From c9fb9f514d1f96b6ef6cd001c1590b8caf7bbbf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 27 Feb 2020 23:48:36 +0100 Subject: [PATCH 01/34] update regarding modules, lint and expand puppet manifest. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../linux-install-with-puppet.md | 89 +++++++++++-------- 1 file changed, 54 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index a27c84b264..8d3546f71d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -1,6 +1,6 @@ --- title: Deploy Microsoft Defender ATP for Linux with Puppet -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -48,7 +48,7 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - + ```bash $ ls -l total 8 
@@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server. +You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* module available from puppetlabs, and assumes that the modules has been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: 
@@ -86,44 +86,63 @@ In order to preview new features and provide early feedback, it is recommended t Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. -In the below commands, replace *[distro]* and *[version]* with the information you've identified: - -> [!NOTE] -> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”. - ```puppet -class install_mdatp { +# Puppet manifest to install Microsoft Defender ATP. +# @param channel The release channel based on your environment, insider-fast or prod. +# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL and CentOS 8, the distro variable should be 'rhel'. +# @param version The Linux distribution release number, e.g. 7.4. - if ($osfamily == 'Debian') { - apt::source { 'microsoftpackages' : - location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS - release => '[channel]', - repos => 'main', - key => { - 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', - 'server' => 'https://packages.microsoft.com/keys/microsoft.asc', - }, +class install_mdatp ( +$channel = 'insiders-fast', +$distro = undef, +$version = undef +){ + case $::osfamily { + 'Debian' : { + apt::source { 'microsoftpackages' : + location => "https://packages.microsoft.com/${distro}/${version}/prod", + release => $channel, + repos => 'main', + key => { + 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', + 'server' => 'keyserver.ubuntu.com', + }, + } } - } - else { - yumrepo { 'microsoftpackages' : - baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS - enabled => 1, - gpgcheck => 1, - gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + 'RedHat' : { + yumrepo { 'microsoftpackages' : + baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}", + enabled => 1, + gpgcheck => 1, + gpgkey => 
'https://packages.microsoft.com/keys/microsoft.asc' + } } + default : { fail("${::osfamily} is currently not supported.") } } - package { 'mdatp': - ensure => 'installed', - } + case $::osfamily { + /(Debian|RedHat)/: { + file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: + ensure => directory, + owner => root, + group => root, + mode => '0755' + } - file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: - ensure => directory, - } - file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - mode => "0644", - source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', + file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': + source => 'puppet:///modules/mdatp/mdatp_onboard.json', + owner => root, + group => root, + mode => '0600', + require => File['/etc/opt/microsoft/mdatp'] + } + + package { 'mdatp': + ensure => 'installed', + require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json'] + } + } + default : { fail("${::osfamily} is currently not supported.") } } } ``` From 3cd4b978284ae2426ccc99497616efcd1cd58ee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 2 Mar 2020 14:38:53 +0100 Subject: [PATCH 02/34] ensure yum repo name is set. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../microsoft-defender-atp/linux-install-with-puppet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 8d3546f71d..8df482dee0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -112,6 +112,7 @@ $version = undef 'RedHat' : { yumrepo { 'microsoftpackages' : baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}", + descr => "packages-microsoft-com-prod-${channel}", enabled => 1, gpgcheck => 1, gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' @@ -181,7 +182,7 @@ orgId : "[your organization identifier]" You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: ```bash -$ mdatp --health healthy +mdatp --health healthy ``` The above command prints `1` if the product is onboarded and functioning as expected. From d8d429c7a4ab078e8f875e63719b08aaa2c6d3fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 3 Mar 2020 10:16:00 +0100 Subject: [PATCH 03/34] have plural MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 8df482dee0..dc915e32dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* module available from puppetlabs, and assumes that the modules has been installed on your Puppet server. +You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: From 0635b72adb2c0810d098b3b793f7bdededcd3c94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 4 Mar 2020 10:04:53 +0100 Subject: [PATCH 04/34] the missing comma MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index dc915e32dd..7fc4188c73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -89,7 +89,7 @@ Note your distribution and version and identify the closest entry for it under ` ```puppet # Puppet manifest to install Microsoft Defender ATP. # @param channel The release channel based on your environment, insider-fast or prod. -# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL and CentOS 8, the distro variable should be 'rhel'. +# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'. # @param version The Linux distribution release number, e.g. 7.4. class install_mdatp ( From 0122e4c86950066ba8b1fab7f790fc29d6d43a48 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 30 Mar 2020 15:06:35 -0700 Subject: [PATCH 05/34] trying to br to make a paragraph break --- .../windows-defender-smartscreen-available-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 0dabbdb3b1..5f698f3d30 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen From ad399f5d23bd3bb245fba29b142802c1d6b54131 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 30 Mar 2020 15:18:05 -0700 Subject: [PATCH 06/34] Update windows-defender-smartscreen-available-settings.md --- .../windows-defender-smartscreen-available-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 5f698f3d30..2ca7300134 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen From c47d346ed95aa2dfcb3e1f30406807e7ab7475ca Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 30 Mar 2020 15:56:36 -0700 Subject: [PATCH 07/34] Update windows-defender-smartscreen-available-settings.md --- .../windows-defender-smartscreen-available-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 2ca7300134..150df52cc5 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen From 7a71dbb1fab8ed191f848b047471d3814f2d8111 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Mon, 6 Apr 2020 13:53:05 -0700 Subject: [PATCH 08/34] Create vpn-office-365-optimization.md --- .../vpn/vpn-office-365-optimization.md | 668 ++++++++++++++++++ 1 file changed, 668 insertions(+) create mode 100644 windows/security/identity-protection/vpn/vpn-office-365-optimization.md diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md new file mode 100644 index 0000000000..54f8217aba --- /dev/null +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -0,0 +1,668 @@ +--- +title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +author: kelleyvice-msft +ms.localizationpriority: medium +ms.date: 04/06/2020 +ms.reviewer: +manager: dansimp +ms.author: jajo +--- + +# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client + +As the COVID-19 pandemic has unfolded, the Office 365 Network team have seen a large influx of questions from customers around how best to optimize their Office 365 connectivity as they work diligently to plan for a large amount of their userbase suddenly working from home. As a result, they wrote the following documentation on how to quickly optimize network traffic for Office 365: [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel). + +Customers have consequently asked how to configure these recommendations for the **native Windows 10 VPN client** such that they can optimise Office 365 usage whilst still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface whilst still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimise categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. 
For cloud-services like Office 365, this makes a huge difference to performance and usability for remote users. + +>[!NOTE] +>The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). + +## Solution Overview + +The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). + +Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). 
+ +To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: + +```xml +ForceTunnel +``` + +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the section as follows: + +```xml + +

[IP addresses or subnet]
+ [IP Prefix] + true + +``` + +Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate section for each required exclusion. + +An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: + +```xml + + + ForceTunnel + + +
203.0.113.0
+ 24 + true +
+ +
198.51.100.0
+ 22 + true +
+
+``` + +Note: The above IP addresses and prefixes are used purely as examples only and should not be used. + +## Solution Deployment + +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimise categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. + +This can be achieved manually by adding the IP addresses defined within the optimise category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. 
+ +<# +.SYNOPSIS + Applies or updates recommended Office 365 optimise IP address exclusions to an existing force tunnel Windows 10 VPN profile +.DESCRIPTION + Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges + Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) + Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name +.PARAMETERS + Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +param ( + [string]$VPNprofilefile +) + +$usage=@" + +This script uses the following parameters: + +VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file + +EXAMPLES + +To check a VPN profile Powershell script file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE] + +To check a VPN profile XML file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE] + +"@ + +# Check if filename has been provided # +if ($VPNprofilefile -eq "") +{ + Write-Host "`nWARNING: You must specify either a Powershell script or XML filename!" -ForegroundColor Red + + $usage + exit +} + +$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile) + +# Check if XML file exists and is a valid XML file # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + if ( Test-Path $VPNprofilefile ) + { + $xml = New-Object System.Xml.XmlDocument + try + { + $xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName) + + } + catch [System.Xml.XmlException] + { + Write-Verbose "$VPNprofilefile : $($_.toString())" + Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" 
-ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red + $usage + exit + } +} + +# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + if ( (Test-Path $VPNprofilefile) ) + { + if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") ) + { + Write-Host "`nWARNING: Powershell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: Powershell script file does not exist or cannot be found!"-ForegroundColor Red + $usage + exit + } +} + +# Define Office 365 endpoints and service URLs # +$ws = "https://endpoints.office.com" +$baseServiceUrl = "https://endpoints.office.com" + +# Path where client ID and latest version number will be stored # +$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt" + +# Fetch client ID and version if data file exists; otherwise create new file # +if (Test-Path $datapath) +{ + $content = Get-Content $datapath + $clientRequestId = $content[0] + $lastVersion = $content[1] + +}else +{ + $clientRequestId = [GUID]::NewGuid().Guid + $lastVersion = "0000000000" + @($clientRequestId, $lastVersion) | Out-File $datapath +} + +# Call version method to check the latest version, and pull new data if version number is different # +$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId) + +if ($version[0].latest -gt $lastVersion) +{ + + Write-Host + Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" 
-ForegroundColor Cyan + + # Write the new version number to the data file # + @($clientRequestId, $version[0].latest) | Out-File $datapath +} + +# Invoke endpoints method to get the new data # +$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId" + +# Invoke endpoints method to get the data for the VPN profile comparison # +$endpointSets = Invoke-RestMethod -Uri ($uri) +$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" } +$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique + +# Temporarily include additional IP address until Teams client update is released +$optimizeIpsv4 += "13.107.60.1/32" + +# Process PowerShell script file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan + + # Clear Variables to allow re-run testing # + + $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file # + $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimise list # + $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile Powershell file # + + # Extract the Profile XML from the ps1 file # + + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with the optimise list # + + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNprofilexml=""+$xmlbody+"" + + # Loop through each address found in VPNPROFILE XML section # + foreach ($Route in $VPNprofilexml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + [array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimise address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion 
route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + [int32]$insline=0 + + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match "") + { + $insline += $i # Record the position of the line after the NativeProfile section ends # + } + } + $OFS = "`r`n" + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $InpFile[$insline] += $OFS+" " + $InpFile[$insline] += $OFS+"
"+$IPInfo[0].Trim()+"
" + $InpFile[$insline] += $OFS+" "+$IPInfo[1].Trim()+"" + $InpFile[$insline] += $OFS+" true" + $InpFile[$insline] += $OFS+"
" + } + # Update fileName and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + +if ( $In_VPN_Only.Count -gt 0 ) +{ + Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $Outfile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr="
"+$IPInfo[0].Trim()+"
" + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + [int32]$insline=0 + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match $matchstr) + { + $insline += $i # Record the position of the line for the string match # + } + } + # Remove entries from XML # + $InpFile[$insline-1]="REMOVETHISLINE" + $InpFile[$insline]="REMOVETHISLINE" + $InpFile[$insline+1]="REMOVETHISLINE" + $InpFile[$insline+2]="REMOVETHISLINE" + $InpFile[$insline+3]="REMOVETHISLINE" + $InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"} + + # Update filename and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} + +# Process XML file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan + + # Clear variables to allow re-run testing # + $ARRVPN=$null # Array to hold VPN addresses from the XML file # + $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimise list # + $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # + + # Extract the Profile XML from the XML file # + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with optimise list # + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNRulesxml="$xmlbody" + + # Loop through each address found in VPNPROFILE file # + foreach ($Route in $VPNRulesxml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + 
[array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimise address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $inspoint = $Inpfile[0].IndexOf(""+$IPInfo[0].Trim()+""+""+$IPInfo[1].Trim()+""+"true"+"" + } + $Inpfile = $Inpfile[0].Insert($inspoint,$routes) + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green + + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + + if ( $In_VPN_Only.Count -gt 0 ) + { + Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $OutFile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr=""+"
"+$IPInfo[0].Trim()+"
"+""+$IPInfo[1].Trim()+""+"true"+"
" + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + # Remove unknown IP address(es) # + $inspoint = $Inpfile[0].IndexOf($matchstr) + $Inpfile[0] = $Inpfile[0].Replace($matchstr,"") + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} +``` + +## Version Support + +This solution is supported with the following versions of Windows: + +- Windows 10 1903/1909 and newer: Included, no action needed +- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) +- Windows 10 1709 and lower: Exclusion routes are not supported + +- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported +- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported + +Microsoft strongly recommends that the latest Windows 10 cumulative update always be applied. + +## Other Considerations + +You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples. 
+ +## Examples + +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. + +<# +.SYNOPSIS + Configures an AlwaysOn IKEv2 VPN Connection using a basic script +.DESCRIPTION + Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunnelling +.PARAMETERS + Parameters are defined in a ProfileXML object within the script itself +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +<#-- Define Key VPN Profile Parameters --#> +$ProfileName = 'Contoso VPN with Office 365 Exclusions' +$ProfileNameEscaped = $ProfileName -replace ' ', '%20' + +<#-- Define VPN ProfileXML --#> +$ProfileXML = ' + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contsoso.com/proxy.pac + +
' + +<#-- Convert ProfileXML to Escaped Format --#> +$ProfileXML = $ProfileXML -replace '<', '<' +$ProfileXML = $ProfileXML -replace '>', '>' +$ProfileXML = $ProfileXML -replace '"', '"' + +<#-- Define WMI-to-CSP Bridge Properties --#> +$nodeCSPURI = './Vendor/MSFT/VPNv2' +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_VPNv2_01" + +<#-- Define WMI Session --#> +$session = New-CimSession + +<#-- Detect and Delete Previous VPN Profile --#> +try +{ + $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options) + foreach ($deleteInstance in $deleteInstances) + { + $InstanceId = $deleteInstance.InstanceID + if ("$InstanceId" -eq "$ProfileNameEscaped") + { + $session.DeleteInstance($namespaceName, $deleteInstance, $options) + $Message = "Removed $ProfileName profile $InstanceId" + Write-Host "$Message" + } else { + $Message = "Ignoring existing VPN profile $InstanceId" + Write-Host "$Message" + } + } +} +catch [Exception] +{ + $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_" + Write-Host "$Message" + exit +} + +<#-- Create VPN Profile --#> +try +{ + $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key') + $newInstance.CimInstanceProperties.Add($property) + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key') + $newInstance.CimInstanceProperties.Add($property) + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property') + $newInstance.CimInstanceProperties.Add($property) + + $session.CreateInstance($namespaceName, $newInstance, $options) + $Message = "Created $ProfileName profile." 
+ Write-Host "$Message" + Write-Host "$ProfileName profile summary:" + $session.EnumerateInstances($namespaceName, $className, $options) +} +catch [Exception] +{ + $Message = "Unable to create $ProfileName profile: $_" + Write-Host "$Message" + exit +} + +$Message = "Script Complete" +Write-Host "$Message" + +``` + +An example of an Intune-ready XML file that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: + +```xml +_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ +``` From 42f39c854e6c84add34bdd95caaff2602e602852 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Mon, 6 Apr 2020 15:29:28 -0700 Subject: [PATCH 09/34] Update vpn-office-365-optimization.md Various revisions --- .../vpn/vpn-office-365-optimization.md | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 54f8217aba..4f6cd4a450 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
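Review bot: in the new-file hunk that ends just above the PATCH 09/34 header, the Examples script passes `$options` to `EnumerateInstances`, `DeleteInstance` and `CreateInstance`, but nothing in the script assigns it, so every call receives `$null`. Either create it next to `$session` (for example `$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions`) or drop the argument. In the same hunk, the .ps1 removal loop records the match with `$insline += $i`, which sums the indices when more than one line matches and then blanks `$insline-1` through `$insline+3` at the wrong position; assign `$insline = $i` and `break`, or handle multiple matches explicitly. The PAC URL is also spelled `webproxy.corp.contsoso.com` in both the script and the Intune XML, while every other host uses `contoso.com`.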
@@ -15,9 +15,9 @@ ms.author: jajo # Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client -As the COVID-19 pandemic has unfolded, the Office 365 Network team have seen a large influx of questions from customers around how best to optimize their Office 365 connectivity as they work diligently to plan for a large amount of their userbase suddenly working from home. As a result, they wrote the following documentation on how to quickly optimize network traffic for Office 365: [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel). +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -Customers have consequently asked how to configure these recommendations for the **native Windows 10 VPN client** such that they can optimise Office 365 usage whilst still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface whilst still forcing all other traffic via the VPN interface. 
Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimise categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference to performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. >[!NOTE] >The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). @@ -66,13 +66,14 @@ An example of a correctly formatted Profile XML configuration for force tunnel w
``` -Note: The above IP addresses and prefixes are used purely as examples only and should not be used. +>[!NOTE] +>The IP addresses and prefix size values in this example are used purely as examples only and should not be used. ## Solution Deployment -For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimise categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. -This can be achieved manually by adding the IP addresses defined within the optimise category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
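Review bot: the reworded sentence in this hunk still ends with "to ensure the addresses ranges are always used", which is ungrammatical and does not say which ranges; something like "to ensure the current address ranges are always used" would state the intent. The new note also keeps the doubled "purely as examples only", and the hunk normalises "optimise" to "optimize" while leaving "tunnelling" in British spelling, so pick one convention for the article.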
@@ -85,7 +86,7 @@ This can be achieved manually by adding the IP addresses defined within the opti <# .SYNOPSIS - Applies or updates recommended Office 365 optimise IP address exclusions to an existing force tunnel Windows 10 VPN profile + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile .DESCRIPTION Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) @@ -110,7 +111,7 @@ VPNprofilefile - The full path and name of the VPN profile PowerShell script or EXAMPLES -To check a VPN profile Powershell script file: +To check a VPN profile PowerShell script file: Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE] @@ -123,7 +124,7 @@ Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND # Check if filename has been provided # if ($VPNprofilefile -eq "") { - Write-Host "`nWARNING: You must specify either a Powershell script or XML filename!" -ForegroundColor Red + Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red $usage exit 
@@ -164,13 +165,13 @@ if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") { if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") ) { - Write-Host "`nWARNING: Powershell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red + Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red $usage exit } }else { - Write-Host "`nWARNING: Powershell script file does not exist or cannot be found!"-ForegroundColor Red + Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red $usage exit } @@ -229,14 +230,14 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") # Clear Variables to allow re-run testing # $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file # - $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimise list # - $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile Powershell file # + $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list # + $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file # # Extract the Profile XML from the ps1 file # $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' - # Create xml format variable to compare with the optimise list # + # Create xml format variable to compare with the optimize list # $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' [xml]$VPNprofilexml=""+$xmlbody+"" @@ -248,7 +249,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") [array]$ARRVPN=$ARRVPN+$VPNIP } - # In optimise address list only # + # In optimize address list only # $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} # In VPN list only # 
@@ -283,7 +284,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1" $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName $InpFile | Set-Content $OutFile - Write-Host "Exclusion routes have been added to VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green }else { Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green @@ -323,7 +324,7 @@ if ( $In_VPN_Only.Count -gt 0 ) $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName $Inpfile | Set-content $OutFile - Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green }else { 
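Review bot: the second hunk here only fixes the casing in the Write-Host message, but the context line above it still builds the output name with `(Get-Item $VPNprofilefile).Basename + "-NEW.xml"` in the .ps1 branch, while the message says the result went to a separate PowerShell script file and the add-routes branch in the previous hunk writes "-NEW.ps1". Change the suffix to "-NEW.ps1" in this patch so the removal path writes the file the message describes.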
@@ -340,13 +341,13 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") # Clear variables to allow re-run testing # $ARRVPN=$null # Array to hold VPN addresses from the XML file # - $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimise list # + $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list # $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # # Extract the Profile XML from the XML file # $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' - # Create xml format variable to compare with optimise list # + # Create xml format variable to compare with optimize list # $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' [xml]$VPNRulesxml="$xmlbody" @@ -357,7 +358,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") [array]$ARRVPN=$ARRVPN+$VPNIP } - # In optimise address list only # + # In optimize address list only # $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} # In VPN list only # From c22a1b44aed424739b1995b64868553304905ef5 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Mon, 6 Apr 2020 16:00:28 -0700 Subject: [PATCH 10/34] Update vpn-office-365-optimization.md Updates from jajo --- .../identity-protection/vpn/vpn-office-365-optimization.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 4f6cd4a450..a8f7c610b6 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -26,7 +26,7 @@ This can be achieved for the native/built-in Windows 10 VPN client using a _Forc The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). -Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). +Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: 
@@ -75,6 +75,8 @@ For Office 365, it is therefore necessary to add exclusions for all IP addresses This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the documentation in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial script. + ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. # @@ -662,7 +664,7 @@ Write-Host "$Message" ``` -An example of an Intune-ready XML file that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: ```xml _truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ From df708e9238eb2d996faddcb38a79d53d015188e0 Mon Sep 17 00:00:00 2001 From: "Jason Jones (MSFT)" Date: Tue, 7 Apr 2020 01:07:54 +0100 Subject: [PATCH 11/34] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index a8f7c610b6..4d5d2a8164 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -437,7 +437,7 @@ This solution is supported with the following versions of Windows: - Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported - Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported -Microsoft strongly recommends that the latest Windows 10 cumulative update always be applied. +Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied. ## Other Considerations @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. From 2421f6eb9762f33c9b95288f85d0e2d0b4f643d9 Mon Sep 17 00:00:00 2001 
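Review bot: in PATCH 10/34, the sentence added at @@ -75,6 +75,8 @@ introduces the fenced block that follows as a script that creates a force tunnel VPN connection, but that block is the update script whose synopsis reads "Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile". It also directly follows the paragraph that already introduces "the following script". Move the new sentence to the Examples section, where the creation script lives, or reword it to point there.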
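Review bot: in PATCH 11/34, the replacement line under ## Examples misspells "initial" as "inittial" ("to create the inittial PowerShell script"); fix the typo before merging.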
From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 08:43:37 -0700 Subject: [PATCH 12/34] Update windows/security/identity-protection/vpn/vpn-office-365-optimization.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index a8f7c610b6..94d87e5d5d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -19,8 +19,8 @@ This article describes how to configure the recommendations in the article [Opti This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. ->[!NOTE] ->The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). +> [!NOTE] +> The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). ## Solution Overview From 7f59fbfca021838f4ed57d5eed29b243bc88de79 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 08:43:46 -0700 Subject: [PATCH 13/34] Update windows/security/identity-protection/vpn/vpn-office-365-optimization.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 94d87e5d5d..5c5d6ccd76 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -66,8 +66,8 @@ An example of a correctly formatted Profile XML configuration for force tunnel w
``` ->[!NOTE] ->The IP addresses and prefix size values in this example are used purely as examples only and should not be used. +> [!NOTE] +> The IP addresses and prefix size values in this example are used purely as examples only and should not be used. ## Solution Deployment From 142072d917445e1e6bf7c1150e47000eb0c9c5a4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 Apr 2020 10:03:08 -0700 Subject: [PATCH 14/34] Added a note --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 959f35a071..8053b57d73 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/24/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp @@ -149,6 +149,8 @@ where: The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured. +> [!Note] +> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example. From 14cf38326b4766666fbc8737b898e1bc3d99361d Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:12:22 -0700 Subject: [PATCH 15/34] Update vpn-office-365-optimization.md Updates per feedback --- .../vpn/vpn-office-365-optimization.md | 133 +++++++++++++++++- 1 file changed, 127 insertions(+), 6 deletions(-) 
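Review bot: in PATCH 14/34 (policy-csp-restrictedgroups.md), the added alert is written `> [!Note]`, while the alerts touched elsewhere in this series use `> [!NOTE]`; use the upper-case form for consistency. "does not have a MemberOf functionality" also reads better without the article ("does not have MemberOf functionality").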
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index cc51ad08ac..e5f40a37e2 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/06/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp ms.author: jajo 
@@ -28,13 +28,13 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: +To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel ``` -In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the section as follows: +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows: ```xml 
@@ -44,7 +44,7 @@ In order to define specific force tunnel exclusions, you then need to add the fo ``` -Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate section for each required exclusion. +Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion. An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
@@ -667,5 +667,126 @@ Write-Host "$Message" An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ + + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contsoso.com/proxy.pac + +
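Review bot: The proxy auto-configuration URL on the last added line of the `@@ -667,5 +667,126 @@` hunk is `http://webproxy.corp.contsoso.com/proxy.pac`, which misspells the `contoso.com` domain used by every other host in the same profile (`corp.contoso.com`, `edge1.contoso.com`) and fetches the PAC file over plain HTTP. This is the sample readers will copy, so correct the host name and use an `https://` URL; a PAC file served over HTTP can be altered in transit and then decides where the client's traffic is sent. The same typo is in the removed one-line version, so this reformat is the natural place to fix it.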
``` From 0aefce7eb4ccc882a25bfe74b7c1ff2ec2f195d5 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:19:46 -0700 Subject: [PATCH 16/34] Update vpn-office-365-optimization.md reverted xml for Intune formatting, added note --- .../vpn/vpn-office-365-optimization.md | 128 +----------------- 1 file changed, 5 insertions(+), 123 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index e5f40a37e2..381f6eb333 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -664,129 +664,11 @@ Write-Host "$Message" ``` -An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. + +>[!NOTE] +>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml - - true - corp.contoso.com - true - corp.contoso.com - - edge1.contoso.com - ForceTunnel - IKEv2 - - Certificate - - - -
13.107.6.152
- 31 - true -
- -
13.107.18.10
- 31 - true -
- -
13.107.128.0
- 22 - true -
- -
23.103.160.0
- 20 - true -
- -
40.96.0.0
- 13 - true -
- -
40.104.0.0
- 15 - true -
- -
52.96.0.0
- 14 - true -
- -
131.253.33.215
- 32 - true -
- -
132.245.0.0
- 16 - true -
- -
150.171.32.0
- 22 - true -
- -
191.234.140.0
- 22 - true -
- -
204.79.197.215
- 32 - true -
- -
13.107.136.0
- 22 - true -
- -
40.108.128.0
- 17 - true -
- -
52.104.0.0
- 14 - true -
- -
104.146.128.0
- 17 - true -
- -
150.171.40.0
- 22 - true -
- -
13.107.60.1
- 32 - true -
- -
13.107.64.0
- 18 - true -
- -
52.112.0.0
- 14 - true -
- -
52.120.0.0
- 14 - true -
- - http://webproxy.corp.contsoso.com/proxy.pac - -
+_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
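Review bot: The callout added at the top of the `@@ -664,129 +664,11 @@` hunk is written `>[!NOTE]` with no space after `>`, while [PATCH 13/34] changed the note in this same file to `> [!NOTE]`; use the spaced form here as well. The note text says the XML "cannot contain any carriage returns or whitespace" but not what fails if it does, so a reader who pretty-prints the profile to review the exclusion routes gets no hint of the consequence; state it. Dropping the period for "create the initial XML file." and moving the colon away also leaves the code block without a lead-in sentence directly above it.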
_ ``` From b77781017a9c44d9d022670a8ff8c5abe3eb8810 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 14:52:38 -0700 Subject: [PATCH 17/34] Update test-scenarios-wd-app-guard.md --- .../test-scenarios-wd-app-guard.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 6f9c6ff4ff..63d54a2991 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/15/2019 ms.reviewer: manager: dansimp ms.custom: asr @@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i You can see how an employee would use standalone mode with Application Guard. -**To test Application Guard in Standalone mode** +### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. 
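Review bot: The front-matter hunk (`@@ -8,7 +8,6 @@`) deletes `ms.date: 03/15/2019` instead of updating it, whereas the other documentation patches in this series bump `ms.date` to `04/07/2020` (policy-csp-restrictedgroups.md and vpn-office-365-optimization.md). If dropping the field is intended, say so in the commit message, which currently reads only "Update test-scenarios-wd-app-guard.md"; otherwise set the new date.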
@@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window 6. Start Microsoft Edge and type www.microsoft.com. - After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) -7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. +7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. @@ -169,7 +168,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. **Applies to:** - Windows 10 Enterpise edition, version 1803 From b46e44a835c9becc724243fb81df395f1455cc87 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 7 Apr 2020 15:16:38 -0700 Subject: [PATCH 18/34] update arcsight --- windows/security/threat-protection/TOC.md | 2 +- .../configure-arcsight.md | 26 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index cc66e6e688..17bf4fe48e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -583,7 +583,7 @@ ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) -##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) +##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 0b7d271c77..c714e0a848 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md 
@@ -1,7 +1,7 @@ --- -title: Configure HP ArcSight to pull Microsoft Defender ATP detections -description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center -keywords: configure hp arcsight, security information and events management tools, arcsight +title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center +keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure HP ArcSight to pull Microsoft Defender ATP detections +# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections **Applies to:** 
@@ -28,14 +28,14 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections. +You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections. >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. +Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -50,7 +50,7 @@ This section guides you in getting the necessary information to set and use the - WDATP-connector.properties - WDATP-connector.jsonparser.properties - You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization. + You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization. - Make sure you generate the following tokens and have them ready: - Access token 
@@ -58,7 +58,7 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight FlexConnector +## Install and configure Micro Focus ArcSight FlexConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. @@ -117,7 +117,7 @@ The following steps assume that you have completed all the required steps in [Be
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. +7. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. 8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. @@ -137,7 +137,7 @@ The following steps assume that you have completed all the required steps in [Be 16. Finish the installation by selecting **Exit** and **Next**. -## Install and configure the HP ArcSight console +## Install and configure the Micro Focus ArcSight console 1. Follow the installation wizard through the following tasks: - Introduction - License Agreement @@ -158,18 +158,18 @@ The following steps assume that you have completed all the required steps in [Be 7. Click **Done** to quit the installer. -8. Login to the HP ArcSight console. +8. Login to the Micro Focus ArcSight console. 9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**. 10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. -You can now run queries in the HP ArcSight console. +You can now run queries in the Micro Focus ArcSight console. Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. -## Troubleshooting HP ArcSight connection +## Troubleshooting Micro Focus ArcSight connection **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`. **Symptom:** You get the following error message: 
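Review bot: The rename stops short in the FlexConnector section: under the new `## Install and configure Micro Focus ArcSight FlexConnector` heading, step 1 still tells the reader to find the installer "in the HPE Software center", so the page now names two vendors for one product; update that sentence in the same change. Two leftovers in the touched steps are worth fixing while here: the list has two items numbered 7 ("7. A browser window is opened by the connector." and "7. Continue with the connector setup"), and the closing paragraph gives the device name as "Windows Defender ATP" with mismatched quotation marks while step 10 sets **Device Product = Microsoft Defender ATP**, which matters to anyone building a filter on that field.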
From e1d67beba3519bbd6953214fe8adfcb2b3c4a3df Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 15:22:39 -0700 Subject: [PATCH 19/34] Update vpn-office-365-optimization.md minor edits --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 381f6eb333..e7df3d7fa3 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -26,7 +26,7 @@ This can be achieved for the native/built-in Windows 10 VPN client using a _Forc The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). -Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). +Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: 
@@ -664,7 +664,7 @@ Write-Host "$Message" ``` -An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. >[!NOTE] >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. From 6bba322b67448e7db0f22364c2662c4dfdeeec93 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 15:47:34 -0700 Subject: [PATCH 20/34] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 11045f435f..dc55264dec 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md 
@@ -28,7 +28,7 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi ## Prepare for Windows Defender Application Guard Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. -**Standalone mode** +### Standalone mode Applies to: - Windows 10 Enterprise edition, version 1709 or higher @@ -36,7 +36,7 @@ Applies to: Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario. -**Enterprise-managed mode** +## Enterprise-managed mode Applies to: - Windows 10 Enterprise edition, version 1709 or higher 
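Review bot: The two mode headings end up at different levels: `**Standalone mode**` becomes `### Standalone mode` in the `@@ -28,7 +28,7 @@` hunk, but `**Enterprise-managed mode**` becomes `## Enterprise-managed mode` in the `@@ -36,7 +36,7 @@` hunk. Both are sub-topics of `## Prepare for Windows Defender Application Guard`, so the second should also be `###`; as written, Enterprise-managed mode is promoted to a sibling of the Prepare section and the outline breaks.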
@@ -47,9 +47,11 @@ The following diagram shows the flow between the host PC and the isolated contai ![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) ## Install Application Guard -Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. -**To install by using the Control Panel** +Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +### To install by using the Control Panel + 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) @@ -58,12 +60,11 @@ Application Guard functionality is turned off by default. However, you can quick Application Guard and its underlying dependencies are all installed. -**To install by using PowerShell** +### To install by using PowerShell >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. - 1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. 
@@ -79,3 +80,14 @@ Application Guard functionality is turned off by default. However, you can quick Application Guard and its underlying dependencies are all installed. +### To install by using Intune + +> [!IMPORTANT] +> Make sure your organization's devices are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). + +1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. + +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. + +3. + From bc9ff07b62bcb038d3a4efc0670be66bc762be9c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 15:52:58 -0700 Subject: [PATCH 21/34] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index dc55264dec..2456b17225 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -87,7 +87,17 @@ Application Guard functionality is turned off by default. However, you can quick 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. -2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
-3. + a. In the **Platform** list, select **Windows 10 and later**. + + b. In the **Profile** list, select **Endpoint protection**. + + c. Choose **Create**. + +4. Specify the following settings for the profile: + + - **Name** and **Description** + + - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**. From fdda31c6ce313682464c63c0f9ee813bb9278f8a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 15:53:41 -0700 Subject: [PATCH 22/34] Create MDAG-EndpointMgr-newprofile.jpg --- .../images/MDAG-EndpointMgr-newprofile.jpg | Bin 0 -> 93564 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg 
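Review bot: The numbered steps in the Intune procedure skip from 2 to 4 in the `@@ -87,7 +87,17 @@` hunk of install-wd-app-guard.md ([PATCH 21/34]): the empty `3.` is removed, but the next step is added as `4. Specify the following settings for the profile:`; renumber it to 3. The new step also names the category **Microsoft Defender Application Guard** while the rest of the page says Windows Defender Application Guard; if that is the label shown in the portal, say so, otherwise align the name. The procedure as added stops after choosing the category, so mention in the commit message if the remaining steps follow in a later patch.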
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg new file mode 100644 index 0000000000000000000000000000000000000000..428f96e9b55e4a71bc9514bf9b27e39bb6e02795 GIT binary patch literal 93564
zyr~ODf*kz3-app#LPyl8C+SNcYMY4G;dUonf<|&!)@aAzv(i;REjNcpW>Z!I2b$hEVdH^mRHDOt$4ss_t4)!m=g@&=+i}`|O;-vKS3uZN< z>W5`e6@RL_A$LoI7;?%hv(!s5&`7FaywMSQU!Aj{uaq{88!^hC?Q3m&NYZ9;S-XDv z@lZ$}2cMNGHv}0hEK+`#r^}&tT(5Qd?A1XFN-4~8b-t;u&_A%)13Hg{wb5Ph_I`nz zNWD>d4_1u7wLKfQz3C;mhsRPzDmD?MH~WIxE5A^pv)ryVZT!VUT8OH<*RzKQR{~SU zzWm;I0^}T{bAFOUrBnaw1CQszn%n!ZV8bRFv z8Z1leep)^O?@|UcP2ARdXS9Ag$IZQ)qob4R?Qr3coNME@i!k|Yv~#83@T`xsI?Lt@ zqM$&H_&lu{eg?IjSVhkBHI6P!sXN^O-z1?G>=X|S=B&G)ukoQQ5Cc)MoUY2Ov>K@xyNrbuXYAf zOvUmldU?8oa8bwl9y@*Nlsx-q#MhOHdM2Uu44Dwn-Jbqm2ld12ifuM%&Qw$?Ut#_zGEC$eoN>=#YfXMa| zzf-qAm*0MGc>10(JU_@q!j)HvfL)LA(jV1B`2Y+zHvZ!0jx^q|qxxoG0GUHHUl^M? zZa9BYXLye6k+x(!AyJ$l##mmtPp*JTs8m;=W#Mdmfu+m>@d;DqM3>Ce;A-%P-FLn4x({94tb?zePT7u7dL?Fnw)-2w0J6JS$e17sHVXfO%mzqV++O; zPdK;l9mPVeiae&WRFaZ($~l*e3KeM%uk4br{ZuxtJwNH5kZSa+W?}hIB!-%=t8ZFt zrDj|!>bc*`BfkJy#jG=BXw35P;20r@B|e_LzpM?48E07ni*9@A=qgTYIK*hc^waX# z!e!C;=IG?k-29~rCwP7);3<3sGDq>4xY5hxd@0R=FUgiINSk5JQfVojxrs=tBq2SY zX{pb~Gmt`ktKhwHU`HZte=ecX_*tvj48)nBTlx~&YctDUG5(*dwvJMZtr+ffgNR>`{nyTY&?{x#$G z4rcW1(9x9v-r$sXnk8XmdUo;}gV}fSC1-(!vnNpO5=TCQL=I&IcANMb+=u!4`ZTzEeN5ipTdeBoveO_gofK$y4EbaPCIj z-P-W2b@%px0-jS%lbw}#dy*#blMG}gNIczcBc8!P6~1L3Z~H^)iPpE?M){etxW$#Y z=GwS!K!l;)wRC_k-@4kSFQVl{z!uVf9#hWVJ(e9;!L>8ENJg{+c*ce<#?UFw4uMCN ziG;Ny>%tUksCWhYi37wzA9}zq6oNIlUze^O&^W%!iy8G&%4z^u^%YroiG`GThXK29 zt4pr(jM6O7j3MbLbGr<5k#COlr`)jXg(0E};T`UKqNn1)Mz1?)l1}!V;1A!b=@OSj z_D)8AqNlu7{eY*;Js(2Hhd^Z$K^A{f?Oi_oGQ12?C7>MiOn4fG8%1zZH*7Uy05^yq z0yqmpckYdbYOp2t%Y6(ec?)4rG-ePA^7-)9;;~1j3M(jg?C7kz*rq0W;0vu(mh-ad zj1srKE{iB5kc|~0e}~>&>-;-b;xS7G@PGS9{NO8Hj!V6J9_Way3-Oo0F^u#E=oJ}9 zH(T5QqiQNPfw0b`OvY%l^;d9JH%4+`td7Mu6b?LLtP;MJ&cpc;H2t?qBrKHvv{2-Lud6RbLjiUr0wh9 z^7yL%&kcHUY*@9AUfAKTD*g97V!r7IMDO-{_1HISr86|4^|iIMR&Eqd)7 ztdz7dKH56k#a!K3A95`|D4{IqpFJ!FlohbDZ_R7NUIi%x-+d{O zx{+HwX826!S3KA$%~i%Z7G}b)M(M*$T!i^>M4;$jwzsmLD{o*rq7J-;spHxDN@=@W zvDw+60S(2gH-N}vV&36PYArS42W^@nkdrp)F{IWxM{LdS+B8on?ytyYDgQoxD+FB4 zRxx>}iViwW$l@7s+ap{hgXxDec2?2|8U%xLL;Yc?=4n!L{8G3pKQ)B|^3cC9#F_t+ 
zlJu@zgB+VYenQq9%ZF@Gzs7ECuO=3X`&4}NrikBT(H^f*3ta(`{oIAo7|@@{SdAm3F^hlBv_~`qbSCA}*Kf^vcOkD0c`y z4%(>|I!G;#19yD@0;56kN^Q0Vn@Op0kL`)S4`I*txJIZqcCQoBm_P-ThpP6R*eYHt zUy*joEu!%XdM}pTrn0kf|A!j?k4%LtwN(ri7nEHgB;%z&K|OctUT0-0B0NuD(hL|> z2$jcH_J)cb81;n1sh@Mv@}`~Z+ID|O1wm70$%@IS6Fv|^SF{;e15dVjuzUW(z->%| z(;dYD^E?l(9lE#xB9U{tsDb!IhGYwFcV`wp;#G3h3y)V5fymf$K~p)3Kn9bFspXjE zHtD3pcBanfbf)aD66!QdHd~t*2z`2qBYO>iZ^bTKEqOP9xmzuT=y$=@yTszkQA=(| zOuw)hQlQ(PeAn+XYUV;X$b^crldQU30q*_$+FYYwQBcZGqoAg^G#5A|+c-a5=V0wp zI%b2aTlA1uRV$J*R9W-3e6caAH4d{)6l^CEBlcjA`5WYpBzqlAGzaoo?J_EqI(YVD z%P{x_JM=kgpQlz5tG1cBV6sb{KNDVYk>RhT_?NW#mWZ0@{KVSTFFfES9U5-X8z4y< zfaHJeD=COMz{wi059lOC^@o5p{U09IymgC@EUo6Gsa28^Wd8PHaER}D^&|y^|Lp*7 z=SgY3c$WCQUZgzMrbNyREW(}VR~GEd<-2qvtOH$;m6Z7&<49fOH9MlZ4UJ!`1` zBm$1&pIDJ)Rd%YhPLjCs+e<-4)R0LO_7a-m%a^l#>LNAS?1>_Z5=k z$lUC8VJX0X`OvG0XVX&X;1MXBLU#kGR7Vn8_rLHmp-+-2{hr>=wJ5ub=Qp~(?(%J^ zHdFtaMB_gK`F|=N{m&a>DWNx+B&p}O7q4g-u{IB*rrmTc&_R^*yX)kn@Z z{bH|&qIhidbe+gldIjnknSJ);?@;=>DvgO)vnR1V_aMV_{gPe9q6ol!Kw?-5OxoQ` zOEGv5BNTDmHbbjdv$YdxoM_m<&cKJ)YsP}+2dZIDjChLfm^R$=Pz&C-3KK{_o)C(tO;TNt| zE{VgUCe=tSXMrg{zDC)y>)4F07p4JEDb}Jm@rT6HAjQ)!x67xE{dXM$7AP7sstNcg6Zzzp)1ubeY?@^SEwKP zs_`dr3AU@d853jENE^=y{(wIA{jP~GU6ocsG4piR(Q7^(zCpHHoRLDmyXi-NVAAux z)nX0#ysdni$<$&ZH77MFxv(}!_0`cb%4&Ed(W(wtrNehYd>fv9X9h3Jqu|?yFP{d7 ztT(N|1I=3kT138KwASaL@g16YI{+1+i6xKwZ*LWWhes@vAETnpJEF^;RcQz&@e}yV zL=wgXc!)LDC4de}xKEAUcN#SKKLJP=F@?;a1&P&#Dk%wT=NX0%^}h(gxATs(ZyjOv zpN%|9>ol@5GLm+i1y4>1oo9bEQZtSy)0Paqn%9XYQ|2YqL7 zlBJJ3E@Iz1R}VzL9G)S#CtwG+r$LobPn4RnyBw2+ceOu9eUR6^{VYg+GGVlCqi1tY&op9SsNpG-^*%^f=qK16J}q!|SwUupD4E-cxWQ#bJx%t*E8zkKN0NKuhAfvSfa zE5~SnrMRb&+nt38`?lL0pynWpa@`F&WiFWU*=;2CRsJ*ihdD-;#T zwCU68A$II61 zT3oRKwey^~2t0jmulXA9i5nntYaFh1^)s_iVByjo1{X&&`EXr!&{Ap?RY9bbEPW?m z`Rw+kA%;j7homKOR0WWld;uf4B;8$ei|#vU{nV7IiR ztU0lLUyUHuXM3?BQZWXtMkt}qnVYk4M;I(lzOVTu^(EsYv*uGq_nhxGS?+cDjol(n?%V2%u1t!v(rXZ%C&^it+p2bmM9;f9?mu-@blFD}>0gaHwg(Y3?O$J) z9&d{u^f%lujhezbeVR-&BEEb}xj`rCE_>|YdGidNsQHHTSG?5`Nsn+;mrGKc 
z+|_Hvq{4bOq;fm>sS1wu^CPERno`%7Y_`SqPLjSFsXmKm%G}^iBni(Awf&L9E+Nvt zZN>ScOBTAU>l%ZEHk&pU%YNpXYw>PPn>D2!-fG@C4>G3lG!MUc-RB3jMBH`zj9jSK zkCbSMFeCtndctSy6LT9#d_L)<(lhn3v8wfQ`2$VY)bTFU~4$*orNOHaPQ(;#mb zS0h6-i#X;+=~64~@uh-N+%TGA>JmBIai>zw5H8QijU7)cH`kaxib`b|QI>GODBg#> z$gM`V$s1s4d_46Ac(3m5{}zruX=$pxN)0lmJD$ii zIp~M9q>db)?Ckb!BIkBb8(agBsKWQRZ?#Hx3>e4{pG3#sbB2h3*ucF}K{kTP3WnZv zC%k|Y@|DZ!Oz=HT{7AL^O?05DW5#|DwCE)z!zyuC;rOA88<8t;D1F9E^SlkwkhaE+ z4Ik^#w>Y5JZ~ ziIMi}v7{A=(*gCA19Neh-75IT20lxBW7!Ftcd~t7X!u*f?;<`Cu;Cv^ZR^$_3^tr<3sNa{NkwB|LU@LA*6~ z-SSOO$DI0#2-4WdSkyeQV5V~r{I&AA3o+^1w@DN?rI`CuJ=~B*ZxZ6P86~l5N6glZ zhr_h*uk8y7=qO^t-9~-DLE88f%cJ%(~UDcX#Oj-rTw}97M1>eu8+62sNu5S$&b^%6Z)z9z~m__k76CcnV}K5 zwF4I42$Kmq3EAB#I5{uoy!LuJQFrFyci%tlW9W6p#8AAlm>Yi+%tHK~_5O8YzW5fK z9U*o9qr-Pk&D;Zelp0!GGEOdA{P{?~_;b1>A}((LJD{2VUv+sTBlxX_Hojxz^MbTi^Um?kkI_1J!$sRU7lwM4M*2P*O{Uo#~}VGhjQhGp8u-+w>E zKIM|?NfMhU?|e>?OAoG_kwJVS9I>uQX_jkK{)Hx34w-y13r&4*$;^ zFB<}$tM2zgcgh2{-mM-4D>WRFv%GSmd(1LJKk$_X%?I;)Hb=4ga>1`Y6^Wt_DxX&> zI)fIMuu&Noys$CQv%BleV*FOi*x+aPEk)cfbctWHzY-KxtWZ=t4oqL2+i=|gc<`gU z$F*53=%;Y=Na#hX%VMb>gX6%fn##=Owcq(k7ZB>T<{J3^$ZF*fl=m^1+$lzwH4|4D z>kiOiWz0D0IJRoB5lD5pr$H8pSv0VXufm)j?{nfa==IoYNjy>(P(AvD!3Mjn$LO*5|o5Kp5$B^u(p!PZ7bS z{g=!h*ZEMrp9-(qX_I4lzVe|FeZs;CJ?qCVW{#fg=Z79f=w$P=+hL{rm|pX$)Dby3 zviD*wUAwk zxNbhHarrS)x&JmotPd)NbfA!t9llszD%0M4B0-ZZIv|~NDjxL6keh^Sl;`7JptXN^ z;5qc(h0?-n$oVU$;?0@Oy_uPUYrj0pnKRl>P2(O=m+gYhSjkayfs2?4fAeymSg^X& zXy>@`XQA_o!HQlt_OENDjaRd;Fe$Ccn^OaWm~N)8m8SIxI!NJX0RNAsIHnFos>utl z&n|X6iFx7(TK%yBJ9cOc+vR(2qOyo^j>LCVR`kd{RODrS`DsDoDbvJN*<7gzt~8-V~he{WCz{IWEXq0+FsxFthE6vlx?s@p~ny3L0a2yhVkQm2&prwIL5jePvX zJGM=U<#P)jKX_ID!vY?W8b?T(9*4`-I3ukuB~B4k zaC+VFxfK8!P#prX<(BMj6Ty-u6K7f590;!H_HCb)Z`%uH+@)*Bd1L8qqf9SXzIE}7 zW$O6a^PW&E9EXGOVdE~yUeC0QEbh?4?nN7PKJS1B8xN{Vmuo=jPZRH*s##emYhYP| z<@|^f!f0_k1knA+R3d$&8)>86C~qhADS-& zvR-WMV3I|wU}Z2~xBSnA>cggNXRq_H^fz>%_+UxNwjRlKWIkZ{AJ%Zm@L)G1lrTl_ zMc7?{2bYYlEi{iVL<-BMk7(Lt1^@It8_76}o%!A$8d<|gbWXHW?EH+D$XzuID@1Ad 
zQM^=Q#LrgG2;2;NtZt}@-Km=e@Ce5`y-exW5`?CO?`s>n*IfvXp*}DSO+vNj$hvZiu`OJ5wu=$ zv%TE*S6z*)C2%Tc{pm{4s3nON7J*xf-ld7#rO0FHJ26Cg^*cj5UJ2=e3pR)2X;29P zdxV>*iR$DMH8ELjr~8s&R9L7AT~J8EZ6V2gPU~jF(KqmfwMBR=m?x|AI=g{5-2!D{pE*$936j7hahMT@RVqCo-CE-=1-eBGUM^3Iu* zVfo-&UPL4@dDWM9@>aD9{p&dvKF<>YCZ>PUJjs*6Fw|R64ruDl+uh*`6F!^dImOY6z zIZSN<&kf+)DvZV~#w%YAoyTG-4Ep~@l==T487u?E%WY?u`b`<-8o==XVmabDmpiv^ zsntS6DFg)I6FB$zli-ON~WHa+l7T`7)l?}dn?DeDX@Dm=F`1{Bibr|kC7XIbH@dBesOLu zI30o61%n4UZe{JFSu}=YTz1QQY8tPul`*w+ndWc(PtN^(H@T-ZG{nt^0)?*^dbZBB z23wQlV*O9g{ccS+*JF~E;U|cLtLuPj+U*{+ALP8e4AyuSDECkjBO>$U-r+F|2iiA? zX%C6oSTD-5;fVbQDP<9~0a|8n0rgAJ_GCS4fq4>bo>iU{dX0hm2t@Aw@yIERG@o%{ z&OFw|JgexO<#1qsH_IhCH}DVf(0&8wKrz1azB$E$%e(!Dln|#|-2j>eDf{%g* zm9MHXy3&L-?!@MZdB8k_)1=s z7NY^!Tie#;Vf1I;*~`0_Q;ec^&?AUV7%1(s`1j%A;T73+8b&x~^SOg7^TgOctcNl3 z4X}NQe*IgrwUMP~U}WI8<%!Gr`WeQ8-Xr^F-m?8L%=fXRUc#z&F0!2dlrAePYw_*& z0!F+8^j`AvRY_n1MgxX&_fKyCyM-g>^FMTnfs0_*+bYpBL^{ge-^@3p6xxwH0-b0VH{*pQPLjkg8LFVsS{vtH+?>S2Slk1U@ zk$nv6FkE|KL~AV$(vuy8t>Uc_H71Ox)Pf5?Auh%W2-3nyNezQ|F*)W6t<-9G|d zwoG5d|7G9nAhXba0Wjj%|2l%NivIM4=F6*Q-0k_JA)K`lnNPOLCr%>%xgnv$Elk`0e> z3{3oI58XI9K>T+gd;`cO51I|_jL2OjSD6p2!*rT)FNOa?-XOior|r zzu=`Z$nj6S$Wf+UR$K)%UA5Bu%^fh5ZUEeMkL^6z00y5Y7^9ZayniLEU#Ib$qu~aKq1Dud?~Smx!{!?JPR?QZv*MpXe`4_NMn0@}hRD z3D&c?9rp5J^pTgoxF)-z6v(|woSCPWV|B)LT{X3jX-xlr-GT2jzNA4Jf7 zK>F}eej50V2ID<(CwRua?PVhmkY_e8An)E_>tg-x=@}^(d?Pa zDhz`k3F8N1^rSxNu$eSH;iZ*|U+WzKNMpP9r51RiBR48iZgGItcpP#qu!yu0mpmo= zS2E6q0nz&`3^lpFWL?DZ5wGJL%`|Bj@d$_uJvZN}6MS zoI*x{os|%5h*>kpSg&+M+Uq#gArLRb(x}AXT~v!-_1Z&L?fbfk;}9=;LC`C6#_uL3 zA0v$I^<1eZ`jj20^`2Th<`Ir(7iPaN$=`tslzXo{vZ)i}V~ciu@;sN4Eo@jE`->4t z?u+yt?5Aaed_q9JT$BL+?j4BL!GB}#y~CRN)@|XHP=!bbX-a_5iv*A&2%&{gqzOn< zdXo+sKv6>P5JE3f1Ox$*UIghKq$<)o*yt#N6z}@&ea?6GzGt8BKKK54@A)TB$g|2^ zFUg$mJKizI+1JB)Gezk*@g6M;LekZ8wDr-*ZZ?#wpqqusZIt1a^ zNj2JoIm$MVOctCTS`3BIBZ=egi7aT~7ikD1;)Jkt9tDq*k=vAz^%V*3pR<2rQcc%7TPr`|%MyPq#sF*C|@9bJAUKy|JafVtX7IV{kNdsx)GU6jP(dQ0k}yn^dP`uFiX( 
zASRC^nU)!1vcTzmJTrP?eQUd1i}v9|Cc82kTF!9uHaVEMjj8lYshvYwSwRh8Jf^4U zpsE{TPmrmcD0Cl{T;&mBHsuKWNUMW0SXP%Pi;CxTZ>KWaOyf ztDb-mqA~S-3v2)qZ_Zq>`{ngWRVhSLqjLypoSQ?A%uK2j?Z8{bCG}qgY}h91M!@A; z4rgZX5f6gW%aP|p3`g?DpikYs^|Wj2sFXyr7`q@HY`!Fkn9c@BI*k)i zYVCf?R@s9Z;Ri!B<`dEWO@W*RG~uqqPKAg4JpCFk^n8i%mvfJ`4`Sd!n)1(_6rFSv z%}nxRwGLLLMEE73m@vjD2X1G;@r?HiGuoPB7*L+%k6RiQlQo4h(r|XMn7fGC&Ct6q zL$50KNT)UIm&7A#8~s-GCeFUyuC1wop;f~&urE1W&_pF9@qp0i>dcR?cB$&|o5)+k z=-C_Hm4%`M>_uG-J43D-T6rCbrV2Y#fZ~c|Q@HoU95P;sLIqm6$X-~jInv`rpdr5t zm+9~j-kF8)EX8N?=ej}#C@_1qNnH7cr^3<@puk#9O&e9`k^; zTeHSuHTq;N530Ks%%qA*ynh2;`JCOunKz7;vE6yxOk{$##%5=fUk$kJu|`vJ@!+Mk z^3KSrJYkzv7*o0p7Y&v0+6cGULEs=d*RR%ucud1LRztuwUI zC%hM9Z%FlmomO~4GUx*)BZH#b<{&!Usv8MB`joJ}JzwbMKR?eu!*zaqf5p%)uGyYx zrz1pa9yhdzyKZ`%s`XCobv>6F!xim8#9jP=ha{4{1n6yYoXI|kHrgu&8KX3Qd%7H% zBF8jY;X*fWmOtUNXT$YnWPHH12y4P(H!%G~_WQ$lIrj#%nxWB*)WPJ9Zv68?^$>Sx zusxBdH#c&J8(`9n*}(UXwMWN!!V?{y8`z(B6B>5f1^yXc9Z@YHd>{}bhb>QMvFD5=_1a&jg-&$S$~UB#k0?u(`}EVP;JBZ+ zgp+b_(H3OvVKY+pi1+0^3 z@y)wSII$#wyaR2#p3PwVc_=JRmT!lEjQ6#J74Qk@h)%_5I8A-M7GXgkRfPLK#=@xYdFu)=nv2z-*J$}*4ta?x*7*ODe=C>$L?~hg9Mdk?~6FCucq%-DS zHovNTRn2sJz%Fi(30@-n4*Qun=o{)MI}L_p_McdztOP-f3Jn#RWp8>ML_ToQas&r& zOd$uv_`LUXkHUa^d9e2eKg$V7c4gm8qd3D#rN;25J<;{Z%0!%wSAy9Tt--qm!rjM~ z)pI(V_~?|KEkf(3iw1rc50mv7lnMPnqebxa=vn2rX_lYur5nX(yC5y(53n7*5pk$^ zMs`7-`=Hs|_Vj9#jI3qtD>)2>w|smkP%KXa6r|=Jww;mv0qUtt0zvzm_Q2(Y(?>tZ z700bqne{J{8P%=Gc2Gxv{*dm;(go2UV2(^!G2;)gthlG~Z01$qXkp+n{U2b~=|657 zlFBjs2iW5{<~(|@b@7xNylC#lq`HXW=fGnSh<0VKyl@05bbo*j>iP$khhI4^i2ndb znX+K_5@dF?2cBB}`>3DRfb9BQ40tiVKS1sHe;$I$c4peyZ}mSwkmC8vc(cHfzwUc6 zEo*%Sq7h&Kf;n72w0)jXJi7!2L(+Tl!uM}CKI#~v-UJ78Msw-_5(pH)Dqvan58(VS zf)O!yu1W?!4w{s2AI!}3&eb-zt_-kAv)rGZomwbb_$4hwL{|ygDg6Ne z#bG^?Odu{F?Zs&%3Qnq*hjJQkp`Wb12Goyap#JyGTrYNd=05pq+wS^IzPaTDS#pf= zdK%M+@7`wNK{F)9u2Vt2kwJ0nl`rT9ON&ly0Fs1PKhKdbb_xFv80+w)l&Z`YF%C?6xLJf6P$@j6okg!S9ebLvX$+{uNp-X_jj>BbWCG8vRTt`vdHMpRdvTw!6~Yp><|fIS7IoAvExTct`u zqn=diX^-D>&ibQW6h-|w--0SL0OMyS%KJKIw~XCJF*uCBb{A#(W+b{F%&4JYBFtji 
z()QM*tPv6NE2`H&?=m9Jh8e}+)ebxasB&z?XMY%8s7K^F!=-QHe7@{5sd}h z01dFT5_YAF-!%OEJXM=E10uw`zb`VG@0?;U{ITaZe}A7}EPp@ZZb|P<)Bk0XlfcK> zS z)bV@e-r^P(b#0^c`37NArU{t~5{5}~n0$*vgqTjabEiIZ>NI!oH!ZN6Hhh~w^~1na+nZZ#NQj%;I*0*6WGC z93*Z)5zHO;`H6BOjK}N3m4^@l?sR?y0>TfLyRP>0-q4fI>mnbq2o+{5*u-6b6Zx>? z^1{!;XI3>h?VTzHQ##edRt*Z=N#DrLaAxa7)Ro-s$A;FFgC*>5E50l|bBdx9fQ7j5 zcBQyVeO!nukc6b26`x3~#I(5F>|B#zZ%DuF<+k*8>ZUaI z7E{;b7>*NE(Rkr12`S5mcl^f13@ zn$gIY_Cs7x(ypBz(Vgy0hf_ZhsX@m?8@)(W!nrfsL6EIIQi0p%4IXp97Wn=&@OD$i z#JwsVMCQ`3$Y)-ZZ^h^sX9ux6_AsowQGf&hx>>#YYCMR*MvHOBB`42CZqSL_ZuA=; ztjlcI?m%&@Z%5Mj6T3>2!qWJ^tob9u@Zx2!c*r3*IPmPN0g5|Bf1-8{BVWzkK#=b` zZIX>7Aw{!E3;XfkHwEq+HV3rhiCGupPvIoww(I-{7RBNxN)j7eM*jF0>!H5N3{@&P z^1jH2{yMa4j?ctwtOpf(=;%3i_IVlQ-?t(4nuNt64708HAvT>}M9qN%WwlWltaMR} zK!g4wHXJv|2~Pe3z!=fmK53d@mHl+{bc&PZus@wffdftCP(6&Q6Gc5(NPuPo52n9M zNl(XUe=FfX??x{jFveWG1M?d6DC*klf5gw6VKuzZ zVdW!>4i>>)!lmNCeP|PRVzRC|da8Lx<8rc|kf3{4 ztkhS8yO=u3O!S`aLdO}Zj79YetAF1PHyf=jo05K&3JI|Quq*-ei3I!SU2^~NMC&W; z6YVY@N92KL>>|B(f9jg)d>$c73-o9OWWGv8I3op+{gVPbQFP+WGY2}}dY~6!t2E#Q zrQV{Xk&3Lx8R1NM^vcUB#c^x43@7)}NYz$`?8ZpGyYRcQs)u1~w^-4_!zMvt12z~6 z86##Rc7PxH@t-=2{~r~A0doKIPQtIWKY%g=!~uuAkch+W493x zUD>Z;ZqRLN&DWjYqCaTUHCIIQJqzdQHc1;lF&P(|`~F*&^FVfX-9@n+PkAZ7aR$LA4U&<^SDf1SevN0r`Xy2EVtsN*s0|j7zxWso!*~HRlzx|l~Ido%JO~wBvbW$9|My)JbLTS*H3Dx%4ru_9P6-H~XEq z+B)y_!KtpXOp0*XO&fDn^Abr9Cb`058lJZahJ7=92-hR&o)E4O>DI`AAM#{)aayrj ziYZKy?OYt8uEwCVg96a@f$J6r1N-t4vbdQiNz^|DQAcYT` z|AybnJ&C^6Ae5 z-+n1?%%eQYy!tx%#R?G%69=5G4=S!A*4{oO2GhB@ULh@olA!PUZCK)Jn2HpW3)mEW zDMR3qug74HuFKvJs`kN?R8Kt2w}<0$t45)PVTGRIVqqaW-eTI`0TWR1JiD_NK>LDm z^1ctYU#rR&BrhhxQ%q7u6t*S+GG_M-BRKS3aYStfv4?wMdFs9^XD&6nwS0rH|Mj>g zn~vo7&oj{`4LMgh?Tr(slYixxg54iEtT+pm^nctSx10H4y z_XdcW44tf4WZ}T2lXw)%^@xX!MGd0O_9R>p!rhh8T&e-v13+OCUP&ZT$F)@a=3un1qbY>CF-Y|Zir)@PoyrUt?-j-1-*479ifT_d7?XL|wn^_&uy2i0$Pj_m zO^x$!w?j3@#?*$WHA?pQOQ8($CWV5}?1W3Ix!KoYzw#*Vw$g=fVnW?E%+ZE}K}8Gv z8u#s$Rr95y5Z;%R2U&s>@rFj*mXYjzei(E15dv=gM- zPeLbyRX~0-E(_Zwna=U{0K>jc#6-`sf|`r31@3>Dy_b0C;0$;09^x7jtiF;sBq*MX 
zmzeLD`i=4GjLTyxca@x8k8&MAn+%Va$^~s`jwkhc>c?sv(>*f=a zgholaq<#^-uP3o~B?U-`gY(=xR!MQ(Nu6&4!g=|9&BH*GZ-gKV)uKkff^GPyMf|ry zz}eIp``iEh+Y}xq#TMQE1n!dcoH(KEpX*dOE9meiqV={o zgP=GR|NohM_H#qilE=fJM61w6N{F>otC*7-$ng}uSg?BiW!B>_ElD1G+JlccHRXS@ zMjL-TsZCoQf`?4z7Ap?cOn(|Hd|Q+i`?{OhzE^cTF@1j%w(~73&F@=Q_!gMD&gs>m z4`!W=+I?yVgQ~6tbk){-U86dT<)zxP8Y31dH{mK{E3>M$wU+26+UaMbI+Mb{ZDrv> zV`IdX-=xxDuV8!qqs>klwl;GzPxDPur~Ou@21?pP36Dr!F4kx;X=;riRnq;GT8g(IxlQ#+hYca zY=ND(?9XQc_qae*F@Aj85j5Mu^__tRbRhE)l5hepdsCJRVCn-ERXpClHucQ%7#7%n z>%Y(bzcgxeb6>Ej6XjoCZ>m2pDoQy@CDDK^gliHcVwZExbP6-Q+)Q`v(sETpziCw5 zt=S@+CB8PvV2t>^dknd-!3mF%+V3uL?EC@lV4Mzx(r>KDm7`V2=B};i{3II?9v69| z*Lk(soeX~10FO0b@s^7Vw9;oSk7g76QbewWb;6~Mh`yKXFgCV=*`=^>wB(V-ECkrn z>=?Wmh`xb`aIGvV%I7ByU9Tp_liC|>5rJCuniz9w=SQCR3^YV0Fdw-EIcY6C+c)Ab@GFc5b@0QgCn%0+snOlVsoQ|5<)^a-_i<L|DbU3M6v-0}}jFi6NylWc^2sb?5c^PY)5cx8lTG(IZ zp~DV5y3^{Q*NfJ{nuX3yC~*+?;N50(vT6kE6RZNOzR^eZ(@1d9*!oS8=Ov<&bYbL%ASR8+BLF{gFuQ?A*BrQ?}U+s|K4*1FqsCmVA^ z4VL$wWPQwN>b&Qtxw?w>sO25!mPd7WzdTKA;_1K_7HNkuno2POcs3FgykU<&#w*oB zCP{YaBo~>&!Z=35I>V|~ApmP(1S%gWL-FsKSO&6lxd`Y1@_pV;XO z87vSbOZSAtUJ(1+5?J`q8hS#ck@ZKXh}60H8Up&Bg<7r%HXz7!0ARbB7J+EX5tvd9 z849!UEWvPED10EPVqJfPVoyjMdI`nZT*oQ1U%E16Vi(1&gupas+K|&?+5&E8M4%Ii zmiI~_#U;m>Z(?&jLfxYt?nk?vK}z=6pr}}G{)BXB3WsQ)bsqyH!+%+-*}+l)Njel7 z&rPK)ye%iJN(OlmSA?ceCxz2n^#YQ0OBC;4-)0Yf6vQ3&VmdJ~c>gwinEfL;w)c1H zY8nRFJWVQrkPDi~_mjg1WMP{c#A-TABAU6JNuKC9Y|yp48wPioMH-3jcXch<0?I_bPp$klHBa6yD>)Rb81(P(mYq3^%$RaTzbuJ4SK$8PQ?KC587pqg=Q_9ubkDP31R@ z)gtY*m9oZBnD$u)$ieZ|>Ltf)^G%IHHg0%L%S+6n1xC8X#you}a7c+u!m95OxJ?}# z>Lb(=Ij%0c*J`>T7@nB4P25B$Z{CTXLy;HS;%Ok9dk^u>USA#Tvb*FZF7ZY-WNk3W z@j;c^CAdNFGK1W_f}^PtE!T56fZsiTo_0}c1D?xPwz=5~FZkZlLe z&LLON)JR#2tgY5!Q)il?Eous1S@LvcQN)f%0Cceux#?m=d3!$QUk#jt^(Hj96f;k! 
z-F1b@kZFP@TU1|s*yDB6UpGYoW&X>KO`?n59?2ox%!3)wQ6K)e3`+%LQ9q^57Nq!| z6z;M~01`oSZ>~?O%UgftY56Ea)pB9Q&ZdTLdPxtUD?UB?=ae zZW|0jRrZ-C^ZLo#T0IcX$m?Z?))MIT+1sHH_iQAlijWyERi8RTlna zF$T00$#3LjPeHAA9O4b^sP>08w%F`r+ZK{}?J3%sc;eTdx3f?#KZ$~kOLj7}n|xMN z@S(0DAGSIvwy$)sUQcWcwahKhBWc)Uc8W%9vY29{XpnYy7`}`bT?V3@Lz4 z1|W5`!_C>tLoqYVZNaWX-O=EMm2KFp?n39LTaOf;Vj0Fr4p{=#1pg^TwxmutPW?Bw zn=`C<)sk}d_$5O_^I*BVg*XY_(+R1vO1ZlT34m%l&ui)(j92s}sZNoQ)W`DOp|`%y zW;?T@pIi_3O*H+cdl?_&yC);47so%tUs!8w_NaRHG@Ij0$XsHB$jj51IE7JX zBFvrjjwiWQw|^PG9&O^CK{SPq3%6d<%DdXC6I~x6kJwAug$^2ymu{ZtwTg$$ZmOs9 zoFH6brD-sTukPN}itM{~72ny%w1dXM-llr$rjfBvs`vK8m35EoFaz(NDBvDt2l9*f z+-=6LhUpbQF>cV}J%-UV>&cGE%upT#+p5W++>eqA(1S#Ss&P_&pa)>iBVqt-a4w99d@)W?=f)&&e$6$J-`?D{gP9X3H=UqjGbiH9pj+us0r1w%#^J|F2pxh$BUS;)MvO?63$-7K5fnmd_z{%GGHfSbq zt;J0y#B~t5jDy&p>Avh0pDaC#{4BT}mJ+Pq=r&jzJ4nk$HA7+;?*y&!>(Y+WNVSSD z<36z!p3@tewBq(5x8u)P)T|C_!T{6}J(;fgrbQ;*N><{-uCXHGrCXLxSmgEt~b>ouPxfxv@!|#NX&0o6=Xw=5{eJTQYCu7&50lQev zd%FiEaJ$bS_ktq|{!9`=J-b3f`TG01)VxM6e#fdTWOCDn;W2>(&_vwf#L;fP2)Da{ zmzxODe$lKX`>0z4DEtE~N+hH|Id{iC*x*IK^+v2?z(_d@ZGvhThU!%3gjvvDPil|q z?fm8qzJHO<1n#fr8vp$H>mu7|sQCD<$K=lsy&NuQ9&O)$J5Mi`NXg9k)kW_7a&)U~ zRBVP`eNF!!dvAJec%FW1SZvT+M}=+~xJm!|y;nfoX=Fgnk(7r3E?FK&bC(bw%xBFN zT$G_gcPS4x;P&XW&Zp_M*(#asMmkX+x0*mSg!A&ns~MVpvf)7!smV;>$>krZT8gJk?&@TwA}N(+B9r$DS6bED_6 zGG-@lAAgB_pS7!LC_|%nI_%A$S_`9`b>R{QQ&xKy!s^hqfvQYYm$Hg?2tRaYEo>GzIb{nf4{DeJN3muBQUm7>_wCy$lXofS|!>`i*W zjavJusTFg5D_eWdFE8Mcs@M${%>=Pj{5|bg^tbiZqY4(fY;ZK|^5iQ@B7>$9 zLcy0x>_MICT|7LLi(H5RuE_$q%E8|-b~g*v_*&)hB6uIp_TbQ@qp$%s;X^@Sh zi|k#y$foNIz6z#})Ts-}st4}@!MX1ZBCZYhU0#fO2ng2i<6e21>3bbA30H+8PnfBs z-3@$D^e#-Z3zPGGWa%_l#5BXn7a$GE#4&P_9@18a_gdXfv1rD0oaipCaQtTM{O zxXYdb?#rd}CdQ>pmUNljoZke;>^l(G;P!Of-<~+%3obV@#fg&rF?ps`?eb8(hj?{A z$O8^KKIzsB+q+fC-ho8+QoLGt=hF^+h#s=2Qn{MS$l2M&Mh?Zm2m<0MddtH1%>%+@ zxBSh3aG6KngP`|L%H_ZNQ+=#QLGN)7H*g?rm~Jdw3Sm1i>VUfg*X=$&^xqX-TdZGo z$QDY6`S3?iBan|W9CB1aIv|BKlyo%|=ej6WM_UED+3mzGG#&&m4=|@tJTD}PDzbAL 
zkX0iwNklO|Qd%V@I99v%jtoYsDk8YIy5;>LvBlDIsFlGZ4&_xmFI*ptah=%P;LQWJv()ey!=_6i*e+Yr)52@C z7*Y#;zi2Z5H4W{WTlI&Wb$vUZ=;3Ns#E9A~c3OUlwm>1=Y-3e(Ts`lFtV zHX>}z%&N?&eEp16&+b&iaP2As62SLwE6IOKP5vhxu07=_^OxUGyJqGs%6+=JUJmF? z)=E(d+xygp;JOdvTZ~FHzBAXiBuV&$-YeoSo~dnSE>tlk z$P7gox*G;li9L0eY5a(9A}13MVvwK7MiV z2l%4=7ka@LNjIToDf(MITq>0-fyHXo&`bD@3w_&wy_-WD0 zFdIf|!iv7O=$&(Tfd)}wV*lVBwvMO1TD`|)Mhp1+8B#YZqT zW1_6Tng&tXT*+A4I2mzg@0)bIin&+(PeH0-p?j8^bHseHck{Ca*;=o zu?YHiHQG*(R-dk2SZ@{2?OSfTIDdMqkgU<*4?(I^4<|JY&};U~CX`4h=my08V0glE zWEl`Rd@K3%nb6sL%VW%z;^%_ErB`jo3)lYsMAY^QOVNLTzuI>3T^Em~&wpqA0piBD z9A}>HgC8H=**<=ANd4a@{vQQL+~p~D@S9Pv0CoDwY!Tx2G)W{$iV~-i%!ucuZHRudL7ThSK=lZ7x?C`tOwezKK&X?KU7Ndmjz5Cff;25sW(C;wv zZMZ^l;lfn~l7)>rn_yr;RY>9=aLcpOq{B_Tz?2h>-{~6;(khgJzr||{+o@bBE4xYK zKBYFIbxVGuK9F8||I2 zEybXYP1D(eU(Tq_b5V1{6E%xcLB+;#qgs9G-A-k~pEy8`b6s-`&E0v#2AgL#5GjbB zddo#&0?>=P{8|^)*3$N5+996Nq(2n8d=j(XqTpS+@{u<#=J~p$0VC+LEDS3H)6JgW z7Ui!zgC*l=@DrC1U2}uIx@k$9>axa%Ffoe zs2}{3Lu%Tov-#dS8tp`gUwp4_jY`6v{sV7-^nKg!y5B~0xBus^t;>ac+WF>>pGOxh zQ-o8+6|i^xrdfp|(0yrCbgB6J8=uED((<40?5A`_ZNIh>@VaDAWiIem06Q$J6NIRP zujSV6Nzl$iupEs2pP-AF30`r3ZM!sA!SMlkkE*l0kqLjhqQ zbE`uY?oci@GUp$_)1~N*kgdD?(OfOH{=-zK7OkgxRoz&6#B@rh`T^N3%r}6yX5VMQ zR5!rwtSD%lLB1^Ed8dO-ekL`d{_8J+>AcE?5EM-=v&QBLZ5PAqCT=!9MgL5aLlb{> zw;KPYx5;*`;|Fnn0De;6GoFSjox|a1kl$M)MQPeaN4u#0)APFCN#5Y7It?}f2$h?t^2Y<10WuPn6XNkC&NdYF5JWZl?G12c$YKg**{V0w>OatJ10$0m0- zrN2_H_?i_)i;Nto8IHR9><41q77si1U|JBWJrq2-Qyod0jqohviMlMGqi^4J59t6K z!ZSedD3Zt)Ki;5w@H_G$Le$UCc=;DBebaJvKpEwKby z>^ivz)dvy<(}3@{OA+@fDjLZ=B_VDB))H^K7|3^pgL&>CsX=&+>3a$-2SQ<2oTmA# zze7<3Fn{;S-9vKD<-LTBu9rw9vTfwbvrm5Pv5dmS4rkD;&@8_WV7P8S`xCo5YmIz- zNi|dSovf&QLyR&qX>0q+Z~ghAE5g!Vc*;eNeZ$`^Ll5@yJZk!c1__t57MY7qXsb9Q zGXg4?*)`b8s3cI#^%r7oG<7|l=>BoFi~NM0moEM;aa_nu!UX2)YS@H%&$ zfe#_w2lG#xSczCFSlS$e_j|uF>#BIjE%vCWaChJ#+N7O75X}+5HHtL#z(53k(DvBt#f7XNR;GMpy`R z^pmdoW&OHxN8?J`5gk`RmC)x@ZU^P3?XO`u4#;}_=lRTIq^kFCiYskqd9nFB^S$RA zs5drwank8_zTOGC>=@aI4iixTd5dzXh$oXQ2QB!ol=vp^SEBM`>CDQ5&5goHf~hg? 
zS}U^Y7K6gfhD{azkletS5?193l}@CHH1}bVk_B1J&I7A*Lkl_VW>S??W*k{- zyqVWhE5yQ?qL;( z&GMHYP@<&+^;n2l?Gjs`$fE*r!5tgO94C(w{1u#zO8gRgNHAJyc{wpBG#YsH53A2# zexCn@a@EF#m+D0a@%}zHgGvG`*uD^>F)&nBz-Qp_jyL59&KFCxtp4%T1_yX zBK6oN!gqKCau$rEpDwmTZFYk694hM#Yanc+km;y+wbt@lA_cE5UL;jeAr zsdH&qbSxZT@{m;)5}QR`G2e&n-PCZAr{%1c)-R~ot!=WuL`N7OI1FaQik^=YJ1cSm z1zu}W>rf}R^>A|Dw2^tk{{4>29}-x3C+iKSj^TT>;WI=`(-4mf`U2Jy!t70SbWwkz zY4zqhUurY@r$-H)X{;R?naAJ<2=O)9L|#ApQ0;(E9l=HqF$5XvA>NO4mCh`=q5Pns zW@-DCx;6$26Vusw723mM=qe@!(J17`8pXSLgBWRynNn^w>tD_e>L+$vOJ1m#DX@1o z<6qk5zd|Y3(P~?J!g&-C8L+9w2Z-ZQLS}v+*WHFg=*4J-W2?AG;};^bMA-lq4i^%+ zgXpqU2H<-FdlGk#2P;F=jG4-H68WsYJIwqNd>KwdReR;+f}dseCD#V}QYa7fH9P2xsQ-;zp`8L7RLuk(q#bAzHGr z^jWwa!u$;dy?=Z$J1FgS?N^kYEk`=hvmMj%(wQxk_ zfOu&wp~6hDK_s6)>zS`@OY-H@I({uCt7OO*1_^NfeRulv!Gu237Nw41h8lwIoPz(PQ!J7T(c*X>mJSX2)Ay`eOg=+N%6Qv<(Y za!N`{nz@hqv-d||Kix42knp(8*tW<2{IW)dNg&9o!*Oi>CBU|NP@kE75MD)?lIg^$ z?!D)B9~dB&U4?kXUM~DBe*maV4_}OYYWrOO96aTd;#r0oPO+wL_hh>`aQOzPi{aI` zqTbqma`D7@>G-k_NHt70Av%@24~pk!eJ_YW`;P;ACgA_hD|{0sIOVH0@=pXEGJi|~ zfpdG)=eQ$b-FHZ)5~6-l#VN(pZP4zD75Kq%8I+h2&doo4TKesES2TC!UYqWxJIqht z><|3~be|2kY8_N+V9GK`Ze4^C7#Ow^A&ZaVBh^Y9H?>U z#85Jnv&`5$ikCWQCn)nqhUzzOj*zlB5o0gJst96-yCFOu!sC@0A|4rGr=gf{VQ2MS zB;Rhj15IR655E>^`5~4N75(}8zk5gGl4=2l-UVHu2o^L9#qy-$*6XfWktTnJxk!yf zBYTOHc>)ph6p}cDN8=WwKMU~MYc(BS7rnvla7C=J<1vjrfw=%ZTdpOUB=|hP(HM@T zCuy?{m2-C(u#B7`HSk1DiC;%k>XZp?vgFZpcLizn| zeZdSS7SP-E664(`0eLIzuA+I3-%!HNX0KD;WjL)p@ykczW3O&_)P^R?oD@3S`(vvK zBlaU2%Xo4(dHZ4u#(3ichr|r|dgK1?H>?pS=*|x9Fq6wMgn1aAGG;Y~$$@Qz-V1?< zaCM5@mCS|Hb`!0mS}N;x}yxzIU;H#kO+dVx2G5> zNQyIsKio!j0~vpYuiD^5A+}U0Du1r^UFVi`OD4E zi$Sb0+7!PO9|pFx{ieyIl!Qc;pPwrJKGi*Eyy2ni3=)Aayrjax<&*Mkyt@DOFPuDW z|JLJ#{PzA`6XuB2cbB7bB)rSs`TDEcC#Pu>$G(SNE)%Sj z1-sxr!9I!eINb`eBH%L2eQ>MPRN*_#C5xZ4k7G~u08rx9VaOy4?tLNCtFhzN`&1?m z0*{9?G8$e7V{a?dP845!s89=xyHSKeXoyc6^$*sq*5buw)Mg8u->i@%0bTIo&>r+NIS|8w41L=nI@v-)}c zzRub~y!nUyfnVQI6r5^2!6i0Id_;&KoW^cY`;V*qfFC!W%MG&-pZ- z*-sDRGKgb12*tzG2TTuT(DsH_2jZf)0pptew7Ki4i!z8)`2+@j(2UKRyU$A~jZ}w8 
z5&n_^DNHF~KZhs1y=GLE(X;-b(!ZvMO?6{Kg!mN`BJxETT{ABBYKn%Dw=@yz5_SBt zv&30c3w@txxww5u7510GX{x2+9${Tsk>YWx?%VfpDy zDxBeBp)KcL8^}IqQ}_ak=Z1av&O?*fQp2=+S43m%Yd-f~!4qs{273h||Uf;Z$&q+at*#sn(2k6wmS32q@Zr{Momm38pay)`uI>kGz0eO;LrN)z8Lnp4w2d7P-a$W@!`XPy$vr%q- zN1GiZ)4@Ef%?J&@ZCv}Z6~t!myio65Jxc+;*B?9Iicz8(fY1?fq!zJZ_uA{XGJz=Y zDZ8&4vkOJ1=afIM|6Pf2pA!`Dx z&{&Fqyfv%_V7T`)*@27p(49Oo<0X&uBY4K80S*E8A_eX3Rh(4GznTpHmS20xy(ObANs(yNEVZkyr0IT;MHu6}ed`=Z8H7y|do@vDe7I~1Y!a=use@evmN;bLOaq#1ngi?~<< z>#di6fMd!>e}G=+Cjx<>zJw?Ol&@SHxo>&Q5IC&Zu&wyD?E<Ik@@%w9omJ1-S7u07BkkzE6U661bQg5H?{`LS9-v-Mw zhXniUAQ5xf6I8o|%nX5aUTDHe#L;>2xiol|`I`#~_3E@=fqOE62TEHT;DZIJpLLx+ zo4f#l{AH0(e*l((8LiW{V|K+8_>njG)oU-fus&}C7sA`1#D(emA0T#otLS{`jEdt7 z|3ub5a9JM&{{Q(AosJAHb}z`NFEF>VLB26Kx26Yr%mz*do{_x$1FT8@cLe_TBVdqv zA$K~Y1RV@$vcrlH@0Y%r*|bO{+_-O=49O<=F+QN8&Am~lA*6YITWu>#K&?~!U7f~t zf5qBd^uv#XJ}Ljf)rFuK&3YH&we<=9h!>wzMV|!vftoVEq)(ZE&DZ+Gsz>2G4&PLr zE}dY#Q3EFmy1$;?&(TbonY%2ewFLs zHicICL{u`IfSx)h>OPpOSx;?Bv>d-a`7vS@ts2ToC35{{ zq9N^o4J|LQEo>z6%}8Saii5l~gPJIjJIJM_B`#|5@wjbQ6YauIb z#|M^WkAI&A{kD7Z@h{%U&+`X=`5wvoo*SHrHcLFto8DVu3@~Vnxywo#b>y^QM>FJ$ z#Y7=4cmNt`{)y?FY(VK77DdO9K{yD4-S2&Z&h{_RA^ggItnl{Tgz=>D@9Wv!4s>xI zW!5M3@3J?~Km7h}?$Z2y@?8S-OfSvkgSpDbR9bIV)$rB%TwaF+IUI3rOR1Ukox1j3 zNUzVZc>2nhatFrInORZ2%wNkzF1P4rnl)}b{Qb_&Py0#P{~+%z!{XT1ZqdSBgS#~D zO@ah>3&9BlcL?s9&=4TFH0}@}I0V<=(s+O*xLZPSk`RLARMuL1eQU4%?Qfs^?}XMF!<2!snOjzefP@s|dll-q4aceL98^lQ z#ThBXf(O1v^P!BFQBxG`1}Np(1B-f{T2nkL?F!=0oF2}wKS~JFI@X`WzD$K`v+@4jK$Gy;YF zxuh86eJ8k;t85H&*r_igo8h=GYKEIlj;&dSN0Or<_@^LSjCIHw zx6G$}#1gP1SIzn2+K$7d@9HTtbM(%n;u8t+L!e?jY zGiz+f^N2RI(19?a-93Oh>HBAuEHXdVc*n@Y!Lh~Rd);|;DbaGdv)l}v>ePan@)m|h z&t|Xyn-}riU$Lqf1NNwx~W~hlmR%fmRpo4GeWHl8p=si{76XnA|Yf}|K^>Bn{^r^jT1$bWz??U z%K6SvujcdJ`@na729QFpGt@57VwB0d9z{usaL`P_v@%2?wKZF5tgB2^4edE%crJ|_ zGyIsQUY)QroN95y*(}hB&Qq}-P0&R$;Vmw_-MX@ zfw@GNOm8YNbsA!k2mO#FN}}R;LoK6GxIFiCuV7sKdXv||{pJkDm z`0UW6$Zq=tHF`Sdd>1)mWe|{a-BP2D!`8UNIr5F2xh(@mf*5&nR+NJDE%#REZmZ*m#Mq(E6ZXO}KJqyi&u-pvfj7+9O@D{fGW*q8%6e!heHlI&M% z4z+ssXZ> 
z(+a!GRG@)fL(G5V-l5ib#m2_N97go=)wzd97pqfKg_|G793JKDt9m~4Y1glBYMw>R zzYSt`-1y{T8@`jWhDOX?q6+J1)vORqW5QriSSdb08{&A0lFI~#=UdmN6(oi_UIKqzCDUrY12Otn*XAQqL69Ai6X=a+Kc0F1_h|bq)Ctd z!j1jkiZcExO9`s72)w)J?06_VhWBQZBg6{EDLq1H$fn;WYfEQc(_vyI9LD@`^&Kv&INux05nW$~o>snT zv?L*`X3yZ@ydDWER9de@UYFC4+E_yP?jY*$DjrN9P@nX{I8-*(RgUzhtLIT@Tp0~^ zHF(CG$ALuA)h^xf>azl<0>fphF@WoTtx!?YzR2`|mS@X1voL$ykW9^oja>yU9IvF0 zMAW6E$L45`d~geSzriD}8HEzL^~fugr!R`Hd1_}Hk>?kW%Iv<>M$KIn0+YB;W~<-; zJmSOwJWz-bs4!&=m@?%T5+s(t-PXTtU~0h)%tiL>+N?J|VFwpP(f|+=6B?E2LE8>0VR`&^N8TvtSarl(MY%zHMDdDADn&Dn)AS zSP8D+vsDs*QKrLt>_a2PO$|-6rrAXs6`FoQmZ^GIZMwT1rk}xF>JKnd;<^(gesZul z6*XDp)H-``^eTH&D-yAMtLvTvEY+9d^c6t1U{-hfKFBJBiC&CJl|@)Y7P6=O67VZ|gF(Stug#W7b`0lxJ=nYAtGkn(|Kb{;)Y@k1i5{iVZ zY^2_@zKunuJ}O5F7Aw8zpJ3K$Yf{jAU?9(L5%ZLg*AJ#m3sM-XV3Df2UUaa14283(d4K z<7ie!-f*tvMxbEeGQY{8^K*Og-A!8X<#)3ZnS4&Q)}@Jf&FQI~RQto-rb}7QGN_Dr zId^u@-e@xKwrm06LJ-fi*8-Dw;B$y4q|DSJ9WGjZq$sU`cfP1-06+`R-z6e-yKdm% z;F+2cxn>_im6%#Gc`fA=WpMxPU> zM09nYRpKty17}6Jp@3g_Gogw&%%tVJP02z{<U%P* z+MyU#+@T!X0_B8!H%Pk(Ub0BohRAtY+or16>N5;XgD}q8Np++BJg0xzQfy?Geb3-^ zKs>ON8{-x!Fv-++C%GLanynF@^)TDY!MSqffoq;fl|tXtPA2)m%)kdtbQ&3mx+u~5 zD45g7Erg*rUG!_B3AJL_282& z>6T{iR;bZZcScy0K8ud0tD{BuVgVzUD@GassHy-FOVZTsQ=!~V3rt!2Y6(IV;;>Kb zislV+?lf`X!`Y;RojOJAnzU}C2vtpVP`dh9wR_fT#s$)5Kx|lIduL-e?c=DeLzH&C zc>RMTNttF@TqAxkxtx#pWiD14(ypw%85mh)7%{K@&X;I;m`*dF)7?|R+j2k6qI4W`NSRcKMfqt-U}*Up4`bX$XZ#PC{kHWS zNRzpo@rufo;!>(kmU>uFX&RqQUs^Xyv%VK6efjxE@kJbSb0x+Cy~kv4bx`%83#$2{ z!OqR8`Tmd$WJ!4npvkT6{rG^4f5eyTk}x~)l312b*NCqU$B){DvE=~*o6s8j05`kG z9I2bHe~n>|OHjY02_)1gN|TEeQseSUmOl7so`HeM969}(lZOCt#p?2GY6o+`)P0`*V8qr1 z0N;-Ec+OM<6S>(Q@)jdcfVH+0p?r6z4{do+*OGVI_S;K$g>}T^kMCF^X=F1wd3)Kf zB)t#0i!@c*$3w=Vycvjqi}X3iufN(QT2W+W(IsM68|ks;EaD2kQ~-n@e1E!e)*_Uq zGk!L73YnnUw+{8IrPhw>(#4@EcW29N1ebTcWLH!aGu4w<>FzHlUOhIR@P4({dzYp2 zYoetgn_#C08mNDErq259GD1%geKrxh_M}^-HFnTzjvOfrdufH-V=1PNDhbz}o!ZqF zuSvHB;n}9bKutv->UD@U{(0AA`7-axvI%qyD!j1SBx!VD0_#P!mkmi2{VYxU3nKnc 
zEDpE!ivg?R{Zf^PWns8dCUYAQ8q%Yn)w_pUC#Cu$h*!6cgpAdjYS;9@vbn)g|6<9; zRcH5?ZbQ8_37#$O%K1}-TIq2me>?S_nj!+ff-~ZG@@?}T*yL+ zqBT|py6+B6R$0;{rb+e3*iEK#D=2cv)~caqPU4C__`%St8yOy+3ZXtm6mdl)339y$xkYR%i`BAyZ!R*=+R|#px${j?lS? zyn1sgjoHFqe{9IiakIYv=vBb;_?)kwrc{9l9>qn&XOr;4bn0do>gXezRdf&CR40Cf z2*iB?Fh=D^Q)W2B+$P$`+-FC!|6`+tWO=psQL0*iO6{NbVJNw$>Vxl_;y=@F+U6|^ z>|6$Z8*wKV(cx@-qAD0PS@P(ZF0%k%QtHl=cCi@8FIVdQ8m@ONR0|%(&x`LZd1puqH41A?X-^Cn|1L ze#yGQo$5w$>2bFZv}&+Ucfn_3AmiB{9$uw1$Jd4lOU_m7r)gK0COZV;jmaDKcRomJ zWl86(J}(4l%!S%cT4IYM=f)U&k-B5>ya+1cIxQKVID8fXM3i34jf3vv+IKL~uT4WRr8puo@okY5m1vv&LR>z^&8Hn>_qna`(kpasB1 z@U<-{JfsR{;rG@wL5a|(Al6F>N(~Wr1YcgflR7c;1##owl#Tws(FsaHQ>#&Hn$08W zEk= z+;GsP%V>&tXjJ!pxV9QIV0|t(%$K9GNEoh(UqgVpCP!E6!W%tU&VEIHYzJ4fQ*ev5 zvBhQ9*>MgRY~)H1cn%(?{dvQuCD8dUIaPkndDPsV-~o=OomYLi`T!~Ug)_JL^X64{ zD|#p{;5Fliy{|5D_qZ|4?9eFt(*upWrq*|wW+Q#&5gQ>{&^3N-%_~g|=o;>|{3qTU zOC`9nvnD-Mvv#|>EQ^vHHFBF@Ro}){@Pd zA|t$!^zQ&$wUb%Bz{0?9h@G_6Z${ZxZga%-+#iyc>g)*UHtWT;hcTri>l#fhl&GaS zOZ(zfk4E>Wbh_?D9k?78m_c`nB8;MNic)z)pz3Z(_tHkvD){mwqkxh)xuRCE=qW`_v+!36ufNxn>yHyisu*4zG zUK;es?f~4wC;0{j7M^9hx72}4!HtdS_|rG9#LVkuMoGC(lx>yx5*iVo7?X%$ce!t= zp1j=`B2O27xk-)1m~LHftUP_`=v9l0!f^-8j@rxCtC8n~GE%U}t|Mi2_p96f1T@>b zUuYU+S-3GJHua_qN(|bo~OKg9L)hq%Sr)8OW%aEF2z@9{Ls<_`#CeTFI|=7 z!H^2ULhMK9*gOjhLg>cHC{khRwcxwPvF~;*Z_cVVy4ySKE#cMl8h73#uZkP;}maUpDP0`@^-fhupe>3_ZSu*V#M_Rlz^00gTItiztnqp5y zK>^+beQ!Y1^CzzUWollFVcJSKSj7nzPp^!SG~g!@M8n+jxzSac{KzoT@1Qw$9GQrY zo`J4n_IAS5Idhtr%95$&H9Ans2f!S@sI8sg>{Nb=4mKT!gSo7P4SjG_n*v7q5yT%=EV zMAMLy-Bk2!uBrr#%rt4)+_Mpe9`O?zlp}VOqTlH=DE~nsax2K>u3zu#pWkUQgYA7SBX=~RCzw}*?u^61>LASYARhdP$<)?^b9`4rg$eb zsyjeBjO?7nBz`!)^Yc|rSB5Pi^sG!?icDv|M~)Rl?jb#=-kV1!7x|oZ!os26HqpXX z>8iix6Id5(p2Cn~*{EUh;sOc6)PWH67!4LzFNleFN6O_q4(grj1^ zqifg4@1vzYu%Qyg3T2S>=fXxajZic`O38@;!WVrs(MnI8@T(&9mzw3xlAy#g{7j0U z1)mENF`KWOhng(F?m2t0R~|CJvPudFIR46?K~MY*PAT- z=&BNcX(Q|>2n#lla8q8dF2S(CXrC@ z>|-9-Bd`1uWcN3P$lq&?Zi97hBvXsKrofD2{ms({4maJWV?S2@Ke}zvkB{E!g)bK(-~Cu&dT0)-ugG5wT8gKX7JT)-(}tzbn1ao~`8eN; 
From ec9edd52819855361595ed880a8bd559baf4970b Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:00:58 -0700 Subject: [PATCH 23/34] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index e7df3d7fa3..0cf4f9d635 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -73,9 +73,9 @@ An example of a correctly formatted Profile XML configuration for force tunnel w For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. -This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the documentation in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial script. +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
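Review bot: In vpn-office-365-optimization.md, the second changed paragraph drops the link to "Create the ProfileXML configuration files", yet the sentence that remains still says the script can be used to "create a force tunnel VPN connection", while the paragraph directly above says the same script "dynamically adds the required entries to an existing PowerShell script, or XML file". A reader with no existing profile now has no pointer to how the initial one is produced. Either keep the link as a short prerequisite sentence or reword "create" so it matches what the script does. Because the script builds VPN exclusions from a web service response, this paragraph is also the place to tell the reader to review the generated exclusion list before the profile is deployed.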
From a6b741c73680a79bd4d35cd173d96e1bdf615231 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:03:27 -0700 Subject: [PATCH 24/34] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 0cf4f9d635..9f6582bbc0 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -670,5 +670,5 @@ An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/secu >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ +truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
``` From 847fb01f9279b48eff2936ca15ec5b7899ac054f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 16:05:15 -0700 Subject: [PATCH 25/34] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 2456b17225..71e4d63802 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -85,6 +85,8 @@ Application Guard functionality is turned off by default. However, you can quick > [!IMPORTANT] > Make sure your organization's devices are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). +![Profile in Intune](images\MDAG-EndpointMgr-newprofile.jpg) + 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. 2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
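Review bot: In the Intune XML hunk of vpn-office-365-optimization.md, the proxy entry still reads http://webproxy.corp.contsoso.com/proxy.pac on both the removed and the added line, while every other host in the same profile uses contoso.com (corp.contoso.com, edge1.contoso.com). Since this line is being rewritten anyway to drop the stray underscores around the XML, fix the "contsoso" spelling in the same change. An https:// URL would also be a better choice for the sample, because a PAC file fetched over plain HTTP can be altered in transit and this XML is likely to be copied as is.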
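Review bot: In the first hunk of install-wd-app-guard.md, the added image link uses a backslash in its path, images\MDAG-EndpointMgr-newprofile.jpg. A Markdown image target is a URL, so write it as images/MDAG-EndpointMgr-newprofile.jpg so that it resolves wherever the page is rendered. The screenshot is also inserted ahead of step 1, before the reader has opened the portal; placing it under step 2, where the profile is created, and giving it more descriptive alt text than "Profile in Intune" would make it easier to follow.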
@@ -101,3 +103,20 @@ Application Guard functionality is turned off by default. However, you can quick - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**. + - In the **Application Guard** list, choose **Enabled for Edge**. + + - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings. + +5. Choose **OK**, and then choose **OK** again. + +6. Review your settings, and then choose **Create**. + +7. Choose **Assignments**, and then do the following: + + a. On the **Include** tab, in the **Assign to** list, choose an option. + + b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. + + c. Click **Save**. + +After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file From 425de973c4246142b1cb3dfdccd5e268d8bc2072 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:07:28 -0700 Subject: [PATCH 26/34] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 9f6582bbc0..537a6d097d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
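Review bot: The closing sentence added in the second hunk of install-wd-app-guard.md says devices "will have Windows Defender Application Guard enabled", but the category the reader selects a few lines earlier in the same hunk is "Microsoft Defender Application Guard". Use one product name throughout the procedure. The phrase "any devices to which the policy should apply" is also vague; if it means the devices or users chosen on the Include tab in step 7, say so. The bullet "Choose your preferences for Clipboard behavior, External content, and the remaining settings" leaves the isolation-relevant settings without guidance, so a link to the configuration reference would help there. Finally, the hunk leaves the file without a trailing newline; add one.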
@@ -75,7 +75,7 @@ For Office 365, it is therefore necessary to add exclusions for all IP addresses This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below. +An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. From 90b3112ce0963be717604bbd802f163b8b77cd7c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 7 Apr 2020 16:14:07 -0700 Subject: [PATCH 27/34] Recovered first Step 7 and made other fixes There was a "7." in "Install and configure Micro Focus ArcSight FlexConnector" starting the paragraph before the correctly formatted Step 7. I also replaced 'br' tags within that paragraph with paragraph breaks. --- .../configure-arcsight.md | 40 ++++++++++++------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index c714e0a848..70890b48ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md 
@@ -35,6 +35,7 @@ You'll need to install and configure some files and tools to use Micro Focus Arc >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin + Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -59,6 +60,7 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. ## Install and configure Micro Focus ArcSight FlexConnector + The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. @@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ - NOTE: - You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. + > [!NOTE] + > + > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. @@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be -
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. +
+ +7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. -7. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. + If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. + + If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. +8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. -9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. +9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. -10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. +10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. -11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. +11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. -12. 
Verify that the details in the **Add connector Summary** window is correct, then click **Next**. +12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. -13. Select **Install as a service** and click **Next**. +13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. -14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. +14. Select **Install as a service** and click **Next**. -15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. +15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. -16. Finish the installation by selecting **Exit** and **Next**. +16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. + +17. Finish the installation by selecting **Exit** and **Next**. ## Install and configure the Micro Focus ArcSight console + 1. Follow the installation wizard through the following tasks: - Introduction - License Agreement @@ -170,6 +179,7 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof ## Troubleshooting Micro Focus ArcSight connection + **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`. **Symptom:** You get the following error message: 
@@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof `Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token` **Solution:** + 1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?". + 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: `reauthenticate=true`. From e389b8a9faee558354dd082d1c52ae356741f928 Mon Sep 17 00:00:00 2001 From: Kelley Vice Date: Tue, 7 Apr 2020 16:37:57 -0700 Subject: [PATCH 28/34] Update TOC.md --- windows/security/identity-protection/TOC.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 8dc6b27a55..7f7f58c2b8 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -71,4 +71,5 @@ ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) ### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) -### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) \ No newline at end of file +### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) +### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md) From 1e09c9819810b6cb300159ad7ffb90b7df05bc64 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 16:44:30 -0700 Subject: [PATCH 29/34] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 71e4d63802..ba7d091e12 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -83,9 +83,11 @@ Application Guard functionality is turned off by default. However, you can quick ### To install by using Intune > [!IMPORTANT] -> Make sure your organization's devices are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). +> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). -![Profile in Intune](images\MDAG-EndpointMgr-newprofile.jpg) +:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile"::: + +:::image-end::: 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. From c0f05d9ea9ddc5a50ccea23618feb382f5a7369e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 16:45:15 -0700 Subject: [PATCH 30/34] Update install-wd-app-guard.md --- .../windows-defender-application-guard/install-wd-app-guard.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index ba7d091e12..cdf47d7a4a 100644 
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -121,4 +121,5 @@ Application Guard functionality is turned off by default. However, you can quick c. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. + From 052b071cef95f3df4b5180a5e2f42016431a0a76 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 7 Apr 2020 20:13:41 -0700 Subject: [PATCH 31/34] Added missing metadata Required metadata for all topics: https://review.docs.microsoft.com/en-us/office-authoring-guide/metadata-for-max-content-on-dmc?branch=master#required-metadata-for-all-topics --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 537a6d097d..9f786a363d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking +audience: ITPro +ms.topic: article author: kelleyvice-msft ms.localizationpriority: medium ms.date: 04/07/2020 From a0ecd213e488b4e3347692187b0c372df0371926 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Tue, 7 Apr 2020 20:32:27 -0700 Subject: [PATCH 32/34] Acrolinx: changed "tunnelling" to "tunneling" --- .../vpn/vpn-office-365-optimization.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 9f786a363d..ededaad10f 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -17,12 +17,12 @@ ms.author: jajo # Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. 
This allows you to define IP-based exclusions **even when using force tunneling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] -> The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). ## Solution Overview 
@@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: +To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel 
@@ -73,7 +73,7 @@ An example of a correctly formatted Profile XML configuration for force tunnel w ## Solution Deployment -For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling. This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. @@ -462,7 +462,7 @@ An example of a PowerShell script that can be used to create a force tunnel VPN .SYNOPSIS Configures an AlwaysOn IKEv2 VPN Connection using a basic script .DESCRIPTION - Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunnelling + Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling .PARAMETERS Parameters are defined in a ProfileXML object within the script itself .NOTES From 73a2ce8c240b33e148a45875d7e041e61693ac71 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Tue, 7 Apr 2020 20:59:31 -0700 Subject: [PATCH 33/34] Corrected bold to Italic for emphasis and special use Formatting common text elements: https://styleguides.azurewebsites.net/Styleguide/Read?id=2700&topicid=36402 --- .../identity-protection/vpn/vpn-office-365-optimization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index ededaad10f..22d084bda3 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -17,9 +17,9 @@ ms.author: jajo # Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunneling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. 
This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] > The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). 
@@ -75,7 +75,7 @@ An example of a correctly formatted Profile XML configuration for force tunnel w For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling. -This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. +This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. From 49a19c401e1717e953ca63fcdf96cf14fe9a4863 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 8 Apr 2020 08:33:42 -0700 Subject: [PATCH 34/34] pencil edits --- .../test-scenarios-wd-app-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 63d54a2991..a5eebdf2a2 100644 
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -108,7 +108,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** -- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 #### Copy and paste options @@ -171,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. **Applies to:** -- Windows 10 Enterpise edition, version 1803 +- Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 #### Download options @@ -201,7 +201,7 @@ You have the option to change each of these settings to work with your enterpris 4. Assess the visual experience and battery performance. **Applies to:** -- Windows 10 Enterpise edition, version 1809 +- Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 #### File trust options
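Review bot: In PATCH 25/34, hunk `@@ -85,6 +85,8 @@` of install-wd-app-guard.md, the added image link uses a backslash as the path separator (`images\MDAG-EndpointMgr-newprofile.jpg`). Use a forward slash (`images/MDAG-EndpointMgr-newprofile.jpg`) so the relative path resolves on every build host and in the browser. PATCH 29/34 later rewrites this line with a forward slash, so the two commits could be squashed to avoid shipping the broken form in between.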
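Review bot: In PATCH 25/34, hunk `@@ -101,3 +103,20 @@` of install-wd-app-guard.md, the final added paragraph ends the file without a trailing newline (`\ No newline at end of file`), which PATCH 30/34 then has to touch again; end the file with a newline in this commit. In the same hunk, sub-step c says "Click **Save**" while every other added step uses "Choose"; use one verb throughout the procedure.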
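Review bot: In PATCH 27/34, hunk `@@ -114,30 +117,36 @@` of configure-arcsight.md, the renumbered steps are re-added with their existing copy defects, so this is the place to fix them: step 13 "the details ... is correct" should read "are correct", step 15 has a stray space in "left blank . Click", and step 7 uses "Login" as a verb and spells the client both "OAuth2 Client" and "OAuth 2 Client". Step 7 also presents an http and an https `redirect_uri` as interchangeable apart from the certificate prompt; since the lines are being rewritten anyway, state which form the connector setup expects administrators to use.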
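Review bot: In PATCH 29/34, hunk `@@ -83,9 +85,11 @@` of install-wd-app-guard.md, the new `:::image type="complex" ...:::` element has nothing but a blank line between its opening tag and `:::image-end:::`, so the long description that a complex image carries is missing. Either write the description of the Endpoint protection profile screenshot in that body, or switch to `type="content"` and drop the `:::image-end:::` line if the short alt text is sufficient.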
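Review bot: In PATCH 33/34, hunk `@@ -17,9 +17,9 @@` of vpn-office-365-optimization.md, the bold-to-italic conversion leaves two italic delimiters side by side in the same paragraphs: the new spans use asterisks (`*native Windows 10 VPN client*`, `*even when using force tunneling*`) while the neighbouring `_Force Tunneling with Exclusions_` keeps underscores. Pick one delimiter for the file and apply it to the `*optimize*` change in the `@@ -75,7 +75,7 @@` hunk as well.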