From 1ef5e46e08c1a1c1a727b31348eaebf17cf12835 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 6 Oct 2017 17:42:19 -0700 Subject: [PATCH 01/15] Starting hybrid key trust deployment guide --- .../hello-adequate-domain-controllers.md | 100 ++++ .../hello-hybrid-key-new-install.md | 144 ++++++ .../hello-hybrid-key-trust-devreg.md | 482 ++++++++++++++++++ .../hello-hybrid-key-trust-prereqs.md | 138 +++++ .../hello-hybrid-key-trust.md | 51 ++ .../hello-hybrid-key-whfb-provision.md | 75 +++ .../hello-hybrid-key-whfb-settings-ad.md | 81 +++ .../hello-hybrid-key-whfb-settings-adfs.md | 89 ++++ ...hello-hybrid-key-whfb-settings-dir-sync.md | 86 ++++ .../hello-hybrid-key-whfb-settings-pki.md | 199 ++++++++ .../hello-hybrid-key-whfb-settings-policy.md | 204 ++++++++ .../hello-hybrid-key-whfb-settings.md | 50 ++ .../hello-for-business/images/dc-chart1.png | Bin 0 -> 3978 bytes .../hello-for-business/images/dc-chart2.png | Bin 0 -> 3701 bytes .../hello-for-business/images/dc-chart3.png | Bin 0 -> 3773 bytes .../hello-for-business/images/dc-chart4.png | Bin 0 -> 3770 bytes .../hello-for-business/images/dc-chart5.png | Bin 0 -> 3784 bytes 17 files changed, 1699 insertions(+) create mode 100644 windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-trust.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md create mode 100644 windows/access-protection/hello-for-business/images/dc-chart1.png create mode 100644 windows/access-protection/hello-for-business/images/dc-chart2.png create mode 100644 windows/access-protection/hello-for-business/images/dc-chart3.png create mode 100644 windows/access-protection/hello-for-business/images/dc-chart4.png create mode 100644 windows/access-protection/hello-for-business/images/dc-chart5.png diff --git a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md new file mode 100644 index 0000000000..040fb7e850 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -0,0 +1,100 @@ +--- +title: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments +description: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/09/2017 +--- +# Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments + +**Applies to** +- Windows 10 + + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +## One size does not fit all + +How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It’s important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication—it remains unchanged. + +Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, user in a key trust deployment user must authenticate to a Windows Server 2016 domain controller. + +Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as “piling on”. To illustrate the “piling on” concept, consider the following scenario. + +Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. + +![dc-chart1](images/dc-chart1.png) + +The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. + +![dc-chart2](images/dc-chart2.png) + +The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients. + +![dc-chart3](images/dc-chart3.png) + +Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers—each supporting 50 percent of the load. But it doesn’t change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same. + +![dc-chart4](images/dc-chart4.png) + +Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment. + +![dc-chart5](images/dc-chart5.png) + +You’ll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers. + +There are several conclusions here: +* Upgrading domain controllers changes the distribution of new authentication, but doesn’t change the distribution of older authentication. +* Upgrading domain controllers does not affect the distribution of password and certificate trust authentication because newer domain controllers can support password and certificate trust authentication. +* Upgraded domain controllers typically carry a heavier authentication load than down-level domain controllers because they support more forms of authentication. +* Upgrading clients to Windows Hello for Business, increases the volume of public key trust authentication distributed across domain controllers which support it and, reduces the volume of password and certificate trust authentication across all domain controllers +* Upgrading clients to Windows Hello for Business but does not affect the distribution of authentication; only the volume of authentication. + +The preceding was an example to show why it’s unrealistic to have a “one-size-fits-all” number to describe what “an adequate amount” means. In the real world, authentication is not evenly distributed across domain controllers. + +## Determining total AS Request load + +Each organization needs to have an baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. + +Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant—Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours: +* A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant +* The hour you believe initial authentication to be significant +* And a half-hour after you expect initial authentication to be significant + +For example, if employees are scheduled to come into the office at 9:00am. Your performance capture should begin at 8:30am and end at 10:30am. Ensure your performance logs do not wrap the data. You want to see authentication trend upward, peak, and trend downward. + +> [!NOTE] +> To capture all the authentication traffic. Ensure that all computers are powered down to get the most accurate authentication information (computers and services authenticate at first power up—you need to consider this authentication in your evaluation). + +Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experience the highest amount of authentication. + +Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller’s authentication number for the median time by the total authentication. Multiple the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. + +Review the distribution of authentication. Hopefully, none of these are above 70 percent. It’s always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. + +## Monitoring Authentication +Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Busines clients. This gives you a baseline for your environment to where you can form a statement such as + +```“Every n Windows Hello for Business clients results in x percentage of key-trust authentication.”``` + +Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. + +Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there’s no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. + +Increasing the number of number of domain controllers distributes the volume of authentication, but doesn’t change it. Therefore, as you add more domain controllers, the burden of authentication for which each domain controller is responsible decrease. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. + +## Strategy +The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold. + +Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environments designated capacity, then upgrade another domain controller. + +Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume. + +However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It’s not the best load balancer, however, it’s a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md new file mode 100644 index 0000000000..304f4fe766 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -0,0 +1,144 @@ +--- +title: Windows Hello for Business Key Trust New Installation (Windows Hello for Business) +description: Windows Hello for Business Hybrid baseline deployment +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/09/2017 +--- +# Windows Hello for Business Key Trust New Installation + +**Applies to** +- Windows 10 + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technolgies + +* [Active Directory](#active-directory) +* [Public Key Infrastructure](#public-key-infrastructure) +* [Azure Active Directory](#azure-active-directory) +* [Directory Synchronization](#directory-synchronization) +* [Active Directory Federation Services](#active-directory-federation-services) + + +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. + +The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed with an adeqate number of Windows Server 2016 domain controllers for each site. + +## Active Directory ## +Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization. + +Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. + +### Section Review + +> [!div class="checklist"] +> * An adequate number of Windows Server 2016 R2 domain controllers +> * Minimum Windows Server 2008 R2 domain and forest functional level +> * Functional networking, name resolution, and Active Directory replication + +## Public Key Infrastructure + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. + +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. + ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificateAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. + +### Section Review ### + +> [!div class="checklist"] +> * Miniumum Windows Server 2012 Certificate Authority. +> * Enterprise Certificate Authority. +> * Functioning public key infrastructure. + +## Azure Active Directory ## +You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. + +The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. + +### Section Review + +> [!div class="checklist"] +> * Review the different ways to establish an Azure Active Directory tenant. +> * Create an Azure Active Directory Tenant. +> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. + +## Multifactor Authentication Services ## +Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA + +Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. + +### Azure Multi-Factor Authentication (MFA) Cloud ### +> [!IMPORTANT] +As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> * Azure Multi-Factor Authentication +> * Azure Active Directory Premium +> * Enterprise Mobility + Security +> +> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. + +#### Azure MFA Provider #### +If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. + +#### Configure Azure MFA Settings #### +Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. + +#### Azure MFA User States #### +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. + +### Azure MFA via ADFS ### +Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. + +### Section Review + +> [!div class="checklist"] +> * Review the overview and uses of Azure Multifactor Authentication. +> * Review your Azure Active Directory subscription for Azure Multifactor Authentication. +> * Create an Azure Multifactor Authentication Provider, if necessary. +> * Configure Azure Multufactor Authentiation features and settings. +> * Understand the different User States and their effect on Azure Multifactor Authentication. +> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. + +> [!div class="nextstepaction"] +> [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid key trust deployment guide +1. [Overview](hello-hybrid-key-trust.md) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. New Installation Baseline (*You are here*) +4. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md new file mode 100644 index 0000000000..51dc7b8538 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -0,0 +1,482 @@ +--- +title: Configure Device Registration for Hybrid Windows Hello for Business +description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/09/2017 +--- +# Configure Device Registration for Hybrid Windows Hello for Business + +**Applies to** +- Windows 10 + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. + +> [!IMPORTANT] +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. + +Use this three phased approach for configuring device registration. +1. [Configure devices to register in Azure](#configure-azure-for-device-registration) +2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) +3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) + +> [!NOTE] +> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> * Azure AD registered devices +> * Azure AD joined devices +> * Hybrid Azure AD joined devices +> +> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) + +## Configure Azure for Device Registration +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. + +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) + +## Configure Active Directory to support Azure device syncrhonization + +Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema + +### Setup Active Directory Federation Services +If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. +Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. + +Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. +> [!IMPORTANT] +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. + + +#### ADFS Web Proxy ### +Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. +Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. + +### Deploy Azure AD Connect +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). + +When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. + +### Create AD objects for AD FS Device Authentication +If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. + +![Device Registration](images/hybridct/device1.png) + +> [!NOTE] +> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. + +1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. + +![Device Registration](images/hybridct/device2.png) + +2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: + + `Import-module activedirectory` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` +3. On the pop-up window click **Yes**. + +> [!NOTE] +> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" + +![Device Registration](images/hybridct/device3.png) + +The above PSH creates the following objects: + + +- RegisteredDevices container under the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration +- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration + +![Device Registration](images/hybridct/device4.png) + +4. Once this is done, you will see a successful completion message. + +![Device Registration](images/hybridct/device5.png) + +### Create Service Connection Point (SCP) in Active Directory +If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS +1. Open Windows PowerShell and execute the following: + + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + +> [!NOTE] +> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep + +![Device Registration](images/hybridct/device6.png) + +2. Provide your Azure AD global administrator credentials + + `PS C:>$aadAdminCred = Get-Credential` + +![Device Registration](images/hybridct/device7.png) + +3. Run the following PowerShell command + + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. + +The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. + +### Prepare AD for Device Write Back +To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. + +1. Open Windows PowerShell and execute the following: + + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format + +The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name + +- RegisteredDevices container in the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration + +### Enable Device Write Back in Azure AD Connect +If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets + +## Configure AD FS to use Azure registered devices + +### Configure issuance of claims + +In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS). + +Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. + +> [!NOTE] +> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. +> +> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). + +The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. + +* `http://schemas.microsoft.com/ws/2012/01/accounttype` +* `http://schemas.microsoft.com/identity/claims/onpremobjectguid` +* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` + +If you have more than one verified domain name, you need to provide the following claim for computers: + +* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` + +If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers: + +* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` + +In the following sections, you find information about: + +- The values each claim should have +- How a definition would look like in AD FS + +The definition helps you to verify whether the values are present or if you need to create them. + +> [!NOTE] +> If you don't use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. + +#### Issue account type claim + +**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + ); + +#### Issue objectGUID of the computer account on-premises + +**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + ); + +#### Issue objectSID of the computer account on-premises + +**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: + + @RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2); + +#### Issue issuerID for computer when multiple verified domain names in Azure AD + +**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. + + @RuleName = "Issue account type with the value User when its not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http:///adfs/services/trust/" + ); + + +In the claim above, + +- `$` is the AD FS service URL +- `` is a placeholder you need to replace with one of your verified domain names in Azure AD + +For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). +To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. + +#### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) + +**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: + + @RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + ); + +#### Helper script to create the AD FS issuance transform rules + +The following script helps you with the creation of the issuance transform rules described above. + + $multipleVerifiedDomainNames = $false + $immutableIDAlreadyIssuedforUsers = $false + $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains + + $rule1 = '@RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + );' + + $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + );' + + $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2);' + + $rule4 = '' + if ($multipleVerifiedDomainNames -eq $true) { + $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" + );' + } + + $rule5 = '' + if ($immutableIDAlreadyIssuedforUsers -eq $true) { + $rule5 = '@RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + );' + } + + $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + + $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + + $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + + Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString + +#### Remarks + +- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. + +- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: + + + c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); + +- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. + +#### Configure Device Authentication in AD FS +Using an elevated PowerShell command window, configure AD FS policy by executing the following command + +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` + +#### Check your configuration +For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work + +- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> + - read access to the AD FS service account + - read/write access to the Azure AD Connect sync AD connector account +- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> +- Container Device Registration Service DKM under the above container + +![Device Registration](images/hybridct/device8.png) + +- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration +- Configuration,CN=Services,CN=Configuration,DC=<domain> + - read/write access to the specified AD connector account name on the new object +- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> +- object of type msDS-DeviceRegistrationService in the above container + +>[!div class="nextstepaction"] +[Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Azure Device Registration (*You are here*) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md new file mode 100644 index 0000000000..c4c4dd6085 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -0,0 +1,138 @@ +--- +title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business) +description: Prerequisites for Hybrid Windows Hello for Business Deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/09/2017 +--- +# Hybrid Windows Hello for Business Prerequisites + +**Applies to** +- Windows 10 + + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. + +The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: +* [Directories](#directories) +* [Public Key Infrastucture](#public-key-infastructure) +* [Directory Synchronization](#directory-synchronization) +* [Federation](#federation) +* [MultiFactor Authetication](#multifactor-authentication) +* [Device Registration](#device-registration) + +## Directories ## +Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. + +A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, may not require Azure Active Directory premium subscription. + +Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. In addition to the Windows Server 2016 Active Directory schema, key trust deployments need an adequate number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. + +Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. + +### Section Review ### + +> [!div class="checklist"] +> * Active Directory Domain Functional Level +> * Active Directory Forest Functional Level +> * Domain Controller version +> * Windows Server 2016 Schema +> * Azure Active Directory subscription +> * Correct subscription for desired features and outcomes + +
+ +## Public Key Infrastructure ## +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. + +Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Diretory object. + +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. + +### Section Review +> [!div class="checklist"] +> * Windows Server 2012 Issuing Certificate Authority +> * Windows Server 2016 Active Directory Federation Services + +
+ +## Directory Synchronization ## +The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. + +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect + +### Section Review +> [!div class="checklist"] +> * Azure Active Directory Connect directory synchronization +> * [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) +> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) + +
+ +## Federation ## +Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. + +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) + +### Section Review ### +> [!div class="checklist"] +> * Windows Server 2016 Active Directory Federation Services +> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658) + +
+ +## Multifactor Authentication ## +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. + +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. + +### Section Review +> [!div class="checklist"] +> * Azure MFA Service +> * Windows Server 2016 AD FS and Azure +> * Windows Server 2016 AD FS and third party MFA Adapter + +
+ +## Device Registration ## +Organizations wanting to deploy hybrid key trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. + + +### Section Checklist ### +> [!div class="checklist"] +> * Azure Active Directory Device writeback +> * Azure Active Directory Premium subscription + +
+ +### Next Steps ### +Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. + +If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. + +If your environment is already federated and supports Azure device registration, choose **Configure Windows Hello for Business settings**. + +> [!div class="op_single_selector"] +> - [New Installation Baseline](hello-hybrid-key-new-install.md) +> - [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +> - [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-key-trust.md) +2. Prerequistes (*You are here*) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md new file mode 100644 index 0000000000..dbded7ce90 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md @@ -0,0 +1,51 @@ +--- +title: Hybrid Key Trust Deployment (Windows Hello for Business) +description: Hybrid Key Trust Deployment Overview +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/09/2017 +--- +# Hybrid Azure AD joined Key Trust Deployment + +**Applies to** +- Windows 10 + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + + +Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. + +It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). + +This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. + +## New Deployment Baseline ## +The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. + +This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. + +## Federated Baseline ## +The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. + +Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. + +> [!div class="nextstepaction"] +> [Prerequistes](hello-hybrid-key-trust-prereqs.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid key trust deployment guide +1. Overview (*You are here*) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Device Registration](hello-hybrid-key-trust-devreg.md) +5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +6. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md new file mode 100644 index 0000000000..744f4930a3 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -0,0 +1,75 @@ +--- +title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business) +description: Provisioning for Hybrid Windows Hello for Business Deployments +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 09/08/2017 +--- +# Hybrid Windows Hello for Business Provisioning + +**Applies to** +- Windows 10 + + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +## Provisioning +The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. + +![Event358](images/Event358.png) + +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**. + +![dsreg output](images/dsregcmd.png) + + +Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. + +![Setup a PIN Provisioning](images/setupapin.png) + +The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. + +![MFA prompt during provisioning](images/mfa.png) + +After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. + + + +The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. +* A successful single factor authentication (username and password at sign-in) +* A device that has successfully completed device registration +* A fresh, successful multi-factor authentication +* A validated PIN that meets the PIN complexity requirements + +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. + +> [!IMPORTANT] +> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. + +> [!NOTE] +> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. + +After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. + +The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) +6. Sign-in and Provision(*You are here*)†+ diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md new file mode 100644 index 0000000000..27eba8dd44 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -0,0 +1,81 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Active Directory (AD) +description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, ad +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configuring Windows Hello for Business: Active Directory + +**Applies to** +- Windows 10 + +>[!div class="step-by-step"] +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) + +The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +### Creating Security Groups + +Windows Hello for Business uses several security groups to simplify the deployment and managment. + +> [!Important] +> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller. + +#### Create the KeyCredential Admins Security Group + +Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advance Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **KeyCredential Admins** in the **Group Name** text box. +6. Click **OK**. + +#### Create the Windows Hello for Business Users Security Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. + +Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + +### Section Review + +> [!div class="checklist"] +> * Create the KeyCredential Admins Security group (optional) +> * Create the Windows Hello for Business Users group + +>[!div class="step-by-step"] +[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: Active Directory (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md new file mode 100644 index 0000000000..e68276a09e --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md @@ -0,0 +1,89 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS) +description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Windows Hello for Business: Active Directory Federation Services + +**Applies to** +- Windows10 + +## Federation Services + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +>[!div class="step-by-step"] +[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) + + +The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. + +### Configure the Registration Authority + +Sign-in the AD FS server with *Domain Admin* equivalent credentials. + +1. Open a **Windows PowerShell** prompt. +2. Type the following command + + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + + +The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: +>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. + +This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. + +>[!NOTE] +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + + +### Group Memberships for the AD FS Service Account + +The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **Windows Hello for Business Users** group +4. Click the **Members** tab and click **Add** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Restart the AD FS server. + +### Section Review +> [!div class="checklist"] +> * Configure the registration authority +> * Update group memberships for the AD FS service account + + +>[!div class="step-by-step"] +[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: AD FS (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md new file mode 100644 index 0000000000..084999e656 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -0,0 +1,86 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Directory Synchronization +description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Hybrid Windows Hello for Business: Directory Synchronization + +**Applies to** +- Windows 10 + +>[!div class="step-by-step"] +[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +## Directory Syncrhonization + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +> [!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. + +### Configure Permissions for Key Syncrhonization + +Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + + +### Group Memberships for the Azure AD Connect Service Account + +The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +>[!IMPORTANT] +> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. + +3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add** +5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. + +### Section Review + +> [!div class="checklist"] +> * Configure Permissions for Key Synchronization +> * Configure group membership for Azure AD Connect + +>[!div class="step-by-step"] +[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md new file mode 100644 index 0000000000..27ea8e8a47 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -0,0 +1,199 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Public Key Infrastructure (PKI) +description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- + +# Configure Hybrid Windows Hello for Business: Public Key Infrastructure + +**Applies to** +- Windows 10 + +> [!div class="step-by-step"] +[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. + +All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. + +## Certifcate Templates + +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. + +### Domain Controller certificate template + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. + +#### Create a Domain Controller Authentication (Kerberos) Certificate Template + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. + **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. + +#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). + +The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +### Enrollment Agent certificate template + +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. + +Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +> [!IMPORTANT] +> Follow the procedures below based on the AD FS service account used in your environment. + +#### Creating an Enrollment Agent certificate for Group Managed Service Accounts + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Creating an Enrollment Agent certificate for typical Service Acconts + +Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Creating Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +Publish Templates + +### Publish Certificate Templates to a Certificate Authority + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +### Unpublish Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Section Review +> [!div class="checklist"] +> * Domain Controller certificate template +> * Configure superseded domain controller certificate templates +> * Enrollment Agent certifcate template +> * Windows Hello for Business Authentication certificate template +> * Mark the certifcate template as Windows Hello for Business sign-in template +> * Publish Certificate templates to certificate authorities +> * Unpublish superseded certificate templates + + +> [!div class="step-by-step"] +[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings: PKI (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md new file mode 100644 index 0000000000..2c0b6759f9 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -0,0 +1,204 @@ +--- +title: Configuring Hybrid Windows Hello for Business - Group Policy +description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Hybrid Windows Hello for Business: Group Policy + +**Applies to** +- Windows 10 + +> [!div class="step-by-step"] +[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md) + + +## Policy Configuration + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. + +Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. + +Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the *Domain Controller* certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. + +To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client ďż˝ Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +#### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPOďż˝** +3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Windows Hello for Business Group Policy + +The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory + +#### Enable Windows Hello for Business + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +#### Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +#### Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +#### Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client ďż˝ Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +#### Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +#### Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPOďż˝** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +#### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +#### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. + +### Section Review +> [!div class="checklist"] +> * Configure domain controllers for automatic certificate enrollment. +> * Create Windows Hello for Business Group Policy object. +> * Enable the Use Windows Hello for Business policy setting. +> * Enable the Use certificate for on-premises authentication policy setting. +> * Enable user automatic certificate enrollment. +> * Add users or groups to the Windows Hello for Business group + + +> [!div class="nextstepaction"] +[Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business policy settings (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md new file mode 100644 index 0000000000..2dbfc5fda4 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -0,0 +1,50 @@ +--- +title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) +description: Configuring Windows Hello for Business Settings in Hybrid deployment +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +ms.date: 09/08/2017 +--- +# Configure Windows Hello for Business + +**Applies to** +- Windows 10 + +> [!div class="step-by-step"] +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +>[!IMPORTANT] +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +> [!IMPORTANT] +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. + +The configuration for Windows Hello for Business is grouped in four categories. These categories are: +* [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +* [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md) +* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) +* [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) + +For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration + +> [!div class="step-by-step"] +[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) + +

+ +
+ +## Follow the Windows Hello for Business hybrid certificate trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +5. Configure Windows Hello for Business settings (*You are here*) +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/images/dc-chart1.png b/windows/access-protection/hello-for-business/images/dc-chart1.png new file mode 100644 index 0000000000000000000000000000000000000000..52e0f0500e43baab14570268c7479e6a417e4c18 GIT binary patch literal 3978 zcmcIndpuNY+n$s#h;kSy4Mh%#lpO7e5w-d$^!srSDdciU&)6-??We3|3B36!^=E#|md$ z4}`;DI!Tgy5owrx90pTCx;gFK7v(peQ(nqw)krkg9Ym+yO|nqpDR>MiD=l#yXph}( z6@r*tR}(hS?0l!9uic@_@5N0uednqz{p}Zn5?gLNzEdLUpW3SKVhhR%zP#DevK$&n zvvKKc;LC_n|Lg0?<|0OUFUzlMf{NL5!8*5xwz#OJv3DleuZ|w@VZvHRC0K1{`Bwh9 zk}j=y}OT8ghZWBps{i{Pshu4m)1r=tdq4h?YD<%)up*piJdKyVB$R6N* zhbNfry_J7=yOIJY5Uj}~XYTSds`)|*Q{eeT-NTw?e^|Tr{Mn9_@Nc9y+?8F;VJC^N zE7`+Q(GiT__>pjG9(PoeEA;k(1ZX z&Xr*=4`_d1vR0x&ufn-jKrd=KqZ}c#Tq2>`mG3JW`*@@#(dNn@ODp)Ylo4B2H~Fl!EqD6L~&deDKa=Y*RFTcJ8uf$*VM z?F_00lf`QF9o zF;vhat_VL7jml!ha45q5L(vawmpx_dz8wxc-^wn+`6x!nusmzdRAl*`d$t3?LF~-d zjTk~;KAH4`y|_f4HG=l1DPocp;;;f4vI~35sIOAg;v-z;ju@jsWP_`bb1DH&!L)+S zOc0?!dpZ)J;S25b*mS!VA|`A;tk^mM9VTr+#G9QQfHNmav40F#w{%d zedkVj`$ISTv}lj66F{(6b$Eo=Lu?KfwP<0(-vwxh4L}LLb4S}+A9)`ygN~sJ8|=j- z=&<@i3UJR~K|?}JX_5)up=qXcXa~7A&3;R1j>~QUb6m&$XdaMZoD6WRc(iU~_0Q;> z7yNs8YxXO%Yu^LRvgh}|2gp6ga!)L4=OO2(Z`4}Y?lKVYEd+ZaR}q`3JZxt8<9!sq z(7g@?G5ZpN_9t`9(<3HLgTUe&(6n|`s!DQp$zv#fEH;RUwv>wo#*zUpf%2rr(F~di z+~n)H0M{m?p!iJ!S9uXq)^A4+1KwI?E$wO=gzy{TjVb5>1`Xg_3E z0|Ik8^JPSZ4ajxZ>Hf!sRC>%`XYBSBije|{@tWk?NeeqRg0@Z_9#nwokNseteQ$Gi z7Hk6oBQzPt_vyC#s*^mMI7oe~R2$IfZ0{JJK%RcB{Om-Sh&7v6fBTQ_50LSS5f3Kx z74Fm_lpt@j>L@`Eml52o$9&~vg}Z^1CCOYtA1=8RAsdKd{eFkXjQbdL3GKhJQ=uOF zQPBkx7gNAd)J>@+-ZZrwZZ5_f2$C$|hgC`Y7eQ?{X<3fbtp_UMrI6oJp&>_?9OI)~o8m;;?iSG2)dWT1xa|1};=J}-=7~Gs zm~jH@r#iF9s-N!DH?(rDYg0zt&{aGYMSgw7{OPF(0CMxa5~};@;fuMv3Oo1oZ~I!I z2ZkHfH(NtixsX}%mGh}fnv}W-LRRFnW|XM1Mq>a89qhR}Ng`|vapo1_GOyWO@=72GsAElceoj&W z&FZxRPouw_a~wAOuR=j#zpi5`n-CE)kL4jAeNdwGpY=SnzuEUC2bYW3Wv_l+2Rw{c z-?9HP;YV_01cC|gBp>(nVRY^}+lrL2XWiA*_sny)Rs7x>uqNl>*Se}Fg#76lFQ=Rr zuVy}G&5}>r+e4U94otGGm@sk6qoPD?60~0!xqIc+_>oPPYw(dDYO&w>N0MHWod{l( zO&eiTLTplO-J8}!%OhkmK7rk|I=XOZj2p+VGk?CFS0emgR1Z!`cFub$ZrLP)fZNTZ zLRUpQ3V&NM`@{I6ZD6M6BBG+~SFicfi#C_8J;ZC_E5K#t+;Q)`QqTQ^5@YsCje%5K z#2SEG5XLxQGZ4g0vhW8RCO$g(*|Sx!Ypx>TUwIqEDV09Y9;0<-V8II1G7A8g25uzA~3Y8)nJTVwm5>_XlDj**Mys`C%Op`nO@>b z=lm*iS{y&eBhB|XwiZKlHO-aY>ukE;Hq&`)oxgj6Z|8xqNu{XWm z)_gu&5_gRy5>W=~v_usDmSC8}hA^(c{1#2sKpA`q?)9;mNcCs~f=gr$DrHy_TkKav zvB1I>y=Op$6L&Fpe~s?{k3c4vsvlb{Jz3}_WFJ}j*$@s@H37ksp{oSlOQEXr3Bop0 z_3nOf8?Rbf6nvS`-H$xcgf9QtUzqmS{6AkA7#@~HeNNVO@i{fS!p)!ZMXdcFpzTEr zN^p#0{)w{n@3W4KqX&4;$Cy#v=->R9=e|_eZDIC%bjz4--zH*%7ha%5u`e%6x#}e~ zR1EPD=ChBH<@i9Tt7L-YAj7d=9yW@%}nHW8_S@uY1?twd!YEl9c!_U zYI=26IX1G4|I&NVpI)(N_Rh+KC0c{qb6p5AjO}Umr9KNF#bFnu0U-9Lik^T0l~6bG z%tz-IaV&J02Py9j`yAsZR9xrh7q5AX#IM4$d$cm>Y6Va2)R%U|&9PId>JJ}(`}6vB zs~_YPZ%@km3(Kg?Du#VVSI?|WKVj#8s1EHRxY1NHNu$;uUmmKO(eFYnmv^hx@9EgN zBP7-REYi;Zq&A(7^h8;F4Z^IqeK}R6Qfddf_!W$xn+8U@W@Q6OK*u6Ou;_i@U9I zZ`7z>xwZ_{#<*6{CZjbF@UT4h;E)T8CIQ`r3Punlsfw&7fO|~2zo_T31<7c6m1((8 zm2c=#G5M%HPYUsIPr?~-hu}*hO^@0ON_V;n%iRE&e79-v$VK!EW^RiQGm`0L2v1WhO{BRp+c|y zVc+%s)`_^iZTfBOM?~~&g#P*Qhj3zl(B#UEiBg+yX;;hrU3XQ*1+sob0~PNnE0@&5uu@g*Yw literal 0 HcmV?d00001 diff --git a/windows/access-protection/hello-for-business/images/dc-chart2.png b/windows/access-protection/hello-for-business/images/dc-chart2.png new file mode 100644 index 0000000000000000000000000000000000000000..748a6a4c411c69cc5284eec12d7fd15d250514bb GIT binary patch literal 3701 zcmb_fdpMNa8XrmQ5u=?{#;vrOin6z1*oKMRN=$Siw;@Ri<5Di8W_BdqTw+HFQ=TTxOWdnPKm9p7YOn&hwnJp66R@z2En&_g%l=?_KM8zx$^h zY~+B-KmY(Bcf!`v2>_53&z)qpiTWiuO)b$N5$0rL0VwWNnHCva{mkvn0f2W&vOI4o zk^Muk?S(J^Ks8?cNF+@z`T_v*z!R3{XCpo5vT72Ct(ERdYy5l#`U#}DXJKbR3EIo+ zww#LbX!m_53G7yFc@?AJ(t=%kU7EKj`Zr~r`b|?ZvHC5g09tm1Nl8v(-UcPQE8menE2zl*K_S`jAzjzPt4jI?lj|u%baO(9cMQ5Boz;89! z-xY{ju`vnstLNp72(J%JBgMXc|9g{#%^rNX3al+skg%fzL0x)3q6P zv7z3%3$rV8D-+kwH2L7d>%u5+NRr~EvoTSQ0rgl#ftp314n$ur7QLNCA;i^N(A-Qz zY*&5yW#CkZdlmosXu5KoyTe8_4=?P@JSk@!IPb2n0Nw7b`O+3IlP4E{xL*H_1-61$ zp3ta2gcm#_VJ5OKwS%Rsf-abD1bcC#6e*EeA0-na6}6BW-8@@({6y0}20`v_awn%}tJmsc2w)kCe!m(08 z7<<`TvQfo-TJ&X|{d`iJxLP`@du(o;fr5q~T?31&#aF z|K=}Y(9iDDZP;e_P|}Brg?vYsxZ#EoVqI`3tZwXbL{LVxOyd^+{dK`_Dvn`q91rQ` zy9DIA97#rv{C4R>&ECMbr)wF!%Ap>0onGiI9_&1X_GC0j^J%3jMFrP;AYd{Rq#G%4 zBX|#X@Vk_LU#u=ETNgqp6X{(fS0?VK&eb@KjhS#3Q=ToGg6tfi)K)Bz!nsqM{8p`J zp^QFqwpLOyO~%%~Jq_B97%Qy{c18mEJM=cKJZ8CutG~Rc}vqP?Q+_Htp(kokFS%bQnq#p2i6lDTNDFo*X zt5l9a+|x&ceDuli_s6g%!s&+>Y*GV=o)k~vC(JYM@`VK+p0iM&U_G6|E9)|;R(k`N z24*v#Vf+l0O53HVo!2r*4wLY-Ml-$+MNx1FPr-NoC4?ya4@bj|3xcYHXDYq0gyBnu z`rCY2HNMcvpzTM|_j#AW^jAaHxxsdVdv?W74%H$^?J%-%I6k;2%}9`wDeY#w`h>tD zQyUDiwt2%tT-3r%bdjS>iw0?!9Y<;-b-N4~=*D^97m25T=WKXT^`fu0IPzuUY|Q5vxLvDmV!vf08xReDm3d2yWTByv8wRA30CTTBU` zG+#2M;Sr`Z)*x!9f!lYE$<$CGB_=9tIq_5(rZ0AsWolYvL};we!OLS;Lh#~S5u zu{cO8%T~jTt-b@}csF8@-9-8|T3J>IBpJaMG5c`l=Iz>;J`-@&?#wz*zk!tfh)g0` zQ>_bxKN~JW+a{+XzN{`%2A%e#wf=Vohba`O>=3uryv;<|C-zbC_Wxj*k_G1WDmCOk zI^e1p)48uN)sve14Lx+Dl@oo4Y18uKUg^eiO_ASu7{QGI+-dgg+T+FbBCDXWlWRjm z#2Yji8qvbW;$ZbZw2VK;AIYRXh;FSqz->cfS*dv51lmxjG((y;z36_XTYaSc>$@`Lmw!|H<;aOm$5dh)Qb1?fwX87^ZoufvQqe5MW7*L5=f5>3#ME}`tPf6XD}Jj! zrTxH+Gn$CdqI~ZR@y~u<5we;ba$;j^5xuRVO;$b|y;N8&C?k}Rce6(#jn-o7qTzqW z)$;xvHH(7KAP0s}slyFVZeVl1lO0iYU>rrK42tX@{qQfCs8^5iydpZ@&+Q|r<;xc* zBdxWQkNJn3aJI@aFprEaQCpJr0~IaC?;gnBjr;5`#@TP@@H>L6E)1EsTx3ry_m3QJ z`ROmpu*%%F(aVAjSmZm14w!xH!KJ2cjl7<+gRJFW33$j>`{uz8i=eTOt~eX+;QYSv zlnHHwnDMeQppz3r-(huY%}q?J zuos8d69)@x3Yn102R1yw5_l8ZxaVB^iVQKWU5{~E=caMD2b9=t*PHF2!09s&%Uk8# zFX(GO;CF;aEaay8_V+q$i^#>THJuctAFAuAhKR1w^8z<^ zv6)i6<9G6Su=1@PBlP{GPI2y_z2M#^lj)z1LUw`jixVR7Arq zt8=z{AXaukftbudt>wXqQtfye3U}&Krt4LjIGM%lJBtrS8hbRO^1(Yj6NcK62rnb;VTwiHgebT(1>P zxI{bl4L=)yRxAIJhitOQwK&U&Vu|IZNCxO#KKo1#OYj&scLZk3-0?_0+R*XiFB;CL z(!ZHSHg>OKPcI+)iMdxksfxtHyCUqUry}BN)V7x+dPM?_!I-(!caj9@Kv$Sb zUdaxb=kofnpaXr34CT1wev_Fgu{wWWK&C=MRN)@kfq{~zpid_LO|Pl1y79Zel)8Ul zr#rxi1oPAD`(wRv)CMJi9a6E+jIJD)frs3A%75Q+W+B3~Yrae+UTNRo4#$y#el|+X zZPi;xJ*je3f9-j;`(jbk(~G>p>9um*g_kHFMc$|+fyIz|6P&B@?RP>Em)&YpIt#UlLMFnFD7&90H`F|vIe^aQ_# zGWOU}p9F@RYFu@#MHeqbtZ}QY&A(O}7#nOSzmVvWeS0k9c&O|m50jDMw4s%7$yrw< zm!C_kC>>a%sg=uNn`h$CBvZ&+ef|FErukP?u3I&-cf7z3+Rj>pAD#&-I*p`Q5+!zRq*o z!_8SmNlOU?0;!z(!O;r@l9TPd6#gNdmsIu|N|#MBUd|4nsvaGlRM-+~?`jVMRc9!R z5%N-5G3tl&F(A;MblI~hW0D^N0&Vv?ZP1?&yIJzMFA&dM@Gf@p3g=YGRIr%E`eWjF`~PVQu4g7Vf>s zBpPEQO8#nHDaUe2x{c7?0w?<{zjI%WUB=Iy0hJ?l9WL1Gil_V!i#~ZUqdHMxDf&+Z z$Ov#x1l-`4(><0-4)co2GD|1=9v!S|`_p$_rzel|ijL%^zVh_wYYj;{^T4!|VX0oV z>xThsSj*_;6Zw0)@yET-|D-NERvgCUbh2q$61BbF*XYrsuTFVPXvzD$Czpe~-lwm% zj%rA<*AaEtUNJAJRdV0~f$}nm$kGCgQ|LC&S0&;anG(>;?_F@)Hg0Q!cjJcv+KZV`=aI2Z%M~s&3`EPWaSznZ~s zw$4?AaFX&(MOzbFuZEdV`kB({SvJ7H+KV(I!KMRM4ebcK$W0Mut+&|;n_ z%D*zVlgM^z+>y?DJLa8ECyFv6?!)?AyV|cE|^@xVOub%5u4Yv>Kouo*k z$TyI?5n#IfVug0*k8!XPoZ6i@yd>6dEhVI|EJH$7dPiPlM{E()1r>0Sg*Pi72_DNc zuoV_Rk{cyM$>zs3Vq+!5O9kRZq0j6(sa@FOvCuh9yhs{|v0tQFp$nuguuLT10FI*w zl%01I$6^a&wq6L(>BEgXqq7XyFW8%fsz|Z|tL7RoOTCihG6|z6CayY9LUNw(TVxC0 zrhke(lnFnOV=kzuYv=FCao9iP-#ki$H*@IWwUM85>81&@fS3$l@M=C{v$A;hNe!AS z3^Ev!7wWha?oFL=BQ$-9U>g1AAk7L4JMIW&mO@2S#|?7i1%BKjx6kT50X!VPDP*x| z@`H+J8|mi^2q zUXkWSyHm`CBj$zCuryY^Bc@g*rZ1wzvtb{$eIM(z+9)w#s)&o7KiP23MF;EIlT!Ie z)a51Qh6id>47}z)i%sKO>IaOr1Z4)yPquO<0xln#@Bc=?jZkmd{TkUA^=VaY5$0jU z$q5LrhgIi64@^xNbu{6e##gwe!qpgYNyvv+r|+gT$!AEsr%xHHcbW>8kItxv zmX}=HBPb5^KW{QPa0rb;K5Ne_N{+Y64)y<1p1=+N)d`^%Ew@3U?U?wIBhVAJu6W4^RMqK21Eiznew>G)1Q=eBtuP=;M-m1!e;FV@OQ@mA6?1wTM9!? z*~N#@;+WYF5x2$B-RQa_+vOL_iIVZ_o_JEGPbMl%HAN1e^Mk zFP^bfp~0xLGXecZ@3n7STkqqW#nM&=q*0Pe_U8z;u21vnVYb7xr8ZVye&S(_DE!TE z?g$$Aqj}PGAAG~iENcR3MhO<5XW5yATbSla_(4G~2*z)L?u5;q*=Y%?9u1zEtb!1T zYvh=JN26Xu7jlB{YNeKn58lHWr`omT zFHqZhHReVH`X&>TFkpptlJBHH1QbsEWB$6u);A z`0}I~g7*H6(X!pbl_h8^EB>XVxa?HWcYsFzfF3Mrho>ZjyuQ}0OQ~&`7Nc!PA5TD~ z*e{f25yh2Lu%Rao*!>bEDeB`^i^NmjYw*CjcZuc~`C2%Kwf>)tqvck$TGkH$^y|yV zXmR&}`dJh(7d+I0W4@S}BL0$0LOTS`nk{+u(Q>c~N_c$(yFwfw{Ym%uMib5KE zJxE4fQs|GF(ySs6N-7h4Aj%x0CGOQ@xRzUyg7&lhOr!j4>Ox9_amQPoy!ix$sY)`X zRR1gCvpEz)xRCuG8$Nn~>JaM?>+7mbuvtdd1eGNylpnm`Oa%HNBm&{!$I10!kqhj@ z9;&|P+1K|D`?5^fc916*JkzQmA|)+(yPl)jsEFvH?2`*5xS_e5u_baN8PeLVU`;@= zbRn|a@11Wxep&u?VVNB7XSC+^@rX9s_O2Sk8>Tbq)5jH(gx3<_iYBBGkG5sz`m!i^ zt8KjFUUtl^0o#x4X(rl509}HAz%bkoWS^l{$#;Hj3ll67%^gS+a0=`1RA=HJf`IES zw~o4RX*KE87`vpnJM&laT6qlZkkf+;%dvm!M_Nma6Dl;7IhyU8S~pv7*I;B!3nO`jys9Wx%Hx&L zkAS_Jcq(bhI<|PJ*mX871$=Zfq7N}e#oa_*JX5lhiE>{5?r$ul%&eTISRmDc^lh}& z1^Osxgy!-`@S0$=U#?3Wz~oK6woted5NtNb(Hd;U@@^-8?6^?kAy7@-Sxc--P{Ird z=8n^^Uf%V!is3>lU;=3;DU~{Sm#!s$#zPd+9d5}`<5=I@PbJ~20@#}=vt_Hb|7=Nk zU{-m=HP8O4DA4B6ZVT90qm#bS`ax5iD=v8=nu`b^57TH&t-l>jm!gVUe^V`HO;rAT zC>Yw)Tunq;U~TkpDPZ0?VWs3@pW3*n;ccJXld^ZBDJ5(8X`L{Z0m{{P}+QjpphOzarIX*XAH?jX4rRQzdcZw*cg^Um|8kmC?n(+e z3IG5=$XOOJM+jvahF$`>krrdNgRXp@uZnbHJ{!ov8nS9zZdi(<~ z)2C3GyRFbR@9ni5?*sSVsj3{Z)?FlR*3;IDIs(Pcxqtdy=s#-qut-in`~>X9%A-H# zn0BM*X5=Lz|6@8GmW_a3r1V>g65niB7WxShUoU;jbi?hp=|;Rf6}O<`JRh^8?qmb5 z@51NV#tl;3B((KL?|$-4{&UZWrl&x~^Zo(G1@hSSW|5tPcK((AgiwF^BJ8%IF;6ULe!U*7n|p;3#I&_fKX%OCta=>amr zF@m$*?H13q37;JhT^e5Ul}f!Tv{dIhPAnjs^fj4%o8FV5es^(3`H0fhn459Ofd_(h z9_-i6IL3i-(eq~J8CsP?v=Vp6Il{h1@t;Dfc(U7 z{ek3mHRi`1l-SC^NJ5LAfeP*0o?mlzkx=FF|B=~4RB5-sX5E8kfk`X5QC=YdMxYDz z{PUM^)Ufwm%_{7eG0}P22?zX^v6OlIWlnN@%IENpz$z~XyazK!EDU6(xMJXAs)tL3hvQP{uz~TCk_j(ZEIvc6(X-_6P{ZNEIEH=Sa-tbKK!ML~-Q&l7am8PB=>VEwCUro+ zW;Uv(tE6d$U^;f2_b@)^Gg)hj1dS;sC5JZPAuJ3c4->l`O#ty^sEtQ&{#X^fq8Ez& z;e^tHNx`jsDs}rf4;xuow6``$kCKsLLAUK#RFqnal?R-YIss={SZjbI|IR*4+l4gw zGsZn2O&=cJ5G9+zI>M_>LhZQBbLkk-n=YjFngpRlzlo7l)XS<9M6=XY&*?}K*?^OI67ybcAmT81sf)~1C;zUu&c~C96MvbHg&?Y8{ zUGHaku0X7*ku!bivWR=7D>T{rL39}#3K zM6~)Ip!@!N-)3%*;@`i8wRpffKvVIn8t|`#cO8mt#IhP+oMb4#MgJF^8zOXFmY(Vm{3^j&6uESfOrSlr_fDj@Lc= zz@g1A{X%35-5)-73poOl$+|9~fY)_unZNyqjEIlNZ!81nr2mN_ zK1IM3vt}BxNA;VJT3k+z%yLE*njah1=ePG%#1zDSW7rVefK8nTx(_JF*ws=Upq5u! zYb7yj6)>`JX;$2|b8sOOo@wDz^}>afgB9>8z=ryknki!_??tx-M__^EZmkadC?2oT z4&HG#QsGPcn^&mVG8vd_>nU5Ku5>4HrCSIc@V*0y{1uup&{6i)$XBU z-wjhanJKDw8~yGQZ^Qt-BgggsGSfS|@f*p&HJz1S6m&%V;F@5{SnR-NE?wc@#|oy# zJdru(5o(WEI7^#4wWNkKZQ4!gyN58dd-qID8;e$RvKG)zZ^R%^r4i@lU4M$c|HbL= zoSLfema5cD#&@w9o=8>>%7QohSps4u0a2E3gPq0S97yt$u`1; z+)NPky*6d7B*dfs8V9LIffXe{^>gp}IUx>^nVc89NWMrG6D+2)I@bZcL@9Npf~ebQ z^9<*pUb=FX+2FZgIi1|@g0vQN+KFB08)6H~D#yt2#q&WsBU*8Wd12x41Kh_4emWaB z8b}Y2PVGqWSF#x*m`J^|^ARCo3hQ~KDfo0<$CWohad+GdMFVHdB_AjtMINgze}au! z>_405{YYmglt;pk3ED1q>3T{11LRQpycM}Z1Z@r3fUWYoKJtla z@=etNm|hM?g63E7X+~WPeC9T0XxDux+5G-kr7>!h7s`1Aek2JWs)OhK4$gvIs^`aIz6rwWIV%^N^ZpD?k37R$V@>6M)g_KzG_u$n-e-7dRvy1Vr&{C7yNXfRfd9LH6Ct5^Q} zBClj0By1t_>Q8iEq%cn~g|ijcrrgp}gapWs>zCh(VBfepCfm4iB-&6W{$0H3Vymy# zmqDcp{b%1mLdSjclvmt-xmpKgc1!0Mbea+O&oKKUw=myBdKq6~kZias?#&_cch;ljSGq?iD!_ ze3PK8y;4b6ex;$r?Opk5_8REJPj5>xqq1eE?&3-tN}U?Rs*Ec-n4{_M7u> zCAiCpJ5w0YryF!RQ>2IywV_*0D2lnE;KRS)Th`Jc9rF=@J1RQY9Hfu_Qurh58YBZ3l zD_X*xVC4kkUP@$urt!bQ83{j&LSY&!Uh97HM&&0Pp|)NgZ=H2E=}3Pk0f4-JHs})W dYE(+<8uZ|3KdN-Cs#^Nq)78hN+Ua!K{{aaea$x`f literal 0 HcmV?d00001 diff --git a/windows/access-protection/hello-for-business/images/dc-chart5.png b/windows/access-protection/hello-for-business/images/dc-chart5.png new file mode 100644 index 0000000000000000000000000000000000000000..19d10509165061d015ec6a57172ce59689ae611a GIT binary patch literal 3784 zcmcInXH-+!_K#9j7(^68m7*hwKB~e{B_bF=Iv5dYqQd|p1nD(V5EzuEC@3INDawch zbRb9zMGY801StYZs6lE%LJLW5{t2%4KD_n+@ZN{F*ShDPbJpGE{B}9}raL)UNr)+k zfj}S$8*57!5J*TcciAh-AJ-&~s`FpF!dm%ejw0(FB?nq3o+iyPaCtw;o#Igs=5IYB`R>83CPG5O6#rL5=ust zzI2yeDB)xKr460lR>;U#U)^>0?@0&s*895%p5WIGq)T3jujRq_D0>oe3UE}PrZuAu z<@sHFjsG!S@y$x>s9sb~UB#Agt6@rm6ios* z&;8PC@g6!V(aqcOI-2Lkp|1kj-ZB$at9vn?&<^z@F=4tP{;=hI?@zs_*!Qnn_6GZG z_=k=6Ca|2}@mAkXV|I=+)&|}(pIkyUD9h6Ng+Fv-pq*~_*XmrxhCbGJXAk9z&bGrR zmo|DfW`bPP2*6C-%RB^nkAQVVnEB!on%l`cedn3Gle&WFuv}^WJ@LepCS2Uq0UDuF z%5WI!ST0THmYs`tSnqkX>Ch(!M-PgfAd-*@`pC_I(g0jBIjsKGpdQTSx{ z1_9QARsIfm}&ou<6!F(m1=T`Rc~t^H-BO>rat3@MM3i*=~gSp!&67WwKLnb9-ifq`ggpDs1r52we3tZ=4fY zqKwKijOJW8hSLzRof-H5yKj&S8F$OL@Kuv&G_7ua|GM-IT_k3=wJvQ@EZ&Wiz0vp` z5MdHFS9yriK-3>>E$mmGmuO*h#3*loxLY8lHEBjcUN8ZTK=lMc4Fc&T!~YdQLv1jC zOSttXpX!gk_Cqfsb@;s84C__JE?eY`xj2A~>euTQKDdm2_07DvA`(YN;zM%~ss=wpcRP{lVqADIu)7;@H- z?Zk$hIY}aCT)YS+M*@Yx_9`0Ff6s4WE1jDDf&ZRrfIOXN1T@%OA{x;==p2Ld9e+Pz zV~#^R!hNr8@^0q!YGcr~WZwBA+LJgdGhTOGZL#pA&y|5n7!41?5Y>XGz11WtruMUIlv@|))jXAUy*K4bG^x9MdJ$iY=hDGgZ`v0X3T?L58y7{K&2NfC10;-r8?8I5+4Rw?C34KR zoK2Lu8Q}%hTJ3!aL_4HVPwZZfLOt8w$FMCuV!o@TL2{p88|M?f+_f=<=@xg*H24W8 zE;iEQVc~RxV#*?;Fu0QXm<{ekQelaMi*}Y{uZQ0bqpQ8Iq7uQTJS#I)K#6mMI&X>T zP?dJ#%k8AO_!s0SnJF6KZMDn?#^bUGGvSob#WTKU{Qb3 zRtfFgn_OGO{_Mi)2)c3@_Nz#|>(-Qx)UJG@PNYE~l$W+*vBok$G57~IB0hb6O;Z{`H~ zTChsk#g+K1r1yO+w4bhf_U2r6Hm)gZ*s=#~3=FY07T#VVUuZr$&>a_NvQ82omQwN{qXq)?N+=M!<|MMM10-IJE9-zmjFvJ z_#lbWtP6Wf@1r1kh{eU#2CgkOSZWR^=}sreNv8@ji96D$Z(<^1QAmFv`)Rt5ye0n zpxZTn@3uiPa`CI2CwA{S;u)F8Qw~=>rlpd|GE1asEsdF32te(!ScR*N0uT5oRBoSP zr?js{-a(Ro!5_=(>d9RnKK2s2oq6? zlGQ&D)u1QB5LWdYhi;`x*cfVa{u&UVTgenU4U-2H$SCxJH#=P8LE$-g9gPMp|$%)Wvdh*=>~2bM(BsENj5H31) z&hg&=h8Ws|^%C9HnZSkSqi@&fmeG}1{w|MJWFOn>s@S`kT9q7t)n2;$t@RN?<;OE8 zdINDjGBj+4`o@`&i{Xs*V8X=Z!v+3C8u7+x9q0<{#Kg|i$2(`ytQ}#SXviHO?oA2H zORcg&(nrRC!y<{T1l-=gMJ(vZSvZe_2q9nRLv$=Tm*dfe{`5~jk~prnwOR0F?4e95 z15Y2xpb5=cODGBYfUCrxSJ;1>kN;{tc6yP2AD$T!I($bW7x3*XsU)Bi86zb4;)9?| zMLV4f55NcEZdH{zhq5QX)0P3H&Bo_UYHgHVCqGW&zdxG6$qR68jGgg`2I3i7X5cF4 zA8Fi4!!6&-Cb}Z|HCb>q{oXLo2117(t$tCKLg~-pg9hQp22$O<(-9bAPzrE&YjU3E z@H;dU)2M|n0fY$VgrnP1ya9=prS()Rd2Ubs<~y1;=>kr1zw4=^Y>l|Z0>4IrSI$2= z`_?T~n&%Gw?pPFvCh2x*HeM9i#dpw*L9PZr!Gc)G9*>Wgih`ue+sD8^;`aEtA8wUd zOCxwkpK)`@-^`t0jQ%D{j#~v95>JxyH~)m!`46Ypx!IQJ0FiaD0lCLq1lG@8z7ed- zx7ZO_#li*BuPd|0i0B~liBDI(V~9br?N%_UKIV-SV0}baC)eC{T+L6E@YAt-Tz#_!ytQcjWgAbf8f8_lu(bi7ZFz$!_S}?*=R#SaE@gN;27&dJCcXK z?EFN5UOhwui?HPWCgGiQc;@^wD Date: Tue, 10 Oct 2017 10:25:35 -0700 Subject: [PATCH 02/15] Preparing for on-prem Key trust --- .../hello-deployment-key-trust.md | 40 ++ .../hello-key-trust-adfs.md | 341 +++++++++++ .../hello-key-trust-deploy-mfa.md | 543 ++++++++++++++++++ .../hello-key-trust-policy-settings.md | 155 +++++ .../hello-key-trust-validate-ad-prereq.md | 46 ++ .../hello-key-trust-validate-deploy-mfa.md | 49 ++ .../hello-key-trust-validate-pki.md | 197 +++++++ 7 files changed, 1371 insertions(+) create mode 100644 windows/access-protection/hello-for-business/hello-deployment-key-trust.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-adfs.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md create mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md new file mode 100644 index 0000000000..2d64b3973b --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md @@ -0,0 +1,40 @@ +--- +title: Windows Hello for Business Deployment Guide - On Premises Certificate Key Deployment +description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/08/2017 +--- +# On Premises Certificate Trust Deployment + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. + +Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Key Model in your on-premises environment: +1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) + + + + + + + + + + + + diff --git a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md b/windows/access-protection/hello-for-business/hello-key-trust-adfs.md new file mode 100644 index 0000000000..986dbacd66 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-adfs.md @@ -0,0 +1,341 @@ +--- +title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) +description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/08/2017 +--- +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem key trust deployment uses Active Directory Federation Services roles for key registration and device registration. + +The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. + +If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. + +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. + +Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. + +A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +## Update Windows Server 2016 + +Sign-in the federation server with _local admin_ equivalent credentials. +1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. +2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658). + +>[!IMPORTANT] +>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. + +## Enroll for a TLS Server Authentication Certificate + +Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) + +You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. + +You can, however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. + +When creating a wildcard certificate, it is recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### Internal Server Authentication Certificate Enrollment + +Sign-in the federation server with domain admin equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +## Deploy the Active Directory Federation Service Role + +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. +* Device registration +* Key registration + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Windows Hello for Business depends on proper device registration. For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration. + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** on the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. +7. Click **Next** on the **Select features** page. +8. Click **Next** on the **Active Directory Federation Service** page. +9. Click **Install** to start the role installation. