu!R)kobbd@jnm_& zxS=3fNq^=V;l@*ZtfZ)XPP|xINrBypou7RLz^>O6ld(?(35H2GSMWs#PK5ZmG5Pt# 
zOQKa9nBuJU(cg_bGBfJaOlhFh>QT=Z_SG|S(by260rp=3s+leppg8BBdG!P-kShnO z#PB@~WyTrO8~9WgFk4#%sU%WUsh^)LiYV$$yl|%?XUY0(^Ztl&se?^@P3Kz^#wKdX zfAJ~Mf7drInoxR z!tjCPJJ88>vS!|*-ZbbaFM5rp9x z&liyc5pZDop@z9zB>oG~TkqK~(rRqY4`tUzY+c;(5_E4=WDG~%3Xy>gsQY)hYTZsz zRGT@CA}5X5>7|s<3lRz{%}ZG5cqPbkmt^hDf1bUJSrqDV z;Je?y9qQ%=*@=VaNODZcaQvWnSQB{Q4oo03^NfUF4LL)Du9ScYtg(wXsnG?3Eb>yX zMo4>hCPwiM#8q>)Yd@l~jF@m=zCGNmy75YYf!K+MpX$Spso{Uw90YL8UasO}hWhqm zvOkL%``2O`M!L_qI`lf8wh>QE&~|O*Qch2b;9giB-8J&T@vbR2F8gQU#3)ry)@7>b z0G`-{Nhq+Y6)3crR>>j$06yT~`apf5zvsp_-HMo`+fEU2fk==~1G)Yaps@P%QaG@& zBj!2VW?h&tE{KjsCcRj8!+~i@+`yb+(c48QNQX@+=mZszD>ebAyvw#=rHHT&{xeZz zPxh`-+e27vno}5-MUyl8?`-YgsG5|I7hsN&OcR(pmk-svP{I*sI05hv*BYRLJAh}8 zFNJF5HS^?+kUxKhX=egmYe}rc5x-~bn99S}5Wy&U5$d%?gA?x$LD+`kdnz??x^`$O zhoZNx2e$^tw@oGz^%&Wm6rs*pc<)>fB%gji&t0ow7b!lZgW`Nenpv<6n0oJLfk3-jvd3i$r4%uw{SfM{EEseAQwz$t2dFyiee`XC zy6*4xLxjJ0w?jgY$JmGVrG#$|W^B_>wJE39Na!xVjo%WvYE#D{##?_D6;n^)yI3MU z#q8R)pMM@TARLi>yflK9h`v5s2VaQqS+GjRTyGRuUCfcQdY!nDGowR;ccRguA}kaT z0Na&U@`aeBxkg;=a$!_rAS~3{1G0 zb+}ziu_%Rutx0lMZz+CW8+z4|GS6)9ScqX)+F$w*`hF@8q!q8Y{DdCD{Xkc!6zBzE za_BbGc<`9rW!(u-d8g#?g0bm+2Q#}m<;AyjvCj5VQ=Gdy`k>Yvx28Wco&elF74eDI zue7^g>zOu%1`@l@TJN(RL8&%!PbtSXDgS!z+P=t_Sl>(!-d%A)A(?O8wt_-R-;@OV zL~&hWTNlzfmZq(>w@Ywtt;YW| zp^Ti|*}+VE>#Ko{kUI*%fVJbZae8s|H~ZPsI+HY71e|oFCOs-Y?(=iDp2X#!2luZ$ z@_TzYu%_cx0$Bh&A_}M^#(Xo!!#AQX>5u;22A&iAhz(dj7}lTpcKl6NP_`tOVv9g` z+mb(L=W^}=^)&MYfO{K(UICdM1g!1BERKyHKusVqV9+VKf{g`9bc>8C9u1A5o;HpO mI{j;hruhz6x2wiK{xhC^f8 Date: Mon, 4 Sep 2017 09:32:21 -0700 Subject: [PATCH 35/51] Fixing notes syntax --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index a2aaaf3e2b..d358dac1f5 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -30,7 +30,7 @@ Use this three phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) -> [!NOTE] +>[!NOTE] > Before proceeding, you should familiarize yourself with device regisration concepts such as: > * Azure AD registered devices > * Azure AD joined devices From e62b650a964402344b3b243860cd9096f1c8d4a2 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 4 Sep 2017 09:44:30 -0700 Subject: [PATCH 36/51] Correcting one note syntax that is not rendering properly --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index d358dac1f5..839a502215 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -30,7 +30,8 @@ Use this three phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) ->[!NOTE] + +> [!NOTE] > Before proceeding, you should familiarize yourself with device regisration concepts such as: > * Azure AD registered devices > * Azure AD joined devices From c0fdd260fe83738fb6a7cd382fe1aa0a762a419b Mon Sep 17 00:00:00 2001 
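Review bot: In the @@ -30,7 +30,8 @@ hunk of PATCH 36/51, the rendering fix is the blank line inserted between the numbered list and the blockquote; the `>[!NOTE]` to `> [!NOTE]` change simply reverts what PATCH 35/51 did one commit earlier, so the two commits should be squashed rather than leaving a no-op round trip in the history. The adjacent context line also reads "device regisration concepts", which should be "device registration" and could be fixed while this block is being touched.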
From: Mike Stephens Date: Mon, 4 Sep 2017 14:39:03 -0700 Subject: [PATCH 37/51] Major changes to the organizational flow Next Steps styles Step-by-step styles Updated the TOC --- .../hello-hybrid-cert-new-install.md | 46 +++------------- .../hello-hybrid-cert-trust-devreg.md | 20 +++++-- .../hello-hybrid-cert-trust-prereqs.md | 23 +++++--- .../hello-hybrid-cert-trust.md | 6 ++- .../hello-hybrid-cert-whfb-provision.md | 15 ++++-- .../hello-hybrid-cert-whfb-settings-ad.md | 14 ++--- .../hello-hybrid-cert-whfb-settings-adfs.md | 21 ++++++-- ...ello-hybrid-cert-whfb-settings-dir-sync.md | 19 +++++++ .../hello-hybrid-cert-whfb-settings-pki.md | 52 ++++++++++--------- .../hello-hybrid-cert-whfb-settings-policy.md | 45 +++++++++------- .../hello-hybrid-cert-whfb-settings.md | 7 +-- .../hello-for-business/toc.md | 8 ++- 12 files changed, 165 insertions(+), 111 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index 99ae12c00f..e334bd351c 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -26,8 +26,7 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory Federation Services](#active-directory-federation-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If you're environment meets these needs, you can read the [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) section to learn about specific Windows Hello for Business configuration settings. - +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. 
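Review bot: The rewritten paragraph in the @@ -26,8 +26,7 @@ hunk still carries "exsting envrionment" (should be "existing environment") even though the same replacement line already corrects "If you're environment" to "If your environment"; fix both misspellings while the line is being replaced rather than leaving them for another commit.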
@@ -91,38 +90,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Review the different ways to establish an Azure Active Directory tenant. > * Create an Azure Active Directory Tenant. > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. - - - - - - -#### Multiple Domains #### -Federating multiple, top-level domains with Azure AD requires some additional configuration that is not required when federating with one top-level domain. - -For example, federating the top-level contoso.com domain requires no additional configuration. However, if Contoso Corporation acquires Fabrikam Corporation and wants to federate under Contoso.com, then additional configurations are needed because these are two top-level domains for contoso.com. - -To configure your environment for multiple domains, follow the [Multiple Domain Support for Federating with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple-domains) procedures. - -#### Device Registration #### -With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your resources from devices that meet your standards for security and compliance. For more details, see Introduction to device management in Azure Active Directory. - -Use the [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) procedures to configure your environment to support device registration. - -#### Device writeback #### -As previously mentioned, Windows Hello for Busines hybrid certificate- trust deployments that include domain joined computers use the device writeback feature to authenticate the device to the on-premises federation server. 
- -Use the [Enabling device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-feature-device-writeback) section to configure device writeback functionality in your environment. - -### Section Review - -> [!div class="checklist"] -> * Federation Proxy Servers -> * Multiple top-level domains -> * Azure Device Registration -> * Device Writeback - - + ## Multifactor Authentication Services ## Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA @@ -159,8 +127,9 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. -### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. With your baseline configuration complete, your next step is to **Configure Windows Hello for Business** if your envirionment. +> [!div class="nextstepaction"] +> [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +


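Review bot: The @@ -91,38 +90,7 @@ hunk deletes the "Section Review" checklist along with the Multiple Domains, Device Registration and Device writeback subsections, but that checklist also listed "Federation Proxy Servers", which this hunk does not remove; either keep a reduced checklist for the federation proxy content that remains in the file or confirm it is reviewed elsewhere. The single replacement line `+ ` consists of one space, which adds trailing whitespace; make it an empty line.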
@@ -169,5 +138,6 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide. 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) -4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 839a502215..00d616a17c 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -15,9 +15,6 @@ localizationpriority: high **Applies to** - Windows 10 -> [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) - >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. 
@@ -502,4 +499,19 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> -- object of type msDS-DeviceRegistrationService in the above container \ No newline at end of file +- object of type msDS-DeviceRegistrationService in the above container + +[!div clas="nextstepaction"] +[Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Azure Device Registration (*You are here*) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 22235193ec..974cec1a99 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -18,7 +18,7 @@ localizationpriority: high >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) 
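Review bot: In the @@ -502,4 +499,19 @@ hunk of hello-hybrid-cert-trust-devreg.md, `[!div clas="nextstepaction"]` misspells `class` and omits the `>` blockquote prefix that every other next-step block in this patch uses, so the button will not render; it should read `> [!div class="nextstepaction"]` followed by `> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)`. Step 2 of the new navigation list is spelled "Prerequistes"; the same misspelling is reproduced in every copy of this list across the patch and should be corrected to "Prerequisites" in all of them.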
@@ -29,9 +29,9 @@ The distributed systems on which these technologies were built involved several * [Device Registration](#device-registration) ## Directories ## -Hybrid Windows Hello for Business needs two directories: an on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. +Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, do not require Azure Active Directory premium subscription. +A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. @@ -111,7 +111,17 @@ Hybrid certificate trust deployments need the device write back feature. Authen
### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the New Installation Basline. Choose Configure Windows Hello for Business if your envirionment is already federated with Azure and/or Office 365 +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. + +If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. + +If your environment is already federated and supports Azure device registration, choose **Configure Windows Hello for Business settings**. + +> [!div class="op_single_selector"] +> - [New Installation Baseline](hello-hybrid-cert-new-install.md) +> - [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +> - [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +


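Review bot: In the @@ -111,7 +111,17 @@ hunk, the new bolded option "**New Installation Basline**" keeps the old misspelling and now disagrees with the link text "New Installation Baseline" in the op_single_selector block a few lines below; correct it to "Baseline". Likewise the @@ -29,9 +29,9 @@ hunk above rewrites the "A hybrid Windows Hello for Busines deployment" line without fixing "Busines", and its new wording "may not require Azure Active Directory premium subscription" is missing an article ("an Azure Active Directory Premium subscription").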
@@ -120,5 +130,6 @@ Follow the Windows Hello for Business hybrid certificate trust deployment guide. 1. [Overview](hello-hybrid-cert-trust.md) 2. Prerequistes (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 1183ae9b8b..17fc099500 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md 
@@ -30,9 +30,13 @@ The new deployment baseline helps organizations who are moving to Azure and Offi This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. ## Federated Baseline ## -The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Windows Hello for Business to an existing hybrid deployment. +The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. + +> [!div class="nextstepaction"] +> [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +


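Review bot: The link text added in the @@ -30,9 +30,13 @@ hunk, "[Prerequistes](hello-hybrid-cert-trust-prereqs.md)", is misspelled; the context line immediately above also reads "you're next step is" where "your" is meant, so this block is a good place to correct both.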
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 23ce3d4770..80db6db8c1 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -49,7 +49,7 @@ The provisioning flow has all the information it needs to complete the Windows H The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. > [!IMPORTANT] -> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has syncrhonized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. +> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. > [!NOTE] > Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. 
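Review bot: The replaced line in the @@ -49,7 +49,7 @@ hunk corrects only the second "syncrhonized"; the same line still opens with "The minimum time needed to syncrhonize" and ends with "thier PIN", and the surrounding context has "AAD Connect syncrhonizes" and "syncrhonization latency". Fix every occurrence in this block in one pass instead of one word per commit.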
@@ -60,6 +60,15 @@ The AD FS registration authority verifies the key used in the certificate reques The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. - -  +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) +6. Sign-in and Provision(*You are here*)  diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 6ed257222f..9f445aaad3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -17,7 +17,7 @@ ms.author: mstephen >[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. @@ -62,15 +62,14 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva > [!div class="checklist"] > * Identify the schema role domain controller > * Update the Active Directory Schema to Windows Server 2016 -> * Create the KeyCredential Admins Security group, (optional) +> * Create the KeyCredential Admins Security group (optional) > * Create the Windows Hello for Business Users group - >[!div class="step-by-step"] [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[ Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) -
+


@@ -78,5 +77,6 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. Configure Windows Hello for Business settings: Active Directory (*You are here*) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: Active Directory (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 947af19002..f0773eaf3b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -21,8 +21,8 @@ ms.author: mstephen >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. >[!div class="step-by-step"] -[ Configure Windows Hello for Business: PKI >](hello-hybrid-cert-whfb-settings-pki.md) -[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings-policy.md) +[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. 
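Review bot: the misspelling "Prerequistes" appears in every nav list these hunks add (provision, settings-ad, settings-adfs); fix it to "Prerequisites" once here instead of propagating it across the page set. In the provision.md list, "Sign-in and Provision(*You are here*)" needs a space before the parenthesis. In the settings-adfs.md step-by-step block the back link reads "[< Configure PKI >]" with arrows on both sides; it should be "[< Configure PKI]". The settings-ad.md hunk still ends with "\ No newline at end of file", and the settings-adfs context line has "Active Directory Fedeartion Server" for "Active Directory Federation Services".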
@@ -68,7 +68,17 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 10. Click **OK** to return to **Active Directory Users and Computers**. 11. Change to server hosting the AD FS role and restart it. -
+### Section Review +> [!div class="checklist"] +> * Configure the registration authority +> * Update group memberships for the AD FS service account + + +>[!div class="step-by-step"] +[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) + +


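Review bot: the step-by-step block added in this hunk repeats the double-arrowed "[< Configure PKI >]"; drop the trailing ">" on the back link. Step 11 in context, "Change to server hosting the AD FS role and restart it", should read "Switch to the server hosting the AD FS role and restart it", and it is worth one clause on why: the AD FS service only picks up the group membership change from the checklist item "Update group memberships for the AD FS service account" once it restarts and obtains a fresh token.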
@@ -76,6 +86,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. Configure Windows Hello for Business settings (*You are here*) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: AD FS (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 3ca478b17b..7509e8ca62 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -15,6 +15,10 @@ ms.author: mstephen **Applies to** - Windows 10 +>[!div class="step-by-step"] +[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) + ## Directory Syncrhonization >[!IMPORTANT] @@ -46,3 +50,18 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv > [!div class="checklist"] > * Configure Permissions for Key Synchronization +>[!div class="step-by-step"] +[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: Active Directory (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 35b02c4710..731c19984e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -17,8 +17,8 @@ ms.author: mstephen - Windows 10 > [!div class="step-by-step"] -[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md) +[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. 
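Review bot: in the dir-sync.md nav list, step 5 reads "Configure Windows Hello for Business settings: Active Directory (*You are here*)", copied from the AD page; this page is the directory synchronization step, so relabel it. The heading "## Directory Syncrhonization" in the same file is misspelled ("Synchronization"), and the context line "Sign-in a domain controller or management workstations with" should be "Sign in to a domain controller or management workstation with". The pki.md @@ -17 links (back to Azure AD Connect, forward to AD FS) match the ordering the other pages now use.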
@@ -47,15 +47,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise�s needs. - **Note**If you use different template names, you�ll need to remember and substitute these names in different portions of the lab. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. + **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. #### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template -Many domain controllers may have an existing domain controller certificate. 
The Active Directory Certificate Services provides a default certificate template from domain controllers�the domain controller certificate template. Later releases provided a new certificate template�the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). 
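Review bot: the heading "#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template" should read "Superseding" (the body text itself says "supersede"). In step 5, "**Note**If" needs a space or, better, the [!NOTE] callout the rest of the file uses, and "prior to update of the Kerberos specification" should be "prior to an update to the Kerberos specification". The mojibake replacements (� to ' and to --) are correct, and the step 7 settings (Key Storage Provider, RSA 2048, SHA256) are the ones a KDC certificate should carry, so the substance is fine.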
@@ -79,7 +79,7 @@ The certificate template is configured to supersede all the certificate template Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. -Approximately 60 days prior to enrollment agent certificate�s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. +Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. > [!IMPORTANT] > Follow the procedures below based on the AD FS service account used in your environment. 
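Review bot: "Approximately 60 days prior to enrollment agent certificate's expiration" is missing an article ("the enrollment agent certificate's expiration"), and the context sentence "Active Directory Federation Server used for Windows Hello for Business certificate enrollment" should be "The Active Directory Federation Services server used for". "You can view the AD FS event logs" would be more actionable if it named the channel an admin should open (the AD FS/Admin log under Applications and Services Logs).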
@@ -92,7 +92,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise�s needs. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 
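Review bot: step 3 in context, "right click on the **Exchange Enrollment Agent (Offline request)** template details pane", is garbled; "right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane" matches the wording of the other template procedures. The "**Note:**" after step 6 (GMSA accounts cannot use "Build from this Active Directory information", so enrollment fails silently if "Supply in the request" is not selected) is the one step that breaks the deployment when missed; promote it to an [!IMPORTANT] callout like the one at the top of this section.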
@@ -111,14 +111,14 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise�s needs. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. 9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 10. Close the console. -#### Creating Windows Hello for Business authentication certiicate template +### Creating Windows Hello for Business authentication certiicate template During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. 
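Review bot: changing the heading from #### to ### makes "Creating Windows Hello for Business authentication certiicate template" a sibling of "Publish Certificate Templates" while "Configure Certificate Suspeding..." earlier in the same file stays at ####; confirm the hierarchy is intended. The typo "certiicate" is carried into the + line unchanged. In step 8 the bold is misplaced: "**Enter the object names to select** text box". Step 9 (Enroll allowed for adfssvc only, Enroll and Autoenroll cleared for every other principal) is the right least-privilege setting for an enrollment agent template; a one-line note saying so would help readers understand why the clearing matters.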
@@ -128,8 +128,8 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise�s needs. - **Note:** If you use different template names, you�ll need to remember and substitute these names in different portions of the deployment. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. 
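Review bot: step 8 in context, "select the T**his number of authorized signatures** check box", has the bold marker after the T; it should be "**This number of authorized signatures**". The hunk itself only replaces the mojibake apostrophes, which is correct.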
@@ -145,17 +145,16 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. 1. Open an elevated command prompt. -2. Run `certutil �dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` >[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It�s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. Publish Templates ### Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. 
If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - ### Unpublish Superseded Certificate Templates The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. @@ -170,18 +169,22 @@ Sign-in to the certificate authority or management workstation with _Enterprise 4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. -> [!div class="step-by-step"] -[< Configure Windows Hello for Business: Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[ Configure Windows Hello for Business: ADFS >](hello-hybrid-cert-whfb-settings-adfs.md) - - - ### Section Review +> [!div class="checklist"] +> * Domain Controller certificate template +> * Configure superseded domain controller certificate templates +> * Enrollment Agent certifcate template +> * Windows Hello for Business Authentication certificate template +> * Mark the certifcate template as Windows Hello for Business sign-in template +> * Publish Certificate templates to certificate authorities +> * Unpublish superseded certificate templates +> [!div class="step-by-step"] +[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) - -
+


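Review bot: the bare line "Publish Templates" directly above "### Publish Certificate Templates to a Certificate Authority" looks like a leftover heading draft; remove it. In the [!NOTE] following the certutil command, "on our Windows Server 2012 or later certificate authority" should be "on your". In the new Section Review checklist, "certifcate" appears twice ("Enrollment Agent certifcate template" and "Mark the certifcate template..."), and the first item, "Domain Controller certificate template", lacks the verb the other items have ("Configure the Domain Controller certificate template").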
@@ -189,6 +192,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. Configure Windows Hello for Business settings: PKI (*You are here*) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: PKI (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index bf62e333c7..6046525c76 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -15,6 +15,10 @@ ms.author: mstephen **Applies to** - Windows 10 +> [!div class="step-by-step"] +[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md) + + ## Policy Configuration >[!IMPORTANT] 
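Review bot: the step-by-step div added at the top of policy.md has only a back link ("[< Configure AD FS]") followed by two blank lines; every sibling page pairs a back link with a forward link, so either add "[Sign-in and Provision >](hello-hybrid-cert-whfb-provision.md)" or drop the extra blank lines. The pki.md nav list in the previous hunk carries the same "Prerequistes" typo as the others.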
@@ -174,21 +178,26 @@ Starting with Windows 10, version 1703, the PIN complexity Group Policy settings Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review -- [x] Active Directory -- [x] Public Key Infrastructure -- [x] Azure Active Directory -- [x] Directory Synchronization -- [x] Active Directory Federation Services -- [x] Federation Services - - [x] Federation Proxy Servers - - [x] Multiple top-level domains - - [x] Azure Device Registration - - [x] Device Writeback -- [x] Multifactor Authentication -- [x] Windows Hello for Business - - [x]Active Directory - - [x] Directory Synchronization - - [x] Public Key Infrastructure - - [x] Federation Services - - [x] Group Policy -- [ ] Sign-in and Provision +> [!div class="checklist"] +> * Configure domain controllers for automatic certificate enrollment. +> * Create Windows Hello for Business Group Policy object. +> * Enable the Use Windows Hello for Business policy setting. +> * Enable the Use certificate for on-premises authentication policy setting. +> * Enable user automatic certificate enrollment. +> * Add users or groups to the Windows Hello for Business group + + +> [!div class="nextstepaction"] +[Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business policy settings (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index a858847f04..e30c8e8e4d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -36,7 +36,7 @@ For the most efficent deployment, configure these technologies in order beginnin > [!div class="step-by-step"] [Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) -
+


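Review bot: the context paragraph above the new checklist has "Wwindows Hello for Business Authentication certificate" and "the group used synchronize users" ("used to synchronize"); fix both while the block is being touched. The checklist ends five items with a period and the sixth ("Add users or groups to the Windows Hello for Business group") without one; make them consistent. In the settings.md hunk the "-"/"+" pair at the end looks like a whitespace-only change on a blank line; if it is not deliberate, drop it from the diff.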
@@ -44,5 +44,6 @@ For the most efficent deployment, configure these technologies in order beginnin 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. Configure Windows Hello for Business settings (*You are here*) -5. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 16fe1de0d9..23b513ca85 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -1,4 +1,4 @@ -# [Windows Hello for Business](hello-identity-verification.md) +# [Windows Hello for Business](hello-identity-verification.md) ## [Windows Hello for Business Overview](hello-overview.md) ## [How Windows Hello for Business works](hello-how-it-works.md) 
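Review bot: the toc.md @@ -1,4 hunk replaces "# [Windows Hello for Business](hello-identity-verification.md)" with an identical-looking line, so the change is invisible (a BOM or trailing whitespace); confirm it is intended, since a stray byte-order mark at the top of toc.md can break the first TOC entry on render. The settings.md hunk still ends with "\ No newline at end of file".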
@@ -14,7 +14,11 @@ ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) ### [Hybrid Domain Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - +#### [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +#### [New Installation Baseline](hello-hybrid-cert-new-install.md) +#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) +#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)  ### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) #### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) #### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) From c3eef8edd2f0a255efc15ef6771aeebbbc3d2b9c Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 4 Sep 2017 15:11:36 -0700 Subject: [PATCH 38/51] minor edits --- .../hello-hybrid-cert-trust-devreg.md | 2 +- .../hello-hybrid-cert-whfb-provision.md | 2 +- .../hello-hybrid-cert-whfb-settings-adfs.md | 2 +- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 2 +- .../hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 12 ++++++------ windows/access-protection/hello-for-business/toc.md | 3 ++- 7 files changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 00d616a17c..d018eb1f54 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
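Review bot: the new TOC entry "[Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)" links the settings overview page, whose own nav list calls it "Configure Windows Hello for Business settings"; the policy page in this PR is hello-hybrid-cert-whfb-settings-policy.md. Either rename the entry to match the page it links or link the policy page. The five sub-pages of the settings step (Active Directory, Azure AD Connect, PKI, AD FS, policy settings) get no TOC entries at all, so they are reachable only through the in-page step-by-step links; add a nested level for them. "Prerequistes" again in the new entry.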
@@ -501,7 +501,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container -[!div clas="nextstepaction"] +>[!div class="nextstepaction"] [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
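Review bot: the change to ">[!div class="nextstepaction"]" correctly restores the blockquote prefix and fixes "clas", but the context lines above use bare "<domain>" inside the DN strings (for example "CN=Services,CN=Configuration,DC=<domain>"); markdown treats that as an HTML tag and drops it on render, leaving "DC=" with no placeholder. Wrap each DN in backticks or escape it as &lt;domain&gt;.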

diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 80db6db8c1..e5eec9afa3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -52,7 +52,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting > The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. > [!NOTE] -> Microsoft is actively investigating in ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. +> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index f0773eaf3b..e4307b33f7 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
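Review bot: the edit drops the stray "in" from "investigating in ways" but leaves "syncrhonization" in the same + line (and twice more in the surrounding context); fix the spelling in the same pass. In the context below, "Windows send the certificate request" should be "sends", and "thier PIN" should be "their".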
@@ -47,7 +47,7 @@ The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. >[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It�s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. ### Group Memberships for the AD FS Service Account 
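Review bot: "**WHFBEnrollmentAgent** and WHFBAuthentication" bolds one template name and not the other; bold both. The same [!NOTE] text appears in pki.md under the certutil step with "on our Windows Server 2012" where this copy has "on a"; align the two. The point the note makes, that Set-AdfsCertificateAuthority takes the template name and not the display name, is the one that trips deployments, so keep it prominent.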
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 7509e8ca62..3f5bd3b811 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -63,5 +63,5 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings: Active Directory (*You are here*) +5. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) 6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 731c19984e..990582f963 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
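Review bot: the relabel of step 5 to the directory synchronization step is right, but the + line spells it "Syncrhonization"; use "Synchronization". The "## Directory Syncrhonization" heading added to this file earlier in the series has the same misspelling and should be fixed together with it.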
@@ -118,7 +118,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 10. Close the console. -### Creating Windows Hello for Business authentication certiicate template +### Creating Windows Hello for Business authentication certificate template During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 6046525c76..28ebad1414 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
@@ -137,13 +137,13 @@ The application of the Windows Hello for Business Group Policy object uses secur Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. -### Other Related Group Policy settings +## Other Related Group Policy settings -#### Windows Hello for Business +### Windows Hello for Business There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. -##### Use a hardware security device +#### Use a hardware security device The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. 
@@ -151,13 +151,13 @@ You can enable and deploy the **Use a hardware security device** Group Policy Se Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. -##### Use biometrics +#### Use biometrics Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. -#### PIN Complexity +### PIN Complexity PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. 
@@ -173,7 +173,7 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. -### Add users to the Windows Hello for Business Users group +## Add users to the Windows Hello for Business Users group Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 23b513ca85..989f35139c 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -18,7 +18,8 @@ #### [New Installation Baseline](hello-hybrid-cert-new-install.md) #### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)  +#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + ### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) #### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) #### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 
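Review bot: the apostrophe repair in the hunk at @@ -47,7 +47,7 @@ (the `Set-AdfsCertificateAuthority` note) leaves the two template names formatted differently; **WHFBEnrollmentAgent** is bold while WHFBAuthentication is plain, and since the reader must substitute both, format them the same: `replace **WHFBEnrollmentAgent** and **WHFBAuthentication** in the above command`.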
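Review bot: the new step-5 label in hello-hybrid-cert-whfb-settings-dir-sync.md (@@ -63,5 +63,5 @@) introduces a typo, "Directory Syncrhonization"; it should read "Directory Synchronization", i.e. `5. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)`.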
From ff22840df0b45d5263510bc70ce43c1efe09715b Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 4 Sep 2017 15:58:10 -0700 Subject: [PATCH 39/51] minor fixes to hybrid cert trust deployment guide Added "PIN caching" entry in FAQ --- .../hello-hybrid-cert-whfb-settings-ad.md | 2 -- .../hello-hybrid-cert-whfb-settings-adfs.md | 12 ++++------- ...ello-hybrid-cert-whfb-settings-dir-sync.md | 20 ++++++++++++++++++- .../hello-identity-verification.md | 5 ++++- 4 files changed, 27 insertions(+), 12 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 9f445aaad3..fd1c811ee3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -60,8 +60,6 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva ### Section Review > [!div class="checklist"] -> * Identify the schema role domain controller -> * Update the Active Directory Schema to Windows Server 2016 > * Create the KeyCredential Admins Security group (optional) > * Create the Windows Hello for Business Users group diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index e4307b33f7..b7b3e29e76 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -52,21 +52,17 @@ This warning indicates that you have not configured multi-factor authentication ### Group Memberships for the AD FS Service Account -The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. +The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. -3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +3. Right-click **Windows Hello for Business Users** group 4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add** -9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -10. Click **OK** to return to **Active Directory Users and Computers**. -11. Change to server hosting the AD FS role and restart it. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Restart the AD FS server. ### Section Review > [!div class="checklist"] diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 3f5bd3b811..b6348b63b3 100644 
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -29,7 +29,7 @@ In hybrid deployments, users register the public portion of their Windows Hello The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. > [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Configure Permissions for Key Synchronization**. +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. ### Configure Permissions for Key Syncrhonization 
@@ -45,10 +45,28 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv 8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. 9. Click **OK** three times to complete the task. + +### Group Memberships for the Azure AD Connect Service Account + +The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +>[!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. + +3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add** +5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. + ### Section Review > [!div class="checklist"] > * Configure Permissions for Key Synchronization +> * Configure group membership for Azure AD Connect >[!div class="step-by-step"] [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 89c2110b38..31b440f9c4 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md 
@@ -78,7 +78,7 @@ There are many deployment options from which to choose. Some of those options re Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". ### Can I use PIN and biometrics to unlock my device? -No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the device with multiple factors. +No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the desktop with additional factors. ### What is the difference between Windows Hello and Windows Hello for Business Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. 
@@ -98,3 +98,6 @@ Windows Hello for Business can work with any third-party federation servers that ### Does Windows Hello for Business work with Mac and Linux clients? Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) + +### How does PIN caching work with Windows Hello for Business? +Windows Hello for Business securely caches the key rather than the PIN using a ticketing system. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. Windows 10 does not provide any Group Policy settings to adjust this caching. \ No newline at end of file From ca17ad069a195c38e9d287476a64c56c1932c79f Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 7 Sep 2017 09:14:05 -0700 Subject: [PATCH 40/51] minor updates --- .../hello-hybrid-cert-trust.md | 2 +- .../hello-identity-verification.md | 20 +++++++++++++++++-- .../hello-planning-guide.md | 2 +- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 17fc099500..dd470a6917 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md 
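Review bot: removing "Identify the schema role domain controller" and "Update the Active Directory Schema to Windows Server 2016" from the Section Review checklist in hello-hybrid-cert-whfb-settings-ad.md (@@ -60,8 +60,6 @@) touches only the checklist; the corresponding schema-update steps in the body of the page are not in this diff, so confirm they were removed or moved as well, otherwise the checklist no longer matches the procedure above it.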
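Review bot: in the rewritten procedure in hello-hybrid-cert-whfb-settings-adfs.md (@@ -52,21 +52,17 @@), new step 3 "Right-click **Windows Hello for Business Users** group" drops the "and click **Properties**" that the removed step 3 had, so the reader is never told to open the group's property sheet before step 4 asks for the **Members** tab; suggest `3. Right-click **Windows Hello for Business Users** in the details pane and click **Properties**.` and add the missing period to step 4. Dropping the KeyCredential Admins membership for **adfssvc** is the right least-privilege change if key registration is now performed by the Azure AD Connect account rather than AD FS, as the dir-sync hunk in this patch implies, and the intro sentence was updated to match.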
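Review bot: the forest-to-domain correction in hello-hybrid-cert-whfb-settings-dir-sync.md (@@ -29,7 +29,7 @@) is right, since the key registration permissions are granted per domain; while this page is being edited, the unchanged trailing context line "### Configure Permissions for Key Syncrhonization" should be corrected to "Synchronization".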
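Review bot: in the new "Group Memberships for the Azure AD Connect Service Account" section (hello-hybrid-cert-whfb-settings-dir-sync.md, @@ -45,10 +45,28 @@) the `>[!IMPORTANT]` callout directly follows list item 2 with no blank line, which in Markdown will either attach the quote to item 2 or break the numbered list so that item 3 restarts numbering; insert a blank line before `>[!IMPORTANT]`. Use one spelling for the group names as well: the paragraph and step 3 say **KeyAdmins** / **KeyCredential Admins** while the callout says "Keyadmins" and "KeyCredential admins", and the built-in group that Windows Server 2016 domain controllers create is displayed as "Key Admins" (with a space) in Active Directory Users and Computers, so check that "KeyAdmins" is intentional. Since membership in either group grants write access to msDS-KeyCredentialLink, a sentence saying to limit membership to the Azure AD Connect service account and audit changes to it would be worth adding here.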
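Review bot: the new "How does PIN caching work" entry in hello-identity-verification.md (@@ -98,3 +98,6 @@) is added without a terminating newline ("\ No newline at end of file"); end the file with a newline so the next append does not produce a noisy diff. The unchanged line above it still reads "inqury" for "inquire", worth fixing while this section is being edited.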
@@ -25,7 +25,7 @@ It is recommended that you review the Windows Hello for Business planning guide This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline ## -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations how are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 31b440f9c4..b4e0aba47b 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md 
@@ -86,6 +86,24 @@ Windows Hello represents the biometric framework provided in Windows 10. Window ### I have extended Active Directory to Azure Active Directory. Can I use the on-prem deployment model? No. If your organization is federated or using online services, such as Office 365 or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. +### Does Windows Hello for Business prevent the use of simple PINs? +Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns. +So, for example: +* 1111 has a constant delta of 0, so it is not allowed +* 1234 has a constant delta of 1, so it is not allowed +* 1357 has a constant delta of 2, so it is not allowed +* 9630 has a constant delta of -3, so it is not allowed +* 1231 does not have a constant delta, so it is okay +* 1593 does not have a constant delta, so it is okay + +This algorithm does not apply to alphanumeric PINs. + +### How does PIN caching work with Windows Hello for Business? +Windows Hello for Business securely caches the key rather than the PIN using a ticketing system. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. Windows 10 does not provide any Group Policy settings to adjust this caching. + +### Can I disable the PIN while using Windows Hello for Business? +No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurence where you cannot authenticate with biometrics, you need a fall back mechansim that is not a password. 
The PIN is the fall back mechansim. Disabling or hiding the PIN credential provider disabled the use of biometrics. + ### Does Windows Hello for Business work with third party federation servers? Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) @@ -99,5 +117,3 @@ Windows Hello for Business can work with any third-party federation servers that ### Does Windows Hello for Business work with Mac and Linux clients? Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) -### How does PIN caching work with Windows Hello for Business? -Windows Hello for Business securely caches the key rather than the PIN using a ticketing system. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. Windows 10 does not provide any Group Policy settings to adjust this caching. \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 3ae2518616..4613069b73 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md 
@@ -208,7 +208,7 @@ If your Azure AD Connect is configured to synchronize identities (usernames only You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet. -Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. +Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises Azure MFA server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. The last option is for you to use AD FS with a third-party adapter to as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. From 2205ec078e254aa1a9ef8408754844ac6fd36da6 Mon Sep 17 00:00:00 2001 
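Review bot: the "how" to "who" fix in hello-hybrid-cert-trust.md (@@ -25,7 +25,7 @@) leaves a second error in the same sentence: "familiarize themselves Windows Hello for Business" is missing "with"; suggest "familiarize themselves with Windows Hello for Business".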
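Review bot: the new FAQ entries in hello-identity-verification.md (@@ -86,6 +86,24 @@) carry several typos: "occurence" should be "occurrence", "mechansim" should be "mechanism" (twice), and "Disabling or hiding the PIN credential provider disabled the use of biometrics" should read "disables". The simple-PIN examples are consistent with the stated rule (9630 has a constant delta of -3; 1231 and 1593 have no constant delta), and the closing line that the rule does not apply to alphanumeric PINs is a useful caveat to keep.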
From: Mike Stephens Date: Thu, 7 Sep 2017 14:16:27 -0700 Subject: [PATCH 41/51] final edits and changes from public comments --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- .../hello-hybrid-cert-trust-prereqs.md | 3 +++ .../hello-identity-verification.md | 6 +++++- .../hello-for-business/hello-planning-guide.md | 14 +++++++++----- 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md index 9b673f825b..a73b950e24 100644 --- a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md @@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4022723](https://support.microsoft.com/en-us/help/4022723). +2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658). >[!IMPORTANT] >The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 974cec1a99..2a2f19ee41 100644 
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -79,9 +79,12 @@ Organizations using older directory synchronization technology, such as DirSync ## Federation ## Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) + ### Section Review ### > [!div class="checklist"] > * Windows Server 2016 Active Directory Federation Services +> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658)
diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index b4e0aba47b..e8eb9401ef 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md 
@@ -99,7 +99,11 @@ So, for example: This algorithm does not apply to alphanumeric PINs. ### How does PIN caching work with Windows Hello for Business? -Windows Hello for Business securely caches the key rather than the PIN using a ticketing system. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. Windows 10 does not provide any Group Policy settings to adjust this caching. +Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket the can use to require private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. + +Beginning with Windows 10, Fall Creators Update, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. + +The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. ### Can I disable the PIN while using Windows Hello for Business? No. The movement away from passwords is accomplished by gradually reducing the use of the password. 
In the occurence where you cannot authenticate with biometrics, you need a fall back mechansim that is not a password. The PIN is the fall back mechansim. Disabling or hiding the PIN credential provider disabled the use of biometrics. diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 4613069b73..60573f8596 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -68,7 +68,7 @@ It’s fundamentally important to understand which deployment model to use for a #### Trust types -A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. +A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. 
@@ -160,6 +160,10 @@ If your organization does not have cloud resources, write **On-Premises** in box Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end enetity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). + +Because the certificate trust tyoes issues certificates, there is more configuration and infrastrucutre needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificatat-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. + If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet. 
@@ -267,9 +271,9 @@ If box **1a** on your planning worksheet reads **cloud only**, ignore the public If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. -The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. +The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. -If box **3a** reads **GP** and box **3b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances: +If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances: | Certificate Template Name | Issued To | | --- | --- | 
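Review bot: The sentence appended to `The registration authority only relates to certificate trust deployments ...` repeats verbatim the sentence added in the trust type section earlier in this same patch (`Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. ...`); keeping one authoritative statement and pointing to it from the other location avoids the two copies drifting apart under later edits. The renumbering from `3a`/`3b` to `2a`/`2b` only holds if the worksheet's management section is box 2; please confirm against the planning worksheet the page refers to, because the same hunk still directs the reader to write results into `5b` and `5c`, and a wrong box number sends them to the wrong row with no other cue.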
@@ -279,14 +283,14 @@ If box **3a** reads **GP** and box **3b** reads **modern management**, write **A | Web Server | NDES | | CEP Encryption | NDES | -If box **3a** reads **GP** and box **3b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet. +If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet. | Certificate Template Name | Issued To | | --- | --- | | Exchange Enrollment Agent | AD FS RA | | Web Server | AD FS RA | -If box **3a** or **3b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet. +If box **2a** or **2b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet. | Certificate Template Name | Issued To | | --- | --- | From d5f5d72eaefde47d03958d40d3485724f426d05d Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 7 Sep 2017 14:22:50 -0700 Subject: [PATCH 42/51] Added Hybrid deployment guide to deployment landing page Removed an unused hybrid deployment guide page --- .../hello-deployment-guide.md | 2 + .../hello-deployment-hybrid-cert-trust.md | 40 ------------------- 2 files changed, 2 insertions(+), 40 deletions(-) delete mode 100644 windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index e58f3a1e6f..390e38b4d6 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md 
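Review bot: `write **AD FA RA** in box **5b**` in the `@@ -279,14 +283,14 @@` hunk is a pre-existing typo for `AD FS RA` that sits on a line this hunk already rewrites for the `3a` to `2a` change, so it should be corrected in the same edit rather than left for a follow-up. On the last changed line of the hunk, `reads modern management` and `box 5c` are missing the bold markup (`**modern management**`, `**5c**`) that every other box and value reference in the section uses, which makes the third branch of the instructions look different from the two above it.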
@@ -47,8 +47,10 @@ Hybrid deployments are for enterprises that use Azure Active Directory. On-prem The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers. Following are the various deployment guides included in this topic: +* [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md) * [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md deleted file mode 100644 index 3c35dfff7f..0000000000 --- a/windows/access-protection/hello-for-business/hello-deployment-hybrid-cert-trust.md +++ /dev/null 
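Review bot: The new bullet `* [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md)` uses a title that stops matching its target once the later `TOC change page title change` commit renames that page's H1 to `Hybrid Azure AD joined Certificate Trust Deployment`; update the link text within this series so the landing page, the TOC and the H1 agree. The additional `+` line that adds a blank line after the bullet list is stray whitespace. While this hunk is open, the context paragraph has three grammar errors worth fixing: `how you want users to authentication to` should be `how you want users to authenticate to`, `is for enterprise that do want` should be `is for enterprises that do want`, and `The certificate trust model is also enterprise who are not ready` should be `The certificate trust model is also for enterprises that are not ready`.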
@@ -1,40 +0,0 @@ ---- -title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment -description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high -ms.author: daniha -ms.date: 07/07/2017 ---- -# On Premises Certificate Trust Deployment - -**Applies to** -- Windows 10 - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. - -Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - - - - - - - - - - - - From ab7ff9fa66cd1e1862fc5d6fc0084da35cdec2a4 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 7 Sep 2017 14:41:45 -0700 Subject: [PATCH 43/51] TOC change page title change --- .../hello-for-business/hello-hybrid-cert-trust.md | 2 +- windows/access-protection/hello-for-business/toc.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
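Review bot: Deleting `hello-deployment-hybrid-cert-trust.md` is the right call, since the removed content is a copy of the on-premises certificate trust landing page (its title reads `On Premises Certificate Trust Deployment` and every numbered link points at `hello-cert-trust-*.md`). The commit message only mentions the landing page, so please also search `toc.md` and the other `hello-*.md` pages for `hello-deployment-hybrid-cert-trust.md` before merging, so the deletion does not leave a dangling link behind.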
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index dd470a6917..591ed20865 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -10,7 +10,7 @@ author: mikestephens-MS ms.author: mstephen localizationpriority: high --- -# Hybrid Certificate Trust Deployment +# Hybrid Azure AD joined Certificate Trust Deployment **Applies to** - Windows 10 diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 989f35139c..ceb776ae4e 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -13,7 +13,7 @@ ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) -### [Hybrid Domain Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) +### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) #### [Prerequistes](hello-hybrid-cert-trust-prereqs.md) #### [New Installation Baseline](hello-hybrid-cert-new-install.md) #### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) From 4871b3b6b5765570f12450b0804d16fb2ed7419d Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Thu, 7 Sep 2017 14:54:41 -0700 Subject: [PATCH 44/51] fixed grammar in FAQ entry --- .../hello-for-business/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index e8eb9401ef..93623ad200 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md 
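Review bot: The two renames in this commit disagree on capitalization: the page H1 becomes `Hybrid Azure AD joined Certificate Trust Deployment` while the TOC entry becomes `Hybrid Azure AD Joined Certificate Trust Deployment`. Pick one form (the surrounding TOC entries use Title Case, e.g. `Windows Hello for Business Deployment Guide`) and apply it to both, since the TOC text is what readers see in navigation. The context line `#### [Prerequistes](hello-hybrid-cert-trust-prereqs.md)` has a typo for `Prerequisites` that can be fixed in the same TOC edit.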
+++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -99,7 +99,7 @@ So, for example: This algorithm does not apply to alphanumeric PINs. ### How does PIN caching work with Windows Hello for Business? -Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket the can use to require private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. +Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. Beginning with Windows 10, Fall Creators Update, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. From 3f428863e6fda5e834c62a2a29c57fad2fba67b6 Mon Sep 17 00:00:00 2001 
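Review bot: The corrected wording `processes cache a ticket they can use to request private key operations` is right; two more items on the same line would tighten it. `interactively signed-in` should be `interactively signed in` (no hyphen when used as a predicate), and `cached under lock` is internal shorthand a reader cannot decode from context; the sentence that follows already explains the behaviour, so `cached for the duration of the interactive session` says the same thing in plain terms. The context line `Windows Hello for Business used as a smart card (smart card emulation that is enabled by default)` should read `(smart card emulation is enabled by default)`.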
From: Mike Stephens Date: Fri, 8 Sep 2017 13:14:14 -0700 Subject: [PATCH 45/51] Updated publishing date --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-new-install.md | 1 + .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 + .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 1 + .../hello-for-business/hello-hybrid-cert-trust.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-provision.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 1 + .../hello-hybrid-cert-whfb-settings-dir-sync.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 1 + .../hello-hybrid-cert-whfb-settings-policy.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 1 + .../hello-for-business/hello-identity-verification.md | 2 +- .../hello-for-business/hello-planning-guide.md | 1 + 15 files changed, 15 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md index a73b950e24..2c593badbf 100644 --- a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index 390e38b4d6..e2e2a39f13 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md 
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Windows Hello for Business Deployment Guide diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index e334bd351c..d07cd08f33 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 localizationpriority: high --- # Windows Hello for Business Certificate Trust New Installation diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index d018eb1f54..cea2b40233 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 localizationpriority: high --- # Configure Device Registration for Hybrid Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 2a2f19ee41..93e8ea26d6 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 localizationpriority: high --- # Hybrid Windows Hello for Business Prerequisites diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 591ed20865..85a86d24c0 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 localizationpriority: high --- # Hybrid Azure AD joined Certificate Trust Deployment diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e5eec9afa3..9e7cb908e4 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 localizationpriority: high --- # Hybrid Windows Hello for Business Provisioning diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index fd1c811ee3..27eba8dd44 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configuring Windows Hello for Business: Active Directory 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index b7b3e29e76..e68276a09e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Windows Hello for Business: Active Directory Federation Services diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index b6348b63b3..51d3af12b8 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Directory Synchronization diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 990582f963..27ea8e8a47 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 28ebad1414..2c0b6759f9 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Group Policy diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index e30c8e8e4d..2dbfc5fda4 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 93623ad200..a866155093 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -10,7 +10,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 60573f8596..febf4b56d8 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md 
+++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin +ms.date: 09/08/2017 localizationpriority: high --- # Planning a Windows Hello for Business Deployment From b41ad23f8c389e857143dc66754cc02c0e510939 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 8 Sep 2017 13:33:20 -0700 Subject: [PATCH 46/51] resolve conflict --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index febf4b56d8..e74710904b 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -89,7 +89,7 @@ The goal of Windows Hello for Business is to move organizations away from passwo Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). >[!NOTE] -> Azure Multi-Factor Authentication is available through a: +> Azure Multi-Factor Authentication is available through: >* Microsoft Enterprise Agreement >* Open Volume License Program >* Cloud Solution Providers program From bd84268cd6de8934232dc7f5190fd681644d674b Mon Sep 17 00:00:00 2001 
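Review bot: The commit message `resolve conflict` does not describe this hunk, which is a grammar fix (`available through a:` to `available through:` ahead of a bulleted list); either give it a message that says so or fold it into the `Added publishing date and fixed a typo` commit that re-applies the identical line later in the series. The context paragraph in the same hunk has two further slips: `must use a multifactor authentication that provides an AD FS multifactor adapter` is missing its noun and should be `must use a multifactor authentication provider that supplies an AD FS multifactor adapter`, and `Organizations can use from the on-premises Azure Multifactor Authentication server` should be `Organizations can use the on-premises Azure Multi-Factor Authentication Server`, matching the product spelling used in the note two lines below.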
From: Mike Stephens Date: Fri, 8 Sep 2017 13:43:25 -0700 Subject: [PATCH 47/51] Revert "resolve conflict" This reverts commit b41ad23f8c389e857143dc66754cc02c0e510939. --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index e74710904b..febf4b56d8 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -89,7 +89,7 @@ The goal of Windows Hello for Business is to move organizations away from passwo Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). >[!NOTE] -> Azure Multi-Factor Authentication is available through: +> Azure Multi-Factor Authentication is available through a: >* Microsoft Enterprise Agreement >* Open Volume License Program >* Cloud Solution Providers program From 2817f2f16067d301d081bc6a3c53b8f3c27c06af Mon Sep 17 00:00:00 2001 
From: Mike Stephens Date: Fri, 8 Sep 2017 13:43:59 -0700 Subject: [PATCH 48/51] Revert "Updated publishing date" This reverts commit 3f428863e6fda5e834c62a2a29c57fad2fba67b6. --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-new-install.md | 1 - .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 - .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 1 - .../hello-for-business/hello-hybrid-cert-trust.md | 1 - .../hello-for-business/hello-hybrid-cert-whfb-provision.md | 1 - .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 1 - .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 1 - .../hello-hybrid-cert-whfb-settings-dir-sync.md | 1 - .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 1 - .../hello-hybrid-cert-whfb-settings-policy.md | 1 - .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 1 - .../hello-for-business/hello-identity-verification.md | 2 +- .../hello-for-business/hello-planning-guide.md | 1 - 15 files changed, 3 insertions(+), 15 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md index 2c593badbf..a73b950e24 100644 --- a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 09/08/2017 +ms.date: 07/07/2017 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index e2e2a39f13..390e38b4d6 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md 
+++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 09/08/2017 +ms.date: 07/07/2017 --- # Windows Hello for Business Deployment Guide diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index d07cd08f33..e334bd351c 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 localizationpriority: high --- # Windows Hello for Business Certificate Trust New Installation diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index cea2b40233..d018eb1f54 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 localizationpriority: high --- # Configure Device Registration for Hybrid Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 93e8ea26d6..2a2f19ee41 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 localizationpriority: high --- # Hybrid Windows Hello for Business Prerequisites diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 85a86d24c0..591ed20865 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 localizationpriority: high --- # Hybrid Azure AD joined Certificate Trust Deployment diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 9e7cb908e4..e5eec9afa3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 localizationpriority: high --- # Hybrid Windows Hello for Business Provisioning diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 27eba8dd44..fd1c811ee3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -9,7 +9,6 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 --- # Configuring Windows Hello for Business: Active Directory 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index e68276a09e..b7b3e29e76 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -9,7 +9,6 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 --- # Configure Windows Hello for Business: Active Directory Federation Services diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 51d3af12b8..b6348b63b3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -9,7 +9,6 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Directory Synchronization diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 27ea8e8a47..990582f963 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -9,7 +9,6 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 2c0b6759f9..28ebad1414 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -9,7 +9,6 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Group Policy diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 2dbfc5fda4..e30c8e8e4d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -9,7 +9,6 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 --- # Configure Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index a866155093..93623ad200 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -10,7 +10,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 09/08/2017 +ms.date: 07/07/2017 --- # Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index febf4b56d8..60573f8596 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md 
+++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin -ms.date: 09/08/2017 localizationpriority: high --- # Planning a Windows Hello for Business Deployment From 2c4cd9ad6d67b4eee5621a00b70721c89bbcd656 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 8 Sep 2017 13:48:55 -0700 Subject: [PATCH 49/51] Added publishing date and fixed a typo --- .../hello-for-business/hello-planning-guide.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 60573f8596..e9e32239db 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high +ms.date: 09/08/2017 --- # Planning a Windows Hello for Business Deployment 
@@ -88,7 +89,7 @@ The goal of Windows Hello for Business is to move organizations away from passwo Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). >[!NOTE] -> Azure Multi-Factor Authentication is available through a: +> Azure Multi-Factor Authentication is available through: >* Microsoft Enterprise Agreement >* Open Volume License Program >* Cloud Solution Providers program From 0805941481dcb584f2004384bdbcb5a02eb938a5 Mon Sep 17 00:00:00 2001 
From: Mike Stephens Date: Fri, 8 Sep 2017 14:04:15 -0700 Subject: [PATCH 50/51] Publishing dates - round 2 --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-new-install.md | 1 + .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 1 + .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 1 + .../hello-for-business/hello-hybrid-cert-trust.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-provision.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings-ad.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 1 + .../hello-hybrid-cert-whfb-settings-dir-sync.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 1 + .../hello-hybrid-cert-whfb-settings-policy.md | 1 + .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 1 + .../hello-for-business/hello-identity-verification.md | 2 +- 14 files changed, 14 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md index a73b950e24..2c593badbf 100644 --- a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index 390e38b4d6..e2e2a39f13 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md 
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Windows Hello for Business Deployment Guide diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index e334bd351c..a60357cfcf 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high +ms.date: 09/08/2017 --- # Windows Hello for Business Certificate Trust New Installation diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index d018eb1f54..57457517cd 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high +ms.date: 09/08/2017 --- # Configure Device Registration for Hybrid Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 2a2f19ee41..7c56e7ded8 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high +ms.date: 09/08/2017 --- # Hybrid Windows Hello for Business Prerequisites 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md index 591ed20865..576a4d3481 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high +ms.date: 09/08/2017 --- # Hybrid Azure AD joined Certificate Trust Deployment diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e5eec9afa3..744f4930a3 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high +ms.date: 09/08/2017 --- # Hybrid Windows Hello for Business Provisioning diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index fd1c811ee3..27eba8dd44 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configuring Windows Hello for Business: Active Directory diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index b7b3e29e76..e68276a09e 100644 
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Windows Hello for Business: Active Directory Federation Services diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index b6348b63b3..51d3af12b8 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Directory Synchronization diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 990582f963..27ea8e8a47 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 28ebad1414..2c0b6759f9 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Hybrid Windows Hello for Business: Group Policy diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index e30c8e8e4d..2dbfc5fda4 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -9,6 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen +ms.date: 09/08/2017 --- # Configure Windows Hello for Business diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 93623ad200..a866155093 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -10,7 +10,7 @@ ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high ms.author: daniha -ms.date: 07/07/2017 +ms.date: 09/08/2017 --- # Windows Hello for Business From 95d7619884bfc946e1cfb83988515364d7038cc5 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 8 Sep 2017 14:14:49 -0700 Subject: [PATCH 51/51] removed the date to resovle conflict --- .../access-protection/hello-for-business/hello-planning-guide.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index e9e32239db..4e6d68cd69 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md 
+++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin localizationpriority: high -ms.date: 09/08/2017 --- # Planning a Windows Hello for Business Deployment
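Review bot: The `-ms.date: 09/08/2017` removals across the twelve hybrid certificate-trust pages in the first patch of this series are reverted verbatim by the `+ms.date: 09/08/2017` additions in PATCH 50 (the blob indexes swap back exactly, e.g. `b7b3e29e76..e68276a09e` for hello-hybrid-cert-whfb-settings-adfs.md undoes `e68276a09e..b7b3e29e76`), so the two commits cancel out; squash them before merging so the history records the intended publishing date once instead of a remove/re-add pair.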
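Review bot: hello-identity-verification.md has its `ms.date` flipped from `09/08/2017` to `07/07/2017` in the first patch and straight back to `09/08/2017` in PATCH 50, which is the same back-and-forth as the other pages and should be squashed with them; the value the series actually ends on is `09/08/2017`, and a reviewer reading the interim commit would otherwise assume the date was meant to move backwards.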
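Review bot: In the PATCH 49 hunk at `@@ -88,7 +89,7 @@`, the fix `> Azure Multi-Factor Authentication is available through:` is right, but the unchanged context line directly above it still reads "Organizations can use from the on-premises Azure Multifactor Authentication server", which should be "Organizations can use the on-premises Azure Multifactor Authentication server"; since the commit already touches this paragraph, correct that too, and pick one spelling ("Multi-Factor" in the note versus "Multifactor" in the paragraph). The `+ms.date: 09/08/2017` addition in the same commit is unrelated to the wording fix and belongs with the other metadata changes in PATCH 50.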
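Review bot: Deleting `ms.date: 09/08/2017` from hello-planning-guide.md in PATCH 51 to resolve a merge conflict leaves it the only page in this set without a publishing date, right after PATCH 50 added `ms.date: 09/08/2017` to the thirteen sibling pages; resolve the conflict by keeping the line rather than dropping it, or restore it in a follow-up so the front-matter stays consistent across the hello-for-business pages.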