From 6841dcbd025614e01bc191c7ad157b2a7bd4d5b3 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Fri, 19 Feb 2021 13:03:43 -0800 Subject: [PATCH 1/9] Adding new page for enrolling certificate for RDP --- .../hello-deployment-rdp-certs.md | 175 ++++++++++++++++++ .../hello-feature-remote-desktop.md | 6 +- .../rdpcert/certificatetemplatetoissue.png | Bin 0 -> 8710 bytes .../images/rdpcert/duplicatetemplate.png | Bin 0 -> 8014 bytes .../images/rdpcert/requestnewcertificate.png | Bin 0 -> 33929 bytes .../hello-for-business/toc.yml | 2 + 6 files changed, 180 insertions(+), 3 deletions(-) create mode 100644 windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md create mode 100644 windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png create mode 100644 windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png create mode 100644 windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md new file mode 100644 index 0000000000..74ee56de46 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -0,0 +1,175 @@ +--- +title: Deploying Certificates to Key Trust Users to Enable RDP +description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +audience: ITPro +author: mapalko +ms.author: mapalko +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 02/18/2021 +ms.reviewer: +--- + +# Deploying Certificates to Key Trust Users to Enable RDP + +**Aplies To** + +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust + +Windows Hello for Business supports using a certificate deployed to the Windows Hello for Business container as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this cert occurs at container creation time. + +This document discusses an approaches for key trust deployments where authentication certificates may be deployed to a user certificate store while protecting the private key with the Trusted Platform Module (TPM) and with the Windows Hello for Business gestures (PIN/biometric). + +Three approaches are documented here: + +1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy +1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrolment Protocol (SCEP) and Intune +1. Working with non-Microsoft enterprise certificate authorities + +## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy + +### Create a Windows Hello for Business certificate template + +1. Sign-in to your issuing certificate authority (CA) +1. 
Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc) +1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list +1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console +1. Right-click the **Smartcard Logon** template and click **Duplicate Template** + + ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png) + +1. On the **Compatibility** tab: + 1. Clear the **Show resulting changes** check box + 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list + 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list +1. On the **General** tab: + 1. Specify a Template display name, such as **WHfB Certificate Authentication** + 1. Set the validity period to the desired value + 1. Take note of the Template name for later which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** +1. On the **Subject Name** tab: + 1. Select the **Build from this Active Directory** information button if it is not already selected + 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected + 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Request Handling** tab: + 1. Select the **Renew with same key** check box + 1. Set the Purpose to **Signature and smartcard logon** + 1. Click **Yes** when prompted to change the certificate purpose + 1. Click **Prompt the user during enrollment** +1. On the **Cryptography** tab: + 1. Set the Provider Category to **Key Storage Provider** + 1. Set the Algorithm name to **RSA** + 1. 
Set the minimum key size to **2048** + 1. Select **Requests must use one of the following providers** + 1. Tick **Microsoft Software Key Storage Provider** + 1. Set the Request hash to **SHA256** +1. On the **Security** tab, add the security group that you want to give **Enrol** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enrol permissions for them +1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates +1. Close the Certificate Templates console +1. Open an elevated command prompt and change to a temporary working directory +1. Execute the following command: + + certutil -dstemplate \ \> \.txt + + Replace \ with the Template name you took note of earlier in step 7. + +1. Open the text file created by the command above + 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** + 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** +1. Save the text file +1. Update the certificate template by executing the following command: + + certutil - dsaddtemplate \.txt + +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** + + ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png) + +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list +1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. 
Right-click the name of the CA again, click **All Tasks**, and then click **Start Service** + +### Requesting a Certificate + +1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority +1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc) +1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** + + ![Request a new certificate](images/rdpcert/requestnewcertificate.png) + +1. On the Certificate Enrolment screen, click **Next** +1. Under Select Certificate Enrolment Policy, ensure **Active Directory Enrolment Policy** is selected and then click **Next** +1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enrol** +1. After a successful certificate request, click Finish on the Certificate Installation Results screen + +## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrolment Protocol (SCEP) via Intune + +Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure). + +Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-trusted-root). 
+ +Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows: + +1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. Navigate to Devices \> Configuration Profiles \> Create profile +1. Enter the following properties + 1. For Platform, select **Windows 10 and later** + 1. For Profile, select **SCEP Certificate** + 1. Click **Create** +1. In **Basics**, enter the following parameters: + 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company + 1. **Description**: Enter a description for the profile. This setting is optional, but recommended + 1. Select **Next** +1. In the **Configuration settings**, complete the following: + 1. For Certificate Type, choose **User** + 1. For Subject name format, set it to **CN={{UserPrincipalName}}** + 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}** + 1. For Certificate validity period, set a value of your choosing + 1. For Key storage provider (KSP), choose **Enrol to Windows Hello for Business, otherwise fail (Windows 10 and later)** + 1. For Key usage, choose **Digital Signature** + 1. For Key size (bits), choose **2048** + 1. For Hash algorithm, choose **SHA-2** + 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate + 1. Under Extended key usage, add the following: + + | Name | Object Identifier | Predefined Values | + |------|-------------------|-------------------| + | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | + | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | + + 1. 
For Renewal threshold (%), set a value of your choosing + 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure + 1. Click **Next** +1. In Assignments, target the devices or users who should receive a certificate and click **Next** +1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** +1. In Review + create, click **Create** + +Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: + +1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) +1. In the left pane of the MMC, expand **Personal** and select **Certificates** +1. In the right hand pane of the MMC, check for the new certificate + +> **Note:** This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies. + +## Using non-Microsoft Enterprise Certificate Authorities + +If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificate-authority-add-scep-overview). + +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you may manually generate CSRs for submission to your PKI. 
+ +## RDP Sign-in with Windows Hello for Business Certificate Authentication + +After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. + +1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed. +1. Attempt an RDP session to a target server. +1. Use the certificate credential protected by your Windows Hello for Business gesture. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 0ebcd33ec5..a2fecf3dbc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,6 +1,6 @@ --- -title: Remote Desktop -description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device. +title: Deploying Certificates to Key Trust Users to Enable RDP +description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/16/2020 +ms.date: 02/18/2021 ms.reviewer: --- 
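Review bot: In the new hello-deployment-rdp-certs.md hunk, the Intune SCEP step sets the User principal name (UPN) subject alternative name to `CN={{UserPrincipalName}}`; a UPN SAN has to carry the bare account UPN, so this should read `{{UserPrincipalName}}` (the `CN=` prefix belongs only to the Subject name format line above it), otherwise the domain controller cannot map the certificate to the user and the smart card logon the page is building toward will fail. The two certutil commands in the same hunk also need attention: `certutil - dsaddtemplate \.txt` has a space between `-` and `dsaddtemplate` and will not parse, and the placeholder between the backslashes in `certutil -dstemplate \ \> \.txt` and in "Replace \ with the Template name" renders as empty, so the template name the reader is supposed to substitute never appears. Add a sentence explaining why the Cryptography tab first ticks **Microsoft Software Key Storage Provider** and the template is then rewritten to `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` with certutil; as written the two steps look contradictory. Minor: "**Aplies To**" should be "Applies To", "This document discusses an approaches" should be "an approach", and the page mixes "Enrol/Enrolment" with "Enroll/Enrollment" while quoting UI strings in bold; the console labels are "Enroll" and "Certificate Enrollment", so the bolded UI references should use that spelling.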
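Review bot: The first hunk in hello-feature-remote-desktop.md replaces that page's own `title: Remote Desktop` and its description with the exact title and description given to the new hello-deployment-rdp-certs.md, so after this patch two pages in the same TOC carry identical metadata and readers (and search) cannot tell the feature overview from the deployment walkthrough. Keep the original title and description on the feature page and, if the intent is to send readers to the new walkthrough, add a link to it in the body instead.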
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png new file mode 100644 index 0000000000000000000000000000000000000000..174cf0a79061357f757549e47450d792559acbb2 GIT binary patch literal 8710 zcmcI~XIN9~wr)Ulp;%B5q$nU05UCAi$15~N6xUZh#*Et4kFlxnEbr34lV z(v%L7E=UnVQL2P?Cu_^v`#I0u`<(kc=l&qfNoKw=zER%y9bX95P*Xf}it!Wzfj9%A zMZxB0{%tjqNON@DC%UMhi@nz$g0XB5GB!6yZ4U6_a~iDhAs%i z*$;<5WG#+wED;E{WKdpK$J2BvbtRT|pt|Kjx9Apf|5=^jiin#wj_=EW0nStTzHSDz zYBA8PbK*^4JO0Hl9tD|9RzXzEc_<|NHJ#oy)?>Armu&ea(bh-{C;cW2#sgUzw)^f9 zwXBYLx=&hPZms&3YgcE|QkrDh&Yq61T~3#{Z_OXxJ7sgOE3QESWKVS-e%9dp#;K0c zjlF|ue}Kk`y`husEA#ZicBbB*d!CrzLm+UO-8M4-%&HnT*_K8RfD?T>PX`pZIc_pn}+F{2&I5HCjN%&!`mG#lo(wymehsZdtP&>nvI=OAC#Mm7(jOV4nE?-;8WD~Moxh6A>i zMid`(rNzU})K@G{eE%#Lw7=ae;+(WL^dP+_=nRtuz^wyyDQ%-dahe#z5MchKGrM)0K=df$*G;&(5>EIuut`}D!1JiUwvzd?rV$X!ao*}=2eU$ z>=9aArd~(E#eSF3AIq zKW)CH*skR~d`9w0JoL?NxT)1y2H(#3bb}1_R36xF4t=^lTWO{@{e3)mevMrqPfwnz zl4h*twPFJPU?DS)HlR(m5aNwjTD3|kG^*-N;4_*QX;DqS)#mEz+WK(x9d>wR1XorT zd-k#ftpMo72Psr^%LYVN;=YHOsi;G~$v*K44<-_;IjZ1+$owIW4#vt&s0R6M?q!Y!}YV zF_X+fRNOa7c5riu(QIjOQBK>aFohcqaZu~tke8^%IXm;V*d(I#HSF2vipU~nC@o3`xm3qaq92N34Fpgi={ z@eXp`i>v3yO+P6^)%6nZm3rr>y|j8UtxK^$hnMfd$IE^5OLvLwI0KK%_Ox%}tLVaS zj8JVfvx9Ct_@;L&Kj!iSg{M6<9w>DQmiGzWpV~$dEGaT?R!a{#?W-9Rp6|qG-zdRrJd|-sJ{96O&8*?~12< ze|*f=kjB~vs2+KZUv8OipWl!R=)ly|U9e;*WiDnmWJ^fw(ckOPP3S@XL{|aXr`K&- zuWdhT&J6whyhD|P`^~Ro55Lua7{T2$yVx1hfBCh-isRceZ%@KFILm$>+)SYFnThS{ zOY~Kq*P0L_t@_SwTpSy;2cz_SQf~+Bjv_c{EU%vg69o!xm zE#Del0T#Q7&WgM07S1|%(Ed{OSs!+0zEzRkf+3bbkXG|CH9(DZNy?4ov%F4KmzGIY zp6jdRn$>K{6h|L)t9U!?kCj`Er>_4f6wQO_41_{}bBo5P31%~8v$`tz+1*ACS6RxR zPpH`&(xh7-wPWOyNx4Q9OgiZ8bJ1>%@_2ewQc#W{gZ*&jERzR?mN%Iu(`KPM{ao{d zOZH|Po5QHS+CZEVlli$E=(KXlo~U&0oWICjr4m8nS@fN?mi6f_hfJjO-ub=F&Ex?z zA^?EP&#|E{p#F-fYI;NMmvDY$)#7NadLD0%NmrMSo%)F>MPKt(^XuUL^&0fo;vAo^ 
z2{yJT5ivk0%2{2p{%Ub$SI%m9!>fj(WH7tpruEv*J{)Bqq^%?MhghX zk>B~(B+jd!Vdzi)h0Qf7?KW)jx)5q~Lgsz|fbBoVtin<4I3XqBvsvH~+c~0KkK9RA zeLb026yL$@N4a)LbR0v2q|?5a=4jd8i_4+LQL!Ub4263#yd5>%og2z&Nn=U51^abv zLIP!Pr=PIb4PFK5m3pczB4Vel-Ri^=hr^z(J~HX)ilbolh53hzrC#A_?VPTqIl-9p zJ#!CBWTg@Kvrz|Ez@+bd`gNFMC@E zY0RbQQPzAEVE7`!AR!Z}YQ0~&KmPiTerwg83<`R#_ZlYVw76)&559x^&d)VqgN9q^(J^M*c*|zl$$wxYehD)t`@BjBC_`q}; zF_@3FaDd~-p&B17T9qjHnD@L@WyE!{Y zuKkJ89NZ3O&`NN0*h!bMg|g!Gf^r2x}!$CVD5qT_W z3Gt%j$nkgI67K%P2gM1rg6sZ8Hq_6%2ceV=rGWUHyL?bHE*-`5ErPX$|E(?84lpB} zP!EkpqqRCVp%JdH8qt8Nkl(XhBeEA_aJ(Bu)2@>0Vy%BMNT(NYk__-3X5uY=>Sk|( z`H5V;VXc~$X@l|u)tc<8b5&|pg)YwNe#Hkyg^4~Lrh89!wg-w`a>PDZP^xXzyg#cF z>+KuVF|{dheR3&GXZztfhfShqdJWx9`apVK;X@IUv-sH8H->05a8yD%#rR?tc zrTkc@dy~s?KVQxA{#a%DpY>jKxp4!uPl`Us7fvzre-6YSTU3Fe|z`WK~3)V}t@T^9g z?7HUr$n_Nqh+HML(I&kJ1jyco%L88Kb8@8FUue=4or85+Z(&GQ3uqs zYZ0EX3byKXSzE~wSzFEucEoEI9!H=cSYU2;P<;sHp&(OSOPu2J?hY91pTTHFsQ& z3M0g)^S!X(?qURgTYbIM_JUF=v4YHd+wrbY1W()YvIDF-;$RKO#l8uaK1ZW7U;j5!m`hEw}sOSv@6;SaDW?i;FfyIx}ufp zS{kEJaQi}!;eM>tYB|+}%paU5|5~`TyQ5hAy4MU|Cni(5YMfhOW|Ss9L=>4nO#4hn zHRsU3l00pLC07Jg>Jc7;y+Sy#nEPK%9EjnL^pEfG@AEIUSn@3lFnhX|n z{POm-6uA7UFHXGnX_v$Lf-cUwuX5oM%$Zhu4;07+!2sY)i8d7V$(cj96SC#jDAr@C zN?S9fVU3nyZ`P}hs>Oe;=<2?O^uL&C4BV;#e7wECe@eRPN?Nx`3f|wPOC5t=uZ;J} z=BlMam=7O5lsk;okN{j7$571zdv4Uph^wiVb8+#&PmWphRWgv#A|LR*vGBftHo<>2 z9E;{7T91T{o-4*HeTqb)Fu#6XPwXha-*Q&MZ};7<5hyy5?4uIJ+~B)%G-AEoWom;5 zENd`|Ia{~TzI-zTZDsI;(3vxK=Xsu3WuB_kF9WrzFw&p~o&utXrA75p+i}dRl_a03SbTbdQ(TsM4?fuVYC_b=pS)8CTo1-h7HTtn*=m%|n0CFfVM|aLL zx3vfJ>I`s_lN-+ArjnL?Bx!eEwJ?onTmoXNiMm+J0k=HWsuRU_S1W>}1?cHmCMMB* zqxCO=52AD5-%k@G?>uo`nEjR6(jCW>W7KGQ0upYr1>1Ylq{8}$)oQ7~n~eUqA@%!+(&0;<5gm7v3p^_A{X_ zAZp})XN?Yh6IZp zM?bZ$1KXfDi+h8Y%ROhK=iAc96vF*T?4+e7(fmV=4L3A7c-2NB5%9lg!uLbJPtvJF zxPk(Kx&WsPbpgCt0}IoXV4gK?nT+@9WcN0g$HHMGVCDGjd=n@X_7Y&&8gO}Jd`9v* z&y99r!XCP|@oGini2mpqtr9-sL2`Lf&W)vyU(3cHV8`O-v~DH4kuLv`o_isU8&zW} zRLdx)o~hQpmOO#fCoUW8PN>;1?aa}p|5WJdT42|wIf%GV1_@i<;TW2jh*s&A2TO~K 
z)$41ZMQ{56)BTZ{)8CXzYin<#p-C>kkeLS^`U7&OBV(pt;K~HJ=Xhs4Y`9!B^?38Q zL>fn;XvhiANyW*wBOrBxqfy#wA*T@i4qc3er}#7X-`zK`= z&%yardx+9%grDDpm!aUg1>n9K$WiYc0~w#tFhM#_ylj7cxH0q$cwH=ky6LcHzBUB` z7nzkQE&So|E=rWRY4Z4244RmnpV77JKM*K2jdp|LdZ+G#`Sh5+V=aT$_t=_3qlu-B z`$V;hr3gCHDr|2a#%E)ZrlTmWiwt~80e6c6s3s5=YxGsrPxmYsrM$n^KtBK|)kbkV zpb&Qt{MiQg8u6l$*!}r%!gGMFZ5XaSi)`Te>AA7yK7|$ixDLz}HqSogso=YDk9_>s z8G7n1PSM{0`7+8E44@Xubg{cL-uqG6-(pNvOjq;q>Qha=6ziMpXhZLnRrMwh7Y}Ui&Z|Jk(=IJkx=i8mB z+`BF6vDIS3qDx2TY+b!jf6D_-*~55C`xRtZ+2y1#{S`E4qKWiC?Be~cofRy}Wk<4X zzH_vgohUX4mM&~4N@4BfT%y?x({y{ot?3O8Ro9DrGnRr1ffC~s?U_rnm5nrh=7t43 zmrGdEB8vTA(*0~my7oZado{MBMx&xqi;+~nFyfM#7(DU}m|oWYn)u?{BaH8jcHfZk zA}(Y&-$^<3eiD@ZIOg(~pm)j`K zy^kcn(7rq6{?h&1=T%0Gj$|%Q0dmf|C>6Di&G281Fe}pH+KFb^0~xAEBIlKhiX#j9 z_mSyuyiAs|uGBibG4aIz>HMyf;f6#X;kCrJ*XYuGx}qHo<9X7~^!gG2a8;}Qm~a|j z=eA&Zp9!i$wzsu*9VRp}llJo+nmgWHEBOs9pPAtf%;(@fo_JoG7G3SLnr}dee{D@{ z(=7kCsjEoaYK=q2FvB&qe^BhK+8b-|E=qm*WkDXlK5mWVLDV6iv0!ne=9*nP@7r9+ z!eFYOs61Np+FdvCgIitkojj_6iwki@AFm2AstM#&8ly{kk0V-;##=x>53-1%1j-G?FDGFOjSb7B%I6oS_cEp_@$`?U6y5d-eE@H-oGPS zP;gHvfg_8Q|Esx4HSXQ}zCz8_Dfjpp-sT^|II~$LvkgAQ58Ctm6)Tx5c58=}vG}jL!Ju_D?R6D#gsld$P{f@=@eA9fJ zy6A1>R9&D!d$D%kpMG3lrAp1T z;7$pfDg(1J4fnmkt27)i8H<&$fyY~VN%utGTMLVY8F= z_x&uNDA02u{=5RW!bfdr*&Q4DPj0zf1Wj%blzDN#3H>`J011AGaelzRg z&_MN@9N|+GcUVmwGU$o_%;+T`lx-Y@K80^w)ru0TzL2`Yr=gtl{1hI2*~0g?rKUV= z7LR;kL~|04jeSf|PHt|n)u$J->3$>|%RTEOyZHdOVmK^MF&yp36R<};aSwrFDc^jvGh8`(lC8Vu7KI7T%9n=C|Y2H+P<8E!9 z^Uo=+SzagfWVd7Z{LH)?P`*hbc64JN6TVotM@N=NV9SsBjxWS#D(xv;R*eYM%nI{y zi8f9=&NG}aMUqn~vmd!dYCPx1TCAxs&~l`43SzT(gw>rKybK`tWZQ%xtTK%md0RED zaTCRd(~n{Pt$9k+q0atm(Py9bWlqiyhDg(&$M)sDwiz^5Q*8+vzM2`_Y*5T9{yX9p znLsMm!qZzPF>8cVc#N^a!O|=QJaOX0)egIpN3q}rE#JfH^S={X|EoD~^;9ZtXkbZt zbr>|7f2fK7e^mvmkiQpq2TSFvRf2@j&e=}MA#u)XI|<|)3Ihb@aX+ey-kA$A-tg%3 zS8;EGTCs6)W>HEPm)6BB3c;Mr6Of9;QDiFsJ4g?*cnZXxJqn~W)Ss*215Z4v&8w8L zBRkq2!mFofnUCGKvjrQ7a=JUS|ADUdYPKCSe+=9P>a zHz`v(_neu-4Pr^avAtURW_Obt1mUr89jYTkx1qR9X;qEDo>%-m*Ff8jM?~D}SJb1p 
zdg^b#RdPrLMB9OXPG@Fu&&C^vgnnkqj-Lp>DL8ftQBtxhX1w;d_)@c;PD<;y>(3AVPs z%VblzH1QN4gDv;EM91!1%WZ0_fy!xVjUl@aCnc?i(ktBtJ7&;z5(2AioesAf?6Viw zogW;GN;z{B8}eYhQ39o z>UH)O85YF~965J@(t3``3Kz(*=gwWorZq_lTDU%#&sqLXqR=?f;8^CDJYTh<-)U}b z!e-rE8gc^jO2?nv^ku?FwjIH=%~{adYuz?(h`%NUIlri0 zVc&#L|LbVy5T$njoLQ{p$pmuI<<|4b?%$&Pjzvkg(`xp;QZq?;oATqDc4c^7<@e3W zEV(DP&xlPd_!B$*RSa8x7Ds@-2xWns_2!&%|CtYBX5)e0(?>;iI63{^_y2$#{~OM^5EDpC@wvUD#cD=oRwh=g=ENJzSL zxd_O<51;RK{r-t}_L^tnnS17(d(JsC&$Ti7x@xz{8OcE)&}|KMWe5mFzzozQZV~}c zuk2bspdj#ps40Rfh93L|8pMtYItn0ARUE~o?F|r!a6w<&NCl6_dwF?TSXkiak3IR7QSS@a(^z_+S&>#I>O_RV1d)1z;z7%42hh+!XHgePL?+(9i%v z?#$zlkVU|NMI;uFpE$zck1j7STi$^#E-vuc9qGX7I{Z;fOG`yCXgV2$Mx!x!{Cw*o zvSzIkN`PLm|>yf;?{QmxaXEbPccNdR8o5!CG4Gm$j*q6CKM2w5l z($eO!I|Bm)1cB38Sy@|KTbrAk{r&w&?Ag)L5fln7E-o%CEG#G}$j!|iA0G!5?R0c> z;IT&->>0A>Pkb*fzPC~uU=svl^_q|dNkYnT@#P3skff6Vs53L9H3?o9k0h8!!%&gpuF35WndF%E(RfIzZ)?Ij5kK)eQCA?>c|2f-i$ zk|2;IKs^$J-`^N4EiDBAoSd9E9PWJ7{`B+|7zAt*5`%3ez97tPEAc!R#v8` zrxz6!<>%*r`SJyixt>k&uM;A;>71#r>B!yXV4wu=^&COu|E-)Bi1zTGH9vxj44J-yjBBfy%SjJ55M{@8Civl5WDf!{UT7#Q z7zJAIT5Th&rv2ox%H8AfBzD?&4xbBChIUd;OH6WbJT}hieh{LGrFh2{vF^oy!+76i zqKffyV|Q`AcZXxGFaF_NNlw@;wsZZPCCp-p^bOUVTJc;Zcl&u>cRDkjpN+KTZsROm zcUy*5hn!T!N*tmL@eLcP}lfX-SEH*o`=Vdab1MYQg={#PL z)k8RVJbDc~nH{o#*e5>`aoJ$dnP@mh!|yHxcdPERxiiZ>zF*Uq=@c})bt7Z5Dxbd1 zBGZyn8W+Of^~gxpWV9cSS&L$BKc zLIybpWD8bBw=Y}Ih9p})AJ24tR+X9h6gvbucKVw;M|D$L;y4ZWesR3P^+YUt*dH9X zr@udYE;X@;C*4N4=LnJa%Ie>Hfee#Z_OadLi*+w{yWAT(|AiP0<`6nnf69F$V|xM5 zGVDuK;K6*13Q+4G9n6lhcT3LR6^}a!vG`o$_scL&BhFVn)-HN->rwVaS*AIc>MZ#D z@8OPI&(eiPG1RN?b)HDQCx7&x^2PC4sq>z#ROuHfXK`C{VZqa$;d~>E-aVF9>QtQJ zN@y+x-X@$a10vzOaP+>)Kce|YfwUdny=Jetk~bT2&_uNeO(`z5>2$cNJpRU6x7s@L zsaBLs$fXG1$R2x&=*FWfBZob&;}h<_!)nG;?(RsY{UxVjE(iV`@%>prv7wKnY8q<4 z<>I_RqXs9)2J`M8YAtWWwfbvA-{-Rh$5DQ6YWnxatdEwum%5%wNGC?@Uv*}VC21sA zWaD|m=Ne;})#(G7JwC20;>Bf@~%p%R>Wgm_ zT+H*pkSa`N=7~%fWSK<6Fn?gjjc4Oq;a& z@ywHpT+5)GmkEnKGfyN&hZhYaPxmrLcT;=GVeC~2_Z!+h)T3Q$UW>#9>(Nd%xss4h 
zhkJ{N-DOC-`P7%);^y9m_PVJ>vAonovnT?tc>3=6oeyM9&NZvHd&S>_0tUY=u+tTA zc5?VK+*lx;Wts^k2_AM)XjTi>(^|emveEZ02%0y&{V(0&E-KJ-`r^f`LpoP0uc!co zgc|HIdo#clBR^W_aj$C{)wuinv;3=z-Aoi5_La7r@YSBJO=r02k0g#~FHq0ZU}mZ{ zQFRGj+DPnu*IMzuH()Avp9{2O&flJz0P|7aXC$f5JFFskj-Yf012q(S)^9+sRBP-2 zL=XxNPJPG^?1cOtE6Gr6CQZGoCEP_r;NKfmNip1Zzy^^*1@2!o1xGpd z?q;0-rf6A2&})vDFo_?(MJ)yHpPicmip2B+-bKnwCWZp^MY?awUqEeba$(lBPyZ zd0aH-mI&iSz<_lA(|4i5q7UAX6`szjCk`A7om^qRh|KEhz1CCJWVXz3kP*|n z>ygax7CapqyV84lZV#W{XoGK&W|Z|7Yt^He83XGth!??8WY#@LO%hVtRu88}WqMGl=-b(7k%?K`d7^!?zxm z0umj|Oq?a+?};Nad?yU(M&BxGX#3xpfeN2~3CEoU zXb_F;<90`KW9~M1Yen|4Ma2j}h80sO+jZY^jaB?Zk~FJpA=S+z8XVnOglJ*W{^|mZ z!UPVw@KG<8S`}zXyB^CoDRas+(94(yfp?}IUKaKj_DgsBGs`vl>=Y>mYPG`!q3>sU z>$jnlv_&X;FOC@VWiQ_yC-LEFR1g--PygoiINI1syQ_sQ!JSw2s3~hNAh}s%Nb027 zh#++E?4phpCMQYibp0l{Thnt}|9Lmo%mmQYc0b)|#3ZIUX?5 zoQfx6ju|NorV_YTptG{BwP~6vHydm?IrE=th8mB}m#r!8JmM|O@(b0FRUXh&Rt*#N zn>AO}&=;W^AM9$UuwN@=5kMc+_gY2wZwnYP?}Yj(e@G%M{q)rmP6y2~ zi{}xIiBdnfSEpr&VO!zo*^o-RZ@9n0=j#@#gaVe#7%`h0NiH|cdzf6Yy! 
zbwi!I16eflJlq6keEm9%qI366H8&cFTnC?P|Fqm&URXsGzp~iOC|QfTUl|tE-)s8% zFv%}Cs7Qv(^XxoB$k@{I9_iXbL2BuD@_b#*P`|OO%AEH_Qhzl|zj0Vc+7+S-xGduJ z*%IJaD>m@yIOd?O8Xy8RPPrk9VW@wNl{NTh?HmHAY7Zrm4zpOy*bOAZjQ`f|>55NW zv6aFE>Ae~4#YYIm2Xmh~CAr;obcv3PXWzX~5bx8g@T(uT)P7h~2Rn-uLbLIJnU@)t zRqxMXb0=4Nwo86Ne<{rd-!%B1$8R^eHd8BGu9x-7EX=;^_6;AW+)4haH`pFF#PjWB zw!}bpD?X<_6UN76N07@VHOl0uz7EBo6+?2*%(YcSUtypqs>uO%zt)OAKa=(YS5n?Z z8XI#++|^}V+o|`gyqC8LAvq>XQmTu${QhyJWSUAfW0Xk>{ieNW139PhEQjHrCeH^Y z_v+!8M-8>BqYq{LA4qwxjnNMlAd1I2psHDl?-EZk!nN+wb5IFN=vkU}^$@~>p5pE_ zyU`l0PAn8Rw5CUyn_=zEd|ezC*##s54XnT#&40V|I<*SK>tiV_HM%gHf~2WK)%2nv zR5Z=8QVgpbY#&w-pJ!z|zSvqNZ_YA&_N)^%X1+x+MckK^1{|r3Z{ogY{_jpl!U;Ya1XlYhBvtS;I?ql z-HL8qDUqR=-L+f}iiq+))!$cz(<=ulREss>=WD$x(f7HBRuugHZi>eR54(k2HC*Vm zN$|Z(Z1>xfVOm>^qd=I;hx#Uze*iYR_LBp$($Ys_mZNI*G<)SIUOJ7G+~uBG)Y{Ms zDZ``=N2!j8hRsVY$Bm`T(LFv+d|M}mCV7a>b;iVsL@CWh<3c3$qVReMt9CJMDfZ5A5 zaiP8ddhc!6v*tF_FOyk08R z+ZN^e)>nXiuo^z)A~MOE>Vqt7t$25frCLF%`YqUA^|`>Cn4lbn^O=F-AVrGceFUd>tm-65H?1$1z%HVm9QyLNRNf5#lp`ZRq^|SSAUF% zUhq|7^31|zVShZz?+gAL;=JRYXp-V2Q>x-gUzLZM;(*xS{UShpOw7Z;Z`Esm9MNSI zY-h@3Wa}`=+rOgI(wbVgn~g{fFxfA4?kv*GGrR*ep&xYYi}BJGq)t>At9u{ehH6d= z>YWNsaYbQT%D}juy191pQLwWEnHe*r|EY6dI{s8^VYA_;cZ^i8Xu>9Ji#F9bfpD?Lg!R&)&yc#3J!>!vR#=GttR6Z^gM zKYN{zMoFL_P!Nxi{5(V_ivvo>p=rO4I#K`DbxBMjQ$L}>8i+qeEw0bj0 zQ7&3wz=U=5QV!TDLhe2OWJx{hp6^5HJpM#>{RFG!9wdRd^4WGG@wuC+qC_mGPL#ph5BUrIwSIaYReXpfsT84$GU#r(XzkCxl_bpPFz zO8;@+h;y+i8Bqw~tns2sDWbz#Pt}f?pQ3W(SaB(H9CcZ>O6u?XM-oLo-VMFM8px(k z^Sfc@nNqlH-v-?0B9daeGCyeLy9+;hZkl$`Q$uG|I?OzsxLveQbmZk&J{R>2_=qNw z?RLEQ^Q6I=zL_)kH#Z^sqX@2g%Ho2Z(uhwfiGDp%gp?SJGLzX@LT^N_DE1i<6ED1$ zYok4i^$p_Iam27(Gn59c1L32|{mIIHBjxz%6bB)b27BLDgST;_`14xWqFs@EgNsu` za_Egn*rL=2ooe0C@)kEf@aZ?~&!Qw^K1={W6 zO3<8nOWndlAJlA@&2jx$~m+BSP}TP?Xp)#g7_~__BE4t>>Pp z96MQ&XdVDStX`)H8?!M051a34CnJo5RcON#3hMIO$Dpb2ljSedT6{|Rch*r*N<%Y(Wl$qTT5X~ z?v{8GRtw?xNKpF^Dsg~nbiYX{Se*GH@b~)}8@kII;pz#7Ee(o`r6alcdZW`q%f8NE z7Mk$wWQaezq0ROu+pa|#fArk&<)Cb!lH}X<(H09&slO#He3lYeDt`i_P6C!fc(+74 
z^;fCMU`KR-LkovelMuf7a+2TmJRu4(6EE9t|OL(0tAE$HgX_p65rE2-r@E}s6uoJ+i%$?*%QM@J6B$Q9DdW#agB4sJe zzT~{cu*i5sIvM9(?+%7=Uqi<5M|Yz%?jU6HnqA6<^?tmE3ehd2hyS;V6w{glMIxK^e^JaZcO3H!vDW$+ccsY4`~qTt8Bmp)fzTb}3hr(o%R&pi}yoaYtLCpmr7(S%m8IY&5iCH!F&*B`9yUU9hNs zCu4ZL&aZRF@rPvCG@nR;S>^I&fjEMiKfJ_*+%5YA%E;Jvr$OLxrsH4$x>5SEdSncl zdQhUm+8nR4>T}H?74)|$vQYI|g(TqYPCFkmYE`IhQ_b?+d-gCwg?R_YpfO+y$@tkh z=?kTBEvPf0=Be}x+t;VJ*N|~e7_2!ip);KK&*hrnc;zxRlSu44C8M27K)F_UF;L$v zI3VqwQkn&X6Ex01*E~8JwxMA?Y8=@qP}ZBQRPL2sI_xr9O2=-rBQ6A+t6p?NdEb0l#1PS5bR6Ogt8QQ=OV*wp3*-37T_cHI zoSjbIu1}?Sl^FqUAEpc?p)RmTbq^Um(d&o0%!LLC?mim~F*MduGRc@(c zlS`=y86Wp_xd5@9N1X$9N5uPBJOFKSb>eI%QrAjE+t9aURCjbx+(7w9FQ10{v;9Yf z0m4iD>U=1NX7u~s>PX{jC6xso3FmbYd)g1{)8;Tl#vju?FZM5^hOtW|Z{cffgdcnu zZQA-wN=MB9(1fV^ID&+}%_Y-Pykp+Awq-0H&QH15l+7fJQ92+^Jh`zit_K}g8`qtzMxBW znQg2x^#{&}Bfa0IViW<~=Pfxt(7UC(OT3Qz8roqg(Kzko8&@n59+SDaft2+sD+5Cy zoD(ZRPxZ_g#OC2$?h2T3-W57s@ z*=T0`8&&rk$i=6EceUYW<6`;pb2c>$mw=&@tzCC@!rnH%tkWM`Mtcn+iY)0{9ZZazSW(C>BJ9i6`l=b7v zJ}O?4T?92tLPRO=@B!BQi6t>jp%d_+a(^_0$FeLYmP<9dGnDriPvl zNL|{7Zy3XaYj?c#>&IK-Up&{2T(aRw4ymU$Zq0C^D5H-$|0>MXWXjjn!A7O8WY|SJ zCR+gZUX94V4zLP>*VO$dhp%~~+)=EyoGp)Efh4(b?Ms%_*zg!mrP5oM$vv*2R{^i( zOvqM}!WG~76*Pz$bLHTl>fibor!5EP@jH`%qo~=Lz7v)*R<$mlhZ1ijaGCp~DRa7( z@C$7Lr6E4-RTRxKg8LHOA;{v+;+EhR+}+*X3GVJJ3&Gu;MK166fB(IA zs&;m#YNj69p6))UPlx>gNTVVVBEi7GpvuZfsKCI$Lf(J-fBy7-{t$=x@csqstRgK2 zQ#DC^_Q}aK}jKI&Afq^ih z{_-*ZaNXXIsqu{3^IPFPl#k(JRyb-UT)uw{(+L)($pZL>mfn0okLk-T-_*)AY#qEY zgCqwU8XIR;SLG}%`4GeC`unN6-2E2H)XRN8yea$$7Wx?rz{a30O?=XK9n>f zD^%%nmD^XjpsM!?tQQ%4hEz>zh*d#>uJXLd}xkEPfJ(s2Y{(co9^Z^3%Gv>a(-hbV`%Kt3A2 z$cBd>o^39sR3Y8mAgEVcNp*RCS8igKaNj6dZkIvkY+-);QjCl}0=oT^^Y|O?Z6@Jr zqV3C*t+_~=q@jbrdbnr*z35z_$%X#O@u5`yVV?cL#wr=p|2LDnq)(&< zu2h^CpOxJ$M^&ZFEm~sLMyBE#~1UxG!%_d7SV_hM)cO(UBuJm97 z-A=-~Sxh=x_r7i4$Tq?jm(@(FdM11xGZe}}!fg=u=hJrT>ZZi`2JEBNt~X)fn>;)s z+bE6)yPaS|v$>*|goYQV(sD7)ceAipRmuS`>PZiy+84^T%FlhJ$Yk~m@&XaIH5zL# zl|EO_xyB|le{Xljxa9)EwJBHss!EEe0uyj};!00#P=93$D;bv7YsHdKOrNZoVwhL& 
zX#?&(gy1klKvt>4<-#qNMnbxSg_8D8uA^0&ZY|R3nCWu2U49GaB!&;S6cx3(Awr#|`&_Yc2J&Wr4+Djj1?F5anHviB z_9Bm|h{QE%GNUBA?Azy?9o8f0V$Gaq;h}p9tpu7tt?LR;POdd!HzZATr7B5k+J#hG zuE)U85JQ^-aRAhCYppiG`?c86sLcl9YuHKyry2%HoQ$p}9zoAO{_8$E0nb=?OoE_} zm0XxRwsbvgn~%QwTB{?9rX~yXM!3XWJ|)8;o3uBC&*=otgX@%H^mJz(QTO$t-H^jP z6E!!CZ?twb$*Bqo-E zS6)UQ^zVSP4R!36Dpjxpk0~6-Sl5@n$B`~@qjNOq*Uvg<6~qX6f3I0nOC8`dBwLGmz>L+;t6&(B z{l+ew8nVRf_y|C$)}DXTzDX8s4%vIsv9cyQ@GP2Mk_UKWD~|*P@0u541+6aLMVXgf zyFmj3?z{SV>!R_m#T@Z^ zui7Yk0$?_oH5rCri9M*dbF3sh2wytkb7MVPv%;QkiOjfMw~&_UB`71Kv@_kKf8xyl zw+RP1)xI%0Zxz>$v}teY?UDtbX|@0K0=tdydbx4NUowKH#%&5$!F*y*P6C$>U5VYf zjSt*(W;P})fH`)fzFu8yC&)cv{AW(P@2Vb2*kr5$*wlcZ)fKiRm?G%Shhxll)$t+Q zhbuCue*fpOOOW-etM}uC18%tYsbjmGBoHZGbHa2boatn}5o2!U+9O3-%IOyk+1ru0 z#_4+4OI2kg*(=?#epUVg=cakRzv0WCrd9=HV!OrWMHcl*^dOC?SR!!8X#X_TjypRO z>{|Ddg9pqznbjekIx6JQ>hvTMaMd=VetpZkvTE_NLCE%gB5~el8C>VNNTol{Eh0mP z%&y^A@Gt`R3N95gSTp&M7o9lR$7&iwOawIRtEythv zp^!5`PEyqUl329}kUD-b)onbVLZ`r$7ImFEL_zcJ{-5}6g$^{Z3+EsZaZ7CuAdW4l zX+b5+H?7Xy&5C_$w%nSEhXH4ZD?9e&ci}|e9N@ei(S~yC?7fe)2qwk@zMM1M z#eK+E*u%)um$a7WXhu8#xpq=1*ya;wl#RA;Rnf(ty626ntFY-FBkalWr#7K$s@hgdOZ#<)SH;^B=(JoyfX`m6Krlw?Vjb(mX$!buCUhR_*MeW0uSN*nP zb#hjPW>sEZT2YbLR26$>&h7TI8HDRPbWW6%t-cJ8Fs`{G^4rcSho{IyQv;K;nRR1Nahb|3*oQ6bqD}+Y zoq~L)z^bFrDx<3VC2%CtGH}PI`=3Lfv%s7tukeTAd9W}NNM5(yaf6(6#~N)qhoI%J z9pFSi^m6nCdx>jiRWG1#l~3!8Z!l3D{OCDP%x)dxTX1WVqnmk)UoT6k)isoPuq>ex zkIA=RAAhMD*%Ggod*bZ0;kgLbS9$d{_;XvBpt0C-!E?n96cQXA$I&hII!o-3dQPfm zpOr!C92j>rtevBY8LuF=N(*svluj(`M(ZS>oscL#rV?uZoiLBdPHOw@YWgi=h}%!R z;rdO~=)$)yUTnG13XT~(v~}JXA&?xMJJIUJ9$rZdQvX)Te6w9S_eU9Qz_#Eygr+o z(}RcJ&$~Q~x{cwx3`uO@@jxnp4mw(eKHo9=K_!l%9+8-&eI1eA!H;!LBi?)C7&Eu) zeQJbNqSeAtCtAa0A70=6B~`8fcr*<5V-e(Xz-En*et@obYMISvw}sQMHrU zTgPdy*$logk#H~$d-s;XBrBI$JXD+1@Zx9Ei0h}LucLV^#%%Tk@cakkKB2X#bfPPY z!IerbOKvQCVWj!FTn53ug`Ay$ubeXchM6-d~-)tyJKn8RLAPyCmhAwPP)7L z=esK-&z7d&lfO`vuW3?O4wINUReJK&KNW8rCMwxAU+gGX^0c#a3ib!wOZeR#sv!)L zY`}1*JTE`L!WjVz&S*|!j1n(T55siA*hR9{rvk>*IehBxQk_z`!ClS@RGE% 
zE!utN8^Vb6s|fZd@9%kY8!?~*Lpqt3-q|2zg8Ca~)anxbO1aj7oy~mSSMq_HL2`_* z>w*ngvJ`0wOqGRYb^hU3?1VaCSs!ozL*(Wk#xNT8`nb;KkwYvpZ-A2(ndVp~T#jXD z3W*i!Tx<5VxHSM1ELu6Mt`I&kAsTb~#B3%_Lg8Wtfw`8Y?rR^mP>*kpY^)1v$fG+t1m#ApF?N&9 z6MWALHk@obA1fH)kS+6hdJqCKAW0FeWoz)=yJC24WXt9&e2$##wFaZ$o?R4lQ~^fB zJv{hG^lkNUW2<&2O}b?c?i#UcTnE)ArH(cX(KRGbsH7BeF}faN^@Lh}pLekv7k6?* zHF>47dVXv7KBt9duGGc_F`(0(gRYHPIQ(82?@k=e?k5+D8v1Vq5z6xOa< z^;4c?+;^llI%ebc!jHj1%+e$DGfUGb8iuNDL`e$UVtQ1lmP>4Df)Sy{FK-6YmMG2& zMNT}$AKysiAC8={T>09zEb1dJO@^E&yXeCrk8e5CZ{1%UhB4>p z<{sAAg9v>pchSqc(-HQG3HTh5(j`ELUdve0P$6CtVQEh%T5EGfAcR|bQm^AzNIBN; zXjK_R;Q`a@Mr>4=&V2vIJxbQP0g<}R0oaYF;bWs zarbF+C{8gViWSY$D-rf3*4HvJTCifp9{QY#F)@Z)uZ736e)eC2KcH3^s0xu}ID&gG zM&_0~?|-$BkrIDF=g+=&8o2L~TNn=@zNVq`Le@fE_g>894N?BgNo>+2(p6_4*|tlk?|bDD{m zmW_z1lo7Rd*z=kE;a0J4K|K7Og_2$qnuk`oY&L*dPI=&|vs}9zsvh+^&)M+9Fm)h2 zRdwYANhgGT;9qWBj;vgFOSFxSIyXN07-E1Qr9n@k12-C}}#yl87&eT|4D(H|S{ z5I~~4RO7gf%e;Z;tD}D}bwo|Q^9iA;%KY>QN9%lD-l0r5TnVvjJV~*9dD}7cc&XZ9 z^qziV%SbEXCPj70|9~xnh3D+I7MgDzVPmJ)=mmOs`B zpRDftYoB(YGU#2SU5e>7t2IFZA=N)Nil{iQxXtaQx-JFAvc>I*4_&cMxJ=lyc)ATA zM!i6RhJoc$qRnGz50F+TgphS`^l8JQC;$b69%H1`*g0c!zWoT(@pMhUDsXly6tsRskJPZB4pJAvZ&VGHs9V)ws`y;Z8RHd@itjSO>74l)hsr zo&~IfE*U0@m^F8LBB(wQT?^j_%@Cl17M^tDlaBNPi<`3MH?Hf-wQOubb~1O4K@b73jkGFM#_h1p1Y~8UE#UmE{l#u}c}>CD zgwmz4aXx{{#8MEp`L8*$)J!rlzQ{&+Fd6NHAiBP-Eul3o%g{<+BFt;yE?ArXc9|6h!mY9#0RyH|BZE1UxqJ>89+*N0+0TQHb(O2r+ zX7@T#@!KBfPmh)?mc>OC9jI_W%?t!#{gzsO?F&M)GZGgd&@?K%=sP&ydO3#tr~|C$LpATPs@T06|K{I?rTuinl2f`1@)+py$# zy8M;9T5IeoG2KA~Lq;F^eFrS9GEFj>)%}-%OklCPVe8@%0p+HNzh0WS{;(uhIU{MB zVQ8hvPDq2O@{;fVmj+eM3H8&JWs`2D$;+hAnj%wCb9*K@gk+_|1tAQ6gUq|gaIXK4 zJdG@E2~Wju|9_O;&zr2IJ7}Cp^Nyw=IOWa!4!zst$C{Pf^S7T9de#d(1>7C>Sal_Q z7j0L2E`R-4%_evd|BrRbOBTCVq}s8)z)NdM_X{%{W8=}BvEIq zo^PikgpPV|O%8vpQ#Pc1L5v&4YUe-Fp}9DlxUCc}3lWYpY>Oa{mOPC%34sy8OAdFE zp5d#|Ev%(%vy6O~qHCJNk?rhUfNXUMr7S5FxsK6hhpTkjhwSDo2Q1#-=xkH7IxsP9 z9`etd$cjq4zlVgv1;>oAe4kLo*x6+H|7T@|S4B7!K{C@~;J!G6RY zJL4AmB`Ts*)Y2c1s}^cG$*1J8>cXto9k~JIxe|9%jq&|cFv=`clO3?+wY`5;C3gQZ 
z(_U?$@gIvDzm5ii2gT8^4$HKVe{W0N(h>;YMpudZCt>g)JZo1~#03snAC%E4!)(PR zoH&%$ERg|y6PW$ef7OI1#v@xHZyg+oYjl~qdhz1pYe%yXA&B%BEoxEypiAUG-uQik zN}J&z?yy5UvpN_vZPU7^$V~e|EZ?D2o=1~0WI(0aTbu%j7GScI3tLEsp(AR|%X;Lq z8%=HAi`R7GU&WI7OWw-3^xB}0gUOiMi}Fv-zo2}Xv!A1l;~Z~Vl^i_C=(Y@oZ|OlB zWdE1rW5@+VAc|5_pB^8d2z(8S%yV_6wO84mh~RC?(M5yGA3y=0$Us~)BWTTEHCuSk za=s$DQj2)AT;7w&(ptZef>b3s7yRbS%>U*r8%4W}AzP zi(VTj%z1y3F5sbCVM@H2_wlpOt$EHY@~HmJze>!1m3M(seirHy>b!2;3j}OI=+6T!x&>D?ew3hrAR8=XsT@t)8AyOyTrAwk&a{S>=c;t*PeQvAXqT*Bz3v9<;fy`a)2-UIWnIO5jH z&m-ewci`E;To=ll9sH8oL09ts{R1`sBl<(e#}y{CgvK7P_YINOd!`lXOY>Q0Lb_Jt z;hN5V9DO@M0m5|ww^U!5mJ$VBeDWH9o!M>4`F?JLjeNC&-FJSX!`eqi>mDny-*@0H zPk!jdyaTt?xQ_|n>7!5?z_8GM#aX(JzU22!ngD1bG9PdC4!|thto>Q&;aHnoq+>+` zj2K79bBuA5{49qmp6!HLWVQeDOM zUv+~;wfY6XBOs8DjK@ry_);gSY z0LcLkn8*OR4Y`#zOB)Drn7@YE9wOZsC55j zkkyLSsF1EM;oja}Uf*Y4SXfw2Zf?RR!3BX*HgZ>LL(9PPbkmzFrwBj>mPT=!mRY zqbI(z-I1TOCFb`?h!)BGWp9c_MPYx2pmDkR5R{=ymtL#8!9~da9isy|6zS>8eUc6a|ziv@*69R#n_U za80X>x|<&?>fwJnf3yf{?|0JNgXK&$*1dy0+BQIgctyj5-d>ax^qMknqq-g>)njH5 zy(-PFj-$IUV$TSRv>AbMrF_m!Bt6&tMuXup4|a5NTuy2lUv;@{_pUFC80!R-WGn^J zlbMWyu1RJE$R)qC7Z+ykI`7r5v;1yHXXbbU@9Iq+Q)iwyg@yV}`({O&;j(HzT>}6|_FkmfknT;@1S;=rRm< zb_Z`sThqD!lpM_Dn%@)2#JktNRo2&_@HOO1(BKy2u-#5C&0Z`bEIUriLSfR*BI<$F zC9(@DnweFRR`jXoXDp>x7YQ&p&a4Wou#ut4jE@)hdyDX^n)=>ck`&2m&M7$wLY#Ij z0#ARf7^%UDSqNyN)aO;Kz)Ko)Vbe7<==8ov%J0gUYOOH1YQI6vFcqg>`f&VUH^^TF zY`{=nR`_9tnk$)^(diI4Q}5Z4|G;LcttVh#Y~wYD_>{)rgcvTDBTrrS9!|*$-@S2Hmw{y`BazC8#XZmy zPJh!K7IO2$yg?F;BCoNK!#4ZZi7%}F2lpVVK&r^XUE$kW%(iv|6n%`+^){badtuIP z38&)OY1t|z+rXGW_whe}ShZUMCJ;Kc+Z=hAVM{YQL6PT0wmVh7>;Tqe(n`=eZ!m0= z057Z2mcq%0x-c0<)1#I!g)D}s#`}KIlS1U8`DZKet9=z9ttCQ41c6l z1yD6^HrSJ7qw|<;zlx7%^Tiwb@WY9~Ldx-?t`^KAKGUk?LWPeMbHHjC;`(=AEiUkK z3+lUqd<$)IS@hhrPRMolvONd+MAJvY`0QmwtJ_Xw7^wlqeOZ(RJGjaQ1`6KZD2OWo zLo&XtvvB&U9qt@k*5xJnond?2FDG{kBRnabM(>o)$eF+@QKGH=lS?ErZ|F!kNvP9* zwPoJ|14R85B_1ZG)5O1tgeZ`fUiv)yGjeDTVcofQtc!W&);PFaw!1Yvfrvq-r7duI zEF!d{=2xh*vxmcc;Fz?=7u~f2&=LU(Warao`H8`v7ecqIc3A>WLiI8jogdyv?f3jO 
zrgOfF0{S}|W;CLRbi7%f3R*$Jy{IU@{W{0`j9}x4{RJ&x9Q?{D4KH;-rx&qShlhwj z)cTIHELketmFT4FSmhCorXZ>pybF-&_fhWgbSQq6Uc021S38WofE&DnJ;djx z*M~@svJ~J}*u5D2YK&kc{UnceRQb%rC?eUTYIn}uK=X3vRF^*`qFCJg;a;&mrG7n~ zx$oSf<_X$ZAho{vFAH+w=t!mDjR1wZ1g>{W{_7jc;M)m`K9}WYCL9xazN2hfCZjIS zOG<#cx#MR^N;?w(h!`J={a#6|@7v-vRh34!p=;=JbJ^Y15jPJ+y!JDyD|$W02mq z@{eDk6wJ=hbq_fE>|M_s5zVS6$73UM$KAAZ$+lU{euBF0N}H0~HSU!q*PQH1Z$E~O zDS9Y!$tXto&Nq~Rd*wx<+1P1PEfyn&XrEc7B?n=Tj`8@DYiI#_jbQRuCIXM*;oB`@ zg1qlBiMrnnl=)gEf#JyEW3&vaLi6tqQC`Z7nu>}lA!+o!e8m*0+hSv@mpJ??j+Q~L zu;RP793I*e@k2ZL%)f6}^~SWriew3ZugVx-zX5T6Xe$d__@suq?>e!`vKi@hd#8@^ z*nP>2`?{F;1q*{7=`)64i%0z5bhlO)DD_gcA)fLRQ(V213<~;JM*6VcXB5&xMRYRFd`rM29`qL|Jx z>g#qE=?MRQAiWNMXvcOR=QUqTE7_p$n~oXFhLn}4FhZqS&Cgq5LC6}f_bn-5Bfm~! z8I7mFG|n%TpR_%XACgS4MeGSCMyGmMU$P8g)@X3S*fD79`;RXOcLW`0ILCetkCH>7 zyMc9R^kZ^|*s&^Jy2n_}O=YA ztPkSA0ttdgJ561`ZEb^Xm9D2}=w|VtH#Y}!$wL;6kWu@mtCe{C>N@q;sBYt8H5Rwg zpgXZ7MWPiUd@-2l`r~UJ_G68mwY6&HQzyvYo(%6fn$5Pda+aLo=-Ic38B)|Sw~#2sc6)8e z=6FY;QK>glR~V7X<;I35rZV!UeQMTYPa&;4LB5C1Pn5yt-Jy9r$>xF?eDxah@bw^< zOUHz$35#yD>H!}xROIEy1nLDhB1m(})VoW)pzk4#WWXYfi~kZD#akb88PSx}F=0Dq z5_TvM^j}?Bsr+3lDE1l|+P>rg2W^9q|E>bzU_Fa;e zT`rqef9cXKU%0w>B{>m_o~7O(xoyDmJj4eulkO}ugxhPNgv=gKA0OWLEiy}W=LHB>S@1D*rrvA-Em8@BKs3cAQLs|~Hp zWcUTtjUy0udm=|itnUP!=JMTR`UtTc30}U+1XUdw`tRQJeEs@+IP^38-~VdOW4DVr z;C$OcdPsI&sBHo@Nde=iD$-C2{gJqI z(=ih!5fNVsEQ(W`%xaT5bvD^@v0kMepTKvTP7Dx2x%+n;aPLLZ+&ngu#&7A@(?sLj z)9PE1Ei3*ESt(UsPanH}!#*tct^J?5%^fFBCyF!`6np~$AUwaTtLmeU#!cYr@N%AF zd~J021Puasgc@mRLtS!M2V<{Hc}7*&N@QG$$w!lJq|pxAcA$Ct^BRAkRa^>Lf~m1& zFR^dWr!g2 zIvQb8`2=v&wuPPf@n>fSo_gxBEQ=p!_Dy7Tq?Uo+PYO(&I z+v;4oNOA_8O7TL+&u+51K&#@}CAFfBuP{)~Xyf#vfYmf7N566ltjA;@wT*9Yo+3g+ z5zXaE8viNal&UqwG^0AbAFqIbY~dHFe+#bj%Bik_S#2CY4hyq8y2PU784!Z*e+|Y5 zUs?>92fUu|+0Yn&aGP70v5^7BJb7AL+o@bR4_H#oX`bXYRQ*ok7RL)BD}O@Sn@H<@ zT(;^9Us6@?b=ga;q;5aeKG+M%Hs37pNJ!E|MLZb&jZRpO)Z);Kn*PCc8BFr;FD&1h z;n!U%$A@fTB?I+(_Q{KX+Xg4D4G@TF5PXg0gxzeJZh|OomJJ?84PZ&qMVTHi>aosm 
z!`FsH&>cTsvOO}=@Iw^4r!D3WdmB6DGec#-w^wr(6|FhBW?Dv5DLvp`q-+KFRMFV% zqxqCx&i5U0G>gl;8w1nSXtO>(1H#I;MBV=+dLo_wWl^@|A|i&Vv*+Wf9HyqGw8sWi zh>$u{vNr3FKgJ-r{fKgzLGa#*O0A4~-WOrk+m&JQ)2H6BAOyOd0Vc$X;UP+=yFB>v*{FpMOq8?{2*|Wap73sV_bye@nor=RYHD+ zIi{eAN^s!na<7W%77&~LLZrG^Z9F&VqNS~U&H6Q@x8tYY8d|LOdZ0#>%6y?R#dp5Z zSOEAIi6bMJ4b~z$lQ1qf6xl9ymq}AmopxtX+*t< z`oyV)#H#+*CR4tuwh&|V@fYP5V(n7Zmg45>29p#pz zD&U(62d*wzQ9)kXctSgGD=9_03XG0ywYXk@Ot)^-MZr|Eu*#xgbY!SNTiapDXz%Sm zVbU?@n}eH2Jorxpx#*MWP8~(anY0$e&};snV8gioeQ6tsRB&){=`pG^Y-zc;)Kfoi z0*|b!3%^}{fh**h|Bz)*5!_MxN1cZAb69sLY6Tx!_+@kz0gip~uDu#ds~eCO65{%qAZG-UK66ccct z$geSfQq|oczgm`2R3x#5TizvzPT_X?xENA3Lq55(y8K;Hor!7d{0Fpw~d>BV3(F6li~Ra8N6TW*lL{0L*@4WNK|f z%?|O^)%69qIquS#d%MmVC&I0bD5FA4 z0`K@d_R6lgTleoZqczig9C%jNY#Nv}p*LFf0@k*%>vgA8eTK`Q2Hj6DsPyqIWh$^` z4cm+jFzWn_ik)GPE7QR~7^Q8|T$-c<4=Cs~q_;5>d`J2jam((MG*etuANAK6FrI2P zI&Z0((hg+dqY(Sk?iY+>%~RtzqGvW~Fp#!8_Zaf_a_`MGld-)-7Vq#zajdxi}w zJ#_ngz40bQ=EL`U+f7W?*MXE_OvseSbr!NPoEZ_7GL`i=fo@K#bKp>(y`Wzn^p-&?ac-#W_1SoDmAZj0k!?8;VJaT?&gUM^E#ms+-F;aaU1 zc!-T<#ti4GSJGdgA zHd{d=`<~7OlTK-5t(2^F#;#ydJt6$v_N0j?*lw}2PeH#WfUu9_>thj5(b)Z*4ZcT} zmPFQ^luq0_{r5TTF-uJ%>JtTg=Lcs%>{#jUN*(_>^lNSuC_DXcqeCNx^B!4ciH3F>&k zD<$e9a0zP{`C?3Jxh4E<pUq~}DO{&PLJ#zFM~jkKIGloo zC-sFv;b9B>SfJKSH=T%D*I=7?qH8gZdk@q0^n}1=XC+-ehvCvkw5{#jijyRzu8qch zyjMHflMOXLd6+Wv`IR{(2|MBqYveZ=Ne~6yWlhsbLlijgeX!q)*I5$vv7_Y}j4~@9 zqauX=LNP^R+A!>A77-N)4#DSe#2l&?qF~|*s)=z>nN#_U<|*SXhC*|)$lqGb$6SVziW+;ikBF28OmdUE_Lsm*KdaMR6}XZwpNTu5H5c%hQp~0n8ilCnEm$) z>~6h~;;NK3OOGyA=k0Bd7YG@-iJu_nIN)*?qC^26_majJvSUvD^Yoc>c`BGiIJ5E> zFehhPC2{iE(WLe=x}cjcz;e*!T`5y&gY3}QJMZ*?O3`T#hsk#0PlHR7gUvmhSykP_ zR1L-ZJB8Nu*fJ1k??+Q*jhfC=)weqMXYEMiT{+DLd@!C( z=lrI3ZM^jvR)x>K>4(t{j#=6`MNtk4dihEPpL^`@Ey=+EtnrMx2ie;?Z^SlvUpYcHe*3;@ug*IS5rAisU^|1S|E^*Ud+4_7wcfVTAidDMT4v~~@9Y$s zPd0P9iJ?qisv4a2#?D3|lXS=mp7j4wl&Y{J*YPZ3-)Gs#mK~KkDaymrAqdg36aGE3 zm(I6uJ`^}Icp?mvljyn~6*z9fYg&E<>imCcjLySsp}by;!|%L2ioR9N^7_W46IL4j zt5f(NwiZed2AKBfC=l!h2-a}Z71p@(9`OtK2T5aU3Xy;zA_N-3!|Ija2?rSm8z|`1 
z{L%55pj%B-NCFT|1hz)hiX8k^nY(;`3|QF#S%r1&P83z@)-=}-_Ky1>Z$3_|4w)fe z#$+1zG{$^OlZ#tne>X4rMH3VAp*9zyR@_)=pc!p_ab%zI9~^`ew_5K(iLO_>nfsh_ z`%b|I3VrQPK_!o3hIYx@{JEop!jKdOQl%Usmb}hVlO)6gZib-v=g{);bdKnQXR#AJ zrM^{xAE}m7^t+Q73e;M{zpGA~!Qjfx@CY0%Guwie#*o)8JI9wgj5yx1W|ELyEPOLg ztar_OMkdL+$74AWPe0k49{}C`8ta`(_-EK=T7~zT$n;`3+!!oE!b3t1iuy`V!653tek9cs$ zWzudc*r&Mn@5n=DX9Ce2kB52fPmbdA+ki;RB+}T5LTYCu0-~gxfd9H3$?6&Dt|}m% zMg+K2(R2Tj{PTaKBNYfJGM15%!2?&NCM}QS*z6kTxTmap$u(c=Bfhk0T<;Qq8yN51r1mFqIxKil6{95Uj~ZzRSY!5q~s`K*)H|2)`LgJ z2l`EuXV=t}49t)oC4p;#MiG}=5G2rUMy+}&I=;XW(b@-!nWKh4LkAq?CvO#;1G5^3 zD+#m=H1#u=`Nx3B7c1D*iOe~a1z8Jzy=+%yTn8k!KE>z-o6 zOI}TE%&PzbmdQ;|DxJRtnSc8h@uzg;B3rtO_C8(B#>-BPeidK|m@V@xi`Y&Pu=)m# zhR`qz#yJ0u{@jZ9_c1-X-|ZM_-%c>ERq;CF`2N2Rm9lJuYDmnH;zH$dK^=KqTx3Xs z8N6~D6Qghh2bpThYs~XJbccF_ieZ!c(2+;>PZz+rALyh?#_-cUdjZS?3jTdEd#gh1 zm%cETgqfwwLZQm{LsFnkm;{k0nr#a7K^v}(&JDooH%L7zS-^m-1JBm1)#*)j3AAm{ zG^?{+QIJw3oO;GdsxWNNfWK~{ePA_Wl#%ny4KS%K?izYG#o?b{ZF5R$ZpfckV z$u+(!#^bo!;a<}chF(+v4d;imbmfOnf_a^_#P>|{DZG=P>sRVixXt;N0=8SdZSdwK zOl^h7BGr%G;*_;UVj&SJz{co+MfucbUy&#s)clMR z8Tl!bJs!xj`--ljWtH^g6cnK~HMC_%gtw6JaOV*^#@r6xY`sVAxN64cro)gzZ%>wW zzyA~TlaV0JIk_M8Emu-xg*mgyn3Y8w0yRW}YfmDqAE1vWI;haQo10lmgy=8RvxJ}0 z@iW$cB?hZs=@*Bl0JHxAVBK2{ib_?3gHLAAyT0Bh?sGlA?7064wHm0^aU|sveVX$= z)D;^O9=zg5*nfMx0e)mg{&)o`XFn;7Gw-_{-lRgv%vUTZB(@&Dp6dwn+2M-d-2F>> zMVv`NnA`|ohhG1x+ASD!|9>H&e9)Qh^pAils|At4cMhub>9A1jp6UNkT>lFiA>z&5 z>Fax(N9>b7;$7ob8&v0upsMknaZe}mH!caonK#g`;&-LM)Bo#vy{1pk^Xp4fo&%jt zrL(`$>|w9;!q@uF_w)TocaLeBMM&6}`sc;;xj4diC+NJG4Vp2#f9;cmq`%Pp@qcqC z-2gi`O^(D;--JOe)xNU^PmIJ|1#d$%i&!9;hUKto=l& zq?&Xhb+cR8uiy0TbWzUfyprO4o$&JB3Mp^xaONE_duTZQco{FSAQkfL&ksTOz{eEz z*p9gONuF&`kB>_N$S3=b7iD9$&HnlGr%e6rJy++XjZZE4F9ke3cxTD^eEWWdddn1@ihp)urAEi-GT`ydW4urnE6$3CL-jP5bf!hG;j#sh z6jPq$Y~;49-`c9G`8v1JO~g;?Vw!iU|A)gWf9J50ysPzEdrMV|WdHzQ+lx`z6Nb5{ zX;qrMH8~|(tm(=x)0Nm&PI!nBpIa^if7LuB;EpM3NAxj5y5|1=-p}?z?jVT@I;~InSBIHgck7#&n7I+G z;UirVR32^CkddZw$!~E`7mFqr`T>h{-b~2s@7UsK;mFpJwDqw`=YOOZjV 
z$q`|OZ(({as=JTy^^oihZ-Y?V;SP{c=jY-28Ol=uyu2!0&gux1`di0H^;xOAp4bgC zw&>&gjVj1-exGsa1EALBMGn`#Y0t6E_seVEjx;g9E0Q6et}6+4P;4M;R7+-|6b)cS zS#f&6Bq1@04*kDo&yY4M8{no+RJDPQ&Qs*v++5;D2cv|BhDOvR%DHe)s6(8^`^pe~C^EjQV-6|0Fcs#@t=-8v0$* zXn-@xDZ4YCo*i(RQwDuC{m$0WelFx`^Je(SJWup_KZKxb**0cgH|NW^JNUD_-QHJ# zw+9;k>hjuZ_tM4>>@*$>w;hk1zhl3O<+|)KH_9*+!SNk?JQebTm%sKzX1HS|B~{{- zLsYn5Z0v14%+D;W3+p=-8;_P;HO&!R8oA^)b#T{q7{X!Ev9}CvUN!&gH$Gbmu8Oo1 z7Z>My*Oe?)>8tw2u&8S4GD+5ES&X60Fpz`et)<c7X$JJ3Q z)p#09HC|S$EYETp$~5SL##U2%)W_eOv0p7;bfyzcrrv9Oj(g(-aBy%5Ry5kD&+H?z zC)fFUGuZ9=6xh7vj9>5duUAyDddHQEvciP&?bWeutr>Plf+mxsjrz=NcjsM;&D4KOxC zK4qy}ecEYogXcOWRyx{o@TTcPwBL}%;ij`$R6xT@y=-<1X3TvkXS;4Y!9%1CFUe%pIXj3 zv3n80cW}+<8lpieq!}}~vk&&y4{?X|`fu7j`ZbRc7A)vO%?>jTKjI-BaGSGESa1&c z-=dbDJ=qO`dI*t-fVb`-(b?kUD@9XX{@PG zZB$c;K;TN9&pgp;lBv)|pXm-Jds@TIjq6HSF+z z)`?%atrZE|CjJx6Vxi1$#P=Or-2awOW~M_eHNb08$*klu4dS28qWP8HmEE)>)KGX* zD5TD7oBgmRU9OdMtfP7t>f%)zxh!+Tbxh`4oKDso80|N4kczC;=){*4vE;x(9Wt9> zjqk@5vP>@&se46P%gM86l%;iMYr4UX)kR|2pW3brn%^_2_r~Qg)2>sNXqQi_+>}yd zzWlwO!U&G|SCrQ=?Hu{+%^RUvX$(z6RUi=ft;n1lqX1|*3lH11J3^VB=GQ2?s{!93hUJRl9nBFAP0MR@SIMxXxAiiz{L-7DTBa@j_ZA)-DXZLrP4 z1NGm;Ba2e%vqk3rhpM-XYO8Cbb_*0JP@s5=gaXB_SaE1^hvM!|fC9n26u08;R@@2h z?ry;$XmIzF=l#BM&N#pFFC%;Gm9_Vp^P2OHwX1-OOa#*Y9<=%fqAPQ1Vg~vOcY%Fx zv$O^S;w~HaxYOQ57q6V@1QtH`orZhzk)XACr{K{lZl3yv;n9xA#OsJ_cw$cdVB@sD zDlhTmBbE+}%x_jBZ)ix``*nRKErQ3906j@$0O++04&fCw`3R@(RtPOyhlffJ=R=e- z(ys@}!`*d4WkLuC9`Noy$6|@*9TyIJ%Ghf^)ET2c4s2T^x@&Vr^Gd<#jXzn^6Ewcqg;M-Rz) ze0Q*85)@>$|Mbiff4{-QVQycrd)-VeoY(&HLOVAC|6Xio_&ZDa!|Hwck6Ukz`8<`; z6mSOmSQ@4;J@untJL}|i$myn%BROE=`T5zqe&SyIv2{_VS-MU5Z^a?_uuAY`ri8Yvp|1l-dQj4uB^|kQ8ARvf4>&JXhTr{nJS*h)3qZQVLu)pcX7yY)LDqLU02+L0=%&1 zPAlQ4B{HV?z6Z_CHi#B^TkWyBS$RCCS0Ah3s(S45i$T=-@XMXP3z<+~l1W1qN4^U1 zlo0z!Ul%~YK4ML~o?32t7cu8WYuoTU^eC#@0Jit3(sT3vYJMwYexgBipzpk4QOpwg z%%Gv;Fl$&QN7^mpmboD-YD)=M5kq;x{ofA_L~v6@`XuT?)30+%B3Atm?LW+a63h{# z2wH`kj=u5D$vVIyPOTJ~~btyRn&SlZH2!MX&;GXw_;N?ix({;B#5 zOcY)lgTbzJdgWgXp=@S>#RBMPMI}G8Tz*`Ls+T8^0BC({&}ZJEB|>`J?LXWz?77jb 
zm#k})PI_YydrZ!4W-Je+uJYeizMj60yOJQDeV8f*hiG$?U2R}zY1T-7cWp@{>Uf)M3yh~A#*GZ z6iin~cR+t2+(up!9JI~{dVGA`KRPNf(7cDuO|E`Wlpn?^iN(TrRL^)8uDh{1Sd$+E#V>cy?&XQg4c$zX;| zh>?_}X02M#iEz{I2yl#iB^tZUqu zT>BoOQjQa$vR(paTsnxcp9IZ_cLCC*V+51V?#Q45WH)czmgEj|wDk(Upq4iWT`fa$ z)w;t)Dr5I<$@F*)dY#lbKo&vMogJ+w_doRHDYo5w|B!4Zdb|W2P_ed1ZD6|h&)l+$ zZsjNt#^_IMR)veMd|9K5gN13BTdnKCzYodnu@RO;>8m=I1GJ8?_ZRxGA36vCv6Gl> zoh!VT(k0WkrhoN_JU#03kqw}onLY9KHiPe)#@EJN+&sxm`+jSU>a|BnqTQp*)sxAu z2p{#WG;wGF>tmRY64^|G2oCB|_R%e`5BYdZIwH`V%8L*8iz+2);UO3n1R*s3@`i+v z$Ct89{^(Cm7DnEK24Wq=#^kzNezp8JkTT6?FN~u^#cki$ZQ-vT50oq`(Vq{doJo%r zl(bdGr6F@qGwZLc?EstpzyY>=q4uEXcB=S>uno}#8Q`R}dO7>RC=lS8KJnKeHV`~R zxT`a69#cTDK*?eGkI8U7toUjD_0pGp8H7+|FFwuuJL!y{R?~=$h$CDJc6L)#p(pEY z#RuU3_H|%1onYR@G_ih?I#V>@wDK@(!5*`DRZm{^%cF8iRonw9>*1xB6&;U=Rt<(U z_x$AFEisEB>QwX!96aZgzh@@#14~Ny$1>oCvA@HQ#T3Y^jdrbZb)$Ms5v)mW+fNol-v2zf>aQ-UrjSvZ_mTw%9-eSJSWG$ zjc=BR*7PO=D?`9bEHTKs@IMFj7R1#*sI+WpCgbNAx1m@aJtfGyJelni%pI#wdzG)f z4c>Occc!22P!lBe<*9QW-W~KR0TF zC)u{}%em;w`9e?inM@xyhF7fT;+A{7a3m+e<8t+;HI9C$@T{Knb#(Px7+>Z0(efJ; z&mt*z*O%PqAOHww!v9T>?*nT@vh{en7Kc`i5BbuZZLhwg(cwP9PS`(|i*zcJV4c6p zMdUAB+nMAv{Z7&>rQNn;@74Lz&9c+HN6on9iYmU0eK?TWx7L8?Q=Vc`MaX5 zdCukArYTn>&J3Z`!Lt0xO6zz(azES&51+~8|HSW%9LW5zr)0Lp98s8Z_Bro|mXF&C zU^~=i@Mu2|EEE~oUr5@-DAOqNV*uNbb3E*KB8~3+m}&7beZ2qigZLL#%HzURW5mkz zt&KIkvSf}hMM-&@irlQk(H1!_wk;#|(#56}q>;#Yl*lCemE9Av7_hraGLJ9nnhWD6 zE?bHu(JjllL$Na|3qDT|d$rdm_*seiJ3K-X5+3fE7h2|=;jC%_$OCU8s=EJZs=WjG zd$2wnKK&cI!W9w|tqAcG$6wL>6<^aEkiR1Q*>KKS3aXVrt=k8@^D<^M`1xFByK`~B zEe4$>R&UiAl6WtQ)U4gA(z$%}wd3BJGVYtZN&BkgVy3Xy4S~wB2=a&LyP34_uGi86 zDlKdVhC@ZWQ80Jik+nFYyUQxJveuPOHXLb)zI-nTYX0)o3yYD3u=a9L+UK?C{K@L> zEe((-T!&JIs|M@`KCb^Fr(q9`&STQ_5CJH&Nr~ql=uaou*!9f z6Q+R5ST4FV%OnlP;+QdoXK#mH+Xa`^yva`tCvBSP&cY? 
zwrkydjEwV|w!OC(w&NbBM&sI&#C-KvH&@E|-U&lADot^^%;U4S_|35hAD;ueC zBV@TN_e8hLnZTD@Jrjf-Ro53YpsUG@7Dohw%CjC0@sW7?xI172)uY&3E>|eS%OZ;W}I&#Ieq51Gluj@I>pmKpIQ85yJR*C)FHsax; ztjJzVU%KG8A#;|uMYU!6K0mjMy8vO636XK;V_#`Yssh*So?GViL4Pt`45vd1&_O*D zJnZf;M|NTe{(hnGl||ycSM12q*{X5WL5+7j_V9iMQLU-mouuQv?BjAE9!b%;wU_46pIp51aAsrkoi|pyc>JVGP=MsIk`ri zDcFWDiTc%XT$RoJNkI1_O$m9KK`pQ1(re>rlPgvv?La#6$%_Hrt3Q@xWNR3Z+* zv^$2MsqgAblAr=A8_c05v>uA14wKeu z^>sY;tY0iG9^C0+s7EnNwfF7zC5~na2ankWTTS1nWM23op{_bCgCnn7yh0)|y647` zI`D$E*zK`MZUNNH^Z@%7+fmM}A)$_=I+DfoPo5c=;e-qawwG6V`UXAXcL_bfHK4e- zS%Px?rIW}4M-KKv@IgdMQ@XfM(_Q`zD24$QVKIRE&AV_1HZ3nxH`ZB5IrH-mBN`MZkqEE(y4&6J8H&)|w!eM1A3O z#3hepGh312h9jmhJ{SKOLKdEoy>b6q?t8DYPqliYS_f`_qb1~V9u+K}(1~sY?KoPU zywKmy`Q{jGlie%*v9ntg-(Dl6^IA)=Qkjo6^Rp`q z0quoKaW`pGp+7|@bC_|)iPr(^t+*0*3qLCANUA@-0rfR4^Y_-41x%(5d`;y;m?`dO zO6JC!IiP{@lYV#5XVTeCHDvb&jA&FEp5&^nyjR@rN8{hM{iU2;I(KMEFKc#vH5HNh zHO{7M>TQNgAMnuQf?%Jfrn49Sv{MXv|G{e-Aud#X#}%ZKMLxECAn}nzr^@XBy#W$x z5mQcJA`xW*9hPTGV@rscF~`%P99KyjV!)A#AQp}siQfJ<7HzRQO8-$YYvO{7-M+L5 zKpOCxW6Pv#ITQxH)Uvb^2TCABsn4X;j|a8cjHa|qC9al^CReYeNXUby*}cx%G@fss zmobY=N=us@wozVQUc|)3>6xGO3oCB4WpJ^l^qj>ervqO^5avY?mT0pSu6Fs+`6sDX zbT*{)e*2xs7T%Ef*~!QX*M}l_T|~crq2$8u77=k+YFcy6D_r(n8u4YeeE1T$be zE^!U==A)!}LbsOr9I)(hv)Ciefu{+EP8wxI?lEWT)0nn|dy@>$4tgRs)!5d(TqS`> zLEcc_HWbN)lJ%5eVi5G7iZk?HOkC^`wM(gUQX#l7;Gz}O{d?=5%~5vE=YX?Gw?pk6 zKcb6d#B*SnI!fl`L0!B#?XS%`a-vhgFC4T1i~rtQr)H7GiyU}RQLcsMzDHzD-)+ny z*Fdt5Gteq6t7IM9-3{a*74}Kx??Rge*Qvy&m54<#Q)1W1M!{-S69GNEuPS0iWfLyVjgZp~ z?ouCgUkpDTKqMn3LTrV$DMlY-$FoT}ZA-9F5%uf(Pn%V{Qk^k6E1MKFpXI0v_UpF!EC>gIP z%sqd++l`ZZ$9ftRB|@n6(SfB#Zpo$32yI<1vj^G|?S6Mg!2)6WBxpkApM=F`wB^N) z8AnX;C!^o87jgQ1QO9P@AGUCp$s8ugmvfe`7=P!%Wu2zJ|e9t zs_lrddg`9i(WUb+jAGhD%TGZfdfkSAsp}IfYUiY2B#XFMDU9E(Z-h18u)I-?%cHw->Cl@zO814Fg}w+UA7(4_V>8So9)Yx%$nUI(iE++{P3j%9!+zW==UTb@^mr!>2rbb(eR*Efr_N16 z(gB4-*Yt6y8QtNuH7x1riu6IM?NU1P+Fb?x4blSB^bxLm%%ihaOTv>&=r*b^){Y+h z7u)>Mco`Vz?WOy9a(%Q=Tr#Z)d-?yIo}97&IX%_iWPi`=Bb3uz`myJ9M<1KX~=H3R9D1H{!3 
ziLA`)al!Ofk4Un_U7mDwm75Auk!KLRHaI010RMP_KESPOW(O)Ns)Qg__U`iHVm6?A z(-)8vW%>dB&x-$J;aDlw=BT`BQ1MguX(*D0gxG#VceBX_x05zIXneiz7r|b=W0ZS# z0iXq)AeJNNjApTkVz2H3&E?4a7s@#cpvHrrNFppMDZ%;%)NAva@}f>8=dNDKc1;1+ zJ-yewIYlX4-bnXB0NI6A4I^ta`w)^jE(Rpk>VZ7nS~h7%ZNFm@M^D^x9PFjFY7>dYaNiOorgy?S+D zjtjZ8JfgRDdsjKbo#h>ME?9;|7I561A=nN2i7_W2oC6x}Yn2SQ1gjpRzdUbNyMHlR zOiem~t==k-9|#^^Au} zxo+d_ubt_RTwP-+W*=40$07{`OggJ>)tR%VAp(Gs~0A{>|;J%FmzY693sV19l*oDVDl&Hd;ir)ys*s5G=BAR@+#RES9SIK**3 zEWjcCX(du44Bu_`G4ri(kOS)k_%Pf24jC_`M;L!}EGoMDU+3=}J*rnjv8Sx#Yf}CP#MpJcD!tT7wT!{gM`8Y#$VV*wl$o~`;zH!&UG(k&( z0QYZYulfB?3~Et={7K#X>gyX?Ilv8^Gqa0yE7{uDHcd^%F(oC#S(we!HQax!=Q>nJ zP8;FS&%eE#$0wv+TdmB};^NTdWo@XlAN)>jH#hSQ4-fkg?qhjbKzZK42@z#I0|R(5 zi0$Ft?}|Ej9Iu31we*Ezgo2RT&3F9J4DK%;ye#EF))zz#DiypAdw+wtpP!MOez&ea zH0AK0Wx+kHBTXMgv*W=Dv{fRgZ2h4@?m7!x?@mBb6I|6(Tq%WbKzIsjzxfl+0jj;8 zKR+Hz`{ZM&g|1zFvj{^n_}bLz`Q^WV2yMr^=JFcvPW~EpM70*u*q`uk`iJ_wwgv!+ ze}SmS{ZMZtI-sa9{nH!=IQ*d=f&sJ z+(W?x_}w~tt~{>5)hY!>rezEGS>c1p~r^EIYyrH@`>%+=RuuD1g&s2(Usp_(C*RE)G;W!qS0d*8iP`qoT=$X(%bT5@zl( z6aPAmfgb4i)aGl&hDO7N>?$=2CqNLB1a!lBr){lyoQQYrv|V zVblplxW3Jqg5#I6MOGSXTy6gZo!y_*3KiL@8jKBJS#SYlMmw(Sj!zDR-p_5S|K>(Y z*75$g*B{?U<}gw}o~^dJtE5;-{ni*4xMGlo(?sqwdQQ4ZGT$5Svfus8_=D_4z(2)0 ze@(WObWnS{d6gL`r*kS|CWc2Nmo9MZtEf z%AF*{#3i7AzA4SiHuTbGxh*ncwFN9!L_CuQbQ{{Ab?FQlSJF905Ut2u?m2`g0` za`)COpD>w8SKHr&Gp{`iy|3dcOXDUe3g3(`S~Gtr`*epY5tEiNy2eFV)*yUos{FPX zVP7Iaz!TfJvdIXZ8EPsBomCx@a;5tY)^qLVTQd<+&es4|ssJ?bZWjN#oecyVK+gBhfl5MZCqvOq%oX_JqK6`3&qsK2USr>Pb z8;*bUN#cYO>5-F)<^~@eux5-f27$pPjp1@Bh6*kuv%Tpi59w<7bs(p%`PfsMG^a!3 zH%UkpRrd9~>!}ra=1P!K^51r&;`~29R~2NlJMVwjUkM0}k&Y?FQgl_iiNP-9stsuMYe_mDdanjk@fx zVhsaZzDslYEjhR98i66{)VS!>_7= zuBlKCu$XCOR+D1PpOaDg-Chl>RLtU*6u}Ys#eL_L!d*Fr5!t>T*j``-ta(;9(|`3u zPZxWlutle|>~z+$cs#Pt{8e8;Unnr64etOdzt#SF7NB+g2=%7`Ky?={xEUeFPaoWZ z2|>tmxE?%i!okQbf^1r+f6i&R6Um}`)XHunUhlh(2xsV@V0;sQ>_|`Y*?g18bt*I* z>6$b;^mkk*pqlFBioIM4-%pC@czT@~56Hd#_Dmzae5@24ygDvgWEh7#?$5swyD*sE z@ckmwmtKY8O?36KfUBctH{)i*>({A;05-#aA}tmHANrKREsK)-m3x5)ZJq4o53lP) 
z_OCYQB%&HGpG8GPcpSFgg6-GUOW=VYVw{6rF*x(&_960(t>m)L@(l2;A+;$s-G9*2 zH{-O(H&x94QBR1gJ{3)xMhzk`drc~5h$r3*q3zxwJ*|WyJ1t$?Z-tn>iwg$pa9lQS zfd6HJX0zwRAO`=)to?4RW~r|viAz_C1644a`-8Cv##M~xnH7oL9uq}cH68u$ zKh4^dGX%3Q{*-=<&ggEtvPNhkWVqlsUu*bNOsH-;51O9(sOY{l>1U^*f_7AdJ<$E| z?pW}7xD5_*?w$`ldvPzPqn@Mv2@3qFzb;dRi(?ZnVd3rVz2D4P7j84@?3#D*_h&U= z5qC|-8RQu}ogg=Je{m=~Cmd~N#LLB%kiqZD5J^GpW}rGJFq`d3hw1W=xnbaYts|7$ zo_boCa!H=$GqQu^>Oh2(g6n|hC(YwY|JjFF-u>ge?7Lw)8^g4k7tcq`ux^wh+83Xi zEWc!n+!s=IVvzUWt~yLCAUY5qryNiwlPUhi&U-QX_1yPG_&yDhRyb>!V$l-;G0)y)%DM7RuyF zJBJ|l@|x<4XQCFd&T#5>v;tBz7Ch;b!;TicTGWcAtAwaBtw_A9BXMIqOmV1aQ`wCp zg&U%e7I%G-x5p%_&=MvI?uiFGHrw|v%Y=&@*ZXQ(HO9es;;9P2mYJt3eL>&jVXo(z z=l)4sAaG~7-bTji-r1jVZb@5IqKZuZlc$x!n!L#q7BQa7bi8HNU5k)ia8`N{`- z`Kj%>KL$$|Tk|8!#AQjN-RHW0i~{wU-E)|d+x)U;f#VRnKDTuGT63)`<1AY7Nayrr zaJ+rT$Dt{b=)urt|Gv9|FC^Ke<%} zOpl-T=gn74V6+`urD!T_Tq*uBF`sO}OMkUXDiJLIMdbnCeb;CQA0N-1Z`|1hMP^CL zn31eD+cooBS8MSiF%EFds;d3PPg2m6g?Dk_pmD3=dR-D1O&EOUD++1oXMm@y=ql_~ zX`rmEqm=C5A`2T7&V6+ijlGz7sprr~vobZVm8zNWp*uTv-V{9Z3ywzAp=7s=9r1L$o~gXt_f)3ToW?kk3DNT||tziRels=9iTf zIj`)q$gy61h?HulM>k6a_5O+s;Eok~b1wcCkTQS_K6snC@;SGJ=sUP5JT_K@m_IXZ zqrEciVp@clv!*}=yRSI(kEB?vo_;y1nFU^PbqwNrD9B2ieu%Z8)-zj86&otv6h9|) z>(eYLsxKpeV-%CW8=vD{v946vkkNW2mP<($`YxK1xAY9Hu3#BL96TDLT0^4hZTHc9 zdtlpBQsC2{;aEEp0doO_^S&?ZeBD=}jMDb|Vl&CXJr#YUUsHOvsGYvnRP8*hrj?~| zCz%Xax80rA?rd*54FX{W^`FzB7`u)fIjWtlM=6&j0OG`{in`ibj+>jC;agE3R@76D zFFBt3JO*-$e)0n8EP?ecw-=8;NtVdx0u+@=7?1VtymmlBA5BJGOLY_IU`jx|@NcI( z+c9x>qo7Yc7UgC;A{wN~Qs0^%zV;t}8L#%fGrg*vyZk~m3X8vL#naI=qMat8m?p6q zt(pTY23a{Yl1-Ri_C4M6Q?)1Ck0gd4d`uy^GU9Tt zV&6S>-o`e5Y$mzBGrOq;E$9nn9Q~I49YWdHln4Rr%;3z#J7F5^jf`LBL}a#nDrKA_ z9rG)IxSZbuQDf|XwU7+l1*U2FwkdR0XppY=l|eD?FM+fx$iRf#M)Y*3=c3QgeM{pd zA4&McfDCMCz2^Ndr8o8gmqtNj>q9)X?p}Om96j>1m+LPB>zAkNV_g?wh&sB_9M(~^ zE=B~Snsp(sH|wuazAr%H#DT4)9mlXKCtcppCmF6H9E@0tXXp9SPn-N4{pFVyu7>FS zBT3mu2ui5q(lp7$0S{CA-zoCUjm!sr0F8<14|7TTG_nL`rJ(fU0tE&&@R(B$ 
za7sBzmtpS7!V!4LJw0f!7Q%sKtKEoI;!bT;iEb4thb&$`MkiIX7DhAc2j4$0@-m&vn^sEM*A>g1;?^dPZDUL5RJErL zz)J-egX(H}2BO!!gwj(ga28Ry8ScqKK-8dD0S~m601|je48=Ed)2~#s!+1gnK~F;f z`3rZ8=fxvit)|Bp=^a6tbelxF_ikT}x8w?W`!>>6dK;&*E`)vTyQ4PjTpmd`^Bfo# z@fgM_D5WO$iD~3gy5rlh6CSU2p3D6zTxD2~GIYfsYPDQAQ@k~(J{g(z$3KHLtDR7N zAMFhcYqk+}DngFV&o&pbqD>Pe1?&)mY+PWQw+3Z>68W{SSI+PgfMvwZ3SkV0q}26f zFWR88N8!77UN}d`y&c2lO2DEE4RNW-PuM#t;{=QBMoEWJt!m{J*_ibY%sMNrci1=w z+HU<@xJ&(fF<{|{tO@iE{2Tp9T=%qoo+BMM8teoKNBe=(_szazvDno)95;^qtAc`J z`Yy)3noe6zj@6kKqw1$RGVY-qQ8{36E7sh-E9+5X*N4jk0dhpnQqY)me)WJ zwYZryj%jzM)XKo8{rw(PSOXQmhOPKXGFT@ojtW$~QZfbMFw{&9x)$QiR$n*|56`}T z$xPcXIH#+p^?ZNY@jyndkUG-w^muv)EM^5DHU=YqmJ_SHC#TwD^L(}1g@lDThoN<3 z)nz(x?6SL0ka^W?{Cjica!cjKZYPL}>!Dc-AMP~fFfFP9TsJ%&&1#1aZ!=|_F;5G* zBK#^@XyNpGGcMw;XI5{N=<~xiom1hGe$Tg7QL7Y~8&t>_z?Gn;ad=Mf!8_Ih3G~Wo zjL_2E1vTd(_u&d#$~-S?z>C@Q!WMYj8DSx}tC7cCUB%n;8;SBXuIOy@>RA)G(qEPE z0&6<^%f_K`aeM`3x`;H{>@W8M?=k_T>E>!Pr<~xUR*;G)-Ax3v#7PfpXbEix{!%6!2`=*b+ZVM{1Su}lre_sq&<6Unrby|%>plrJ;l}qyJ`qVw3-|-lX@KE4@k0viw?8aFIqm3kd(fc zW@ve8vm`(GZ!NSv-QPLGi2klP!{S5gA~by}V)G7&3zH+Zg@Y!#P4gI478Xrvy5gwU zz@Iq!-kYQikP`liS6V#uNLK7GBf`&gZPuAZ^PztubFxojBHYVXAY7Ql-gG3x91CS-yC+7XtXX$rlXle)MbuRYLT<&& za8WhhABEk|WH>!s?p3=e30oNbk{9#jF{>-b-9*2~u7BEHgJ-2lE;yi}qQPdH*O)1| zpw+OD`Evy8tI-P$;R7^;PCZ>#EGHNaXto%$`F^YKlGY7}4O6Y>c!Ybp@Z@Bk;{~6m zO_(u{pIOD8C84XnNF@>SmvSV;(N0y_VaHe(a6Ah z3j6IZ6iFx4>=rUem2!U+ci$|17*(#4la$!M;5bNfwILgM+OfrRf$97*f5`7JdI-S( zIfe1bq3+WW5`;H(cC_(){Va_QgKZVqIB~S9>Bx!Y8WZK}n03*vt)2sK!N0gXaNT-t zKwovu&Ouqdxxsqy;N!Iir@y|ezc8AowOLMIO)jj<-|^D+dvjz(m}3^-Mj7+DGYIY3 z;Sdl>ciwXdgbj-n*>=11y?xo_Ho#3*j;!EI(V`OCoGC6HDzj4o%uZyfTu)X3tC`jh z+ASe|aLf?wPPQF4#kllozNb3EZkGkT!)>x)gqLFyc&+}zX~sP7O59s*3u}oPZ})_1 zG8y!q(rQ+3`%tk&qkm=3?Cwm}pcQ9paU^b=DZR zia-w(%<6q|R`)WkNy)fPi?>;F;{624)=mUM#^H4v=ica`;|YVkg{(-!_Ut_)2VafT z#S!w3Iyj6KBS{YvyM`xm+q*|7!Qh z?10UuRp-L>dU4>^fa>3KU;6ZLImHwk7<8ww8*U=ZzSLb2Jk}_|&3Nm6daV47yseL+ zL-QM;sqYZaVe7I`QvpBl{ZjY6mS0;mfO7J<0NfIwua{=*kq<%sxKkAt0D*7V#MYAu 
z^Dak&(M?^z?Su5jG^r$oVD$xYk3qE?pc8dvb;eo+At3X{a4I5YG+hvNq@Ev5fgu+R z4*rV)VA8M6dJ0l_;5#~7vguQpz^HSvK2R!6T(`mI-AAX>Bo`W6Q2AEPDE3C~`{K0^ zu7MYS>d?0zh)M-=cvEwz>nUebf0n#}b*X9=;SSA7{U7l-eE5M32IIQJU={Prz3Mcv zx|MJXC6?{Nw2RWp{);(M#`YA`aY-sLymAdYdIM2zk7X;s{`$b%xHVJFg1u^`O{G}o z1@xP~hsmY(@&|2j?r^ezH*v>mM(t#A0sgOSRk^LV6CKN2}{L$b}6C*WTg$kVrb41Fv5c z7qHqP{>el-73eE+b!6qASRuq|WM-_*(7lr}B%UzjpUr(t(*=F`epU zjBnn6*=)|ovt8Fq)4zgLwMVed4=s1&oSZxwPbtDEAOkfks=EK%kMFlWhz5~qJ-?|^ zNQV#@Ni2j&z+`DWIJT&J#+=?1zE8`^!jWtiqcp<1$BPr>LS$VQcpB{14+28zKzejQ z8!39+Uh;6IaK>nN&(GY?@s&Hr0rv8J-kE(xg=t!@ESTH8=3dp4F`>J=USpQ|;|O*oJgNi<94bKE zVa8Uk;f0^vd^z!R7@1#t($dl_ZEbwnVJ4+Kg~i2Mq_hnqLQQZ((-%k-4g zkv;}773sfprDa`st!(F`U8tvt|BLQq!PPc1Fg_Ve4i^lANxe`a&RfMSOS`3|3D&L^ z6bvgRSsILTVk;8{gkIMx>l%Y(xJqTEsCAxumRzW^Fi(8Ec&(5;DVyK^dk{~Z0}7Ij zCo-lihVTC}Ff5L3Cq0=Itnnwaz&y}n?PIPW8ITkQ-e8-=`I6q`jLEnX!%tMy|I(R@ zC>OoKh`0VeC5S;RIrXqMt^A2v+#IU}7WM{zURXPP>;skqOY}SU3QLCyIu~8m8P}h< z2c%xA{S}?KE4>cv-Tc4!iPD1Who3)s`No6#Os2V732kD=gSL%;E%D=Bg9-&<^Mbkh zWkjD74%R>H5iB^KIUswUsxb~Q+{=GhIB$$+rlneZ%tqORN3FshDK58gR)=5Gka_+z z(A}=m|C3qT&3&IwaS0!blk%!E1@l&Ay{N#!aTZ7$|6)v}8abx-^G#TMd2EXV;oc&Q zd}ysD!Hotjo6#L_ATz|=BKswCah=g{y^R5OLQuVa2A7GCSo72_`Qh0I18(L7Y12PE zF%OIWb=d*k3Z?=LMPGVT3*VC?EaF=;UYxb2jKBDmQsO%0^FiqZo4a}pT78L2;9ZVd zgC+e@Kb|?w=4z*1FNcJVL1Ese^`?8-I3>${^_D2d3luNvkGn7Ia50XNd2=^m_OZ^n z;%%hc#t3RtjbM(Xd(l2~uH^lTeKxW3w{NjWJCh-h74Lh~QDPU2eE{y+$Hl_aJ;rr1 zA^BJF15DT{^E`IC25<12B3)s(jM)C~nOViS34SmQlwr4;b!@2KjuSX@%y^-(LHRv+s8du6ul*AzQ9yK(A9HY(*2aaPuTeI z%q-L`&dW(~4n7WJ_^MFo`Q4|V!O~Hn0w!ysz$tj~Cggqbd%bHH*Qu3R8O8P6(jI6k z1sXi=Xs`hf#C4259IhR&S$s5a2ya8#Z+A0*=O8QK=8V}b(kF_xP*6s_YLWYlhAYb9 zbN0zQP5^<>5AQV`N|y4^57WxA_F6Fxu4E~$-0wbCQnPl$4aMUiRTODRcR9vDd<;Bn zLFNGZ)$7uM36Nw_UK4P$4CB_Y2S;VD{g`>z7Q~48H}L zy)71jOJTRH*v*u=xH$33W*)Vg#f09(Z1A+L9b7_8z`pRjJ;5O*EqmfI&}bg#D`AhC zQt<_pw2JNTF-buY>od{)AYsu{>W=AAHF075jL*f=u2csVn9D?wZ7WlQ1j5)2_Uq%Y z81luGldVuWx#^lwN_i89uYyWC@V^DG9xgtG(3BW8~0 z-Z@uo49^y#hd#z|UYL~_#qn>qf|f~B&uZ0dw8TPy 
z`V0+#G}02TLp!?&S|P2L9>MF+1N3{sd~Ac+k(A^`IlL*G%jH`p{#37TI8vv&IIQ?- z6I+YbY5$PCHO#(MF;EeA_QrFM(a`+r#Jn^idOMF}j%gsLC0_rZAsUD(su9JMs53J@ z^+y4#&v^^)m8ER+mq-%a_LuVPb9P`o#Vk!qOHFO`yscpOZ+lx=X6KXe1tc5SdQid3 zVt9nohbr#2|AlFTQ4c2O89JKYcX>Wx9OuU3QLg)gliT z50Oj}+=6>DPp?1AADo#D0tOHG;Hl>A#==DP;UgWoQcrFcd&|7s96dM{P-c^sN$3cN zFcQ3yvHfnR@+60&um4YVWEX~BLgnWyjAvx5E40QNf_Fp!)s?tY!zw{RW6uouWztqJ z*n9;!k&|u)ygms&u1@^@sU$s$$r{1r`k9wLfe1FSQ@Izzm`D!L9{M^{V466uq!};i zEX(hFfSt^4#8aVRVr9GVm&}8h>QYM=dn~`X=3UWPVp-iK?bd@)zdSq5SN6c%EnQvi z3FrvCmmu4{fg<70N!cc$Fa`+PWQrgy!37|vJurt3?diu`u9GQWs?!x2kyIC(?^_Vm(I$*nTt6|N7{FU?T-`qjp1dF zIV&YXO>d?h+tRmA<#W=!Cz7fqWCyw95tQxk4V%4KG2z4L{$%uk{!sH$PLH|m49phO z0B?CD#ydwv>WkrXL^mBp+G_T}J-;glQa0Rsqw{Dq{=l6QAfb_`>z3b{F%8s?=5zs5fl>XA#y^aP&x&feUEN zAta*QM{7oMiLkvgGVK`1*um94e%jq;-cMHhsF&mL^kr?WiKi$ z3u5*KeAbL=F*?0_gpQ}ov{%zK&3vivi(55~ENrW5u775yk$Vx3$YXJWh&PICcdL%I zC8EfCy6bJ0>Rjk|Rk(l7&WX-qYM75EhXwY%hY!k;S8r;}^uc`jX7lmo`WKd-kCcH1 z2T^(hn|By}?e3`AZmZf#7^C=tdce%QSp;|LU^myuVzoPSB8H37ovvs}S$1t1r=DcW zw3*a#QK`p1yp+;(kA zPc&OZud!=+Q1~&QJjcCzimCbTLU6dt zt%Ga-g-ceb5f10US*6)*$V??w?|SC>x>l_6j09M{w6){_HcJod4|{=;o{V-%v0Zxys-}6h!e0dN72{+B^=avH_ubt0nH&jnpq zBaW-9r@E||{DNYlZus!^w_kJUN*J~E4GQ1~-!Ijw{}QXveG5{dtNMNNkc95pgBXoo zK~7s23Ac{3V9pBm?%9UPh($ literal 0 HcmV?d00001 diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 8a29bb7d81..5c90875208 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -103,6 +103,8 @@ href: hello-cert-trust-policy-settings.md - name: Managing Windows Hello for Business in your organization href: hello-manage-in-organization.md + - name: Deploying Certificates to Key Trust Users to Enable RDP + href: hello-deployment-rdp-certs.md - name: Windows Hello for Business Features items: - name: Conditional Access 
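Review bot: the new toc.yml entry in PATCH 1/9 is inserted after "Managing Windows Hello for Business in your organization" rather than beside the other certificate and deployment entries such as hello-cert-trust-policy-settings.md; if the management section is the intended home, fine, but the page is a deployment guide, so consider placing it with the deployment topics. The entry title matches the page's H1 ("Deploying Certificates to Key Trust Users to Enable RDP"), which is what the TOC needs.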
From 1d5552f41d9240aa2d556311d8e231cde883cf95 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Mon, 22 Feb 2021 16:58:19 -0800 Subject: [PATCH 2/9] Adding reference to Generate-CertificateRequest commandlet --- .../hello-for-business/hello-deployment-rdp-certs.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 74ee56de46..d7c62902c0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 02/18/2021 +ms.date: 02/22/2021 ms.reviewer: --- 
@@ -164,12 +164,14 @@ Once the configuration profile has been created, targeted clients will receive t If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificate-authority-add-scep-overview). -As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you may manually generate CSRs for submission to your PKI. +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) powershell commandlet. + +The Generate-CertificateRequest commandlet will generate a .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file which can be submitted to your PKI for a certificate. ## RDP Sign-in with Windows Hello for Business Certificate Authentication After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. -1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed. -1. Attempt an RDP session to a target server. -1. 
Use the certificate credential protected by your Windows Hello for Business gesture. +1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed +1. Attempt an RDP session to a target server +1. Use the certificate credential protected by your Windows Hello for Business gesture From 87690547171772991a7f69b100ffdd0ddf567d38 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Mon, 22 Feb 2021 17:18:51 -0800 Subject: [PATCH 3/9] Fixing some acrolinx issues --- .../hello-deployment-rdp-certs.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index d7c62902c0..c7010d3796 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
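Review bot: in the PATCH 2/9 hunk at @@ -164,12, the paragraph describing Generate-CertificateRequest reads as two overlapping workflows: it says the cmdlet produces an .inf that is then fed to certreq.exe to build a request, and in the next sentence that the cmdlet itself also produces the .req. Spell out the order of operations (which file each step consumes, and which artifact is submitted to the PKI) so readers know whether running certreq.exe is still required when a .req has already been generated. Since the link points to a PowerShell Gallery package that will be run against the user's Windows Hello for Business key, also say who publishes the package so readers can verify it before use. Dropping the trailing periods from the three numbered steps matches the list style used elsewhere on the page.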
@@ -19,27 +19,27 @@ ms.reviewer: # Deploying Certificates to Key Trust Users to Enable RDP -**Aplies To** +**Applies To** - Windows 10, version 1703 or later - Hybrid deployment - Key trust -Windows Hello for Business supports using a certificate deployed to the Windows Hello for Business container as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this cert occurs at container creation time. +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. -This document discusses an approaches for key trust deployments where authentication certificates may be deployed to a user certificate store while protecting the private key with the Trusted Platform Module (TPM) and with the Windows Hello for Business gestures (PIN/biometric). +This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user. Three approaches are documented here: 1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy -1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrolment Protocol (SCEP) and Intune +1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune 1. Working with non-Microsoft enterprise certificate authorities ## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy ### Create a Windows Hello for Business certificate template -1. Sign-in to your issuing certificate authority (CA) +1. Sign in to your issuing certificate authority (CA) 1. 
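Review bot: in the @@ -19,27 hunk, the rewritten sentence "This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user" drops the statement that the private key is protected by the TPM and by the Windows Hello for Business gesture (PIN/biometric). That clause is the security property that distinguishes this approach from a plain user-store certificate; keep it, e.g. "... deployed to an existing key trust user, with the private key protected by the TPM and the Windows Hello for Business gesture." Likewise the first paragraph now says only "using a certificate" where the removed text said "deployed to the Windows Hello for Business container", which told the reader where the certificate lives. "an approach" also conflicts with "Three approaches are documented here" two lines later; "approaches" fits.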
Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc) 1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list 1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console @@ -54,7 +54,7 @@ Three approaches are documented here: 1. On the **General** tab: 1. Specify a Template display name, such as **WHfB Certificate Authentication** 1. Set the validity period to the desired value - 1. Take note of the Template name for later which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) + 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) 1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** 1. On the **Subject Name** tab: 1. Select the **Build from this Active Directory** information button if it is not already selected 
@@ -72,7 +72,7 @@ Three approaches are documented here: 1. Select **Requests must use one of the following providers** 1. Tick **Microsoft Software Key Storage Provider** 1. Set the Request hash to **SHA256** -1. On the **Security** tab, add the security group that you want to give **Enrol** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enrol permissions for them +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them 1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates 1. Close the Certificate Templates console 1. Open an elevated command prompt and change to a temporary working directory 
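Review bot: in the Security tab step of the @@ -72,7 hunk, the bold markup splits the group name ("**Authenticated** users"); the built-in group is Authenticated Users, so bold the whole name. More importantly, the example grants Enroll on a template whose Application Policies include Smart Card Logon and whose subject is built from Active Directory to every authenticated user, and the resulting certificate is an RDP logon credential. Suggest the example use the group of Windows Hello for Business key trust users (the page's stated audience) and mention Authenticated Users only as the broadest option, so readers do not copy the widest permission by default.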
@@ -105,12 +105,12 @@ Three approaches are documented here: ![Request a new certificate](images/rdpcert/requestnewcertificate.png) -1. On the Certificate Enrolment screen, click **Next** -1. Under Select Certificate Enrolment Policy, ensure **Active Directory Enrolment Policy** is selected and then click **Next** -1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enrol** +1. On the Certificate Enrollment screen, click **Next** +1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next** +1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll** 1. After a successful certificate request, click Finish on the Certificate Installation Results screen -## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrolment Protocol (SCEP) via Intune +## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure). 
@@ -133,7 +133,7 @@ Once these requirements have been met, a new device configuration profile may be 1. For Subject name format, set it to **CN={{UserPrincipalName}}** 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}** 1. For Certificate validity period, set a value of your choosing - 1. For Key storage provider (KSP), choose **Enrol to Windows Hello for Business, otherwise fail (Windows 10 and later)** + 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** 1. For Key usage, choose **Digital Signature** 1. For Key size (bits), choose **2048** 1. For Hash algorithm, choose **SHA-2** @@ -156,7 +156,7 @@ Once the configuration profile has been created, targeted clients will receive t 1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) 1. In the left pane of the MMC, expand **Personal** and select **Certificates** -1. In the right hand pane of the MMC, check for the new certificate +1. In the right-hand pane of the MMC, check for the new certificate > **Note:** This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies. 
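Review bot: in the @@ -133,7 hunk, the unchanged Subject alternative name step sets the UPN SAN value to "CN={{UserPrincipalName}}". A UPN SAN carries the bare user principal name; the "CN=" prefix belongs to the subject name format on the preceding line, and a CN-prefixed value would not equal the account's userPrincipalName when the certificate is mapped at logon. Please verify against the Intune SCEP profile reference and, if this is a copy of the subject name line, change it to "{{UserPrincipalName}}". The KSP wording fix in the same hunk ("Enroll to Windows Hello for Business, otherwise fail") is correct, as is "right-hand" in the @@ -156,7 hunk.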
@@ -164,9 +164,9 @@ Once the configuration profile has been created, targeted clients will receive t If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificate-authority-add-scep-overview). -As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) powershell commandlet. +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet. -The Generate-CertificateRequest commandlet will generate a .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file which can be submitted to your PKI for a certificate. +The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate. ## RDP Sign-in with Windows Hello for Business Certificate Authentication 
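Review bot: both `+` lines keep "commandlet" while the established PowerShell term is "cmdlet"; since the hunk already corrects "powershell" to "PowerShell", fix the noun in the same pass ("the Generate-CertificateRequest PowerShell cmdlet", "The Generate-CertificateRequest cmdlet will generate ..."). The second `+` line also reads better with the two artifacts kept distinct: the cmdlet produces a .inf that certreq.exe consumes, and a .req that goes to the PKI; consider "The .inf file can be used with certreq.exe to generate a certificate request manually" so the reader does not take the .inf itself for the request.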
From 66d2e9ba317efd6ee84aa8f418d3e437c928620c Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Wed, 24 Feb 2021 10:42:58 -0800 Subject: [PATCH 4/9] Fixing RDP feature page description --- .../hello-for-business/hello-feature-remote-desktop.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index a2fecf3dbc..baf32bcae4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,6 +1,6 @@ --- -title: Deploying Certificates to Key Trust Users to Enable RDP -description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials +title: Remote Desktop +description: Learn how Windows Hello for Business supports using biometrics with remote desktop keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 02/18/2021 +ms.date: 09/16/2020 ms.reviewer: --- From 9928a289f76166d9a76ec29b2b4af9b91ef409fa Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 24 Feb 2021 10:46:09 -0800 Subject: [PATCH 5/9] Update hello-feature-remote-desktop.md Fixing Description --- .../hello-for-business/hello-feature-remote-desktop.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index a2fecf3dbc..15ca2f22c3 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,6 +1,6 @@ --- title: Deploying Certificates to Key Trust Users to Enable RDP -description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials +description: Learn how Windows Hello for Business supports using biometrics with remote desktop keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 02/18/2021 +ms.date: 02/24/2021 ms.reviewer: --- From 90d94063413e5691fa413af21e3de2eac884d543 Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 24 Feb 2021 10:47:46 -0800 Subject: [PATCH 6/9] Update hello-feature-remote-desktop.md --- .../hello-for-business/hello-feature-remote-desktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 15ca2f22c3..73e443551f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,5 +1,5 @@ --- -title: Deploying Certificates to Key Trust Users to Enable RDP +title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: w10 From 75299fa943c240e4ae89b1d74b24654a8f87ab1f Mon Sep 17 00:00:00 2001 
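Review bot: PATCH 4/9 regresses the feature page's `ms.date` from 02/18/2021 to 09/16/2020 in its second hunk, while PATCH 5/9, which is based on the same blob (`index a2fecf3dbc..`), sets it to 02/24/2021; the two commits cannot both apply, and PATCH 6/9 is built on the PATCH 5/9 result (`index 15ca2f22c3..`). The title and description restorations in PATCH 4/9 (first hunk) show that the earlier commit had overwritten hello-feature-remote-desktop.md's front matter with the new RDP-certificates page's metadata, which is the right thing to fix, but the fix should come from a single commit with `ms.date` set to the current review date (02/24/2021), not to the old value. Suggest dropping PATCH 4/9 and squashing PATCH 5/9 and PATCH 6/9 into one commit that restores `title: Remote Desktop` and the description together.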
From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Fri, 5 Mar 2021 14:25:26 +0530 Subject: [PATCH 7/9] Update microsoft-edge-kiosk-mode-deploy.md --- browsers/edge/microsoft-edge-kiosk-mode-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 7c44ef1c3b..3278989d8d 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -162,7 +162,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur | | | |---|---| - | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge Legacy running in assigned access
    • **1** - InPrivate public browsing with other apps
| + | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png alt-text="iconthinline") | Configure the display mode for Microsoft Edge Legacy as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge Legacy running in assigned access
    • **1** - InPrivate public browsing with other apps
| | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| From 463e89c2a94e7abd45760dae95772c91de984b00 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Fri, 5 Mar 2021 14:28:12 +0530 Subject: [PATCH 8/9] Update microsoft-edge-kiosk-mode-deploy.md updated --- browsers/edge/microsoft-edge-kiosk-mode-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 3278989d8d..7c44ef1c3b 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -162,7 +162,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur | | | |---|---| - | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png alt-text="iconthinline") | Configure the display mode for Microsoft Edge Legacy as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge Legacy running in assigned access
    • **1** - InPrivate public browsing with other apps
| + | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge Legacy running in assigned access
    • **1** - InPrivate public browsing with other apps
| | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| From dea2b4dae74a27eed055d8e9c07ba90ea7daae0e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 8 Mar 2021 15:50:44 -0800 Subject: [PATCH 9/9] Corrected Note style, added end punctuation, made rendered vertical spacing more consistent --- .../hello-deployment-rdp-certs.md | 124 +++++++++++------- 1 file changed, 78 insertions(+), 46 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index c7010d3796..5d728241b0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
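Review bot: PATCH 8/9 reverts PATCH 7/9 byte for byte (`index 3278989d8d..7c44ef1c3b` restores the original blob of browsers/edge/microsoft-edge-kiosk-mode-deploy.md), so the pair nets to no change and both commits should be dropped from this PR rather than merged as noise in the file's history. If the intent of PATCH 7/9 was to add alt text to the ConfigureKioskMode icon, the form it used, `![](images/icon-thin-line-computer.png alt-text="iconthinline")`, is not valid Markdown image syntax (the path and the stray attribute would be parsed as one broken URL); alt text belongs in the square brackets, for example `![Icon showing the setting applies to computers](images/icon-thin-line-computer.png)`, and it should be applied to all four icon cells in this table row set, not only the first.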
@@ -31,18 +31,24 @@ This document discusses an approach for key trust deployments where authenticati Three approaches are documented here: -1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy -1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune -1. Working with non-Microsoft enterprise certificate authorities +1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. + +1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. + +1. Working with non-Microsoft enterprise certificate authorities. ## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy ### Create a Windows Hello for Business certificate template -1. Sign in to your issuing certificate authority (CA) -1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc) -1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list -1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console +1. Sign in to your issuing certificate authority (CA). + +1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc). + +1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. + +1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console. + 1. Right-click the **Smartcard Logon** template and click **Duplicate Template** ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png) 
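Review bot: the trailing context line "1. Right-click the **Smartcard Logon** template and click **Duplicate Template**" is left without the terminal period that this hunk adds to every other item in the same list, so the list is now inconsistent within itself; add the period there as well. The blank line inserted before that item is fine and matches the spacing added between the other steps.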
@@ -51,11 +57,14 @@ Three approaches are documented here: 1. Clear the **Show resulting changes** check box 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list + 1. On the **General** tab: 1. Specify a Template display name, such as **WHfB Certificate Authentication** 1. Set the validity period to the desired value - 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example) -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** + 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example). + +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 1. On the **Subject Name** tab: 1. Select the **Build from this Active Directory** information button if it is not already selected 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected @@ -65,6 +74,7 @@ Three approaches are documented here: 1. Set the Purpose to **Signature and smartcard logon** 1. Click **Yes** when prompted to change the certificate purpose 1. Click **Prompt the user during enrollment** + 1. On the **Cryptography** tab: 1. Set the Provider Category to **Key Storage Provider** 1. Set the Algorithm name to **RSA** 
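Review bot: the periods are added unevenly within the nested lists here: the "Take note of the Template name ..." sub-item gets one, but its siblings "Clear the **Show resulting changes** check box", "Select **Windows Server 2012 ...**", and the **Subject Name** and purpose sub-items ("Set the Purpose to **Signature and smartcard logon**", "Click **Yes** when prompted ...") do not; either all sub-items end with a period or none do. In the unchanged context line "Select the **Build from this Active Directory** information button", the bold range cuts the UI label in half; the option is named "Build from this Active Directory information", so it should read `Select the **Build from this Active Directory information** button`.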
@@ -72,20 +82,27 @@ Three approaches are documented here: 1. Select **Requests must use one of the following providers** 1. Tick **Microsoft Software Key Storage Provider** 1. Set the Request hash to **SHA256** -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them -1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates -1. Close the Certificate Templates console -1. Open an elevated command prompt and change to a temporary working directory + +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them . + +1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. + +1. Close the Certificate Templates console. + +1. Open an elevated command prompt and change to a temporary working directory. + 1. Execute the following command: certutil -dstemplate \ \> \.txt Replace \ with the Template name you took note of earlier in step 7. -1. Open the text file created by the command above +1. Open the text file created by the command above. 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** -1. Save the text file + +1. Save the text file. + 1. Update the certificate template by executing the following command: certutil - dsaddtemplate \.txt 
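Review bot: the `+` line for the **Security** tab ends with a stray space before the period ("Enroll permissions for them ."); remove the space. Two more points in this hunk's context lines: the update command is shown as `certutil - dsaddtemplate \.txt` with a space after the hyphen, which certutil will not accept as a verb, so it should read `certutil -dsaddtemplate`; and the pKIDefaultCSPs edit (to "Microsoft Passport Key Storage Provider") is the step that binds the issued certificate's private key to the Windows Hello for Business container, which deserves one sentence of explanation since it is why the manual template export/import is needed at all. Because this template carries the Smart Card Logon application policy, Enroll permission on it is effectively the ability to obtain a domain logon credential; the example that grants Enroll to Authenticated Users should be accompanied by a sentence advising readers to scope it to the group that actually needs RDP certificates.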
@@ -94,20 +111,26 @@ Three approaches are documented here: ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png) -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list -1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service** +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. + +1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. ### Requesting a Certificate -1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority -1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc) +1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. + +1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). + 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** ![Request a new certificate](images/rdpcert/requestnewcertificate.png) -1. On the Certificate Enrollment screen, click **Next** -1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next** -1. 
Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll** +1. On the Certificate Enrollment screen, click **Next**. + +1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. + +1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. + 1. After a successful certificate request, click Finish on the Certificate Installation Results screen ## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune 
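Review bot: two items in this hunk's context are left without the terminal period the hunk adds elsewhere: "right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**" and "After a successful certificate request, click Finish on the Certificate Installation Results screen"; the latter also leaves Finish unbolded while every other button is bolded, so `click **Finish** on the **Certificate Installation Results** screen.` would match the house style. The template name is also spelled two ways within this same hunk, **WHFB Certificate Authentication** in the "From the list of templates" step and (WHfB Certificate Authentication) in the "Under Request Certificates" step; the template was created as "WHfB Certificate Authentication" earlier in the file, so use that spelling in both places.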
@@ -118,26 +141,30 @@ Next you should deploy the root CA certificate (and any other intermediate certi Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows: -1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Navigate to Devices \> Configuration Profiles \> Create profile -1. Enter the following properties - 1. For Platform, select **Windows 10 and later** - 1. For Profile, select **SCEP Certificate** - 1. Click **Create** +1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. Navigate to Devices \> Configuration Profiles \> Create profile. + +1. Enter the following properties: + 1. For Platform, select **Windows 10 and later**. + 1. For Profile, select **SCEP Certificate**. + 1. Click **Create**. + 1. In **Basics**, enter the following parameters: - 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company - 1. **Description**: Enter a description for the profile. This setting is optional, but recommended - 1. Select **Next** + 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company. + 1. **Description**: Enter a description for the profile. This setting is optional, but recommended. + 1. Select **Next**. + 1. In the **Configuration settings**, complete the following: - 1. For Certificate Type, choose **User** - 1. For Subject name format, set it to **CN={{UserPrincipalName}}** - 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}** - 1. 
For Certificate validity period, set a value of your choosing - 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** - 1. For Key usage, choose **Digital Signature** - 1. For Key size (bits), choose **2048** - 1. For Hash algorithm, choose **SHA-2** - 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate + 1. For Certificate Type, choose **User**. + 1. For Subject name format, set it to **CN={{UserPrincipalName}}**. + 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**. + 1. For Certificate validity period, set a value of your choosing. + 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**. + 1. For Key usage, choose **Digital Signature**. + 1. For Key size (bits), choose **2048**. + 1. For Hash algorithm, choose **SHA-2**. + 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate. 1. Under Extended key usage, add the following: | Name | Object Identifier | Predefined Values | 
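Review bot: the trailing context "1. Under Extended key usage, add the following:" is fine, but the value given for the subject alternative name, `CN={{UserPrincipalName}}`, is identical to the Subject name format value on the line above it; a UPN-type SAN carries a bare UPN string, so please confirm with the Intune profile whether the `CN=` prefix is really intended for the SAN or was copied from the subject line by mistake (if it is wrong, the certificate's SAN will not match the user's UPN and smart card logon mapping will fail). Also, "For Hash algorithm, choose **SHA-2**" is a family name rather than a specific digest; if the portal drop-down offers only "SHA-2", keep it, otherwise state the concrete algorithm so it lines up with the on-premises template's "SHA256" request hash earlier in the document.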
@@ -145,20 +172,25 @@ Once these requirements have been met, a new device configuration profile may be | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | - 1. For Renewal threshold (%), set a value of your choosing - 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure + 1. For Renewal threshold (%), set a value of your choosing. + 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure. 1. Click **Next** 1. In Assignments, target the devices or users who should receive a certificate and click **Next** + 1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** + 1. In Review + create, click **Create** Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: 1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) + 1. In the left pane of the MMC, expand **Personal** and select **Certificates** + 1. In the right-hand pane of the MMC, check for the new certificate -> **Note:** This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies. +> [!NOTE] +> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies. ## Using non-Microsoft Enterprise Certificate Authorities 
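Review bot: the switch to `> [!NOTE]` is correct, but the remaining list items in this hunk ("Click **Next**", "In Assignments, target the devices or users ...", "In Applicability Rules, provide additional issuance restrictions ...", "In Review + create, click **Create**", and the three validation steps starting "Open the Certificates - Current User console") still lack the terminal periods being added throughout the rest of PATCH 9/9; finish the pass so the lists are consistent. The blank lines inserted between the Assignments, Applicability Rules and Review + create steps also break the run of a single numbered list in some renderers; check that the list numbers stay continuous in the rendered page.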
@@ -172,6 +204,6 @@ The Generate-CertificateRequest commandlet will generate an .inf file for a pre- After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. -1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed -1. Attempt an RDP session to a target server -1. Use the certificate credential protected by your Windows Hello for Business gesture +1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed. +1. Attempt an RDP session to a target server. +1. Use the certificate credential protected by your Windows Hello for Business gesture.
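Review bot: the three `+` lines get their periods but, unlike every other list touched by PATCH 9/9, no blank lines are inserted between the items, so the rendered spacing this commit set out to make consistent will differ here from the lists above. The first `+` line also uses "Hybrid AAD-Joined client" where the rest of the document writes "hybrid Azure AD joined device" (see the Requesting a Certificate section); pick one form for the whole page.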