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the AD FS farm uses the correct database configuration. +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +## Device Registration Service Account Prerequisite + +The service account used for the device registration server depends on the domain controllers in the environment. + +>[!NOTE] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. + +GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. + +#### Create KDS Root Key + +Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. +1. Start an elevated Windows PowerShell console. +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. + +#### Create an AD FS Service Account + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click the **Users** container, Click **New**. Click **User**. +3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +5. Click **Next** and then click **Finish**. + +## Configure the Active Directory Federation Service Role + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2016, 2012 R2 or later Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. + * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. + + +### Add the AD FS Service account to the KeyAdmins group + +The KeyAdmins global group provides the AD FS service with the permissions needed to perform key registration. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyAdmins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Click **OK** to return to **Active Directory Users and Computers**. +8. Change to server hosting the AD FS role and restart it. + + +## Configure the Device Registration Service + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console. +2. In the navigation pane, expand **Service**. Click **Device Registration**. +3. In the details pane, click **Configure Device Registration**. +4. In the **Configure Device Registration** dialog, click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you followed the correct procedures based on the domain controllers used in your deployment + * Windows Server 2016, 2012 R2 or Windows Server 2012 R2 + * Windows Server 2008 or Windows Server 2008 R2 +* Confirm you have the correct service account based on your domain controller version. +* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. +* Confirm you used a certificate with the correct names as the server authentication certificate + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) +* Confirm you added the AD FS service account to the KeyAdmins group. +* Confirm you enabled the Device Registration service. + + +## Additional Federation Servers + +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. + +### Server Authentication Certificate + +Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. + +### Install Additional Servers + +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. + +## Load Balance AD FS Federation Servers + +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. + +### Install Network Load Balancing Feature on AD FS Servers + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** On the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, click **Next**. +7. Select **Network Load Balancing** on the **Select features** page. +8. Click **Install** to start the feature installation + ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) + +### Configure Network Load Balancing for AD FS + +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. + +Sign-in a node of the federation farm with _Admin_ equivalent credentials. +1. Open **Network Load Balancing Manager** from **Administrative Tools**. + ![NLB Manager user interface](images/hello-nlb-manager.png) +2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. +3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. + ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) +4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) +5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. +6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. + ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) +7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. + ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) +8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. +9. In Port Rules, click Edit to modify the default port rules to use port 443. + ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) + +### Additional AD FS Servers + +1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. +2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. + ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) + +## Configure DNS for Device Registration + +Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. +6. Close the DNS Management console + +## Configure the Intranet Zone to include the federation service + +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. + +### Create an Intranet Zone Group Policy + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type **Intranet Zone Settings** in the name box and click **OK**. +5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. +8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. +9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. + +### Deploy the Intranet Zone Group Policy object + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm you restarted the AD FS service. +* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) +3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) + + diff --git a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md new file mode 100644 index 0000000000..2c31ffcc05 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -0,0 +1,543 @@ +--- +title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) +description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/08/2017 +--- +# Configure or Deploy Multifactor Authentication Services + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. + +>[!TIP] +>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. + +## Prerequisites + +The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. + +### Primary MFA Server + +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. + +For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. + +The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. + +#### Enroll for Server Authentication + +The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. + +Sign-in the primary MFA server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. + +To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. + +The following services are required: +* Common Parameters > Default Document. +* Common Parameters > Directory Browsing. +* Common Parameters > HTTP Errors. +* Common Parameters > Static Content. +* Health and Diagnostics > HTTP Logging. +* Performance > Static Content Compression. +* Security > Request Filtering. +* Security > Basic Authentication. +* Management Tools > IIS Management Console. +* Management Tools > IIS 6 Management Compatibility. +* Application Development > ASP.NET 4.5. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. + +Sign in the primary MFA server with _administrator_ equivalent credentials. +1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console +2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. +3. In the **Actions** pane, click **Bindings**. +4. In the **Site Bindings** dialog, Click **Add**. +5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. +6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. + +#### Configure the Web Service’s Security + +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. + +Sign in the domain controller with _domain administrator_ equivalent credentials. + +##### Create Phonefactor Admin group + +1. Open **Active Directory Users and Computers** +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. +3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. +4. Click **OK**. + +##### Add accounts to the Phonefactor Admins group + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +3. Click the **Members** tab. +4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). +* Confirm the host has all the available updates from Windows Update. +* Confirm you bound the server authentication certificate to the IIS web site. +* Confirm you created the Phonefactor Admins group. +* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. + +### User Portal Server + +The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. + +The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. + +#### Enroll for Server Authentication + +Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. + +For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. + +Sign-in the User Portal server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). +10. Click **Add**. Click **OK** when finished. +11. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. + +#### Create WebServices SDK user account + +The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. +3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. +4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. + +#### Add the MFA SDK user account to the Phonefactor Admins group + +Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. +3. Click the Members tab. +4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * The Webservices SDK user account + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. +* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Server Role was properly configured on all servers. +* Confirm all the hosts have the latest updates from Windows Update. +* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. + +## Installing Primary Azure MFA Server + +When you install Azure Multi-Factor Authentication Server, you have the following options: +1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS +2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) + +See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. + +Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. + +>[!IMPORTANT] +>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. + +### Configuring Company Settings + +You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Start the **Multi-Factor Server** application +2. Click **Company Settings**. +3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. +4. In **User defaults**, select **Phone Call** or **Text Message** + **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. +5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. +6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. +7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. +8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. +9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +10. Configure the minimum length for the PIN. +11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. +12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. +13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. + +![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) + +### Configuring Email Settings and Content + +If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. + +Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. + +With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. + +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. + +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. + +#### Settings + +By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. + +#### Content + +On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. + +##### Edit the Content Settings + +The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. Click **Email** from the list of icons and click the **Email Content** tab. +3. Select an email template from the list of templates. Click **Edit**. +4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. + ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) + +5. Optionally, customize other options in the email template. +6. When finished editing the template, Click **Apply**. +7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. +8. Click **Close** when you are done editing the email templates. + +### Configuring Directory Integration Settings and Synchronization + +Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. + +It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). + +#### MultiFactorAuthAdSync Service + +The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. + +The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. + +#### Settings + +Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Click the **Synchronization** tab. +4. Select **Use Active Directory**. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. + +#### Synchronization + +The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. + +You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. + +See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. + +##### To add a synchronization item + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Select the **Synchronization** tab. +4. On the **Synchronization** tab, click **Add**. + ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) + +5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. +6. Select the group you are using for replication from the list of groups +7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. +8. Select **Add new users and Update existing users**. +9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. +10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. +11. Select **Enabled** and select **Only New Users with Phone Number** from the list. +12. Select **Send email** and select **New and Updated Users**. + +##### Configure synchronization item defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. +2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). + +##### Configure synchronization language defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. +2. Select the appropriate default language for these groups of users synchronized by these synchronization item. +3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). + +### Installing the MFA Web Services SDK + +The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. + +Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. + +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. + +## Install Secondary MFA Servers + +Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. + +Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. + +Sign in the secondary MFA server with _domain administrator_ equivalent credentials. +1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. + **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. +2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. +3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. +4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. +5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. +* Confirm the server has Internet connectivity. +* Confirm you installed and activated the Azure MFA Server. +* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). +* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. + * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. + +* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. +* Confirm you installed the Web Service SDK on the primary MFA server. +* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. + + +## Installing the User Portal Server + +You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. + +### Copying the User Portal Installation file + +Sign in the primary MFA server with _local administrator_ equivalent credentials. +1. Open Windows Explorer. +2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. + +### Configure Virtual Directory name + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. +2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. +3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. +4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. +5. Click **Close**. + +### Edit MFA User Portal config file + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. + +### Create a DNS entry for the User Portal web site + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**. +6. Close the **DNS Management** console. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. + +### Configuring the User Portal + +The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. +User Portal Administrators may be set up and granted permission to add new users and update existing users. + +#### Settings + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. + ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) + +3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. +The Multi-Factor Authentication Server uses this information when sending emails to users. +4. Select Allow users to log in and Allow user enrollment check boxes. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +6. Select Allow users to select language. +7. Select Use security questions for fallback and select 4 from the Questions to answer list. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). + +#### Administrators + +The User Portal Settings tab allows the administrator to install and configure the User Portal. +1. Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. +3. On the Administrators tab, Click Add +4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. +5. Click Add. + +>[!TIP] +>For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. + +#### Security Questions + +[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. + +#### Trusted IPs + +The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. + +## Configure the AD FS Server to use the MFA for multifactor authentication + +You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. + +### Install the MFA AD FS Adapter + +Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. + +### Edit the MFA AD FS Adapter config file on all ADFS Servers + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. + +### Edit the AD FS Adapter Windows PowerShell cmdlet + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. + +Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. + +### Run the AD FS Adapter PowerShell cmdlet + +Sign in the primary AD FS server with local administrator equivalent credentials. + +Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. + +>[!NOTE] +>You must restart the AD FS service for the registration to take effect. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. +* Confirm you restarted the AD FS Service after completing the configuration. + +## Test AD FS with the Multifactor Authentication connector + +Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete. + +1. In the **Multi-Factor Authentication** server, on the left, click **Users**. +2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. +3. Click **Test**. +4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. + +The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md new file mode 100644 index 0000000000..80a40bc364 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -0,0 +1,155 @@ +--- +title: Configure Windows Hello for Business Policy settings (Windows Hello for Business) +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 07/07/2017 +--- +# Configure Windows Hello for Business Policy settings + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. + +Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. + +On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +## Enable Windows Hello for Business Group Policy + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +## Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +## Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +## Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +## Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) +* Confirm you configured the proper security settings for the Group Policy object + * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) + * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy + +* Linked the Group Policy object to the correct locations within Active Directory +* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users + + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md new file mode 100644 index 0000000000..2b2c06183a --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -0,0 +1,46 @@ +--- +title: Validate Active Directory prerequisites (Windows Hello for Business) +description: How to Validate Active Directory prerequisites for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 07/07/2017 +--- +# Validate Active Directory prerequisites + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. + +The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. + +Ensure each site where you plan to deploy key trust Windows Hello for Business has an adequate number of Windows Server 2016 domain controllers/ + +## Create the Windows Hello for Business Users Security Global Group + +The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. + +Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. + +1. Open **Active Directory Users and Computers**. +2. Click **View** and click **Advanced Features**. +3. Expand the domain node from the navigation pane. +4. Right-click the **Users** container. Click **New**. Click **Group**. +5. Type **Windows Hello for Business Users** in the **Group Name** text box. +6. Click **OK**. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. Validate Active Directory prerequisites (*You are here*) +2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md new file mode 100644 index 0000000000..f6c81560d1 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -0,0 +1,49 @@ +--- +title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) +description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/08/2017 +--- +# Validate and Deploy Multifactor Authentication Services (MFA) + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. + +Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. +* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. +* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. +* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. +* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. + +## On-Premises Azure MFA Server + +On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. + +### Infrastructure + +A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. + +Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. + +>[!IMPORTANT] +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. + +Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md). + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md new file mode 100644 index 0000000000..2cf39d14ab --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -0,0 +1,197 @@ +--- +title: Validate Public Key Infrastructure (Windows Hello for Business) +description: How to Validate Public Key Infrastructure for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/08/2017 +--- +# Validate and Configure Public Key Infrastructure + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. + +## Deploy an enterprise certificate authority + +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. + +### Lab-based public key infrastructure + +The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. + +Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + +1. Open an elevated Windows PowerShell prompt. +2. Use the following command to install the Active Directory Certificate Services role. + ```PowerShell + Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools + ``` + +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. + ```PowerShell + Install-AdcsCertificationAuthority + ``` + +## Configure a Production Public Key Infrastructure + +If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. + +### Configure Domain Controller Certificates + +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. + +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template. + +Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +8. Close the console. + +### Superseding the existing Domain Controller certificate + +Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. + +The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. + +Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +4. Click the **Superseded Templates** tab. Click **Add**. +5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. +7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. +8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. +9. Click **OK** and close the **Certificate Templates** console. + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. + +### Configure an Internal Web Server Certificate template + +Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. + +Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. +6. On the **Request Handling** tab, select **Allow private key to be exported**. +7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. +8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. +9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +10. Close the console. + +### Unpublish Superseded Certificate Templates + +The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. +5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. + +### Publish Certificate Templates to the Certificate Authority + +The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. + +7. Close the console. + +### Configure Domain Controllers for Automatic Certificate Enrollment + +Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New** +4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **Computer Configuration**. +7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +9. Select **Enabled** from the **Configuration Model** list. +10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +11. Select the **Update certificates that use certificate templates** check box. +12. Click **OK**. Close the **Group Policy Management Editor**. + +### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object + +Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. + +#### Use the Event Logs + +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. + +Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. + +Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. + + +#### Certificate Manager + +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. + +#### Certutil.exe + +You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. + +To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. + +#### Troubleshooting + +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. + +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. + +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) +2. Validate and Configure Public Key Infrastructure (*You are here*) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) From 46c9160d9657e3f15997c6d35e6015f3d74cb9bb Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 10 Oct 2017 11:28:47 -0700 Subject: [PATCH 03/15] Updates to on-prem key trust --- .../hello-for-business/hello-key-trust-deploy-mfa.md | 10 +++++----- .../hello-key-trust-policy-settings.md | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md index 2c31ffcc05..cbdd626558 100644 --- a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -536,8 +536,8 @@ The Multi-Factor Authentication server communicates with the Azure MFA cloud ser ## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) +2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) +3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md index 80a40bc364..830ac3fe78 100644 --- a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -6,10 +6,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 07/07/2017 +author: DaniHalfinauthor: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/08/2017 --- # Configure Windows Hello for Business Policy settings From 533dad125cb390c662b2b0474a13fa73cca10819 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 10 Oct 2017 18:01:28 -0700 Subject: [PATCH 04/15] First round of edits for On-prem Key trust --- .../hello-key-trust-policy-settings.md | 33 ++----------------- 1 file changed, 3 insertions(+), 30 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md index 830ac3fe78..d98896852a 100644 --- a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfinauthor: mikestephens-MS +author: mikestephens-MS ms.author: mstephen localizationpriority: high ms.date: 10/08/2017 @@ -23,10 +23,7 @@ Install the Remote Server Administration Tools for Windows 10 on a computer runn Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. -On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: -* Enable Windows Hello for Business -* Use certificate for on-premises authentication -* Enable automatic enrollment of certificates +On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business ## Enable Windows Hello for Business Group Policy @@ -34,17 +31,6 @@ The Enable Windows Hello for Business Group Policy setting is the configuration You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. -## Use certificate for on-premises authentication - -The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. - -You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. - -## Enable automatic enrollment of certificates - -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. - -The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. ## Create the Windows Hello for Business Group Policy object @@ -57,20 +43,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 6. In the navigation pane, expand **Policies** under **User Configuration**. 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. - -## Configure Automatic Certificate Enrollment - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. -5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -7. Select **Enabled** from the **Configuration Model** list. -8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -9. Select the **Update certificates that use certificate templates** check box. -10. Click **OK**. Close the **Group Policy Management Editor**. +9. Close the **Group Policy Management Editor**. ## Configure Security in the Windows Hello for Business Group Policy object From 8879c1e48a19238ed85a32af634752e182d1b5c1 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 20 Oct 2017 09:46:58 -0700 Subject: [PATCH 05/15] prereq updates for hybrid key trust First attempt at creating tables for adequate DC content --- .../hello-adequate-domain-controllers.md | 12 ++++++++---- .../hello-hybrid-key-trust-prereqs.md | 6 +++--- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md index 040fb7e850..63aef15839 100644 --- a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -17,19 +17,23 @@ ms.date: 10/09/2017 - Windows 10 ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +>This section only applies to Hybrid and On-premises key trust deployments. -## One size does not fit all +## How many is adequate How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It’s important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication—it remains unchanged. -Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, user in a key trust deployment user must authenticate to a Windows Server 2016 domain controller. +Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller. -Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as “piling on”. To illustrate the “piling on” concept, consider the following scenario. +Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as “piling on”. To illustrate the “piling on” concept, consider the following scenario. Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. ![dc-chart1](images/dc-chart1.png) +|: Kerberos AS Requests :| +| |:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:| +|:WHFB|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:| +|:Pasword|:100:|100:|100:|100:|100:|100:|100:|100:|100:|100:|100:|1000:| The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index c4c4dd6085..56f1759320 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 10/09/2017 +ms.date: 10/20/2017 --- # Hybrid Windows Hello for Business Prerequisites @@ -30,11 +30,11 @@ The distributed systems on which these technologies were built involved several * [Device Registration](#device-registration) ## Directories ## -Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. +Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, may not require Azure Active Directory premium subscription. -Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. In addition to the Windows Server 2016 Active Directory schema, key trust deployments need an adequate number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. +You can deploye Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. In addition to the Windows Server 2016 Active Directory schema, key trust deployments need an adequate number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. From 4997d166328da9c80244642004619efb066b2db7 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 20 Oct 2017 10:26:11 -0700 Subject: [PATCH 06/15] tables for adequate dc page fixed formatting issues --- .../hello-adequate-domain-controllers.md | 34 ++++++++---------- .../hello-for-business/images/dc-chart1.png | Bin 3978 -> 10613 bytes .../hello-for-business/images/dc-chart2.png | Bin 3701 -> 10679 bytes .../hello-for-business/images/dc-chart3.png | Bin 3773 -> 10847 bytes .../hello-for-business/images/dc-chart4.png | Bin 3770 -> 10851 bytes .../hello-for-business/images/dc-chart5.png | Bin 3784 -> 10982 bytes 6 files changed, 15 insertions(+), 19 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md index 63aef15839..6c241b2434 100644 --- a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -14,26 +14,22 @@ ms.date: 10/09/2017 # Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments **Applies to** -- Windows 10 +- Windows 10 >This section only applies to Hybrid and On-premises key trust deployments. ## How many is adequate -How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It’s important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication—it remains unchanged. +How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged. Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller. -Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as “piling on”. To illustrate the “piling on” concept, consider the following scenario. +Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario. Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. ![dc-chart1](images/dc-chart1.png) -|: Kerberos AS Requests :| -| |:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:|:DC1:| -|:WHFB|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:|:0:| -|:Pasword|:100:|100:|100:|100:|100:|100:|100:|100:|100:|100:|100:|1000:| The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. @@ -43,7 +39,7 @@ The Windows Server 2016 domain controller is handling 100 percent of all public ![dc-chart3](images/dc-chart3.png) -Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers—each supporting 50 percent of the load. But it doesn’t change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same. +Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same. ![dc-chart4](images/dc-chart4.png) @@ -51,22 +47,22 @@ Domain controllers 1 through 5 now share the public key trust authentication loa ![dc-chart5](images/dc-chart5.png) -You’ll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers. +You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers. There are several conclusions here: -* Upgrading domain controllers changes the distribution of new authentication, but doesn’t change the distribution of older authentication. +* Upgrading domain controllers changes the distribution of new authentication, but doesn't change the distribution of older authentication. * Upgrading domain controllers does not affect the distribution of password and certificate trust authentication because newer domain controllers can support password and certificate trust authentication. * Upgraded domain controllers typically carry a heavier authentication load than down-level domain controllers because they support more forms of authentication. * Upgrading clients to Windows Hello for Business, increases the volume of public key trust authentication distributed across domain controllers which support it and, reduces the volume of password and certificate trust authentication across all domain controllers * Upgrading clients to Windows Hello for Business but does not affect the distribution of authentication; only the volume of authentication. -The preceding was an example to show why it’s unrealistic to have a “one-size-fits-all” number to describe what “an adequate amount” means. In the real world, authentication is not evenly distributed across domain controllers. +The preceding was an example to show why it's unrealistic to have a "one-size-fits-all" number to describe what "an adequate amount" means. In the real world, authentication is not evenly distributed across domain controllers. ## Determining total AS Request load Each organization needs to have an baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. -Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant—Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours: +Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours: * A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant * The hour you believe initial authentication to be significant * And a half-hour after you expect initial authentication to be significant @@ -74,24 +70,24 @@ Pick a site where you plan to upgrade the clients to Windows Hello for Business For example, if employees are scheduled to come into the office at 9:00am. Your performance capture should begin at 8:30am and end at 10:30am. Ensure your performance logs do not wrap the data. You want to see authentication trend upward, peak, and trend downward. > [!NOTE] -> To capture all the authentication traffic. Ensure that all computers are powered down to get the most accurate authentication information (computers and services authenticate at first power up—you need to consider this authentication in your evaluation). +> To capture all the authentication traffic. Ensure that all computers are powered down to get the most accurate authentication information (computers and services authenticate at first power up--you need to consider this authentication in your evaluation). Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experience the highest amount of authentication. -Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller’s authentication number for the median time by the total authentication. Multiple the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. +Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiple the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. -Review the distribution of authentication. Hopefully, none of these are above 70 percent. It’s always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. +Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. ## Monitoring Authentication Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Busines clients. This gives you a baseline for your environment to where you can form a statement such as -```“Every n Windows Hello for Business clients results in x percentage of key-trust authentication.”``` +```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. -Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there’s no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. +Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. -Increasing the number of number of domain controllers distributes the volume of authentication, but doesn’t change it. Therefore, as you add more domain controllers, the burden of authentication for which each domain controller is responsible decrease. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. +Increasing the number of number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication for which each domain controller is responsible decrease. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. ## Strategy The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold. @@ -100,5 +96,5 @@ Then, upgrade a second domain controller. Monitor the authentication on both do Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume. -However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It’s not the best load balancer, however, it’s a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. +However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. diff --git a/windows/access-protection/hello-for-business/images/dc-chart1.png b/windows/access-protection/hello-for-business/images/dc-chart1.png index 52e0f0500e43baab14570268c7479e6a417e4c18..f5c8d3f2f353a774a0fad46bd25a7dfb133790c5 100644 GIT binary patch literal 10613 zcmeHt2UL?w*De-NMC6DdD9r{+jiMwVP0%P9n)D(GNK=qbsDXH-2?(eN0TCimM5Kcd zg#ZH5oAeSQ0s;X-4LyY11oa%x_vty`fB(DIz5iM_Ye6!TdH3vj_Otiw*_kjMtt;$% z4)0-NVq#ZUyQIs+#DbuIezto%{eQZQ!6yA}o4f86Ri^9~{t0?xr=5zX3KLUaG~0$H zGri5~qGsaG#3T^P_}dmeI&Z_oB)Uial8U}JbUNv1^p~2%P;x9rZCfPA0O%gq#DzKu zWnRwW_D4fUx3L`z;y?7@nHtvn1@Zl+3^63@4e>?wJ1jnD8rv}HwxWTh7El$|w>g(w zm!c%(mkh#N5oBfhq+eeya$w)o8uK7j~(CI@w>vE4w za}mCe9{U}Gk9tOA`PM$o!A0=g`5#PeaZ+JGfK)c<_7=I&bH&^DZMpmjGya*G86lA( zX~CHh!);UVi_kL+u@)u0iN|1KDs7H>oi=o}-Wz(ql{YB!oe@MdKX{{r((TK%%zb{p z%9l0J{u7oqevI?emR$~6c9^ik?3STokbQ) zi>XQ3#as<4>eUmM(z!g;rzJfE#q_B{^XG=Os%AF)Feit}w*DY>fegna*(qsnMDD1Hgg|l@oZ6^wgqX!bfRay#iQ(knujju^N&8oGdO#jwS@d5dWJ1(0-}%a zvMi;BY^>$Q;k;#zcqm$|ez=|m59K(cpUzUXd#ZAqFkBMZJmEEfEw?^xGSXI#{Ow63 z$Ix!13S+rEz2<|ct90IT!Tabl!2np3gDyR>(NbevIewOgV;$7EJHvs|Ws7lVKKs*&z6cMS9-@4)wp8SiL! z(=VL_W=f}WGz*)d4aU#Ep>nY~u#durx)2`$lEsCAx9A=M=xn|bW8c;sKg00kq96j% zKYb?{t9cE@aAk)v+!M2uAcG@|2F}n->1toY0i59#J{^baP@_H!)FV+)Lv{0lMK9tt zaZG=U9FmqRK0m@9E{7en)lfEp+s@y7W67`KO(i)+2i2Hd6YFdoe!c3}?*EPo4m`wp zei~H%s`Um3ebQWE5^xqGe5%+ny!bY~Z48JRP5$`I!4)y>;)SHmEp{3eCJU-Y+P~&M zSA>69Y|Q^*sKs+C2hWn`3>CDG)CPZ};w40S>Poo%Q3%iW6FmHhER% zgJ59Y!hV67l5qmdbnD?JZyzbD9$V_Rb4gDJxA?ZJr0Xw=U4>1^4H${Zrc`#u#Y7E0 z$H{+yO*&7t=cpK_Pru78i5r_rbj?}LS%Air%UMK5!TR@dXX3_RI>2saL?;Qt9I-dc zUmliqI30NTx!tYPOwR5BTTpY8qJD(>j)9K&R!Fb2a5hBzK!n^qTcQ5FST0EX2evU8 zGjBz03+~=T?jOv~l(~H?_UG;)HHZJ;uFoP$P3BWM>Dvm}97u0( zy{@zU{mx)nOk_!{u>QW0yjSr4J!_|SvE!Z?sxxhE@RFo=+g|9oK%VB$;Isew(F%$? zrpNFU3r>3$z>|sy+d0f3+|7Uc*c4%8z2%u2sy`F+UHE;U`EU)!UT|0a)z8Fy7k&l+ zeJIMPDu!3_bx>n`eGb zVj&n! z)N&*u24p4;@lIG$a@!oQ117PHvhR#YN!e*L>=QEW({m^XY=JqLp4< zOQs2ynwGAeEt69_)HDwAbXK5g&zA-VLC8X<4Fxs8{B3AX5-JiQQS zhoEd*d9w8ULGoJbL$A34I}~~J3_|1T!*`FT>)F6qlug{4E)r4$&wP+tT6g_}1YM(P zr5lm08ym*&KKPq|LHgRRNK2-U2G5!fdJaR$=w>d01+W|5aem?5X}Q78Y4KX(pfHZI znCBw!f@oMjUD_ETuW(eiWdZ6B2(XOXx}SvH)16Y09NRs6#C@8?;bbv7|G+;~Ns~W-hYzIkITR)R&x1=f~z} z<{cOOA8d3#@+Tqowaz3blN_Oo5w;+3R$pj_Mi1T^292WmqZGDniioewrM!B8_meYK zLpLE&N>$M))v>oxK9#db>ZvuGwIrX3!5fpEJ>h+Lg!*Cpc(xZo!S_v#(58kj^t60w zRBD*wy{6~pK4Fp<3#@3HlaDL<^2Gsp_c}m+Jj*3hH;DW_8Ei_*HFliQUQfrWzfj2= zF*hgHIPG1G)=3xI*bQs;IGJibs(n3@CH%=P{6J0iy9sbX>2|1H@h1^Kvb09-Mc1@= z8{7+LkvZum1hiQ0Mo#ET6c-^pp@ME99%~jrN?wz22JZ~uNxtW(&4yvSm#&N~jLtEf z#r~@-^2=^yAIrSav&zaL>Reu^DC^}Zd^>rRgfZL9Fk&l*0iM$CyHpM)twe~57FXQP z9D5l{jlR@#M2XX&|MjDFuzMe=4-)gj>=S|~|32!AW>ur_Ta{&ED*nqkc~$HmdVE=i zs#@WmCXLQgj&bj7%*F)?UY=q;M!u;H6{BjCd^aVAY-XkmmdIAA#axEXn}&`PYi?R? z(`S^fB_1dfP%!s^h-JyubKjou+C5h71!F``<2Ft4TOV6`W#^@mB)JGJjRVjpCs3Vi z&Y{@GvQqx?aBe573Hb$Zfil4Vq$Xu9`4PtK%vtZS*)+e6oV3wMR8uzYrdH$)Pvjtn zzng&g_%bxV_U@Bi8pF;7_9f;Deha!2NVgt$J5~TziRM#TR3&cUc)E+-IWcv-(W6cB zu&ACJsy*Oz7 z9V#(E@M-=>M8Y|ZxZ(OVB1=Ku>%?xCyTO_vdQM`66U83Oq-xId{Dg^PeQ4BM_1d23 zDp*AB&E?Tlq(eLCB@q~VXbiIO?$w>9@h)>8^%)UxCCV_axonn_v%VM6L28Te|0r<1 zIr+-+TYWmWbXX--=*iotuMAQ0g{cRdplGphdQ!qeJ<|dm4PshO&NVtjy(5WXKpyR$ zLv(B={MaOAC}d7h{gBtpV>fpIVQhXw&m*xxfjl~|NgI5y>1$=kQo z)JOJLUIRV|iIS3ETo6%G=APK(dVaxk%w|# zex^x7II@93#&-+|Z-yn)5-jNU$$`amz$-}I5L4GgO7gh`#a5oi#MKD%s8_rDAEIWc zD(huI7`*<$cz|YQ&!=GYfy%fFT=A>7s)M_v`cW8jjaBeN{(o93?UNqJ{!l})9 zTewp$Q%3QvU>2pRN9yp2+v!?8!3ElYVQx@k@;D^%#ewkMfdk!;^H;>wu6M)(YKe-K z1>%5MzS4fbJJc4G>=hg+h1Ag48zWnv6*^^{>@yB|R5mV9E|f^wFq#!8tdQ{T_{xp9 zb)kjAfm9zhe6p82po4FV6PQFp+^82et_R0qJl79OQ1lIRE)f=Yic@SwN!2%#Qj@NO zDD#irWF9>eNS{4O+^mP3-xrH=DQ!3jCWd0n;^f8~3tw|!8(Ni*0VXGA0LK_^ zFpG2d*lj*zHfLB|a}@4G;lv)qsfPScgnD=c8MWeHHW~+ z!F6=#my1`4X+4^4?6y|Spe(Nm^ao% %|s%6(}Bjb5+cn8{mnc#|v`sF?jN!Y%8=9Kg}M2MAiq?X15HOR5l`d zGDIw^+8q_C(L2j0;wwJ&Y)5<0fz+cl#y)+sIe)I;x4k0cl9S|!SnUUM9v%g}fp6up_HNZT>lauTEo!h(Bjp~Dr$uh{@~`5{ZOfo)4rK~LoRPi0QZq2y$|iyjZn$~ zev~S&LD0cS=W@!#_@H0`Fe5@hZMk9c?oSWr^rPnOF2=!|o>OS2gmXt&XuW#Jo#CY3 z?6jDw<^$)y{CgSkV6EOWW8MKN&kqTk@X;P2$^>d|WY(k+ULAGB&&K>GzWViW4?;3!@Jj5Nl+MNYz)*mA#JhTl!@&g() z-vtWCN%O$^|7uOJ>5s*&q9M=7<%?%J!<24k_hYwb11)-7-XD#P3Ba`q>EoQn{in{B>E?eXzzU4jS+p0sPGEDa5YH*L0l!Pu;SrB5Z^!@uiiJxw z12XVY4Njh!37fG&5zl{F0!oyr36NhTA~sh?DKW3n z0RoxpJ2~ni$=hh4$(hMltMKk2CBAM!Rw(iWL>%2Jep-3Ic-} zi3XNzim8epueC;2J< zb%YbanleTa3UC-7f|X+d*{ddc5s}J%Hj2Nb9dL%>6ZT-N7dNPC zpKM3@>y6Ee@}tr$qjRy<`;PkA82nO9(N@TM4aR1^^5iuv&u3XlT`-36h-V{-CHJVx z1BC#TAH1@gHMDAIW^?G4HZ%6P=a+=d!qNF2SipJ_I(!gG8NtJhC|xsBo+tXm9oT+V z7A-Jg6ezC&iYppU_ay{ie)~yD^m~N*pRjNJpQ>g4*D|RvtF~s-?^SH3_uy}JY5GqX z#(Qu#@A7EQVOXK(Dk4O@+vwr>Gx)$(=On$R#whsywf8SWJ4?S-P=799YiPP(%GWyY zcd>sFu+^!%Lf=Ig73hD};Lo8iW`e)g#($;k97df$FK{sm&p#~TPXSwpuG~)82OAo(2HLNTxlu~k$MmC})l)Re1+uMs! z=lJ>D5-r1fIuU)mi1bV8M4+zw)LT{8-KL(`Jf=iO!y1}2`oUN6*E_vUZtIktV1~}! z_&lmHcb8`e!0s*&j@Mi60PZvWgqZNz#uc!A&rbio7XS1QkZ`AvPtk*>eTcT{2_^Ia zD`f>jy6mFOWPp~P-8iNu!s_CJ@S(XIy$=xTEI3}^3D~1;fDrb2l=b@v%m3u7TdZ7M zH`nvcDY{|l7&EVfXwqJa!2URk1OooM^0b6>{$LVOJGemOD1x# zRIU^M(UNp#T!t?%Le{`EYk%6h?#FV~}% zh9QT0+m`Gy6g!6%US;t&Wkwtp|8HpdZIP*c*L03dZ7C}yR$REt?S*1|ulI%GCF2fn zXm;Dn(+vk)ORT~9>b&H<%VRnFllFr;JB0dO-c$>kRu%^Y_ELS! zp5Ak~9N;Zgu{D{MX6uEj%OZGQAU}-r7a=L4;Qn@VSdke_?2Lhjc#P2496;2=Ba~!U z$66i)aLEGB|AxpUh*M?pDNBl;fdWoKqFL-!hmE67o`abTcBC2u%1)^Hy$U2-txoXC zG55tWU=8^vSUnlA>UcCpxnkh5U)s^avID85<{6s224}bPSkvrL3o`R{EQx7czzNu4 zr~STs8+SUp%^4)V`zF*>?)iTWKV~qN1j5R!x<g>|?`04*(QQFx>vGdx49 zXgx#)D$6_(#kU7PuKP6Sm0MWkSSy8qbKKWV1VTi>Dz2jd3<+m7}FWY$P z?W_6B-T=D2z(_SqwNo-C9Wz8#j_Q3I96}zCwVE98CxY`lFK7lj85qYn@$WlQMta<> z>yh|^?vc?!=<)@*xmZF7kBs5pvhtv=%e4`?JnFh`SOz!Y(GCtp{qwSEUE=*gd4$5~ zYMCht`?^fRyMU3D_T2IS^Ii+tkMo~YVO0X((5p4&GBKM-%TcED-|#)lmtXV$pzb%v z&R%(8=I3!7Ikwn)Yn|Fj|6Oq8WmjSUxerw?!xqwRazk~uk%WtgiMHTKRf_EHv|jxD z8Aasu2kro+uf9DMOtyOCu*)vx%`m2Bd+)u!;k@o1DSL(EMRqW;`38)cuBKSKr;Z~r zGP|oLtkx9+I&CbY@X<2n>7|>zJM(F#@f;9nmFJtcXYv`ovztJsU{cU zvUVro;>xp62P2#gRM%9f^UDpT>bYMV3C_E=_Gq`aoaOTc;r(-Nm6t~$$3Bk+MK+)= zy>DdYiv@(;K^*{!!8o@8PTtlpJFy+A)%yyez7zK}_m2lt*REZAMr>T3fe43#v6~)( zGaY(HUqsjRFrig>W4-V;G)1rAORL~s8vkTrzpQ$SxMEz{VSD|31$~KF`F2us&+;NQ z(km|M)NC3)Kc}mVmmcWO@d6$Kt0|Ug0=slk?2zAok+{uas>*4#NccaeUPSuUx3s@ayy&;xv@AL8e-%t-_IG`4jSolZYdnaOUyBX`A z)IU0mLjJhr$Miln<&QgkOfEKmULIt+e(2Auf=s`D#9(u6oVHC_{mFHvn5Z_!9O_`L KOWCRxcmEenpHhMV literal 3978 zcmcIndpuNY+n$s#h;kSy4Mh%#lpO7e5w-d$^!srSDdciU&)6-??We3|3B36!^=E#|md$ z4}`;DI!Tgy5owrx90pTCx;gFK7v(peQ(nqw)krkg9Ym+yO|nqpDR>MiD=l#yXph}( z6@r*tR}(hS?0l!9uic@_@5N0uednqz{p}Zn5?gLNzEdLUpW3SKVhhR%zP#DevK$&n zvvKKc;LC_n|Lg0?<|0OUFUzlMf{NL5!8*5xwz#OJv3DleuZ|w@VZvHRC0K1{`Bwh9 zk}j=y}OT8ghZWBps{i{Pshu4m)1r=tdq4h?YD<%)up*piJdKyVB$R6N* zhbNfry_J7=yOIJY5Uj}~XYTSds`)|*Q{eeT-NTw?e^|Tr{Mn9_@Nc9y+?8F;VJC^N zE7`+Q(GiT__>pjG9(PoeEA;k(1ZX z&Xr*=4`_d1vR0x&ufn-jKrd=KqZ}c#Tq2>`mG3JW`*@@#(dNn@ODp)Ylo4B2H~Fl!EqD6L~&deDKa=Y*RFTcJ8uf$*VM z?F_00lf`QF9o zF;vhat_VL7jml!ha45q5L(vawmpx_dz8wxc-^wn+`6x!nusmzdRAl*`d$t3?LF~-d zjTk~;KAH4`y|_f4HG=l1DPocp;;;f4vI~35sIOAg;v-z;ju@jsWP_`bb1DH&!L)+S zOc0?!dpZ)J;S25b*mS!VA|`A;tk^mM9VTr+#G9QQfHNmav40F#w{%d zedkVj`$ISTv}lj66F{(6b$Eo=Lu?KfwP<0(-vwxh4L}LLb4S}+A9)`ygN~sJ8|=j- z=&<@i3UJR~K|?}JX_5)up=qXcXa~7A&3;R1j>~QUb6m&$XdaMZoD6WRc(iU~_0Q;> z7yNs8YxXO%Yu^LRvgh}|2gp6ga!)L4=OO2(Z`4}Y?lKVYEd+ZaR}q`3JZxt8<9!sq z(7g@?G5ZpN_9t`9(<3HLgTUe&(6n|`s!DQp$zv#fEH;RUwv>wo#*zUpf%2rr(F~di z+~n)H0M{m?p!iJ!S9uXq)^A4+1KwI?E$wO=gzy{TjVb5>1`Xg_3E z0|Ik8^JPSZ4ajxZ>Hf!sRC>%`XYBSBije|{@tWk?NeeqRg0@Z_9#nwokNseteQ$Gi z7Hk6oBQzPt_vyC#s*^mMI7oe~R2$IfZ0{JJK%RcB{Om-Sh&7v6fBTQ_50LSS5f3Kx z74Fm_lpt@j>L@`Eml52o$9&~vg}Z^1CCOYtA1=8RAsdKd{eFkXjQbdL3GKhJQ=uOF zQPBkx7gNAd)J>@+-ZZrwZZ5_f2$C$|hgC`Y7eQ?{X<3fbtp_UMrI6oJp&>_?9OI)~o8m;;?iSG2)dWT1xa|1};=J}-=7~Gs zm~jH@r#iF9s-N!DH?(rDYg0zt&{aGYMSgw7{OPF(0CMxa5~};@;fuMv3Oo1oZ~I!I z2ZkHfH(NtixsX}%mGh}fnv}W-LRRFnW|XM1Mq>a89qhR}Ng`|vapo1_GOyWO@=72GsAElceoj&W z&FZxRPouw_a~wAOuR=j#zpi5`n-CE)kL4jAeNdwGpY=SnzuEUC2bYW3Wv_l+2Rw{c z-?9HP;YV_01cC|gBp>(nVRY^}+lrL2XWiA*_sny)Rs7x>uqNl>*Se}Fg#76lFQ=Rr zuVy}G&5}>r+e4U94otGGm@sk6qoPD?60~0!xqIc+_>oPPYw(dDYO&w>N0MHWod{l( zO&eiTLTplO-J8}!%OhkmK7rk|I=XOZj2p+VGk?CFS0emgR1Z!`cFub$ZrLP)fZNTZ zLRUpQ3V&NM`@{I6ZD6M6BBG+~SFicfi#C_8J;ZC_E5K#t+;Q)`QqTQ^5@YsCje%5K z#2SEG5XLxQGZ4g0vhW8RCO$g(*|Sx!Ypx>TUwIqEDV09Y9;0<-V8II1G7A8g25uzA~3Y8)nJTVwm5>_XlDj**Mys`C%Op`nO@>b z=lm*iS{y&eBhB|XwiZKlHO-aY>ukE;Hq&`)oxgj6Z|8xqNu{XWm z)_gu&5_gRy5>W=~v_usDmSC8}hA^(c{1#2sKpA`q?)9;mNcCs~f=gr$DrHy_TkKav zvB1I>y=Op$6L&Fpe~s?{k3c4vsvlb{Jz3}_WFJ}j*$@s@H37ksp{oSlOQEXr3Bop0 z_3nOf8?Rbf6nvS`-H$xcgf9QtUzqmS{6AkA7#@~HeNNVO@i{fS!p)!ZMXdcFpzTEr zN^p#0{)w{n@3W4KqX&4;$Cy#v=->R9=e|_eZDIC%bjz4--zH*%7ha%5u`e%6x#}e~ zR1EPD=ChBH<@i9Tt7L-YAj7d=9yW@%}nHW8_S@uY1?twd!YEl9c!_U zYI=26IX1G4|I&NVpI)(N_Rh+KC0c{qb6p5AjO}Umr9KNF#bFnu0U-9Lik^T0l~6bG z%tz-IaV&J02Py9j`yAsZR9xrh7q5AX#IM4$d$cm>Y6Va2)R%U|&9PId>JJ}(`}6vB zs~_YPZ%@km3(Kg?Du#VVSI?|WKVj#8s1EHRxY1NHNu$;uUmmKO(eFYnmv^hx@9EgN zBP7-REYi;Zq&A(7^h8;F4Z^IqeK}R6Qfddf_!W$xn+8U@W@Q6OK*u6Ou;_i@U9I zZ`7z>xwZ_{#<*6{CZjbF@UT4h;E)T8CIQ`r3Punlsfw&7fO|~2zo_T31<7c6m1((8 zm2c=#G5M%HPYUsIPr?~-hu}*hO^@0ON_V;n%iRE&e79-v$VK!EW^RiQGm`0L2v1WhO{BRp+c|y zVc+%s)`_^iZTfBOM?~~&g#P*Qhj3zl(B#UEiBg+yX;;hrU3XQ*1+sob0~PNnE0@&5uu@g*Yw diff --git a/windows/access-protection/hello-for-business/images/dc-chart2.png b/windows/access-protection/hello-for-business/images/dc-chart2.png index 748a6a4c411c69cc5284eec12d7fd15d250514bb..ff99966521ec7e584f24cc7aafbf0ec09a2c400a 100644 GIT binary patch literal 10679 zcmeHtc|4Ts->}oZkP0E8)5%VgvSqE9oRVGEF_VOZv1d1xP$Wf+U8d~W_pu!m$KD__ zmdS3$mfbAO%zIB~tMk)2@8|Qp??2D;+@BBb>vCP+eY?K*^+ZoclkLFq11u~oY*&BQ zFkoTX;}5*Q+P4Gvoh^HV4*dDS-9Ym)OMcgh8DOx>?vnN;7M7yOgIiX+f$@HqpUvD^ zSolMkKR-lHE!(iLh+V&`ammOVx{xd#IZ>V%x*GG4MGOLS9XWaNzC=&QhDpZN>R;qO z_rAg13YWoNe_`~)ne`nFTomh^MEHZeLpVj!V8$CHC)n(KIXRlFOy)9wg0fdtZwzYlNni=t(Bf#rW6-uHY(>_7bfd-JO!0)mI`jVvmhNNuF=PZ5Y@4<$Zr zYHC_`otB(fCU(1-?!8C%-^-+F^F5R^IPU}}{vOy&4j9h|w}iS+IgE};pWx-d5^f#H zwB%9IYqTm4wUq8V$=;HYq5!PAUBtcHN@6d#!csq$$*Izhh6fTw168yG3>F%5!{N>I zE%WytB|a<9i2(ll{5_Q8(bqU0raiys&7=B0R%!<&VW1%(d2MDZpw|X0kKGWXu0hmq z$cMp!eWOL#U0-AI`{m>CGu$7h&9t$2 zIIn9qakpS~!kIiau8gcK8OtQ}s9$`Jfe(a`Pl*9n%)#r&-BU z3uA&%L;0fZdw_B0`Iq;ovr&M2xiZgJ8GMKuOq?6OkrkpgZcpCp$+~%OrGUCbhCgw zf9v7=1zm1KfG2ES0dD3HWLc-d||Efg$jwVk?UEPe}M|upRkLY~J^mQ*% z&T_ZJ0;R`O;ZCS-a>~X%I}ezlCqy<*|8=X`aki7Czau($ujOk*_qFxJ(M+TN^(M%; z@hhXh$?+xN-`D;x&nvSb>K~}l_5(=JxbT>-6adTsCT(#EllP!ZVA+Lx) zl=$)#9$E#<YpJQ6_fn#akf%FA_bIqf$>&(FL5S+Cgx<81J2Bn>fW=6Z4NACUy zO@Ax`i2iRuUQ~BAfuMJUvNA>^5^2`Z#tFi|N<6B2vpenNO1B!qz$2&{Rl1KsUlMyN zK1S(9sv#Jgoz-t>qKm3^G+K%5q0D5Rt*tRyOX+~nBAvcuGP1HdG|}giw&ty`U=^J< zkx0rU$)=^b@^)kmD4OBhJ-K}*dfht(Z-&7Oj~mG6sWrV4_Mtnh++CmcVvL`(ElnB0 zmC2r{zKF?tzUjxSI-J;`NaF9;wtx=jiK^p=ZYRkVSQDPY`uACO9$!7TdUTaSdSbGa zo7uX)f~nOGdr|eWY%&-%)Lz`?D^`DcLNWHL6X+bbv=$pE7q9ttIc8DtAhHs4gPv*U z30gH!gpzaCoj{*u83WfbY{u3W@_8Jo=fYPPU}K}4O}US}5RCY$Lk1oalXPg?dw$g) zqjUp6HRLXvm^oAAa5y+E*UTDfJG&3k;$~)7%lYxw8kke-L2w1qCV2ha=3&okdnQJO zE>ANu9lXt~=*U_`(wrQk-?9XaoIA79tmWJQkAg|3a^i2wYB-zIrXFgGy`c=ytT zP_%5m^^c!P^>i_c4W+q;6(sFB>o8DS4n;L@)XiDeKT|cIV6WFyF}eO4Tcl98_l0NQ zOYV^#S*3NsjV@k@l(x?@I4NyFiBzf0t&XjPN_jJgYSG^43CO)G1*uq=Mj19dw*gPA z-3bI39==L@%cB8r2S?1eq(rK3&L{A}WU3`bonq$#dJ>SXN&I0-1AWU!>*IcDSD5pe z!9HH_D&QAG+mt-y4ugY!JphGR$7>nO4Z~z?WT$MX#^*c?WGbQNE9Wc=U4(){YKH?X zO&vGeNRjX(l+bX^V(NO{hHn*`7)zi1*s+LpUrikq-oks<$3>y|-ZtC9&085iud!`u zqTKAb4C?OmYqvwsJV8&r_Y(H3(EuHX_BZkOppf*JtFtb61CMsw-5^dp6tFVah-Ej= z*%1<0d|zxvO{IYF-0o9zSwf&-x}AV8t#7G#V?BpVFVeGg3pGY$8~fEl3_Ui9YWj)e zb^OXOk8trkF$~w+4T)W=M+H=w5t+;9V=2LgIN9^5HscL3w(|gVYi{Pj61KOeS+@5jcW3$w?Nw3$Rs>t*|9Me} zV)|ifr!c+3%oA^{s|7tk>sDPG%pRNiw3^zStW;+Zv&T?*xh}gFIvo!G^m9s5b=>EO zCk0uyF44M7yEc^1TSgoqtAuN@a1{iU*blUeEi?3ust(!qrf`!)Q*={3#o@92HLRYG zJ_CuR(`GlQjuyvlxqmS_qeerXI_W2IYyCs>;wHUUR8i2qq|^_wzY@`AG%P9QvmCJ? zFS5L|Zswvowt=Je; zm=^y<-VXQ7r^sQ*wf3@m<{P(M`E^w9!~g*+wP$szd$|Cdl~4}Yvvx=`Cw{uP(f7$G zZky*m^@A^wM0nKu0Q+?KVBKQ9vU)kBt zbW;y^0WmaKth3|Y%UH?V6I9+=2d4L#`%7bNmfb9+rTm`2Ebe66cZaJ91&>rkx8rNq zGB+uiL^-5qe|w936C!s|qGpZz<4=4WVjeL{WpCF>>DZ?}9+Q~bujTZ=Nm-rZzK_D&aJTy+UGXidS+2)TJqmjjQnOaTK8_UvxHqt>g^a^x#64#-YTm6f zNQwCYYkcBE0VRqtG1zve{=wv)IPMYp+D!Q>A9ktxy!gXG3lOrtnWsxSMORjjlq1Rb z;E)-DEL&Uzok3S|V4<3TTPH5LnMv8X#8o%|2IRcwcgi3^g|jGdnMWBX(qXD}23#|4 zYwuI*@kBB0@!7V3+IJ3b?!S|bSa%Eir0JcoVo-_6t=)6StClQ#)R*I$Av8nv2?yS{ z@>#l>SFHxGFPyxN8(f9ec)i?XxSV0=S6jKi8#0N|poPhD`xdRf;z#ce+^S6)&vy*y_5^&!tM(dq z@LVX$B1#t9o|nT;y2kVrKkc{3(??0%FUky?+5z z%#IqdYX%Or8sJ&vy31ES@q>?HCBv{yxe*u;h(k=pV=R5>Q-M9e!qU6m_gi=Tl65YznZLj zi*Gr-tv}9RSTdm(O)|+J%F*Q zMVA#=BP$stT<8SZsi`+NOQGXxZ$7LfqO#xmBW4)ALsSH%<;3TgKtiRzY!u4BWxg^_ zt*~A6<6rho`#IS*cn&ursDqFVtgJs>Z*5|?0J!