From ebb61c760520b00a343e1fe8e93f742bc25de554 Mon Sep 17 00:00:00 2001 From: erroltuparker Date: Mon, 17 Feb 2020 15:52:14 +1000 Subject: [PATCH 01/14] Fixed scripting issue Merge-CIPolicy command had a mistype causing the line to fail --- .../create-wdac-policy-for-lightly-managed-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 6fc44116aa..309ad25451 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -117,7 +117,7 @@ Alice follows these steps to complete this task: $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*" $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*" - Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules + Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules ``` 7. If appropriate, add additional signer or file rules to further customize the policy for your organization. From be53411407c09d761fbc5ae2e65983b97f844702 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 18 Feb 2020 17:28:38 -0800 Subject: [PATCH 02/14] Indented note, added a period --- .../create-wdac-policy-for-lightly-managed-devices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 309ad25451..d25131d06d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are running Windows 10 version 1903 or above; - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; -> [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) + > [!NOTE] + > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM). - Some, but not all, apps are deployed using MEMCM; - Most users are local administrators on their devices; From 6c352ba5598a0362510da4aa4e9ccaf0ad005734 Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 07:55:54 -0800 Subject: [PATCH 03/14] Created SCEP Whitepaper and added it to TOC --- devices/hololens/TOC.md | 1 + devices/hololens/scep-whitepaper.md | 77 +++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 devices/hololens/scep-whitepaper.md diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index d1c0ab596f..eb7e69cdbd 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
@@ -62,6 +62,7 @@ ## [Known issues](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) ## [Hololens services status](hololens-status.md) +## [SCEP Whitepaper](scep-whitepaper.md) # [Release Notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md new file mode 100644 index 0000000000..cc43bdc285 --- /dev/null +++ b/devices/hololens/scep-whitepaper.md 
@@ -0,0 +1,77 @@ +--- +title: SCEP Whitepaper +description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP. +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +author: pawinfie +ms.author: pawinfie +ms.date: 02/12/2020 +keywords: hololens, Windows Mixed Reality, security +ms.prod: hololens +ms.sitesec: library +ms.topic: article +ms.localizationpriority: high +appliesto: +- HoloLens 1 (1st gen) +- HoloLens 2 +--- + +# SCEP Whitepaper + +## High Level + +### How the SCEP Challenge PW is secured + +We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. + +We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. + +## Behind the scenes + +### Intune Connector has a number of responsibilities + +1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server. + +1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS. + +1. 
**When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.** + >[!NOTE] + >The connector communication with Intune is strictly outbound traffic. + +1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself. + + 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period. + >[!NOTE] + >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge + + 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob. + + 1. 
When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device. + >[!NOTE] + >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place. + + 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune. + + 1. The mobile device must be enrolled in Intune. If not, we reject the request as well + + 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server. + + 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5. + >[!NOTE] + >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy. + + 1. The mobile device talks only to the NDES URI + + 1. 
Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet. + + 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service. + >[!NOTE] + > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out. + +1. Connector traffic with Intune cloud service consists of the following operations: + + 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup. + + 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. + +1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. + From 2d68b6dad706c24b1e5d43a82ad0bb383165b014 Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:01:05 -0800 Subject: [PATCH 04/14] created faq security doc and added it to TOC --- devices/hololens/TOC.md | 1 + devices/hololens/hololens-faq-security.md | 124 ++++++++++++++++++++++ 2 files changed, 125 insertions(+) create mode 100644 devices/hololens/hololens-faq-security.md 
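Review bot: In devices/hololens/scep-whitepaper.md (PATCH 03/14), the cert-delivery step under "Behind the scenes" opens two parentheses that are never closed ("(or other publishing firewall/proxy, a log is written" and "(file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder."), so the sentence does not parse; close both and split it in two. In the same file, "generates it's CSR" should be "its", "will process and any cert revocation transactions" has a stray "and", and the third numbered step is bold from its first word to its last. The opening paragraph says Intune works around "the weakness of the SCEP protocol" without ever naming that weakness; one sentence stating it would let the page stand on its own. The front matter also lacks the audience and manager keys that PATCH 05/14 adds to the sibling FAQ page.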
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index eb7e69cdbd..3e6b5f8706 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -61,6 +61,7 @@ ## [Troubleshoot HoloLens](hololens-troubleshooting.md) ## [Known issues](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) +## [Frequently Asked Security Questions](hololens-faq-security.md) ## [Hololens services status](hololens-status.md) ## [SCEP Whitepaper](scep-whitepaper.md) diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md new file mode 100644 index 0000000000..ae9f0de47c --- /dev/null +++ b/devices/hololens/hololens-faq-security.md 
@@ -0,0 +1,124 @@ +--- +title: Frequently Asked Security Questions +description: security questions frequently asked about the hololens +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +author: pawinfie +ms.author: pawinfie +ms.date: 02/19/2020 +keywords: hololens, Windows Mixed Reality, security +ms.prod: hololens +ms.sitesec: library +ms.topic: article +ms.localizationpriority: high +appliesto: +- HoloLens 1 (1st gen) +- HoloLens 2 +--- + +# Frequently Asked Security Questions + +## HoloLens 1st Gen Security Questions + +1. **What type of wireless is used?** + 1. 802.11ac and Bluetooth 4.1 LE +1. **What type of architecture is incorporated? For example: point to point, mesh or something else?** + 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points. + 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices. +1. **What is FCC ID?** + 1. C3K1688 +1. **What frequency range and channels does the device operate on and is it configurable?** + 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels. + 1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range. +1. **Can the device blacklist or white list specific frequencies?** + 1. This is not controllable by the user/device +1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** + 1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs. +1. **What is the duty cycle/lifetime for normal operation?** + 1. 2-3hrs of active use and up to 2 weeks of standby time + 1. Battery lifetime is unavailable. +1. 
**What is transmit and receive behavior when a tool is not in range?** + 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect. +1. **What is deployment density per square foot?** + 1. This is dependent on your network infrastructure. +1. **Can device use the infrastructure as a client?** + 1. Yes +1. **What protocol is used?** + 1. HoloLens does not use any proprietary protocols +1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.** + 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device. +1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?** + 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted. +1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?** + 1. HoloLens gets software applications only through the Windows store. 
Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed. +1. **What is the frequency of updates to apps in the store for HoloLens?** + 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well. +1. **Is there a secure boot capability for the HoloLens?** + 1. Yes +1. **Is there an ability to disable or disconnect peripheral support from the device?** + 1. Yes +1. **Is there an ability to control or disable the use of ports on the device?** + 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons. +1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.** + 1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens. + 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. 
Also, through MDM you can lock what specific apps can be run or even seen on the device. +1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.** + 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. +1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** + 1. No +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** + 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. + +## HoloLens 2nd Gen Security Questions + +1. **What type of wireless is used?** + 1. 802.11ac and Bluetooth 5.0 +1. 
**What type of architecture is incorporated? For example: point to point, mesh or something else?** + 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points. + 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices. +1. **What is FCC ID?** + 1. C3K1855 +1. **What frequency range and channels does the device operate on and is it configurable?** + 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels. +1. **Can the device blacklist or white list specific frequencies?** + 1. This is not controllable by the user/device +1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** + 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules. +1. **What is the duty cycle/lifetime for normal operation?** + 1. *Currently unavailable.* +1. **What is transmit and receive behavior when a tool is not in range?** + 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect. +1. **What is deployment density per square foot?** + 1. This is dependent on your network infrastructure. +1. **Can device use the infrastructure as a client?** + 1. Yes +1. **What protocol is used?** + 1. HoloLens does not use any proprietary protocols +1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.** + 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. 
There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device. +1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?** + 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted. +1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?** + 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed. +1. **What is the frequency of updates to apps in the store for HoloLens?** + 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well. 
+1. **Is there a secure boot capability for the HoloLens?** + 1. Yes +1. **Is there an ability to disable or disconnect peripheral support from the device?** + 1. Yes +1. **Is there an ability to control or disable the use of ports on the device?** + 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons. +1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.** + 1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens. + 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device. +1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.** + 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. +1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** + 1. No +1. 
**When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** + 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. From a24b15f4e699d9dad2c4af096ba2e28768d53b8c Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:03:00 -0800 Subject: [PATCH 05/14] added audiance to FAQ seucirty and --- devices/hololens/hololens-faq-security.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md index ae9f0de47c..b56e555f7d 100644 --- a/devices/hololens/hololens-faq-security.md +++ b/devices/hololens/hololens-faq-security.md @@ -9,7 +9,9 @@ keywords: hololens, Windows Mixed Reality, security ms.prod: hololens ms.sitesec: library ms.topic: article +audience: ITPro ms.localizationpriority: high +manager: bradke appliesto: - HoloLens 1 (1st gen) - HoloLens 2 From 26281a7f4c315bf4e2a2ed3047df152fcceb0510 Mon Sep 17 00:00:00 2001 
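Review bot: The front matter of devices/hololens/hololens-faq-security.md (PATCH 04/14) reuses ms.assetid bd55ecd1-697a-4b09-8274-48d1499fcb0b, the same value PATCH 03/14 gives scep-whitepaper.md; one of the two files needs its own id. In the body, the quarantine question in both sections reads "prior to being complaint to join the network" (should be "compliant"), and the ports answer reads "There is not ability to disable the port" (should be "no ability"). The 2nd Gen section repeats the 1st Gen ports and TPM answers word for word and drops the Bluetooth line from the frequency answer, so each copied answer should be confirmed against the 2nd Gen hardware before this merges.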
From: Payge Winfield Date: Wed, 19 Feb 2020 08:05:37 -0800 Subject: [PATCH 06/14] added audiance. Format changes --- .../hololens-commercial-infrastructure.md | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md index 568bbe92e5..f241deb9fc 100644 --- a/devices/hololens/hololens-commercial-infrastructure.md +++ b/devices/hololens/hololens-commercial-infrastructure.md @@ -10,6 +10,7 @@ ms.topic: article ms.localizationpriority: high ms.date: 1/23/2020 ms.reviewer: +audience: ITPro manager: bradke appliesto: - HoloLens (1st gen) 
@@ -50,12 +51,12 @@ HoloLens does support a limited set of cloud disconnected experiences. ### HoloLens Specific Network Requirements -Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md). +Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly. ### Remote Assist Specific Network Requirements 1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). -**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.** +**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).** 1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). ### Guides Specific Network Requirements 
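Review bot: The rewritten bold line still reads "if you don’t network have network speeds"; the change only wraps it in parentheses, so drop the stray "network" while the line is being touched. The new first sentence needs "is" rather than "are" ("[this list] of endpoints are allowed"), and it no longer mentions ports, which the removed sentence did; confirm that hololens-offline.md covers ports as well as URLs, or keep the word.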
@@ -65,17 +66,17 @@ Guides only require network access to download and use the app. ## Azure Active Directory Guidance >[!NOTE] ->This step is only necessary if your company plans on managing the HoloLens and mixed reality apps. +>This step is only necessary if your company plans on managing the HoloLens. 1. Ensure that you have an Azure AD License. -Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information. +Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information. 1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) 1. Ensure that your company’s users are in Azure Active Directory (Azure AD). Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory). -1. We suggest that users who will be need similar licenses are added to a group. +1. We suggest that users who need similar licenses are added to the same group. 1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) 1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) 
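Review bot: The added line "Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information." fixes the missing space but still has no verb; make it "Please see". The unchanged Azure AD enrollment link in the next step contains "deploy-use/.set-up-windows-device-management-with-microsoft-intune", and the dot directly after the slash looks like a typo worth checking while this block is open. The NOTE here now says "plans on managing the HoloLens" while the matching NOTE in the @@ -100,10 hunk says "plans to manage the HoloLens"; pick one wording for both.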
@@ -100,10 +101,10 @@ These steps ensure that your company’s users (or a group of users) can add dev ### Ongoing device management >[!NOTE] ->This step is only necessary if your company plans on managing the HoloLens and mixed reality apps. +>This step is only necessary if your company plans to manage the HoloLens. Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely. -1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices)). +1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). 1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled. 
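Review bot: In the rewritten CSP step, the link on "CSPs (Configuration Service Providers)" and the new "here" link both point at the same #csps-supported-in-hololens-devices anchor, so one of them can go. The removed sentence "Some CSPs are supported by HoloLens devices" told the reader that only a subset applies, and the replacement loses that; keep the qualifier, for example "A list of the CSPs that HoloLens supports can be found here". "CSPs ... allows you" should also be "allow you".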
@@ -144,7 +145,7 @@ Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololen ### Certificates -You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you. +You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you. Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep). 
@@ -161,8 +162,8 @@ Directions for upgrading to the commercial suite can be found [here](https://doc 1. Check your app settings 1. Log into your Microsoft Store Business account - 1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”* - 1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. + 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”** + 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. 1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile) @@ -183,4 +184,4 @@ Certificates can be deployed via you MDM (see "certificates" in the [MDM Section ## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md) -## Next Step: [Enroll your device](hololens-enroll-mdm.md) +## Next Step: [Enroll your device](hololens-enroll-mdm.md) \ No newline at end of file From d7cd34b946c29c47c0e085d4762da2da8090d534 Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:09:19 -0800 Subject: [PATCH 07/14] Minor changes and added audience --- devices/hololens/hololens-licenses-requirements.md | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md index 7636395a6b..3f398e81e7 100644 --- a/devices/hololens/hololens-licenses-requirements.md +++ b/devices/hololens/hololens-licenses-requirements.md 
@@ -10,6 +10,7 @@ ms.topic: article ms.localizationpriority: high ms.date: 1/23/2020 ms.reviewer: +audience: ITPro manager: bradke appliesto: - HoloLens (1st gen) @@ -35,16 +36,6 @@ You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for - Acquire a HoloLens Enterprise license XML file - Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade) -Some of the HoloLens configurations you can apply in a provisioning package: - -- Apply certificates to the device -- Set up a Wi-Fi connection -- Pre-configure out of box questions like language and locale -- (HoloLens 2) bulk enroll in mobile device management -- (HoloLens v1) Apply key to enable Windows Holographic for Business - -Follow [this guide](hololens-provisioning.md) to create and apply a provisioning package to HoloLens. - ### Remote Assist License Requirements Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements). @@ -68,4 +59,5 @@ Updated licensing and device requirements can be found [here](https://docs.micro Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). -## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md) \ No newline at end of file +## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md) + From f2447b6da59b96007c7f614400d258f31515fb5b Mon Sep 17 00:00:00 2001 
From: Payge Winfield Date: Wed, 19 Feb 2020 08:37:07 -0800 Subject: [PATCH 08/14] minor change to provisioning doc --- devices/hololens/hololens-provisioning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 7eefba6e17..392032737a 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -54,7 +54,7 @@ Provisioning packages can include management instructions and policies, customiz ### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this). 1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) -2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. +2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. ### 2. Create the Provisioning Package From 5673bc21779b3e6a6b79362b199f6dd7252eeda9 Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:43:29 -0800 Subject: [PATCH 09/14] removed a space --- devices/hololens/hololens-licenses-requirements.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md index 3f398e81e7..c89587c100 100644 --- a/devices/hololens/hololens-licenses-requirements.md +++ b/devices/hololens/hololens-licenses-requirements.md 
@@ -59,5 +59,4 @@ Updated licensing and device requirements can be found [here](https://docs.micro Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). -## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md) - +## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md) \ No newline at end of file From e328cb2b81710414f3669a5b5455aea117604e22 Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:46:00 -0800 Subject: [PATCH 10/14] addded content to FAQ --- devices/hololens/hololens-FAQ.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index a183165e4a..a75a6e8676 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -43,6 +43,7 @@ This FAQ addresses the following questions and issues: - [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) - [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) - [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) +- [HoloLens Management Questions](#hololens-management-questions) - [How do I delete all spaces?](#how-do-i-delete-all-spaces) - [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) 
@@ -204,6 +205,21 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe [Back to list](#list) +## HoloLens Management Questions + +1. **Can I use SCCM to manage the HoloLens?** + 1. No. An MDM must be used to manage the HoloLens +1. **Can I use Active Directory to manage HoloLens user accounts?** + 1. No, Azure AD must be used to manage user accounts. +1. **Is the HoloLens capable of ADCS auto enrollment?** + 1. No +1. **Can the HoloLens participate in WNA/IWA?** + 1. No +1. **Does the HoloLens support branding?** + 1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios) +1. **What logging capabilities are available on HL1 and HL2?** + 1. Are the logging capabilities on HL1/HL2 similar to Windows computers? + ## How do I delete all spaces? *Coming soon* @@ -215,3 +231,4 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe *Coming soon* [Back to list](#list) + From 83e7b41be7335b95530609609c83ca2743cfd874 Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:48:55 -0800 Subject: [PATCH 11/14] whitespace edits --- devices/hololens/TOC.md | 2 +- devices/hololens/hololens-FAQ.md | 1 - devices/hololens/scep-whitepaper.md | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 3e6b5f8706..c93f45cfd9 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
@@ -61,7 +61,7 @@ ## [Troubleshoot HoloLens](hololens-troubleshooting.md) ## [Known issues](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) -## [Frequently Asked Security Questions](hololens-faq-security.md) +## [Frequently asked security questions](hololens-faq-security.md) ## [Hololens services status](hololens-status.md) ## [SCEP Whitepaper](scep-whitepaper.md) diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index a75a6e8676..ace8a93088 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -231,4 +231,3 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe *Coming soon* [Back to list](#list) - diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md index cc43bdc285..438ea3c34a 100644 --- a/devices/hololens/scep-whitepaper.md +++ b/devices/hololens/scep-whitepaper.md @@ -74,4 +74,3 @@ We then pass that to the device and then the device generates it’s CSR and pas 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. 1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. - From 440bc999d01aafb0939c45fe863ffd4b45332c14 Mon Sep 17 00:00:00 2001 
From: Payge Winfield Date: Wed, 19 Feb 2020 08:50:40 -0800 Subject: [PATCH 12/14] edit security link and added expectation --- devices/hololens/hololens-requirements.md | 44 ++++++++++++++--------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 9487a2f331..8216a270ff 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md 
@@ -13,14 +13,16 @@ ms.date: 07/15/2019 # Deploy HoloLens in a commercial environment -You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time. +You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time. + +This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md) ## Overview of Deployment Steps 1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need) 1. [Determine what licenses you need](hololens-licenses-requirements.md) 1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md). - 1. This section includes bandwidth requirements, URL and Ports that need to be whitelisted on your firewall, Azure AD guidance, Mobile Device Management Guidance, app deployment/management guidance, and certificate guidance. + 1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance. 1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md) 1. [Enroll Device](hololens-enroll-mdm.md) 1. [Set up ring based updates for HoloLens](hololens-updates.md) 
@@ -40,37 +42,35 @@ Kiosk mode is a way to restrict the apps that a user has access to. This means t **What Kiosk Mode do I require?** -There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered: +There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered: -1. **Do different users who are require different experiences/restrictions?** Example, User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to guides… etc. +1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides. 1. If yes, you will require the following: - 1. Azure AD Accounts as the method of signing into the devices. - 1. Multi-app kiosk mode. + 1. Azure AD Accounts as the method of signing into the device. + 1. **Multi-app** kiosk mode. 1. If no, continue to question two 1. **Do you require a multi-app experience?** - 1. If yes, Multi-app kiosk is mode is needed - 1. If your answer to question 1 and 2 are both no, Single-app kiosk mode can be used + 1. If yes, **Multi-app** kiosk is mode is needed + 1. 
If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used -**How to set up Kiosk Mode** +**How to Configure Kiosk Mode:** There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. ### Apps -This deployment guide will cover the following types of apps: +The majority of the steps found in this document will also apply to the following apps: 1. Remote Assist 2. Guides 3. Customer Apps -Each step in this document will include instructions for each specific app. - ### Type of identity Determine the type of identity that will be used to sign into the device. 1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device. -2. **MSA:** This will be a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. +2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. 3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device. ### Determine your enrollment method 
@@ -87,17 +87,27 @@ Determine the type of identity that will be used to sign into the device. More information can be found [here](hololens-enroll-mdm.md) -### Determine if you need a provisioning package +### Determine if you need to create a provisioning package -There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device, however, there are some scenarios where using a provisioning package is the better choice: +There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice: -1. You want to skip the Out of Box Experience (OOBE) +1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE) 1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package. +Some of the HoloLens configurations you can apply in a provisioning package: + +- Apply certificates to the device +- Set up a Wi-Fi connection +- Pre-configure out of box questions like language and locale +- (HoloLens 2) bulk enroll in mobile device management +- (HoloLens v1) Apply key to enable Windows Holographic for Business + +If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md). + ## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md) ## Get support Get support through the Microsoft support site. -[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f). 
\ No newline at end of file +[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) From e252ae3f830c9b3e050ff56229b30af87fd4ea9e Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:53:09 -0800 Subject: [PATCH 13/14] added audience --- devices/hololens/hololens-requirements.md | 1 + devices/hololens/scep-whitepaper.md | 1 + 2 files changed, 2 insertions(+) diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 8216a270ff..f856f571e8 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -6,6 +6,7 @@ ms.sitesec: library ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001 author: scooley ms.author: scooley +audience: ITPro ms.topic: article ms.localizationpriority: medium ms.date: 07/15/2019 diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md index 438ea3c34a..06b7527960 100644 --- a/devices/hololens/scep-whitepaper.md +++ b/devices/hololens/scep-whitepaper.md @@ -9,6 +9,7 @@ keywords: hololens, Windows Mixed Reality, security ms.prod: hololens ms.sitesec: library ms.topic: article +audience: ITPro ms.localizationpriority: high appliesto: - HoloLens 1 (1st gen) From 4d04dafeec038f6de6c0e3602627a8e6defafc6b Mon Sep 17 00:00:00 2001 From: Payge Winfield Date: Wed, 19 Feb 2020 08:55:49 -0800 Subject: [PATCH 14/14] added image --- .../hololens/images/mdm-enrollment-error.png | Bin 0 -> 76632 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 devices/hololens/images/mdm-enrollment-error.png 
diff --git a/devices/hololens/images/mdm-enrollment-error.png b/devices/hololens/images/mdm-enrollment-error.png new file mode 100644 index 0000000000000000000000000000000000000000..77b695d1cfa73afb96f83a8e8b0b7ef58d30f65c GIT binary patch literal 76632
zEVF=siXi~BH36S~`W1GbyX`#rBw4e6HS}u$qviQ7-iv|nK#N$ zbp?{I9YObwKjOQ_&C#&kK%9S&W^Ew(v9c0C+bjw5JGXB&+W+)D>NoxoEjkZH4&_YG zomrj|RQ7qjY*6(04&|{yLrhw<$?4w$j=U$3XuX)SC-A3cVDG`D)7#Lrd1JJ0(-D`? zUxim+P-lHwa^fN4VKHe{ZyE-4=&VU0{1t{`3}Z0u#ZSXs8(LXAVK5 zkNyP*u0AjTWHqkDtZ;7uAoaD90<`Pc4x?w!L}pc`16nokpnfdO%fyr!QFR{I zO|TBHPOOd|(NsE*nj#L;z@E8uh5)D?e*Uo)=FXap1E-GR_PzUf_AnK9c)W1^D%P%F zjh=l5qUn#Vv1QW=g!~m|+-(Vrim8^MONRI4u?_g@r#4u%=Lq%ByGvjykzU9jsI7pn zEDH(aW}IGb{xSt! zdUr;HrVTK0>J%J4d=z(Y-NUm-&+v%lxOC|}Hg4O1ej^8>@lQWt>5|nb=V)DkFU0iy zN{1PGa-L%5*gp8E(GOU>W()4$yiLP;4TlaN!^>Rf`&k-UZdo!F^&2$C=|^d{1g6om zo=OrR5pRB8zX5(QK= z5Q=OQbbp%x%4d0Pwuxzm2^d0J0%MM<3fse@S(KU*TtBu2e{9?atB+o>57O#mlp2L= z6Ky0^hI6M6phN5C_^D|V*27ZD)CD|x{Mf$aoqXpG4j(;+@sp67rk|M4HucIX(~jqN$BCJMC~5tA#{MaaYc zQAM$?#*u?3(Bh}2XwmWqEKOK~^XJ$%9z4Q>lzX^-`xcI#JdcHom*M9&ZD{N|GT_Iv;^)b>1U78)d^{xp(lVuFK{F>| zR3KQHhg~z5;HU3@#I)thaOw7C+(>3$rHnqjrw@p-A2E((-pNPxsQwe6bKcLTWtvb> z^~4i`7JbdVF!v!Q4)2YB_@{rxkhv>R?y$$(l0C_zmNLmH0np1w=g|GvEJ#mnai zJlmsP^LALeED6WXoyFY;5ApP2GM?PKhO-whVfpH{=+=q4rd4xn-M$kA1fnKOY;S?9 zU=4LrumGFqjzH5-{tYMYJZJ5(n;VdhRS?6y20*-~ZmY`ANBb`AF>=;am}Hoz{+1oZ|H1=sf^PUH46=&qrwEuD+VWRuI-|qS?eJr>AJFuN#^}$H`@Vg9IohqFlF|MPZT6$uph2?ldr>)Pgy`pJ@?LT> zW=@!bwyoQsS^E~~J8&R|^c#+DJ^P?*zusv6Q!@-6HX0{RpQD1(l12o2h{nr={WAJg zw1^hq(wS{&*KZ&;A361l07y$L2KMfQUVZxE z#_hY-N;SbM9Nf5s_0t>YQnKukZW)hYP;I1oRhnd5vrsl=QH$&scQIjDXUtu=1UXf# zKWgttRIrbR?8!9@>e&;sS8YdrC1WyL!0&*Tvg}k$A3c@8X*OPZJT{Y3O#r0#xd>X= z(hXBlq*^^G6wb$^%Lmb-*AQ$!f7|&4ik3~(26|CuO(nwqd?a5ziSeU{;)jL}(Y|ea z^zT0a0|yU6pZ@*PqHR0$A2I@mkDo(Dr5C4mtiU(_@&Cb&bJuJJ$k~&jw4BY{#=$E9 zBo7%$Ejf`x88-UMWNEaH>N4CoyAi#*bVsidbCIJemv=VH5fi z;Ej?`eVkXzsoJpYDN4cO*;CQ1WfxpaDYka3WV#LjVobk}&7=9dY7Ty`p>Lo5ShVq| z?SoT$s_hJWJ{GbWB5fg1!%nho+WYv*$@1m;?rqPztC1=zD}3i|*2BTn8;jmaC!V6r1#R5x`1 z5X)DX@e;$w4adw?OOYG<{$Z_VfDBaz2x5!z^yNb&tVkf}Z-LgW+M|2VUMyn|^dHa< z9lG^EkKTQ;dFvLGl@+4w*;RCD_9ce0Ju^8_v{^FCEKYHX(}$w>03fMAbzk?W9?z~$ z0HBx2>031dL4kl5Il0+*{O|!zpE`-PYgS|7!ueRWas>_@JU~Ts9XZ)qG{6KMG$^iU)x9=n)zp$8t 
zE%77`%y>N2(;?bJVBgRQ7NW8&9S>f-Ku(#ap`FDL(;HHtRLG{U=&Kj+MFXWM;fOvf zEf?ila^pRP*Id6;oW<3(e#x@{Q}(lDq!$!(^h(`k`zIL6_V{Rw%rbH$S?R67gzz z+oSff;LP7w@d9b7X?Q{4DXLfrn2XBc-GqKGiFMihz;^ z1cFtzM~i9KXitsgLH~?jT%2oV+qLrm7TG6I7GTTv9XNa83Z6ZGfe?X@u}Y_>mgLli z`sip?ekxK@Qwda^4aLrnNab{7Q%-TU7bfa2LC(`#NX^Vb3G2*n?V~o<5*R^DsDgNr zgO{8_oVk7tTla3o{)4-5`}Q5S0s9IQvxyx`Q2&mRXK9(E(umz>IA+K8RJ*W#qZKGG z%0g;J22v{tj>QzwlKQpkTUF>J?k5NPhwO^qm@k_}XG#JAkCJqzVrnKE{D#N3m+n8YC^Ai}foLu>bHe z+ReDDe<0~!uHkruo7RmN)sAFeK#U$t zDB=&|MOGU7PZlbq>lDUNC7m7?AV_1+L6x@(_wPK!sZ(dMk~(u);$o~{zXm5cAWF|j zN7!b8DLc>apk;$EF?J3C75lc{xUa0^6sI_SIC={JiQI1XW_QyX{Ob|OyIoOFg=rJ3 z^Emsvo`*Hj&^oP zcV4CQ%GD(|gyS!R@Md-Bo&%if#??ktl|v)jw@IPo+!#(Q{z@U&<&7D=u6vhWr>Br+ zMCy=KbX^}O{%hXeJX2|2=VwOn74f1DFR$Z?bf)`n`PFF$g?}AKzYcKH41u$GI(CN# zJslIG0jLh^jl-Icpm~hSSb4E<{sR2lAHKoOCt0W>g8>{=cgX6`IekS=eJQM)nDZ;J=d_1>VquKrS2q>cpJxp0Zt#9H%xiibTJ&a~ z&dt~Pymm1%W?q-VDeG%;!C~EoRbAATDV^1gP!MB$1>z3C|#m&)`aVLa) z<(yxWEXI8m+fH340BRqTU@c0}-qW`o8_BY6QJ85dd!B_<2>h82oaoc=cC zyfQ>iGpdx=*kDLAa}fd_LHO!wfgsJC(h>ZNRsOcfJggYV#|Z}sB^XUanN9BG)z!a znEL{g#|}foMnB^0wTGx8&e5I_=gB$29_<2Q=I;qWP9=?;{yGX z*BIc}lV{p|9jVbgruLCJOJMqR(3W-U@XhC6V$s5-sPqPHw$t|ASGZ}#3@dHOVZx2l9Cdnrl#5xnj-a!P$UF<(oj+y+kaG5QI35( zcA#0qM(Ez98&Xo9*~WAA5(7YSnT}JOJ}AWjP@Mi^^gaNj(eU|GC(*S{D=eBh0~b%9 zKvlWk?Bh@<97NiSRBYI|4&AzU!Pj4Xj`3s1;rWY~&{O%E^$A1;ezZB2hC~}k34Y$* zd|vl7PI3BMk(R!0-@c6j0|sF1*s<8XdpGj(a%~{s+>atZKO4u69KyJfBT)aVFVV4G zdtAA6*`Bo1!*-H&djij5#3@d3`cM=HKymu3l0Z@F<3|`hpg-z=`Y{^U{{}s}c0#XS z-3WL(qYFV#tM+a1$Im`NcgG-n@Be(4YZ6|NL{bYu6UNdiOBbvqx97Z`TIjeEl`*(@hya5s&Uaw5LZ!_DwS# z>EaR|r#O9BiUXiH{nbgI1u4zV!`-V_v18K)j2}A^-MV!`kDgsIbi@!WN?d}2M~@)o z*)#iGfQ*13jyuQmu5e>x zk2e9AoD20hr*r~8dd^V`zOfr|ic_3E2*m+Voc`*hFXY$g+Y0u!X)1Qx1S)l}c^)eJ zTIZvj5dx%Y3nQywF<(2o{$=`4ZpSH3e-+YGUv>AwX*S3qJsIYJd=pj;2y{#5bg=`S z;Ex`c*M{j>_&CKWP9KEg04Pp>eWIcl0IJr9(99mx66}N!i24z()%T~O_L#6Ua^@&H z5Jt5=VPSz|RzlX{PtbpIJ5F)>tB_<^vpz2H(RDZ+LL{u0eNz7QB2axQME~}pL<0Vp zcsovCA=Aqqv=urIfZ`OV4@q$V6sNxp#c+(2elQe5I2yE(uD;wA)dxJo0W%b~AHu@& 
zN1qB{2*(iUI%X-}L%-l1r#SshNFYedVRdJK^i|o~D1l8K#1lKba{4lw^TLNX0E$zb zJ~aK`1Ayvkg+D>RGT1NDZ;JO{&E&sCQk<^xe4FGS0|oy#km^mW#u~~wXsoMG14!As zvpser=JZns{K&cY-b26O{VPam*U970Na`-ye z^nPyVTW_jL2d9b`z0u}1>+M~>-%kqr*Q)1tdDB^4_nLTRgQizk zbb4uO9T{^x>x6OY`;|wW{>Rhb1_0F+yt*z%@AZD$({*)D)iqqT_+RakisyE*Sn{vQ z^?cj?#Yr90*#!AUwy%Dq9Gy4g827INygset6(e1_rL9})za_n&)7SK;?!Au`_U$tM z39{r_hwg_d&AIX1eBVmb;?!~PP~GrqpLg5QiKbsydR+;o->X3Gefh`e)jhkaLvCIQ z|J$f;lJ8CWodC+qc^QG=O^q#G`grcOFT%@HD?EZkweT@K{oJ@#6vyZoU?R^7C2tF& zAJMBk6h)pYo7%{k6>-g$J4a&Cw7hcO~rIFwQmoUj@|9ThjgNo?X=; z-B%h4``f5)lJ6v2mtF;O_?Bck0ElHX0OYZ6UFkax0zhGfsP!_uHU%qS%rTx!Qw;;! zW?!CJ3Ej-?=#<+jxjfV^Ojzw?F`W4k=PDLOUseAb0igF&-SAGF|DGh?T-kAWbj#(s z*Q6_j{V&$@Zzl3&eeyML;#OC3uWHqPcohRcx^`qFY7%BzRAJnr%JEzPC=v%ie^>P1 z0|5O3y>Yv4_&096zEpF&ouSU{-#~6Eb=`jl`bz;Ik?y!<{pC>qcT(N5{R*;*qV&81 zKawOj{x3MU$}FyP`Y!2)(sH!z`vK7F`>!;z{ND&DKbI%c8~5sx?z?IHHu}XR-=mX`+gG(}KW80WuNEH{ErjjuR`KMt`50gZ+XW&_48YJQ`mP>ic=l>@3{xal>pa?-u83- zNpE|)s&UchmSwlQI|lk#XS_FKhLsbLa(@lt=#S zEe6iwmcE5W7^5g+&DawFa^RD*2kiB1igUt11UkAe03-=_LhvjGfE)Zry#av4so;(7(MJ(p z361kfWl5C0^+eHq;e z!Srkokj$1dGo&1JwD=zs0J+Tky^t$EF>;IlP8G=Gt+0PlQhsV-CqI`ZUA=1eS43X} zK#q)v6vlzr^5=cWgF%&ob4LKk2_2`u2l`C_$ayb|BW7Qddj?f%>0U-`+YN2tSSnx3Oh>paZQ zwEAmO$S8kY&g-W6K6;(Un_=tL$=g&nj=qv!Q=>P^vTM@IF)|9IyZX`cm^P7Wq^$aJ z!dQGN0ljeT^~(lXO1+KNv?hbu6yldcu?hREx1|JG$p@lI~4gL0+Y;Ukkw> zg>diJrMkS;<;kVG`r>`}-{Q!lBGR9ZJ~-Q(N+ zU7rQ1s;WXbEZzEM-Y(URU-$T$e_hA!y>Z3k8)@pO_75;_0Hq~m2t{K1$k>+Fo@!DP z(+Hx~K9p3Jp(>$@O!?)(!J^U5IpMb?00<9(0i~bwHH|;n-Wm>)d*S zoO@3Hams3?8X z_v+^3z8O}>y75H1uWQ#&_oGpE+G-kyu%CWX_~c!mh7h|vH{NJGstJ&ywIM`!LvK)y zvhMV$33cx3DBC0Yx;*+W(cvS9asS~XgjHAclZ%MQ82>KMZh6F$d+nCP_195;I?Dg; zHj;DWiQIJR-j~d{X}s;+JQPRdUf1>4x$9g%)g1-QWTKkoT1br*onhH z`r>?u^~Y%R7q6^4Iy1(sPt9yZqfR@Tv0yxF**Wm}d~fikFfKoJ&)syD zhYBv6CBDDjnssnspndj4C(Dw;VI&MGzr>5iXoRfh)Ifqmn%N=&v@Z zVO=@$9YvUB^oPh7qp>JfuUd)||0=gzFFJSoVxHw{6~2%Ui30f^^6+Ihx(AU zz4U}-z&os`u=P*zOL^e^TJ}}`ysj@D8CKOA;kElAU)5tRU0puv#!;KOJnLFV@hx)n 
z!s{~0i4@oMuY0Yd+b4C;?Q3=G!3`%sDn3IBuj`mB@Pte=UH6)#G(#+RlyRc07sXc| zZa!|BI*Ozd4;(mvjEoGs?}pcT-DBM}T>e~M-%m~*SblCiwZH62jR)mr*;u+biTRgV zTSTcVYt)}roi>sUqpTta+xG3jqqK}zd%ezEyy(1c{_efEok+*JWsq~*)Abh_FY5mm zMiI>$c{#Z_b?i9OQlDF#Fw14SfcF(nY`8p`d~zUQ`pfi)_^Lr}ZXWjSJxCppYiYWC zxa5{c&gIkP(Mk93gMJkNaw|p7ttipKg9p*GXHQ(GLessv0xyAeJDuxqic0=6Dr{{z zrfP~t21Q{)MBt_vq-e}YP*`}bG}Iy0(cJW1Aut0+MI^Lq3Xl1^`3HkR3nS<9Bj?@^ z1Oj%HW8oN1qk%9DNCh4~dI&EKi1JgpFI>2Y`STXg;CPrPg@~*v?}%PzMp7OME4OFQ z9;{lm%D{$5@nwvZuc$8n?)QRR;OO$>rlrwJG~&n07pZv34jK-y91#jMJFmj21B9b~ zggDX(@jSqK2nj&a0MyF32t1hr=QYzWC@8?P<;!u7<&gq611p}aUYvHQTNXK8yY=SE zfP2raQ#YLITwz2ildg5o@AsRZo3`S(X{j9)*2)vRUzZ0rU-#O*FF!e**LCs}=usP0 zv!22&$l_0}~W!QL>QLAA%1IJP{G>##bDZ;vw z;T3pRdIC#2io~B=CpuCBc%S8AyO^BDTy;d?RBfYpN-Kmp^JZiJ!2f||X@0KEyF9sJjW5-w44ayb zM;STsSJ&7%z@PG}KFEMU%DpeB{=>3Id;}`R*t_!(4(z*(vXTny-Ma_#mnLBLg3;(V z=w}QVG77WjCt^1H(EbBQ?L)T$K*5j$?wx@USzvn^z$b5r`rxn3!lq3tvGu?q6a|7# z`-ItE1VA+rwnI2b*$PnZs}Tq}eNlR&M*K>?#XFtKuX0KrUA^GegZ$0K$`@jrS92hw zfk#yRMUvXt#aWv3+{`~o?a>`%iwyzt{y{~h(U%J;iDqM&z%y>TP zVIT7`d1W5%dyDkq#t83OT9kLM`mFL{o^|ta^LCv`gJpdP_BMg6?#rnx;@9P)?zz&d zTLytsiKnAkMDCUHX4|SS#pp2t2mR{y1)bL|-~V*_O#rB_kgDQFj2MBoZQGim*DR3yMY`uYH;&TKF(8GY zv{=VdRi@{3q|&jeY-v7?+^E>h@UT%q#S&)63xwFn3ditun@IT@Ac-k#Q`!t5h3+a9 zmuHt3IhQ|?H9o@zD6~T5Pl>+g&Yy=D=`ZZQ;-|kz$90a(Lo(zN63f@$GHm8ZV^ zeCN)cSD?nt&kZN4D|iYga>L3`BqLtUvP%iCU%e8$x9;NTT6M#`XrQf=vjc~!{j5hS zSt{Tl^YP0NXv8W5uaUCVvXgg7NeNcdI9|AX)r`ChY>-DAp|TFei+FH(ahkGymp3D20oNZswRTcj+&UH?qPo0^#8chl zsZ*!0aN$B5V2a!{>dKi&Wp?UW8k^~}9A-!4_@DkP4eOFt;?9j*7G9c0k|Db(wdM@w zln(3L^oCMVAL3wLa!Pvk>;)DtT234EFjnT*z* zDWRU>s4L>7FO^5A3f`&`RC%k|*_=^{M@w#OK#gpRi;L}OYn_rGDn0=r8JS{^)MV_- z%F14KCRYFi*mN!hqHv{Ur34N79#yq<{!E+>8iD*Ap%Hhh3?y0=;*HQ6xPiZJm-It%*MeU_@-&Qob?;gdM@>QL?{w}$)T2<*qNpUI4 zO3M-Oliz^kQc7QY5h{^iki&K_L?z`bOatx-cv0jHpn`QLAQYlPlA;RuJT?;$2~;8E zqYL=p*H`Q*&lQwC$*s>%8Km+lD=$HMdfKaYRoT?$g#|^%N0j;7j3s%Nq0|grWqA>b z3dKtS;{~v2$wKTsc*xpAeI!8OBOB|0AIDHQOSV*WsgE&p)>NE1L%>8nbnnE8Qyl#* 
zW<6I}UC2r1)Q+yqi7$m!{j0sK&$7=%2_9-$KY=O_{8b#(@LT{$W$?1hMXdLHwrfBG z67t~ZQOgdf@geBT#@ZE|v3>Jd>)6)5?A_6tEG%C!30wB;wZ5fR4KXk2djUvI-ACA; z98kmdW5I(}ev}vFp|T_smBml7WBY3CV7apWVU#m%#SQqYP+nTddM$#7{E8&^K3{aTTe2vba{Husb9I#DP4}f+#G8-)m3|*Qz6u(4){VacWrf)+Uj;(cL+e+q z!KhK=@t8)Y!mBi^SyyG04fZ`xIf~iOJXICU!;wp`KY+ZV5)`vN`~;VpVF~gm9wfWc zi;`o>w64XM+D7N%PklrE&y{(#m)m!=oHTXnRLq(+%fhIg+&-#w6i!Y$((Pw%Uh-Es z9bKKI0jlIaApODcn#uB%m!UL22L%M#LDsouxD=;?eO2WNF`NL9o1WVzRnIDi{6*q* z(V|7TfB(Mmru@W*;y5zx05ZiBuWA>C(SAiyl=aMJH+x|x_9NM2eX-wERZ73)T77CD z8)AO|icwbd1U)(oBCwzhAwVuJ$)?<}uX!j)?2l}5l z#HZ>`dc^rY38G-IGeJf{?2w|xKySwZ|-6|BA^ow zs$-G+pOM66`^W=+h+oH>Cz>Z{fr5}l+VeNCvoAz1?=Cy-*{TE zV1bR=G*hIGqPkUGs!S_at~8$4ujhz4J)QSGxN`ms`gG}xK3#ia>4F3t+JD##yaf5c zp*>i$aTOLOEWrA$8*%;4U7O0TjRX<&mf^;gi&&kMh{Pp}ux{-d?B2Z_^X4zaxr>*f zy)FWweje2(Hp*hV$arqwzTJ3Ox^$`Wtd6aYuJT>Gb`3|49I>=if13Jz#(Fz(;y8{U zKaOR~mSM+^9ggv*5<7bIC`Zi+tmlPTvu2Hjkzx_4j?SNV>PG3UUAq>UnVGSU>wsxj z$;ePC-$csO@@31hV#SJBTE!M#r24!{{x)pbjAe-{k+5_*PMthQqvRM4m1D<_?O2|) z1PO_YSk8^e$w^1@{o7cxb3d{w1GdZ(VseE9$GdlI!@cBdZ1Vt~+`ogv2lp}0V_3ar z9rlpt@`_R%JAMeK&m6noLO%tG<>mcj`*V!-o%BJ&H7NIdtd{Zr!@&^k2%qW`J&7zKWAa zjR99NE4U%M)f|>#-Ba zVLT0ua`N)9clS1|N?J;ni1q8%<3;*QvmsuOAE!>7#wE(sg>&akb`uj5O|Bk2dSr4W zCxg6`<#F$8Ry2iuFvPm8^m}pe&^{bFv==81?#9-2Nw|OO3ND;Fj{d#+;OC#aVcwz@ zIC=gW>n()s8!6L=_u}-iL&i_i@Z^%wD({$IhH%ds0WTu;Sr) z>T~Scwafa8+D3gqU_@=F_K-d~efqS8QNPg=lJu&;j{5#)>Ykr}{uy1mbTI>bg9A3D ztN1c(Y8wGm^{dO5FXQ;JW7emo?@m)cDX*hP*`JmrT0h>m{{RXJ)NK}sAn@Lu+t|8c zJ=QHJe+%Ye`-XKWAuugwe@jSOfwb%#8$4-1s(d9+(!1hK{n0h5A}xVQ@2O1M3#2j& z5J^vHe~{v<%+eXsosw6DQM+k2U8I!E3RzdzPYnkoUfjOP{=RMv^G>2oScILs_n?gZ zl0BG%zbEL@b^xwl%)p*K2a&LB9`);7?B0A3S-6< zdR;uI-b+|6k;>%i8}Y1uK6L0%v~1ZD^XAR7GRn>fz^W{=4{G0K)LGK;SvlG48LTt) zV%D84KPzLpOoEry3CpmL{bk?2y;w}WxnNlWjx(Lo(kh0P>{L^JU$9-bV8zPCSeh^w zTehx6UVavNixL36z@mkTc=Gs}@%ZrJL(>DY)2eUrBAGu%d60fqc~u^j zEzKHRdw(=KbPcwYt=su7U%6somM1MI(71~0*RC?$3M^Tg$WD{5Nk~)f+J8d*YIK1{ zzGu(QC@!M$tEnQ!DCX!p50fVj!HP92EX*}3>TW%IVlBbL#ful2?sXcuWtcyA9&&S> 
z4PSZL**MO|7U+?}lad=hemovNcxd;-4jev)r>W0u#^5wT*z!dSI65w+!uR0L^^2G{dpdUS+071mm!RM}-Bs2@ zIf0ckEiDBgz%YOQJj|Fe-HeY$Ko^r;$DHPH?QK_?W@>%U>9am0c2$7v0_6s z*f%kM)-*HXw{Ko&eO+OFC1Sw9!8l6*6lDFYEqs~@VmoL=t{JC|RC){9rZ>pTl`EGG zl_)6qT*U#F-m@n*!u4VGs?``aYy|dFaU`>iwc*@V;;I|lXA=#xv#+8IEg{f4hTBxm z=a`n#-bRq^^=KKk8Yc)IX3d;~!-tOJ&g}=dc;PzJyvNS1rO78ItGjpaqS3#G%U93i z(v>p=1X(zC@)(9ro`q~LjW+8<@|p4SC8kfFh;yd|z-w{g%n1w|Jirv<#miT4kBX(d zya6=luEXw+Drn_r6*tm~5b7oKp z-?F~2Xwg#gR7D^dVBK$eH2@IE(KNjjx@1$zPC!#eNQPH+Et^ssuExHtRFX>)ke{1R zk6M%6u@ffX5JAwjTQ_JhiV!4F&@zbWg=i%r{&cKgy_LZ8Jg+rSswP-rT}GaQW5hzFTqO8muBqglGhL!7Z`|>3`ym1FXyz#-(a zB1#C*makrm4eQt8@})Dlb>j-wQ(h-do`Fh^n6&|X$)Y8gFm3`4(xBhGc>`CkUNwU{ zZ{B<}#Nt^-_0XY%xJq56e!GZ$Z4r%42?4YxvAxLojjlFq|boN~XTsw`)6w3?4{%U4y*`4kP*QeS*i`7&LM$ zZa;o%ah^XLj`4$huCYkPstoH9LO)8Z+cRDfEF!G!lQ?&#^;F>Cv3}#z_0AKWM6|C*+uCD)w}wlbb#Al ze-HGZ03cO_Mw`x*yF2Z^bLTFbK`F>%=cgcCzHkvEhmRz%zQi z+q`l#XRlZ?>JwZ^g{+XZ-b8%EP9njfs;AV=tKELgb_hz#W|J+|-~K>E>zrw%PL%!* z*ET}DG`Xv8W;~RAgz-oO<7qiwx&|i3?<s<5r{^U|vu-ZRAhT z&lGFx)#Jr#IVo1VU8}MR%aoWiZm&)9*12J?YTrF*0G-^DcLU~bhl zEotL^oa=XjqtCugOthdcF#9f?Vn*r;V=kEF)rSj(y~1bot@@$49Dmp=7CM*GsQe^! 
z@RarEbJ}67Z*PN*P=_vUX7dW7^uQRX<68a7+`n`1(tiZ4wn+iSASi;5O*^c^Wh&o^ zcS}*T*j+*Ih2+T}r6=t0Zua<)oA?v_U|6h1S}X`S(8(zeX9ceW;~l#QlAT}`^Z0}Q zTQd$K{0x+-&M8RXX|*`qPLJ&aYtZ8kjW(4!VH+|HJ1S$~Pyfi00b!$dhLoLYzsiSe zCIQdwv>Q8e1t>U37~_SDK_{Bd%=dFRL27YF#sud~z_?1G)_pZUce;ZkB{av-L(caGN&Cub zI-Ui(EUgbzU|yCi#-fP{&D}7?jd!*vun77Cp{2$eJy;V44l0mco?S@dt(>LgtHA#bFl-1c_KBC`(^IU+G9X6M)a$jQvabC?7~ z=8N^8JeHi|Nw4g171IfHh&&D<++CFTj%(%DTM;(NINVsNErRaI=_aFjuUFDZX28D& zjo>`WdUD?m(_;*zu9`gCu|i(IqB(vH`k&hP)(?y5d?dI%I5Sd)D4Tt^V!7OfPGLbVMFM6B^JE*FScSnPXJ}fQA zXALYTl6H(2Kz--$ZRz{WI(8sSHN2JV{Ki6lv^P6|q%_UELWxE_s%-28hy&C*P3QjJ zRnrJs%gr!F6+zU6SW+H6-CF24)9=v%$^pT&X4p#vgcDBz7K$AkgXn-Zs#q zOGcpIjkmk13F@%6-Opz(vc!Ac?x)>#=_*EB{cDu7awCkzB8@k?ZE4K;KGq^P9da-& zjFYn8(OfGQMk?ZUt&s_~Xc*@Qk0IfkEdRlJl^Wa%b)eE~QmcB_loL!(EsQlKk37+w zVGW&|GGzZmqD3a~_xbZ%WqKI`AEt}l#V5vX1gc_0Bq_{Yh6TU6u5Ptr)AM0_M)8!x&s>{lJf0|aL~4s$-6>tY!?Mv}gg=1+9^N&pB5W^q zw{1uI)XI%HzEwTM9X^)Tfr zzb$Kvs~qj5EC`iTDmQPxaOrfz!aT90j5X+d9)HN1%nXasAjqG^TPeH!ffKJAwYb|HoZr5b8)i8cN z6Z4hSMEId$6))|MZ|HkA_bxS-KzI#PC}A~X?Mv$lKWKe0ioQ8SOP&HSjMa0PPy z0a@-mbKXiNHFjQ%-l}cK>PLr0c32#q$#(Lzb#>*(P}xAzGBZNLBy61yH#tKN*|Wxy z?_Mlx*eOYI-7OO7tokODvZB81bk(@mQuu&0{jYE^yGTZ_vs;tJNz&_dQ?@!5Sm(`* zdAKBp%O5LR(vSbxPRgOy<;fuot)Z|ena0jfG7pnY5;I8o?y#VcaTAnsJ;hqzfn`(P zrU-YtXhIzJ!7?w{WN%~saRh8g7fJ`_Wb#pL6_iXQ#L@H>Mh^|Gb=XuA|LDL>MHw@~ zph8IvqO(J0SoN+?FkY|MM+)v&{$hsnO`<-@CUEUt*#nxbr*(ZLIVc+_Q5eZ>eGI=) zYQXE5@lMrtHcZ~8HN3P{=e^D#5?Y(iA8CJYb)uY0=U+i&HBR*xvm*}=Oi0V?M4R8t zSHUlW)UNfxK&8-jo-{e^7-ReuMyvmD6g(+Ht=v7KnCpGS*7H*=~)AC660@&xlv#nkd*+pdt*OpQs@R+|lYt zJ%qvb$pa+%xLeIBD`vG5R_VZm*4*0Q;3p8qI{Kwlu#%Zjq-Q6l!_k|3E&|e;MBY{cAB8?p+tDSCayzf;c!pV{TGz?!F)AcxQ0up^P z!88_@ttR3P9D99SewWx@Sg`p$Ms=xlG~uR>?*4YTNEB$zK$^M^x270CEta= zE9{qCx9Lt7fqN6Ur2%ce-M;6rt2H#QgOfoo&^FiuY5%zTDutDjwpWDNoK6^k1MiIX zX$DhN%d;r3`dHd1Af5LeVc_2YsZN_!{QDhmiT+N)<#IRj^_p#zIXyZ<#%f5_QPwOk$InGno6RFo*pL0=gxm6wi=~$39`410Q1b27I+l8?*c!OxmfLDUrzE zf!InF%_o!>?1hPH-34VJ_v&YuvDHwA^+5xs&Z4H<^%`=#PMgH9zavS{WFytK?;A;l 
zF2=~&>c%$_8d-b+Ty!sa)PW0y0&!aqK!UsKTAWaU>;Zz?u$ZbqfQi{KRaHgbb#4v> z4C*b)VxP2sFa=T^lYYPL$0|e&DqUdAo$b2OOhT)j;r0$s{$kNor`1{wIJCg`Vvj$d z&1wVk;D>!euBQ?S-wRj9>~2)$6xeAFD6b7YlD9VxRGhxD&(*SdE&)(nne7_|j`uGx z+S7w1RgC=+&zXlg-0$zb+-k+vX}61P$nPx$T+Cl?HxLF`ZQ}TUA+=Exgs5|6I#7~Z zzuDjgaycU^*eO6txpX%Bp@J@E*8)oz@eRm@V-9RtEX=9iEDt%dzv&4;+MHfQ)CPV$lp9T-UP=2uM*)u8wkwz~ zTu#r(9lPWBte3S;&4fCAD@>~)%4kZ}&v!cPhZF3-Xq8VJyHN1CTY9{%82$)?MxcCsGz@_VEP-~Ing>9w zyQ~JDPb*-o)W#_`5-#@2bMSU`1%jWeZ0*S?jNDPvdj0*4qzd~=RK`CtLPiWX9oy`< zgLlj01afxEvb{(hFW?u zug41~_IyrUr8v@<155)(VDG~6Z$KQrP;}87?9A0|G8zd4qGtOK{0pVqkusi_B;p21 z)>e)AYGwnY&$j9=mnVY8pj!S03Yhr?SBpIkG0dvzAs4XtJ#2@~RJe;6#<>u7udicc^Pywu@haIE46 zNnvmkGG&44iByW!S_$#QKvpdclh{JT-X;`8+AG@RX16EudcEPo-y8lt(v%c*kQ^?1 zJgGo@JLaSeps+fXlf%QFNk73>o|*4Ywk!vGdt5ArtT_9NhC#zQH<+MRGSFvb^mCZa z1@1M2uy0ze8IBFdpJqY(3!ti$q;fRRF!%uZk#&Iym2uFNNNWgfkh^9!5R78uss>RF zXCf~9z2J5}{Klkw|L>zpP9S!dNW(!G1m^r-vo`=}Ss}uXm6{ zn7)~sX=RN!0^JSjqiNh{5!^*6ZARALp~ka$y(l}s2!yS@F{L)sUb0u5+%_zBc|1`7 ziFOl%N2N~egR^9FZvIaxt{s~6SG&PHE$PmFGCS+}s_lSv|R_p4!<*x55`y6PvBm9Ap$j(?;rT5)ioML8GTfmVW=bz2E=kj4T)SbMYoKe#ykcHFU9ChBk6 zbB3IS;9G*c{Z262PDK-gVcFNhpPo3?swm+utYhS;J z$ipwf%RgY2GH9mo<_6Yblur+@N?Wtot(h|B^<%%kkdBAr#k9IiP{-%AV)O!$zP8C< z{|3;&6+%@>(E8%Veb}mG3#y==R)% z3M$h`6s~=<&mJ59`QXKVD8}wUVF+|uKJ>z}GUoJX>?^%iztxX|J?FvAaCplmk2{;w zbBkQ0B*n$symxAA&Ay_dsDN$eiZl1O-k->y8bAOxt5FoxP9&o)m+LEcZmBul%U9xK z2-xTG6M7z>|G2WRj|Wp9#(OPCLgt zsjML+nkK{0{x_eBrcO}IGTIIXUuX=F#V6l_xuCLNxU)fDMMu~eMulc8+3yTYxRurN zPB0g>+xs7@WCDShX#=Oadk4*mP$Hxp*2qb%sI!cqg+gK2OeRPEd~y*lrIh#fOi`n; z<6aA@t)`=?Wi2TV?db3ryVK>P0bUPEx=4^@J&5tL)x{rDhs`LV8>wE*8!*YQ9Y@pPIX&@X#!_CUhyK9Ksag zrgI*&%n%LFY11uaJ42=Lz`W9AJUVb%e&Q5I!wOdYNMM>(8`>gwk6&utl(^f#tEyr@! zHa(B<5XpFA(ny(4n6S|E?gc$(yxI~yC1KmD`Z-h4VbYC-3yn8BUpQ8ZSc_Jo*l>KJ zMZ|bb4(?l_g8qnr!Q*X_FsCKtxvP9vCDh5-Dyyi6h70! 
zZ1$K^pHuU+qHXJvbvI7>hL!Q0G}%4~hP=tz?f=ADv7{)f(=yDn+*3I(H5;u?pc$G| ztJC5Ig81#!peSrX&6?+^r2*OpC0; zkLSOPS-j?OaQ>j`8L0dW`JvUeo!TGd1czQUJMX6?^=+Ue9Ygb1Cr)M$gl4VFZ;t_G zRN&O_^JCBHxyscDxLl`m!|VOEEEXS7X)61Q#9Q)&1DmhrtK@2TL!X4YtZqlVeGE^| zyIOFL4pctB?xSy}el>Y*(OrM$g@qE^X7Q{CEEovq2fjX+H0mC%I1$wrixa&1NRwdi7}(~a7FCBfB; zUd1%tf+&;4&xdMWOm=!IB>W2s-1))|uRNMptP#ezbq& zunw1AIty~-yF>6s?HbG!ojYHmriP1MV~$n4fca(LFj?Gp?+?@avh1qKwP(h+%WwRw zL6O&!Hu=%3nX7Qt-?HfuGU9T&3(p+hd;K)nhBFm#yZUdc9Nd+g+ah01nyE+ojJh^Q^V z*_avEI~$onzoMQJ86|^Z0$IW}x47AeCfTnua)z@glZR+mpnhMu!^88UKVIweG@aYc z4;Rk6v#yZP3u~4imGuC(ebX5R3}9pnv>c1&J_S%t5@DlZUz}3P+52Om$^1r@AxA9fcS}kU1-bxV=lDySSuUh^ z&L;*r)tgkL;NDg+M@f{)Mh2r6w<{%FODqf(U2^I#kd;b>2_V8TDHjk;5`6kH8wmmS zLs`*)Y{-RxzX|iCQelWN0b{i}*0r_CVM`Tn29(?Ps)ts{U6GddVy;^y%}iiuxB0u- z=?tpO%)6v9~>Ka*o5T)}LS)G1=cu`moW1iAr7j|z)Vd-*)kFigJ)1%bYppX=fg=0co$t_mfvJ(h;4aF4ZXU2<7Bo51&R_SE4GSv`kD9y4D z{@rNRMb_)7qyDlw#3`!kn|)8Zq@}j^SQjJ_C@+n~dM%5Ag7V3cRzkkI%A3t(wl~Z7 zp~g*xerqvrnLSpeyI`YW$Pd4Rm<4@b(Rl|jwq|LkA}yBYsW98X?5{iQMwQJGV8Ae= zWNEBvHY=(&`&@C@?R%qy8weOnjmZDi2n0KY3aUDNn{T8~+e1aKJUK15C4i7nkx+Is zxsZ*!+kox;btk2fkrHvMl<$)ZFWt4APSMK%`qLF~pL@dB_gofe&Vb zNiQgox2Ugfl_)Q(HWG=39k>k~mIo{9o%&&|H?5MTkew$0D&X@=h`v5+3JVl`~J#@&myAX^5G=EURHs$gHYGfpz2va9 z=zvm+#$h5HnSnr50jSsEQ*AjFR627arNw$XOt z#TVF=HVBWi;8v0E<*Sh_USo{6QHkwxS@n-l3v`D)-^mW+@8*HL&UCeR$`Op;D-*~j z!;j5g6`9D(3m3FvWN$}lTXN37oauH}CP2Np5`Z$@(GbGblp0VCkPQroh~q$tbnr6D zCi)-uW2+?4!s*>woi2#$4m`mohPdvNn6H;>;h(o0bd-D$BR;WjPpy_PRkF!BK7`S( z>*Qx1r1lbsiUqt8BB8I35ic$Vb0Ak5T^ZoFCSBSdMNWNz^z)pPV;~KLN-<)_YW?LcyUidO$M`=@L;T z_CYvg_GX7WB9$UuWPrb<(d*>YW}s0b?llmqXo?@KH%KgEEyLR3U>HBfF$<5)VE!8x zhc$-KWy*|y;9pYcg$kHLvVJ`^vyg``M4AXMG`aNF#)fDQT@uYVEvDk#-P?pRJtNAPoLl*1MG9%1- zQC|%Lw5Q`3@c3WlRvoq)tlbJ|Fld{bWp0z4Z)@W}eN%N7ly9a^hC;fH1?GQEheugA z`^*^;9k|l74H^JpcTho!xFGD^tp$ziE+7A7tD}!BENVh>5Z@de$6w&!b)3XV5&Mz=&xd#AR3$J9L&AEtMQo z-;o4E#dFRZGWB2^#{vPmf-dJDP-MH3`T25(c;S2{={5C>14P&;wthmEOCY_Eh=-|BL% z5iuBcpg_Ys`r*x~VYT~}|E)q?1QTvYCGImj|-CV1UHZxSN3g(>24 
z6tYqZw%%8C#!Xe2eXaYq(#$l&4YTe3$Q==%8)Ix&817nOys#}Hoh5+!g$(q)qL32Q z@%EWttghFp8P+fniMT=0?9@kt&9M*^phzKX&DMKxb(IVahV5u05eTEdpH8gQv2h=h z!_omh2*2YgoU++GAX2av#xpeJSj;wIc9mvK0%u3IFz`BqA6{}QMOv0tYF+-BpsM{_QKmAWrP-Wxct0u%ST5tGihhA3ITXNKNU{-4CnP? z7+UFJl*y7%=JZ)+NP~*4PBbj>UHQA&ea})cmm9G}E{WQdFoMQN&Ev$oTO_H_z@n~$yVmGQao7D+3vC#U!y4Hr>+3d0;$=_d# znT3~Eq&G`?xFT2to0h7wYRzsj+XT=}vtF=w=OhyJ3uDUf-ElbqeiW`LS$LSGRDE_A z){(c^EDCYN)gDDhe7dzQ918lIs#8jnOIpzAkU$Z7s-S_Ygi_tzG$s>kxgH7;AGOp* z9Oz}#?yp!UA;)ZHmKUT#x#X-$v~+JFLJ3ZsHtHAi^bDoNC*jW-OQmP@^o+qmhsA+e z`GwxtOCaVI=vx=t0t!!C@EF;pg;oP?Wno4;pax(f?F8|cunGK$$V9Z@a9#VCz&gw5 zzC8Jzc;<3#dE;il4zwSa$(whqigH$HCN2+0pEm|odN*9UM)`XI(UX=aN|()?NuGc& z!I%UkgD%#`^x-96qPyscB39cJ>tM2#hy(A({IOLf#Mxi6Q33DYYg(9rqSjbKR^)9SK^jJDL7&fuE+m~m zKu0~D;TFHbo_Hqk`9^5WD^I6nmG%zt7t+xlM8EB$>!fG9db#2sh$};LO(&y%r!c0DL;@t-*`gV zPFv<(vLq>Y_5@v(M^HI~9R+V_@`LD@8*$7DmafN=L4|g7{Rbb4lN&g2u`NaD-gByu z%LzEsKTPq5Yqb-iCNi93{e5QaK+nkU{vGW5f~-61T?{jOdsBLQKl#esj(VgBosC7C zPBfd>{$f(;ms2mUlB`iSLG^vehmcO9fzT2Tg22}jX#%~?CmBQvB3bh7#qQjA5IUIE zKLmrIoTiJL`v`LN^f;H_+Y&gKpPz@r?GKY&dYK%P^pBNx(|5Vhq@3szjT6(iFU=G4 zSmjKc(kH}5#oW2}s0xP`NFmM@=ZuYVZ*U48n=YD@|knL5ATk?&)P1zYoynsC?b zs=(NwYF-~9>!O4$LE4G2Zky)WUso^vWFxkW9N{-SHDS7df`wWDFcs1312Cg50vAt` zJWx!@zX$f2>}ez8Ampo3)YayNNTc88T#)3v*Gyp~(_Nsv{gr=^ZcDeQbCIrLx}dv1 zsaEF&s#dP!wY9HG|MY-)O6fJW)@1_IVID6p>q0qOZWuGiCXZ!+I@MA)(sm*9Ft-Q9 z{%*GKW&q8sRBnutD}8((LT%#h7F<==lXOLFze9bru!adl#D7| zKm1db^cs9Uu9??ZCz0BQO5nmI^U2k#Hi;y|+UV)BXHzd8y9?qJ6j!_QwViWTQI4CL z!yT=ckdWlwxYK}Ta`u+s-ynN^mjV88My_I=Dao`*vmv;~!v9<3Cqb^x)sFe6b8Qm- zJSu&)qo}t#Us)CicWry(v~?R@FKNmd$~E5lfzj_oc#m$=YdvZ1qRSMh8G;hbc@o^(Au8brB3o#p_ z4dtur<2%4~)KV(%B&qQPdUBWQJytVr`kBTxFF@Z@W)8B})*<8X_!ZQg6+`At!CWZa z)kG%qRJW!9c;+6Jd3vsr@r|G%_;s0leP6TX1&mKPMMud%gJe8OEAu*+Y_3c{cc+4X zuF~{$GP)q4@`g?`^m_)CyFzt+Loi_2i^ploy|}N$fY9`F=S)Z3cZzLlW-}pIx5pyV6aUlH$5^;J{+$EQFYfXl?S?`k9--?~g08sbXB%}HVyEW% zqcj)J;%3>;-q4M{CcHjrCBp`T>m&MC4GkAT*@I)woWv2Yc!$)NTziGDfYQSp;$Z6| 
zZ5)**w`x(;AD-1q#dGj1{$(QGDljj1g!AT$j;$;@QV2FT91KUnY6AJ=3Lfnlm`X)y zb&N_#awVLMOE#Jqh)YN5I{DI|8cYQi9PPYND@#!6MZ{`r){_M>6KVz>2AgM`Qcg4QKgHW(reD*3il-?q@aYdAR=$|=jI9+Q^HrY$<*_mw z_$;#~HLo5cpJ?u6*Cj=I$55s;sTCkIh~};r?I*k)$W7R zTQI5IH79bu+~m4qLnakQ&$t9%17jDuk&5QUt_QefIJ~O5IoT}IHnAkPM8ef zp7r*yLl*cE{T;d86L+loom$ces=1vr5G}Vy`ZzrQ`xDTL1DoNLF{cnp`L%27P%V0W zY<4@n-q>p^QC_FI`hj+A(yg(dQeo#Ew&tA1`@%{&;UfLHg;gU;0E%8RK7sWLu!KYe zglWmxk44fth3OQE(OD8%vbNo#Bap613MCa6m8-oJdN4h#=H zeFbWv_Do015P#f~Z1Uf2nHqg#RHqu-5^0|NH0&o@RHNT68unL~$i6aYh-;CX_tbq< zj{Y=H+eMS4ghEIix7J&+l!3$zvs_!b``4R)yw+#tsoBZ-#IXHXHE%?e{!XVfjVy~P z>vrAXV$e<@8a9?T_jx9cszZ#=N{V~3!jL&{%m5!dG?i=`f#?D>Gep9Z5oy^d^Y;*OKO6@ajQeBXX4b?5guNXV0S^a zU5LQT0eOOo-W7hhYehJIP7|*obzb6XVZs1NOE#^WbS~}StMkF^!&B7tCM&d=5@PYe6V}NWRKWGW_-<`(l#a+ zUdtb@6`i^P;eLu+rD#)Ze0-kWC=D&O5++e)w6r3X-)t2{RwUMLz1YJWg{>>w*)*Lg z+BqFxuVCDrW-0Eby(Q*0dub~652m}U;ki^-^h{Jdw9?g#L~bYGlUc}_BydgLUQBjJNsbDWLSuE1%pxG~-Y$xn=am3g>cwn4`G+J84T3_Km zev8B8lhIRCJ)MlZB(^41$lgP^{RJOOf~f%!)kBBq&vd;`;T~nfw>FRAEQK0%#6SvM;QP&w4S~m4GeW-cL7F$ z@0ozInJSNT5u-0xw5F~d^wWr(J{nuFvX$QnMbkw$rLiNs?)q)aa;ptkw4LwNoF@OS zt-PNAp1Z2V&ex^GJ~yikND#Fa1~PiOqMDVPJ-Dv1zf zN2Zuha-vGcXdPZ%uPBu+Q*KI#|F;HBqMTCsT?EH1?=bS<4+)XNr?=udAtbFhsxtWUF8ho%zU-xMc)XHkN&94n{UtO0->+4b@ zkxqofAS%*30nU{EdztCtUm7T$40j1l9??a$o^6+}xP^{0pQQc8Pl?@#k4~7OEoG>2_0Dklk zlg}2OMpA8x@{~2;YGweVE89g(o-WxE#HgZH7i{sf;?tTKz@Tgfr`d%4PhlFD5hn9J z1uGTWmkT@?6ykK(@9gJkcq_ZQj9e)dbssD@OM4;K(jk2V4UOYu{j(O7eyJZT>pF2m zJyqzWrzs}R0f^9@?Neu)XfshLk;D1NN;<`AM~)YMFf&q>2h9t4qxF5iOLuC;!WqZ; z$pUN&?J<_l^iyky0&xJtJ0~sn5)^yV?c#bRQ`!{AWi`9;)8*PQC^AG+;90zwGDI|Y zsO?qp?U>PaS-xdd$pq z%GBr#rQ%NRNrH$WTJtivcCvx5bEAb@H906++|w>ktqHlMO{5oNXlmnSNU3~oc4HI@ z`M82MN3eiN#J0VD_j=>!MI*3;S0vbrErmuJp7CZcnea9ij4m>`x-bcq7bcuYc)cpo z;tAxbvX)6xlX+E4^E_3`w@n6_`4@wB83c35d}iL05!gnfRee)hscMo{L$wpVq1rE) z?Ep$-KYxTq{0@j7G;PEVSrpKztk(BQjQU+Q`bN}hB?Qe8yG*7S!Oq|Unf@JB*(Q{U zZ)H^_;q6WPdkyT{Duu@#e7rmOF&>>n)K{0kuOHur#(yhubg4(vt!LBN3+K%giQW>D 
zPTK`ieOP6=ei^eV#S|eQo3EqGDo@(MY$m7a{ByYc&7H!4f=s_(K+dM8e8t(N4#zU_ z?=d?wUEXA!!BHGt!N91?W*Uzts6bi^Td>cM=N-_VZ0a`%I_bhZJBfLo!!QeoycCQ= zq?;|+*7atoks_><-$S zV|Z1)15eNEzDDu%vV>Nk!b&w6#!dh5*;(r>n@Y{ z(bCqliVB&|6#gB9j9-@VS{cHWKvydWPv&dmASIPk!-Jy~E@w90xvUw@8ZLbR*e0aA zvq={COJ}%Nh$||-93R9~QR14}Mv46C%*?Akkz}~`UgqBu;P&MA0ugo@c4{#~FS(jC zL!;en!~gKwO+EaV-W*o0-+OM!`%=|8kylgZCqW#3wNkHIz^3AEB8=R^`|aa#;VH(_ z3F>MhRW`_;4&a*xdWgl~SM~sRFM4@tVt!3+*D9%6x`{2%X_dR5oN{NLo@w`LXp$7w z+!JYG58O>3PCjL+VCoWX^DRHptFgYD!ELdY=j*e-Qi`fg*E!>x--U{FTfD--_crGs4EH);xC1rESX zZ**;;eoRVUwL4~+LW7pHiFvaacZ94Z^hof%UYbm0sh9zFS52l?t!oqo6@t8YJ;;P@ zI5i5|K3^ah`YGuY(lb1&M@tb>-{Vges2`>^=$7t=uufoqATGu32PDqlSZO$`}|Txh%rf?TW7 zAsSqA+cT6x9FuPFSuxkC*I*Sp$`{f?*Q&v9Cpq{kccrV|e%%n|RKn8<^xskcuX{q5 zveL(Fulyr()3TRT7VFIV#6BvZ5*8IdRbqrK5-2xNH}QSG6hE%%SfagpC;L6aLO3t* zjzi?wE`_Wi99=Blc2=Z2v4?#cuHW~OCCiz2*&!wo7lm}lEWz3PoFp*7L#d0kL)S=0 zj9Fjh!t}&Dq^zm%)tcTmb&_n)EI>^vr_FaR+-%uIh|6?HMTe+wS^&?BIjmY-)v{Rr z+`4PWtN{+n*@pG+s&*cmeovaeen|OKN_Irwz0M1~CYqr!h#{K(P@H6yF0vdkAQMNE zsvKWNLahW1m6Th|EL#VBYZw(nkYCFA<9rb;uv%T*7sQTh}ISAhnmA3VzzHHI>7%f!q;HQ#7x zwK6OTVsxs>6WX&g9yA^U-i=A;iV`$uIbSVz)o+#ZA!6EmJyQ(O<7VYAex{y4&)8b8 ze*-1#pgmxAhiI3f%0r9`)7&KHZ86%WHqs6*t)WqG6>) z0^yk>2{|^45`Lv?V;dahOs}RgS*3zNIdUgyc2*W+Q#3BkR0^7{oSWw* zBUt9!b;l0m`bJijYw`cA7__&6@RV+`y27}Ivd`X+|~Y()fGB)Pj*Gy zq( zmpf*`YrSCIaIkKltO~`-ucO?)m@yiQhxtLrM!4G%8Ko7t^p%`1Go=q2rx`q{}J9G5$$5Ad#?$WAzqZH5}+T_ zNIcL*0tgfL^-Dc-RJzHPf1O?(P`y6TQW@YccHkUn{zI;O^;Bs)y!YWB`5SL5@TOc7 zR|{fPv}`a&T_VzLJw~!JsrGKsS_UFt9kbz;^)l{8DhT2KtN|SXl#S)T)^%hAlN9`4 z8$yH@`~Ng?;Kl(nGy1PNjSQiXfdAJ*@sT1xaB==?yG|?+lY{@Y!-!B)VW|Jv4}$+c zd$eIRNVq5|<^R1t)X$mU^{~p^1d=Q`>bn0MHSo{_NHN=A zvO%6yG8Zn?$OV})xGamKN zO#kDCk6#h@uu0}}UGW~Co&85c5k;W)2%iR9;(IrL6;EPfT&QW#qG0w^-~g9~uczNd;k>;11WN6Z2R9r%%uyOVR_x& z)$#-yV$Uc|BrV4@VMKT9zGrBo?oV3@DZSbZ&Hlh%j$Zp48lk&{`4d_H|Et@P~@`o?XrFIv3Xi8+5o48qK``e2DUd zfS;WLj47ufD$qci9w9YK_|g$Sk3mF}FGwTjRo%o-qH_ z<>`7BAz$%GvG!J6@cErzM zH80?J#=3OG^|vjA`q8tiZ=9abyNebh&ce7w4Z1uap9&H60ZaP0IVKGci}v`0J(Vbt 
zF<`ItcD$Z)X(}SVF>&YdFJmI&bgFz*wzJ>Y$+jCaOK_+A%df6Q8~7XI#YaF@u_I4$ zmTVvHn9@)0580P&q0NN3C7{Jto;0JVXvBDU*GUBf1fkH#Xt+@ef?pWm zPzb_0I(XMN_-P{Lq=fulELe;>Vdv)-(Zr_C3$Zb1Z2lU!ORzz9eJ@*fJY zt{D`3KIp=Lchm?3Tnhh&p9GP?zb{9WlKQNommjQDd9(hmMQ8kXbVRVh%3zfui%YCK z5oAC(+s|-#-B1F)a}A3xZW@p44IGOm&=XJYd+&#VU@2u?0DR?2ba7}To!I7T8SLVZ z#70Gun3xzAn^hX1^0MY#s~vlV(!{Jby9y};4bC;ofWF8H9?b7%Mn3#+!K+CBuV4QU zS8o{>b+mqglG5EBLpLIw(jnanC(ASvBQN_TfN)RTu0oS~*wtk}uxI#e4W2gv6%6epZyrd$i01hni?%=e z@s7otmfeWIiZpti`RDk5mxLi>971HjCuA=Rz*;}*%jFt7Y~YKcWoRB@+4r~=NoL+x zvxXLduW$MCoD00KHgvt<7G~h|C(3qGH=_Q9;Al|&R<4p}E~~QE>Ik#AMp?;kP&G%y zm+(9$wGvdJxF7Yo7&O-16DVHi{^a+0#RuI?iBlt2Bs9V6yViTt_#1uBTJLd=95F9a zhEKjvcJ@vRcS&nTOR`h-i^Ip+ougXHz2) zMiD6DlY0OMTB#rtdG2g^+@z#Qf%mR-T#uC3JUroC& zF0U>&1Pbe9@eWjEaJpUT6}+B#{(*(&(QM(d|Nc}uGnu>9U;9Gb+uB*MV-u`!)jz(a6^W0WLv3m_RGIW1GYSoewBEc3S%+e3he1)Bynua-xs1II`$ z2LQ)jO}EbZOz|@GhqT6SJ7i1^0-4!j ztEo~5)J3kSl;q;hX+?;jGm?JI*j`bPu3vlck}Iq=9gFbxKL`}fvgCbH;gvh#H()ix-GX& zZQ#`%pUt1qbOVn?KYx_`#KsV?-Lw^!4iT0*jn02QK4^J7U*U6~1@cea+LdwkMqpUG zUG(v8|1^K*JnuMRxe2-;BF;*Wv6M_smOc;nzi21ITlXgm@?JnT`sF1|+jWb(3Z`q` z%nu3@&pUfSqH9idOv|H ziY`yIuSp&97@-Hd%4~DJr)e(q$;We}zhI)ibHF}-kvb2C@!tS%1y?sH!PfG zkw$WZ6p|T;r_B5*i{SAf&Ffd3u$i;_ZPw=X_|vL0Hqngepo@-@>Gp$#uAUAbiHOiI zJKF17@kRbZnet$ti+SN1!o zFIE9=ZlR^7dWGOoqB4m|DGY}>oRyHK3hnvNg>wJ5sHDwB*QzB#+|Ko^gg129Fc2Na z`hN7d>a zLZ)J-%|EvJ3bKkU|Ex3*Xo2V*>(9hP8hQP_U#B2hZ5IPrPf%U9Z ze7pWl7g)J)0=#=LtbN(EJRQ>*lDuCHO@8%G=53E9)8J%3$R!ZL&CLydH!$t_lX}={ z^ew?8h||p!bNgb|IcLC^XZIGp3Gz7|9}=^#FtJZ>k=CDo2;=6k%dCd|f&5YL>fKav z6A6UiYb&Xb|3+2<$z$Va_W+L}bpRMM4B5m^qJaEL5N%`Tt?Vds6W#8y@Ej3)!dI;;=ar`G^ z|0&WcCEYXQ4`PAT2RvDp7G0J=@K#pI8V|tdz~CnE%>L$B9O1E;Iw^`{j2z0IcLwIV z%k50q8_n7&UwNU)$D>X7VmrxT-}7PB{Q^KP=F9Rq1C{*mz5XgoKac&H;^|@=k*1`l zfZ6dJRy5B72huKS?}?9o;hSKA^@}IMbAQuelL-P5lM{Z&8(ZL2s6Rn|Ej1Zt(oRwH zM*rk_pz-l9Ojg{FTYrY~hKfKpvV)=AY;}U&XJmuhfH`}4uPu%C>77qEPoF7y-Za_c z(t27O!$ekjQP={ngEG4E!p^g*Z?qIbvgJ?zhq?n8elyEJt0|KZmIiuJ@C`t`qEoYa 