$2_1U9dw?3B(Ff=b$&crn|m;`$% z0vrr8+`!Rt{>q(_3PG3}pMbGjT*n@7`Va*qK8K?C`Yx_z+&EccT%b@?-PLS@V?9O6 z%c$wNCcSj7t+tlTxRiV{kYXU6XW7!61~^)^UwrMeCq`LP!z63bkY^oYf}ft#ak} zwB9?Sf2~_lg!Vd2jCMI0p`t%wprB(2&G&f`iqsePi=VH#VqX0$LLK9D#*1{6_Ari< z5&wc}?_A4iejuP6-7ptd-_Duu?AaTKjIXFuOc(^xl!qT(D{I^~d(0+c?qe}25`z$V zXO#229||e~%WJg;^LCW7@AX6T`3BPK*ObK2mv+B_n{#+kLEWjUnu65iUlV&X3qrX( z$9s{4deq`(2UG?O)s>k_C)>*2N9y;Rf}B68r4Ew!DwfTtN`a#LYo4B$MCo>O;@!+_ zY9WJ_dwuDg2y5_9+WE*x=TC@ZCO|Z2#LkrHte?LcG&i;N9_@NQ&jR62LYBOAS$p^X z@in$mT{e(I2V;d4NdQ$`kxw=ZbxmA1_>$9@-|q4g{yk16aq|e; zBI8KeDEPcLh7~Fk#NGM#*QY-Fx#F44xZUA;-(3W3wT4~>3p4AFhEsjpL;7tt4ypH| zmDxNf+$XyYx<9v03mM&ZW41LVFaHNke=hRI{7)oLS{$vSirddEAduSF^+3dH%jJZi z7r`r&-S1FK%WBHwmWdxvl%H=@ZCdF1ptfdI(loZ@((x2Qz@67!o13hF1(K=r)77vZ zb=7*>%0{(wor=8j^18g*7P-CUjdm(HLZZ1jc76a-e(q!VE#1=tB~^bn3Z?>(F}>tX z8lX%jIaT7ZpohC5ol+K_;dk#vS1VJR0(p2tP>F)NA&yoq^|sE@d*v9 zBlIm=A?j2eL)PBjtgjO8sMng}WTS3aE4slNr80D2J4-Z^tr>xl*9~CJ$GKXgj$^al zOx?AiRow`ON5tUgDZXb;MYuTx*4) zh;=b)kG<9nc|Y_MI+{1O4LI~{v4sR`#bQTwgtZa2XHAgr*q-@)=zLQQ7U|`8yUX(j`OW45xf50c4DTIKCPiek~&ye zvyM3JU}o9cjvYp!aFv&~g1bz(@y)F4XL~7QV>qLM&J;HkOq3H}&J8!;zDc!y8RPWu z3Cbd4wtun8s3v4j+77uJ?z!e3N)u?j(uN}k?Q$Biyw;_+=c`Ee*K0O#Lgl#5g@<6~ z48~@?Ja!k9&cp-_)-0Xb?OoDH!1Dq(6cfX#0#BYoQjmjQ6h6pj-| zQ*yA`w`I3VByM)f5xqSzQeMU_8kmJgbKV|~1vq!@wS(!U``RT$PAnMXQO!q-mQVZ1 zMJ;Hrqj00qDt!C5bI5FD`N(1@V6m+z3j@|UhOE&qsGK2>PA61Of3%uE&`v9}oZs)4 z^FE<=F98JHZAMoLth3F`b?r zB6v;%$fJ7N+5%;iT`lquZ4N2e6_ET}?e=Z3?NAAEP^<@~_)aycM2HtB9S z3U8M<(~Z&b&a1RQpqVMkh4&wmIBZhT%;qL2W|2*l(>|Z-KIDPPgQ>v+Ht`^Q4|M_y zw{z=9HLqK%11>DW$8_Okz=b)sb72E9r}`0gASb7zhAOjSW9x1ClCms39DrI7$Dy-k zqC;LHaJCY_2wJ`cc>n7Iq@Ly&>(>BWaf<{1Zszm(0i(Z{PRyQXyZIQ6enBn=hF=42+yMkk*gM;ST8^G%q zwu~%Qqi^-H!`O4@h6?Hto2!!*W!$p)ynK*iJBNV|BT$%1^zH8c?IYkmW&~_tMnE?V zn_Nh%&KgJXc6sObp#48F@&DhJO-W(!{y#nsv#=aHa=`Hd`3>_^UWoZ97%-}b+}cYh zz^5C+0qX@E@XMsZ1`tP>RoOSQ-zUKKJ@Rj6{{Zl1^6CK4fMnKy-^_l4E4mnn zZ_JMTH?!Z8WdnpQX2tpK>|ewJxZ0q<_5Z(O;qPRDW`kT1_AOMiI4QK$BD6z}u zP$=*LZTVyHk4rKT4?kaJ)f2ohtNE>``fARArd|8O0PK8-h8aw zZ4yWxvK1+OoT0B?V^E0h9 zB-#{v_InUj2ng$9$BO{OkKhW9vG`P1UB=9c_R!dACB*x!tt)F^@yZEb)WGn72i#QdkA7f<8^u9TR!=L*Qr@krXVY=xU<+Qn{!YL{1yaj z&c$bgI|>BE?G)@;HL~Tb6U!#*IAv<&F_$v>i(3V;TA;VX zmoS=s#w&@@*;>2|+*Sw=gVQgPPBa;&+)@}xP5K~@*5{KKmZy{7{rW;lCh6>I2kS_S z(cFiOv$H9DTR0|XNVs@X!UK=pTzrw{?YI634Jnba@EaNs-Phi0w2!ir zMCiIaZ_^~(BWs$`8^*Jl(^I}tjmxEP5Uh_y*~ZY3QK0i4iWcedN^L_*TO}K&~girEB0h%o8J&ZyIye0H5Ur8f6tRcDI+P8 zd^)(cqF2Ow@wJmap_Dk`l(3Q)F1JSooQ8kVsjfz(yju_LIu;tDlau(6`~Y;j>#6{# zab1quAjWU;3}934T3mDBfp!V;6SWQR@VtDtaf71Y^UmC9gkQ0vGT@ykwKr#lJEnL^ zU?^6-JZLGD-Pes{V^FT?gQK(jE3F{iaN2l*(fWE1i)%pu&aw&x|6Sm-rJC`Bs!H4qg*TdxCj_mlB@iQ%< z93ekF!Hi87-6eT9NqaSVzv`{6s%vI1J;B5hbyhcUNA>=;0rpPkv(BXEE4<}$-^oX_ zD}$7gBuPF!T$^jPF50sjy-9_?nj7u2-=g(pPPnY3f6N<%Eb0C_UY+z^V>t&IR_tQX? zQHn#OVf2UaU$Lt0B~qag=l{VMTGkv&b;mf4iqA@V?~TtpU4C^X}~ZIY>RhXklh)53Vzlm_oh0VMcemc z87Y||)mp3%-0m7c4W0D~wJyKUxynfs!!(Ti0ct-C)9-bv~hWZyHJ-+wjd$m z+4|lINX>%_IuHS=6Z|~X#LtrPSs!!}(|Sz-Ozcs@$ws~L$wr!PZCm>daF72XAJq~N z=ZhU(tRyt^iF*>$CHd|?*fu^eC!6XSEr|7hFAs>o$720|svrLA3;N!35BmRmx#M~D zu2aDO>t)+C4mq#=*-3=6{&|g%=TTxOWdnPKm9p7YOn&hwnJp66R@z2En&_g%l=?_KM8zx$^h zY~+B-KmY(Bcf!`v2>_53&z)qpiTWiuO)b$N5$0rL0VwWNnHCva{mkvn0f2W&vOI4o zk^Muk?S(J^Ks8?cNF+@z`T_v*z!R3{XCpo5vT72Ct(ERdYy5l#`U#}DXJKbR3EIo+ zww#LbX!m_53G7yFc@?AJ(t=%kU7EKj`Zr~r`b|?ZvHC5g09tm1Nl8v(-UcPQE8menE2zl*K_S`jAzjzPt4jI?lj|u%baO(9cMQ5Boz;89! z-xY{ju`vnstLNp72(J%JBgMXc|9g{#%^rNX3al+skg%fzL0x)3q6P zv7z3%3$rV8D-+kwH2L7d>%u5+NRr~EvoTSQ0rgl#ftp314n$ur7QLNCA;i^N(A-Qz zY*&5yW#CkZdlmosXu5KoyTe8_4=?P@JSk@!IPb2n0Nw7b`O+3IlP4E{xL*H_1-61$ zp3ta2gcm#_VJ5OKwS%Rsf-abD1bcC#6e*EeA0-na6}6BW-8@@({6y0}20`v_awn%}tJmsc2w)kCe!m(08 z7<<`TvQfo-TJ&X|{d`iJxLP`@du(o;fr5q~T?31&#aF z|K=}Y(9iDDZP;e_P|}Brg?vYsxZ#EoVqI`3tZwXbL{LVxOyd^+{dK`_Dvn`q91rQ` zy9DIA97#rv{C4R>&ECMbr)wF!%Ap>0onGiI9_&1X_GC0j^J%3jMFrP;AYd{Rq#G%4 zBX|#X@Vk_LU#u=ETNgqp6X{(fS0?VK&eb@KjhS#3Q=ToGg6tfi)K)Bz!nsqM{8p`J zp^QFqwpLOyO~%%~Jq_B97%Qy{c18mEJM=cKJZ8CutG~Rc}vqP?Q+_Htp(kokFS%bQnq#p2i6lDTNDFo*X zt5l9a+|x&ceDuli_s6g%!s&+>Y*GV=o)k~vC(JYM@`VK+p0iM&U_G6|E9)|;R(k`N z24*v#Vf+l0O53HVo!2r*4wLY-Ml-$+MNx1FPr-NoC4?ya4@bj|3xcYHXDYq0gyBnu z`rCY2HNMcvpzTM|_j#AW^jAaHxxsdVdv?W74%H$^?J%-%I6k;2%}9`wDeY#w`h>tD zQyUDiwt2%tT-3r%bdjS>iw0?!9Y<;-b-N4~=*D^97m25T=WKXT^`fu0IPzuUY|Q5vxLvDmV!vf08xReDm3d2yWTByv8wRA30CTTBU` zG+#2M;Sr`Z)*x!9f!lYE$<$CGB_=9tIq_5(rZ0AsWolYvL};we!OLS;Lh#~S5u zu{cO8%T~jTt-b@}csF8@-9-8|T3J>IBpJaMG5c`l=Iz>;J`-@&?#wz*zk!tfh)g0` zQ>_bxKN~JW+a{+XzN{`%2A%e#wf=Vohba`O>=3uryv;<|C-zbC_Wxj*k_G1WDmCOk zI^e1p)48uN)sve14Lx+Dl@oo4Y18uKUg^eiO_ASu7{QGI+-dgg+T+FbBCDXWlWRjm z#2Yji8qvbW;$ZbZw2VK;AIYRXh;FSqz->cfS*dv51lmxjG((y;z36_XTYaSc>$@`Lmw!|H<;aOm$5dh)Qb1?fwX87^ZoufvQqe5MW7*L5=f5>3#ME}`tPf6XD}Jj! zrTxH+Gn$CdqI~ZR@y~u<5we;ba$;j^5xuRVO;$b|y;N8&C?k}Rce6(#jn-o7qTzqW z)$;xvHH(7KAP0s}slyFVZeVl1lO0iYU>rrK42tX@{qQfCs8^5iydpZ@&+Q|r<;xc* zBdxWQkNJn3aJI@aFprEaQCpJr0~IaC?;gnBjr;5`#@TP@@H>L6E)1EsTx3ry_m3QJ z`ROmpu*%%F(aVAjSmZm14w!xH!KJ2cjl7<+gRJFW33$j>`{uz8i=eTOt~eX+;QYSv zlnHHwnDMeQppz3r-(huY%}q?J zuos8d69)@x3Yn102R1yw5_l8ZxaVB^iVQKWU5{~E=caMD2b9=t*PHF2!09s&%Uk8# zFX(GO;CF;aEaay8_V+q$i^#>THJuctAFAuAhKR1w^8z<^ zv6)i6<9G6Su=1@PBlP{GPI2y_z2M#^lj)z1LUw`jixVR7Arq zt8=z{AXaukftbudt>wXqQtfye3U}&Krt4LjIGM%lJBtrS8hbRO^1(Yj6NcK62rnb;VTwiHgebT(1>P zxI{bl4L=)yRxAIJhitOQwK&U&Vu|IZNCxO#KKo1#OYj&scLZk3-0?_0+R*XiFB;CL z(!ZHSHg>OKPcI+)iMdxksfxtHyCUqUry}BN)V7x+dPM?_!I-(!caj9@Kv$Sb zUdaxb=kofnpaXr34CT1wev_Fgu{wWWK&C=MRN)@kfq{~zpid_LO|Pl1y79Zel)8Ul zr#rxi1oPAD`(wRv)CMJi9a6E+jIJD)frs3A%75Q+W+B3~Yrae+UTNRo4#$y#el|+X zZPi;xJ*je3f9-j;`(jbk(~G>p>9um*g_kHFMc$|+fyIz|6P&B@?RP>Em)&YpIt#UlLMFnFD7&90H`F|vIe^aQ_# zGWOU}p9F@RYFu@#MHeqbtZ}QY&A(O}7#nOSzmVvWeS0k9c&O|m50jDMw4s%7$yrw< zm!C_kC>>a%sg=uNn`h$CBvZ&+ef|FErukP?u3H?q>1#NNC{1dNC};&s3?diC=nu{0YRnL zKnP6)gaD!UP=x@Yw*Z0U?pWsNQP27Paqs=(K6gJ4BztA=ue|H~-nG`Z*1by?H8^(j z?`C6Tu?dB;{B$hSLoiXx-&cq*!?7NWfKmqZw3mzF5+6vjm-hDX= zSvLH4G`~AGaR1KV1$A;YcP2Pprxe|&+_Tx-LT$L7v_p^t)q*UVEad*}t^Gk`Q7~|u zE|2z0W$R=w8E@t?4AA=NazDv@(8fh>6_ZX(4Bn7%+xEG=Lgsas%@KUY?l8ocN83)f zxShS^_3P*Rr|e+}fty%?FE7Yn^6LA8i~Qy3lpEN-JI^QBKi?na;36w-hbVo%z3%*c zqVTUH_%G^oeudyT&a`lR{`oTh5xm=P{{z((=ZnhwdVElDE zA8_QO1)yT8l(U!gd{|<$q0UYn+(8^3xWV=VJK5N-{}G`7uuv30A`I^eNHN=WM#43DZRNzOX2BtlES^ss?0^&P z_i|0^{SEl}uhqCe-5{5|EV;dVSUPuasQ1ohGPx|xwl6B=#nY81M~CStXl}AqU+r|8 zr@$M${zpI~OT{i&?&BhxK&%yk_tLkSdiH@k(@rxy5hSVo5v#DdjT{N$I=+8csp4hG z4s*jRzD`|1kxOf&UuWxLA}1pE3Xe}$w)5lf9hq0C)lOjHEG<$(PR#&NOvB2uddcLp ziKog!j}(kAV1Uw6QzD|)+8*C}BWn2I+rp9(dQe}9O0^nh0c*MN2ZghS^h8`iC20bQ z1wddk6G5ixePy3?B6i$FDxA;n^#q?t2|p-fg*zqvl|1yB@<;$*nt`7cC38I%f?L{Y z$XB1!;%hp&Pj3|v!$z$_EIUix#P+>;MFb+_dUYEbiJyv++6m`Q{Z(ILBB~cd?Kgh4 z0UmK)+v&}TE)(~!KnUWDp}$iU+JIaK5xTNd(H}D8hmsGg*RV0bk;-1bMr`VJZE}?-@fgAwDz>m^7oBm2o8BvLwJsMhTNd^ znumP9?Xxg}Z-mu7Gxgk~WwtFd%YP}m{sYyVv1}pab~@u)V7kZo(g~#hQNFRAzmO+W z!w~nhKEr&__asH&!lNZ?AGB9gR_Y8a#Y}Snnffn^St*PLHX6}L*B>0cggW;uDw^q z1vp@H z`Z`6;tO^{{uSfIVic>3-;~CYq_$w(=#lTx-{h=Ks|5)z6gljjiq8OLo2+_rbZQv&&<1BL!tdH{E>IGbosSz7efxy(4XUz1v&aDHL-NQ#!*p(`6*&$l=iJ zjk%_ITqh`-Xt%ynQVvPjP=nh!p;88Au)dy@m+dj6NZC|xL{1sws z;nzR1zVt5vIZjqO>3+HRf~-y!yux&Jfp&?n{+6AU09YEvUal5mlJnvo*^)r7-MwR5lkT%0S1 z9l=-X>Ra4`frGS@Bz-qlM~N`lU>T^FbCEGjh7D$1Q_eWKKu?Y2gy-1}pthFvx)$jr zBNP2S3A|U9mdE-cSHXh(E*lQ@;{?Ipp|L2P0HM6VX$EGt0w*4y)>A`Jy|4D}kvWuf zyJyl=>LLGc)OXsIpa|CbVuQI@dhUjN#`mo@XX4uo~4XZ^jf6 z8Hi~dZxDovl}0{eG8SfP$AffToCJ3scT&_9qj?NK2G&;PDV#?kN>BH`#&n|PU+E_> z_)0BGw}|B@-t(nXa7Z`Z+6R}s(mt$0H#lkRW|XojzdRYxtO?iAIX5|yVwPR#URdXE z){TneWAC&ZQp?XnEAhcXevHUm)|nm4e;ngj<`UF(FQ5*kXy_GEXV$5kHf))FVsI<^_XjQITE5H` zZFiyM36r{+()MtbK=r?yHle-?LhvZ68D^py+uY%52ff(7ujm0J)}hp><2?aJj^YhN zkciuUE-kX z0GL25<1`qs2*bte&E}Pa>a7a+tmmze$+wRD0K3SGQ98h?$@+IzmXzY*Y^gS0g=* zfYvUq37_k1Ng=GoWSY03dIRc*?0X*b!ro0{N_`?rCT%CUy3+OxfHz2gEBZVeZJJ(L zS`K%bT^Vt4H}#(bh>NG@7lcKvy-3*U~ z&nsv3v;O=f#jU9^J+)$+XpDdX$VN7)l(Wu4iAol|d1_7p{*}@@a zcT6c`1obzbopDIN#r#P-C~nDt2z^k8AFK9x=tr;z@h5auapXckWQov@Vf@Pp9*198 zf%2#?;9A6j2Xef8F5Ku3Y0Tn?|G^C2yXi?Xey^8NBQH`(g3y#QsPQ1!6NaF`T|l+= z==MEVLvh5yQh8Xl2QFumdp*4;0bLet7eI@P!dgDvMOf=e)3HdzMi_rI8-N4KOY> z95HY~=Ywo&kll#Xn{9|i34Eo!^i+z%Cg_)P%ER=hws9)N0skLigZ|L(0q~rnLg_%%Qs+KRtwO$*U1S-RcnsAcWf(B9i5Q-flW@Z4k ze>PE$TM6i~wVKtaB1@rAQ1eT&BofHAm6bQEjGPVcKYT_!WuriK{nTn*-?b3_82XII zGUGKGQ!b(kA6|nS;LP6ErB1L%=e)vny5A@^yrVs9WEd(WAvHB@;9-VV|6Po%^2;1iE&i}FQNe^_K`$}`ER2elhi9*>Emr~p-P#P zi93z9yIn06Wb)f7*ZR7+JfAf--)uH?{2gRCIGAYdJT2Uwng0LZ0BNB*S6zO`bCFu=q3?S7lwfosV}vW z#{&@JU5!YBz08#h>3?==AMk-w{S%ac49+wi!@6%>@{*Dp^Dj1888+#OLTfRh2dFRa zzT1M>&om6fr`EH|Q0YeKsoSZ24znu;s9DlUWkltcYWIuTGSZw^h@W|bE)fOoD)(wy zg%w^tf{#aQ5(1aYPoK*lap+m}cOFFq&yEoZJrB|8iq zDE}rJ*hUc#-Bi#$d+rg7P3Ep{^~1s%yit#$ZDXs500b!J!~=Y2-kOHsgQc3-fYN70 z!w)XTRX1W#ZO0HVn11gEl8b`<$sfURZ}U%NYPudOH(JNZ7n+oBt`xu;=0qNpM~F&u ze55-|XwB?hf56vq_Vwi%)(oJmQat$B<~^MtA(fh~#0+4#GKBK)2w90@{&icXT!NqY zj)tBEmu4_2sD|P5J>%XDi3Y{*8lTGeUE8wEi;RB|Sb8a0_IRcDG&OZRtA<8HkN8Ya zrN^Hn==hW>*Tf$rcP=q6Tu>4^-c64ij&JIxj&Ja_4S zP9josp;&>28xy)|>e(iw6FH?#|+|>v{kCz&Klzi?C=M)R!bFCvPT&9VV-*ZTZ_i z&>lXDS@dWMS0(I~%R{#`QQmiE+ErchQh9<2s0%)$bC22ZezRx5|8+jshU*G@mK{UZ zu(+%d6XADqq0>~Otq>Tq$O(*nZ;DtGjp~&tV5ILsiGOG?`YRsjRcXAri)_Q?=2Jq` zPFE)uHklJh1FsOihj{0R{z;T-5IrGi!sqX+7(EzG>dkOpWGX6mj{c0`6h=tsevF>N zbZm#R$J&+>w$|G77dYGVoxw7o=nOx;6xg}Jgd=!JtbM6qU(rtgjTn?2z-mEurvoI9m3Y!MBd8%nd3Yr9&>?{i}QHMiYCZB ziseLCLr&4s6fN&fJGnLsy2Ws`r1?#l48_Jb2naalXdL%7zhrWhX_vFW8^FW$y~fAu zn*kfwEo;qMW<){6D5tYp+_86ueDKA}Cg$1vkKcw#S{Qi-__fF=r@aLCMXVg7w@${q zL9BZ1*@`PpE?T0Hbo*>ZLkA5Mwz|N%TVXl+JOT0{=rMbaB`}XbP>$otAHa()lV2q! zCNhIfxBMp|P#&=s_Qya)16Z&V2Dk$^rLX=GQ;`C~^HCDY<)(XhHWWOAuccbov|u;p zsl&~fL58s4{_u$0?j$~f^kM2#W={7+xSIB^?@}CI-|bqyF-8`tT~FsB1O0g7p5k+$ zAAusq=ng4Ukt=mt)?4?2Y5fq~W(7Vcm4)Vdb-W$%(clQ!gc%dg@wJYjAL}SI3PTkn${h**Uz6XNacRmbprX!=z zGu?NE!(fMN`nckimYM5RW90y=*G0z6?lYD&t zhIt*N4M4-(XdWB$AJI61k2q@LwPc)?V&B2clerx4+PpY|we&I}UTDdv^j1AlXu^_; zezHo9AP=%KID)m09T}as+kIBFBa&Acl+Zn*%qCGlFv*kA2S> z4Ns8cqon87AK=dW-Od38Mtv##`dd@cEGUP-IS~oWs|m#>hf|cohgeHPT<{k4s)%sE z@&f8`-YZ8Obt+W}jB-Nv526ZH3Qn0Q^RSrlsIR$E=VxY&Iq*F*>Hw=s*`?g0_Y{)> z%6P?1z5^-9-So~qQ$+yw361;r2E4r;T$wMz6XCl>6{)N}$J{Kow%!p^k8^T;RV`dO z1a~&yWQ{TEIga|@JEZeu8BRJDMslZ~h24i3R z>O*rLT*`sA@*KJGHFn>;_YtL7zy7&~<{MN&7Tb*Tp`9cw#|bwXwtwrj&$1eb92As9uB)rF zl&B;=qP<@^^OE4rm({Ku?3KGyQ| zj_&iZg|~hx(SyM&Mq~#hHp$`@k{yF9)V69zmE7pj(-ZH}ZW+$&-h*dK(1kf?ov%*5 zLfMuC4Zi}XZZfW|bBsNrAm?U8nkJb&k0N?EauEIYoWWSxT7ON;x5>p1V(Q%83YI*f zSBzaBJ8K{O8O$@|sB5{dr=6unuvkm_c7a~;NdeCHB;hMl6e_>lO?}~c3Vdg-VgFMM zzj?1p@>-NfR}})h_~NIWQ z@9l{%s4v`}&g>SS^LGnOGVs)6w%xA;P!*0>2%IBZ;;~W1H+O z^_b4{DJk)#ffsk=0LtJ$Q-+KCqRbG2d%8Hu$&6ChP~wh%^y?v1#E_QTrr`yDjzadFc)qF`Dp?y~fEY!xqZST@s7cQu2W2a-e_#ebAFv~01ay*o&;+5U43iGda;)I6 zJ&HrO6_Mn9TqpB0|nhX8+G}UYqhI=lv7Ct|WTX zSIFo3&a^o*w%TihP>VSo1-*g`dWVL08eY=!BsBNagf%kf zJ?%=9GsbM%_UWFbx*SzW+POW)CM9F+$HNHPuefFtq#F})#0^5oo`^AyR`31&4ToXU zl>*H*%C+Z8$4|%yVynas$2uuxo-wVd^OMV*4*@jDz+L%f^I)95YjN}4e|w3J^g7D- zd32v>i;?>e{PNbm=OMr^+TjTE(F6u>MuE_~8Gcv(NZriNl$TD_QZyuc-VX^rwrwma z9$1fDY$pfN&Xf+5#;REy6Wg-;L-*eMVMT8r>)zy0aFYo6;m`>9G_wiPjERtRgWQ7P zf)|nW?CX!0o^DCBkTYLHkk-rGug>NTi$phyO<}*GU?Yz*SHv>kZOvX|(t< zk7TQWB>!T${WfsC^V4-*>g+$~71@UB|8+2utw`=)#~|4<_x^L}k?lXcBFSXXncF5; WtS;BjU;a3I)r4F;m#KdF=KlgYs1Sny literal 3773 zcmb_fc{rO{+fS?BTB^&4rKm7f(Zy1wsjVsXGOe+;N=J(fs%nVRS`v~DMYj~C)+W&^ z+8R={mIj%kAyP6zg$7|_ODPkvG!jp~L_6>I&-cf7z3+Rj>pAD#&-I*p`Q5+!zRq*o z!_8SmNlOU?0;!z(!O;r@l9TPd6#gNdmsIu|N|#MBUd|4nsvaGlRM-+~?`jVMRc9!R z5%N-5G3tl&F(A;MblI~hW0D^N0&Vv?ZP1?&yIJzMFA&dM@Gf@p3g=YGRIr%E`eWjF`~PVQu4g7Vf>s zBpPEQO8#nHDaUe2x{c7?0w?<{zjI%WUB=Iy0hJ?l9WL1Gil_V!i#~ZUqdHMxDf&+Z z$Ov#x1l-`4(><0-4)co2GD|1=9v!S|`_p$_rzel|ijL%^zVh_wYYj;{^T4!|VX0oV z>xThsSj*_;6Zw0)@yET-|D-NERvgCUbh2q$61BbF*XYrsuTFVPXvzD$Czpe~-lwm% zj%rA<*AaEtUNJAJRdV0~f$}nm$kGCgQ|LC&S0&;anG(>;?_F@)Hg0Q!cjJcv+KZV`=aI2Z%M~s&3`EPWaSznZ~s zw$4?AaFX&(MOzbFuZEdV`kB({SvJ7H+KV(I!KMRM4ebcK$W0Mut+&|;n_ z%D*zVlgM^z+>y?DJLa8ECyFv6?!)?AyV|cE|^@xVOub%5u4Yv>Kouo*k z$TyI?5n#IfVug0*k8!XPoZ6i@yd>6dEhVI|EJH$7dPiPlM{E()1r>0Sg*Pi72_DNc zuoV_Rk{cyM$>zs3Vq+!5O9kRZq0j6(sa@FOvCuh9yhs{|v0tQFp$nuguuLT10FI*w zl%01I$6^a&wq6L(>BEgXqq7XyFW8%fsz|Z|tL7RoOTCihG6|z6CayY9LUNw(TVxC0 zrhke(lnFnOV=kzuYv=FCao9iP-#ki$H*@IWwUM85>81&@fS3$l@M=C{v$A;hNe!AS z3^Ev!7wWha?oFL=BQ$-9U>g1AAk7L4JMIW&mO@2S#|?7i1%BKjx6kT50X!VPDP*x| z@`H+J8|mi^2q zUXkWSyHm`CBj$zCuryY^Bc@g*rZ1wzvtb{$eIM(z+9)w#s)&o7KiP23MF;EIlT!Ie z)a51Qh6id>47}z)i%sKO>IaOr1Z4)yPquO<0xln#@Bc=?jZkmd{TkUA^=VaY5$0jU z$q5LrhgIi64@^xNbu{6e##gwe!qpgYNyvv+r|+gT$!AEsr%xHHcbW>8kItxv zmX}=HBPb5^KW{QPa0rb;K5Ne_N{+Y64)y<1p1=+N)d`^%Ew@3U?U?wIBhVAJu6W4^RMqK21Eiznew>G)1Q=eBtuP=;M-m1!e;FV@OQ@mA6?1wTM9!? z*~N#@;+WYF5x2$B-RQa_+vOL_iIVZ_o_JEGPbMl%HAN1e^Mk zFP^bfp~0xLGXecZ@3n7STkqqW#nM&=q*0Pe_U8z;u21vnVYb7xr8ZVye&S(_DE!TE z?g$$Aqj}PGAAG~iENcR3MhO<5XW5yATbSla_(4G~2*z)L?u5;q*=Y%?9u1zEtb!1T zYvh=JN26Xu7jlB{YNeKn58lHWr`omT zFHqZhHReVH`X&>TFkpptlJBHH1QbsEWB$6u);A z`0}I~g7*H6(X!pbl_h8^EB>XVxa?HWcYsFzfF3Mrho>ZjyuQ}0OQ~&`7Nc!PA5TD~ z*e{f25yh2Lu%Rao*!>bEDeB`^i^NmjYw*CjcZuc~`C2%Kwf>)tqvck$TGkH$^y|yV zXmR&}`dJh(7d+I0W4@S}BL0$0LOTS`nk{+u(Q>c~N_c$(yFwfw{Ym%uMib5KE zJxE4fQs|GF(ySs6N-7h4Aj%x0CGOQ@xRzUyg7&lhOr!j4>Ox9_amQPoy!ix$sY)`X zRR1gCvpEz)xRCuG8$Nn~>JaM?>+7mbuvtdd1eGNylpnm`Oa%HNBm&{!$I10!kqhj@ z9;&|P+1K|D`?5^fc916*JkzQmA|)+(yPl)jsEFvH?2`*5xS_e5u_baN8PeLVU`;@= zbRn|a@11Wxep&u?VVNB7XSC+^@rX9s_O2Sk8>Tbq)5jH(gx3<_iYBBGkG5sz`m!i^ zt8KjFUUtl^0o#x4X(rl509}HAz%bkoWS^l{$#;Hj3ll67%^gS+a0=`1RA=HJf`IES zw~o4RX*KE87`vpnJM&laT6qlZkkf+;%dvm!M_Nma6Dl;7IhyU8S~pv7*I;B!3nO`jys9Wx%Hx&L zkAS_Jcq(bhI<|PJ*mX871$=Zfq7N}e#oa_*JX5lhiE>{5?r$ul%&eTISRmDc^lh}& z1^Osxgy!-`@S0$=U#?3Wz~oK6woted5NtNb(Hd;U@@^-8?6^?kAy7@-Sxc--P{Ird z=8n^^Uf%V!is3>lU;=3;DU~{Sm#!s$#zPd+9d5}`<5=I@PbJ~20@#}=vt_Hb|7=Nk zU{-m=HP8O4DA4B6ZVT90qm#bS`ax5iD=v8=nu`b^57TH&t-l>jm!gVUe^V`HO;rAT zC>Yw)Tunq;U~TkpDPZ0?VWs3@pW3*n;ccJXld^ZBDJ5(8X`L{Z0m{{P}+QjpphOzarIX*XAH?jX4rRQzdcZw*cg^Um|8RpD1Bxh8lsaQWYCr^}MudnMDIy361d*mvh0vRdf`Y(E3q?R9MLMzCTG1Jmj~m-OG@f@p<5@kE+vy4{&i3{+wW9>VAkc zRo8>>`D<*vFVu-m4bS%1@Rq1kbE-QxX`Gh>USNLS;19u(Jo44Jm-zi>Xu<>w@LKuqL-@ywIPkn7|2Uq_^s z&z?fz>NyW8$#^3l*WG5XxcyE|FhaY^1z7dzwliz(jf0_16-aSDVC-=*gH!H0#V4`i z`fN*1m{Y^3qlZ$hwx(&+3^_o#p>upxUI~v8<0OtK5=ptJ>cD%5z<$%{KBbk`nTbCb57aUIMq zN#*!MvhRa4J?hrabsX3FvU>hgzKswcc!ro9V2FLq8dX+B`>1!|5{@Nz=L?*nTK3tlt6o*`vMG8S-X%IH$fM)}fXTOLjVw+|rR z1FEIbW`1lCasYJ(yG>f_o>O{Z{9!~W%w?d<@2=xJDF`H;Jlc6|2x}JGJf`T`3KB<~ ztH#&rwS`Yqu;R*k8BsICUhz5PI~N$>jQfveLs9&khA(x#UQz4m{9;B#U6iFA)~y3) z`Jxw8@JDC?MFmN3Bf3g;oVDGmD%v{EcJ~@qQ`>J17Dq_bc|xdeHko4|(^UZSA5!w6 zf!}F-VYaNj&Dc!z27w}dI3(oi0LwK?am|(IeIv=oloGko?W}QuCoMFfSmSc!fNan+ zv<|QDApE3ySurDEdXIRFvzscMLC=O3IsoIhFB24_#P(`WLG9YN8hzSFyMF0eeLN}P zmfpR`@+soNbW^buwaW_!N6e*mDnhGG1p8@|U7H z-@Eog7w7(4d!kvpAD8hPqR`qoR~NP2@OYlC@`L{1zS{l-ij|YIA_>7w*sOW!?W1fv zWm~OPK(ZBI2ZUnst(9D{6x#0#lU9lAwavquqVl*K34SVAAz1bs?K84% z;2Y>LpcZ|}M>JTlv=IZ_Ah!Be|yOO`Go$wE9BkElv?WKxIYXX81jg6U^1=*`BqSWOC)(+|Q zW`Bg`N6UMlSqAE@JvN`H`!1ui>kWM;SkK>Adpj^DX65atC5D|@ZZjZor@Eq^%4wdf z-G6Xl79@1Fz=~cg!-h*X8{7`%Un|=F;mT04$rc_LKLT+u+n6PE+C+vk#cLC8=NkCY z?PNf^pUKREl*fw$XX&8_8%F|4wYI{TWh_#{=$#jxn20)(^V^aInNNK$nW)XX75<1P ztPwdjuZruE8qdB|i?)3LG6x6zRb zkbD(ZWy11ZS~1u#l>xg9@1t!fWDGwj>cQ=Q4RvBXGd|P#X7C`wt-`-Ity=;YA4=@= zM9;EDQ|UB%AjkV*h>REh0PI{4PwT%vKKEwfN?^eL-Y~tNE&^V)f?b51W@JIl@y;Jp z`g1lOq4%PR0oD1x%Km`e&Z`rr46L_JDSq+aWZGHeh5w%+-jeq^g3m?E>;xz}3cMF2|ptqmO*P)?Ruo zaoP1=5W>E2&bwtPV8a=GBsJB&%{JVde14tNPR<*Q&@P%DZ=FQXcVl}{i=)@y#l}^N zi^qK!N^Lk;3XPsV<=8C|he;i37Uzc6!7e5poTgJ7dSl86P@Go0-oGXyp93L{e*Ta-4sI==dlNvfyo zKfP?expWafYhz+l6*CldUl40;4>~I>jpc^jsE9Bg+YbhF>)f}HC#R-#Rf$6mm~?828k#FB@G=?5a4sKKa2MoAyIW5jIa&3pY3iVh&`~Kp(fzb)83So{%wf z%VYYbhIm~(#j!7uSddI}9)8rr7?l4xpdv-6yvn{4~C+~(5G zANN*v%O!f;C$)GyeQUmgbZ|jlt2~4qk}x;~wfntVhHmc14u+jI8B^vS4WLh3L|Mc+ zw_rE8uV+@rY1>bqy62Eu@r7-g^hTDppxL<`e0N2eyK()u!idDBQB$<7Io)zTs-~+w zhR5RLv7{+eg1qY8HMy6$dSFbg;g4f&cXDcCec zEY0n~)KG;4pT|r(>Z|aPAN8sskY}Z-h+8Ax-7Pyk3*m9t{qK**`~w6;a(S(jMKq+Z;A+ zSpowLb8|_b6gZOAgX4yEt6FdYVUrD=d)+mZ?N|kq6hZs1cy?x#Iqw7U5Rg~wufUlH zHU%Dev*@NWs=l`*B$q77=$(aE4~jd~31Q<1B5GuIih)Abp#v~<-tBU%F(tyUqnKzj z^L6k`Rpy^op=?dQSm^0!Z!pae0VP6DBu(UPp>*4<$bgewO+S;FkI)C+Z92*8LSd{_ zkm_oGUoEzZ2o6{B@W~Km%kUcZFIx36kwkl+@OGWMy~%#M8ktz5t;&e&Y{{D)^y3S@ zD9K$8UUQ~bu`u*Ux@JL>w^Y(vWtrWg9}Ri^eo^s+&ASsTx&T^>h%7}dZnHl zKZX7*JY;$}CqyoQu=){k&ueI2oUy+} z;H&Nu1x5QqZJ}K z3CI{*TiYv8?!x=j=c}>|2_&i$NN%gH=F$?r&xTCzWZlJuflodeDv!nzfRNcDXOc={ z+`F-j@?(KH{YsT9JTXrPiw7orM5LEH#WKgI16CY=V-ry4U0G@v0*@b~alX00yIi=E zs>lqHw~AfvN|Waabt1=vIf1;3tw&-yQeTDB{T$gL^1TlL-_WAmV7CHrUBtZlakORP zDu>ZvclBwBjPcdm-eZ9U(2&qq!IcN**+gYb!vM*BhovPs{L2^ zL`IL+W%+UFtF>+{IZry+>Nyd`JoP1ZJk@8`VZ>&3 zdMhl zCXcvZJZu@Y<@2oP@~&rYywmAnUnG>Zy+zDOU0?PTSHLK|ELAM&A|N-9WatiQ>zBLeZ(hUFR8N1w^jHV1Xw0FX3uezB6QJ?xOu zllCZtsiDvuuwij-t|uCUv`(Tx$L;O*gY0pEi_2E8(FT&r1bNdu#FBkr)0<`PL0pi^ zIkRGa5ojq*~^K*sN&YmR6p zq0lIY_b}w~Rjf~$cmLAatvDYn4%~MR4WlS%t7}AU3xEhffwW4{)t|Hq7FO8z)9&a+wu>sSo5Bc&ckiI}x7S zg`sVnlbrAr!ePRXoARDXJy)u23Y$PZ1&|Z!`OuF>8L!)ltghJ?AWga0ts0p;M#J48 zIdsP$bZV@tJ_cTXJ;9=tJ&4Zb_8EXM{ZO&=s+N4>A6U345l3#m)P6J;ymT33*D0qHJ+&|zxt$#n}* z^-1Yd9m}==+)#;hG%gZ4pGsA5$#tlL#f3WY_>nH-loKF_vt5lUh28+$>$M(8&X&@Z z$!nQufd+&n8nvz-C7vF5U7U3(R(a~0ZTAtg>|>Y(x#V*AiOq4#=C>yuY!6TfwM@ZM^w)j zd9`zTgYhwl(U2}C*l821s!DJA;QK}0&i9k^aR@DYSjI6PJkc)Hsr+3btj%%oh)Q4t zrU3ckbPoVd^O&bO0CLektw1t26Vhr{T{mwNiW9oiG3C=(tt(!|V-6bW%!<}P8nn=>I+K4ICnG|94Zy#AI}s)j^@G!_g>yhE7YRpSt(&HUGCxV3|Yo z?0@bN?le?B4!z1aetQIY`?E%ZK~x&_`gk;>RJnEd-VeKtzc{x*-+ub~ic}(I{P+hg z$^UBctn}f&e))Ual$BMVB%jcoTdcdkS*BDC_8W9NubQ%^p)ANgVySd|MrLsCK;3nm ztP=l0_QsYC&xooe4U9toeRUQSK%os3p(5rn)Wy;v;nrZ|Eurcy)ne*Ik~3y&(gG83 zwf|EC^UIkRY&)%bmY5-qZZ`Aeq;K~Aokh&(vuKws@}K!MRq5~9VKzB%{Ku2~mDNjNvR zgpC}#61K5enwDDkrrn$)XxOZg*5~?M0BLB{7Xh`T zkI>-L2O{v5Ny{V%mR)T=#mkfZP?`WpDa$#PO2Kz2vi~W4y7zm zG03FDGe-;>temQ_Od2_?ynZ{BU}}J&!F|q< z52bH2LVjaZGh_7^BaUy3Y#mB;hosI^i;UqF%}{p^#|uF2p12NA0vVTY8tWQN@v^T} zluDxO*=P8C%b(Fg+d;W^sFbC#yF*`<)G}MTFyps_uC5ty?vOkl@83cC$;>IeBGBlztgtqpbz$arnpDkL1DXWst{Hr%iTM>sX-;LQFuvgkfM$gdd5d59>`kl$ zW=5nV-u{0$aWy4YVheWyum~8lgI&ilM_u1IFsa_Vm_0nkOMJ`EZmA3C`?lGwXT%mBc|7f(z`(Ji~>$0uzGMI)mojZUe<6k6QN%&zY{%o70y!9G`Z$zmJa22$$}=uDK&!*d33vbhm;6VP8>} zo$T$C|8sGo<~nyIm3@&EaKeV-zJeaAOl`x>AgHcDH{!W1A<7w@}-x zPuPMyQ~Fa{u5Z$kekg4_W*$k3lQM!Y8|I;`WobpATM}|4Z+E~Ileq^SW;ac!Ww_~mGJOA#QkN%=R#9Oy{1BnfUQr9PM_R~Ys4mqu=PLg2 z+e}v~_bv7K|v$sl!uV(WD^%!3<-=nM9kuQW>TP?o#tq?yCZe*kl6VF)7^ zz<0~F725i%g}iz)AWUs(+RSCd@wbubsCh4e_o=iN;q=_4gi zVzkCh&&hRKN8a9{0kz2r01_GWd*5}#ok{FX6R+vj#C3C7t>SA>0C(KRONe9(WOU`F z)kqr&@=f3FYZPjf^rJ_zQ|J8hc6q`-j<|T8S5Xm}~}4@fb(e|D65D(wHj7-H7)K4`8FP_s>c#~yT4ib zAFGEU(S-;Hd@I)@<&e6Ok&TV1+CyHvk^nLRSNn6qtpSy+U~{c$bO5*G2g{t@|MKo% zVi!tyzNFu@?(40+5n+aR%$SgK2^u}La_%O48Em!hghM~L(4x@aFP{9Ovc|}@=ffr5 zl8-;OKDK1gjV2al6U1t&0Mm!dh>{cDG0FGMauPO&tUMRorz}smd%Lh7XiW{~GKR49 zHXJKS`zfXSwCN}tb$}Ak!mGQ_PEH=RUD4nIN68MK-ePvU2bjfj6QS&1Wr=TKxAx?% zYcbT@RdOv@!t!TYuD_%=TlYNxv;+>i1V&<0T|o3niuSJr{dDjZ@ zs2ma)Z5ZtORQpAw2@w+_c(5_SbT`56`Nq78u$2!>H?+4sz2^^8wT{NxcjLs2jaM9U zpYqdz>i}3-?Z-sKdbN%S*2etr*cZmFSD40v9^)mWVXt;2$O@Uglg!xZRn?&EV?(+gn%M(~t z9QexKk5)UrkVsfp$}DoIXaKncJ3rg3b{c5FFoAvQv|MLHCaT%(2f&6)IkUFD>{h<4 zMI0*qkxErB=9s~9fRY>;sn72(U8=RJGf1OHOr9F|iK=ZlTJrcuTAr%`;?9va9c@zw zT#ic8)miI65=z$so}faiEsMpJyi4uJ_|g+K8xV2=jwK<2>%CqN=4pi|bT%|?1Ky%) z04FvdaEm?4pYuo7`-H4XJ5b7XHHYVxP@rf25rjBkt0pk2CUP(HW394Cal-!O4osSq z)YbZ1Uq7~3oG81-N9U+D4pA99zx6s?ai zW4a}&eOj6Bw)Zxhl3L1mlNIr={fqP)bvgD3|$ zfQ*qs2oLgjo3r;FtQAr{`boRje&D%!Q5E$;8(VP5;EBbWxxE{Nhl6jNPM-#qcbbwD zQ1yT(-J?*gmbw8>8Lbc?VsjOLWJ^ZCRJzh~qHV^2fN{D34?F#FRgW|rbtCW2Si{=q zA#TqAKjm9~C#4kyl?`W8oc&q^qy$KQ&ZxY}Bj%B-93|N&TcT4x1UzzGQ(xw58K^3_ z7Mv^kQ&t`fR(k*>bMnkIrDt#D%`DSE#S~Y2j?-N)$?vaseHi3(G{Yt>BQ?}6y2BLf8h|HZErUF&q7pU0wZT4 zhs=*1i-nZFO^ivOf7L5>4sDq9AW%T~l1y|+1_<7N@)XBxgY0Cp@k`+`X7G6+O7t7z zMx-}aA7tjS;IwOhJ8rSn(pthV*Os3SblyKwa2sM0#QF4rxa>!oc6wP;Aol+I$Q}Z6 z;l$JO_8rm1t6w^f8?U(^1WO-lw=+G1Zq@0m8*_Q{WretOj{!3+4trglm~A10x0-L% z1oM`}{D{wXl6%tZqio&)hAf1X-d{S{=&(y61ALlKyEnK0 z7vx1F%FPDRtZQBgM7#a7ifuS!+n% z`n^x<;?DgHzI}0lvV{&VmSR9V%-p3P$7cHQC)LmbvJOMt3Ow+i>lxAoeC{>iIPIqe z&;S1dhcHkv`9Bw5C8x69v;Aj*9iaO5eE+!!>x)b4mP?yS7ekxu-zg@`LiKK8)n0S{ zJu%$y?FW%eWzye%@5tnIVCT1xOb__fcYY_y^#6FJ8BC`LxkXTyj9kl07%a3PIvS{p Hw;uf$P;>}m literal 3770 zcmbtXdpwhU|6fUNgzlUV8S2iVgfg?6EN5=vF&z{oiR82pqP7(`I!ykmC?n(+e z3IG5=$XOOJM+jvahF$`>krrdNgRXp@uZnbHJ{!ov8nS9zZdi(<~ z)2C3GyRFbR@9ni5?*sSVsj3{Z)?FlR*3;IDIs(Pcxqtdy=s#-qut-in`~>X9%A-H# zn0BM*X5=Lz|6@8GmW_a3r1V>g65niB7WxShUoU;jbi?hp=|;Rf6}O<`JRh^8?qmb5 z@51NV#tl;3B((KL?|$-4{&UZWrl&x~^Zo(G1@hSSW|5tPcK((AgiwF^BJ8%IF;6ULe!U*7n|p;3#I&_fKX%OCta=>amr zF@m$*?H13q37;JhT^e5Ul}f!Tv{dIhPAnjs^fj4%o8FV5es^(3`H0fhn459Ofd_(h z9_-i6IL3i-(eq~J8CsP?v=Vp6Il{h1@t;Dfc(U7 z{ek3mHRi`1l-SC^NJ5LAfeP*0o?mlzkx=FF|B=~4RB5-sX5E8kfk`X5QC=YdMxYDz z{PUM^)Ufwm%_{7eG0}P22?zX^v6OlIWlnN@%IENpz$z~XyazK!EDU6(xMJXAs)tL3hvQP{uz~TCk_j(ZEIvc6(X-_6P{ZNEIEH=Sa-tbKK!ML~-Q&l7am8PB=>VEwCUro+ zW;Uv(tE6d$U^;f2_b@)^Gg)hj1dS;sC5JZPAuJ3c4->l`O#ty^sEtQ&{#X^fq8Ez& z;e^tHNx`jsDs}rf4;xuow6``$kCKsLLAUK#RFqnal?R-YIss={SZjbI|IR*4+l4gw zGsZn2O&=cJ5G9+zI>M_>LhZQBbLkk-n=YjFngpRlzlo7l)XS<9M6=XY&*?}K*?^OI67ybcAmT81sf)~1C;zUu&c~C96MvbHg&?Y8{ zUGHaku0X7*ku!bivWR=7D>T{rL39}#3K zM6~)Ip!@!N-)3%*;@`i8wRpffKvVIn8t|`#cO8mt#IhP+oMb4#MgJF^8zOXFmY(Vm{3^j&6uESfOrSlr_fDj@Lc= zz@g1A{X%35-5)-73poOl$+|9~fY)_unZNyqjEIlNZ!81nr2mN_ zK1IM3vt}BxNA;VJT3k+z%yLE*njah1=ePG%#1zDSW7rVefK8nTx(_JF*ws=Upq5u! zYb7yj6)>`JX;$2|b8sOOo@wDz^}>afgB9>8z=ryknki!_??tx-M__^EZmkadC?2oT z4&HG#QsGPcn^&mVG8vd_>nU5Ku5>4HrCSIc@V*0y{1uup&{6i)$XBU z-wjhanJKDw8~yGQZ^Qt-BgggsGSfS|@f*p&HJz1S6m&%V;F@5{SnR-NE?wc@#|oy# zJdru(5o(WEI7^#4wWNkKZQ4!gyN58dd-qID8;e$RvKG)zZ^R%^r4i@lU4M$c|HbL= zoSLfema5cD#&@w9o=8>>%7QohSps4u0a2E3gPq0S97yt$u`1; z+)NPky*6d7B*dfs8V9LIffXe{^>gp}IUx>^nVc89NWMrG6D+2)I@bZcL@9Npf~ebQ z^9<*pUb=FX+2FZgIi1|@g0vQN+KFB08)6H~D#yt2#q&WsBU*8Wd12x41Kh_4emWaB z8b}Y2PVGqWSF#x*m`J^|^ARCo3hQ~KDfo0<$CWohad+GdMFVHdB_AjtMINgze}au! z>_405{YYmglt;pk3ED1q>3T{11LRQpycM}Z1Z@r3fUWYoKJtla z@=etNm|hM?g63E7X+~WPeC9T0XxDux+5G-kr7>!h7s`1Aek2JWs)OhK4$gvIs^`aIz6rwWIV%^N^ZpD?k37R$V@>6M)g_KzG_u$n-e-7dRvy1Vr&{C7yNXfRfd9LH6Ct5^Q} zBClj0By1t_>Q8iEq%cn~g|ijcrrgp}gapWs>zCh(VBfepCfm4iB-&6W{$0H3Vymy# zmqDcp{b%1mLdSjclvmt-xmpKgc1!0Mbea+O&oKKUw=myBdKq6~kZias?#&_cch;ljSGq?iD!_ ze3PK8y;4b6ex;$r?Opk5_8REJPj5>xqq1eE?&3-tN}U?Rs*Ec-n4{_M7u> zCAiCpJ5w0YryF!RQ>2IywV_*0D2lnE;KRS)Th`Jc9rF=@J1RQY9Hfu_Qurh58YBZ3l zD_X*xVC4kkUP@$urt!bQ83{j&LSY&!Uh97HM&&0Pp|)NgZ=H2E=}3Pk0f4-JHs})W dYE(+<8uZ|3KdN-Cs#^Nq)78hN+Ua!K{{aaea$x`f diff --git a/windows/access-protection/hello-for-business/images/dc-chart5.png b/windows/access-protection/hello-for-business/images/dc-chart5.png index 19d10509165061d015ec6a57172ce59689ae611a..5671c2ecf7c99077c8583d57a8de866366b1a14f 100644 GIT binary patch literal 10982 zcmeHtcT|&E_bygO5NseyRS}RHREi+QmO(&@AVo?L=>nnmIwCL3lLd$RXF&))la&)MfZ)YepCVd7+B zU|?WTy?#xHfnl#d@cr3uJAwaSNb6C7KReuXRIV@-yyu<;8oO;SYg}evD2is@Hs1rZ z_c>p`?Z&{s6HfoPBYJw-ih)7IPxad6Ti%fQl(W%8zgHHl!tXN(-x{6R4q?~<9k<4g zp3^Ye1ufT_YzT!(RSYz|*!i@Zd3V;EdVQOVy9y-6KT6Tmv$j58`g6-SoTXZ*y9<#oc|2!tK__0;0m707?v-O@9>;K&Hokw{VI%b z3FD}u?Y`?v+mJB=dhtGz>r3;MJfQl}|Ay+|lqF}cLPB82I8}HKF+Mv^T{y_&QdwOc zbiwV(vh!lJt0AN3Hi?xkw;Wa@%w#Ng2IUx0>;Sa;nGSemwf4QiUiG$AGeN+FxqHw0 zARjai@X9n9hA0d#ehdZ7yL8k~_h7jz9SW-f;8%r*&SexPPV{vRr`+RtDS;V=zAA>3LFKyl~DqtMbutT%^o`EOJ9){Gk-ompKQ8gO>3$xs%4 zp^8Tj`w6n(mXRY5^10ctGT_@XfEI@x25!|sA_jkK2S7ohhueu}3tO{>@v9zHT~5Kw z2L!KaoSO(j323>H?rfX*Tq$9WfZF&1qJrnm z4Yms7LXbn5XWD=W2qvoDgJu*b9D+wcoQHb+?HuzY!Qc$i#I5i}s{*xYmz3%mj-yx! zz8mIeOw&jO4d+wm>5)+$Zi;WzXN`a+BgN>>PO=f3-`^u(z#1WJlGevm34g7%2X&(kbAmY*>-k;AT_%eKtEG>mJ>#5$ppsCdmiX~%B(F3Je5(6|{-kK@Smx+;K;ssS(fYl8BG#335a zrdkOjXASNt9t^|h+=?}?Y#C;b_-JHqcE^9Bh!RtOI?{$l{li{H`2qj-9w60&P45^` zeuT07ZCt!&<$bM{>({m_q@$k-S2ty(KUk~s=W$GRzExY;>k^3^Le?LvDxR8xUXtbM zdRU#!2$<4;*t6`w53y{Uba#it9i955gYdLgy$ZWH;aWQh`7NY;-}6NwV?)9l^H6<44u`Khz6!&8+8#Tqb&oE!8UFa$k(Z4_8+q*wh zC{@W+Wg*%->a|u92*$I}ED>{g#tbtaSUKw0Nk!JbgX1QY%l_iJ)c1B;5fJ&xvrs*t zzx6W4QTK@zoqWQo2G@JZ4-X3TCogYS2}((! z>Te|F$M)2ic*e-qD)epd$i(l>J?Vkj65W3<9#?16q3=Xna$>zJNFe2>7<*uwj|1 zYT(N=Bl~-+77L-o=_b>NbKNyJng?(`b5CZ6IG>jcyhlIvfswXb-d)`6DQR0@!7B+i zy?NS7oC-w_wH3Ge3fBotD#WWgg3bw@Rc8U^nyTb2ha&ixvnrkRs9821AY8^8ddZYf zeRw9BdUkI$kf=?6q%^MiO=7O~>oMnXh>QyEuF@Mk@e>CcU?c zTQx)sCxbs*@q*u(x6LYLUFR16s*i^j|a`gkLFfXT&7AO5Smt)>?;))J#kj-c@+r``O z(T|+YdVI7Wm~*VT7CGgkCG@8^3x~6FGPP4U%hXxKd9gD{n)*M zI1aPd$CGQkI;shG@tnBaJqSLE;=>kE&5HBBG&J>8P7TC_WkC%AEKx68NI7FZ9>(g= zgT$#Zv8Ixq?<2L6D94xN+ty_UlHqnwc_J>s&MUw#~o3A#T6t-1H2g;qDMeV4yqfjk2ji zOizbXSzlWdxMI!VrFCFkYBFuN?D!&x-1LMEdq+B{%2t5Je^zR#;@WhSNV|u|#R zspv;3?(<&!S|sO zht*#sG)feN={XG}cdB9M$S7J)$1B-(-kN?!?Aw7kpPA$KRt6BkxDUW~;gQ~ZgV+(1 z2(T>fG1B-+=eu_|?A~6HDL@p}{*GbMw}^HU+!BKnh+20*CN_>5-2>Q?FQ#E}`0exz zB&?CLtqXwS(c3mTv|Oh*&jZ6A{p4e>a zKH52u2zR5su+VltuP>J$d=p$;ohcHQbU{>Hyp?{DR zVI5{RaQmjYUUd@}V{($aj2{FPUqR)l=DvBTlpoYc4%rOY2d;2?Q3yd*GDoVV_!>Ya zNHm<|sL~co9GOxm50C3>^XMInEItpar7SO$cQN)YbsQ17Ppp8T>Y9&5olT9F*4`)( zqjlS7g~7{SE`lUbRlE8iDrJ4J^01eT-`d2er@H>I7y!vtBy2$aVilA)DRA%hmAiY2AW<$h z<4;Yi~c>AtqIoC6iDsc5#XjU+>m>gfW|sZX=U)oqfBv`s}gQlZI% zgpBP$vlTpg&&KMV11x<3fmvML8Hup?II@SdtAZ(Ix^>+A=$F%E+Z;&ZlP0 zg+qCRm;v>i63Efu7`u8i#)u#wqEnX_o@-+Uu^!dw+un|C*X)BSXW9LE9e8VoQYje- zf_jWmABUW9JisWav=yAnMz)_kEU0<*g45GM!t}d6UY?y|(2?!%C?Dp@j;m`Yo7T^N zq`xRJufT+WZK0yb&0EvTo&81>LUd4b(>Aq;?8r9Id5M&MTb2yq4DN1AMRSAx>M*Mf z+}gx*`A={(BHj+-iX;|j4x#U@t5;laN!|u6^Xc@jh9j%;`~!|tyN0%cNRF(stx6ph z)V~^p3+@u9n%14#m00B`)~`I4Z)d_41u5~+?rnPqs0OwaydQiqZdJ3Y$KiEnp_rGZ za-|ZVP>(SP)shFOr;0WmA?S!!Y!|x_faDUSW zyWS<&8#;%1h@zpZhC3Hq1gj{%%K{ID6H{|D!r((4wBn9v+=w#SZOrIJ4dgvLR$}wR z<5Zt>uv53DkD~d~=rHzz37cL|I@2^&Y1wyM3$;7y5ZNvwPpu6g5Rsbat-3xU+?ZD!LgwIX0GlR^)pdCTX zdc$JU=scHNBO>YS*5ZQ%HTF)xrw*8Q9ar8QrNK1cIt5CCyG)k za3Hg^!b`JgXmk8j`w``uES?gZ0fXx zROxZz9{kkvE(3kWhZX^jVjThGYZw-2L?;;b=$BiF|Jfb-;2rlA?nX{AlwoSAO^{09~9e=_% z5|CP2A-2*PagECu*v2QYVN*@m+c@fX7R19BGmu=B+{;~s96AMJQ7ye38gV0Pwog6axV_G4^?N3zA?^GetxYi|mR0?*h(nwoZ-Gw*2ap_`>6el$SSE{ccWvEIKLRm%|7;%B54B<-2tE zCrwT@W8IoFGE_^gtKWGjH$xOtjob9G(qJw=`Od(zqBZ(&@eEBZLF zt}5$~RH}=Vz-IDT-JW&`6j=vt&RAJpM9}>E0_2lO+G}L3EEORFZW->((U?5ioB{w5 z&2nZySJr#>?k+WAHwy&S9~`6T5dxQxd1k4F9m{|LkGnKElL6OYg!~5gecQg@2B}9t zVQ48q%-&B1fh$P91~bHx%FE@u%L6g(m1~=k<}YP1X0pWRcrs#?Ld4A?nht;|Em^}8 zq@|g)57Bk*6fuXqgIwChSf&~i{>2N;qRYdg7*J&_&) zCQbLwIP)wlx|K>RlTieOP1=(_%`>eH4}Rf#WuqwaUuQ30qD@f*9Zh87mZOZV0<@D{I^EoWzc zn3liTm>U6=W0mRr;LO)=ulZRK+BHV6g0AGkPn1L|{$0twiu8bu$qnT-5~&@;$1CKO z4ZxOqjZ2db8wb{3JQw6cN;1C1mMrsU-3QV~$5zxe(p~9?O??{#_dmIX8^vm#` z4Ib4Vb3KAvp$*}uz88hQ0Q4WW50bXC5FcAQ_(t3pTla4?J3NLHPY*g@0SmU6VA|Ph zP)vP=X&~a;ht)4!MKIw6DfXf6`+ z_SPiu7YL+xB_EV7&@b($Eb(#}l+A z_6R84vq)er13*bbiZWyn30d8YmN?aebNQjVUMNsau_*tOamnZJTIYJSp(neeFoKh+SLpWn?uQCCto`D=H&5n<+doOcArvhJ| z7LjZYx_~j08=vWri}BbbYf(hh5^hz(WeT{t^op}wms}$vMFw=`yycpHkDGhJjedGJ zO^tYq6{1;mQ@}4tO&uU~;^7!Yjql~@yvJ1aXL5nwtHv_~1duPMF~73|`4Ry{L$+sv zeqGGojjEM?Lyk5js-)*QIjEB0h4W*nOyg$_Z^Tj>yHc5;Dsyo{TZGI~*67oG5n|DG zl&u-Eiw9+s(y{2;R@R1WmbM5{|4iv)Unsru3#ChZW_;jrX}oo&@6EZm(|$(G-w5$G zKSCKzo(<*6@*A4}tm|4pfT8q5v-(rr z-+AMo#oq)t5I_I5LJU4XBLD;d{rFYv%6G>2XGQsu51pxj1Jpe*?Vr|~zgYTz)w~vD za@p5KGD9%eC_=QFnTkyTtuZ_AVy#_=1ti?$CxP8id2PT3UiAey*WFYP&? z>wc_lP^*y%-H?an<+ADT1P+^i=4Ov7>~@7fTNqop>r+t_OHWx=7P;%e-lWaP4m)HA z3=(t+0uFX1mM)%-S&`w1_Rn@Yr0q8z{F$Vru?z{>WLmT3KyZV86buGcX%JN&hfsAl zG=`Q>__@!tmG^cB3CRvElsV2lFO>C=sx52`n6Ootk?<*)vVTolHe?*3&L%7)c44yf z`3TJ#L@VW7a2~ucLqiq|M~?*ty29>31wNYps|884na>u0!4=d!yt8KMP6{WLd<$M6 zUfP$weYEmGS;F^({Od@PAwRQU7PocgjI*+v`ZK?%$04Hnf)>8}de!?oGm~NJ5a)z4 z|E`G;wf+^gII=S02sfBSCH!dj+6TZOTA zqUZhj-14s`H)JywELqUw%n>z!8Uw0vGYawz>1O5=&_^ui9PC1Vn)7hfur+lk)@l+s zC53FScT)ebm|S3nH`;rSE^=qxom*SWZ!Ih#*JdmdP>$QoOKGxCPxl4dE|3e$DY^o6 zgV6E~$?_~oQA`@8vWsi>s|8!63nO@rN?2f+@0G^H7qbG9oY#uZhKW0Vi`O4%XGsS> z^e)J+*x`b?Xv=iab@R;(E1}kxAJ#v}KJv5@TJ&}FPpiL0Ta}coEuFP3QCzERY2M|( z0q1dPP(HVMwQM&%n9e^wJErzRWzg8^w!S(GMmu7#fO94J!D1g*e zmo6!J13WkR7tMaR!M#bdE5`_hHrzJKr9~~~ge zg_G_t@5-`ZxI^ty5|aW~1kV?QMV@td`%9GX&{1xrqpa<&4k0J@VyK~S@wV{7BY*cJT|)I)D_sXj3*lS`73NE_j(RvX{%?T-grwF2Yfn8 z_)kP7zuS!!|3d{8Zx3kB7EK$1%yTuiZgXcAqLB@01__m179snM9e>Wma1ZK<8_UG%~;Jb=Edk5jY>>FPw6;K z+ZaUvd^(tph;(6UM9<&^6})G{Z!vIL_TT#jCwEWBt&TnwrHd*%Vw8A{9}xe3$A} z`4AN7v2dbq&TK6Eg1#drtj|#R<4N>Dw~M z!njFbb(@{^BxCVezoZmOKRGyvN9gzSvEi8@_rcQwhv%E6XIn2^)M{oAbOyLg;GK(g z*XRK}tyT40P{^PD^XFxUT>CFH#!LQ6kvOjI>}{EJKv5Z>X!*@1tapobWj?B3%2T7D zH&e)t05h^XBu18RLBNG)OHzbU?V8=#M(4DV)Cj0szrUrRx&CYROb2#{Y;*Nvzsk1e z)zKI+F1`NN$Kt5SJ?V`B<-u&LY!qQkqg`OQL^D(Oi`#292Re)K>w~+Id?A}|8GY@&;PomgR5T z%Tew+6#@MqW;O6HD<2-}WDsrii~NAAD@r!H_gwz_RvVuT?TIz<%3P&dsLwt)pQ7w>y{&!J=2c-MC~J tYyEz|lA-e4_uG^Vzy3+iHhGc8ILFIUD;l5gN?)p~f;F!dT)A`qe*v@EYnlK6 literal 3784 zcmcInXH-+!_K#9j7(^68m7*hwKB~e{B_bF=Iv5dYqQd|p1nD(V5EzuEC@3INDawch zbRb9zMGY801StYZs6lE%LJLW5{t2%4KD_n+@ZN{F*ShDPbJpGE{B}9}raL)UNr)+k zfj}S$8*57!5J*TcciAh-AJ-&~s`FpF!dm%ejw0(FB?nq3o+iyPaCtw;o#Igs=5IYB`R>83CPG5O6#rL5=ust zzI2yeDB)xKr460lR>;U#U)^>0?@0&s*895%p5WIGq)T3jujRq_D0>oe3UE}PrZuAu z<@sHFjsG!S@y$x>s9sb~UB#Agt6@rm6ios* z&;8PC@g6!V(aqcOI-2Lkp|1kj-ZB$at9vn?&<^z@F=4tP{;=hI?@zs_*!Qnn_6GZG z_=k=6Ca|2}@mAkXV|I=+)&|}(pIkyUD9h6Ng+Fv-pq*~_*XmrxhCbGJXAk9z&bGrR zmo|DfW`bPP2*6C-%RB^nkAQVVnEB!on%l`cedn3Gle&WFuv}^WJ@LepCS2Uq0UDuF z%5WI!ST0THmYs`tSnqkX>Ch(!M-PgfAd-*@`pC_I(g0jBIjsKGpdQTSx{ z1_9QARsIfm}&ou<6!F(m1=T`Rc~t^H-BO>rat3@MM3i*=~gSp!&67WwKLnb9-ifq`ggpDs1r52we3tZ=4fY zqKwKijOJW8hSLzRof-H5yKj&S8F$OL@Kuv&G_7ua|GM-IT_k3=wJvQ@EZ&Wiz0vp` z5MdHFS9yriK-3>>E$mmGmuO*h#3*loxLY8lHEBjcUN8ZTK=lMc4Fc&T!~YdQLv1jC zOSttXpX!gk_Cqfsb@;s84C__JE?eY`xj2A~>euTQKDdm2_07DvA`(YN;zM%~ss=wpcRP{lVqADIu)7;@H- z?Zk$hIY}aCT)YS+M*@Yx_9`0Ff6s4WE1jDDf&ZRrfIOXN1T@%OA{x;==p2Ld9e+Pz zV~#^R!hNr8@^0q!YGcr~WZwBA+LJgdGhTOGZL#pA&y|5n7!41?5Y>XGz11WtruMUIlv@|))jXAUy*K4bG^x9MdJ$iY=hDGgZ`v0X3T?L58y7{K&2NfC10;-r8?8I5+4Rw?C34KR zoK2Lu8Q}%hTJ3!aL_4HVPwZZfLOt8w$FMCuV!o@TL2{p88|M?f+_f=<=@xg*H24W8 zE;iEQVc~RxV#*?;Fu0QXm<{ekQelaMi*}Y{uZQ0bqpQ8Iq7uQTJS#I)K#6mMI&X>T zP?dJ#%k8AO_!s0SnJF6KZMDn?#^bUGGvSob#WTKU{Qb3 zRtfFgn_OGO{_Mi)2)c3@_Nz#|>(-Qx)UJG@PNYE~l$W+*vBok$G57~IB0hb6O;Z{`H~ zTChsk#g+K1r1yO+w4bhf_U2r6Hm)gZ*s=#~3=FY07T#VVUuZr$&>a_NvQ82omQwN{qXq)?N+=M!<|MMM10-IJE9-zmjFvJ z_#lbWtP6Wf@1r1kh{eU#2CgkOSZWR^=}sreNv8@ji96D$Z(<^1QAmFv`)Rt5ye0n zpxZTn@3uiPa`CI2CwA{S;u)F8Qw~=>rlpd|GE1asEsdF32te(!ScR*N0uT5oRBoSP zr?js{-a(Ro!5_=(>d9RnKK2s2oq6? zlGQ&D)u1QB5LWdYhi;`x*cfVa{u&UVTgenU4U-2H$SCxJH#=P8LE$-g9gPMp|$%)Wvdh*=>~2bM(BsENj5H31) z&hg&=h8Ws|^%C9HnZSkSqi@&fmeG}1{w|MJWFOn>s@S`kT9q7t)n2;$t@RN?<;OE8 zdINDjGBj+4`o@`&i{Xs*V8X=Z!v+3C8u7+x9q0<{#Kg|i$2(`ytQ}#SXviHO?oA2H zORcg&(nrRC!y<{T1l-=gMJ(vZSvZe_2q9nRLv$=Tm*dfe{`5~jk~prnwOR0F?4e95 z15Y2xpb5=cODGBYfUCrxSJ;1>kN;{tc6yP2AD$T!I($bW7x3*XsU)Bi86zb4;)9?| zMLV4f55NcEZdH{zhq5QX)0P3H&Bo_UYHgHVCqGW&zdxG6$qR68jGgg`2I3i7X5cF4 zA8Fi4!!6&-Cb}Z|HCb>q{oXLo2117(t$tCKLg~-pg9hQp22$O<(-9bAPzrE&YjU3E z@H;dU)2M|n0fY$VgrnP1ya9=prS()Rd2Ubs<~y1;=>kr1zw4=^Y>l|Z0>4IrSI$2= z`_?T~n&%Gw?pPFvCh2x*HeM9i#dpw*L9PZr!Gc)G9*>Wgih`ue+sD8^;`aEtA8wUd zOCxwkpK)`@-^`t0jQ%D{j#~v95>JxyH~)m!`46Ypx!IQJ0FiaD0lCLq1lG@8z7ed- zx7ZO_#li*BuPd|0i0B~liBDI(V~9br?N%_UKIV-SV0}baC)eC{T+L6E@YAt-Tz#_!ytQcjWgAbf8f8_lu(bi7ZFz$!_S}?*=R#SaE@gN;27&dJCcXK z?EFN5UOhwui?HPWCgGiQc;@^wD Date: Fri, 20 Oct 2017 18:47:59 -0700 Subject: [PATCH 07/15] Hybrid key trust On-Prem key trust Deployment Guide landing page TOC update minor types and fixes in existing content --- .../hello-adequate-domain-controllers.md | 2 +- .../hello-deployment-guide.md | 10 +- .../hello-hybrid-cert-new-install.md | 3 +- .../hello-hybrid-cert-whfb-provision.md | 8 +- .../hello-hybrid-key-new-install.md | 34 +- .../hello-hybrid-key-trust-devreg.md | 453 +----------------- .../hello-hybrid-key-trust-dirsync.md | 37 ++ .../hello-hybrid-key-trust-prereqs.md | 46 +- .../hello-hybrid-key-trust.md | 12 +- .../hello-hybrid-key-whfb-provision.md | 34 +- .../hello-hybrid-key-whfb-settings-ad.md | 54 +-- .../hello-hybrid-key-whfb-settings-adfs.md | 89 ---- ...hello-hybrid-key-whfb-settings-dir-sync.md | 58 +-- .../hello-hybrid-key-whfb-settings-pki.md | 111 +---- .../hello-hybrid-key-whfb-settings-policy.md | 71 +-- .../hello-hybrid-key-whfb-settings.md | 26 +- .../hello-planning-guide.md | 8 +- .../hello-for-business/images/createPin.png | Bin 0 -> 28388 bytes .../hello-for-business/toc.md | 15 + 19 files changed, 230 insertions(+), 841 deletions(-) create mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md delete mode 100644 windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md create mode 100644 windows/access-protection/hello-for-business/images/createPin.png diff --git a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md index 6c241b2434..1f5c6f440f 100644 --- a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 10/09/2017 +ms.date: 10/20/2017 --- # Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index 877770ddae..c202596cd4 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -6,10 +6,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 09/08/2017 +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/20/2017 --- # Windows Hello for Business Deployment Guide @@ -47,7 +47,9 @@ Hybrid deployments are for enterprises that use Azure Active Directory. On-prem The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers. Following are the various deployment guides included in this topic: +* [Hybrid Key Trust Deployment](hello-hybrid-key-trust.md) * [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md) +* [On Premises Key Trust Deployment](hello-deployment-key-trust.md) * [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md index a60357cfcf..421a89896a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- # Windows Hello for Business Certificate Trust New Installation @@ -23,7 +23,6 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Directory Synchronization](#directory-synchronization) * [Active Directory Federation Services](#active-directory-federation-services) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 744f4930a3..c9a094726b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- # Hybrid Windows Hello for Business Provisioning @@ -24,9 +24,7 @@ The Windows Hello for Business provisioning begins immediately after the user ha ![Event358](images/Event358.png) -The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**. - -![dsreg output](images/dsregcmd.png) +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. @@ -39,7 +37,7 @@ The provisioning flow proceeds to the Multi-Factor authentication portion of the After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. - +![Create a PIN during provisioning](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md index 304f4fe766..e073f952ce 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 10/09/2017 +ms.date: 10/20/2017 --- # Windows Hello for Business Key Trust New Installation @@ -23,23 +23,22 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Directory Synchronization](#directory-synchronization) * [Active Directory Federation Services](#active-directory-federation-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. -The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed with an adeqate number of Windows Server 2016 domain controllers for each site. +The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. ## Active Directory ## -Production environments should follow Active Directory best practices regarding the number and placement of domain controllers to ensure adequate authentication throughout the organization. - +This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. + Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. ### Section Review > [!div class="checklist"] -> * An adequate number of Windows Server 2016 R2 domain controllers +> * An adequate number of Windows Server 2016 domain controllers > * Minimum Windows Server 2008 R2 domain and forest functional level > * Functional networking, name resolution, and Active Directory replication @@ -73,12 +72,19 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. +> [!IMPORTANT] +> For Azure AD joined device to authenticate to and use on-premises resources, ensure you: +> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. + ### Section Review ### > [!div class="checklist"] > * Miniumum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. +> * Root certifcate authority certificate (Azure AD Joined devices). +> * Highly availalbe certificate revoication list (Azure AD Joined devices). ## Azure Active Directory ## You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. @@ -93,7 +99,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. ## Multifactor Authentication Services ## -Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA +Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. @@ -136,9 +142,11 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) -4. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -5. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) + diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 51dc7b8538..fb5bc8c75d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,5 +1,5 @@ --- -title: Configure Device Registration for Hybrid Windows Hello for Business +title: Configure Device Registration for Hybrid key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration ms.prod: w10 @@ -9,25 +9,17 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 10/09/2017 +ms.date: 10/20/2017 --- -# Configure Device Registration for Hybrid Windows Hello for Business +# Configure Device Registration for Hybrid key trust Windows Hello for Business **Applies to** - Windows 10 ->[!IMPORTANT] + >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. - -> [!IMPORTANT] -> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. - -Use this three phased approach for configuring device registration. -1. [Configure devices to register in Azure](#configure-azure-for-device-registration) -2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) -3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) +You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] > Before proceeding, you should familiarize yourself with device regisration concepts such as: @@ -42,441 +34,18 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) -## Configure Active Directory to support Azure device syncrhonization +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a checkmark. -Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema - -### Setup Active Directory Federation Services -If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. -Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. - -Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. -> [!IMPORTANT] -> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. - - -#### ADFS Web Proxy ### -Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. -Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. - -### Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). - -When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. - -### Create AD objects for AD FS Device Authentication -If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. - -![Device Registration](images/hybridct/device1.png) - -> [!NOTE] -> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. - -1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. - -![Device Registration](images/hybridct/device2.png) - -2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - - `Import-module activedirectory` - `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` -3. On the pop-up window click **Yes**. - -> [!NOTE] -> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" - -![Device Registration](images/hybridct/device3.png) - -The above PSH creates the following objects: - - -- RegisteredDevices container under the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration - -![Device Registration](images/hybridct/device4.png) - -4. Once this is done, you will see a successful completion message. - -![Device Registration](images/hybridct/device5.png) - -### Create Service Connection Point (SCP) in Active Directory -If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS -1. Open Windows PowerShell and execute the following: - - `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` - -> [!NOTE] -> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep - -![Device Registration](images/hybridct/device6.png) - -2. Provide your Azure AD global administrator credentials - - `PS C:>$aadAdminCred = Get-Credential` - -![Device Registration](images/hybridct/device7.png) - -3. Run the following PowerShell command - - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` - -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. - -The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. - -### Prepare AD for Device Write Back -To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. - -1. Open Windows PowerShell and execute the following: - - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` - -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format - -The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name - -- RegisteredDevices container in the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - -### Enable Device Write Back in Azure AD Connect -If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets - -## Configure AD FS to use Azure registered devices - -### Configure issuance of claims - -In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS). - -Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. - -> [!NOTE] -> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. -> -> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). - -The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. - -* `http://schemas.microsoft.com/ws/2012/01/accounttype` -* `http://schemas.microsoft.com/identity/claims/onpremobjectguid` -* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` - -If you have more than one verified domain name, you need to provide the following claim for computers: - -* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` - -If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers: - -* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` - -In the following sections, you find information about: - -- The values each claim should have -- How a definition would look like in AD FS - -The definition helps you to verify whether the values are present or if you need to create them. - -> [!NOTE] -> If you don't use AD FS for your on-premises federation server, follow your vendor's instructions to create the appropriate configuration to issue these claims. - -#### Issue account type claim - -**`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: - - @RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - ); - -#### Issue objectGUID of the computer account on-premises - -**`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: - - @RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - ); - -#### Issue objectSID of the computer account on-premises - -**`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: - - @RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2); - -#### Issue issuerID for computer when multiple verified domain names in Azure AD - -**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. - - @RuleName = "Issue account type with the value User when its not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http:///adfs/services/trust/" - ); - - -In the claim above, - -- `$` is the AD FS service URL -- `` is a placeholder you need to replace with one of your verified domain names in Azure AD - -For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). -To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. - -#### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) - -**`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: - - @RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - ); - -#### Helper script to create the AD FS issuance transform rules - -The following script helps you with the creation of the issuance transform rules described above. - - $multipleVerifiedDomainNames = $false - $immutableIDAlreadyIssuedforUsers = $false - $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - - $rule1 = '@RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - );' - - $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - );' - - $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2);' - - $rule4 = '' - if ($multipleVerifiedDomainNames -eq $true) { - $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" - );' - } - - $rule5 = '' - if ($immutableIDAlreadyIssuedforUsers -eq $true) { - $rule5 = '@RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - );' - } - - $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules - - $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 - - $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules - - Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString - -#### Remarks - -- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. - -- If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - - - c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] - => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); - -- If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. - -#### Configure Device Authentication in AD FS -Using an elevated PowerShell command window, configure AD FS policy by executing the following command - -`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` - -#### Check your configuration -For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work - -- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> - - read access to the AD FS service account - - read/write access to the Azure AD Connect sync AD connector account -- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> -- Container Device Registration Service DKM under the above container - -![Device Registration](images/hybridct/device8.png) - -- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration -- Configuration,CN=Services,CN=Configuration,DC=<domain> - - read/write access to the specified AD connector account name on the new object -- object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> -- object of type msDS-DeviceRegistrationService in the above container - ->[!div class="nextstepaction"] -[Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. Configure Azure Device Registration (*You are here*) -5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. Configure Azure Device Registration (*You are here*) +6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md new file mode 100644 index 0000000000..0605f7fa14 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -0,0 +1,37 @@ +--- +title: Configure Directory Synchronization for Hybrid key trust Windows Hello for Business +description: Azure Directory Syncrhonization for Hybrid Certificate Key Deployment (Windows Hello for Business) +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, syncrhonization, AADConnect +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/20/2017 +--- +# Configure Directory Synchronization for Hybrid key trust Windows Hello for Business + +**Applies to** +- Windows 10 + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. + +You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. + +## Deploy Azure AD Connect +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). + +

+ +
+ +## Follow the Windows Hello for Business hybrid key trust deployment guide +1. [Overview](hello-hybrid-cert-trust.md) +2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +4. Configure Directory Synchronization (*You are here*) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 56f1759320..d31a4393af 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -1,5 +1,5 @@ --- -title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business) +title: Hybrid Key trust Windows Hello for Business Prerequistes (Windows Hello for Business) description: Prerequisites for Hybrid Windows Hello for Business Deployments keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: w10 @@ -11,7 +11,7 @@ ms.author: mstephen localizationpriority: high ms.date: 10/20/2017 --- -# Hybrid Windows Hello for Business Prerequisites +# Hybrid Key tust Windows Hello for Business Prerequisites **Applies to** - Windows 10 @@ -32,9 +32,9 @@ The distributed systems on which these technologies were built involved several ## Directories ## Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The -A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, may not require Azure Active Directory premium subscription. +A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. -You can deploye Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. In addition to the Windows Server 2016 Active Directory schema, key trust deployments need an adequate number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. +You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. @@ -44,7 +44,6 @@ Review these requirements and those from the Windows Hello for Business planning > * Active Directory Domain Functional Level > * Active Directory Forest Functional Level > * Domain Controller version -> * Windows Server 2016 Schema > * Azure Active Directory subscription > * Correct subscription for desired features and outcomes @@ -57,6 +56,11 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. +> [!IMPORTANT] +> For Azure AD joined device to authenticate to and use on-premises resources, ensure you: +> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. + ### Section Review > [!div class="checklist"] > * Windows Server 2012 Issuing Certificate Authority @@ -67,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind ## Directory Synchronization ## The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. -Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect. ### Section Review > [!div class="checklist"] @@ -77,22 +81,20 @@ Organizations using older directory synchronization technology, such as DirSync
-## Federation ## -Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. - -The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) +## Federation with Azure ## +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated envionments, key trust deployments work in environments that have deployed [Password Syncrhonization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated envirnonments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. ### Section Review ### > [!div class="checklist"] -> * Windows Server 2016 Active Directory Federation Services -> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658) +> * Non-federated environments +> * Federated environments
## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -108,31 +110,31 @@ Organizations wanting to deploy hybrid key trust need thier domain joined device ### Section Checklist ### > [!div class="checklist"] -> * Azure Active Directory Device writeback -> * Azure Active Directory Premium subscription +> * Device Registration with Azure Device Registration
### Next Steps ### Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. -If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. +For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. -If your environment is already federated and supports Azure device registration, choose **Configure Windows Hello for Business settings**. +For federerated and non-federated environments, start with **Configure Windows Hello for Business settings**. > [!div class="op_single_selector"] > - [New Installation Baseline](hello-hybrid-key-new-install.md) -> - [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +> - [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) > - [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) 2. Prerequistes (*You are here*) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -5. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md index dbded7ce90..96aa0b240d 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md @@ -30,10 +30,7 @@ The new deployment baseline helps organizations who are moving to Azure and Offi This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. -## Federated Baseline ## -The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. - -Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +You’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] > [Prerequistes](hello-hybrid-key-trust-prereqs.md) @@ -46,6 +43,7 @@ Regardless of the baseline you choose, you’re next step is to familiarize your 1. Overview (*You are here*) 2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Device Registration](hello-hybrid-key-trust-devreg.md) -5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 744f4930a3..b37bea59bb 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,5 +1,5 @@ --- -title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business) +title: Hybrid Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Provisioning for Hybrid Windows Hello for Business Deployments keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- # Hybrid Windows Hello for Business Provisioning @@ -24,9 +24,7 @@ The Windows Hello for Business provisioning begins immediately after the user ha ![Event358](images/Event358.png) -The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **EnterpriseJoined** reads **Yes**. - -![dsreg output](images/dsregcmd.png) +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. @@ -39,7 +37,7 @@ The provisioning flow proceeds to the Multi-Factor authentication portion of the After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment. - +![Create a PIN during provisioning](images/createPin.png) The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment. * A successful single factor authentication (username and password at sign-in) @@ -47,29 +45,25 @@ The provisioning flow has all the information it needs to complete the Windows H * A fresh, successful multi-factor authentication * A validated PIN that meets the PIN complexity requirements -The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisiong application and see their desktop. While the user has completed provisioning, Azure AD Connect syncrhonizes the user's key to Active Directory. > [!IMPORTANT] -> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. +> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. +> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. - -After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. - -The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. - -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +> Microsoft is actively investigating ways to reduce the synchronization latency and delays.

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision(*You are here*)†- +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) +6. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +7. Sign-in and Provision(*You are here*) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 27eba8dd44..901edef2af 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -1,7 +1,7 @@ --- -title: Configuring Hybrid Windows Hello for Business - Active Directory (AD) -description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, ad +title: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) +description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) +keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -9,41 +9,25 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- -# Configuring Windows Hello for Business: Active Directory +# Configuring Hybrid key trust Windows Hello for Business: Active Directory **Applies to** - Windows 10 >[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) +[< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md) +[Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md) + +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ### Creating Security Groups -Windows Hello for Business uses several security groups to simplify the deployment and managment. - -> [!Important] -> If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller. - -#### Create the KeyCredential Admins Security Group - -Azure Active Directory Connect synchronizes the public key on the user object created during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the Azure AD Connect service can add and remove keys as part of its normal workflow. - -Sign-in a domain controller or management workstation with *Domain Admin* equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advance Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **KeyCredential Admins** in the **Group Name** text box. -6. Click **OK**. +Windows Hello for Business uses a security group to simplify the deployment and managment. #### Create the Windows Hello for Business Users Security Group @@ -61,21 +45,21 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva ### Section Review > [!div class="checklist"] -> * Create the KeyCredential Admins Security group (optional) > * Create the Windows Hello for Business Users group >[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) +[< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md) +[Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings: Active Directory (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. Configure Windows Hello for Business settings: Active Directory (*You are here*) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md deleted file mode 100644 index e68276a09e..0000000000 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-adfs.md +++ /dev/null @@ -1,89 +0,0 @@ ---- -title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS) -description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -localizationpriority: high -author: mikestephens-MS -ms.author: mstephen -ms.date: 09/08/2017 ---- -# Configure Windows Hello for Business: Active Directory Federation Services - -**Applies to** -- Windows10 - -## Federation Services - ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - ->[!div class="step-by-step"] -[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) -[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) - - -The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. - -The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. - -### Configure the Registration Authority - -Sign-in the AD FS server with *Domain Admin* equivalent credentials. - -1. Open a **Windows PowerShell** prompt. -2. Type the following command - - ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication - ``` - - -The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: ->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. - -This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. - ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - - -### Group Memberships for the AD FS Service Account - -The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **Windows Hello for Business Users** group -4. Click the **Members** tab and click **Add** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Restart the AD FS server. - -### Section Review -> [!div class="checklist"] -> * Configure the registration authority -> * Update group memberships for the AD FS service account - - ->[!div class="step-by-step"] -[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) -[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) - -

- -
- -## Follow the Windows Hello for Business hybrid certificate trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings: AD FS (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 084999e656..69700ebc4b 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -1,7 +1,7 @@ --- -title: Configuring Hybrid Windows Hello for Business - Directory Synchronization -description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect +title: Configuring Hybrid key trust Windows Hello for Business - Directory Synchronization +description: Configuring Hybrid key trust Windows Hello for Business - Directory Synchronization +keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- # Configure Hybrid Windows Hello for Business: Directory Synchronization @@ -20,45 +20,21 @@ ms.date: 09/08/2017 [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) -## Directory Syncrhonization - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +## Directory Syncrhonization + In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. - -> [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. - -### Configure Permissions for Key Syncrhonization - -Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Right-click your domain name from the navigation pane and click **Properties**. -3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). -4. Click **Advanced**. Click **Add**. Click **Select a principal**. -5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. -6. In the **Applies to** list box, select **Descendant User objects**. -7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. -9. Click **OK** three times to complete the task. - - ### Group Memberships for the Azure AD Connect Service Account -The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. +The KeyAdmins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. ->[!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. - -3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. +3. Right-click **KeyAdmins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. @@ -66,21 +42,21 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Section Review > [!div class="checklist"] -> * Configure Permissions for Key Synchronization > * Configure group membership for Azure AD Connect >[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +[< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md) +[Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 27ea8e8a47..cb21c9a8f5 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -1,7 +1,7 @@ --- -title: Configuring Hybrid Windows Hello for Business - Public Key Infrastructure (PKI) -description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI +title: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) +description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) +keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure @@ -18,15 +18,14 @@ ms.date: 09/08/2017 - Windows 10 > [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) -[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) +[< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) +[Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. -All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. +All deployments use enterprise issued certificates for domain controllers as a root of trust. ## Certifcate Templates @@ -76,81 +75,6 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. -### Enrollment Agent certificate template - -Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. - -Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. - -> [!IMPORTANT] -> Follow the procedures below based on the AD FS service account used in your environment. - -#### Creating an Enrollment Agent certificate for Group Managed Service Accounts - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority Management** console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. - -#### Creating an Enrollment Agent certificate for typical Service Acconts - -Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Close the console. - -### Creating Windows Hello for Business authentication certificate template - -During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. - -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. -14. Click on the **Apply** to save changes and close the console. - -#### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. -1. Open an elevated command prompt. -2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -Publish Templates ### Publish Certificate Templates to a Certificate Authority @@ -174,26 +98,23 @@ Sign-in to the certificate authority or management workstation with _Enterprise > [!div class="checklist"] > * Domain Controller certificate template > * Configure superseded domain controller certificate templates -> * Enrollment Agent certifcate template -> * Windows Hello for Business Authentication certificate template -> * Mark the certifcate template as Windows Hello for Business sign-in template > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates > [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) -[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) +[< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) +[Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings: PKI (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. Configure Windows Hello for Business settings: PKI (*You are here*) +7. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 2c0b6759f9..bd47b15b29 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -1,7 +1,7 @@ --- -title: Configuring Hybrid Windows Hello for Business - Group Policy -description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB +title: Configuring Hybrid key trust Windows Hello for Business - Group Policy +description: Configuring Hybrid key trust Windows Hello for Business - Group Policy +keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -9,7 +9,7 @@ ms.pagetype: security, mobile localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 09/08/2017 +ms.date: 10/20/2017 --- # Configure Hybrid Windows Hello for Business: Group Policy @@ -17,8 +17,7 @@ ms.date: 09/08/2017 - Windows 10 > [!div class="step-by-step"] -[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md) - +[< Configure PKI ](hello-hybrid-key-whfb-settings-pki.md) ## Policy Configuration @@ -32,10 +31,8 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. -Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +Hybrid Azure AD joined devices needs one Group Policy settings: * Enable Windows Hello for Business -* Use certificate for on-premises authentication -* Enable automatic enrollment of certificates ### Configure Domain Controllers for Automatic Certificate Enrollment @@ -78,21 +75,9 @@ The Enable Windows Hello for Business Group Policy setting is the configuration You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. -#### Use certificate for on-premises authentication - -The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. - -You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. - -#### Enable automatic enrollment of certificates - -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. - -The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. - #### Create the Windows Hello for Business Group Policy object -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +The Group Policy object contains the policy setting needed to trigger Windows Hello for Business provisioning. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -103,21 +88,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **User Configuration**. 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. - -#### Configure Automatic Certificate Enrollment - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. -5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client ďż˝ Auto-Enrollment** and select **Properties**. -7. Select **Enabled** from the **Configuration Model** list. -8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -9. Select the **Update certificates that use certificate templates** check box. -10. Click **OK**. Close the **Group Policy Management Editor**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. #### Configure Security in the Windows Hello for Business Group Policy object @@ -160,7 +131,10 @@ The default Windows Hello for Business enables users to enroll and use biometric ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +>[IMPORTANT] +> Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: * Require digits @@ -172,33 +146,30 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra * Require special characters * Require uppercase letters -Starting with Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. - ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review > [!div class="checklist"] > * Configure domain controllers for automatic certificate enrollment. > * Create Windows Hello for Business Group Policy object. > * Enable the Use Windows Hello for Business policy setting. -> * Enable the Use certificate for on-premises authentication policy setting. -> * Enable user automatic certificate enrollment. > * Add users or groups to the Windows Hello for Business group > [!div class="nextstepaction"] -[Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +[Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business policy settings (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. Configure Windows Hello for Business policy settings (*You are here*) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 2dbfc5fda4..38de12b175 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) +title: Configure Hybrid Windows Hello for Business key trust Settings (Windows Hello for Business) description: Configuring Windows Hello for Business Settings in Hybrid deployment keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 @@ -11,20 +11,21 @@ author: mikestephens-MS ms.author: mstephen ms.date: 09/08/2017 --- -# Configure Windows Hello for Business +# Configure Hybrid Windows Hello for Business key trust settings **Applies to** - Windows 10 > [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) +[Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +You are ready to configure your hybrid key trust environment for Windows Hello for Business. + > [!IMPORTANT] -> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. +> Ensure your environmenet meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. The configuration for Windows Hello for Business is grouped in four categories. These categories are: * [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) @@ -35,16 +36,17 @@ The configuration for Windows Hello for Business is grouped in four categories. For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) +[Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md)

-## Follow the Windows Hello for Business hybrid certificate trust deployment guide +## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) -4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings (*You are here*) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) +4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. Configure Windows Hello for Business settings (*You are here*) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 1e51ed414b..331d1f28df 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -6,8 +6,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: high +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/20/2017 --- # Planning a Windows Hello for Business Deployment @@ -70,7 +72,7 @@ It’s fundamentally important to understand which deployment model to use for a A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. -The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. +The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authentication using their certificate to any Windows Server 2008 R2 or later domain controller. diff --git a/windows/access-protection/hello-for-business/images/createPin.png b/windows/access-protection/hello-for-business/images/createPin.png new file mode 100644 index 0000000000000000000000000000000000000000..91e079fecaade5d4db80f5aa2c4bd6ce4bc5c729 GIT binary patch literal 28388 zcmeFZc{r8r_ctt32vJFyB`G4A=cyv|Oy(pr+qlV`hz3I?^Gs$oneA-|MVZ-VHc6&! z44Vv_=e)|@egA&%_x&Bm`y9{rc>Z|5e>g6C?`t@(^E}sDpS9L!t>+qQ3KV2?WCR2R z6pD9mYY`9-1rrbu_K=()AUM{*8u1hSaLi3hL5={?#jpTA9JiKLl_el}A9-ruoEUs2 zb-ruhMnFK>4E-Hzb;^B6KmhYnye+Hq$aEQVvi95n{xG0qCNVDK;H;`j82kH{3l_pH z_g-ZXKDnCq_^~YYyL%evbb8XXf?hmUDt>X!R?G1ofu@Yi@dcdg``hdIiw%l8U5E9N zqKP$&A6Dx4V@EI>hD_=nTOINBbN;hsXinXF|6Eyr3%2tFLJyAJ|F<3)fO@b`D(V&(nTTq%r)=fXv9N<_Wm8Bs!Ms_s95iG&CdI z%VSlcF|nT}Ld@B$z7&<{6&c10IgSoTi`n$BXy>RU_mk-vGe|rtvF&^Jyk@ufCaI#d1Rq z#TWSwE$1v^&j&4$%x3wMDN7aXSrz@I51^;=I)3=7bh=Vbe^x4zNpiG))sYD4Z$3?` zri^EI2r8p4dt3j_mGsvuF630OM1$wrr#f%EiU^NmuWA}^NtE;vqIbDr^W5j_EGy%$ z^K6^1v6H|)z60~~T`z9yLXb{nu_=tH@ArH$)Wuvkc;K-*;W*osY)>h^#Jll{)@*oP z#FW`@^Yuj$=lk>JPk&9;+){!5@X`N&O&m0j&~v-ZY95E*lZQR+Oc3NMrQy;Gj)@(} zxbt%OndR$F`Tk-NTGL1AUI#mKxAw&2g&vGmI;yrtFm~QLE&1@Y?b88jp$8Xh!gDF8 z20|$4<=Wfrz-=5pmO9hlqy?kY(J9Sv9jMH3Oy5X)mo)zDD*ZpVY=~&4;v=t!2mj73 zJS!@6KgELR-+kaJq!_;cv8r%*-`2(}K3J7Y;oSa-usg%$uD81!KV&c-`jNQukR{Gt zo>@Avzt((u*}{0N+}48m6VkH%JU?t)1YK&W?AA;n948xe!q0w2?_H5m)#!GKm)aTb zlCY*(QALLjd`H)h*ZZMF=hK25wo5JBJ1QN=R5UeT`w4i(@|ZYy6`R&+ae0`Lf=Bfd zwqJEfiTZfrdM3D!mMKgI??u6-u5WD2V2F_ZZ4m$`F6laou(1alHVMI*c^Xb_z4AN?Q z1+(Rrbc509A(8y6&J%_6wDi1B>Ks29Q$YhFiqRaF;JB6}oaW!sM&t0|dJTn${a|5I z(}@nPO8T{aZFRv+`Eau3*dqQek>+ur;yfhOC4SttVGN}JVt6d}h8awqqXW9~{aI}x z(duIjU$$L!p?l5=v9yIy#LW#q_KNs*U>$TEKVz8ka`>@1Vu9H-CFsvDM<@IrJCIxs zlmEZ*7gs?L=br`7D6n;e$;Un2lpn71+15%md8mE-?YD0ajAq+#2tJ%qgPHK`DkPB8 zS9JuMI&6Xs?m7hnb5yYkY)T30-DqdO^>U2ewho13dklA_!{&UihrSMG0hNCCipo`7 z4OK4*eO zR$;6>R>p0`+~@Bv+UdJ@C5dJOo3^#l^z@YKTvxIx4m+?sSK~G}iW#Q=!Z;bgdITzu)feJ^w$G6HYHI^pf^QW$PiLZp#q;-a-LgVXt3i-h6_d{R9Qw z!CFO-2C^F$XvcIO=oT; z&~*K61vNJA{=J&WKWl}{Y@3)rc}CxJ2w_6pygV91{Cgkq3Ch(;;WyF!bDQ!%yTn)H z#NgOCrD)EP?#Z1l&yL7|eTziB|_A{vU$ic>MnZ<>@z?!( zNZKRi<1U6%-M#Q%|3)B0A$lp3`jR+%xJEHPz{C4dz+3wNdeVQt=s%zTx95kKR`9~> zUe99Y2b0o=4FQR56s^7mhf=ha44=uud1;^eeIcT(g}sem+sZ!lWrA&SrElLjz*~OV zn?HQJYGK|USlC12ra2rdacUC9nttNy-`~`JeD~ByC2RME_Z0pt&F}jK5i>goihC@{ zi0Z-wuDjQLYp@Bv*h7-}d-t-`QNt$dG42a}pFH$|*4LXcfcKWV0o}5LXR`?W{ zydLJS0BhhVO-n-)KUidx$c&#?$n$?{_x_^V8$9RVEe{zs1(WfYp0Wcn_#5y zm-UnRWhIV@nhX5WasL?YQfU0wxmM~OMX5l+-$gC>dxg+l8 zR++yfrrITQnMoLy3Q|&P(_EZEb>k ze`|9vd$^#mC{w2WrM69?uZ`->T;Z@;%_9W_%ZZaDCUu;t#Tq2kP48eNQ7|9coljNg4; zgWvb3vv|jtQ-h#y9na_B+RITf|vp$n| zwgb0VJTd9L$i0Vfxo%oJ%n-2u!wQ&}%IikIS2b9$3Amead#eqT?#rVCOwLZjCFyx) z4fWjm$-oyK@np=`I9{`YTvP#`p+h{~yMmmM^e80!TN$E7Bc5&wxNQz7r`jL#V%deM87|#n^2w*>hA3!0WQr;<~K_FYvL0lq2arwm;9Jz4Xq1+n5jS zf_a`0*O&~d%=qNb9apzUEtR$_;l`rw*A*FM;*XKGyYY9riTz&gCjU51wXF|Cr-y4b zP!7AL+t`8jl{5KWUCH9hsJ4D}RKzH|ZWZFD`?MD2oa^=FzOJ~N%_%OKm@lWL_j}5n zCMQgDau2Liys{k$kZSMMQ>F6wU6}lTPWAsx5O#vmr)Q598u0T69QYcoVhf5Zr*#;G zyHyi~DpD(6F4D!!E|;U#_?2U>D++#a>k@6HghCF9QLxeSFDq~COa&Qd^7E@WelN|^ zLg+<5#pL?|qUQU0gn(eR3>fvxob;SoWU=jwz7TcJ+g8%g;`^XZ`phdZf`5S z)<9)8c7LN|wFw?cqqch0xnd(WMB=$JY*k518}Th;=?0<4?~wwGDyFX;?%-sMDONt9 z>9hB_|JN%)8tA;GZ7}j1>yW9LA1=CPAv>`nC)M9h8co7=0;nhvx^zm_d8!Z?cWi)<2#Vn)ma}U_|cNdEtZ}p>01)5&SvURXT$cs1(^X}DqEE{h0Dc=}@VYFN7 z`lV^<(|s0BKRY_>zS(jF@`g7LQ1vuH@^P|n<$u2RXT;Rk-CtX@`2^mCDvSDwd>p_% zCj|Zn1=U2Cu4d9sQzIfR`$uFA%B*I{{eCpJMZKv<{H5ArRCkdXzg5(Vd@cvmg2~X_ zg6P%)zCFJ-T*I?xa1Y}-={O0WgP9!b1KJne5OAmkZ@=Vc@*AvcP`_UL!jW3O3cTZe zy@pawC$@g(z*Z)ojwH_sudOneTd{nu(dubBfq5fbS@d5IzVBJ?&^JW$3l*L)4|o3b zf=2XKIB%f@sdtafpAi*OU-J1q{6ALjvHS&!-&dW|ce;6p-R#QS)6i$uSG@o8U#a%$ z^EKDo@@%*DHuH@G?%PP;z6Jd+_N`x8ZjY6Yj^wqYI=W z_$o-qO7Ow{xE#UbArcS)E~X|qMqtWDMMzL9&vKmLQMe4re@^^sdSoi;!k&G9B^@bv zc(6Wc<<~oxSGp=pZ&B&HUlWgVu>UgWl&zUpze^z;O-Fgni`jCk0aneuEkBGr$w?JR z^;vJ2d6{pxc+Zs7Kh!gyO7CCygH{oBKFg44#NCjLcCE zdEL0tCbSgbNJgz!{NebJ*9rB`vHP6Dbmw>Lj+fqHx&82z)Ue$Pk8|-r3lr@1Z=E?V zcN_XTo^T3)CYu*8UZ@P@>vjTD>o5Xh)yf0$Qhwff-9D~AKG7zsC5t`XIwiJPSk}=J zPJe5URayequWhxrwY-Jm_ga5AmTVd-^Gt+_gxWyp;*_qwiRECSfd#Aq@3D8%5x-G*_u>Q3qWB0&83=ryxta?k2UK>j?0fxE@xvw)*L z3!GR1fMh~yrX$2VI^y}Yac2HImSqkjeB#E@oVp#r8|+9u*yQl(QvtK0jf(++uNBm) zl-o+pTmpy;j_^^q0pmA%*46#Z)3!*FZzN-@-=oxpK(H)$q}(=2lGPe4Ql1N|G}s8x zd$eDn;@s0BfL`6!)Mr_c{-X{Lh!t|{9s)%z2*r9RbYe|B;=T5kt2)bV(MxL$dze)R zMoSMeE4qUpt;|*M@p2G6FVV^wMaevByOuNTnOx+(HDZ01r=VBn0A}iG;O0dadu2Esh z)iL~9*6!Gp46!}_!j!YMZy%@&@R&s9+7k&oO*lXie5djve`I=1El*x z6|9tr_GmaG4}+1Sl@qv=_l6GgP%hIgTcaO{Po0kgsfRIo*8=0fwFG;_d%XL_r)}aWSc>md%Seg&Eu+C2H*0zlD0DLC z*^?$~wf42KGJ*%MG4k>G*=6UmS5!(?k#8SD@!-U;mmcTJ!;rSsu=9u+9Z3_Xyn{%o z-Q2osfl`Yh-yy&|bPG8pXu>@m%It45w+Q67WX5lAt76+ox5@}cELX&Ak|_G%BZ+t< zhz;{?kGnh(@jk7_b*~$K zvi%91fmkkDdAHiQW-mz%7u22(BW}8%{8eQ9(dJ5s>gsBC>V$f8&5SFWysMz?Z8~bI zFLnsNXsC)IFb7e}Jb%~)cqn&6VhWcV#^uuQ4Rn6yLi)jDq;$W}w7(j~feVJ-GQfPs z^0jS!(?NAB{$zmD#;Z>6f~yOGJW($a^#5A?<4tIFY0QDjP`)mgTfe5li1fRtE2^c^ zPL=jUT?f9x0AFjDS*iN8SFkI`3?J-@YBZl_5a~H^&r7|8GYAOA@u&O0(dj|2(M7i8 zEMcMO*y&@ikPBr(%z~anf&xWx>ZyU%+KsNV zR1*_bBkA-l5D`oYIM}IFnU?tR@$9mCYC_7a;xu)*5gy)A=(RDsb>11--pLjz@nE$) zb1D)f6voVOf@T)25fxSOKI>mNmemWP$SFEe&_2e*j7}bpa$k55z&9Xm6*`>x_V#8-*sl5?lp#z`3>P@fDzDpITU#+`r?xU@F0oZp~&8lvGz(Ml{< zZNKLc&Dv%thLKB~08Pq9=UL~CTiVZ8!Rr(QtF#q)K%;MLo*-y%MTAUL7^vBv@L5J( zb+%=kzn2+fh8ex6@l}&Wi=}^!Os#6%^`#^%_pGzKxLDC?RqKgbudKncUHjx~_a*`k z@g63)70lQPN5)pS_^KF%F~vp=@tbt9gXy!nGYR$Cl2#oT#MQWq2crj5BW@raepEH! zi%k4gjT&{~6+sz{bjxe=@=M-5r4dHR8J<%|yHL}gjyMD8P)HHVv)uj{Iy0UyJ%V;1 zSF<@KP0Lh_GR9x-DZ&D+$oyGSO!i835hvM^5>^S+;7|@Gt}4}Ffpgp!L3u38MUa^~ z-FtnchNC&CI7|G%UJ*j0XNa%}!-{;#JBQPe(v(H&EFH|p<-VT<_TnWMn~nxKS1h<& zm06Tj)AuBKz3}D>Xl~{BhkBz;T1>k}ANZ0TY%egcb)(X@T=F^*LJ}>TEc@uC# z)Mg|iAYnOhSy%JubuG`5OmC^O>?6Oc!}f1rIui8Dhg^x9${qEn|JWtG?}Fl4;8<32 zi1_Wy#99FhG7B_Y6`mycGk^)VV@?HXM5^||A2$H|xy%+gj(g&rXSAsmKd&j{UHb|N z;$2pIHkXDXW#aIQ1;zDzAS+qf%|>2-biKU%XD&RzP*PxqN^cXI_fl>&Djdp1B&Nv#m4nnu$)wL;G!y5SaBDZx#kA-|Bb? zuhL~EzK75JR!1ueF5Y}_JI`D3?j@@FpWj}3BWuBUk;RlYqkRen1{=9wP^)JQ-!iDg`zkadgrH=rS; z0bfH{@*g1LU&;=7NIYIir`}(r#K}ZB_q*hhIO)U4{|}xEi~zlp(;MTYJH};dC+4_Y42=p#JGM z?&~gULNj9VAD{9+p7g&le(+fpXEx1h)o>zVMOYS1Z@$Qsd-u2;i?Vq@dHeipMJ|;e)~SgWW06&<+xoBUMTVD# zG*;O<{SUvKYd}AGH?lrLYxQF{+3GMPQz<<2E99zQq9zHv{uJNKQ}!mT`$TPB)P%yCqge$T

UEX95*xcQP1%+mgNunB{7w!+K}sR?0;}}txUKw$4CzhS^RG5>^|V2=j(obQ zrt}9#Q3Lis=e>waWfrZJ_ft7JCtxst*sY)2XFi|*?fFp=vOa(;4)FYfWuD!GV8Z#p zwRr24_p7UQ+bNLS0TK@p*LZk%baMg@53-~}cfJOl?%1y1u5+SDRKr_$a>f@gkKNj1 zlU7L<8>qJzN3LpssL6ZC@w`qr1)_-#bb@vdLns;T4%TBEex(`u3-r5_oSR514__-V z*%Fxpf`TfrZxEra;|cL82Wesfoc=a&tU5tV-f{b8D}%*^-?j<5*2@izFcB|vU(ovH zaZB${ot_0x5CG1Tp!C6y$WB0u>i|gpeyFVfNUc}dMPSMn0Jp#<;OIRKjyK(Tc|QIm zvu}^F&vL~q2;T?+`kgRjUE5=C2m?}2MWbq<^T%h@kUuB@LhAewOUM$6UVu1v#k6L2 z6-elp`QyDI;u93*-+(e$>z`iICPIva{oSF4%8S8L-5_Z&?m6iPID|qEL%niyb3aP} zeu5S79jEZ5zg=%jY7&~@bG4BBd|0iTDuoGS6d#OP*nm6XJM6heOasEE8`>eATvFv zk|MEV1U-)!!UR9RK;ERfjp#b_(GoG74!&v(pxcvQmi#WTme9%p7;^@|nCrh0PcYaP z01!h#7uKUwOG$!}405r2<9^#1pV~0iu6BBXWQcX((EwNtTP8y^*l)i23bf-W*msV< z=N`mPa;!iQD67q#x)xQx+QHwgf)P?3A~B5ET_+6Ve@I}@rf&{$COsF zIUhU#j2T-2F{?3_Y;WLs@PYK1xm^;O6_RmmZK}Bwcv%UYo`D*)i$j1odQhx?4EJ+LrCrvh<+bEm=FW|8Q<95?v3Jbavc z)V;TEdbh^A(Woj~A=~SVmFe~s?EdnXl$HYA4QxY>BlWoHNZ-$KUhlqV^a1_2GU2~= zXa`BdM)KnZEvsrieqiKfUs{)_AfRwh@HfPbaZx%?Dn;RIcfZY z`fSCJX_@6&4mE*LMvu5SwEV~#x@D?jovrc z?XS1b0&(F3ET_uIVl5enGT;ToYuQh$0tO;?5Ubc}uF4yS^@y8G4VZu;%t9iETU8Ae zi%zp0@p<JVF_r<}^iMU$uETKmSQ>O!XA-if&`tW)3 zHkhgrmaGLRrX+OF7BfE*&WRSGSu*x0WUwb;T;L%ym20#%1Lh^bHh~M@0RQc$EtEYTG z^4x)C9MB{1Y(_ZCV|aY(l{aqAS!n~FY$J-y@7%4j_&yOHyCZBF`d#2wrJWzZ$CM{?y0zOX`=-Hx%LbQHvGM;0m^M*1k(V4~67StsR)wQ%|+Iv+Hv+RiaR0o9-= zEOz82*&{N6jk)fsMV%2u%ExqDuFQUCZ#4@*`g5ex4_Wp&eojV^$?>G0o>1ONmI9UL zT$PLIr-H3h{VENrozs&eut=}L=4e5lDya&KZ%7mQ+?5LZp*Pf*s(>&W!~|*t+{Z90 zaXh-tIc&DN05_>AVE$fudz*=2FkDzfO+R}#LMkWHC^cx>y_t&&DTcT%Qi~Kc<~`+s zYnDQV^+cl_jV{lO&I?o4oeXtL#rW)sG-2oc0Lbt-c}JWR0V`>!UO2H= za{x2_2Ap2Vf?jWzA^8~oTj`HTkp;K$yfvu4ZtwIq`FL5HJ9dtzZa8X_oI^zjo-sNm zuvP9$qqvADY&X$d{L9Xf2Rd&pjik@W0wUwh(~_GSdI37PRzvI8A-J=Q%pK=$Z{FT3 zaaGtzpN1{WBzUZm?r1JAyPoxY(o_F#2JJFbdR#cUf?kh_<_|7QR}1SUw0-1`)>L7*YeW!^z0IXHv=DsHD{E~PAIZc(KV zAShnA?b9yfBymrKROu?5`XP&Z{kl$?NCa(rHt zvHQ0$o|ip0YsFV<(Sva7r!RQSdJJ-qx0{IdxP!Xt`=4{t#kQpTbLk_>8+AFN=lh7l z^<%YjQ+5{}hNS#<-|r$f$eNs%$!}Z{Cf2LKL9w7k zLa{pATVzelV^Wy`Oa9=x|D$!x{y+y26(ry&oYYe6HS}B*d40M#0AC>Kro%C3V+g55 zZCp9!-u9{!gjH`$Y8+~-iGD)ZC(qY@Rd;D8Vour;jC!o4~-GS2BFUji$A#x+?ptjjIrQ+EqO2&hY4> z1*A9}rOZ>#(AIDK!QC2}AMxbQWWC>Vd?qJqF2$z%-lSdN{s#h-WVgsPIsL;5H33!bC=WtJ^*1u3?CzBg-DJOf%U-@} zW!v%cb^s)g+z1U2gGXm0Y|+dQ@ITOZR>{s|b5iBu*!lw&55O}zxT#O2mF7APYyvK% zt#Z>Kz*tw`Aa&*8H^Ruaw+r);6;Gl{@0fg}A`d=w{(8v}K|W%4@qtJ5B8N6Hg~>a_ z*Bq8?F*3R~62a9*ncT>`SalOiNL)qz=Cmt8L>Yn3P@Mpb`JAZhOL> z$cLAT^FrRZ$#%}mWnD82N6Mp&w^1tm8FLGX3kQ6!ix+Y7e)3)2RTVo!5>_ls-qBFA5bK9+;Ajhk(7CU!ef2Gt! zVP>~xWWdu>ZOzU3LY@7%Ii?W_OKQYr!jj9+75>?#4@3-3Ts?g>iod>flL>;FOHR8p@iaAx<^E_8Dh<%z5VMXTNhK=+-=zYWpFc?^h++8!`e& zfje;o2}uZ9*H8TNJE_4gsfGN`8Q@0@3zpdg~XBT1BhpeXSUYUREphhLI;;M!`y;a*i+Q=9bOQkmr79SIQIr3VP~ z{DyjF8&z`~y7eM?Fqs2L-j;4I-I6?W7vs$rl){$|lZ;VRSJ$XYsZC3iM41aj+!xOH z^DLrt(_OEA_@aRa0tJXlSy-iA5j4?MdMJ|}r#`|V)j#dz1ZVETIe*FPdNbbRkxYA; zuEa(ZIV->Ei`%G4!IO;c8g@y~LjHPB@?h@+49MvwV+Y+JepX79lv)J!tkBVv%zRMK z{45Eg?GzB~4osDQ?Q`@ZdJ!_YGDGFI+E9JXJ0x(G?f3Go*VVs^)NVa=AH3#@2E;ve zmfQZ2!+pV@u5J;5f~s6@?TMOCKb<^6;djV`k=3Tfpr|c)%d@HFRKpQMeR+Wdo)`2a zeWH0+{2!-(T0`3i^|jWNJxsXsNxWn0o8xC$@fR;T6+VeKRABxIy3RhxP?G-ft*~_{ z9@E02fJ-W?c__Y&_o4oWt$A_}Wce>oQU)(7AB?ZJ4d{1|Bs!##!OE)t#>slYFUW#3 z6(WUDo?JOoG&3M9KLNcFA$f3ZsShZ^>y!XF+H85*sIT*rY_PUpnM zd9%aa*t)2&Cuy*ducm*^DWF$%avF_-BF>D~|VE6{2*h22U)Pp=g z0Q}`lV4yTa=kR+A$8FY7h6l_;?_j;m?sfK$_?k-V006cC@SO=o8Fb^XHNVR;USb{u zQ74uM)!~RekfJEXKrZ02HGGj=2S24(mGZ231vqd6Dv3hjG8fPI z8iB-erax-`8lDD=MA<4`*?ML`{OMOw-VNoQOXH2)gRf3PNF-gRy6$_VLvO?bpT1MB z>YBZjWo5Y{?qi=o8t9kSmJ6i%TVDS+T)2N|j(@3SVk}wu&oZw$7N$y`@(*Y_3M{l= zqUuTzJmr%n{nPun&OPbLP9Wx+d*A=W9pp3iT+fhfUtjv?cXBM_sFKyFTYtqVE|3N~ zuQt`I1CGP5=o3%{An7UyVlY*<{kgB>MO-rSbPHlYZDm5u!S3R%#Z_fR;wC`f9Uli= z6+lcDO~*HrU*Kgauf6otFO}g)S$a{CoR<1|pWkQ8Va%ioW}*#TNP3dKMRwNbGWVeR znAD0O=XUNYs9Mx;RQ7_Tce(9&^?PVp^9;(e^Yn@mplZgvsja7fkM?>iQF@oeK3MD2 z-9njrIckg>dy|LtI(6?ra))O4Nos*!k)8ieyIF!&XTnIgp)h279JT?ip#$t)1-CEk zu~a0QanPEAJMlGsiQ-6vDpt>P8^&GJ&K?faI93WYS9_FWM!Jv$FD3dnR+72% ze`(mp2~5^y8X0VtIL{~?N-dx8wceUc2rIa>{ClMQRD z?63YUthvV`x?)*+HlnY}p!AbY?FQQhno~G*i^vriMVX{?Bsj5eeTi~=M53WGBrIw? zR9GB_znG$k=sTd@JQle|buf8|Z+D*`ZQcL=_NCk+f#_4{JW%f?9BseN`{@&NVw*mW z{OJ4_&U(p%+3S|ca(l<16aPc=`-|rH&urHJk6Dle1O)0J;sy?nbM69GC;`C-?aP27 zNv`KC*BU7eCgpO&*hRn9D*Lk8QZ_J!#%As=c3$kmR~P!w9ZUu(vdI!;qaM8 zV*DT_Q)7PV+ z-xyeVb9>vQd@|i!{jYOcU-DP0ktlj?jAkm0Hf{ zDzm2^d^tv@NiRQmvcWk8LvS@#}9jBSm&-NE*%qLw4u3iRe^zpr?%Q~$xIe{zI zQSYf|X{*8nrR~H98SY1R)GTgSN1Uc%SrVrtcp4l`CDXTMF9Bvps&{F~A!(%ed)<0? z)T>rb4Db6VVZzc5qMzJTD?Zg$9x%_&R2+8iTaMaoBqwIaE2*a3*g4SoULMpE+ZcSt zd|IZSWG|xCJOE#Wo~*SxD|g64_(AHH90`jHfIy&bLU8Qm3l#wA%luj?zrRlwf5G{& zl5wn4ftfbiSG_Xc5wO?qu&;_&ISGFPD5pS7uu9@aj0rbc2o3XGSe^nh**74-D(wU|=$;BCG#Fx6x5S&9~d|MW}S-Vq10p{Zk zupKNe;2#NSK-OR>?;5L+n!i>P#h>05tuq6TU*39}WVAy1!qe#3&{-!yIZwwEEQzl; zJ)H=`ApES*YKkPszLNvf^!z0&tM7EUa7VPhsV&MH6bg0$h{_L&!OH9gIMI399H_GF z?+#9+3A=TGy#ytG$(POapyGIlD4o0oQpX*Dw`-wDB^Uvf&2`z|3m~Ae2b|n&;6OsX z9E6}m;R*5!_aSO~8DMkRJPTTDBOJ|4Dg7B*c2iJpezICIeP8@zn2J-OYx``WcxwiA!y!^ z0C|P8AftX0RFdB;GOXYO{|uW0mL0?%7v5HaHr_6F#i3f z6FM#Iw|D}zF3q>Sy}nSc3WE8X$?lB@@wxTcuT#Q^+i&B>%W*5&(``Df%PRQ}APbS_ z?XAunDz#{$APawsrbt|-y!LqA#gVtpBqodE4He<%i(n(2p|y~kr?0XgV`%`g@cSzT zIg$_je>NGwW^3es2J&AdhXLsG?mw5&YRl!K@HMD|g|e0Xxs`()agXewSU@Dds;jWN z5)o()kNQ5#RUPK-xhXoV-aM}s+GwdMT{rh_{a8IKkX?R&{x0)`1Zyb1O4;)SEsaL4 zNwGBn-jwM~JjDm`Z_+>o*@*RVPTRIm!3!Xzh=58wmxwlT*PEF4zno=Wv97x^B*!hq#l$wNH(m2ynT7M8hH%Sa20sUk@Q|;)p^qo@|FFsOWc*7Y_9zT zT+K<){HRq*#T0%L2oUoDVrrn+X|jHj&ZF@O@oatpf)51xRiYPI*P(7Fsvl!`OzaT# zyLOPkyForRL^~b_DW|Q*b@PqPQqa*Q4v6K18fdBzV%3{*Coj_{qNS)53gUneNvB7F z1E_hO-9)Qbt$L@`pOF(TJktb)@ufuez;3VVzSh5a`}ByuT<#9J+Q|>~koNkmw8C=2 zqyRM{+qBMm7OKw#^K6679r^wxs*^p|_yMSrOjhc7`&AN9I4X@4)6THNL)o2+Yu8_h z?#^d+f>t(Ka5@2-`}sO~4|0Bh416LKm$X_Luc>TkGxfviCfaZskVh!vq2?Uz14S-% zxIv>?s5Auhe^{x)+SSy9WOW?Kg~ovbow4o7gRLs7-OYu{u9P!PfLa1X3=&yY&$XrMR?Q z%xXFNE_e;pXDhKgGzM#=3f5ahh_*P4lz#Fb+>Dmsys7(OzGeEV?11L&&LOC_;aUL{ zC1+GGNl_-jP|HOV$7-+oD3jm}R_eA*wLyvZ1}LQkyH@luuz6j-tj2{ia_nkK?(h8Z zyFxqKd_thqc}!h6x>vIl1X_m5?FQOFDN75~M`mkRoL%om-R2w7so=9q@L-@z$&*76 ziv2&~oVi&1if4l|Bdd<<4yX?9H=WE`5U?NYVETbx$i*@hl6ZCK6= zsZ~ZX_Y%@6pubM2U!>TIRUu7RX5dgwc+6?Uo63K(A`P}H1D`ICu`}_VPs&NkkAbZX@a-9Lt^$oUW7kc3{JMpEZkXEe;R1_ z;u`$cSSM7QA_X>g53Wx6QY|m##Ce-`wC4hcl!(JqVc_ygJWZKTy*&2|G_E0cG_xSolZ51GX z1;lxN-VRX1GUX~T#`d9};*EwU*iS<7whj|djAc&NK>&Wy>{oTiT=&3$?{j31YN8cX z`L$RNxK17nh%xRV(4NLI{*9zCPiJh~lWdjv2RQ|ol`(X&*m_W}lZCZKg0^uL?UK%4 zWl(O?z&eku0tyCyPKtN_vL4^k?9@|Q)4LSK=02d-BQz0YR83-_);L~1phL}4?NfF| zY_U0D3s_bK#ejZrVzZ#24r&TiwviQl3*HKN7p-|e;Gp+{zq$?rSNQSv#=F%Z`YNO@ zKnRf_dUzT(Ay_zTwo$Zz6;F4u_ug&%1|@Pg_5i14bT^@O$SeR8VGR{%(c3a@nxNMp z3}kYi-E+4-S7nma(VjvYL_fu0E*o=$p`*bqb8XQYAYU4w5ZLFkLHEK_r5>UTU|1$%>V*jfd9oVPJstN*9+l&`^?>}a|GHli_ zRnF7z1ZWdmp;189<;)sP<3U}aW0YKx#Q@sfAJhtt!QV*L8~?4X$w|{aOe@$D{og5y zr(tt4DU}d9LQWGBZg|{KB3NVtsN7xw*{`lJuao^_98`x?E>(`f%EULsb~Qj~wcptl z?4txg%E-#jv9+D^0z5ho1tSFlw5NAPbHNXLe|n(Iqcl2mlt~0@XS_bhzgea5f zGWj;FHJ$1N>1&I(I@sJ76DAFuy7_THLYqBM57WVOJ-qshzAK3j8HPahODp?a$F!um z8)miJ^N!1le}~OYhO2KBy3CWjogKmLbvpT5M4j6C67B>J)Kf%`{oG|81GVYf=q$LU`xxNN#n21?eAvb}63>+3Kny9bP*b3x@K z6jkxW_vTk?>AiT>OM=C_Ou)Vmc}xP#mJNt^9{Y_m z&X|?5dg;;1QU8q9*Z#Mi;cr!J>*2>W#iCVy;7#MmLOpJ0IZG!ROM5ZH!C~c zFV?rak6HD%4v^{D^^kVAsTH2|EyKT-+4!29`bNB{osv;34lq)(bONC8xvIMYfZ#cq zJ1(T@Ed^dZo_cVn>ZucBQUiyeuL-b*kJtY)JIkB)Il9jSJti<+B_4*l2u4@N8jX05 zmS~OnyAXC0pP(CLI-bk?e^Po0?8{R|i@P74aO@rOM zCrVn;X?eyQneP-xlVUU#Q_tkx_v;nYCoKG7%M@K$P=BTvOf0%9HbQT~1~BGq3nl<8 z@j+3JOORjW`*?*DivZoQB8rOuS(&!NIYIxT0Aat_T&^z;1NqV1Xn}ISaZk04 z^kA)x+|`PSXcj?-;T{jLuP(Su4^+AhRG=>6kGA)*y9k-vQCtom zd!C_Mk#Z4N#l>jwBO~>ocb}%Qu+!)u)Sd;-Fwnc67m-anC<&B&+Ert(`+F&Ho(dn!r}NAO3O#J1 zALSy>92;;E|4P?TkmGW~vtHK>t>stuGQbu{3)NgUtbY;R!sN zij&lJu_as`FW@gMC2R(htoea*oXJjy7b9UKLG7Hd3yvJ&?W)SnSvOvW=)TEB8wgVL zuE8#-Dp)4m5Uy?e$eoit6{Fhx!YBZiGBD|PdO%u)NgwgU)&yy5Z&dBLl%4JxZ7UMJ zP!{6Welf{2e8`W|KXstU-%uJ>FQBF`JY0lK&<|I)G~|I77&qG`aSm+?rece~t3OW; z@zhbk-!A+vFvM^f`kx!O42H`|GWIai=?(%OxzDYOCVTJ378kQGBjuHZKlD`Vn29H3`~XC+ME^`0RrO{Ysm(`3 z;lhv3()IezUtyp#6=rc6@>@^?L_Oby7G6Up%&b{ANB^b(tTVNx$P3Mj6n{6{jrnkA z2s9Lc9i;msQd+VSzZ<*v-q~^?&CdZG&mvpw7T!GP=fVjIY_YA46z(%&_}H?$ef?V& zyLhPD9OZz7so(^{LI(0O7Q`3wixtdl5)7F-3tFQ6JL3^f^fw;_i>_2pJDgc)5d zTEiG;LO0F$J5OZ0DC3u{hU~ zE|f9TgPK*GG3-vrp4DAcpYEaX9N(5-Y~+rdRYVVM4f@(A!I-$t{PCi1UJf38jgBaX zeJK{Fushj@!E55-r+hI*TDWq4#K&9WF-V^*51HudYocggr3)2ABcPDK--4h#$PeO& zi_-x>`(w*cWcjweZ{to+S5`|_vXZ2{jQB|70p03F>m>8m%w&Dc%^y&``353b`T5Jl z8v_F-w<^vSdi9r=YZr_ia^37tzKVIYdG$Ev!0ZbaVgRJJ&%wwur}~R5dy_8-IvJ*b z_H-j#L%y~QNH!~H(+VPg(3p1Y;pYK#rhvOJsI_GZO7~B2^0d~$sN7zZMeEiuC8q6o zPV3gJjOXuY@})aw&*)2IWYHLEbniY^EymCT*gI794z*;q3~4TxwqKDjyVB^7p)HM! zbn#%$UXL*q&+L9aEM>VjETv7y>`U@&6<{lDspZn84yMvq%^G;-4G3w(zahnFYEOm| zQHp%H^4Ks{>`lRCnPjk%jNLMJmIz{O-`0&->%lf^9 z8ycdf+P)JwFh+CxDqsc8(E3kaj zMt;Mr$(T+gWp6b+^OB=IyFb{aRlvdYFaUuXw!qQ&mQ2(rHk7*PRJis=@v50KJ<2QZ z?%xXU6_p)_ns_EMydGu$4Qiw2dAx#Xfk`|)`Qh^8{Cbar=yUTnPds=l%5qzotJ&;F zYX;qR#sz?}s7bb6c1J20h>VWtmu4m_OE$@%PhGi{u|vl6wD%GGT(4xl3~BJ2%W#zK zf{rTtbEOw=hiy`#zuPGcFK@nx(I-vcV|X{y*M)4!W8-XPa8t3n$DWPE1eEwYdsR#q zDhO5wYdoK@%}I`-GZkMOy{TW7awF%qE=GxbbN_#}cU@6UU|TfkDCjt%v5lZI4nz@9 z90V!Sj40A;L_}1S4uW(P5*&>pqk;-Z4Mbunlbx5uy}PP)LY?0tqG(c;~8v zz8}|HZ@rKAF?_L-tlZ?@bI(0@?|pWvU-n~)MvD6xWb>{DoQ)jQSKdIZqy3|;3&klq z6u0;Q31^e2XmU78`thcCFB0MKf@>X7DTM4FbPcYZ_Y;3@V~?}#95A$me6iS$5s;^+ z-=mRb)n(qZ(@-pS%3YFGSYu}>)=qr9Q#5Ox>*&A(;;NWu9{iZQ^hoU5%e#7Qapc5} z&9sW*&D}~vA2UdOHAV*%)1}t%CWsy4YjSd5#Z1XZv@KNvv0`gk@kqe^$IZD|!Y#Ar z@a!gwGg&TJ_fWx2sb4099l>0C^8^7q$ z5AO!z@(bKWwc1ncM4aIAJIeb0nJ) zDNAR_)?4@WX;%&k=dmSpf?{?D1SsQfrcl#-Sjs9v4cSmaQco_8b8n`x1&dhxbgijOMgmv-iq>%kn_d$-_Hg#+TX0xw$?FV*IkV{XCRRl|2VuF(y} zhl-68QjaLGH8v7|ajlM0Pqs}OH|8ld7Y=z)D!6?e8LmmP2L6p1 ze5P9WlzTAFTh1y>)$9~AUyiAy#C9GJM?Db(au`x1@?qRJA~3OzMZU$kvzEJlXbVS^bKw%Bd3lhvalvXc!9)Qia631q zh$XmP@b($4r6r}IudjsgPAkc+T!S6Z6MRr-t@^$*D->4Yy4g&(`Hxnt345koH#9#h z?%ZYlCxfcbT8O4$X0)+t?vFL$K8^hYPTu{wVqa5&Ka`ha^JY&Gc;YLI@$XpdcQG0n zkT6zpI_&30kG1McIaOJu2}B21>GHZMJ15_)-6=n3b_8@zsXsmY5Nw}QWSe(Ao0 ze@&s_*5VB445mT1Wr2TGGb*Iw|7KG5pDD>JC!6bUeKOeEdaw3gV4%obz_Bsb7{r)J zL*UPYf3h*~;jyJrSbUJ7TmQq$R@NJA>;qzj-I)fB3LmfGUMg#%lm(|^w5suPF;4Yp3yu}OD?dSZe?i_tA z%P6kXceU0j|D1zC+mE-VpSzVOotRj{Q9br>ksrVviP5GS^;HNp@pA5e*ba>=)(HqP zyw2I{cH*G!6Bzx*95g%K+NNTuM4qh&II++R?7XX02n_OGeNh7AwTTme|0eA{N!be= zfLt-jGK{s1)EJTl-$BDd)JOxTe%#O`Ai`Y^F^eh+fJEs!B`2lixR)-_5wu3VErYA~ zanl{cMV3NzX$`mV{aImE?A&sgEsPun*7N>wKlyQW_ofW2rjxZnf{_^Na}m<~dy|!N zq=UiDrUW6d#US3Y))`(@ImRC!q&4UWC#<%)Kb5s(_>6X!Z&P77HC}%{hI$c!p7~Yf zQkjoQvf6EHe*AC8Jo%s!chUwL%2N2Ls@9$N>55B)x?MVcYLmJ@?TRy2W&IENF5j%l zMlwKgg@{tIwgo?R%QxWqoLb#_sUZ&Fz>d7b-ca=>)vS$0>16s^V-;FnT9} z$DK@{6wl00`1L_BzMmm4K`AT>F-MHhduH*8lvy=*4N`5W{Q21JHVak5*Em9Q^ z4*uq87jX+y;Qz|X4iwqImg0tqE*2!Ia~o#|018Dy)yos181x;R3{3-qp5&iYkn`#2 z=QJ~MGr{ls2qnmhSXs-(yC5P4o0Gr&`qys>7m_AXe)5u$7u6qi?5l!t<8WGinRywq zx=;f2g20VUhiSj>i|xKR8(>$L3`|@kU$FtxcDFF#?~0o8?rgEw7amN=rA_*?^CpxgPnvPt4$F|M`a-p!Ig9r( zbM(cXX|Ce<)Obr0GK~T8<6We%=2DVTbJuV&)3Y=L7UOg9sbTA$n!ZDJr$_`1sF!1J z%Z^daaX@*WNwy~=Zb4uI5a42P6$}F>aY<@ny7ElIq>q`$yG)ENI~Zr!0&l7McqWM*_`y5&VeDfnRVLRg)<1m8|dXI$VJCPXq= zca>SEcR)w*IDarT31u7JVyfZO*YU?9e*=uM@E&`4<*vo*_d8~4#Ysm18FzV<^?DSv zj%K)E$hyiiAMea~gu6lWgdF>0y&37Kb5p!Sl=c?nkP5E(CB3zxQl3En;^C9w4>=g5 z%0sd}O+++7-(E34!EXGY@-~NNH(w-qD-BJp?;AiVzogZ@V&i?qw6+hy?>lWEeSXQ( zgBJL*3`hR?s@o4VHT=$=4CW1BB}E*MM<+~@>U$&7hn)u_DeH&j!)C*FkN|H9Bl(J< z%meH3pAm@PJG9{4{;RVNM}~$i@y(*VOz3AOd4CwWp)gSm-Qgvp4#Gl2BLB@vy}D^z zcv=ZjQ6}??kIewke7-}3=Li%)TG+*c*;m3bi^bzF$U;(B{=?@JO%K0UY$-aG&wR>G zGUVIwS|KH?bx2ic3n0(itT6mpV2z)TL@e9*3GN5tJ?s4BRqq99HPX_1E^S5q zzFHwX<$K}cW<;I7Odrz}&F27o$rOd9LH;mb0;9^n!mUIOYlw+|YkEiC1B{s1(EHf4 zGY|N))hg~WTqfGLGWu6HnPjkxeb45ExlO?H3U?F8uHG|xvddc#U2K#tCkU$l5sQp#KIld1J+c$vqP ze>Gh@H#OT>{{s+R&XwG?mgOI(SsH|P=2bk!D@XbQ@K@V{x_!dg@M9T565BPMVHMD} zSq~DLWm*zh|i`-VcS)}dYex7Or;QG9-9A2WTa zeBm*VCcasy>tA8M6m@aT!tQye!j2ZJ7j(J9UaS8<(0i)Wr**B$YujE4F_`x-*%*vE z`_cyId(_R;C-pYhWy0syaWI&4C|2MZy3Bfo7yPTO9^8t{)F%cu@eRz0AM<|1$V$Pt z!CZ-+vmh;`In3p`s{SI5)>7?7m>Zt3Fc@9ag$80h9vzL|@luptwNN#TF7NZ>0yBJ> z!#!ueCsKLaLGbS`_-VC=T Date: Fri, 20 Oct 2017 19:01:27 -0700 Subject: [PATCH 08/15] fix to the TOC --- windows/access-protection/hello-for-business/toc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 6cd691df62..24e76f57e8 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -13,7 +13,7 @@ ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) -### Hybrid Azure AD Joined Key Trust Deployment(hello-hybrid-key-trust.md) +### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) #### [Prerequistes](hello-hybrid-key-trust-prereqs.md) #### [New Installation Baseline](hello-hybrid-key-new-install.md) #### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) From 1cddb86f87a4947499cec88e4cf350a8b2134b21 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 20 Oct 2017 19:14:43 -0700 Subject: [PATCH 09/15] fixed skip level error in toc --- windows/access-protection/hello-for-business/toc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 24e76f57e8..66af9ca614 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -28,7 +28,7 @@ #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) #### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) -## [On Premises Key Trust Deployment](hello-deployment-key-trust.md) +### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) #### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) #### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) #### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) From 177a114fa6e38e74b22be47821103de45e108dac Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Sun, 22 Oct 2017 19:10:58 -0700 Subject: [PATCH 10/15] a few typo fixed New features page with images --- .../hello-for-business/hello-features.md | 133 ++++++++++++++++++ ...ello-hybrid-cert-whfb-settings-dir-sync.md | 2 +- .../hello-identity-verification.md | 10 +- .../pin-reset-service-application.png | Bin 0 -> 143195 bytes .../pin-reset-service-home-screen.png | Bin 0 -> 105939 bytes 5 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 windows/access-protection/hello-for-business/hello-features.md create mode 100644 windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-application.png create mode 100644 windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md new file mode 100644 index 0000000000..c8e500f815 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-features.md @@ -0,0 +1,133 @@ +--- +title: Windows Hello for Business Features +description: Windows Hello for Business Features +ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E +keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/20/2017 +--- +# Windows Hello for Business Features + +Consider these additional features you can use after your organization deploys Windows Hello for Business. + +* [Conditional access](#conditional-access) +* [Dynamic lock](#dynamic-lock) +* [PIN reset](#PIN-reset) +* [Mulitfactor Unlock](#Multifactor-unlock) + + +## Conditional access + +**Requirements:** +* Azure Active Directory +* Hybrid Windows Hello for Business deployment + + +In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS apps, IT professionals are faced with two opposing goals:+ +* Empower the end users to be productive wherever and whenever +* Protect the corporate assets at any time + +To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain apps even for the right people? For example, it might be OK for you if the right people are accessing certain apps from a trusted network; however, you might not want them to access these apps from a network you don't trust. You can address these questions using conditional access. + +Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. + + +## Dynamic lock + +**Requirements:** +* Windows 10, version 1703 + +Dynamic lock enables you to configure Windows 10 devices to automatically lock when bluetooth paired device signal falls below the maximum Recieved Signal Stregnth Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Busines**. The name of the policy is **Configure dynamic lock factors**. + +The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: + +>[!IMPORTANT] +>Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. + +>``` +> +> +> +>``` + +For this policy setting, the **type** and **scenario** attribute values are static and cannot change. The **classofDevice** attribute defaults Phones and uses the values from the following table + +|:Description:|:Value:| +|-------------|-------| +|:Miscellaneous|:0:| +|:Computer|:256:| +|:Phone|:512:| +|:LAN/Network Access Point|:768:| +|:Audio/Video|:1024:| +|:Peripheral|:1280| +|:Imaging|:1536:| +|:Wearable|:1792:| +|:Toy|:2048:| +|:Health|:2304:| +|:Uncategorized|:7936:| + +The **rssiMin** attribute value signal strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10. + +RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. + +## PIN reset + +**Requirements:** +* Azure Active Directory +* Hybrid Windows Hello for Business deployment +* Modern Management - Microsoft Intune, or compatible mobile device management (MDM) +* Remote reset - Windows 10, version 1703 +* Reset above Lock - Windows 10, version 1709 + +The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables you to remotely push a PIN reset or enables users to reset their forgotten PIN above the lock screen. + +## Onboarding the Microsoft PIN reset service to your Intune tenant + +Before you can remotely reset PINs, you must onboard the Microsoft PIN reset service to your Intune or MDM tenant, and configure devices you manage. Follow these instructions to get that set up: + +### Connect Intune with the PIN reset service + +1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Intune tenant. +2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
+![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png) +3. In the Azure portal, you can verify that Intune and the PIN reset service were integrated from the Enterprise applications - All applications blade as shown in the following screenshot:
+![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png) +4. Log in to [this website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent) using your Intune tenant admin credentials and, again, choose **Accept** to give consent for the service to access your account. + +### Configure Windows devices to use PIN reset + +To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): + +- **For devices** - **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** + +*tenant ID* refers to your Azure Active Directory, Directory ID which you can obtain from the **Properties** page of Azure Active Directory. + +Set the value for this CSP to **True**. + +Read the [Steps to reset the passcode](https://docs.microsoft.com/en-us/intune/device-windows-pin-reset#steps-to-reset-the-passcode) section to removely reset a PIN on an Intune managed device. + +## Multifactor Unlock + +**Requirements:** +* Windows Hello for Business deployment (Hybrid or On-premises) +* Hybird Azure AD joined or Domain Joined (on-premises deploymentd) +* Windows 10, version 1709 + +Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. + +Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. + +Which organizations can take advanage of Multifactor unlock? Those who: +* Have expressed that PINs alone do not meet their security needs. +* Want to prevent Information Workers from sharing credentials. +* Want their orgs to comply with regulatory two-factor authentication policy. +* Want to retain the familiar Windows logon UX and not settle for a custom solution. + +>[!IMPORTANT] +>Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 84044525a4..36c163ea27 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -32,7 +32,7 @@ The key-trust model needs Windows Server 2016 domain controllers, which configur > [!IMPORTANT] > If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. -### Configure Permissions for Key Syncrhonization +### Configure Permissions for Key Synchronization Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 68f001e2f3..7e3e2523b8 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -7,10 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 09/08/2017 +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 10/20/2017 --- # Windows Hello for Business @@ -65,7 +65,7 @@ The table shows the minimum requirements for each deployment. | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| N/A | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | +| Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | | AD FS with Azure MFA Server, or
AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | diff --git a/windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-application.png b/windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-application.png new file mode 100644 index 0000000000000000000000000000000000000000..bacdb127eaf67f44d8e68abc2dfbee711fad6754 GIT binary patch literal 143195 zcmYJaWmH>T)UFN1-642!cZy4aqQwf7LW@(ZxVsby8rRx5miG*!h(`_nNZq``WR(+NuP&G`J`zCP^qvnk-r>Pe>O&b zp?d16Dx&-xr`tzfpxY^EDWISL}*+=}~ ze);LV;NJH7$ad>(%xG4A*Y$XTw21F&fe4J&dk3SwzTU_(d1PnZrz1tXYUBL2hgrKN z%RIywkwh(`g6J^$NhrTdjfWSXLAB^a$&iGlBmXG+5F+pM&slty46@SK*Jri(Mw^w7 zIe;7Xo~l}1sU`Lw|zi?<|f}=yFe-7$IukKaKnB0|nuBpFOsp}|z z>v9%iccU47o`0T|48uJ=$qjj>>HN~I*bcrx&5(q_5ubrC8#G4wf7e?of1!6E0NRI& z1&t%yhTIXW{WmRcxPni6R`}k9zQJ?I+rE8a?D=)hi`c%f9@f3Ct64j1`asoDL+W-B zHAx2CrZs(6%PI9s1C}F+xDW_E_upnKtcC1Ex*q$Ye|UL7f9eC&-B$UNb5nsJ6qgj5 z*WMfV9}2eO$HF>y`)x#MsooX!KWnfKmnH)OV51!T!yDq#&51h$=-M?N^7@Sof}Dbs zJ~1hbuvA-Io1WVP(W-jg*IY^{t}ypPbela==*My|&t6 z4V3(y7gpyQ8{r*)viA@uRD}LX>T%dS7QFS5Wh3XDccp-Q6ivI7T)B#p2PGd-hn*if za_gCXTtAKAGxRCf<0^LGG171)cW3nfa~~ zRf*82`3UQDn!meKR%jQw6x%=EfZ+&W(5>pVaga zF(vt$e}0YYWC(uzcPUZDwRCEt5w2s~z9c_mtYX*FA`LY%GP=NDQW*^3%+Z9W*hKHx zZw|ytJl$*wSwrx>#jkG@B+Z2-(kp-cGJe{{6^mB-Wi4bKS}!AQBgIhl!o94ap`o9k ztxwlqPM~EvsGyIBZ7?U7sigfS2O`7E@GP-v~ zyL8VorDwxljCZb*t}Qr`n3$s1B1ZFTnACK5?!^3 zAGHa^KH3IZQ^PUsXa1&Edqc0}ap1g7VfO0ku?&2?yaAZbEM;ZbbN3>4<1>xZQ&Zsw zbzlZndT;Wdt(&--*@6ngwyz&2!II{rGqb7r@rj%~3f%PbXL%IACKo1vZk)Wn!r9Zh zJlCX4dsMiX6RRqXIv^#I*7DA(G_~Kq|K95o#pZP<5qsmrf8;b`wq(;gGt+#1R~gnC8A~u}w!!7#cFM0|J^DV(e-yGpGaVC?t&0~RJBT{Ze$g2;G}Kdc}+qE_n`iA?vr&HNUZmAekH+S+IH*P_qqX!4`%ERPRbH=kc53u>nY@u+k$1Z z<>f2G{&8tguN`A>S$=YMrO|4xteO?MZ;5Q7i)ar-s@z)o+dsXswT)8+34pS&OSYc3t@ z1E%mYt2etZVnIoss}al%)Z*Wx^ehK80zM4!^NbO;r! z|A~h1acj2n;NpL^GpjGPm23D_7!Y}Dn4k6E0~Qq$WC6yl7@}|Q6e;a@Fc-P2C|w?X zih#;Jq3g&zpqC!u7#JADP;4oNG7+K{(V~KB5uqncm_)QcBV{r);cky-XTk&4@9^Q~ z5#pxG(vlKX&)w19qNfWEwu|7qi^)a!n>FI>CM zF`ur%Ft-st@r@PVwZT}9!UQIzyZA@S*MWgN%qcO+57ZJj>q^A@$%h5TPINPK`&0^vuZ55``Gqk~38tj6B zyZHDt@IBfOtO@Ol)5;vXB;+)63rj!(@l|X@$Q90$+lhkTdavrq*!9@(@`#28$=d<% zUAg`=8m0c1QZ!-y{cj9k>)g#*-44pA2Va|^(Cj-oZ%zJ}xY((Fg-tKEQh>jh>b>%c z>P>RYS~dj@$pJ5P03J|Zu|7v0!&=_LY^hej$^m?bxA;91L z4L^uui3|V`@@|5{i*%g~_WdlX*6)(uiIW8-K9x;Yn|(4e8fD~_f8*`_iof$j(ZqMf z+sG#4{e*!LQG`B4G$DOlnzod>x^LZU^4Ec%4Ap*{|LI`-&P{rI7#D zsntIEbJU;v)604DvgYy^97RDgKqA`2R^m;IKZ|v8l+I+q>%A$e^bw&?2O2@Ar$g}7 zs!I9XTz&hRg0VJCPA>PD^Mkr>Aj$WiaS>PYC^ZHQk3fP!!%r@WL~B{#0RcTZS3=CQ`=RlH~ zlzuTaed|;dEvI@vOOac&VSz&ZQ(AAY1WKhQORM3%AwOAi-v5C3$SdHcZX-GGs?K3( z&&p-nD##q29_dT~&DxYE7^`6zElf2(GuY$#aZXXhPv=f&_rwWCuHi7I1+wT=|(_3}02#esQ*?`i;*8B-#+)Ojdx(nYvspD^1X|xh+rJj86cQ91KzuKGd#E5 z6OO^=<_u-77OVksL9K+YKfZnQApK%#Imu%5Oe+n%LZ@YNV4R(s% zO%s-^4FdOYJeG`PzNStgoAF(d-{xc%39jJ=Bg_=I_TXc^?0%hb^AMlpb{h3zy%eu5 za%~!G-qcsf1$=_)^!_?E#|#sSw&%) z_R=BOS^wO7NwD=A@}RM|M;UgFfJ}pn?i2Lu^4 zy&Xphpldn8XhvUB7x1;aiO(F@LXZXatH^-=K17*& z(bRP5Jn1Em+Y|kaC%ePZfBz?C3)C;(UOmO6se08CUZ!pT4 zT&aI$6V+Ebfa@3{xSd%Xs^m51wzL|?)d9w=5x4MTeSzO30o}8;v~2LR=$8si8!JuY zwW~b5Qn@vyRFh5WJd3f}^p4dok4p72OncfYQC&|Ec@CdE_?Z;(?8iB09E#R?v&7@K zo}$`t_lIf0A0~UUb-iYFQT>X<(OFS{i>~v0m$tonl|+^9YZFwGswn6QqjEf#MK8%( zTZSS@=9V}2-weXvx zxVyW6i=%%ZRzSgTx~zstq;VF*=6H$=i(~vVe18@H>Y~2YI+^MZgc_54hx7;$A*8} z2kWf`Eko7bb3;E|HG4Hp}c0Ag~rds8T11D{qInUi9IS-l_C5J~8in zI$Gkg7Q9sqHjOa-y@LI;Xui=}MmR*MS^z4zl0>O04B?;K`w-XkTrZL+bw%#vvA(zv z2sUkq>%5`N13|#%PXb?nwWZ~S@rM}O$kT+SPS*^X8$G*wFpmJ#y7; zqBCZhFA_m>?0Uok3F~IRkF--#j`yYCZjRj>I~4s&&3-f@xrDCkWi8)H&Fx^$A9P_}q7hxb ztK_}9vHW|+lxH~mm|yG$Nw8am{C;?Ekaq0nLFK=)lE~{6#@0&5C_G|?Sp)7qq%-Bj zu*kSoC*PvELkq;+dCBCS&qUt*fvU9(te57!JXnvV`(?B`kzs?q ztNfZ0*Xg*#wB$Dio(G*VYjV2hmAQwVDlT-9xoEnnT81OU*p*V8+SrIU!op^-(Gpv- zmw}Gdc$H-r!Yz zw!ZX9bupv<(;(Ko%MOJ12gXL*PuMV@nO7dw)!xpVI$c~iaN3*;f27Zft&eneamB)G zsSY*OKk171uY4AxocK^f>T>*-WG{afrq5kYd)5)$^|P+xLy6K(@u_Yopr)#=m3ecO zwj1iUVYgShk|rU)X6Fa+1iJ8BdVI&@e#!de^nc30?7Ck6CaQxBq zdoKrDxK}SSk~O-K@1(NP$oc5`tl6#p_zjQPvJ($0Z57jeX5Tk7 z#Z>kN+sK|G&y9*~*^NM_#yOgsk+v-B=YE|*+XGkZkD%U!g=DAVi*$=Md4{jK9s)nx zZh|IbjX!rX9JUO}Ex4caohCIs0~gb(93oJ~e_LBeS?AY8MD(R#&C!v2j#%9)C-oz! zXz~BnJa3n=SaQ@wUg5#W!t#PH zNzre{UmIp~C};v_C8*LU=v!PY>qw%@8h+)XuNipY$9E}qVbGLlj?{@ftTL_qd27U- z_&w7hg?G?>QsWKQ#wm%^H%6uthE#uSOJ9ac2dKBZDLqj;v1c3J-N28Gf~@<232DcM zRX+lxWJe6%J-PSq-4kFKt2a$!xVk%4qlfr+yn6M@^g;xoUw3M{!19L$(J)kam$QDy z$a*&@l?-Y`e?*R|yrF^xY$~pk+SbvyR8!kh)aWBJm*M;NLQrB6+tG=^hiWBz4);j% zOH5ikm>tigK!sm03Y-ki2^>2CP;S{oU|Q1PQ~$&XeCN&IZ{s&(moRk5-sAiE#xUy# z-JbV(mQN?yxBg>UkKW$!3M;p)c>Nq~DB9*RdBKZOPg6QR-b?|2ht8n9H{9U;p}`3q z5Q6)4I3LJ0n17x_fk8-s(0$?AyS&c{A4eO<2;A5KbEuXcs~FL7F_C;Qli7Z=!2J^H z_4{$>!hHTUQpLzr1)Q1T(^NwiD%>^Da-`B&@~V{_cs&;caAXxcbkMR0zIEzYXL|aM z4PVU+RjQ_JPaGiyfd05EW(DSsNA^7MHB zUD_MFWxuR&BjyF1Nt>_OrI^7Az`BRNQd1X)BYTOt!inC`gkQn|pmbJX&@$3QTl>md z@VkuZ3Eh`OP(Kd4438R1I!0}8e{G>GbD~bBn0nb!&__I}!0@-4A$HJ5IlUSIE}5!N zRSx{jSxYZ1EF0(|hP@|>6|#kG;(lW`%@=B9;4UZoTDQ_z>FjiE65lK4aNsI;WZR#o zSFFaMG4160LGlbMC=kZuL>)arNq&w|-ioPQ2xX#m6u4Q+Cxf;h1n%;M@De zyYS-~u1J4iKtu?&-6^(KW&8#iegss64)>DiQ6#7`zI`-uB#`x3Q~F4&GAjfiMk{|xJr9?N_WQZ-vKB;jEtY7k_IBHPp z{XHT|<4y5F|6ZYwf8a%`1cH!3HcIBS3D+)GD66m@}9j}7P zl7>zTf2!>PO|~h9VJwo{lDhD1g!d5#+D%GJ{h7R>=}3e|YxCLlaQ&T3jh?aZ)i@q2RS?ALKRs1sn&CO6XrDzvK+5 zV;a9uE!FZZlLrv02kHd$M~+?WGy7l&@?E&DmMqBe&M9;bsi01)^)v$>hwQQmD~Cis z3O?dZ{h;K*47mP48IdRJb|^a%+g3o*SjgdittJY2QAIAb*Yp!b4;#A%HW~;sM&1dv z!Ehz>MxR$ck#fb@LCac5M;X>%{I$(CR379m2%MdO7K;Bdmw((9?pW~cb3|}`v+m=QXQG`s|Mx0FJB@5O; z8B*SsbgTO~o5F#4;xBhq{Ogm%4sc3ROE_&GudU`|Z+(p&{=40jy9mpZe9P>V>g^noU3#xf~{Gv3Kk5H#Ww!yN%MjMlf-vcdO8!uHbek|_u=g`wH7+TZ&~I5P|;3M zingrd@pQ6Szi-mPXTEToxnzsfPq^yBBjO5rTHqNplgPxE zOqHQWL7wJT zMn)a&&@2i{a0(Jc@4lffq?HfC0y;Kqmie|cThr&I$e*FIm3Qa!M{#p93M*(s#m*T+ ze)cDmJW5HO_|0>0#k{Ey#2Co9WCvZ{hW&7?^p0oz!6k8y7A@zA;qiOBq0x3@J=zSP zk`-u;`>GC4QRavL2-Toth=JIB+` zTh(?LyEv|0#~7t$Y+2GNnVoh2`+FXDyTk@=&$j?xw#i-e;o%6ip|TU@y}q#h z5e}Q-Nt_2+&0A(8|0Wq90lOgI^St^5Vfnb;#&O}X2ceDAKWq6EUmE0u_sp)e=-3%T zlz^<+o==oA!i84il~qP{Mn(^Mf&muBOH<=WBk?~kv3D<6uZT2tdMZv+i#m7Pqw>!` zM6iljLO$Rhoz*54ngqp(wFR=3fG0WeDdmF)*`Y1*8=ts$A6~R#L>Cc@`Z*X(uUDWt ztKlH>=6Gq&Z2cIh1hzZ-W}#b*!U-QUs2xcAb$-=fHAWfV}99 zI?96nNb6p-+^=rmdLq+J3(-i8SHk`^s%{^3dObk2yg!EmsORCL?_i{*C z>b^G@ot?L~0Mi`G*^(torE%Z0<)eg#8>n=^&lk~6Lb|a=(x;`&HG7PG#=3u?!-m`? z3LM%5TnskU;(8-$GV(FJjeKyXX(gPOMDdX_z)H2_jdbcvp3L?u?^v9FqJrdWB6s1R zoCyGeuOF#T#5a5u=s(lo11Rf$gw)@#^&%42zOh~Yuh%(3l{pcIpe{)jKJvdeZoQs% z4gFeYI|^}Px>y^}#nI7{Z^j4*%ufJYx(mXF%pPBm(F`P0M66Mmxp~-=Pq$V8tegWT z?fr;5RZEqVYo`Gm?PLKo(4a&WX#(e~R#MUNcpO<;v_0rWx=;{Mf!Xe=aa%-_HcF5H zUG&dbGA&SHLly}2BqLg>?d?8{0DGPy1{`q}N>yG+$_sr?1dGSAg4x8>PNnw=6raDB zy*|uQlCc@Lhjqq$%j-<@{c9L~0vu-k#uJjg5(ATaphJW{lhNoIZ)*&1@YO-efws;5 zLD>^az-Y5)@~w}kayhRC({^|fD*R(AXm&yX{mO-Um3mD|vVd@#ESqe9R~qy&K^djJ z{b(>=s7SbF@<7@It!eLCQV2FsVS;E&%u+-aKLWh~EPa`B3&byhwJ7*jW;{{zTYAy- zmvlEG4fX$Bdx@(Ym!zdU=rcGikL%xYZX9f7g}(};4}TZ5xKTS4+ih9!h<2`r2jum9 zk|i!mDgw^SJ<-TRwIwx+(*!QDX$Eam=&q_CZ?=+Ta`%5z*2OTS9{D7#}wDSv?;fxme-nWFgTHtA3)e2X;e) zzRG`NeyPXUmU=^!*MrKAgtqNhWujFt@) zAlR`^lBFb)e-LEX$}Nv9gj^!6v{DtR$CS@xyVRt@{A#^!YNh_=4NlmyRanG_rm*1g zevTWuM?o2yBUQ#=QI$lxn#ghD!0EstJL;bf08Tkr6Mj5;PdUhet#0`yio@B1m`C9$cmv;3N|z}j)6q2~8= z`m`V4NxC7Ek?S*=fBDi>jO})aGr4!E>gGv_TuLvNd{DGNXklsBefu~AQ_AN{ad*mj z<{UAbBAdb?q;;fB#kKtc$hw5IC9=eZP5m~aG=7h{4y^$#@#!RVBiM6n+t}4%h`~m! zE+yu1hQO<1&vGKfx%B#ZLQ+56xG7@GQshD#g=PE+dHKV(be2RX`g#B6g+b;1G$!`u=7t zknGJNMwvOykZ6p0xqUe;sZ9(8$Qg|^1nuaNY+^#JYp*h^D6+8l)OmL~^&*d{Q+kc0zs6L+b3)ot} z{}D~77-4bK$@b^2Pp!4HT8Ax}D$qxve3f_$hm4(*%Swj|WX^y?v+>WlrC>aQVyJxkb8-7j-eL(9#bax!{gv=S+IUs0b z6--U(UE25AkH+LrdeCMk?1*FnSCBRckyG=eO6$#L{OlSQV^A0#f9vb$nW<-LyZjOt z(TT;qlZ|M`FJ-8-cmT1L_`flOjYOpKsZtELk0-uQ59d%A&sy*`efQ(lr=aJ@>m_SV zk3V+m3vskrnU3Tn_f~)^x(}0N-NSVSRcslL$ze!|)4f*8k77GF?Sx}x!5+PSCDYML z+nLOEUaUBv=jAqEhQ>8^D%j%P+7_D-Fnpd6~3G(j{X zR|G@+^%&!lx)=efkcJZ0*gXuXHE$M=wEWGX)bgs# z4X8Z{?EinO;Z&*fC1@&g=+kMMTv!V4{Z9B*dV6qmY0#Tt})-f z$^C(ulDeAUACWExUw6Tuk(oNR+9Q43s#LgQ@E1K0F8Mi2_Rh8Q6bR`B;#@7HxCyQV zanKy{ywN$rCA_*I9qjss9!sZAy8`2QFjHSuKlXE>!Mrg&32MW_tB>osRX z#$mEQ`%c#6pUVRjXP``|wNY{sZ^!z0!EmNp9V(nSEHbLRNEU<%ymL3=U;dIj1AuRU;Fa?NAtTxn`98b6Q!D+$jx?> zj*#CT@u-87?i92}_CJ$e?4Oee+t~wQ_buE}bOzd+B>xceU(i=u6jTX2Rp*xKlKiL+-)uv+w8Ef6cG<6g@vsO;Y$;jlELc8e$y!D-HaW;9ur#4rL(VCw^zi<-g0gC8MB)3 zS#?4t1$4u`v9hY&yI)R7z)r4{}EGh{TtNJuYtR|wVk}a2c zuHC)JE(kRBS;YAMvz;3Wsfaxw%aoN`RWeCs!=sOM-_cp=x5gK=F7-m)kGp|CeyjzY z(;wD9YX7kvIHB6yaK9G}S%&&OG;lOP;AMigRig{<4^XB$qCk z4RaqIEh7lTdbVrybvf>=+S3<1ml^rnH^`XIo&z`hYlXgOITL?I+?5w`aObS46)w8p zA5p&y()-!6`o%Hm>M!gYPo;KF;^q9miH5VC6^WhoXvEOQ?K5c5HMEJqXW0^;P-fj? zG+PcYgJQ?X@j@zF)IF};j`V89*Ze34#!0BnayRB0Qs!W@l@v875Nq{#^|nXT;eaqx zU98eud!fYo!^YP)ax9@`Z9e6fniuNKW#ZFZ?=a2;x)z>qoG{f%8ng|Jc$!X=Rco$N z(y+;d+N=TqcKk_m26_nnfDq~bMJ~-5y1+VJZZ|45H~hf|&Ot?qOk~xsm4D;UPEQ%J zO)+9UmS7f*p^t~|QW(^(67A1n-q_7qeKLPFE**sbu)TA>A*RW%PEN24emrvh57BFY z&^T5L^_jV^c0Ao3xIf*(zLP+iZs@F@k2?@nNSb1@t(NX=7!#E+o=xH~13LZOFq9vI z94xTdwJeY#y3YyOwew?Gh@O#+YFtHKFhP&Mlp16Oe!L>xZ%|fJWBPXkULG2d!^I}S zV2A;o@3N3oT+B2^c6U5~yBaO`ZQyB3WBpA9(v+H7s44_4)z&S(giiYW^?D)MQpVLO zS(olFzAPC#&6YdBb~jK!@?s^I1Ljy+V?ESg05p(lrKNs}GWWWOyt=(L0urA(1alWe^)x-8Q~!`k%?gXz4#;03ANq z9byY%?G$&WsTBLoLVV67!3Mkp{zM8EAJODn(5fEqjUzELSmp$2(Hi~fz^6VpkB~?2 z`0uwV0fzZ>+;1bo%I_Yp*M^Wl+`MJ=TEM{%4c$bUGc~q-RwS(CnMBhMD-8U31^3M6 zgN?0)K0j(y0vKXtqnDmTlDd#~luo>KY$B`j)LBxfNhy#ZRss}!)*%0|A^32=_B?mt z#_+V0Wu6EU`}iS{?9W*Ck9^fYX`zbN3xON+F&k}L0-*ZiSk#ycc#I|Ka5@@<8ua<1QHC@8ehq4BB z$9t7F3lpr03VeIS%I^AjqWGAv0<(>cUtXR?sC_=>w~1{JmkP7V|2N_uiN2N>nNyxi z5H`TebOehv}yTd5`4r;p+IW;eblTbpX4h5Hy;nC3G{$79~ zCeU$cPTHmVcOu{bWJuqL=*Fu4X&KVA?D;ClB~4w}RU*LClbp&th(tr9zxAXq)E=z| zNt^xXzh0D>kOqUI1|KYk$EIFhMowyR|LHU3Brfd4>dT_f3m;Zu?1zS4DtAfjzBm^i&;N^?v*w zL#u%_0<7yYDrH=+{@@T!!oFRbj1`I@NlO!2ti8JSc1@~*tx}^r=id~_rcZkm3zHQg z%IrEnOtI@^^~$Hz#h1Pa8GP;fJBe@2Leg5H@Ke`keH`=%hOWF6XyIG1bK76F1b`GV zfk;)c=AV#fI5y@bpVFJ-jCi>k$}-8d)dZtQUMJx%T2B0tg-lrQKaij0!`f;i5w*3@ zLQ(yn)jT23_iG0+^qJm?hfHm@O6%s&@QYl}Va?~ORZm)iYMuqZ6w=M!OVPc$a@OMbgO!l` zqf(CFbCc4@q3vfPwpGAlebboOzdcU0L{19<`RIqHNob#yGWvnK7-hZXB;x$75dVX< zznC5h$EjqNzn>{XI)(-@VdOfA&AKg2=AXVl>xP-h#<|MqFPtn@8UZgm#iecGm-{{) zx+M4qGYT9>Nba)1YH+yjrQ(}_q*y^#roLs@ZZmDLlT)v%`D57Mt;#ZI4Kzb~LAqE! z8k|rDPZReW4OzfK6=~>#O!^2@I$!c?TD0#<=BmHVdCaZZ1%X4dl)WfLjePJCe)rXQ&Tkx4CX7DO4_YuQ0*|m{DrPeUEEW!Z$btU1C2wz6~rdB zsg6#>qga*Vg__@+KWd@9tRmLcF_yJFeQV`#fuuJ-YZ3u< z{&sl$f$PflsN$N}bC4S_Gy7A)R-~Z~4uby*mEW53Jo!IS*nf9bdPzlIFkw7LNig%C zT1(Yz(`x2cF(8|gaMX^l`PZ+PCX|#BgCNJ_P73T;yOhuDe0L>+7m)uIg1P!VQ9E)1 zNvQd0(lUl84-|@YiNF6823WQ*78=lKfiBh9{zZ-cwzwpTsGr3=usR@^>zzo>V_9q_ z$$!szfbcI_cqy=om)mc@_!fH4dTKiRLlkL_pYpuc)^0ikn4idDgPh(W5w7MVIgHRMJ04Y!|#K#7tqj5RF;*2RUjQ zr3-+l0z8KNcrzKRNx0W2!5m`aC%I*^2_;ej6Xrr+*=x!hMqR60x=|~82dwek+f!Ic zS>rm*4~Jx?X_J#LjRY5Winh}Vr-d^wVg~co%gdeoq@Au_FT}r^OZRFsRh;rf;?khq zMUf3?Wy9`C$pVr+t-rrIuznr;iRz!`Z;p4QXW{y8o^1)*|J>CJ+aqU0w08y8qPs5X z7vqH-_BUXOb`~0~FH3qg3CZW?gQA?p91})=?yT4z2Thqxw6fXnrFN!qdZJ1Zdc(d?NLcKA!6z=9uC9_t zGt*zN9v4(=UOa%RglFzn-+2G=cXZSwaHCn(7AW|zoPRGmr4Crw%G8Fj$)bG^>?qK#N-6&Vxt;;j7IYqbbO8r6u50)2DzFJ%4%R}*>N0o@dVZ5KxpLn`Bq zR)D}h64rrGLoZa={P{aLE*wiXs}}#Ste%CQ`z|0U-H$gZwSL=1jAfq^%Mu0O{6l5t zf?C*Z2yfZoP8?$7di!43+=vjwNV=Cz>~}RvHpVx`DZqE|hia?N??S6q_8VA|3Mvva zq}~&}$?uRcAST*e+`cp^ukvAn2uz<84N_Fc(U~&3xxJNjA12%qSxa+>Y(|;`mdFt= zS0C!e#ha9`k06k;ndPW3RqrCnB%nCWNNenebd;wPFr5x?1u|lV4kx{qLU;9X4;-l} zW7WKx8F_CQC!5F8X2BqSSsW-u9rbD0wO%IXZjWwR<|<^ng13X4Rh!JYgbr!vAs4UK zML5M8y;XC7EGG$Gr(S|(ZYd7a@KOhRry<TrL%u2|9a0@dsGSyo^`eszU-ENa`N~CgN~n;N2R~^5 z;b4`!j-pP4DNa{d*A<97i?@^e(R+OvD3Zf$kce+{2^!f!;r z|JK|1!35e+5(dJednCmjw`PsgPp1fyqlQJ&qh5Ei8ae6dRqiZh`8G+StajQ7B{KU9 zbV`EhlyOzT41=bubevSNFPA9O&UjAWE}87eO`4V>>A}+GkN@w%NYzxm8)s_RhB44o zdeE7WOsY7E*?KbYI(W7XXijGX1D@lAYqarxY~$gGkk0}ZB8A2s$jNN|exRK;*r=x!7}%vMzKufhW*4)JfryH0lPr>rfe#+%8>aFv94 zGo8spmEMN0;@ah)f<9`X%1}5Lv;7m=+PN3&3J#%sIZ5R4c~KzELwED4*x=!W@bbl5 zkl0mh`Y_`WU)t-aB$q}nd{q~qz3`Mw8n81Wv>A3N!c=`Rzg+5ZTxAD?4MSqJvaWQwLHi= zhx0Hc6>H-ha!H36t)sl~3&M`7;PqIQsXCkR)Pozi65o0m(#{m@OVDWzx+^-p`ST|} zmNM1x>P#PTl086XXs`Z;j@(v5(aYEuYUpc?1w*g3=% z!uv2P{EkbLRA4d8z6VnwoFHs)U9H!uzIXiQ707oG#OO3?w4fqOMmQ;}Y1ZVPCP+|- z>1CJCZe~Uc9^Bs&RSt(Xc@E}J6BWI3*)5w(<_xf|QkvC9EnkG&C2CMJLai+WB6@sRjXyfhBVu87;&qWD&C30)gv=+!3LVgAsZi5{i+@ zR4@3P${J9{;%(Ad`nJTn4c08ixGYDQ1Do@G;J_4#J{(E;U^0?=?Z55K%!mG(JYghH zRo{_JrW1DAw?pD#E|{&p{rHu5c$k}24lb-()X=NPv`;!NP$DS^ie$ZpB#RMvK&ow2 zUqIU;Fnb~7xS-&zEMOZGC%&g8?InOCR5ea$@0J&;-mF!|z9q81QLWP6)H?`R?6fr^ zARxHwbU4`vFYvOj+e$Z>;vWm=wvJcu`0@UTlPuNr9qMp;)nT3^*z%U(FHVxW)xrZ*a*X z)0g+z!nhJuGn*ms6=YUIl$n@*LjAA+Q=T-)Og|qe$FkCUva+d@;C}l7yTNx-$+QeU zBKiIzT^I?ZD5K>)(Qzp%ysz(U$j_nJ2X*KJ@Lc2)Daftm1X#@?@h)3sNEretTkVt7 z*t1AC`K44o?2a)JpD~$`&cIrqgXh?waUEhf+l^{Ai)8Erq5@oLt&&59%vlDqxtOT| zX>v_!0`Vpy*gtQ=9&=qm8I*~-gh@7Bku_OIB?tRuR*0islVMdFA>`STH1HKP6^2t};OYS)Oq0pDa2e*{mxyxW@aE6h+npBa$G`LNd}MDXP!0 zg5V-oxog~->8*!wLk~Zkd;Pt2G_a7!<-rQ+#90T!6Pklb0FY^n4@}<9nP!4}x#|W2h;t zjnkdD>dLG@0bQa$)x-U@`!oAi186!}hb!m*5q~b6M)X}Zo<6FRC!j*h_WfZgZ^99l z318Yz^9S-^w)V2qE|qkXAlV|;YfX;Fyo-~rQ4w2r9SG8xM8S`%Vnd=Eq=IX7U>(o# zGmCCS1*+0ayybE>egVX+90_sI` z^B*wBMmO>sPcsD?*Y5u91w1kwAYwMsP0KIY=$W99~YJRA&E@-s`T0@ITU`buT2_)zP#dJ})>Kz4Y5Ae7&20 zttlYmOTlc(A-V2md^JN>ner7VNz3S0q#`%1F$I;l<*%edAT2X}@SrrYF*4v5x575b zYrJ4*rQ`UKKIDeq8kI0+=ai|UMdUQ+oSACccGPvvlHupD1K4RNjD7=vlR~^z>b(*GhC$J()BK$f%Zqe%`F_jX8$wO_X@^N^qvjno zmV|siqatc^Pg9r|*)*xW;K_Zd?FK|MsLWm*vsdi}Z7@{x38DJIvMV#YeA1=4sh>lB zq9u{D2R`_gchgKA`{crl=)(KxsWqIWe>taeSY=45sCH)FJ^UZ0&N8aXu8r0zNJw{X zknTo0q`SMNLApDnyHmPFTDrTtJ2ttcyW>2*-#KF(e)EGdSkH=k&UsDJOo1T?me@g5 z#s!{{H5~I!t`IMvi)PyQz_+Mvg%H?=jWV{%zN`Zyz57vv*L+_ph3u#|AOd+PzmsEF zP2xXr7SMGNz5-mric^`Pvu`lmUJR?A7If^Ql?uecWmO$BH1A~DhGAm?k&5h}Az@uD ztT1a)$EF_ZpBh)*e!J4L4hH1^+;;1ir@KKwn#|Ry%?2zM-!s`Nj$L+NYK#ZB0s9H> zDd1`dmhKD|v+F|DLN`qz@m(yoexCWJRl*3axzGG&j6;C`i;7ElaE+}%4?Ad^weN1H zc72$AbGc7KaDdU2=o%&sX1^2x06We1kXq*03s$c)ME^sXg0JUu zxcl6vwA}cKj1RL`5`vyNr@>yGjA`2xXn^+{cg0KW?{8h%=~HFtPcR-hQ^rax+eHO* zgbw)cxdl7n+Hxhx+JAfuQX}-!uxqO&2Xy&7)4X5b(zl1umA%=A@CuZz5o1T`@P+FX zCMZnwy+>FeDEV!5AM(D!iNGMu8>@)a!lZ9lS7sCv8Oj4tZBoY zSt)#-kkfHUn%x#YI*L|NFz2kY>_%UF_k@J~n-)GD*P^(tyJ)ms3=lLuUyjaa4R9c> z;<1^1yFFgM2SnV9*Qc|iZ5NofPG)|?0Zm^(Q&w9tmdN9s?b&b}7}Ot|E|9RA-p9*a&7{}O!ZxNNX0hEP1~Sj7aER< zd#)v_@P&Y`Z5jUrV5F&A``YRqyYhpxJVaN))4=PsIf!N>_|F*BjsNsV5JhKGxf|2n zdR3&Nx6C{eC<^t;!!>W3e~d`6yc>IK9{7Ew?hh2fvQO`KGamy3&1rNcV{=<+!pK+n z#u35~zTYf+%fpp~5%Lo;^-!Rxs;U{?@%x1azS=W4tUK@`8rWb(;qs$fRkD4WhkEKN zD%*!D+B3!Fb4Cq8B#8Pguy+pK$3Iz7(g(NqlPFm9FOdJZ8j>QR`M!$}mAo79tE{ZI z7e%nVec9`zJ{5gE%WVTMl*scJ{wrY*(WgfxvWt`2$uozMoJnCzQwnq&Is4W>aKXKj zCRy^R(Fu|7BFx zbQ6spN-*sHVe;(^&${)+^*pppX%koCtwSy0&a$aFIyVRd{{8|&7HgC|ztGqOD zim?4df9mH%$$STSD89AVgpbCCoh&=C5@c6jFBs&HNR|lR0JFjGw7(3;S)E$}2zAFf zjw3YE=W@Mzn;kyM-Z&DAiI|D^gqv!kJ}}cM;$xZIAO*fB!MTRIogJo*?#Qb4@RS8t zpNVuHkDcvybfOnq|}|QUB;KYyvxje6^y~76}$sbj6dI;VBL3gP-rPZkxHD`x*nH>({2WE8~#t4*MDST-|%STrYO<2`qX%=i5%~EmL z7M9O?WPDd(GV9NBz|pO!=g`v&*z?&IS);TOKU!`ZSD&%VqI5qJdtZ0pC-_)Beon!h zp*6Xxo{j0F@Dm`u5pHWPCb|K0AH0GRspR?r?I*Skm+iF;0`Z5u1VP+}W1HxH=yHXY z<+Qwq3uinx6MGBG9^c=(;tFY>u7D2x^>$+Crve(|Gqc07p?S?7TWvjUK{)HY;yG>K z5$C&KN_2m&ICD75;>;yo3>Y@>3l5ZT$EEQrMRw}Ew=2mf;7ASNJRyD%|=SiG>8e#|%QK87@ld8t=nB6caIU z-C79}?vC$0(c=2Of_3{Wk-OtDXVczFq+)tSzy8x3kssd~ZB#s8xyjj2UVm8qM`#p2 zZ_e!YBfjVJ`Bbj$LK#45ee1(OS^EJ?+@yhZLk39r0}E#CGTvA|We#&_5^fNm*W$T7 z&|^X;lO29dwWjL1PW}vPczwfGABI9-``tP$ben~prI?ghy64WF%kth^UpFjq)N8&> zDY2xyM6^Csfw~S9QL|Y_`mfI)S1*;*2?IzTjP?R=+;v;JiYJdSyqKfEQv0j&F>&O| z2(H(~*`!vEpy*-sf{F@FJ?YVvpE11oECk_da zx8s7vcQ{1pHPy*9_=G%ZE}IiB6!?9YG*H!x?U@3t?Rn%VZRW7Y_etu(=TL0gl$)^W zz;;N+vq!*#nW`nSfVy-LFMTx-ngC{(pWWL5VN{A|?>av>&gfxy^otD z+Vj&t2-01uLbU^&? z;e!qnn-ikBb;38kDmvJvMIU3)$>qeWbSV?GprK-TXJzciC~>I1u%{H%sk@Ge9nPOK z#zk&B`4(o<^<(dO1dv=5OcSRXkj^)BJ%9K(HY!QE?*ya))8CK6M6=-Avb&asbw2E8 z#E^(xeHg`f`9n%#QCPuT*a2rIpMm!%Mh`LqazWbxK~d2W#pM%a9s0UytdC{!o+SMy zUU)1MnXe`#ZW}VS0S&=)Wup8H*+G?LU#*lRUpDWsm5DKY$ohDhV8nfl`PKDY)W#|^ zC}7Ma;cr|x^$Iv-PcpUV5Pu1YI6=8StygNg?7}(N^iY+M8GMl9c5rVSm| zyzcmW;6DtJU)r1VpYQf>xwXcLep;49UgY!0O7Mg$os2+Z5D@J=V4sxrRoe8sT{dsp z|7kVHWhP?pp#Nv_=pTQgFQ=nh?BMOAf&eGBTl+ndZTp2bqSJWKG%U#9@AbgNMB3Z^ z`GS-AHF43QcR6(DS3zvQzYTJCw;vzjw1eH&QZMpAAX8g3T3PG>JXKZz5T?)cn&3vy zLHQBDFrc}t;y%NuWK=k4u=Z?YR3kK7=54M2!ks9HPA163bVY62W78K&A=O_?T zE`UBr!xpw_an~?VBH=Pan%q7~ecuSTQO7VBiB|PH$I1(k{2&a!ZOs38&Xg z+agBcddIouj6n7hvfg4@)8b8%inFHn%sGc4{ApJMGG(~n4=|3P$4^$zQjNVtt5 z+`Kcw;TYr*BrqA8cvZ zv9MHm@W{0Zg3kB1kYLX*%j|Zth!5>Y-awId9a#}}o%hg#&khFFGDW2w*glV{GFu*^ zVwC zjxzl73x>T3k6c~S8~E?8?8WDFBMq~z3nxv8>N;Ca9ihMfZa&`CY1fW-pl6?bf0su= zdnY=HW^>{p+LJGVAebTi!4PZlZ=ZX=+(yt%&fvVIU1d4-1mj0KJ1BM8F+lU_^M>c| zM#&+W*-~_RdLPoYjY+ia}%w@@Vgr(o`KSjX*%f%%Gy4WiO zWm8wSYN#ussN7XkdCwF|tzdKj{uL{fFBsk;*?-Lk0b zBp1zuj@V5HXHDs6Tt40u5jgc7?3q1td#K3`)v8YO+) z^}6!(=9x=1&?xWFpMmsPRka6PvQ{pfhvGi&@5r{nqQ#P8R2ea3t!SV2&>gk;g9DamUjs z*G?3h!$m*NktDvpf#Wa*&&;`k-(#XY@v_I5fbu{?pU)kCcmv0T#@!ZRN13N#KPqpH zS@8xu*6*pZ`iMMA+_Iuwb!7rT9OPZ}1hqwNe+mLy2JczY1birwd5@XP+b33*Oc(Xe z0iP+g2P2xWpy{DCq2rL@{fV7h*MiO&Z3`(ikZg8c_RuJ=AHZL+n3@x9on^TDUGsQI zhL#$@<1s=$Z_c^l99rlErH4VLU9CW-Tx{12hOzEgHe0gTiMAiDXr#-FmBM@3omHs5 zV&pZhs9)%j<6I8{fJ3!e3%+&h*mZ=jyRPcx>Th>ZeSGeYi2j&8 zsnAp;8<8-1Ncg)jD4teQe2sNIM(ZMRyaY5HevMj;MK>Ce7ObGj2#0ThiElN5T9`~g ze#!njG8|UoeOmlG{=HHxI(2M$M0a^m-=(Rdu3J?(^MfczR8MZ5@cO|eNM!TSSGt;e zh6GI}_jj9g%*4j|CPF+Bk4e)I>KAn?`LrPGpMlSMo;i~b{2Lz~6<+b9GGHiYy9b~+ znC&O%tC~?k>uE4OV-iI<0FdfPaS5=B3KwP(Reo6{j2;J!O-!B7qyp}DG_v?_M3v3^ zM%O2T?`Ucg7By|iACuk}nPS}^uAVVlnKAST`AIa1GNuYiH9<#@N7s4R8-}^4Y0gwn zcpl{|xZD>UX@n8nRqNLoVzfp4_L{h+n4r{1=rh##T)!%2BEkm6?-7 zg$1#!U~6(IK)}z974fSMgD_PMbq;Lqj1UXw`lsiRRGOof2nw4e(bw&mju= z2ye>^`>r_*f`6A)_PA|&M-CEsK)bCugmMJLL+7|naNi#pyhWf0ddoR?X=WKUt>Bjd zG5vw<)|>&E$ErSHw?HgRSkWA$5k;f{ou~^&;2!869y;+2ai`M9C9izg@)oK~$>%;E?htYv_s-Fiw(E#2M2C5JuM^ zizml!zLXofs%G)48{k>k9R!cztR#1O+fDN|^Zh^D)Zc(y1MgRsSF*mG=!!a|bO%C` z?seAFjw6`$mz{VC;sIcjVld<@1~cm(YV13hR~&Su-+wz21Q;%Mhz9{3NW;97A$v2BJhh40A3vCcSe{J~cJBY#NQ-Qlt^2I3aZTDQ!m;r9`)!i+A5 zBCzNpsfumQw2ane(^{4jJZ%p!u?u*L_$>h2dNz zyFQ7v>wL!6v2Eb?ZQZkDc{mt`gO5jgXtwhTxAl{_w8IVu9xg+&<};5vif~s16@Wu@ zrEDO(3)o7rXN%=#^{arDtSt2oX+7bOav#A@XXhUoAkuKY1$}e==L4{WGe6nSio}w- z9l#6>d$(6rei})W=)2HFC6^i29T>v18K!$z`dj?%C;pf7wuDn)fUKwnzD7@|j(cbC za{P_lUyfrH6Gz`W9vO*<%Oou!b)kVWYxHoRYqgEQ>H86Tc?(UV!}i6X^wRv2QzHXK zw3e#IO>b2CEOToEmQ|F#96Unw707i-sB;*g!O;!FyFXvqVWywS0hExhLa;4jDE8V& z;U$=lF+`Wdolo!e4O5?Qo7)R$N~RY$f<6eE}I6f zE$F<7j{@6qM?}bgr>c4q0v^&GT7o!w(ZEk{bc!;=IzWz7Tjp6z%v@+DSJQt-ewHxc+yf=r_wSH znf!0Dj)+qvhix_550jiN>d%LYm2(Q6;A(>*FL|$}MqqPBei?W!@*S7a6MYfO8n`45 z4{~0W;rRW>eKJ!3$uG$nV}3rFhgMp`UuK}@BI!)V&*u?(uaO{R)4HYz!emikcmaW_ zMA?3xLGA-Y2lXGQ{SPzmXIJEU^IDbUp^Wqsh9l1(0;;t>)A@lk80~lH9mveWybXgwXdM%mo-CUD93v-&YBO z!bRq5nm&<;@Z3&KVccFC`qMne3NDJkH5_Bh{fF}QQ#*(0j|X{e`Iy5=OA3s!_cn_j z)dF_!PHMPD@M3h&>SpELA$g(IJY8fLk0_U24JM^1=!oCi3?r;w|vFMhjB!V8lCXjw@E+|`R6 zPZlEY!$09X)51$Q_tut z-?n;D3XhvbHSBFD!X~6FV!4KEej)Y)TUQwvBPx>2!yWYLqceyy;oHC<>k5$#PJ5ED zix`D?MKh(*iOovWLP;#!odDr2MECZ@b%_W^&l5hI_$lGndnSDIMbg9+PHfi6d`wi< z*Iu{HBab2o0tZofXSX<9auPMSt(EPn+#KXq0{Tp5rL|o z1FZtrv9ra+OOqm<#8w(j3SwO%+E>zC$u&jfKndjwC`%@`&8UJ?)0fB^fPekM*ay)6=Yn{w6Xzx zcsf};+j{k?>>nVg2>ef3qLAS`Z#%jeBC(D6(Q5b<(FG%>ad1mDhn5Dy_(DAz{f7Gvuw{CTt%#7 z&&9K4lFlxylt%}Um#zi;sap$NuGMzo8HP+3BrnxUWCq>5y`H_D&ubXu`N}6wgj4-X zO8rX_JIB<*@_X$qi%fuzf+`)E3Y~$7rKcU>wx4M}nnNSh+ja3e?|gef0bH)>DLNdF zgg`h#`{k?r$>ZIreTeXu|aKza=@pD+`&4jakeO|Bj`z-T0)zxNcWF z1T`?dP#8^|S~%}KO`&Y2wp7`v!N>6KQ|tQN%>UL|>gvvWZOcjFV=8kNhf<8a1Ub&> z_F^ZgJUYryq8qN zx$5t%##IE2p#jMsV4-3Y`CTh{zy8H>->K(}k0?3sZ4}JaL;S{=bl2-9xIH@AA!@2c zq5V^v+2stvl z$UnO#z82qB*m`Nc2G(|DI+_LAD2_wtJa)4t(cZ zWdNj5$%(%248OIk01!mY=yK%jYcAKHUpMD>u_zTA^S$FO2NH48 zD~)U4ova&Q8hEHOSGQ|2tAJ>T@Jy}rC6GYXpeZ379`?Ak!GApmi`+<7Px~W5c{Aci z|9!py?$boA$A1WJ*PIldAL`iZN_;B5X!Is)=;a~#$*uxJ$%uhsm}hXTUze8oiafxX5oKSrWlsd$4pM{5?U}CqZ*Q{JE3$7eez&gl=b8^X**c@UIsu z^=sw+MRZYu(zMt6D{ zgSMI)tN ze;@2hN`B=t&Ea}EvO%kX-Wy_;gJ&Q_m~4O8Z(VuEZE^k%M0@7{N)r%s&YR=5{r8ho zBby%SWz;@Z*0n7a&ofR8i1`9Ji_OGxf;NqJHp_2^DhFQv3wg+gi>)qSZuIoXdd(*z;1j7vKIRT@e)L( zLD^fV-pDEjPUG{*QwYJDT+Hr=AZ}+GIx+jY=(YJv8n@((uxv-&*84Lq&X%(K;@sA^ zhac_tR+Y`-uz6Gp+hKu-p%18tzjCX1fT`L*0rw)8Tpwsslb*(tlL~>@c+ky&KIqln zcDI(hFL;=$e;t(YyBF5JA!HVY&o8boV?!c90^P}1v&}rnmy0PRII(d3zQiEF_g*Lg zGFwG*u|M<#okO+U7zEH^{<9H(83a7lR@C-ox*d7W>}q5;-aI< zxCVks0t8#rx&rr)bcko%;2=k3re3*^W z>3Vb!=a!U=7?#GhRkA%P78@;8nThaTDc(9UEhCr-PGk$-*WN6R1)dk4=fDrune5(h zCJPCQ{3WD|jSvHS-T8|ifC|jLZ~ZT$rFr{p41?l9Oai}EzKXA(x8I)$XO{HZ%%3$h+!n6*5-fHv&7j}7PQx+(=Y-M)C zG}PiiTMF1=;ICvA-UEZ!nkl*;^qXmSOx1;3Ocp^-OF_B^V%y7YwL-_@8X!o zf>}Wtf*Ap4C5^TC=}eMs@Yv`H4zrJ90TWnO9yTEx1PT56Zdc&=-6Q*WS#ccw&(px# z6FF=C1>J4_*Y*@m7xlkY2MGEPKN3umLa{2ZP?-Z9F<44mmsa;1gV2KSTZ z-D4a{VMF&asWVs$N!Uj>s*ZU4H0j{Yqe3h-SKx0n!uXlD6|b}S;5|Wm8X3b_R43Vz zhsseOTtM}Ugy%*KcHa@w=WXlKb$0O6*w%;GvD7Heiv^FrbN_jE^9GOV1aoJzZPuH# znmYHW>QCX8h7!H>zSwRiU@GW$(#QE3wB&a_Ytr_5fphP9i5XQ@Ht5D?25z;S#hzLi zWuR^%$%aDrx-y*3Lf`^ePnjZT5ApGB7{!CxTMGywyS1pbshfzcRQHHErdAo24m&cnDQ=fnJc_J;mHNeqc|H`sGKOWeQ+{ru9CUdRa>y>G6WsUvbfC;tuNXrI;pNEtQs`LiZjWsQ0h ztr6**lN*l#HnPG7P5PQsBM>#GI%->t%301cU6=6Ddj`UBUZ(W$aoo%pNz$xuu9M>3p-q*s-N7}C$m-0u#Bt$dWn5_CBge9r(Vl9dH+g>qKomYt9F*Ubb6ZM@T(xc+S_+)qY zY^Rc4Um>P&oT@N|>=VhO1pgnHANw%5OAnooWsADFn1pxtAGXP^N-)MACY0h2g?bO* z{jyHuFIuVtQUEt8;!AecteCL8#Boa&TGyr2L6ETt;ngO|k@fizTvmZ+rsFr=CjHF6 z&!Z-p;w;&`c2ha%gAA0Tk|l^0Zd=3@_+y6<8o^u6|CIVo)GzjA2=D5nzptQ9Sp zEWrhtEgFAieeX9*U%nW+>-S3iYA*=^LZPggZW|u|lGx{c7_s2iv(5pV#!Y%RrWqoqaUFI4WoobCjCW0n_U+Z?;P6e-bD6( z$vPo0Gr^wLb49u=D?P##TEo34#gF5se2*)wJ)$Jzr5i{;mj`0lfuZLqHmq#I<;GG1 z3+MJ8xsO-(d3osw-~Cd<dVyaqOt$@?$P=tmqWPlz~`^N@b`2*#x*AFR7e4l*r%3a5#cR#hkOrF z)}dzfp(ZiD6UoS?(aW$Foj9Zseg&aPW*;pn-L`KpOz`)wv@uGfoyft(LT7Mq>Eb9a zGM%7FEU9VBi>nx}NgU#v63(9SJ24(cglydw6hSXSn(d)qynNMYUGO?th*2VLG`X-; zKt<1o&b*kjW>^3dO0-5~+j#Or5Odn9%3z32(1qJ=Ki&)M`p_rwb^9W+R)q*5mhQv* z5|*gf@Pvfw^G}T<-i99_j=OB~=_ij>vl-dA)4cqWgFdkRv0MU~eo-Y?&CTG%XNbO7 zlWwp#8VzzIM!z9;WZN9|H|5&igoV^p^ZbWHT8992UFVX;mNh40K}xnC+*SB!qyS%eIZ3KWh1mu;@DunI=kdG?MI08p;308A(tU9 zmxQ6gk}~J27*r(>Ps*f{nMotc38zf$(;%H|Fu=V~uOVK-74n)L8$3Y*%6%}AKQh}{ z9Ah`THEXh`Nwn~-I0zXjLrOWpNBqSleQ}R1!!<@ZJWZod1p8 zj4(VN{GANN{Jo17cg60rH~6zW&jJ0tbT8LV-RzVBoRdI&SLTBFHL(CLUTH(H>hQrlU#%CBYKBgX|}_wTm+y@-}*bX9$$8*U5YukHaVNsxRoAo4yRMJ_r1ob`_xW z)r!VGACy;Eo0Dj+i+dGvO3pQQu3fU2Sn}H%U~w{kuWx2pSFOCm#!$h*=j(s z+fI;SoMyH-ufFJx^NuvY*(WGe8rdvvZq|Z7Ny+{Y%s$IL=$fS`UHRw ztw5M?)Yhq~JhEY4lgA*3W!l*?-5?ax+!u9Ju484CKXig`jwOM>cV!?9AvF)vRPWBw zhg{ob>m-r&vy)F%h(NjubTOR~b}TKz3w~1uaYS1!Mw? z8Y;1Y!?Yv;f+FyW3y8X~0k4XAjZ86sQ5xYN$_n5UxFb>F@2IJPR6FK4=3rJ06vSwum?Je@*F6AGQ2(Jkut9b3X%S` zN}aaaZ38qevVT;nHNY>=Q_*GJJjj0O!;oU*j9)^>lm;t~$sW}D14-2ug#hzUSbx7H z4illc!ezF3YP0v1nU&PKxN^_89VkP55x4|o0UdSxeX{S7iBlQiJM!xw5;CxTb>I{m ze%39iB{MUbZ;xRP`lBdmIqf!}ybT`HTr*Lgn~1Qerm3C5d_wutzv`cvuh!%?GHa zA#pGf9X6qO@1caXCk!b~=1Z_$LBJ|XPT(*fCk6_C0FZ#GWu%1U!AE7L8+;1|K+8kW z??gF@(ncrnpPGda9@;IvU{5I7!0HyB$vlN;-LA4s?D!!)4rFwXk!#E~A1Yf?1(g3==RWZ`QG zq{D-`i~y5zq)KL-qKvmTcFILWu}y%vU8j+Ca9nR}I$319q~d!>Q(`z2XV`QeAmgy^ zvIrr3EH0*IY`=EY_1L3GWA|VMzGQV>pYhIf0Kb)A-Ubc8_yA7~dJLvxrR&;Tj>P!@ zoq=&z7r1FR=fKGIgk4qbM#%r_ft>F&=D@X4G81pjclPDp@)>%~@#tn~HxYfZ=)RZu z)&Gk+aWIa)`}YnR_&1Dczu~`i5Qy zKx{P2D{MoIpMm?SQ$WoSX<@9ld8tfZZ~`akyGxPNlvyq_Bet#A_F|%*Z|Io5N;A#y z;{)0xf(IwU46}AjouM&aqS#wS#YsNXCo3B`uArQ=3Z#JT&aS8AHP}Gk2cIk}%6@0^ zTg33MHH97)K-Xe7q|U(cp8p2T<#S`C=_LP=(}Le$)erBhP@U0@-Nj55-Qbps52uO_ z*;*#V_|RtSIWM^z83QuL-IbJ9V5dz8H>x3@IiDtRK)NqLBtFG-njTcPS}Qx+dLTyJ z6gU(yF8p$W!;cZk(R(!7eKtx;(ZaxV8&eA)y8iw2&xlnec$(gjZp!}ZjdCXV{dgx* zsv7Xnggaz}>nuH2p2_?wev%oFP6N zlX1>YHkvPVyQ>u9HTcJldYj}y9e;Gkz=+!T1d5D%^>UZ>b$_J!n&Q#0Cl6LvjaHab zWPz^`w!B*=V(>-20 z^jO$L7nF}#N?KT0Ob>`uzOJwVbWF|H8g@w^h1}QS16Ji$Wdc;;!#!!7PF2M!6Hz;^ z)sa8bQwOoXz8enj#M4TYbY^4+h=pj(B_$bz47-cr66S#;;tpy>^ygwKH}fJ*t)Tq- zhRq#qP4rUc{sSG*`&|G2C=Hcmv#WA+bTNJp4-8UG#=`sK;9=sc*(n#Vcz}>0Q)dX zx;#HWnk890`|ZM;feOQ%YGt}kVI*cYimBQo#;mULF0l1NjN0Ka?b`wT{GcyC?4A6I3Oh;sWVxmFE zc~ohXr;5O=t>&KD^DDtyL>G+Mgk0)KyU3a&jaqHQY2TcbYrOD|(YmpeZwwKRR z-&1xvkjdP5$MMyk{YOJ!6L2);xHz1G)|-V<@AKc^!Im z+^$&BdFU#69*(n6J#1Zv;Ed=|##(ss-fp-NL+|OGwO!e&-kgxZv?8Rw9npGUy|{7x z4Kl92+0XdAu@TX@;R#FZdyYn_kP)L}+W`fZlpMZ&4@>9|#PoJ{RTKtb2+Ha1O283x zucb$7s_LrwzOGrPjNKu%0N@nI>-d7#L*d{1Wd=mq^lh)}$4fHANuK`#xZ;Wp^Z7;U zE)+%X);Ch!G$I9y!onS&dqpO{7e}E#$@YX*4k7ntFwSgcG#$23;qj=;PX45FB>TsQ zQ`wP>F?Q|g{K#U@Hf_UkS66^L-f^hK9WCZKYjTK!m&&m+3i)C3LLb~AvAw5%=POmh zOAyLQ&>t>wTpW0^ZuAgVj0F}rjhXoGO;D}*Gmf_0O^Aojx{nsO<%e)$Jdb0I#IjqSl zxOuhK+THYsplissctNYQeO17wL-i~JmE)|=rbuCOD%-1hp~Kv|1NA&aD_vdnq{XsX zKU!LND7FZLXEzooMS1*ld>^~D5{;t2{4;Y{;u2SuWtYE-eul#4ig@#Kkxcz$A zneeYOI)QByNyECU4hSS7=;Gq!O!euMT1Z#{S6I+#-#V*o@-N>rza&JZluugvgEXXB z&__ijLj=M=uWnC|!BZLsy-+SbX3(xd&NsC$+1eiFC2Vo0p1VAYQ?YRVxX0L2_97bxbcLtppQZ0b0uK>yDXJk z>fdE$E)-T1d3(Q`TkPtg^_35CFG2A)n0fdJZ7fyg=^FJmWljhPP;BU3{z2J2Vl}|} zX42zJ*v%^R{#V*rXF2N(Fb6F~!)|50fy^i_w&#Ajz1ce{*sIpby z_4UpvX_qYvxYcn0JUFZ716ePCT`)RI*76GDbvUl*4ZMF0h_tbA3ZeD`_>cL*>?50# zRs#zMqj7Pnt`5+y!s)kJ{(_Ct(VAGX(5Z`LV?E+^D-k`C(Ur^$oBq6Sy7a9_=ko1l z8i2mru)p2>zbo_+GLIjYtfTmS*+1^O!?9x?hoVmkq6s+t=ka z{gQN6l3>#*8y@Wsm(*HcYhFI;I)W5nkmG#E8#I+sKE&k&%{-GWi~ z82N7!IFp0|VgAOwk%)wBwciPJ0ok+yD>?fYgaqJ$7c-dSjw$$Zjp4dv2n%AI%zGsC zoFsa={3G3@r+-|3Ake~3KJ4cqR?2rIB%_1Salef~0m&qO`)3g5dsNc^#VqQ3$w_>u zCi!8dz6L}>cx-wKPk>DAAn#clfU<0oz!}{6iRarXa~iJ4^ccl|)6lrlvyB5iU-DZ~ zB6fc_XQz+s=2O)!WKDf4xlmx|mh|M7n}461>5s=5De;w~v-$eD3E#O{P_}uy%TCP>AsHRqgupIAgSKSSR%j)i5$+Bf_Hy;p=L3L>4 z9?SR0ob7eWt;g=T)&&3S_i+KjhC|b{|9iET+`WSB1HgGGBBu3G-yQ6?(mH7lL{end zyw2L)f%SZo4j_8P8WWuNXF}C*(m-(TgdEmsaqc8A`H7O-%bz8y_40q&{8PSZj4FTD z>-dZZVrrP^3QvHsSc!x_tNn2&E#!|ICX17aC`3aQ`+8ySL~5iGc7F{?D9|`9qWNm_Xl53PsMV;Nx~&YSmvGsobSvtD?WLWZRp0gRKC zuM4&BOD1LCj)MzTjd?6z$>ba&VOSjMIU1Sx7SM$&VQgGb8Qc9tzOiaun{11qrKJ_K z^0?e0N$Hl!e6{y);-!~#4p@f<0J3F40krFehq>NEcJFobwm^4Ch~V49q^5DSl4lOx zwgjoKRBS;Z*9ukE1X((}^k@&Tz(juF;<&fw)79XBR7A72XlHG4{^WZ#Q4nPuVk`Wy z_ds_<7ug`&mJ2J4yE2QrG7-BRS>H=pI^TOeO$(6?8QQto4jb-WRDPac(A zMIsI#B~Z)Yn_ii;R#F$D^#!@!_wJy7B-LH?o!H8nL=cy+vdHSvW*S_Xkv z1v9U{9%O1dAxRXd8nLR`Qtv>54nJzw_l0NsCugRPf*g(OGvBujAE~RUp6$iJY0J)$ z!@KgfT2jJFDhI6FWTmhWbh*!`c+EM9&bvkSf4oQj5;ps-&Kl%XfI}wLDDR%_BQ+|` zI;kZV*7MQ!(uBmFNu<06_SiA(C%ri}x+eGg#fM4bEJc`Squ!ooi&s4IKv)UdgRV6^ zUH|lUqrU}iR>Y;4>+DI~G5Wu|b2aGg74imT2m9oPqT+l~*LFHZe^zX7FJ`1hB+87@ zH&1_aNAo(u7*>VNB7Og4s%x(5>~g}w@LO(P6YQwIuP2#=4A#6q%ML_J*H7=GZd#uZZK=PNghsneUTPpvt%;D|6%DI!{cnbF5D(`e%lt{^o@?)G@3qeL`fP2BJlSAX$C-|z#Uhm9_+qP# zxVaC9_Cy)dlik$x4gVv=#|D&#%2=Gc(WJz{FFL4GnXcD5fLyWTgF5oBIyx%R>^9}! z8a1)Xd|xQYwhqvJ*Jv1H-8p~5`-g@>8qZ%R#~S>;K2Z3*!*7exkiOhBU@)E`xs)dI z{UoWiaW`QFlBP;eEa3#t8$bl1S5*Mt&SDBUtju(BbU$BX&DEA_ zHPO<$Z8xRT)BT94RNv7#6Pak|JKH%D?HsV=Qt@#UH%Ya#`JLIV1CBwV*#ry2w%HWf ztoP|wVPqa+ycsM>>@;r_o6azbx&+Qgvb{2!2X!7)No}@0!t@*stq!wN;F5+F1})zN z+Sy1pGyGCiwYnW;qTAp)N!A`GnqiDm3>6%+g~Wa#y)z5hLKSNQp6Tyc#oO4!9jL!T(&Tj_@0!IcJcgPJ8GJ+rU{D_$6F zi7uYwnM_0_8WA&jDyWT-v(m9qV4S~VY@J<8A4p7$Glb8FEQcoaC5plx#Xn{b>?a{~ z6e{Rn@stYaQuh$)S$yP?Ii;o0Z21&@KbQjNHaoMmbrbu{Cg?mvagi^&MSy~85$i}! z7drwTV{mAiKNTZO6qb@1wZM#>D%Gst~#S{8+8kD3~#67&i+HYJA-HRyHIV#L)w7B>0nV) zp_GEt`KDU5jB(763?XR$bc!1^6i^}dX6q06YBUopxqOqZ>2|fSwnn=-a99Otw`Xnc z$M(Gh2O;gU4;?MbdN;A&zdt6%YphJ(HjBK-HhD&!$rLl{s-r}Sey?)cy-pCN7$op7Z{bHQ&DEu>W>bRpb-D5oOE}ktzBsK1q^aUzPK5^UDWA ziUOF=zM?NRqDXAuqTV}H{evWK+bU3Xx5lcAkS`-s>(;nWKsf0rp~b$pS434Uaow>z)Egd2=fefD`*ssR!&ICPI~f^3HLz0Xc-(%=n6_Cm zEh@pEk+jaAi`u68QN!TWsWKr*&O|t1Hz64LSJEPE%+rn;;ObL_>D1Y zw)3$hqZjMj4GtI?3=Qt{U|OQ9)f{wPbs_auD6C3KY3t!3brb1;_Jg_+GjxIdo`xSS z-6x?7D?bVoGH%p~D)udRrlhC(Fn^rnCPZGmd+hMdJ_|pRrY{nuyHur{*N?op@dGvX zGstG$v?znw@kBixAQSydfJU>t%arOC`Kcm3n#=+TO=OD$krVt=45@0)sLW}BhX}@b zib#I&&o033k#q~6fo?qz3Vueo)Lu0)vFtjwY7d|S{JfW-B90~{ZS68gZ9~I?=u0Se zF3ydVqRif?buX%)>1}(Hr-IM7$It-A?AI`0w$kZNP}2!PoLh&nYP;pkbl)=NznO&O zJ}2Hkg7F(3X1$y*Zo7PUd*eAh08`q<_M-qSdwPfbIHC@r;OS{wfqQ57;6<)(K8fo$u~@PC6?)<~D%O=mwd8M3}M1|DcuRkOkcEuphV zBMcRFVMR#RxtFex#5fJM<_W<4%*V;#+RaoF>TB-*4ph~!Pb!6>VN)`2v0R*y(Va@V z#tD_NCQn}g?SP0M^p7$n^2#$_KP7D?T9815l394?5qVIa)*y*mC-Tz@4r?V8g-Fi5 z3#s2@`dxS$>GrjM<@bhYRmeH`QgWDBS<4a^ATx1m!wY0$5>fmN~c_NQO}F32YF_AF6NNJCHfr4hh57v8G<5w}&RA^PsSd1aSm z^MhGlewR0pyCkt+pGPiL4g`d|%5K?Q#c4)d@tg^w#oAx2suwAw@Jg={H(wlXbol{E zC~A7sy&=ggJ*Ha5+e1*tWkEoS(^g-VRc_tilwX||3Ouw10!;(8Y#CZAz@-U*i%UlR zS+5C5>6VGv34qJQ#0W@;3+NjT1r$IWs_NzoViTFJc*t5bPy1P3sy&9DKT`BvzT2pE za7kK`mVQPInO_^y7t?rI*1N&N(w;J45?mf_PE4TqOG4n&%lkgB{whf4>fQ6Z38T!? zWkk&p*5&qRj6(=vF8a-mGCh`>APrGdbSknu%toOUWj2daXl;I+K#dOR-l4q~5c;9> zO@s1h!>6ujVp!6u5^*gD9@w+;mhzBh-i@HF!o2z_32*_lLA^S9mM0Ht+;?|tXc^SO z!hn@H44Iwoicw3(fqK9Dx^8BRY2J3o$t zA>R^HFzR1V=NezCWiPH4usH~eG90klpI+S3?T=iX52~mpr;}xk}$L%akz_WpCPTc|nIIl6aY;Hd%v)ExNM6<8BE{{<& z&;%)7v0-53G7|3tA@_X+N!sD)irlzN9am(Q9jEKOsar8Y#A0$+`d6ci>JI8c1a=FS z4=*)VHVe{fo2$qJxnDE?zM|x3@*erKRn8T*Y(C_926^eaeH45>usHGT40(7fD&c+} zo$1phO44zq`4`?};m^J4k6t+;=tfhLb*=#RT`TbcVvOlM2?02Zi*(La5l-b*j&&rU z%Ns_D{o!lq3&j-DjHhfXAXF(=W}lx~LGfMkWEII8$E@h{H#v3soQBFtRK@_?85ep+ zDx`yxc;ccJ>$+5mu4;v&6ih*vLm-4g*E`HW`JEzR7FvvG_U72{NU$K8-;```c6_es zJi)Nw_cKtVwB@oGH(fj)&IT^QRJjXIqk+!nJ(tNVw4h0~&}cr$h6C`?5PuI=#u9po z@ez+}7;h3{`zL%?q307eEw9(xe`pVO-IO8%Bg?(`>$UkTFW(l+CZv188*U=!UA7g6 zX9k?;i~u2mN~SZyXVj~Y$Y*XF8m;fccFq^6c2&njZhCF2QJus{d=Nf+A>2=jK^rmq z>%!}A9Nd>XGb|=QywdHbrHdJz%2OHT#vVbRFe6}+Z1<{ zfh>2TGp_>?_q#`9=ZDRA7@BsiY6>PtU6hcYd@{bI>Gs3Y3;Hz-7XxBZojPu(ega+{ z$ajloUfOgU%+fuA&nKk*Ph7xpzOSS`rgxtKh#IVHW|gG2fQei0daWGxv9^7 zDZ=5RQ&rU=y-}wY8n0?}w@$E9Nj*^3YF6bpA)^1(>WO@1nH2quQ2j{1BG_<;!KOPs zgrRRy1_R|@{F_=t!lfkB?yHBUEE}!tDvsdK?6dwZ%6WIr&keG++WzpHHV!U?OSN(o2vv#op&a$eITF0a(4eV=f7v?i2itWz8e}~ zcI*F2TCl9YFoUfGwHDAh9_?CK>o( z0|0`fi}bZK>AMGu`2uZl-x9?e+yi;R_!;?Lu7n#ld<>9ipjU;>DvC znB;IMF?Q@m@>x`nldid)3zSw5)20p($g3$S`3%Js$z*8X^k@K}>r(IJuvz>oeJ~sy z85$0xDz$29X{kN}%U$htDilE!JvsbQf$pV6CQl`^w*fKa zf-Pjefj|G?6s%Y!1H=D-f#ikmzWlXD72d&c0Clp5rXra7Jq>;*b3Q|SO(WZODCG63 zI4)EreLQ4*lhcZ*C@3=nO{;TuAMwY+e_lP#I)NnP?QW$JhIs zswv65p|XS*J8A(w?&5oSzq6MwD<8Y}N4tOX12fzvARGtYWxg#EGGhy_Yl6O39@x`Bt>Q>AYSG;OI&>{0h27#YanCTl#LC_BXOl zr#GVQNlQ<6JI+~Dw3A2feQJP6(qM+*=JYtpePp}S?`{BC-ImggaB*)B@<}ATf4{%zykQKCY_b2CqSOuq5kac zCqXGc3yE|UMTywae233_uyK^+jFQy@#M60PC>REO6@Q4adwO0ocBL6T6YOljRX|OK zOYG1m?6lqd;vDOU)PBC+fDAQvgC2VzMVTSqxsU185WijS4 zz14gHpQ(~{AGS79XkX`Ap=isHfdY~Bck}Mm?CF2erM&qbx{$*hn)>ZoXJ4dEk4< zU}T{K$}s2c2rm0S9CzF`18<#>$h|a0>AwHyffXG${6y{tL@Vwy9haN4+>HG11f}1n z!_|nrK1FqK0fm|e3wR%$f}p$CN#ogvbo(tDb+?K*n@OJ*2nV*ReM`R0iX@#dLPsJ$ zMZtHhf5?kKWPIOa07&x(iP+aaUkDAsU}-1h;aJ0~OL~Afs?5IJg@{FZ8B=XFn8`Ce z@Yu2yQ7kb2sOVwRPjRE9h*-+v6oK&6`c8ME8w$TXYEvvQMy85t~vjIe12a4-+7#sFLcYOBew?2mFfrbwuN4VA>aL?GWHzh9@tN$bGl4y&1E9 z+$uXUz?o(hx;k*;uLf{mgEC#Qx+yS=qv7=JLhdWPUg-kM>hX4xgjo~1uHPTIjO5b- zdlUsf?|M9KFa0SO`R4K&xY|+Y@4Nx7!VpL#?hhT0V^;R+@4jEOp8hMxT{lmmeA$h7CYzi_tjSCumPRyWQi4N(xK0bDBq}`~9xzWxlkL(G9s($4Q zkKrW3HDw7^3cwf799Y(5HWBuUhw@V{XSB>jcig)jqg%0R51f0UDAVw2=u{~hhD1MM?6LPT z3t)+^Y39Q3Ho-M}c*5_7;GIt9jk4`&JGBjGIvb~Y&-@v8-(^8V0ym?XSVfSlEvk79 zfvc5f;xARZ*nQ{{^4{stCF$6f(n}|c76&s$U+;abep!kc1{_#Dii{Gy78d@p zipt5)N0_Qlz6*BqC`DeTAm%2^#$b^~2wH>oQ}B?I%j72nviBIZ4u5=n^hnR*ON{KI zdc=u#+Q#ycZcyw9A=rkM)}EdV^v(~+&wPwCOZ5}4CB*cD4iSpVmp$U}Bo6pwtLQ%7 zp{t&J|1Yytok&l*4RERH>*T*3S9GY_@(W!wVJ6JZJdl+X$^Eeq{@#5*;zq&h;tV13 zvu|=+OR1ZbVLYboh8-)#&c%kLs-aT-G5bb4YKe_$SGB>4JR{-iaL5=HE0?#?D&fHz z9HDvUK6Q9AsDz@C68BU=gvSxz+4z<#cc z-4VY352S(gW+;DIQE>3OH&d80C}5+Rg-R_ToX#61$iL;Am^8$m;!%jcwhWr$mkCy; z5;Gc^9dgt*sah_s?0oug_ql*Zrs58=hFXJ#F&pHUSV1HB=N^GY$2axl44Ax9xudAo z9TnP8_iO?q!zA-1X*us>xWTHX5^3xRJEcR`vC$1VESHj~+A~=Hn8Y7i0bQT@vESBx z_U0txlj45~8r58xIWI78wo>6EaS!NzZEbDgW_I@+4#;}}H9HVyah#nhkshJC;5S*C zM&_21`4*ax(~=ih4}}#Pu06K8FN-|9q_ZC| zrT?Eps#abKLiV0#w0%`#k!Kj zmkb0D=Ifx9{^VMZQR{m&JVF?s;<`Q=;~8qJAqs1?R%S02@>lQAoA8hM;#F=

-t~ zPMbE`nHAB64M$3jz)u(DGQ;vnv>-t&DHBqjj&+n=x+BGoCt=vc_QFrK9@@_kzB<-w zUH#d@;`Ab5WFv84ux&XHHeS*fxZXlRArkab-HxEaMU*moq8ZkZWa@$&ik&SQceQ|y zoF%~SIYf>!Xl~9ZK1uD!BljUqrf3)cUixiFD5`fmbi`_A4N7-iaHE1?XykkeO(L7U zI}6E1@6}>T_2xQo$L}JSW0BrLwyC%0p0QR2V{&CBG!)Jl>CJbNkE8P6n5)8%qGk)Y z((+Df=DWK<*$LA$q4?65@kimP6C~m?`gGJ1*szeGlkrmqG=lorD&jC$B+Jw_QUZ3n zV|>$4_*6KRyYZVCKR+^xD5qk3eUGqfWQ}@EXp!OCNpb1Az1mT35V(dDadPo@ei9X3 z@fiFWz}~||&`2;;s#(oMFTP6G9AJ%|FxH5Dn&;Li>$G)bJbL*-47S(hfR;bDuzIZ%X_^f^--8 zrmNV=?gUNBJv?2OiY}GQhItV-9JdV%QNw&5{9IGr{&ED4l;RLyVq%gH0g&>2KGKiU zjpAyF3cgrvj3$I_2^{+d#2h))Auc70T5s}lenmI0y>MM^7A9Wzd+hGtQ4r07Y8WuX zjvaT79r~oHgHm#oHy<%(H%kobQClJ*rC#ZhN2Wa7_I#768`7FDyB6^{4KRrVAvh`R z3;hfR|LblU? zG@9clL(7oQk|04V*0zJLKSB!Rp-?cfiEb>8Wc=md*SUAOOqvPAfJ(#i=;y>J>S*SJ zLxsm_zdEK~~5VROA%xbZB)gWPTB`E5; zn_?|3-a#0<)?aAUHo*Z)hFav~bKbw^5{Menx2t2U=&Wr)zVvI4|o*0lxrA_zXeR3sYx=q(6txuR0!F&HtpArGp10j{jAipE!oy&7KkY+E8r#^B8&KU(0sQr#m49oYsiUEVWoP-4j=YuW4k*TJ=5J7 zNhRRPuNuJN%UgsI$zIn^Y=`HhWwGdXO$@%t&RDnHLYtyN0!`TO$A|3+0q6~$$fCvK z>Xh7y+={G0n!bRYpm8`fl1M%*vIc%X*B%!y7v%OdI84ZMjI+ztq5T_L z?{JuB-HbYJWf{th7KN0pIGGcQnT5;IwM%Q}T&X*qIR8{4hk#GVNKczc{xSDMO65)Z z?MVVBTS*c0JPN3`cCpTq`0CsiFpT|al5!!Xkb&}O@=6}mqTR!0cky;sE)W+Wl!ZINiY3ZM5)vRVQ1Fax}W#q4q9Cr zIGZ1MehPOgVWtyB??yxV3>p8of5CNB06GVKUrD%#xIXRI%zXg1SC8jKH!SMHoEzosBRm1~8q!oz89#d)N9rE#2A{77b=0Xa*}r_IoNStm!{6k$ShLkR)SR5^ z+yP^A@$9>y-Y7B)W~S|jy=u}6Ccmd9UA06 zcmXE^_a{thAn%7rPX)rE@6-Nj*q1?wB7$nAoV*<-T)D>8DHW_cL7*{2QQN#{IsRk) zBC;=gUAtlFDRrblz9X8lzVYH+Y;_pqNM1{5AL3^(4>2!w6-M(+`rfu>uojEVLG@zT>eHx0d-Bn)|fU{ z)9~cmmz#z}0~!M37?whxo-d{kQ)AL`sN3b9y-Zmwy=h@uOyf!uF0+jp_XWNjp6Rui zFC%=##3A$2Q8OooNaPIB(m4HBlHcBMMF8es|crX$-Y75AS^3U!2qw?J-$%#GV=pN|S& z4sz!|%nw_lqAdY`p(+t$>WpXh_}e7RO`uqT&Ex{S@qZ^qOt`xVNK*572#>Iz7tY|uF;PA{tUO&aoJ zt)={#1GR#U*#>2@hs@DZw4lTKWfj$-5~?MdtUVzl_7tyWjwJUs5J1o$`hC!XoVTB1#ar%CAVyFT)<9 zuRrW>Y`X^koI-zu)2K>d>s|tOp-m4ucq`Szf5a|Vi5MXg z#A!38*Rxv=KtIPzP94{@t3^?{gKLW1!e}*62~oad%(r$MwF)%7f7ibX-lDaoYquJY zxKVA_Na-lWIFLMP(X#z~S4!>gj+9e*7vne5gm|JE5*tmd({bR}haoufZIg+H_2T?p z>D#7An6+CWh}J7McUx{d`F{ey=|Jt*HGrSpMJ5L6Cau;%HK$=rNRdz1eRTg7M4*+0 z!RD@|4Zn0PI2e{AkD${IWJ=N^HlkQX{aSegRsC;uE-W z{q5gb)^>$-@b|EWD*fB}VRd65&-P|5q~t&#Odx?A-$4A!rp{}5x+Zq~^@wq|(q~vE zx1$U*##AY5#`eM*>bAWI-bmLhDJlZH9evZVmLGUC=esC=5a};Ak(7#ZgZ)Xk0Y9cC z=q=wgxYs{;Ns*7rMlx^SE44ngDYB-)ubH*)Pg{o(Z8>Akqm{Q>+AmeqJPB;NOPG(d zM$cnJ^BTt})c-l#NhPrU922OvKie=w%=kil;%*+(WxK5HHWTsV_bAT{deVbT$=Xi( z@hRU@x~cv6zaj*PemE1e;c9_fYcl>Xf4VAr1bd2>U#Kn7s0Q5RJ8P$xq$u{`+r*S| z{eP_5qNuXGa3|VsklJy%&?j0iD0SSA4fx+y=pJm8F__x#NHg)DDRo>=A>D=a@V013 zh4ok5+(}8_^j5QY22RU)4+}F{bf)z&<)t=Tw==gJ_|k6}mty?aG+fqAaW0uv$ts%!N(QOMG5`-=Z$<8X>ZidsfNmRWVo20nls7wsp;~O2SE`14_vJRu3 zjgy0=oD>ae16uwrKlvF?n^Z{**k!b~fqM+jCF83iHtPSMKT&6#sX!5dnA8+FYQr3_ z{w!61qpbcCXfI0{2NNKwAK5aMiNeJaX$R~M8kIAn?G!5^E)vNzFX1<_=a}|4t6{F% zZF`jkNh45quJkB+PD)1%1;CWHgTVqB6V1`F*2*R9zk0i^tgHY&5gVRJ@CWRU=EMGD zn|;Ctz)hz>tK8@Dipv~1Sj*vOSXb3Vy{}Ub;?(=hK_j7 z4MB`VBeHFS!!Depmwg7*G?(NAm*i7xfuYgFw>3uOWCLG1!@~V{QHiYk-(PX%BgSF_ zv9vs=3X*vocp(Idzo+7(Ubs!I%zAq!c&=Vq?cJCHd8-m+SW?`BKF?QgSFgQG2F1Uv zWqG-udLoe5yom4D?2=YSMxH?%F1~M#{nU4P*z`$9$9U zGq`4E^W2)6ny6uYyzTR634x}amFjPovd5rEm?KyM`S@|88@{7O=nh^uDG+!u9%3Q} zHX#O$#?FP}mI%<~A%#eP!cyGP=!hTjj^7tn80O1`$=1$C6yZ@8edN{(QS}dKeZHoN z_xAvU(kS#9ooJBFj{g5C7X(Z&Kw_gmq31eVG5Fz53&GVLI6E5KR6yay+!qctP5k^# z2oR#IeU@1Du%oE@LU&~$&YP!-Q;CCc(uxMaUcQr#sg2<=9-Az+^PlQVP1glg#0%=s zM8I*?2L7b>cBz;qj(gXo!@rNTGPaER4}@ptZ17bzntwp!9cs6xF0sn=cU|2e=yR_R zhgw)(Jl7S}G<4Xav>jO}+s9Uouz+JLFj|YNyk(Cz9pJE1Ga$m{M9`J&o^$*J*S*Zq z7(ZB%b|eSIo3MvQPtbwLz30RsX0|PsWQAr`Ak-wm@7XYv4TUIhaNmlpdT0v@7WO-P zE~1vLIxBN9O)`k2N`$;?`Cy$o^AJgP4L!s0g~S#@@$=LOy@@I3^b&GjNfv$U_Yl74 zofgxVbp|A9g?pvD5h*vZw|aW&zI;xH!thjkkzBN9`3a85XDc(^=jysA1AHa7+FPP4 zG2=bQcZW4%L5Z71(umX*rJbE{z)fuq*&F|C7SiNRzzmtkweGEcr2E#zQ{YZzDA7+H$l<%HI3 ztSvhNhFWT=evr%WOP9ujLKFwsiOz)kUQ_-LE7LDk+p@D$aI{+rb_7TLP+#u zed;neate^gjfsmV!6aF_-K6m9UnKN?$k(RsT9o^5&>vs@CyniU&G5eI5zA1##P`Nw zJ2Fkd@IdRAu{`*LKD`pLysbK)zdDI;HeFu#hNzph-BunAa%>F!rU2lEvbFYUq_ddH;|17mYaP~X1o>USFRdYbK7fe~KvQR2)s>4u;0 zMa;m(5@Z2?`AOL)LdcYeL{(TRA2))iVnjOJVW`q=;oe-A>n;NQ#T7IB^f){w6D`EP zbtu2w^oS!6@qUuGOO5}k2G^AZ@?6r)I}rL2je;E&ZG+wZ<_ZNMJUr7MlR7$29b}1W z$-kma$3WB=bLmfd)5>KnW`BxUrYI@3O;=tL+uFUd^rIoHlu`c~)d_ z#V5X#uBDr6u?r@oIaX4VELel_y^5aa|M{O8r3z!SN%#x*KY}NCaZ=3kiCyIst^jw zOiF@cHaN0hahq6O0H_2T$e%998rI*0+|)jjNZUBBKa7t*WfB`VwzSAvI|XfY!Nz{r zgogO!tLaO{4dU)vT}4J3_s||Ne!p+eT*_Eo{+G=tob05wJoERjq4w?Hdzq@EBQp{i z(dDJY?q_0me}_4Zq@5-LHcG{=@9zBzc}-OTJM%%!PmX}GWx+@G%^lWgeyslqfVlvECTy;C zdvqeV6B{6mOAOE^)Pa{Yt&d8Ia!X2J@7KMAu!z~9fWUzMw2F?%0xaFslvsn*cORil z4ya3F-KEZf9x6_Ow!giP?d$>&~BbldSy5rGHpF?7zlhN!opKkSoRWeWAHao>S5J) z<0w{G+$M0RR8$Yr;KPDaD2yQFo7?GDmSxxl$a}B3fiH<2aCE|5+0rL6m^1?Kd%H1= z_WQ$`${JgA5}>cXKd29G8%zA6)H09`&vUbevsQey`%WWD!xoOYB2L`VOkB{vXzc`^ ziTD!dynK0ieM9Tlp!&{C_}GXgKZWt%>qQL_-;6_10z;|Sy&H9-o%|NCHkQQfxQLv; zGDXeGt|vS?s^at7ezm)vIWKVAuf`Sk;|)tLjs0VmCtwR$b<$;TsNa4O(hiPO6hg=3fK*za4fR^H zV^Vlpy-eoR<3DRXRV8pcsRGsXOijnup7Xn_)3m?*g6g3b`yBEvO_dS;&tk;s@X)v& z*#n5r{KW2;kyGZ3(jCuI7Vg8*tEQ(%wywk!`xEi4B6k~BF)+!Yw_ohuk)cl-q33X$ zL6JhcAOerEzG6JB5Vm_hA~h}hkCd}4FVE+_fRrGFLsd6y9sHBZJ2FzC)->L85QYDG z)GnD@j}}Sj<;!U5ww%O%=$mz6kcp z6eFuZM@f)_o<%+t3mebC+ShXBm2VMX z61l6jNFb&H5%BI~rKaLfE-qRUGJUsuSvs!R0Pt0Py6;bF?$={nCg$e#wbX6C4x`cT zqshF8hB4Ib4>xS)jpMGxS%1wB7u=!*rnvt^J`(k9q<&O)C`hPU!yCzqzl?0Czvheo z&OMx#X4%+PxIgh*b~zSuH-lVP;(8`Umv@$DgBRsn;m@z{_7z^KMH{c=Y1sQr?AOBI zTPz*(Q4e9VYXyR*>n9;}^I8M>q|dfB@P}zUc$M(4d3Q&?7AB znSvd-nLPzn56a6+hvIW-QvdgQucwK90zTp`DPgOrtpl)zX*irUk_CgjiKWc4{aitk z78>74C1j-Fl`w(l!p8;cwqGX==j977MHbe>C2sn4-(D9Clh!vj#O?qfF`;h+rw(9E zOSR0ZR;tlTax5%DJDZ5{j^*AFf2c#%O5c=_b{_#0I!qf~&%~X9$5uaf?q(DP`(N+Z z49rI9XlYU4lCrC-R~(Zj3QN-CfPd&*@3VsJP|$ftR8f{YoSKeJz-eU1n5yQ~S`aUq z5$Y99oKbFB9p<4pn*1%|prP`=^wf(ku@f!N$C8rQ1jF6pl5)w|&0cUJc?|P+Jk6=8 zC7PJs zTwI&`Rj2Jjd@Iml)B@5wnSq_3WPDiOjf6X~_=cetbO5-0xH*xzFOIPG5~o!WO-w;6 zso0=gHy<`(qMX_}^=NoQBI;elFCVgvre(f~usk+5L`@{~Gk z;aI8|GY8T|?J>PjRAF+Gzv1L1I!-@@`KIl?A+`vo|-DqCEK}W%gtElR6C4Ki4Gv2ZBcFlyK2rsS_HHNVN-fogEXsTR1b@Xm-`Mlez{s}P= zj|U-(#UcwZ$`pV$)+5q_jk8>!{!~;^ZpBBO9)gCz5Is<;Bwfs?NcsQ@YQT=E-T#oy zh*XAkZE`mFqZpJPUdU@DYFG~WS|qFrrQT9_2^gr920TWyW8!vZ5Qg6jN5dR}RL4H9 z?IMHK+xZ@$vo>f8!qa5lnwZBI4pmJv`F0f_+U6-qcZ*99kp9}|ydOPk7@e)OR3oy{ z*@M(w8mJM>X63ik*xA0{8t#{xkgH+cqs4x8v|BJ-=yw#$D}S?M%jbo;c)P?QkB$x3 z(KCT;nZG9TNq6Q&Rz?OTOdR#6pfisMHIr*~p_hqYt79Q=hFJ1vH7QQ0(VeS#1o`@B zyd92%^3f`i>k(~>Oz$inX^8a#M0gW^i4disxZBuinC=3-TKoE3Su+xx2CxH-dR&P| za{rbG3dNLm#?&+>uJNWvBau_<5g*nOeI^!2Wn+zi&kcEve36Mj3k55D(j)I`H-QEB z&}FG|^2>(gMW$PS&GqzG=kpckgC-{(%v7Sr8yC+TW4P@HvC;0XzC0=h$MxM^l?vuj z%W-!U&oBIY&NReHIzD@+{+7=WeELXMF#EHa8m(=yX9Y5PH~Cfy&Tmc~>s0*69_QE$ zS_=V2NTau1@2pzw_xJL9=m9CsFjo~xTmf%)uFL}#LRevNIs&Jc9Ys5CU)nF%1kN4z z^%TsK=3P`a9F_ER#tb{G5v%7=;ZxU|0WvA!$G#_uE)Zr`Z;!3Oa~-AbxXV#_ zMwzD9!%*Kp`ecNj8QRu%&Z;sm3VbWqA!(e#Ai{>Tvf#gZ%yv=c-4<(mmR%-Pr`JUk z*CyCgg%5QV-?AN zWP|GP1cYp<2#pf{jr^-lAU&*TJzc~P60xf^3Dc&i9iD(H^Z|nchdD`K8P{};Ojx$? zBbjg=BUtyB#UK;QKRv}Uep4yt{iS;v#e^(4D)`1^_?M*0n^KW_WmV&;&c|&HHWxY2 zn|*3Jy`g_f!K`TF?06y`tMs#z9Y87_u2hySZ6x;|D1J{rxB-G(RU1>6W7Z%j!)YL3 zUprXaX#qE(jv{#qQ|jl#hlgp?{8W{2H|$tcps{x#!#$Yz$6J`Ums!L1gK zOGHH(c35M$5AG{!IGjc}tRj0>(%6AaEC_t3O^`Zn_YNR;)1BHh!R^-ZJ$!Oy6(8-p zb$mA>+YdUP=L{#Flb*?|Q@*^hXwt_DsF|V4wMKClNm9&tbwpmxFZ$-qr&!$2FG9?W z%U66#zvE7zdwxEXrLsSj&uPSUoRhwoE3Z^~OwlI~aSf1N>jWh`{cYO^y=y8uXC-W& z)9cPa*|}C%$}dDQ#I1aNe#>Toig~J>GVd6Q2@gdN%RqHEkinw_$BCPDdQW0OV1TB6 zz*e}2K@`xT=&wD*jP9W*7L5HAFN7=|867k+O>uxa0tF$wjyimfk$#Rg{P89X>jy^` zt-?=TaUhsXdN^TZI-)gxMM#J%t$`LPehnuPZAl(30~0TqnIVx`7$@XB#?iq1=1%fT zQzUGPLAB~+?`o++)1KNhy0=J)uepTQ8YhKeuWdV#WrXqJbSLy)o849M{p8uHB`quk z{st`gr>C|g;wd%Td5SgjmzZWQF7DghUg7lhlHJ-g$+^V$>HHb#uokvZvp~mF9nOWe zaJMswftGnYhjCg$n&DIN{^!#K^Cts8zS<#l{gl!|yxrH)tCm3lfW;yyAw@aFeU!R! zKl`mc-|lKvwjmo`a@6-eMXui{mbOVA*FAhB|SB!Ddt(_dYy*c5xHqAm-4js ze`7lIiZzurx{-G{{`+is@3BQzm7>yjW+0?y@P_i}R$;kw9F&ruVhK-o`)Hf(HY7r~ zy;gSAYL~OF(=@V7Yx{V=qiUqI0c{aKzpxMtxYY0$@whD0QC)9qbsb(4ivKpLlsNL+ zjAcCRq*YYS>AC6mI5hNrpuJ&Qd8gL#Jmg?k+DLc1=HNwz3Q?roSP+X6HZNe|eycU8 zx(k)n-@B1Kv0ur$SRrr7W7V#B%w4!{@ahc4oU4&KLM>a~~|cpEVc)FT;dI$k84gciCA)?zDC+Q0a?1IwmgkG3k@9G_K;PpJ_q@Gbt zC4$RmI?axN&zXKsi2~=3YGu`v{W0O;tc9lj%;RFiCt09o{0?IB8nBi@HN3rY*4EaO zW6(*R3JXyx++eK5De%I2Juk1Dr@l|-)D2UvgW+?dd#MlV#WD~jAN9)s!Epn zSpGW9&c4sfr40>iRz)EC+SOP%IX5+Ik65{VR6Ft>t>=eoAUXcqO2pW0<%$W5p~gBP ziY#8wlU#duoj|SsyRrQ~m7-JF?3Tk@`Q1p7d!e3=YmGLTy#!=}-oT7`jYeq7RjE8X z^-wx2T~8++S)!{gNsDa+kr`+DUPgZE>KB4>X?Vj%e=Z3DTk!3W%Wz1_b}K2h;0jAz zd@J$qL8-Q)NTo`3f=g#J(a(&_pXpbLaCt)~jJ?~^aZXEaWFxKdTGKA~M-(wzX}K>- z{O+^p_Tu@|jEf5ecC5HY(U;25S}Rh!f{9(a?;ePBB-{80vzjmN@vyOZSh{$pFfuMZ zq2XG*600DCj6~RBtkboL;m^9>zVr$dQLHrha%>hK(e#9}=uYFw0X&TtCY}*zjw8w~ zoseBWmGp>p^DsTmJnYX5xaws5R^K_Mo9|+F_`m-QAKIlVJhsJ+8oOph9L%CQ{2u_0 zL2LfC?W(f8gk~Cv;6p*!~%*uvNV`yz}wdGlY_F&QPU`Xd2c=@Gk z+B$mpT_a4e1gB!oY8#Y?r4#*{P;Q z&B`Up(~nv1nJ@ZIa-lC6$Tc!7KV}81m}fw3mg!@@Cs+>kiS^0lt@{Q(b->U+n=;1=aQelGxC8bfDaUyn`)uy$`Syzf+9O9gR1duT>A5;6O{zN#zx(6yzkc`1q&%D()qT6txcoC& zwBV2zDr*WS!Fs5DfviVY@>IQv)c;b_S4+IIBWRzd9P6H+ZKIE}SrSv<++@NJfyJFK z>%z2j`P9L{QrgA1=!xA+-=R!Ug#D6dEYn?TLlnMO-W3n8v%T9ZGa-|!vY}Dlb+Jq` zvhqqD^{!kl3>G-)D!d}}f*L#tIc?Om$tIiN<(FSJdljUwz8-7Gb*Z83=;|<`^X_}^ z;izMdwjG>bdh>O(vB4X>_!tZvJP3R5y%%n}=_WMKnq?JImBGLSfAjIjSbg=?vETmt z;IhA5;@Kw>c<7;rN!<4%dEh+-oWG&C{XQ^ zSX0v(q@0lQqC==WA*M>2p^n>50V%bGf{^vJl#Z8Qd<04Qn%I23)v?V6Yhl@8wb*8( zwfTDuY_;ARSb-#V$4%D9mh0;II#_1pP*hTTh*1KT()iLzGd#K_^pZAM`y-Po8jE1? zkXkD8X>^iQ_^B~9HD@t!P&pzcLA17IF?w{FjWFb>%+}4SM`K-!bwtEUVn`*@h%=75 zA3A6dW;b*oqt1%@Cd{5On~G=}gKBFrV|t^dSLsjlohei5Fl&0V5pL~l-&o&f@3qps zk1dEc=}UGpq5NG{UPYxRfN4`2QOYn!j~If=@=AM8?kcF5i_lAfmw)|U`GwWUdTOa= zX%w#ua#h~h(Q5fTEzDmj+5Vh&wS4APzoi7Ys~YoPdka@Wf*hjG;3o<9Q4#c!#C5Sw zWvFW;JCo$sB+fcpKCfu2vqFR{OL^59kK3LS(rIjSND@RTwK9?`z8w9`-#cU47!5<@ z4?l@0ulnf(p_r|Hvz}Y;V;SolZ*!3n65AjWB!XJ%lG6G7ye3Hg^*Z%dyQ+Jvsewd_ zWuSH-3BAH&Iq<-*osWl=1AF*=$Sah2d0c2Dr$y)m{Z7THz%ovnO_gfzKq?hy{3!24 zco|lVGS=${&WEcbPMEK)jSUDeUwMak3x#1SVeunxWzY;;vwrwf#v9ejd4!QhI<=^L zS6X#JsTY~AHkqUxvBM5EO-s4M@9g96oH|_ey>(Iu<08sFr_nNt93mv@B9gMRc8ae? zSq=gs1^g{SFK7m;0+%dpYG}63)7qL^#$9n@*t}+>XsT{9AJn<)eX)6iMaW2Ipq%-f z*GKiO!_=WOHkv9w=5CaI>WuJH&KnDG&q!EB=o=e5*apR!U!}D5^LGwSO@f?E zP8~OtM@NVE&BeoPR!ukhhUfApU##*_ws~K;59Fr6UGI*xdh&R`yH&b$|}snE({$!6y?5{9V0b; z)@&@c+>+RmZYO>>-p-KDkigGwsKYkfY>nlXTMnR)LMf`aDsi$qk zVDR7pSaY@2@yRD&qH)@EY(;;TUurNLA7IZt_Q0ykFK?q_g3b&-`}b#Jw_SF_aVMOD z@e?)5W{>8L`TZD06wwELdvJe^P!*HPrRAnZ>McunL*ZppiFM$%l*q2MDc90vms_F? z+ikiccHVLs?7aC3Sa}Sv(`L(Hr_EQv_8TvWRhI^K*=kvAx5-M_e$!R4{OEEc^dWi^ z%25eUCaA=xQ5p&$+0kjlHbSMD5+3dCo#<#ySc9r{w*v+YLRiyq84bDX?97_79}Y*X z0n|vIp6Pd4Sp`ig1`e!2M`r?!O&PWuVa%FYhuO2zsBdaUM?8U*R$dkDbl*-lwYAmA zP-%_FJ1~7_8ylxECQqHjhCdB|(1(_mCJY)JF#_Mv)PkCtC^Qm2V`e7_eu#u3iopX0 zAVw0M=t!_JPTS7;wY8NNUo~plRIj?a0;7l5V)W=Cc26A|rBpx_|MJoZh72ylfa(EM zwjxI0LyUJ>ly(DZC@)i%KG{n_E-x)LB}g3!O0)85_Uv}dm^u^9&8?P?LN>)FQ;Ig< z>;J0JFDb`zSG+FhRmMm|&Qn5l)f{`}uV?R(O4Ttn+>TVLN|{>mD;Gb?0}U{!^GjKo zp%R;+@+~D?9r`lTRcs`O%AzkAK$>JOMN+RU_LG!0wKUr?kge2LT3g$U-1$htA`#76 zDeVr&b+(wsOCzE;x9rzZcl?|TLnJhW`p#BXsi2KnGG;b{8z^C1=s`rYmE>NstHm4D z9z19m(yZ483q)UEhRBESkrBa@wFX^#8IgBAQ-#(`y7o4d&`6NXC)!&{h-j4$s+4je zLRk`|3=0IAA1sA##3`Ae0%kKHb4WBdVL(kaWlex`CW)%SgP1r!GE^I*;x;1j48wIq zv7nos{L;OJNheW$$7~{ll!me8R-B@ETDq&BPm0p|9VA6LJ%?r&^Nm2HSSX9?knb#V{4}}#EIwf&SYZe9}lCIHz z%hK-wiyocPp~7YPY-rMq3*M>|glYahIQ`p@FVnd^SyShR;$2=IMQ5UuWx0vJ{cK~H zKaB4pnQ7CZ%`AJ+(WsGol^v4F&Yld=XY`FmHm4Yj;^!U146PDQALVZn-fG%g$^p)2JhnS8=)Os;ltnXP;s16;{O&M;w8_|LrE#Hp=9HZP?V@+=Ac!_P4g< z@*8iwf%>|c7%`*_<3ITfZ@l>qPCM;1?6T8Nc<8|g>^P?|71+m~coL1xS;W}ZKKRf> zxc0j1Z3?ue;_8^GYp%K)4?K7uuD|xL7`504F98n9#KMeRgqd1I5x+)An26BJ*odPn zDT2GmKC(19T54UkFUWcypaPkRBTb!#^cw@qfEwyF)igQs$Xd3CGF569+xR=mXKa(? zE<&lEZO>8>OCq3Yi}YJF7fUJdwM)B3w#ln)daF$rXB#V}u!4$dDFf?lPuu9Tdi6D} zyt2GXd(@$_vKqAmt8J!Ff@B~R($r5X27DGHvCdFwqJD>p>KYr@s-XLdsv7Kfz(E)} zY77wHiIawK%^ z6sGDLXl`jhhNM`&YBN#2pC-X8sjRf$ie0pXvbR-x31p#}>8Yf`VfguIc(LyZ-;z)J zj%II7yYfD)VQdD{(nx;_piwt1&r)ZJba<|cafgK5WKrhp&pK{KH9nutK zT8~Uo3U`@xFdb$gRC@1YC7e1iT%7dJZ(9RojZe&HhvkXHcl0q-C zJ`cEMdR_b;9qsKbw*mO+kMh`0As&l`SXSk|pEADM-f3+Wp$o7c^rYnnL-|Dgf9foc zAjfKJEe=9?nSH@t&~$E_(rw>YdENJZ5rUap%J^mTWKRQ*Ei8X7Z$klZ#_qzvk$N}F zMd6l>X;v;<&{XZv>=zyOXaijKa|1%*0mEs6BVORDbkjgI-JKc0N|?uCAH>c56Lzvg_v>+z8i z%uHv7PntBzrmXF>(=Isc_h++mS0XrQFya(~B_TDx0V<&1;em%A!nS2u4|_P+=Pub+Z<0m`6Qlv{4qR5qxF7e z!-iwu{SU?^7hhnbcAcy|J~rMXN#2#WIx|{vE2B`>y=I0v{Gdb^QN;J)ztR)?Glo*H zx+Re(@*%;jHF;{jv&$aV&K1u&le3RD< z38n27MRF^5nray!N!C=#2o*oAg;d94f{l5syn+g!4{;KHT{Ze0rYx`#F$(`SwslR- ztrYw|+i)c#0-zD}Rw``tR~u)wb!v*dx2Cs_it6k}Z92sFsSHk(PbJZ;Btr$!W+ zhRUico1)*;+{t)_QC>k}5n?!WuZ_7PB&V~ZLO&}PPyC4Ytrs1Qt1aj9KT~o zBM)jZr9jW^DrTa3V0Ojp0$rtvFdtQCG&=0AQX(|XQ_rbV@{1NRH>6lMH6k9MT#%lk z*@8)Rv?bzpN`^Mf3s5IWWYTC&bZCz|w5Q{k*<6PXUK6a7+R;F3>H{P~B9^+Uj>;d^ zC)Ecjy&{yVcV_rU3SWN+^4lfjaol+Ab=Z27E%E+)@7fH4YAX5CU9`;n@B)gfNidZcvzwdo{9{jGpS}0Px@)YCwboh(2OoMQS}1IN z)DbfjRv&)!1?89G%Lwzong^r6{8nb@kL4|eZmc4PF3O|B4munwEw?gOT5%PeeDW!{ z{IaVseR`dj@BD6Qep~sWPKPem4Ubamq355Od^^-__}phpJN4U-=GpaT>|RPDFB2zE zvoK^{e))AAaKIs0fBlWI`yPAXy$?S?b90*)Ox~o~uB0g}{SuaDId{b4%3p73>GTN` z@Sp$u$9{{9ikN>NL>xsBeI%AKo$E@}&zeQudnc^B&U)B%)2*@EYOCQdfB6fh&zx=p z>#>;9%5vVx_Gw{3o%)`C{?q(d-;1HGjd>Ec_M``FJorJoiDAA|MJX(_^Xk*0g$S6I zGN?wDllW3wmHfYeSj_7<7&NGc-=y6L zy>uh-D>r&SFD!H{=Ux2g3(DaXzn^493Cp;jaz-<3eCl9j{(Ggy`wp6duQl~y5q!;- zDS$pzj*64=;Dd3ZhZ#N2W+@1Mz{9|sHUv)lE4+O%nQ%`ih( zS!ER~+!_sEVY%h8-+ud1DNkU~kiqtG-u>tu6Gnqa50@mS5?YEiDg0l1CAM&e%%A|JLk5xv^P4%F`3{Yv1zhNq}VRZ3cN77BNPm#zsqrR0YKNbH- zd714K;@A1}1}Aym2!@Gq+P1p;w0>p zok~+#6^VWc^P6Ns{-qd)(uxwMwZ!rg!60e}M`>4Ket7RP;_4x%(rg_Mmf!O-{-Rk3 zqYf}56wG$->a%jG-%=BFm13+8GX3suznuA>!2+n4Ro+E;rfK!sKumH#1T~ROvn=Nj zj+UUjrV1&47J(@1FKcAd--W87gAk*x5bvULs1B?UWfX;&c42QK32KgaAkF(oX_WP( z!rT0a`Rplj`3&bJJ2zFTt&>U;Wml>TpTGS+hLlxd!e?KjB;!YbdTW^G%eTLPzden% z*$pTq0hm!g3(vjuB0l=;Q_7DNN}?pW3}gDN)^44!7ZeSPlZ=$izDBZG#*1^0y<2ha z?lqk|MA_7ZY2Qw?8Iq@-bvDkw=n|9-8is2wz6|#~@i^+!Nn7%xqX{y6PqUT6rDd2r zbtWEo_z}GL`s=7&Y&g!j;QtsQAD(>SC0y{A%Q3r!Qjld_9atjb5-nb*R*+xAc3II+ zgD>c}4Vh0q^%T7H$}2eOwA1nYOE2T|v0vNl2BW_uY4XDiz4iQ~2j*wqsH4mbKQ4_n zz|&@mn!TmCJoUmWc;L||El=YK&7%Mo8#UZ??zi6i5ZByzJ$Bi1cl_=4Tk*iZAGSDZ z2Yr1HtBcC?fS+C~UHtt$D2*~MM2dR!Yp=bA7hZS)jrnC3-iSB-nFrKSrBT<;jyPId z+HCKE0c=k+kaoZU2jQ7#p1~uJJYqVsX1>1j&O7Gq?Ai4w<2PCuD5+$qMrO6VHP2f$ zB#x@8sLjUchB@{wUQPB&r}tNXdg^z7zkVpXQmlz=r!{)3r4#{vdwmu^%SCoxGb!@% z{XU4)YdwAbuA9)09s7-43yJeL-+Y_@MLi}OT}W~{{}?;=JG)kqFa;i4E6S3&$UQ3`Q)s1nzv~AWdH{ix=uSAO9@QRym z#gD;yj4Ne}4oZ>!*Fhy*BlOV< zkpy)_Q0bS#Nt2{T7%ru<5DB4bK$YEV+h3jWUJ@&1+bnH?oiT`M`T}ucW+fr!nWL%j(ErXDIW(Qj18FW&i z_0g`enO~33%PS+i585&WonNn+6@e0dQ~K)&WxrQ`Z+++Db-}NyJIY5vonFq!-s+UI z<8M38j`^)d(Ic6j{jVNW;?k5KDeY^)@~=+3vf2uaTxtodxcbW8QAn&mY08vPX&57y z9D^~-FM+`$hhpgBBXHswC*#1w55~q@ZiW$KMj*&C-^g60j`7Wbx;q)`* zfB&FE)-CBOLuv1e_dj^|J*>UjTBx8r(2-?>1`Nb0r=NoDw%?pO zEeQ(!XlUucpkWo>cb8GQ;p-|BX885>{WaR|UES|OBjr;@Gd`TrBxvuq*7-|j1xW9Xgy!b`;y~ zv@72K>@&1=Ca~jfd*Gh?ZbzhoLQq-sFqUI^rFutgIkut-`9S zFOTI{S`iZ_O+*KUmfZS6)FpW}qi>S`?GbxtSg*`@`2-RMjripxWBJY(-+qS=KL3KU zkdI19mQ_CJEWx%W&hOsR(T;6**d9wSyOee6th3=ds2)&h;i$t?ZH9tTeCK2Ky`iD8 z0b%OVdmnTV{_uxCpoX%xxv9x^^8Y?)34ms%mBymfbIX}L6(W)L*%&%>D2ba7qehLw zxqmnpTW+}}9((LDn|`mg)eTJz=5|4${OE?-q|#C|8ca3hQE6hfbnBv?AUK{&N=5`)+}$vkD$-f+T!iqFem27k)ICy zZr1Uk|E#PR^82ZfwXwd4+-ugA%8O*UgUyJb`?lFlxccgAZIgA)WO49Lg^_=BG~ZAt zgkF&{sY-6Y3-0xkpVO6JXL>Jtniqb&eE&f{yXp6W)}9qkN$K`7%FJe>RgAk=vZxO5 zr^$8x95Z4u&jHP#frI3N@ZK+_8;#USC?is^K@Ckr!+JqJ7$N< zDy<+k#4#dfnYrS^i!ko)Evydi|GkPqg49%jE#H;{b=dvvJr5NW@|)U zqu+Y2-*O|hNF(%`BA>}o`7we{w^UBz%ro7`%3~I95&X8!E-Jk_ipB`SC1J!apsClx5j341UQnNqMGxklfJ5 zZGP$rZHZ3Svow}mc1i5K_wI;Qm7zV^Vb3&6Wt$zg#+ao?^Sv~x23BEa!))CDulq5( zX%-GW@-Q^FHM8E8lJG^W{%d)Oa$1{Vs^fs4&WvPU*!ENJ15H2DF?=M4+LUjV)mFu* zF{AOxm!G1gjbD=QzV^oJ*m$!|(caNv^>BLqH2n6cqwwM@Z`=1wF>Y61dp*`&e_L#_ z#V&aE#n&n6BG_=Vjd00duEnOC?}*0MMk8%kUvoXy+h8-Sw8~m`tgi+Y6}LCvejnRx zw*&py2>Ty+82$B#{!M?s9h+^rE!JFTJsfrHarkoVMC<4~{IH{KXzdiX} z{syK_pNTcsUKjWL>p$3HhrO}cw!guBk3MSUIKjkfe-Y(LdrK>Z4c! z`_>1aVY^-T!Yb=*h+|GX1D|~}1?OFSB_4k4Nxc8b=U8^N^)24oe_?vv3|oJ_=Gtpu z#;obM@Z$foJk*GvuKFe|OxumO{vE5XvjH~Q`Zu`e;YTSuft#+s9)}-(I8Hj{4>w`1T|fN*`mE@k{#3v*pS!MR-?J8-KL-m%rabj z@nx7WVG0s)9Y+W}{O}|A@{6xc4^jTQtBiD(j`pMtMyA=$mc>e~k3xG!=y^+X8(6im zIO}zWZLgkv{@Iu0G(&8Lz@UKx%w4=QZT{%D!qwF}v3QkX^V&U4-*p`H+6<0xo3;}vI#OOIg^n*3$_G^A!i)ZF`zVz1``rKV{doEHmo44_*69=j)^C~S zHXT2zG%%g~Ci*?Au9bh4AFe|{wseq><7}2iODp5A`?!uE&7-bf8=ulH<=H*)uYcjw zk3O>BopC*38aw2lgG%6!hehtY_l@bTDF@or$0OGU@1Ys*sk`_3iwh&u{oLq3l~ZP< z?#;O}I&bgn9PBxb^GjFvyMGjBb`eEV60~DO zVHpER+9UVMX%T#_|5gcuTQNlFycpD<4iO()0A3wL_h95=qj14F=i;w_zRcUCin6>c zPoi|(qGbD^nkvk0Zo$3x+>ebn+}K7lb+ob0f^TX{W7-rd$2k(CvI^XA!%aBsu)}!0 z0kfOh5MuGQnZjgL(U2dh&Nke7%inPPF-Ky162Qm*{V-NsW=Tw+IvsyJ>r9-Uw{ z+wAwj2OYrg*pBnhy8xSQvN^_n`6-@#=1Dtdw4*bJ%PzYdx8Hsz-h1zLEVcBqc;JBt zamHCEV~3r0#tJ0ApM3NtW;e89>hx(?Y~Vm!{u!nY`^GCTV&;r#SYpXBB%pVi)>+@u zg1hdz%l2t__nkLz|3eSr`kQXVSdv-or}F8ipBk~h_3zi&@y*(AYV24NVqzRgzVc+v zHP^(jVZ+cuztoTM-n;MO=%bIu-h1zBqrQ5sQRiE4z0=6dM<2b1>#n;Fx7~IdKK$@g zBS!{`1r4f+3~G-n#{p-vyso(7iblT6%3_#2c`7csVpqHup^>1!&WnHwa1m9 zvASoUeU=1$TRYwA;)^fFkw+eh7f2K}m0u&kT2rstx$;;0^gT>MFT#D}jW^9Q z>#mOzes>am%i+tBFC*=EQ|29p@Czh3!goO<$U zIP0vl@a?zX;>8zVwDg~O=9w5YXb|qb_g*8gT1xP}kOIPTR7!FuLfly2V8XJztjr5D z59O&wc}q&X4e#D%{)-T57P6rIxMt1rW;TSwep{=~Br}hEOn1VgH$*z!Wk-4I^sknd z4s)wL7G$So$oekoFiEh!MJWU1Pknu}eKYAsrKMp^n&d5I*0KiKYjZsZ#Z4q#a2xR{ zZXbXAv6U^!YY}rTRr%rz<}05sx#ZFqIIxy-BEfGTvAA}2dgNMD@nf;5%_Pu?2$Ewu z?L%eK?DFNx4b(=$UMG%FRZ)ewPP!m;+JozG5E0fIe)UJF`OsDQq;xBNTH7z^netE_ z3==0#H9JA4H8_&&XIxvFlSsB@P+l5Csg9V;4@Ly@z>!i^4vtDjRi$7y! zrFQZ|I}4}fy{3B;-7>Sa0~O`k?A?n?X=#XIXP93Vs!Aw{M)GZ74jrw0hd;B4ECvl5 z!XFtV@~3fxm|yA)lFQlw6*g^HV6ysq#QDJ1?|u|9jrB3T)T87%w9WGjq{q zY!OBL+MpVwwm?gm9({VK#(;tPGXt97zj}HMk-#)+*3+$&SzH z#!TLwGkWHky!*WIccl@aQvXAY-VJ5b2=-(8b1$QJx{cZ8=$_Z=Kj-?hKiSNGtk_ut~<&h97N=wk$+Ki!8 zh_%7)2k*a)ct@L!$W@d^NiwM@Qc3h_xe#TNPfDEhIA*#QQ1lB8n^FiSd>Kq>oQbK; zGqCL*+vDxe-ba1B1^<5bF`RhzsR&er@x`}aP-!HYq+DBaP9li*a9liT(E3 zi}KWuF(az5+Da>$*Cmv%iwzxOX{(<;6>q%!0**c6x9U-~v(HaH?gTvh#D7rY4`Yjs zHo@;tJ{4bn{3$w`IuYvf;Ug0NJ$K#}wdIxOX762h$LH^UfOZn0+A#yrFmnc~f+eWc zj7jE!P8aEzRgYm&DzGE~XzxHd!!98?2{Zj2%}rQx^x`;Z&%N-)M;|e~Q!L-=rc8w| zk;3rW5Nb%S2G>+$IEnKzBdf9D+UsE2cjHk_a-oTmxlR%qzv@F8Z4I+<=)Qa5na3Z+ z%F8T;ryuzjeAJAmeK!stzVQYQ*nLl&_}im!+6gC6Zf8+l62+>^E{lgr0`I!zA84*? z;dcUVz2OFYMG~~{?z>~HRo2C=B%nIRbH=3E$R?8*Npjsm5;3f{97_xvia66z9g88# z#;ht2LD0xhx~BLUYaw41IyWy%z+z4qGJWtW}oUY#8x&YFV! z)KgDk!womZ_S#x6#Y1105Lt@umcePmq8s-1}?|*N{N$<1IK1j%KGDHz1M?AIB zpEl_mGiDgc8n6cQL-C$8_G|03(B`xoZM-SVN*hKjy%cuaeJ^}Db{t}?YhA2An{K)} z8XD7BZ@u;G$jEiqUDy2GdFP!;K4V5GwS++Vr+oWfFiR2*t<01zEH->NUeU<^CR>*FTKY6Xu-)RpN{+PyU+6T)KhVw3{Oe!; zGV-6Lyw@g-+Gu?B)z`Lsefi~AEx&i!Wfz=r#u-MsMczfcHA7n8UZ;bpLq?rIyY04{ zxv8nC!If8Di4#sZ+P=BsR$i|C57L$%k!z)YtF5-f5{oZm9VY4=(2=#f?Y0M2T4^Pl z9idGwzxZ-IKKtSeoOb3pHd~~&x)$$!_&!cQ^9AyE3{K5;b zF#mSMYOAe@OD?&L<#C4X?;v}{uc@icW}$rY$rqM)>V$Yydsz_bq*4dS>Z`AV8?OJm z&2EUqw6R|j?@=D@xA$IHV~y2u#~rtkJa?j%W$B8mufSUCtV8>C`R(2|LVwJ`zeNkn z%MCYNXKw%Wr}J>Yf%{n)nv#F`5l31%`{TKPVtks6%)j!=+c@Z;L$KIlOVRx${3dKm zsZ+MMwIWtghV8f60dKzc26o(LE3C5o3i#|}#$WQD-~G)uU&rQ~?}+s_*cN{{_k2s| z4cA^}9exKNd@znX{sgOgY8jXmTV86g>H8iF{V_22mh%U~M(OPbuQaS-`?M9=XDvx%oqHe~Kt#LGZsg^8Q1SOteu6Zn2%6 z{RxtH>fzyZ8l|jaF`7~~x>4p=ghW2fdKdC#5ux~t@V6%C>&%J>6;J7tGEusl!_Xg@ z5@x#@d$;Qc8^y;Af0yR3&h+Pg4#PB*P|MfWd-}bgSMOb2`|fBT3UnYeJ35GA7 zL}h7&By}1-qjI|Bs1aCh@i7=n;`!xAAD}!;C6e+aMMA&snyX=lt+&SVB>$7Y8H;S9 z0~LH;8t|ia)@+hWl6rmvUouWZp(d37eA zVZgvDOr1I&%PcVlgQ_YqbHaGEH`F6a{l-siu&u5URV6W0m-9`Cl%3rhwuC+e!JiPl*bvg&6t73 zs%j7*c`b=VP)=ofAc@r=n^z4CA5e{4LlXk(xM-+DHr{~&ia&34+^1$M>FE1V8YKS# z)Rctq{>v}p&F7xMe;&94qX(2xn~fvT(T>HaASW7<7(mT7&9n_D37gDL%$~_-6-YNX z!ru{xpWn)cp(A0G`F$8sTZ0fu!?A}Rg!f;46^&D;AjUee8VTYDFTI3+lVrd9!i#vF za2Gj$?Vh%*a8AX!JAQ zi9uySq?$UAX=yRSZ^xkcLN+05=)gf(pJep_62r$HdI-yo9%FU!kOL0FXYapxHr{xBbda<)lPC%0Rb_Uhv`DZvtP?a#Dw zvKcVlWbwrpH}d}3r=MZMgimnpx#yZ&kxm^&Jz>HGlB6~0-a9r=N3d!0={Mha6;oMG zpL+5sewT=i;%eEgHm-Iv1O)!H-z`losN(mQ(Pl1oT1;6fvdv8-^xt5}u;FOs_l~n% zXcNQQ0W1@ljKy(9l1mYJjY=z=4DFStB1!6`m?tCxS#(NjDv)EndG+O2u*@>c;Q42t z!-apk0Jqz4TIhPgDLMeDFbBbkU!z!$Rr%`s=UFPI;qQ z0{VU$fz{}_M!w6+O7PliZ&@dfzL%hpW4YgZ@4b!ii|8v2njN8z1a+>c<3vkJWUrYT zS{5PyE6S^kn7{JMD|q062W+N<$giO9At+uOY_I_iIN$(_yVmV1f3Cm&di?Hpzq8SK zxAVTBk!XESVYAIP!gJ3(jdA0?Cb{1Vx8HudmDT5;f7ars&J%UeEW7ODR%V5Aow`9N zeJ&0vvzj@fnHzuk%cZv5LLER)Jn=Zo_xqOT`c`^JR*V_F1RmkD_U5FOe|1FZIP|yQejDF>_bonR{ZToWfA2BRR3FyccwK7@HC-P92By&O4KF zW-V0tE{|c_ySNmHyt>-iTS$MY}z2Wzgq4(`7H zJ{-$$pgMQc%{SU9Ze=m%8`G_{^E!?wyf8vA*_c5+pX1kt~(@ zA7D!ICQ33;N~7!dnUX#xnvHuV^TV$F#p@Ska!ff~&s$*fcXH>EITb$WBAWsF z!1r+^n(U@;K|bW00z!jpm8tvB%b1;ik(jL1xNiGSGHBbjwXx ze)tgh+Pvwu*`|6dx#}>WjgcW)TxqG1Kz$uLCNs5DYR$)Q zXv7MuuYtwN%5lk=XJgG(NuH-p$FmPSi1JuDN`fIgd+!6(5BV|JE-bgo3i$moN29B5 zHokn}Iqb6G26*ts>(M&lTRvym=xoRM58kogOAn|)z1E5|E@h<=1nHOU_{L|#YyWx# znOU>ZF?9w$di8Z|x&C@+o<0N1lOTWj;fE}5UOjyK^|v$}h`|E}+Ni1!(Gh-Z&xQ;e zW@Jg^MTBdKC6=(~8a?zzb@^>brbYNQk}qQRHOX%-+l8S+hvBB1ZpNfZ(@Cm8KSbh^ zBsL`^SLNuW+ot*!`jIw**xsJTSuTL{}r?-wPEweh)wMXQ{=P#NwkDhd=Bmp{%974_|!o4Z3#Rzk8QTu z*2sKEM~e12Jo)5PSZb-IY>IbFi$=*~SZl4dF>qkDm9M?`-UkyWP9mucGmmSq*Is)Y zVb;|AO(+jUM%A&PJP;B7^Pm50vnw=Q=+B#GO%`#9Y$jU3PWTW%dRkhY( z(9w}0Y4$n=X3VHZU0pNIKKoqkyYK$E?9$8a#00t1x^+#(zwf>WaQ>gpK_b;<P z;AB56!?=%J7UvT07VZ)6##+qxchtp3#!$!}y+in}iv5N$}jpgE|HUpZ3l+Y_Y}W zm^FJQT02_t%(Ktp(I=l~UGb*Zqs{AV(98%;&o3!0!GJ*n?a1_*vu5Gl_upguHo{sY z-+NQ`ws&^en);EW#^9cN@5iLc4g6LKzMr-kb83H50095=NklMVj-S^(cDywWlLcb}lxbiBz{Vrt+ze#Ibi+wjOC74~;W=#Z( zQ18s9`TXLRwB;yLPZ>OJXs-Wxr3`c?35j|X$X z_hsDoJujk&{^5Euf4#`Dfv873*^G{+8R%@Bh4#AXXq_0V4CQ@Y3dI%jWo>)Z!+)m zSKZIe$bDZwEFM!QqIuf*1->>;W&Hc`^Ot3mhKV%ei`O4;ZD#(dtSc{7##9cioY{4{ zjowDsL}|pm7pkhC`EQUCVYLH~Qf&{Xrq!iUu?rUf?N<6Hp(mDeYjZH{3H(3Wkj7p4V2!+H( zsu`FKU3(*1b3>rD6Uz=9imDvH70r-vDYjjEJ?yx_hDMYsvpFm?cqn`#l#yzb@jHI= z!AG`n)c>7(K9(3X1V{hAH*~ZlKA?gk5NkEXB`Sm({bmVgK}z;JFT@Q4&P!^ z45!k4#D!;B{EpmW6CAte9ysIZqj3B|2cl|~<*@Vbj=}aDt&furKNP=Nc||0d4_mLb z2C7$B-2AT+DHUpYEi1!T8?B2MA9?_{Ty}|PUx1n4e8pf`AcqXe+vHJNfy8u{T|O7a zzxNha89odX-=_jhCAV|(1Pmp4Ut*oLnQjv5f@9Y*%`JHSng0MohXdb@$6}gIDVJikZouJ**%WfXak(R>&`fS&)spt0sCS3-)x1U>#l*T z&iwW~;8Ynyo4S>tFwB>)o|?f<`s3zWOSX#%*jm_PXnCWFy6H zv{NW0iK}86)u^b}wXe12IyQnU0{Hj8|D8m#RK<&=X?gQsgi-!!>an<_qJ=(4sZ-ev%lgzc#7 zKroDHGiG6%EjGh$yX=bNPdE{SNa}N$6xv%`Y`U`sxiz{wyKbftRS`2yWmZ0lFlt@D z{5s-@Bl4-92Xv%do&%`!!Rcf}h7Yp)6;@c<@)C z);I~8x7J?YOPv66UtL{>ufF=$$n}5$-b@8S9W&|}VfI)V(8#eym6u#{6vmC4Xrx== zh&XCGzs=CF`~>sA87G}|lFdrE_10T$)Lw42v7$O)G|OU(Ew-?k4BGQRc{Fk2M4O7Q zk@MA8UjrjYE`|5sf8R!`wR~XcP;c|_p+g7YPk;Io^YBO;nZD_!n`}u#Dao&lIu1@b zNmVxMq#P;@1>lo0!7;nD$D#LyY-zdO;GiJG_c(InUYBsxO2k7g0oSsLDtXtG8N$L_$`=NI& zwP%PPqhzAEf9|#7hs= z25M*^Uxt1toJ`Z^S5m~J@D$3r9~Vpy$*q!*q1L~V$K>C{OTTA)*ivo<>g zkq#|apbYT`C}WfGnL95B7auc%3UmXek<2YlVyBTOO|Pw~8DQjQ+}N+Fz%9oh{Fpj* zsvT{v^on2%tQvrhX38~^_(&jTJ8UPrl4!}c;H*#X^deBiuL~r8URC2Cl}pVi5ZR9S z(A3h3Xmzbs%Sc=!dujM$1FfB#HM<#$4XR=>?m()&1C6LaNm&Uhw115492>Oh_$lok zF0fq|0WFV3**=3LuNAem6;}V78rx{E^5{prJ&9G(|TK)=R*32XZ4=S^h zOM*d9H%TP3$fZfUdNS8HA~IDGVTiRGPCLX_Q7%m_BhjHroF*{QIGMuq>TrTonKN^}mWp z3Al)KcXucu(%mH>AV_yNi_+cQ-6h>fN=SDtoeM0nur&Yici&HV%4=tLW3x7w@KqbpnS{i7DMA{IX*s9bP7UaLGY( z*yYtO$WJ%oI0lXo82k{QcX)a>9OFXwUrC(*auT#Is*Lc*e#tf`#g9jx4&s>+m3~R) zb?}03r0Q@v9da7F!`i$WI?CR?T&x?xVI62#aA%(B$Op{m#tjV(#ODibwyshZ#r;## z$^t)6kvCkMj@<}C6ErTwtP4unB?(O z>`tjvd$KTWc|-^f70;(6Ap>W+C!4!$0qb#*=dT%D-8X={?{chpIS~-4pW7b|+**r% z0p~et{5RYaz8;82Wrx0~g-x8nJh#t)E#$_iPc;p4M?wcrT1k1?xcU@uYp zQ%0XKXWF>GGNEhdkPCFDRJ|J<#&A1WZuxA@JrSkQb_q~RxZ#eXYJ z1iLK0MIP%eonwx}rufEdiVM=dGYXk5gJm}>Rn11zk!1wjE@%~CcA;~e5hT^hmVT!X znYZ3Oy!*y!?^AmGvc2b*D^Hr&UH}2G7=Y-h1|AjvwRuOJ&z&u1$rBkp{>Hc{-DvY_ zlhkQQwdE*W{$CHP@tkJLV5w1o<7Vr^<{q*Ax5mm4b`^iprcWfwLhd4T6RCmXgpj^x zFc}z6+g7&%Z+HQSWIsYF0}FT;!Ogy3QhY1F!*j5q&@BQ!iX&fR>rstwn)_GUmw$P- zmCAHKuykN!pkk<$jo?EdpxC1N&7|he?EUq_E;sS&Ov=5Z>bK+O?pY<<08P>O)8z8} z2+@EaZmFskBU+mr`d@|>T55Rw_i0ua)9tdX8CNH#P$}&i&3RmrPYJ69dT8D-Qr!ar zMp<7XLoGUU>rbXUPKPCepaODZc(r2zGDrA#b`b&*zXfa_pXM6B?hkz~xMSGd;3Vrf z-KUgabwd?=A&tziijhkwtxj{>?9Wu~Z^9S`Z7{z)73WO*aM$5y_^~9FhiUo#=TKLA zG2r%7q?Qw_p?$+S@|Jaf>WP?pP`MU!Lkf#5e0aO7FET8F)8{vZ9(@iKT19kHf!&Bp z!$fwJN;+6&hW!d6)*}y&os_4u zSbz0V=9f*1gd8rb1qClI6Xh*QYsk3#pHONSH;8sp_bB>~j0uRsW(U3A@9fAHk3uUkRytKR+QJrimvz6}elyS^ zt-q0$lZ))ID%1=#*iul32WXIGdO-6XTo&w%EMF$zr%R|aZ;P!_kkpQiKXe3tr%bfY z@=M|`?;7LN`wqxVbi-HI?-#-M>#41q!BACQqJiV3dKn?hxCD5LR=!6crThK z^2uKfi9eS|K93@AEn|HD9A%5w0_(c}R+8mbuY)SjUQg3?YbI3Pd1^&{Pi))pq6y;U z{MCJJy>>jk;#)>lQ!iQjiT~p@1VtZia}%3aT3rfsF8dC;V4EI2$k1&Oa5=n<{&d&; z;dUqC-+atv-`p&W)Nua@tXjgcMIQbGoDUI2_5qmle}Gxpnt0uEFz|YB(Yi+X*Ynf8 z5wPF^>dMIiVS~y|urFF5@$d57O^Y__4`%J84y&AhD0|MB@;Pl9Pm&2f8uO6(!q>l; zHYTa^*5M$fg)mpPP{o(wzMg&a`)a`;rW3I=nruYkckI}5ePmrb!c<}Wk5VAd-WAM+ zb0>^gB-gWTWgNTya59@<8y0v`pO=SLko*<>oJm6Acfkh_sF_+xGeHj}j zWrvTvM^NTILmC)F*y^0^7E{d$xm(Ig_9xaHxAT_QRVHy+U-uS<2sHa{Eklc1MPcKF z27p_M99_C^E}^8Gsr96O&yt6mD)VGj74!Uful{}VRS?U)64nDQ^;JCST?wIkH5kTud;kjv_gzNoyq?Jn?O*~wQ!gl2Td-@tn_aA1V zoR%BiGN>v%pK&JgJLJ9u;RV1&S-419oIuH9HOJmX^Y>XN#*ftX3;NX&%3lUuD^qj5 zf#o-jeX@3qrvf3`FZ?fwMY|Op`#0juLjE*hr)0U3w`gTh{fUFjF^5!GD$}$+Kl*Qn zF?HbtVr|YWZ%$rUkA}wF>R%vlQXiVru6w&T#JU6fIwsVndn^{tmrjuZ(-ltwWAmm} z>UwOo<0Dy@1`bu>&74hm#EgC&xtMz#H5eaUL}<|cCXk0sh~i{I``z(z2BlfZJ7`}D zvqzk@UOno5$~%PG+LAW0{~WpoG#Qyrrj;sp%R+kN`qODHIg^Bo(wZp(FO+T+&u(?U1h?HkNcP|b{ZH2ud0jN_I*%RTl#Ziy{?Q5T&+nY&^3+n_%4cDsQH*uz7NH z+0L_Wp2segSdWpqz~pydMb(*R69wJnsu?bANzq6iXX$RYrU-VE zDjYo|IVoSj>~<}tOuhpaj-xYmrS23iI%Gpl9k}F`fm8o5=2FD0_4nV?p9-JKU9rVW zsRIbYVuqScB8S=`n$pI}mS3-;k16C#p=a>5N;#9a~dD8f3*fq<|pB>Rq9xTH6 z^9qF`$5md^cj?evNj}I}*qhG`I*m7_VKyT4tl>)r^;~ZQ@avDig`(%ltGf+SRf16UjH##Xf>vE=*-;Yo`C?#h7 zRs1@qJiBT4iKhsIPiF?tF0sonk}%?w#A~PnA6>uH2}7&<68!KVgYVWyfnH_n3D?Zb zom}xel0+1Q$so)KvnA2 zl8LoOsLo-79MOE%A_^-IO*u!i7~Mo__I^va#76i+YOqAW$FIZoLCrpvH3@GaUQl^A zk8G-TX*b3NLe5)zM09pBV{I1!;I_&AbK++!dfm0%84*ga59p&zq?4~cW#wIv9P2bQ zer?_BVHlPhe5Ek{Vfr+*QwrkhS|}=l?3Y~`QEKw|F}*=w@`%^%Adcop)YE-Aud}rP z)T4H%e%hxqv3lUi!{5;CNu$uOpk6@>w1&P_eFy*gt^M1CDfxZaYh|^gS%+5jAF=d? z5e&Ve-{aG<6KKOyqVv)?L=90%1%_z}B$*O6G*M=)6n#+SecUmIZxvvfp^EBI5@@B8{(g|*`?3_t z8b&FI3ypcfq>y`E-Uu6}&>x>TYIBmEFH#-7DSHLDk8yH&vfd-|QR}ylbb;#>#`?dWMoO!dZj=&zx6 z#8RgzzpnRLr@j)d8`zKYT0=%UP-w`j2)tD#{4J^cb-Qyl%5(JjRyzCOxp~Sx=f6hT zaa0@nJ+!ifJj0ggRHZXz(KgLb7p8^x&2C5R#y@jEMvm}S*at~DXjkleQt#Av*Unnr zbvEbm+S1Y&ihNLmL7sm)I4L3VEQ7j5LQ!Px<9%ETZl-hK)h?_{@11B*a1BX{*tfca z$c+&9RN*&QpL_L%>(ht-nFW_iA3M&hDXy%3crVX)$$iV=fX9b+Tc^&g!S+_sF8X=r zxdxXLd@_e)?&Nip*(e6zLkb>+8^2cgnF^Cxv=}*FsBTBC~|Q+ilo}zZAxy zabp$fx7-~<3O|jTJJDN^HoS!+Thi-wP522o$xhn$uyQzAm+rDHn|t>7VUIkJhX;8s zSY!L4TP#T{XH3y!s>O6p9EuWmm607VZA;l=NZCiEDl=5*L)xsnmWeNH{fw?L*4E{) zSH*9OP`tYLzq4`Nt(Y3V(&w54-E_rb(JnDOS{fkbTs8*y0UwYCy<(E&EuqR!*01y| z?Ew7Tuwp8Xs!eYAy+o+%Us+dIUMs5(Zc)FggOy~j6I*i7Owu7|`tN zj9WWCKvATYYVyfHR$0y`<}=2!0p*J}v~%{gGf3+~XEhj_{$QEQGA|Tlqm7mJ74Oid zI3@0JHA;Z1WBsC!a80m#@6@kXA^D`YLxC>kbb&2Pkuq*Bn`PN2>gmG1oOz5Z?#R?+ zVWF_SuER?zW7bnjdh~q6KGW25_*dqR%(Bz6Mzr=4?Hn-;R}Io(#21GTIBeVHL)ZgU zYDlZOkuE~+NzwFTH9e_a4qkcAH9a6lI#DEH|M7f$^pX>Rm=F^LOOiVBRbx+NZaDhI zl%9XvNQCCAk35GKHQn6Mkeip+qX5cQ0i7hr%{r(Xby{B6sfL6qbZzc9^QJU~X)<61 zW>_}Jz9k+&g^BA%$ZhZ2TO>k=XQpw57=NoJk-`Ao9k}+f7OY?Kp}5a5)y0)~(lcl% z=g7`~!};v?G|nzU#e|?whVu%#gE0Ms7dQgxEc&m875WItdo2wt{Rv@2O6Hb1l4z1z zk>?R6PHy%avr;lYe2+dPJCJ*i$21Q>{ zaPZrQpS6UBpQY=A{(?`X*2lO7+?NQ~?q&QRU%)1(yWF@w9i?*B!Pf037?hkB6C9ZB zLS&n$}x@mS^_$@{nTE^wAbto{6a^;oHCgVdgF&dTcvet95Y~Rn6+(=Q)+tFUO zIf5{PE7?O51-314+PK_p{iC^A=z>00)NLo_y!0Lp>N2C;a1q3WpgxX$oBa_jwPRX{ z6n+L3?ktG&*oQ=ojADysApvXS?*;Cbv>Gy+7N#01k_V>n70|!uMq}^X3wKReMJQNO zGAL^Pd6{yq<|0sPhCIeE5Qh9ZlatB1B``VM#PR_yqVwu;qf6O}*AQFWb@p>)urY=r%V zC9}tbs<%6A6|XJs{9&JcbfW9&I^y4zjr#JvrK^))jEDP zKJ<^+CeJf)$v*bZVZ?c&`RF%lm8;xLu!E29;Oij^s{+O~ueG`rloOESYT8+j&A3+Jz=&cBdiZnvu6US99#vR=q z->ExgW`>xBS5^jB2_eDdQNN9?ZR5VvelE=LCi(%&JhM~G!4}m0-fca2osrPrxq@R& z<8#qOkj}xp=mZ>Kp^-i&A7=0^z2B2v_rU8_q-SA)jbP_-h}`W3ML2^*3?Fd0WOpTY zXGRimozve$St$i;u8yaq6mz9qF!aCH%qyx#rqyTc=W^_yMoTnf;B3Q5B$AbjYH)pj z*FYX(NT*~>F3ptsHzQEL{sm%{TZgdCnNExFGuKMA1EUI#rU_w7oq}&on4P>-2=hHC>E<{JM&_N9q{&>vbEh!Qk>2^q5rix=2pTF{OfLZq z4|pMW_x={@FmpM!`soFRJw6=nmT!$s)SNxS^X8e9 zM9)KT(eT^(&OJ{{c^Z5_E)tQSK1n1h8c~m3eB~~CUeq3044G17Fr$X&-&KEH5OiV} zFo=6*z5nvmtPmT`!)0&2ca(=z&l`9A(M`p2mfz_xG3yj#hK*~@@M+Y*GvEGbJV(=D z1iORU#S6)DhHh$>+3Ua z?PDUcz?D%K8p*G24@XLvwf*&U)n!5jq~YBdt^mveIEhI<=&Ev?etpu$#?y*0{3g?r z;6!1nq7rbLxbd%uBn4~E+T08G^5f@t0#wNmNyO+(vPo$7XK%Nj`Z9y#Q zv^>YLpPv`LIrY2q6@njF-|Vais9%qndmTyb2@mxqP*NqvGsbg9hkoEvl~GzN?O1IE z`HFhepi(Uz{c`WTrYgNyxMg?unukCjYn&8Aejo#WFV>+f)XtsE-f3snC6xz>%J=L` z?Q!m{+8?4F+Oym-_%9sm|C5Ns?V>gq|G-ZLyI8QjI54T{1(LssGY0B$_wXt zJgq_+pHPFc@a|47)Sp_$U!~O4G3TRd7i$`5NNM6}^0g^yLDL#p{y@oCtdRfTRl((? zFD$v@eRfr2m)T5sd4wwr^5rl8H(6+uiaoYb)*VDn+1wXdyN`#4?v<9`cg~f+kjt&1 zpXe`O@A`>C=0~=!B(t3tLe}St5D82%@Fd*sy2o>0cjte4Jm@|Hib%X3(vXCWB3MEL z1&no2LCW;zJd#RWGA1h^_nuCA9B63W>c@|?2YL~is29=`64|`dtf4-@#}}PIzAdUH z*~FikcX1QOcU<5Oq7{_Rk2;=2MHiQXeRN`L0X>Ty7=W4BF0^;nT=T<^NBy+T)-*|R z(dAEfN~TL4b__fz-P;6){01bAhC5e}js!@)wgvUx;GIJQN5TcXR#`xzuew)WHDuq? ztIGecaR~S+;3FMc`i}W^UTGAt$q**`A0%orj#|zBn~)4Scp5(`A0ewss(zjr{1dJm zkB_RFr<|dWbal7HiZ<)I6N?u77PYBootJc%cC57g;CHO3PW+Tsd>`Ho5-VTQ`fqam zw!?`XRR(1V3tD?SK;~Kn>}qTM5Rf98xMCc>#KqNDm|#8&&KAWMvnTB{psV|M+dtf# z|0{O!cBPSN3i~fYNdEMr8jD5XSCtM4|6MJkuwy`YkMMZ9-RJbaws9`-Xz>WojbMNR z&(ZEj*Wi)P-kG@|#v!H6A#DDaFq7KeDK4Z|$3S_N^soCrR-wW{WiG>hh^~$K6=>_R zzIj;hOuOVmTi!)AS6*Eq*Y1%vf8EE7p9R#AdYwZQPv9*MT#A2xh^Oc7(*H}EzPy}x zW{$-!(r2Mz$v!6Owz@gtR}Ij54n=x7>#v4V3iwC7Q<$!xBEgDNFo z4Dq*8l3yJ_y7DoL3XQx7|7J{+1|sbCXVUs87lY)XrLGCmE6D>RW{wy8|k>+ zfZxA2QRmsBfIT7cXw-$#XHz7;H4DeeS|3_IeN&w`1o1swqi+VMBd`ZH%0(y3#-AR7 zB@Mo`c{!RpZG49?>B}h_wG}I71OqnZ$*!3}VtboIykBqQ@D6dO9414%b`tNqe9^iR z^e*fHk9q^C9sjZgwcrcUK&{OY`%YL_4HzoC25sIdV7!Tniu$*r{RJ=wiOR@?y?F2p zeH<@G2lTb$EC%{++5Hlgf(rJRO(voup{=hvvN5VVS}SDQR}TyZZ(-A==KfpI;%jD1 z|J71z@hoyLWg{kKc=U?*XSeVYh~v6gacBvz#aK_8W7i%+MV+nxOgRvZtqyo!NVO=m^FML#^}P6#s8CJGTb3c zjimMj_QPa3WL$-jN9QrQgl;3c1R_B*8#;4M8oX!8Zj?qFLY-y%$E%|Hr*iiL>PZyZ zO`YkYYeK+*G%_X{t?!(aXA^PVtsDnh^j{`@Hs9WV_>}dE>S`$VOEd3z zJGYDod9 zsWeIx^iz%}t@gx26Q?;v9{|Mgm=m0*Pkc2sfbXQ$l=Ql5*Wj+EFD5cZ?V7&I93$f< zDB@l$s2bZoYubR2L1L5NmGc-{9D%K7rF^3Y+#RRQtL`g;+qvu4vAg52AogcGIJzL6 z@#z6`1V+tuMTIgcg3Np9S*afUIzT`-d0dz|fDCFI6o+7i{gxcRXEa$B0KJ)1Itf1Z zO3w@$L>ztt?o@e+(F4=VZZDOOjyAv>a*y=|n8xSf{Ex?G5WdYwd0<$g3h$B9#@`n@ z2=l!ln76@y`wf%U=HL%B7eaHJ_m73`A4zrq{^Np>M7kZn7hC&F`cq(UE|T32iPiVB z!+*urA*SA6gKtxK5@}lYM>wh@5-h)1C^)wfyfi3%Y+&ozKoc1oQ%JcG9&SOMpZcTL z@1@m<*=46a2u(qfXFBvtVHCJ=T1no6M|hRFWg1_o;2yHenW5S2A8j4+uWYHu3tDAv z@&v3ciksO~!Q8YxVv1+eGeVuY_bZVRK%OaS<2_a@+>{cVh z7t6Uu2N=>bAI=(=HOIEX@RrjZ||rp_gb1~T1f!v@@d~|Vw)eP$vUsK z^<9&KO0dHIko%F;bUz80jisBq`8`4n|7}o-8fZjS=m!C=j!`$VD~`P- z?bEUs^e>KTaxE%~&VE25T8Ad@Q{GuwL0RDYyhMl;DF56%;B5bZzecqE&RZdPV%q42 zD^a?PL(YR-apsIjDPeYoq7T(g)hh1Foz`=V6Vl3dSMz=DCdCQUOf1`|G<(xKK8ow9 z!_n@J2w`KVeOZ#joD;!dnG+wxd4%m!T%%talXbu5TyticO25{<=9{O#?rpvYuNRqF z&^PJ;hf+#Q{%~UY-SOtk`!+3y>u1OLt*7bJYmcjyq;-MGKL>>C^W7YZvEW;{{!R!a zj@Xy^NhdGiY+CPzby}MIBW?0#v@~{Mrus$k`W{Fjrhw# zeCx)wiVgLf9cJpndf8LoYh)#5FwMyHUC23bCKjd}O4{wjluay?6n>3Yba8i#)2!Ii zc9-Kam_KT)e~G!2^#5@YJ6NL>;L~+}X|aTaE%bx)```xf9Bc3vEfBRjpcOP}+q7Fn;>%5I**6r|?~I~B zn=v1+wQd$nZ^C0rzg<5$f#`x6x8m9B>|miQnpEYjMOAvimW}pYDZlO|M)Zi83UPq- z2X?y4^t*3dgk2_22iS29^(|L!sHG?lKOn%@`u^+u*?=2yb!hoFJZsi&9x3ed-^PtasY08+Z>rxI z-_oLdKlrWIfjAs3wa*?z@ElFlDVX-xP5rsBssFFe!rDGh2#sRwrJ^I92S_|*HouZ7{LY5Jwlam^z?D%7GjtQE$?a!` zb%kifzZs~i69@#lDb9QFbGD6fVE6{$mxjJ@0aIgYXl-=yrIoR*?SC^zUA+}G-2uJ` z!I$fb53iwdwa=H;_-{e@nn$T>C8li08zJAy}fqTcdjpS&oBP~-B1!# zt2T)ra|hrwWUX&TqhAF`^!r#bbgx|Nl620AI4mYNZ>ppRH0LipVUav!2s)tFgxI*F zV69z`zbx=hKRJN>W&Lo#-+V^;^b`dt+7v{wM_`jEAW-c6xUrI!Htk5-wvj%3yKi?G zdeZhviaZ2KnAzlN4DN$>qS{mR(%A@OG(87foe@D3d!{?~d57nRC`33S2FUtIGSh{& zG>dQiMx!$)Pp`segDTv24YVhePAyVJ`1*dZ|;L zhmFnC58iRFLtfyi*r_-k*?V2hl7U=&W|-%z{01Yc_j-oB$=9U*h3mH|rSj||(eNY} zVTc8toLsV7U<4P9A=xqUMGtoCoxjbYi*f>tCxOVKym;KNWO$min=VJ4&AsSvCyzY) z)5zyR+P_Yful2O%i`7u}>@_mwx)U@8sfmBZ;SxahlO(@W_%p_DG#C@cn)NR4P2- zyHWGB9Qw*-HaVGJ&JOD0Yr2|I%d6n~6M%0AXbhNb8ysV={MN7+y+PSD``4~;=0?3u4(K+ks zM2{DiH-?x<&1JwPh`m8eE?Ao~p@GZZ)VSB&5Es$z+14@yyglM2n;KOZ163ts#P!Tu ztdPhZW)`$|o%$n($E$_y`WTU>eGt?5RXvf4x}G&c&cxF4KU!7aVv=F+h_RcQUeUyM|0&5wFOPtX|I z6q-V7?~-@QGhHoJBnbkTsY=u)^Q)g>YqCR+;^wU73MX}kApeq^zg0ltgM7mT;65qE44Mn2;#?8M zI|_-~A+;Aw6-Gm`sfT)ccAf7pzcbM(zkEFDPhPRHGdfxlgmnaPPYBIO9lsw34orJv zZ!9c1{lP#aYb#mLj?=Rfurn;y|3lC4A>QezoBue@`s;4{LjXDa=61UzMONSDPscbE zS=73XmrOfDT>Qy|K_%YEjpZHiHP8-&?t4wp2d2ohzCwaVJ7r9*IhU*8hvY)7h zuP>L3aSi$i#~m)Hnr6aFcCc!!o@sybjQL@Oo{VM>QcK)EN@eP$7Dx;EI_~s)GIT)6sy8cs-quJ9;}jm{M5n$ z05|#!tUoqxCKdm*daNi$c5P@%7<%0%+l2Zfv~weh#S%{x=L$2*3_mLIOYl&Cuj;$k z{(58-fz&VPpEnEmYI1NCcmC466?msx|1Qxi4vg0RCJCz4e_8NwuH*{xdTXgv;zP6b z_ucEcsdgN%*2QZkHAuJomw2B2%SP| zER4rOlH#odlXyOvNy69}wJQ115%ljTB34OL&HjfBeg2Hw9a7&Scw?j0y8AZN+b>l@v zm8Z+n{C64X2WRQHgWPwFQ-qNPTZHj_$EX!Tutj`Y=H=t{RwqH5Tf&(?R7-YN%v(sm z0_FyYOo_ldfWd2PeN3C-!jc6J5rdqbas|A`tUKIkJ4%Zbm>rCH#v5g8Zg3?~$lx0g z=xI>RE-vDq>@-QwdR8KoiF2k>k@rYllyGAW~_# z1~;}GtFTz`GmXgHIj2{oyOwY5w^E7I%9%u!wnp+F6iX~=RXSMdW4V~Kua-`_pP!nh z()ga#4gP^vuK!m3$uT##1yoS~q`$7OeA%~HN|rJe|o)vf04|e_ADdF`SO$)G(dCix__mXRu(ly?My{FyeomuZYU=%2`j(anL z*z=U}{Ewf(S1?17P5fSii){C9!?#K?Id!AY$HA))Z`BF3o{qk43Pd&Wo9r(k9*#sO zd}A_R{=J-s?r`kPK;EhQBZ5wgc&$%u{E1ve)?Q&mz7>wFW5sRNPAFXhtyLJA2=Vrq zfyzg96!J@GAIdhI4norZ_X1qVu{U_O;H)Ss`^9^Sr6$psHd6)!m>U-ih~3v*@voPy z*)!diEsKZbUS!s&zHAG#nhjY1QA_O%7h{*Xl;5vf-tJ@Efhx}2jH44stW7>CNG>Vf z1FA&BSw1c3O=*>AaC&Xx#P~QC@wt|-y{#o*UIMjcvJ;HrmWFaFO(C~YSTtWz`++%u+{3$BVG`YAMsxpb8 zzNxzZ=f_W^ldiHk!CvObB6~e(Zz1ft zF%A(FBG8FG5>O{CEdO9{P2p)hLpNhHD5$3@t@eeeI+$HMD0s=z=XOb>e?_+Tu`%=& z3I!py@nS4zDHExLVIK`l1E)bSr&?_%!jEh%2k9Hfa-qrs4B1Y&Ubs%Ey?YpkW`Ccu3R@O^1HX5KOu+g0Z zT=c~_j5Dz)x8wVxot?OzK(tOhk&W&HzTtT8!_X4$-9QS#aEt7dOZqA^T5^6>!Pxwi z$lXB!-%ED?>Nt0hXPonJDsX(BzEHA;Cb3i9A5|tj%&V1GH7$>9m1F7gUv;gQ&HsBs z-SBiO20h>BTGjN9Z|!0rFB&ALzPXOPc09XwO6}XRu$L+U4@Fgv4=Fyi3MYJpwO%V9 z>{HkAaovvokUG}<-l>XsnuacUHtHUZv^RUBv@$jvKF*5g>5G0qZ>EsHkLZaBkR*s7 zK}+D5F2@*&K|~@v+a=$78Knw$zbAxM3x0(_-D8NU{AO(Fi{k9O*AN#W9Q?jhf7o&c zPu=&1P_WTudcf7^1?gS2d|9DC8|jSq`b z8Zm#7`EAKwY7u{0^Lu`5IrGPGI2`bk689B8ZH49#a9MC%L!6aO)GZqtxhfMEJ}?uZ zn|C8&|7NnT4D!ViA^`LmDQ&*!c321LbK5>8KwAH_XmfexutLh8D+--q9VM?&yEC9s1V0rjBP_?VJ7IqkC`) zw8Yr-qrVI@*fdRLf9ddI-BC-bd`B6%S&w638J^tl!RizKjFU|AmH}R>9C!bNVLA%NycANXz7?LMv~q)2I;7)il)6D+J7hD&8c&P2O9qfq~JhdRDJor4P-%89+bnkvY&yEeFlFJ_mihv?8dfN$VSEaSft>6mBALEpR>&x3WwcEjks z_t6oG7dw~to2ysmLJS_}UF475uw(ejo^yIg!>Bilpx)`X=zDTeLzSVJ>@OY%*Zesm zzObM!*asK)qaDK|$CGJEpP2De*SDUBJi{zRte2kL|l6c6m8KB{I#Ha2~BQ%@89M2;d`$)lL3H5t|clTbA#g zw!`e?vJ*eG#;KL6diO{cw;Ky$XbOc?lS~iOxUE<#tFwHc{kF>@O?!L9T+?$31m{#E zVg~Ut?4t1vJV7%hW4~($f|o0_zd9D#-ZcEJlV1^7Ji~Q@lPv{=}6>=OF^5n=) zc8_Rpf&OftT)d;bUNl$kI6KC-uo*Fe`Cj)mE*J(EC0F)@3A1*7MYyVF7o%gH9Y-}UC`yKye{%D7Ftt8&P*ZvxP{-Rj9hPw4!>ZbjC zTXsE%SHo@Y1+5z0MSfj%-B+RM@rvs5^6F(K$>QG@Omfjr@@U%=Ht}QDmTxWRsd;N{ zdD5ToMBk0Xed}9^)Hd{coupaRL_Vlipj~KKWFugG=pIRxD`EV@(To7kHi!wiS3cmP zrKoY(>`h}+Q*K>8&ag&&p@DVh?%)J$UhYEgr{#>Qrhp+pEXo;M6L{E%{21h4@5vV_ukkx39p|k95>M1IIqMsHRWK&REAF=;B z%Ev(y8#*PR(;}1-&snbu!UZzk9sd1U z5Bg=~!FW@=x+3^hNbC4#-DN=)tttOz2I*o&)Nhw#O+YN01w%j5obT0nUITlSgDlSZ zIL|h|c;8>IH)KK$?JQPIT{5i!%=hVgHFY&0&#_pXTR(vI>Uc3s?@j$oORH5pyL2=^ z(|)JcKY@Qr{Ma1Ra2fkOYhHmf*(ryfJZSJKy5WA08a?9eZYcS3oKH>`Orq)ge{zqi zD^TmxvmNp0C~X6;Tdv!ytw`|{x*fU6TC$6^uhrqzFJ;^t`waQsy9>L$-KI>>Ex3s6 zBD68A?Qnk`2UaG~^>q!D`e^m|g3C)Oq8HDk`d8!481f^nZC6}OtqJer@LeL`o@4aw zH$?or9Jwjp_T(y1 zDbgo|c+GHYI~z-fhgZgl&c&f6-G*(8Le;o@Ajvs#NyD3PkpP_}&PNrta(OG&w?4ZC zav;|zA7OMi&)ckNy9bF>+whmCTb=o)yN%w{?a`JyD|MsYDMqB~9WR$*{>XgL8MBs) z6j-g|B-ZnFbnA6I%?&*BO6Oi2^#w-CgeyG%^rU7ZYMgn#?pH^iPU6sBybKqq!5f~1 z7~8U!NkQ>tLx{>f0KT8|{>~QV{^Ro8@Sx;t>4TyJ%abCh;l?L534?+IfIpC2H8X2Z zXe(9(;u3we?Jdf$ufZWURSKePrcB6H^|n2wk>rLz!o;zK6Gv_&A#g1*8iVkXEvf<6 z{Vew;+L!7jN{u%ool<+!QAAM$kA8{aW9l)V%y8spZs`>>ZLE*x(DJ5gU*p`}1LF#@ zT^BOI4mMH9;Y3Q4U`{`RI_wedFM5m0jTS@;;F5PdQ$oBhg-Ja7rwBfL*hy_83BaXHi5;!9FlrggL)pjnn_>m zZg+ptpmm-$7raCO95mz4wjaxxtQ|(z?fVwKchcfg!KpYpb5qb2L6UIM8e_^6O@&NX zdKH|&mJ%X6-fAoPE5VnbbtVIp?-7`YekXbRA3aFP1tTAROjIl#R3Pmg3&}37xPiW{UK8qWcJjGII`I>U+C^RrhVgkN)WQ#o6=NEt-1L7Z4Du2&|4NYIp-VD(e1zQo`>0k=*B+n6r&bFui+y5ni^EhpLs7v4R?XQ zjZ9HHvGqP!Yi}7*npg#d7YIAc#rarBQukSmU1fVuWMdP}mY12@63LYi@8T%L+v&Tq z%Y@)#lQw+x_yTboc`%Hud**$;6NiwWxKui6oxB{63HTw>JFl{G<5iCWS2ktOiKPms z&_K^RL|F@Jdb@r(?nj8s>oFx7o{jq{O3X^G7%cyhOvt0wHs1u@1gxO~75785uP?!F zi5TCgzMVoP3Ys}+OjKk%S852w$L3=ne43OZ@FJ(g5!vze7gzy0x|@vnM~i>9`g`eC#l*{Cg3 zhM21)FPh{KA6DikYdRn@%Q>odGF>%x1;^CIvAy;QO41fH&)g}hkFu2eM$?xq&Z^_p|%rq#vS3+NSk2Mj~#&rFi&F33Nx9lFj*2z&6wpF7v%79|&wK(-fX1 zUE&Y>I#5`R4xY&pZZWD(s}ZNEHx5B@ir>}VtT_430q*&sHuc_h*$gl_R*>zsk|_0c zPcAtoCML`C$wO7t1=0D5`+6>5=@f{|^BJKcidr@DW~k~{ zMKSi=B~X-=qz?)ZvR=)fTf6>rWd_u>LYPJZ4lI=Og9`;AX%cigbwZ2j(ZInZk4Osbl^d zG5-4}6zI`;B8153o&5Kdr#GOV5vi#?&%q`T^U03-Qr9WBB_b3GiRx-EgU2VuD<8G2 zg7-*vgAG#3`>8MzujcDJj->o zfEkb`Ko}ZQ@NXZEq$UK(Xx1=J;49DvD00fx_|DVnw=MGqt zB|d?Yv))n#-W$8d5XdSUx)}S=M7BhW57gM8VwLd?hPmC(T~fHvb(bC_-S2=p3hWK` zMy#>#jJA!c6wwZVJ zVyE}P6ALoY4et7-G*(2N#bMT%rF>%mdDh$}v8ytEgzvJct{7cB1heP-54kKf_*z@Fyz7b@aWz%^ z`JS+LKoD2vY+)i^`?9SVt^Vm$JIbqqSyp6LsT>n0%APUjuA)Z-9yzNsD5C0kIMJ5!UYK z^BBL_j)we9i7kM^&#l(IXxvC6oJI3dRDIEu-*Vc-yBjqb{|_BLPQ*w~&btm*58(sa zEic{&;g>3niXz<2bU8*n(@jgSF%K3Gz3Y4E8l%(eg=*(;{i`lQjIwK<(uC z{lx~mLC;qbOsyE@zwQOatQ3rw79F8i#?n-aKHv$DVDFlg>3XaB2XBV+TW)l8A#zmo z@T}&&s|RE3@RA_p^gKJuZF7M=uTr64uOnGXr5sb}R&Zw_vd6&tf0_)kJ6U5eRqhgEysJyWP$RWz9sq|gY6ep6Xl{UIGLt= z9y}?ox#4SrQA;=k;VO59=VK{&J1D*#N$6&4Z+VohNO2IQQI2u+he1N!`CZP{&BEf2 zs|=IkQ3w9)E$r<=b*hB)6VnHGe;53o6W7FH6E9(WFV{9k3n^~JPKknx{2am)M4uti zK2Ls)0r*JWsazceE>f1oABG#2a7VCR*6^qm&MU7%dDP6!dUAfc&&BtF+HdaDq>Jjp z@QxtLnqFF_01jM_G|hm>#Y@?{-3&C9y~)RK`B@T)#=r-CrkMY|d0r>CX$ju@<)uSO zs&w6qLJ-N%!^Dc~Yc1!JG)@0&3pD}PeFgIp1SZZKH567$iIxiH0oeGy3pBofbm@vE z&t|7nn{Bpiw13E7O4Y(H-w$0}b$F$9KRj58aT=x(&tI2-^hu@5w2m;i$9}A?VqwNB zMuyg6|M3_z&KYbi>OE*tJ4BT7GA=fso)0O&Q>}&1z_Ze{VyRGjFfl!N5Kj`7aWA7c zA?wunZvif=OHN~&;YX;6HoSqeeiY1#_O7x%+f=rG(j`3!TA$!;E;QMhTrr06!Zrh6 z3~khrX~`1iR{VbelR<30m`>^s>3oOx!a^P1f@ZBLpIp5YbT1<~`Q-SIVC95)qfUQC z&hmg)<%>(Ke(UJn_BQ&PzqfLr#|8eoYav%~aCVX@&YhD9?q1KVJQkoZuFjn|aKUd@ z;8xF6Ci=cFX!GD+@`jk(z2YGEg7Q=Mf}7nfcZG7T&~3M@EXaT7uZx#^CijJK=}f4C z=8+GYY4fgv!sshYl^=!a?(4VYvCBKbg{8R3FFh;t)8*y-!mGiH7*Ylmkw5(54@TxS z1z%?$Kl$X7cr2Of3VS_bKP;u;3rvZt#)&?u{v>t!^9k$2QPd|+tZoD21 zv+FHoM<00%ImSzQcIY-Rtn5DR$a@M5*&5pZ?WBW+gVyqIPN$bnU97eIO(L5aKOI% zVV7O^#+Xr~OhKPjH^X+i-fZJdaOtI&VuKCV!^a^~aAM@eP;Yi^VbA9&*!s0B*|GYfwPK#hFa(ArkY-e5VPVacT|0<M2i|8`ZjSNJ~_Jy>{6j z>#n&GzWa6(s;jC^PtuYf&GxCO*1jOEHUmcKnlWQWcjy1)2@?=4D?=w0#h5zU`2D2V z%AFA<-fNkopx+{o^2aHfj)2I$P6!fNm^pHs)M;rIoPK$}8d0zg&u-KWI8%iV9OOsQqlb z*;Zv`B{ta7#q?EGS7Z9LY2A6GL7Jwf7PPZ$*oZHU27Gl=kFjLm!5mxmSwI^{ZIPd{SVyVt*|G_Jk>E8PiE{CBte_83c(VlQy-WmHAm8D$~udU z4kBu3pl--=#Rqus;m0s>YMTwlw70j|w-M^Cis10J6*Wq9Y9sI5qA3j#cbzM^rIqMJV*mi?lh49l}E6jXs zsGAz=(c0Ewc^3!;S+_z6@SEF-DkMNPHI+!P42EN+Rx20*!sTdD+ETu2l{M`7J*+Gtt%Y!p?c|EDcC%HnkvGp?4%3Bm=sa zF!5g8OyyC7fQ~FHu6m|A;K-=_m!EPgcM4Z-RPS7QcJB2|0|$C0I~PaYD{cy3`J}iw zB3rm8kBstG1EemFk{hmL!41eN{jU7#x$6wjbA{RWnfwu&Tbd~!GA8R4j`mej;Z^5r z-U;K)eB`~dO7*}S%<<&D;;#Hq7&3~N%7N0Q?;<FI|f7#q1l&xn2&h$oxGhhnR=uC7_ zp@@|%L8U^1iWMo&4_VqtFIbS15gUEe{v{n9ji`uKpuJfeTvd7j1XQs7xci@vTH)S$ z+jXsw1Ol2B0JJ4q5Q}PblERe2F_rFMV_D4)>#b+=*~y>k6)t1A6n(ial*U8`I&kAH zf1~`b!BIya%mSyp(w>C`Dw-?Ts*n;Azxs{x zRBmLL43$0Qgja1v+*y>ppS|3{ln~b_=Sgb5{Plt!%m=LO_HwHLo$x4x(wa|if8jaI zGu*!Z=7oY_8$szgg|X~hytL)NrPiA&tiBDarxuRu-7VNyNPbB1p*+%CvNfmuZa5^9 zPgi$7$c}JC#5z-m?tA@l?-lWDhm&bP#YTBrX`Aj!Bkb#~!1T94P;AQQRv&__Uw-QG zNAB`ZHd2Gpm6Za;+C?Jnw;r<$349ChyQn;sQ11FoNtGg{bVVYimNt!u)znsC!o;so zSrtPm?K|2tC@mRa?QUKD6cP&!R@BmjkVZTFv8lN0@dH@J)kbT{kl#k0MW)ojkcoF9 zNaCRSm8G(`=~i1{=*Ur6XM+uK+zG$4nMJ9N42k(Zf>tI91e`qd^uGVIxDr=aJ0lf3vGdTLUzr}}R zzae34#fATODgA86?YG~6C!cy6_fUWN`z<$XNF~jzX|&ui#di3)=Uza2XNPqll(E=l;yM~sZL=Q}$A5=?_t_8s zckxBoXroQ=@h6{{9yom12vk;U?-ynjJx!*yDXR2<7SvXTnQrQVrRAEmiAYdnL$bOC zCmeh1;n-)NU63WI4n(z~BelGidc-P8n57@`m0U|B&N=5CoPEJxFl2BUBFYrC zCDs8@2>Gutd)vEV9bcjiA?onj<7P&E69!hs_zf6;ma9lv1=?5-V=QjrbQAvdz(e@F zF^H3XcPJ{dt$6042XMhHkKvIg9z#W%WTqs5#@4L87o{?+d<^sM@ox3+2*$2D`;tJih)4YnlN zBbgo-lMHZj+sW|0bze(^71u)fE;kC>I@#YuiRLM!yuMOA+_Alo05Muq3nBmWgY7YC7h#Z%uv{<<*qTw#iID~*bW*J+zY zIz!oM$AJ4WWy%bUSZuh}^MWWb9Lh|}T(9#bM{d_{9eVmc0d1yK0EMAAiOeg0GMZ_i zjtTdDW!IOuyS#C;Pk*wF@)QY0UT4Vfx#yl{=Q2`jxs?#txF};C3LBhx!ZlRPgg6@_ zeJs~_sfR>@U4*{5p@~8#Oo0(bS$PaIX3S!yg_waoVd_0A0BljRB)e^_fD-tcPNsj# z%pfzmG~d(hpgL1OyU|2m4JCAp{%VSl^?LbB5Qwn=>LFVxpD#*bp<}otfYo>^ty)d5 zO-lUMKcSgzQUXNivzZ*qRDdbSJK9^3%d&A{qyN@huVeWYmZEzK&p?ENpaGMoOeLXL zVGm%&%o!92Oe+hwf=;vXNK*o**ot%{SV3v083E;`>ZC~8bi`$sUWPKS!iZ2Q3wAOQ zx8LfO65JYkeLfYiZYThmB6>j;vj~FOP*^;q?0SZzq`(`Y@>^VBt@ z^uODo>^&E~(kXIp1Yaiqyoe%xVt89>eLv*Nxm3SkkVd=SN7-IGg-}!GHI3Nk%VL#P zR>UTou16v`6R~o(zri%aietU?SHr5SEk{q{B=Zs6dix1D{Kx~a*WSBe)aYSU+*&Yw z`V>@ESJ;u2UVWK6JY9!wShs>~Q#C>_LLXq`ucd$5p!b<)p2N%;vu%_&77OA(Pd|$- zw%F2?R~xYjM{wW0_jS*jDE_Wlu}pEZ5Djhe^!TVznv^5w=&?G>~< zv9Eq5Jwf(@luGG3>N}h|xzRFKOBte(C`w~h)NedV^zw@@VaBWm%xcusUCJ*TOwha| z=06qaWtUmTmLv`xGSE)u89#m^npzsL{cpCz-FN?u;>Tx%zP+=}!m6z)H9{{p8dqs+ zi<`0$)M$5xB#+-x#|CR8fA!T?$Fj>VOC@`n5qd#ssHl~CDURa1s2)1gz4+S}SJ zACzw*^nx}*)rh*jV0lFe2~Zi{dgpDt_x^{}o$_DS<~cJ@+S*C#Ct%Gr*1%e;uR%Ss z1naD`4whPCX_7I|zsBY^6P+3u(!14Fl`L!C$YN`U?CB46I9Rz6`KO-6q{&TZV;y$c zaR;3J$KRtx`X3X}#j@%V40FzOsbk8!HZ-)@h`jc65#(NkUds-Y589i`Cnc1GBtUY~ zp8x)_(h_K6X{#&Dqx$;Uc;~G*(a_Xvac&{`?61mYr8jnZqqBu*YS+H~>NF#vYv*_5 z?|}oV`5nUuFdw9kYg1V9lPqFXkKdw- z<=(5eHO$`%5_%2Nsho7iJ54XP*#ms;jL`e)x07p1%WKd$Z5GZv?s&7E8_HwU>sdY& z%@_&2*CpUV)2=nUTNF-UyfxrIxYm-OfI^r4{(A0AgdaK8@6QLLM?Y(Qzh`Kr; z#f|k_<)E=q%bNA=J?^A(q-WZ&_reP=VIFy%Kq8TPF8{1tQEs?d0t#DKLGDD}6~5zW zg6fRQuw;VbE;sT|GDPlF*F~mfuituKorrGVBFPhXRT>qJgTgK(ukyzcdc{qUKWChA zhRvv!jBXfGknDEI1cOl6nQ$i5pacKN8dC~bmxsp6pcD1ORQ?OCL&W;iH( z#mA*zaTf~Xxgcf>r%y=!#chI&eT-$rL{=u*PvA3uf!xEeRT z-`eIC97n9GYO763HZX8g3RaVhhgTYyRx>? zmVqC!y{!ZB{1g}!5}~EJ-8RirFLSw(`3Q39ELzz>ds=yfex@#%B3Y#3X{ z6+eeE=fYPiT}mD16*uKZ-o1Ohk9%9MXvXDD-Y)-|>m=#Ure47p_$7Pi(BS#yzDN;8 z{G6cC>-j;xbbGafP6PVz!wS8?YHzI=_gYDCQq4+b=F-6Z@>Mv`L3fl zZ@TFwthe5J*lMe-@b0_s;`7fw!*90R&W`lmdW$VkPvv*k%$d0T_S>=Qs;gRu!1?E& zZ&UT98@&Gd>$c=?>7|#p&4V?PDEmhrebnqVW9;CA55r<3YVhSp<8jDAhagT8yz6dz zPZqUjrC2KHdV)cdMEizAsG))N2;o< z#?{wdgCmYS-RwX3^UGNv%Z$KD3_Dh>Fu+BQ`@w&ffNnCW% zWlYb0IO2#SNrs=7>Pwwfxk(AGnIY6CBass808#JA3H4e9oO+=(qW-wgZgyBDT6 zB=Px|ld=1*yV*B8=#azk^wV!zd7JRX=h$nH ziR01K&`4c1jdj;v3y(eWZ|v}!?Xcdu>vp$yGOBTfSLxER5HmRwM5MF|jRgaEeev&$ zFZZTQunuOa^IvuK<(N2m0(I#ub@~n)AS;QKqM=^<0szye%{JZH65q$T_3xw+y`XyS zMp?xd-g)O8Y`Nu@Mz%%ZL?j(lPaQ;WI>{N*EEt7;*3?vxzj!jJyu6HL-Xpo%u(z?X z$wu7O8R1B*;E1FMqIj2Nq6oX(ifoFnIr1sD;zDw#cN}k%8$HwLvYttfDGb@WjtLEr zia?9cxj|M(mR%mmt%LlKpNfkk|01v&7}Zi}k$TBW$tXwW9kjH z4RV`}$&HgX?suX2b;4E3Up3UVZYF7ijh(_6j zoRl~zmo!rJq%iKf>#j!3*=(Esv(!>cBU%zOMOo81HL9llZUn9I)SfqT|DXT-2e;jJ zo9)jdzocYqVC327o->8_pa1-)5eY4Qy!qyvO&PxGs;f+))jmEq-gqOv`Q{tjyjUZN z+9X#e+}w57UAA;={q;A%t~(!s(Idy;!DpUiz9sSM>u=%2Q%=G4x8IJn)>xZF_*xwQ zyJIj|N;Um&YHnwqQ#Tkm1VaW5GG)2Gp#|@~`vF#3X%*Br)lvTnQDp+bc*@!7se%0?QYzbB~e03qgOtMzIvBac3g6;@sa(BAI?4p z5B&QP>-gDbn{Dh=r_R=9oO`3EO|^?f2ic@AUqMALHehU*)&G5XT&KB(~piXMU@H@xum?WPKbkXb8xitrO(l zyZ?dbpMM^oe)0j9S!zjKaoMG)uBr0s2tP%HI{5wf-i=dEKC!2rqA~rp;A&MwO&2v2!sYX@VS_|D3^Qle z+jBvC8;Dm3x=6+4~&qCm^!FlZoc{EM(E^5by!e6cBkveU(uV=(h%MFSqD8g z?l@_k(9_W1jo3@h2#TWWv-p*!={p`JStuj)#L>HohdDSqy{F$U&EjZ|go-F@mbL1) zWR43%a>sQ@XwX)2*O6%*6)v~|TiHwA2}-}~cyQ!j?>o05yY47*J#%pq0am(|F6Ez# zhi0k>dZzbWM}TCX;^bySD16BT*(nd)`+CRHMgFArLo(QeduTROh23;K~=hCqH$sv})FY(jsUkyE+5}<%Qy*w98Im$vC*Q&M&;Lxd@?5QwF;a zrVpi$sf4)#rUbZ1st`G%>#Rl?6&zh)Q7xN;~hID5fxl|T8 z3JFc6>*#2+07{~MBiF6%jcoK-$QY(}%CEK_rkriqC+PfbJyZ{)pcw($i1h#2`wjrR zit7FE_4oE|uj!SL03i?(Kzc{2AOfNyMJyB*3&_uc3W)euK?N*;pr8WMq$41`*HDv? zUU!ph-+jIQ&v)*d-IvX7>O$Il$=SJY?%Zj2X72f>IwW6y$aA5fR9LA~T#px%MxVkg z=QO~Ys%q^RU;$%1xg>#m4p8dqoaFG1t66K~HgHXdv=$8Kw1Dc|V?h7GS1Qc)^|Rle&LVI|t!{Hv*Hd7)kFThn?Q z4(`s*&D{f5Mi>!*24Ep;4Tr$v{dvi*v2!4xvj#X4f5ef;;Wxke4Vr`)tytBnX&`|oF{WNfy_47M zAmAu6NhnWDBC#4d+?kq7vdU5?YN4ddSu3oNxa>S-3T_vYdgF~Z>bv5}NsUb_lpNEa zJ@?vQH$P-&3gg9mCutZliffx4Zw^27FwCDnUx+ZUV9{b-hU(_5(C%*CV3||$>Gy#L z9iXG!p^#TkU79?3qE6vv$IF2S9)>S{=}W3#a}?2RpvI^&jZ7c!g~YQiA>w3KuOr!X;}DEhqC19_e9oCW8{ks6)!A>paUSN)n};t?-xojm+BbBN@VQ5yz^R}4 zEPni>pD3B*jEP4cd0gwq*s&9&4BjXC;gB$PuCa_ynX-r0O%lKhFZ{j^ewi5*FTL~< z_Sg*OyC1-~oZh8DT%NxOtLkc^hF1_?p-G_x?lH0Ki@!gsZ zNIpZNec^={;=cRt(@iJ26oL72{`u!?=Lb7>Soc`&Sl?Nn*v7GKqZ_sv42yZiI?a0i zr$7Bk<4ilgQ+DvNV~TAL-7rn88^8M1uQVT6R~a|f0d`{XWHWZ^(GQ+P#yt(LzUDXD znaKBZ@4f%QNhh6zn{K>W+Lq&`Ogt-P(CJ*MuCCIw-FVZDn7YSqn7r#`osGdX%$hYz z)4+~3c1UvLQ+D#OQ-b@YFmE_(=)2$juBP{rOD@s!!VW^VTZG}rjH}_!>w`5}G~btz zb)nd8K^!ul)0fF!a`ql^T{l0pT<^h`%br3ud~`?m+(D2q8$9$>(qfah_(7G5O0w)? zqb9#y9=DQn!s(rH+?H2YNC7JlXNd>bLGeDg*6m#$y^pfK%@U8TQzS zUuE1NPrzMhwF6fi`TTAv>;ZWWs4OqhojMb-R3S6ndgO^mE0`01RyM8~%jJZ$YgkDk z+D@ZfDe>}4e)viPdSnM5;|v6@tM4pK%ODsJpGTC7q?1=fXLl#kg*8@H^yMp zvtDzL9&QBGvyXtpJ(H0=Z6r5#@k@NzLBe;zj}1o}*aod7o6UDJxQ}n)+JI?0Fx{X^0g<@>cQxl|4i?CifHbtPNk)q2r-1Q5( zGO|7>c3Tu^e<;4a7H4bvSNPrY41X7Su$o^*@mbATk$rzqcWb$?Sl4}nb%bSM@d?AU zu!P;f#p*UdwLosITMEvu%2hrLRK`ffZ@L^*lG%_gaH--H{dg@PaUGlp9dX>xO z;S%L8L?SQWTaHe4bUI7_NLD5bnf++iOi`|1$MK&z0wc$cK+`H`3MuuJ4k7u|rcTAY z`SXMPs^(#HP_p4w1s-~^0qZ8AnO~s-Gb0xoD#p|y;ho4>g6OA|bLz*ylG`hRe5EV?` zm4r{lN#37sRnHeK*OMmiB7T1#Z@lpuI@{V&TUUd>|LqpM@!E@+`TkpY@%iVl-@g0k zJEp!R$<=4mkvNY3?5RRH=HUJJ7vSEz?!Z}Roq#5lZP*YQ_?;N7~eB4l{9Q`pu9 zj%i8x^t-)Mc5|4!bQvCb;%Pkn^s~6}#=okQv(NbocAYQ*|9JCd{NlzNBvUfjWAg5J zN{Ib0es+bl7bOS@`6e0s;~%fnSuFS8f4}O*@4WMY68T3TeONnkxNIOM+(4&|YaMmg zw3B4AQ-kRuc(N2blt@rX)_(ZIA1aX}5hkhT8f(@??(y)$AO8p!U-ARYp0fb&$@}=* zt$)X}Qoas6_#nLg<{Owfdmesv+0SwPpZ1PE2X+`Y z9#>p;Ieu`_#h5*7Hm<++Iw|wbQU*ej2J$!2v88}~{_|f@g3Wxt{r1~6ugEE1dF3S` z`KRNWYkn*7@#7~y`H{ABoZ-P!&e%c1I>6uT$mG$x%nQC3cIsVw?X}uL^W1aK>FI2o zHMDGbBYt?vkA=v8PSZuwfA78b;Jov{f&bipH;z5_U?dBJ=I!kr`1{}gE@715xo2O% z2k(D?Pkm}H%$YM=emvNKS`Ut6p1*e;Ri5!^jN(7^2_>8zW2TF;L0nn zkUD;+z9+NSiJ6^16ko3k&X>qQDwqnN*WTD(VR=!1i|iEU21N^%BW#pNPK_X4*aYG`nWWGqa6DaM9+_67^=h5o%&4p*Y(qPgot6&S8)B7|@SQ$pZ z=M{1t(4AAmp`c`j_#@&IDU(9Z-zF})Gh)GCip#@MfWo!h50`M~?t)uxaWB8v{%AN} zDjedk6n2JH5^_2u=+*(#BL>sull)M^??wfuqA?Hk!^tm>7r~IY(cf-VmeuGw4?1Bu zdQvY(3FKOjyVm@7Oa5|q7ALO$5Fci^+&Chno4J&fInU@`0%CIdm=iZgm|spuNUvQl z7;z&+v74<+NYD#(U9MRHDEtUIk{8K}Wb~i7ktFjM7j^QCR!$Y$5Mp0E#b%oTlfz0c zLdAw7NK}7Wx>%x}QY|pWrI37mOojE58%XjDcjsuxVyBMKj`!$}vbwvT3;j_HCxkU+ z0Ic!6L4STwRAq63)@PYoN5NK0I_a_Jv^lm-VwlIZ$B_4UO_ARsda0JiA*JZ5;DAQ& z9mYjWV@Xj@3U+Ey^hRiB#A1sEmBPN@2cKd_P&NgdyG>#XyFTb`g`Ey-ZhDu?$K|`6 zfXC1C(IfB$+@e@^i_V_YsoiDrz5L+AxuS?q#gU&rRFv9x#J#jm@?9>gC|6?o-h18n z&wbC}p1YqBCEkaM^6`krLn2&m$BuJq2SOO6ZgRDp1F1s=ohX$^Ni}jKE+*?QNiEyM z00#%;+e{^s>+Qe%#V_FhUG)nbcifRmmfNGvaQnFj0B8M`iVrR{iGn$9%vkKd?|w?i zNisO1&yl83n7WP|)wMO~igfE*@Bcp&9e4fIRYJDfwXp%h)oPWY0o&=s)~R;?)0>E>k!^0+Xz@lqBu!tmIN zq+D49Bo8^lTPnH~NB7yv1id8wKKT}Oh+YK5Bi!4^51%(9dJwepA`wksryVEgem-0d zsYd~MeQ58F%DZ$FnLYNHj(zt26t4aK@3GhPJ+N}QkhKRN#)x4JNJ|_Zy#GN7L&}5b zpu10B zs?j}`azZM7r44YG)Z@@Y4#I7>{0Sw#491KeDdk~^@Y@igosFoJ*R#{klQHAHS@`ec z{{=T>eE);@MA!3U-~B#?|NG$&;O9|)63$(B-=n8AnD&~};A0YpSUiFhNl?m-p`#|E ztG!Fq68ZXi!rEEjOLjwED{AU$_5A#3TN8rv{2r2y=U;mrZ@l?Bc*I}4yF>EndATmb zUDhCeTG})t?CXB1r1_c}-=}5G=!|kNu3)S73bg801?Vg3bC7;?DSjR7abX zH7{za>XB%T=)l_Ih0AqctTWH}5+YqOl!k*i^USmG(n};^6NR+R#eGuVqEct_(q0Z5 zF$6c={1?qv(jbyScAT*Tg`>9YIOL27l6uxPj+k>)mLvAs@lpUcV?629Q&3t{1y9g} z59WS^TkpIblc!C^5yu^ai+=n=y!Ou9Xl!lP-^0fYmwG2fsA>=5Cs z4|W=`gNxzt+rf5$q}Ch<&W;3*;&arRBiT2dJT2qMBaX%5MU7Hr{U|G~mOL0I_aoS4mz{9Tu}4X|0;sF6mUlBj z<3t#fU>w&M)VKQw>kr=qO&VevD}p`a3Rbj250SZ<=gu{}Ploe}ni3E0ro9nnen9(; z@t5&2zt?=8BfYD;FE;zS7j0y%zv*5G=NkU>=dRcs$Q@0wTkW?zv)b?VF&Pe@+j`8r zm}aDiWnDXIz1&o6?lvirN}}A~tLP2{pESs9dv)QQ zWP>i3ONkOBx(7QZxRlJ98Ax|7#3E^DIhsgIb2p+9QIhfjA>l4`w8uq}3?mjzqqU_= z6j>j3sEa{8p^k!pb8bf-x)DUKxspQAd!%3zkC}A=iSJ2Lgc%JoU$z(G0Is- zNkxCRDU(H6Jy7?l35L7~mjzK;&b@HD^&Rj%lfYB4<8)b0GyUA>KBr14i91K-Ic<~v zn)SFp`N>aoDmstCqr%SVpB%X+iQ)88PEVym&T09a_Ri6HP7~!+TZY4_^PEOo-%za` z2jeG=1JY4v+MlH7%yYh?(_h;foeqI<RZs% z*eKsqm#*2LKW{eb>-H&()R*Ip*I(7?^aRNVXA%qr2RfaWX`b$zisO$y z5~rSeDvtT|r}5B34{6wLd1svAQBzxwYkv0!eEl2e>GWs%#VPPq)XzNQbRE4sVE=vf zUGv=>cId%E3Z1pmtD2e$@5QZoFlNjcC0CrrOss6_hRYkm$YFJ&E+sK_>QwynXU@I{ zoI1=AR&IKD!3F2(8uu@L@iZ+vXPtGHcF1s63EKfydzQ@!6UOUV@f;8DjwFRNN%@w% zPD@>gMB@ni-Ee19Iy+;(1NO(cUpq^QCp&qrx%N6-cE#nGD$*0R zg&6sf_XaUxr^⪚m5H5-qUpCa@opOc@7vkq!wqKc{b)RSR~-^rX81oG>hI840w?geUk6ML*KgwLFX>;L!%A+znc=%VlAD`$Nh>7=x~(!3?*!WZbq%2kc1 zo*;yr887*MwLDCK@)j3Yb1xEnp|1=|iT zb>eq`*W9%Iw%cygvd5|LY$w^V!S;#mC*KkERo3e-3w@HnoW0uM4Z6Q_rj3Ukd%%kG^0&a6Rsg$s4PYJ8N2V>oKMM z7qGDr^wb5pC=_^BGsg{QVsLCZkEDDMxX}s~q?CMM+0Qi)*wC=Dnu<$B!TDHh1LxEi z!GzhjF)D6uEG#TG3{+}ZUrqbLI%ewGV6-13AoPnPJXBmh$#d%2t|pL1SjT>Q(ck&J z6-(cdR+_Ww!t#(C-~R0FNOe|9`zy+-5CI<9N>b1EEt5?ODVrk7_F}ZPw+Nw~q@yo0 zXMUh-k2%`O&8lkZs^vP2k7mzBCg}ptsE>C!`C3w%LoAts+f|_>^ci%)6<&^iKKOOf zy149*ot3@sgygVz6pr8sx!JIZpi*hvP*F5WKb1^#kMXA+<6sm}qf`=9S{WV{Qq$)0 z`_gx0hok(Qu5ZBgvZgb@_}drkG~mb@VctK(Fy+ilE#|k&px7_tmT6(yIeJEa_}dT~ zf@vuJO@Ha9z7q+b<-HijUlW#z8{Dqh;T<)7lrIj52?`cj+|F*cl5SLy4 zb9A=0=n{?7Pd}YeQgCYb<(FUHliwt%7hQCb&c0ze;#zCs+2>xs%GNdCQXw=d^)3}=!@nrz~_W$=Y`P!`nOl(lrNo$apOne-19Efd}DF=)vvD7&aA!m-lI^C zy}0+jd!>wKaMDR9f;-PIZ(54;&b2dX_yBeZGTx z?zu1UpT`fco8w2@H`sWZ4|XvLpgkLPHd0osSlKwCl1wGV zfOZ7y8)a(-+fH8}LO&3=+r5ukyeN=VL=tkDDD)R{;7Q6*jGR+yQ{C3U?z z55sfp3BDte5GrPTFEkCICn=<|&3DOmk>r#LKgk|RDv6AFuf;ILl75lE5+pfPJWbom zHrKSfByI*I$Mn~PXNV*TtRYfVUd<*=1fOBt*`D(`f?*qwG*Wn<$|}PvCg%oBr#XU( zaikkVj_DtNGaTj#VZtCuW%_uJ@iZ`TGG8*hr=U1%6K1V26KC|v#PUtvY_ z3RKio;-X7_fS>-~r4kR9hR^)keYfd2`skyTL=PEKqjA`0pZ#>LHHjZ*jx1i>sA=SR z{al~TSr!H)uFMPOH{UbM8|wm3rQi%4l5B36#ttTi*|>bU6s)|i#NB1$4w$z4RQ&p? zUtz}yJK?h@o{X1Xd=*0^oX?+p3XVPMXdHRO(el1x*n9e((q?&ey*WEbNY*(refHUB z>r{Wvdf+S*mO~OoPDSVFJv#%qaU0*&OE0~mGk7@D=e_sd!BI!=tMBcKD}Es)^>^5H z%5)rl#1Xm{KO=2mM|&5Vn|Y4BA0?p@v`N|yIN$(Hhn8#k$2#7!s=22u@;!5ny+2%{ zWzW<Ps0f~ zq&^!!I?h=UZuo*p-2}>&4KwS;j7^LFz<#YN2*B{ z+3pvU6Do3490@AGoE~pRQTeW!?`)shcCxLeQf@}}cun$2P?0v|lL{!?Sw2fb#BYl! zALd)YcS&-`unln}_>6JG@OY2m6NZ?XZwLJtsNB&Xx}hKRkA6_8XLx>Q+ zq=ml;`pw_;nS~>(LK66eFL2#5bb~~KI#MjwEoqc|V6&9> z>WNXNOc%%7ly#OnzBdvl-Ya&)GGg+JVA=?#Z(X2Eu4?x4f_)j0B)S?neIKY`UxyHV z)b-{Ak(0QmOUe)+(UHa{o6JbP_Tq%&PQ(Kb-|wVJz)cGq8fqjjr5%v`=hXPp(jZne zx1qkyIUa7s$`(BF=p*?2=TFfz@I8`PGi_YoZQdL6f$!aa=*1gVhe_Yoa99pN_)z*qi;uJ z(x#V`OFm~culWv4ogn(w3%(zMd0^_gX-`-VdCm7iF?Gzq{5I~n#EGYb2@_yy#Rb#i z5x?a-Ao49v$wxYURCQ1S&(h{I<{7}eeCcitL&`nT^VUkH_yr%TNPz#H#2W%Rg=D{h$S}hB;LrJ}u zPCv6WI^t0GZIl)`AXO+EOX_*HS$SZ4CiPUTOp`+Yn9jb9p@oIT#=$5e1nX6?3It?EeN)n}GV}J!fD#Zu;2Q2gB@_?s|xri{>}FfDyiOfac96I6;B7yhPS z{XIvRcggnvMnSp0$8hML3OoJe^M)8P59lY;Qw)y8Gp!uaH{d&BI%rR`zwdA{!KXW> z&7|2pZ{o~*eBOw8Z;UhD@P6NT8Sq`Q6M}?{pj(E^cVnjP6Le?Z1^uPTc=MeS#(%n@ zoyiwNK#1Zp$Z!ZQSIMQMT+ozS=$5cMIwD#p^Fq2R%ANPd-|2*NY_re}1bJ*gJ}3F! zCFQ4DM@|_I{pC9tr$Oc zRL`K3F=x)6i=8J;Ks?C~Om5mK?>Z$qUY;Fb1M6}e9cEm(&jyc!>s!wlSGI+vrR93` zb(f^CvWjIXEAOUDh(0?9b!(IQSor5PK@v&&&GhygP6-dRA@yJD z9jRx$3r#q~Vc2Z{*uFA6)7Bao<*^w2HZc6+ZvmA}#@~$46ZDtqFr!cmkM5{olDv_$ znd$zF2mRywWEo)?bWa7JZh7DMW5D|igZCM4K1)JnM)nv-qdJ;$QT$yq*L1^o!E~At zNt(Pze~XppzWGCf%diNVyl;p+VU%!3p>{fM7-xn-&|ivCRUeKQ5GVd5SQ*Qc#MAYOP<5>JY`hvBXiz2xQ(!;&S#A%xZ z$rzWhzoWNk^&+1{(j_`lw~%i=;Y!Mtq?1#puenfda5 z7A{(fv13O{{;^|C?BqV%Gsc5?%y-NDW&Sgd84fq&yXBT!aNc?6X@?>0Nr)M?DGM5A zdsOm0ECh8qh77G2uO%H4Cd)-UA%s{@`=VQ)ZekZIk@i5^MIO^go>*JubXG8`Ev+r6 zt#LX!_=MJ5pOcsJQpHkiHBkb&j6@tl&#*K)6amx3O(B`LPMymk7MD6%sPA2D*ZrK` z;{2w2wsEFj6sM11-DCRcAM2N?Gv=Kb_kBBGn4k2U9Z!VmEamDSXgY0pt2_4D217R&+<%K$|H<)v|d_O_Q*veUGPd{P~!HW zDpZ1iREU}H&k#R&)SW|Q`vV(^;*Z$2M(WMStM5meai9!F7#0@WD_Bnn*4@EsFN$Fl z=gmUusfke8V6uvWT9+~-d>bd6_AmIoV^I>zqSWnEBIJK_ zq#MbULokc;%e1XDi{G1Rdl@#}8lgMh<1in&$~aY^kU+-2}fgCJx1A zg=y~lPWc?e$ zX4IMf@>%*tvcNd=nZE9e<7(a|^M@wy@p;-aoqUdIr5`5W%w~YbA5%6=`i!5(Bur;P zZ<&#{g$y;HMR$z5jgzPdfo-VMDdB{PGINj7)iDs!ce>hIQC?kz?#`GV56Mm_=4WyK zFuw>VtlqNBI59oNI*@tiyvKJz`{MlS4~!y7eOjI=b4h&^ucA^tQj#ZC1%C&Gq(k_< zo~Bq#Yuei#!p4#MV#L_N5%OuiFpmR%kF*n61iemPGu@1{i9g=~QCw$DhlP1Z%pcvC zN%&Vv$d_0BO6gI9I@l_4An9kj=WoW#gvD!fkKl9s z&G>Sp+-#i3a>4cAd>`f=WHQcd5pJZ|^Srq0it-3Rc64O54Ad9MJQ0mWQCbpq-mU1& z3Mm&_kOcWmUY}<=Br4*+w9S6jxu}#A(-t}3Kh`V8heuDd{Py@KZ7}1?JT~uuDDE5@ zs4X)vb;Q&qQ&;&M(`;rtnT=2Bj`1-^ri-R4MaWaAUyj?jd{0#xD(W^Hk5 zMt@)D7PMOPM+4 znA?TakAh2-Th0t+oGFr=p14y1<#iAG4nXJ;bwcVn;-nj-`lS7rR^BCK#KR4poay&z zYSx}4Du>1JtLsifsD@e+Nj)QN+fa+G6;fGP2Wgs-Q=`{AKYC#98d5*dNc|@X)@+h` z@^5caVkpg3f<#z;uihop510;m(6{=UwDd`nW|N?AzHD*}X*}Lo3|iisloe+P?fPaA z(Q7|Y^w)^idOI8leRJNRzxaJpV4V8qTfyv`-qq6C_qqPlu)d_e-=~YiGuMohA@o@t zwWN3prUw~{+k>=7lAQt8wB}Z3rrfTANI4d}q$q+(A?qo(SAM(ISS4 zUC8;6%W!kP{*^Hc3yV(zh8PJ7?3(;#y@)m)+Ui>X^N~Fq6hY4?p@@9aPVM{HZP#D{ zGC~v;D3&h@Va(Og_t}ld8a}xAQD4i;;i#n3(};CduNot(70JxSXfwWIH>T57Vc%6s(Q#8DoVd-DD$GG!~>rv z4>z}t_PB*`yW#PB;1Bx5^y<1`x6cEQ&#kkq)-*XawM?W!9xoU2ULoR`9yixyS4y19 zL@K1wuR$VKieQKhe^~ck@iOk)y<%%&u{p7N1>~sx`i`Eb(*^yF_1MUEi^7c4)v}X6 z`Vx5lmLG-R#aUM@YoI?zl=TL`3;oIF#yaBCZyML}%m!k0Uy5E}-@K-f#Iq+qD<3eY zAIBxHeof(${|q-Yu%3>W_tm zg@wfif*qqI^`ecFBy)Y@`XJxcjB-yF=~N0yQO*;|9HQ}*m>Hy{0nbW%Hb;17utiBjI1gD>b4 za_^|V3HcL=tLkK7VX+xNEzKi;IjpGQuKjFM)}vCoq``5HB-{MZ=u++6Kyz@xR!w~_ z0`s+yx2xSMvg<4Bz?#lY7)4=i6ZquPwI*-Z+||kTT2A^p$h)}#4W}LR2m|>D$~D}M zaAO(|MV_=`Wor|!5O{tPD8<(vsR&-F7ZfG*QYVf0L~su&}V$P~?!$ zCPc~L#&e=tNPEk6d3{h5a>18r7avx_6KX}UyaWEy4tPphgtM;_jeRBHUkP`pS%hY> ztPp8}yQI-ERph$FT=Tw2a0ObsKSU(GQ2c8}%}^IQc+|RZ0gsUV5I031bmiK@!eXPq zbI(~H$!XSsyzcrh7n`~Mny7A!X|6X3J)TgH?W@c7`K@lPzPqJi_1*7z#ob}qZN&=V z^&l;mW(WNFt2&W!d%;cd%=&p9p%?e&)p~TovVGAOTO+s;l4E*u94B&1o$$ynr={n; ztW+02*Jfto2=O`@$Ix&ID%>8t`NnI=3iIcNc>{qRUzx)0_r$h*PQ8VN#nuJ0Q~c&R zr(U#-JXx}|gSoI6(jLiW+o<*1^>+>MtZFJQg#oxsQdAmVvzeu?)1O%ksxh=DijyvO z(rh9w_rp~k@-rgWA!IW?RQOB98{3XrY>kitt>s-z);$Gve5WcD!`#(T@GWHbdoG&H zAPYS~ojVtEb0pSV#%CQ(S2~`6*B>k-yC}5-q{TD~ee;Dg1vUjtLtj7F7Yuom+a7(N zY&1JXB-3)vF>tz$K^s*1A97~r6CQ44%641YYkgL2*F+zClYf0NFn8R z!uhRvTJYca(F0x=KjSKN&Ez?EkV3cgTP`*4xQv4CO}PCF(%-(@>u;BJ>8uHs)GYfBi$VaL4@KSg?Mrj}#1YOA1+r)J`!AtLhmK5_vkx zt)ounlgP4T!Vv$SG!@LXpuc<>3>5pjA?7BdC(X6uCdrPjBi3u~`Yn}6C8v_pHE>yZBqMI}dOTQ5A_Y&m4+&2U-cTNyTpG!Q zO9;IlZU4?fS3f5_ItH+jbZ4{z*K{l^pGaS=NzzzzE*$LfJ1RFITQuDzP~iChZa5-(gK<~RN7^;h#r z#Ke`7;l@KEIms`N$A?r(uEh;^4tD8c!`?I%=X0<0g_B-KFAm4r}#j}`- zMgSWo>?W{Za%>S@z=gOW*RGh|EAmR6;di!VwK6HCCwfo;X+!ose*D(QYVIxQtby2UumzG#)VqY zPv(PThCq#|<~}ktATfXoNJ<_#EV2CC#GB88FvHDArSJSqbn+5dEs^I zaD|}oKo6Y!G5OVt)qg9g-fWQ6>Pu%+#WKXV#10h6{=#yT96M;FUbxaZY4U{Hrz2=6 z4Wi7O#XGOPCO$ajcOXz{)^cH|-+wG9E_J=R*|*FYIO*;G84HW;51-`pdwvfikqElG zyAh2>kxI$8y`MI4%n6?_T=in%{dcNcwxf(&dwV<5D^?*lZxM!-m!mtAM0jWeChj>E ztCBH%)U+Jo`dTIT+(E@FWZoy=nt-r&zclqc&YmaNM@zDzzp#r}?D+i@;dfqV*okSr zgZxbJ(sc6jns(YzZ((7vQ83f5O`T(Fpn7Pb-m$Jx%dMgC(kzuPDFg5HDkPR9N{O!s>#H-}J|iF5l$d!PvFFHYS5)l6rTVds#WN`Jv&V|R z_;FJ^@-8iv%X zHc}waJ&gspOs5^akd3O>nZ?jzak&f1Dho{>ghc6_tkaxmefPE4KM@FLE5+*wr z7_>Y=(_9l&yb>a%rKM=^>_AyXIs8FC+B!N>TEg>sCFSDY`BMy&SG{?r=u7g=a)HeP zNu|DQ$>t3r^?o7sc}wcI0GLv@W={4gXMNt$z|UD&Y(My<*VLP~iNb5PMSameYRAG= zFDe&*r0!RXQ%rORX-7X+WTmB$Mnb>cBFD5!0!t#M;xXM|sBXMi(*20%J4&*za5T`VmgF_?hVU|WAJwnX&z9jsb1 zr*PGa4JP$5sWAhS`T!DQckxethqNn!ln}I2zwk}mb>EXnq`gwdvN+<%eem9lSJB?M z5>+KZ9I@X%ICTGU2>2u7M+{z%e3bJ(B~c{2oDNR-azc1X))P@B_?4CAIwPlPRR=;9 z)xt}?2+E_8?t;4k5DW$ok0(?~F~o|*hKfrt7(|YT&=Nx8*-$WjronK)_?TA4x$j&! zo2_(f`NJs18 z3X3l;c!P|b_$O{O-tvp4NvGfM(|ndJLw7WZlF|U0TRRad4NLxck%~IcI*}_v4|(s+ zI|r-(HtX3p4nmQDMZ~XPf(ZX zr-N_}WQ7ZOgqvt6Zd-pXwpgt1cW`h?eLjF(0Ql;+u0_h5K++w+7tg*BH{SL*()kkc zFOTC-*avUF@)TN@EXDA$N}PDe;W+x>Dg>n_Wm26I9!Ka4BFY3u;|XtGl#0BNQm+dg zEzL^mbtK;{XVt^+5rqOw9FW3s>_|48b&=ACdFm;T6r zW9N+AJ8lW?F%YT@psh24d?t&EvT}q1LY(BwpOYxDjfq5if?R>r)4iMT&K(v0EdKZ^gs8cZOh}%U$!*UnG&Z%O zu6$Shy?kXWe8DuTt80-;=5_6VQlb_W<&FLolX{|<)TdHuEMB}A)wMMkHKGc07Oleg zG4*KaO2d;gO=97J9u)F%Ez|FvFfFOyRBX?r-onCSfgz)IKzZ#5)Q=j2ZXrRQ zGB0X}RimoD9B!W%@fZ+`=8zF`Y5a1Fa0)vk=m@V}@O$Lh+FImA$@qU){R+n(eGK;A zYd>7}v!COmk3NE)lP?UE&-Q07U9=SOXt%C)cX3_5ka%-Hol2-_;=rRZOt`#u_J=1O zFW5#eu&>dUWS-n@B;MzYAHa$-i%(H`k})}+roTYTLsP6vxi*slB( zH+5mTO*i40XP&|3mtT%OcH3Rt zaYH>J-vgL4UVja3D^|iMvGrtg$R^@&k=W<5$fr3uTJh>%JF7ekZ;Zl+6=;%OMSs5npT#wy%+Z8*EAB+0BT7*mdx)(ul+$epI z5A=zY1^l?W;YZg7dN8-n*i{x=h?T`LKpa6jl1WS0q~m_%bcF zQm`%~8;DZF7Vme4k@^zn)VNH+*w#ySXfwC^rFA- z<)D&!s>BN#fhV4O885u{7M^?lWi&3!;f1H3!Rs&l7tcTWZ_Iw@RlNJ!fAGeO58#8h zpT)9eb0Pd3$t-um=hXDxC>d^5%(1+p5L8!JqrAKv%|gzJaM+KsQooW~?wILS5i;A4 zxoFN@#5=oD;`NF6g{VSz%M7|b2)KKvek;LrIRu*ImVR?F0LiU$?cAfAVluj-sU4;M zAVv%sijc>L&Q)FLY;J=qlS6r^MB_l>>y`9!XI&?51yW1ziu__uI7B`#_jSU)+^6aM zb~+N|p(2pX=eQ9dHxv{P{9Z3YLc{|;zi3c7G&eVcGrud#$`K9);AH^JcOm^eRlvlD zQXD@OiE~9Tj1^0kp{}9|LCHg=r6LqY`^tzeFr+)a13t@p{hH>!F^leRUOp|6u-J+r z?~nDNr%v>~&te;Mtwqh0x1Q(BT?-3~!G;;BHz2|1G=J`A6AE!384C*w3kwU2jltlO zdhyK_2BJA3ci^-T zXP(1VmtBEh|KgX(#*>J&b>PxVeu(||`jpynV>^x*+oAt?N?rhUkEox)_G=rb!AY~^z5_G z;!9up0zNC@{o;zt(cRgBfZvOoZu|?LfBtz~bnzuP?X=Ty-F4TYtE)?=Ui|AHx8m8S z{)cOS{|B6U@=3V*>fd11s#OwfQsY`xRVC>I{_&50=rVz>&Q9|9$5> z2uj|kyJL9ojkj^(c^BXdpF0JYeCPX^{oV&ibVf90`3js=tK6yQ%~N7s)`ou zu%ib%jQ7DWj#J$gh;#@kPgG#Uh!NOva)X|cp6|}X!!y(2Y?SA0`OXpG96ZRtlTD$j ztQ5Iy8sGfRcQNy$MM%3ms2?^K-#qsl*mw7xaOz2)!Fk^}4~HFb7#@4%F?=-lBOEJ) zai?8&!c|vZg=3FD7Q0W`9gCJM!d-XXrN4Kcv@_nFH46_u{v>{Q>4muF>Kn0W!5sYG z4=%=tAr1KFKW@VtZ@h+c&pjXG#*M=pZ@!HOAAJF2cfbDw{P@Q| zhCARvH_z?&_)roo$JlB&<~A-tFc824_dKib<*1|f!edW7j-`teIPd%m(VbX@zyAGi z*n96ou1uYmlq!#V%^3J0%{Ql}|v?Igo_TZY| z{|@JU^8(!{FBXg8LLv1ReEVCNBzbtz_x}&S{q5C=MkCre^3$LG6t~`bBR=|Qfi98w z-uJ(Q{r1}(H{SR!oi%XIIcMYPr=Qkxcghz|LPsKxXfmN2xN)gKDCCkj#I;kRrlwNN zfj2?ibVz~L^5)FQV13|>3|5f-kF>KJAoIGGM9-eV^Z z^N!DRwhm$9p3S7>S*9V6OfrSEyep3{B*Nn_9VC)jsZa7-EI3Q0y|o$D)m3uGdB)=p zz*U&BW12>W%`hnDy;)dni(tKD{o9guzqhcku&}VOST_b&ix(w%RVT2^PD60;eurYp z_~{tk030-Z3ijN!3NO-SS<{O)(Z!$1G|PyFO3Kf(U{?}WzXD^Oiojs5r8U&v@2CmeSI zX1p~6<3^7|q$?tddj|Ej^$3V=&Q0GQfAn!&{QZk@)DcJFYhU>qW_~mWoe}8B_em$6 zgn$t0U=TulJUHx-gRtAKyU4u`Oqei1$;PZ%iuN<= zkKx@9<_IB3<8!B;BBc8tI{N+mOE2QO>#s*Lok3-Fm4r16)zy`lJ8y}O&Xa7+o;?!{ zL+T)WRX6RcmGDXCL*WucVlkvLX*3KSsw0E3cpUp3cmQs=={nqV-@W+x<(FaJ!WN7k zI|jeK`f9xJ@=LfuNc%&NKB8fb8&!oRtx*geIz$P?4L96?0}k8|S6*>B&Oh%P$O$uP z7BW40^eAM~Nl8aii8@Khm@#9})}F!+Mu_#h)Oz3 zgmkZJZ9(ITCb&Fqw6wLMvZfj?uLt4sGWdc(!>~H|LqXI_db099J0$s(L%vA%%EeEP&K8%q%^?<>29kLSJ8d`vJXu?-QnTAS8Y|Ek+(`DKD(!d~2+)!r2vppjX2m`d@yGo z!a`I7qM&C*S#N4>MVBb=yH48?4I@Y5otZPSsId`M!v9-4yWsJ=gs^(W-xOxeo{dyC zgHj;?t!>SiG2?9v7xK-~!Ka^n7Nf_FM!2*D?|=9q=FFXo5e+5Cd)-*PVmT7|l%zF| z>iTND`sRB$?Tph=H+(2syW6q%0sG+I2k%Emq#ITB60kfIt|-IXvzH>COn|eJmn>PL zgk{>)JrGYsF>~ezs4Oo5FI6h^CXsNU5VgkyJw7OHd??lFD*Sn!GbYLiXC*+p%Irr;=zAJDQnH zR%cCEY~3J9CXrvZY?+o(f`pzOH|)sj?CjK0c@lqu9e6AcwCA(5udJ+8lh4%E)u}uB z*{uXWhq+Q836k?bz^B)2Kblr`A}xHsqce_{)=q@OAuN@8CIPD(Z_uy5={KJ>U>#%F z78Vv310jhxQhE8lWir}^P>N^zSW<6cVPRqMabkl>z4^5V15vPruv79h`Cr7j zcEKmawOmJgyO7CcarQaq;J9Ot!P#Fq7yoysUx(99|1y4c&2KSg^8PsgJKx6B&%B8Ct^}%TsxeYXKgl)8 z1Bv{OJMM@d{pd&d%x8|rTW`OC^UptD6n-EO3S#G7Cu9DKZj=f+C0QT2!#I@JR^y@{ z{TM&L>KC~1;_qYJq#c#q9`%`Hu(G`sr=58^K7IU&_|`?=L&oF6&XYz8`K}fc6T{T0 zV{yo#2jQ^84#8EwxDumAjKK2c%amYvye^CzKL%%<@eQ1O^2vI%-@ykTEXo5gcKkS0 zSJmLEtFFRlPd-JSX~I{&avI{X1R~KGH^9eY;W0URS5f(0Ra%DceeZi%uy~Pf$ama{ zC!kZ}zvq7Y;Q3cy#-|QC0C(MYFAhHPa5Rh@4u44qqayQQ-!>bdMuXr^2%Fp z;IuD)37?ktIBnWA-D82HwIq35Bh5|+DoDl3(dH71O~?KB->+qk8zQ!~wdrXV%-hEw ze;hyj;SVu!;zZp5lIwbpKmK^#1K_yhj>CTY?S~UiH~}xe{4##?o8RbWkq}NlRci#O_{5VdZoj!dZ^_$CeX3m_gOIsGsovS-- z&U*J?FEI`_Pb$WvE_js{dr^{+NDTR zO=oVfg~is3LER{io4+$%^HD!!1}e*D z!<}A$aty;r|5+GbzZW8&43gfQZcHXI5kE=homl|hTn6PKAF|1Wkkkmgz5t?$JbYmx zijfp*YJ%{jfRmGGxSE)5_()!LkR`fl#dxT5>1V(P+QAs{}N}H2Ojy@yWL)$s$W|k!1DH}kXC0MFQ+9p)P%8M zZZn3|m19Vy7ad)#h_nL3g)~PJ%kh^RZo+>1o``9C?T%)yOHL$FRZ}a3CX3tt{7dY% z(?lF{_z4ov06v=6g_3H?bI&S_s2+*dPQE7+7EU$J=^Es)KPd0fFN8mjlm}=RJC1;c z6O5Y2sNQ>_&Nmk8{pBM@QffIN$&rdg!5g&66H@io?}cU#&|?mM&eY zooWP6Z{RcBUxM|6>*>!s?>r^v%)ej!;upHF#Q1Sz5caw7^{<|TOMd)QEMDG(haY_c zKmWxq;gU4YU$7KcUU?<{{HNV=+vaFoXxRWBJN%)DEkKHyG02fp8G@Bg!yOh<-E; zgexi`d{mVG7Whlu@CJNBAY!PiFH`bBvaz_a1-@Wdo>>BaNhyYm7==a48WGO`Ng?7K zQ5L>{uFix`50Ax!n3t7f#Hi5{$4YcW5~vgc+$6-r9}2O!6U%L^6%q`dUOKL7dG{ zRoj4y+M#HVM6t3hjmp|`lvVIp0YBz7Hld?S8a#Q8LCK3;-h+~G1=8{kQ$p%oKEFzJ zUA=@6moU;|pU29M4#d-W$-h!`NdEdIzHyR3NlSYq4VTv^c^6cF$>N8NtcEWXL{~I} zwyuoiUqId!bk6~H1aS&)?4V-q*4k3<||Lt#o>)G&* zM=bu}2S3m~9tcC|*;&MyD6AJ8Ij4J?oPy6a?;Pc4J$?7xcM&cv#rrcqLQ7W!<0nnP z1d(NpE8+F~Sp5+Qdf;-i&N>|`E{_-A{r-1w)o*`=2OoVLc>ztwO$vNzn^L>N!DS1Dlq^Luqu z!HeQ|YTm0cjTB)3>ou@GZZ;QUh=@dyS_BLs${*iv6|QXNR@g&gMf2s$CgqCh7yc~OXk zG)tXo2$mun$)Q0i*N!#7;d@r#Q19^|N9bwtH?O>b68MFPb|ob)a?K6Vxt2Z|&!N0DfIvwQ&7B!>n?*@!NH@L9<}*sz zc-NnVe(Cd;A?0mYx;6ii#5PE31mVlHal_vmuEww@aMA`ArAp$Q$j$5?7Ce6@yCt0#I>}%TEfpGoe_#C1USWW>D}Bpz7%O; zyt?cl>k>}vSO4;o?a|tn7xvEvjj!#Gm zkdl0Cm2kQwoLta{jCkADm5{K)LWJs3Ql`O3`XxW)#m41FTEa|ASaI=_$ABd>Sv}e- zlVv}qOFJi`LTZH7Am{ZW<92JFha^69!)r~GgqhE05fw7e*&ZDDrSLiy%V?*E-xow& zt`m|*x67;PMpFTE|VVH0nLNBFI zgyr0+F0|EpAi3j_^m;jZFAr1XvGvAajm&RpAQ{eNdXFAthm65<&pn4d_Si$oIQM~= zHEWjEH9o@=8_Wy?{w7G+`I|Et%o=>N9EKpl=k)t~@4Z*w(W6hjf^)y~e`txcVP$74 zDr-h?X1&7Y;vN#L*HXWw`gF%2^`Q)3`_{Sm&Gk3ov@_3BKNtsg7?=(F2zD-6SZwRq zR@4k)KI^9%-6F!nheR z;S~(ca=FmMg^H!uP?(~)MIq0GCJ}&7#IOHWn=L63re3T+O#*rnLQCNq;+`Y)e9n&2 zTWsxEvjhu?(wZ!Um;HavU&l&EGI>jW=yZDp$10uieHGr6X2K;ciAM-C&zJWJfei>@ z4vN&5=P;ta3}c5(!mye>P#WA_$lYkl!-7&_6xNL-^ zlk%w&7NAp>S>1geRM$0NmnlN>zOocALHrcG`6pgoL1bgp3D+C43D!o&S(eAC1XV_d;cTt*}hC=j`Cf%Rj%6 zD{&-*6>gGN`Y-Y6Ne{1Aj~}nsM+QpEdZV9b`7ST%x3+-AQ8dhdNUjx4i19 z2PO|TARk!9wl(OCio$*f1UJDep4NZ+?YHCRn{USG(W7zCJ@??2TW-;H^(5?E%f52u zN+r;SP}ANJY7%>b8|U$wyWle%b_Q_t|J7ID#G5ldKuyC?l$BN@SQ5gj=JuXl?^|0} zqP*PMQJ)=lrBZ)V(pHU~umg74eGgRC);kU@EVff@i*3?20e-s0NN2M0olhYxx)q6> zqis2QgWoH}M4DZ9ZnI2b@GYC6u|ryl^t05Bj957mj-;FZ+4U!eT2!Kc%=}rR0P)pxB9X zt&Ol=7vD4XYX_AED(sb&Whg5P>pH!3n!Ck1M0#_>tSx4|7@t&18bfISOG^V7!t?qz zGlV1QMsjs^mEd3{<7jq;XS_#^suAK6lsH4~r!_q!K1`1tg;_U>%kcV?M(qHQda_yv zkA;F|&+HYz5p`~C$LaNtJ@yzDFJ7#tG?2uzY;q$!uBkUi({Xg3;E22tj^4A=fcsg{ zG)K;H|B6EnIYdY6M~xVc3FCLr4>XT}#tB74Q0D_^KkVy=FFO`&4W(YJJ( zXHGlkPE)9)lLYkl%qJ}*AtcB&87~r&uC6#bI+Fdm|0IQ@l#ClWPgj>P`~s56ypp5# z_LSHsbcB@oNjs8yriJ<3pPyC=A`E>^dnx}?xaCsCfaRUD6gXYmA@+qjuzGdb?!fY9 z!2C1d8g*`Xci@2sYJDQOMx7me@4x>(PC4Zi-N5hSi!a6wJM5sRAiVL$8%o?+-pw&~ z^q>Bc$eRuT`oSsvvuDr7(MKJrBNEYgHx<)5#QQi zlb}~7=&j9Ub`VU@#+W7#dX6gEuw)TRZY@F5{5*kav2@ zT{$6|CP%OfRo_o;+d7E5S}a5`3C;XX3%%B<~!V=Tv(V`@ZokF87?75()*iJ#xl>Ta#D9|Dp+5n ztr1Nzn@J<+2_O|uz%8#Z5u-bahlCXtLZ6m;Wnp1qVIkl!E`{R&W{$QoDQvb?kt>)6 zIcZ##b#0(2!mVn!;Vkz{{=`j*0+Te5`H4W4Y!S&%c5viP{!$nT6QSbwVMN@7#j;v{ zRLhI2K}gIJREU(ybqK*NiqL1Wab&ggePEEpQ%nJ4hmRJSf@xu4u{w&I;?<$8i38K7 z5W;H;Bbi2o^pcEIQ5SLUJDb+^C+TEHNTyWeoK#QlLM_+XbV^N1f6si9!p%aQ4vIYT zIU)AxBvQ$QDEvv0gye&`8$g&Bl>Yo(Z|TS1VsYXkq=Xrr7gChqF8g_ugaZ1TZnDB+ zj60^mBd^lu71Hk!!rI5bVi}b9Z^gn7dymL(l6URtE|hOW=$ZAa*N)Yv;cxHYXgUcu zp&dm9($0~3j>L1LIxfSZy&?F7+3|kt*s|5&lYt47 z-}(N@y%}EVh4ZqUO$1jL{qx?*B&bKY(|t}VX|J8R z?rUb^F{!^P_@wpbzAZFqPctBm{6Nor5+)_y-Hn_O_@HS0Az=d{VFO%b;1!bM&Sl{f z!b0~0nMT$Y&OoNQrVQjiCoG2pepHo&;CH)_6{5s=F}`WZTgI39>K8)9`}|GQEyO6p zbKeK>*O*4u7SC5UbO%>$o& zfCE8MN`3NTyS3Zm?pEC03dP-_NRi@h zDeeTPP~6?6NTC#WcZcHcPH=bqcAw`x=RM#4kuk^^B-zQ{Yu)!+*PN5^TkK}8h(d?F z%8xVdV_+Ntl{6N#?d2s6ZEv8)bn&>96*2ppvOqaq5zNh0zvmrwSKyHdP7J@%iPu7Q zHMHM$5myjnnPY5eGiRUWZt3JgXw)sgvkj-gL3TBFmuM)+x))2yG}aTMKXuGhph3TA zT2}xmV=?#%C-)z+wg=b`u==3L-^i-TYRk&G3%XyJQkO1Grg`{VP|0+`G3p%#c0DeB z_3~G)t(eEJuyvq8K4d;*Dp&AcRZDR-Y}Qp>t3ReQE#z41Cr82k9<64?$X%|&F?v^z z?4|QgDGs!*hE3a?k+?Pc{FV! zjX~Rms_Lt5E#`~8X2zhjK7t@A`V1P zD04*TUxeuL_HfXXUyH>}(I>#ZgNIKoFaIS{)E^06&G0kzKWv?gp2k|*lyZOeb0A}9 z+kd$ub05>kQw{MfaJfOy;2yvNUu0#jVK+VBU336@hi{g!W_LQtR)Sh|R1Ch=Ak~-; z8`@r`0TU@|eZ~B{j<=#dU+4vUR@Erf87N`ksIGerHb_bb)H>P<{Cv8RjEyQYje+yB zOi+u6P!rI|iL336`)Xm+8`*%AbU^IiTcV{d`P%3!iW_wJvj&XCtxWIa&> zx+PtWF=Y?M`Z-TyC5OPL&8R{IDi?wPB?f74ciyhmH>=s~P&t^2{M-g5A1h1aJ*w5S z#9j&NFgCZ2ctW)=$RZHbU_7=V&3{ybyRjn*K zUrXzBw3$@8t}WEi>hLTeIpd>eaZeHvN)!#Hn-Z$bIKSZ!>7`Hs!H!BY3@m*pT5B{(OW z-mW0(K%fDm;FEHzyxb@W=H%t;uAa~~whtS8UAbv?p@vH_&Fg zv-PA=rMrY4hgfjK=Aqi%=KC0ppW939) zav%XRU$8UMHq}H<;92rTn|?~k=>1sj(_z}xZg$SoaOvix+|^NDE^+&6WlIP9^^-N0NhOTmF!V$E`bn*{b5^Lg`(3Ft~o?k$wXq+tvgDwbf9+0w09nB|0V zwn~1tU`MNwk&wea&26^Iw{d*X6dRs2B)o(6+M>uukWe*rJeI&=cJz(k5*<-V+Pf^} zqNsZ&X2db9z>z^A66`J_c)>=a<%1ls$QIHWsc6N`TGJ~J~2BTlEKwG~4=>%7}Y7=FtsB;hwU^Jz8i2BBJ#FdqmbJ}_R6_Igs z)>fqt6fUQxFmJguiu2Zg+|`NmUDVwng+$jwW5!QP&Qs6Vw4goqd|V-x2Z0T+^YXhrb=_@fT(J1NYX_OjUyn8>s0R61JKd zl|RAMB!cct+^NYmM$!m&s&~kN(5-H3P)_121EfNXje2fiqtzqgEtc6$ovQh!QP2=3GI za%xd0tH;RRC$HIBXo!pWH!EHSeOmbn?P#G_oTrb`GLOH{%KO~NnAEm6rr`Sl{lTf3 zd=l@uG3N?t>MpEO9SnorT)i10+J2jHF;h<(k^fm1BszW|g@=Yt z*8qIc+tq&y7QlSA$=FTeCUkM4!il->K8SWcs! z52|1voJ{lg98G$yTDBt{Aidmg;q}v{ya9ceIo&QE{3P+hWfk)F6K>=7#?{>I9KlkZ_*)Q!yP!-+Da!$#H`vZ#Su7jLjx_xuIa? zYd$#rJ)l|y&T^W)v_{0YuPi|#+^iF}KDZ=>O9}Q4+#5S$1pFj|Hp?P67jwSo4dY8M zEcnsRX|LTwQ$1LW!)NW=;4-ej9l1rTjt6-{AXTVaG{zd$5Oz zxwqrksSFDljqeiJ@SnH+`_A4*pJfI6*JNf-y=`z$yd2)1czDAIMZBvQYR9i{&*~Fi z8`_vLU(Z>vY1oRS5jeA@H0Laph=BVBCn2k0T(0kp{8{}om6f}@Rwu-Wt5qs^I0;$l9&VdJGldJ^_W%)mkyLqy@z6iwA#)d{Y zhDF*o0s6zl3Q(#ih$iSoXHFO1WpcaqNF;aY*UmftG~#poolBR4O52a|!Yg02s`Z!0y$M(XNNKgP?_ z;^iqr1YTtVnvo`*pJe1V<==-*k<8`2^BWzt{m7B3OWv}okueCQB^rdAkl%)F4Z5+n z_P+EPvyX6x>m$!{J|3GiwW*c)zrCrebW;IOeg+caW2Nd6;~;Dw|1tC#qPZ47D2>|!F=qFOepkrqY5@b0~H5zU)*fQ zK7z2FLoA1ZYRYy6A^pIIX`gPv3JPb}O#roht$c_lF$PFVhTL6dzm`BJ5(%v1tz@U4 z;E2>qu;B-cK~&AsU8Q_;Qb%}=IrE#ERJw+*(BDK; zkugdHj}=U5B_t*N)_F01FQcB~ih0%Ygajil_vHIhJ$&9yoBe%mE6K|-WavVQT=HFc zfB4sk{o zT79F5_4PmyJPjHe`Wf@M6V+g9mgtzg(c=kt3R=Tj%o@}aR=Q!|$B_7h%20$R2z0*h zF3uovpp7n$9;FlRHsy8UJHF6%)dHoZrPZvktqY19E@Pq|b{ZzwxpG#WRFqYDQ^-G> z@b@zTNz%nOasR5&>QIxtdf<*3M;+)@W(Y}afOvNQe!M*Docu6?s+O0l~lNBl}3t%o&gH(2Z~H8~ZncrdD@l@*7jrRCWZ(pYX?9j-}# z6ppb$klF`Us$6ck>c$duT)fFtXfOTjmjdA;Q}tz-*kQ*SA=;k)(rTQcp=UW6nG=+G z0#QfPfx#P8ad_Ev8CZTkz6AWXSD*x{=Q?ZLd;*jvdbROEnY2NswhWr1_@r@a4rpMRyCU5*ueH^pqG9Pukb!=U4*I@RGwm*;SX z5LIbB)e+~GivI9B56yyk+19b1EB((yoRC}7D%m>$U>7^wlwxTLqZhR?EDW)gCTwc( zwnI^%P24rjo5&DdRBfWiDHvH?X2YU*kX zvGk0Ls$y%?)4BP60WH77poPnOk^_X|N9b}Odt3;D{OCM{->4dY{)Fldnqka2J=w)J z=qm+N+4h7O$?f4WY38>NQr@KpWKrHzT~J-cK_?_9Gq7(D@J`I`M(jybAW&h_6I)QF z=ofrvJ9h_gQL5Hq&ycV+S_$SI`=Th+;0iWmEbizf%JWG0efkN|0JH2~GK+<{RuO63 zHi@H!IWF*m#X6YS;ePBP&n7z5nwFY~^oj@vNDxKs`4-Fv&g2y!B*rPiD{wle#Qxl1 z?HaZ1FoJO%9>2?@69< zyXiuqpN_B3x0JY0L1^VYLx~u=9{a3k)2d4Q1KawZO8r1C6qV98yKkqi*X!e2e>iJf zSiB-1!Q(L)xFE9o0|uOam(+uf-5C-)%6%_iou@Y=I7T}F5ANdao2ucm4v^3#0m9{* zmd6w8gal}pp;zCR%QrX6PNYYzw?Yk5Ej9!q#R-fTuoY~!ZG^?bOQ?b4;piAuq zl3p#m0MKwY6>9BqRq_rXvnvQvDMvVa$Ekr!^I#72;lybMShO9byVF(bH0p6n`Mu=`nnEP z17C>%)4lmJ>~=Ik>(GTzXgocT856><8m(HyS=MyGAfGLy$NvdP^a7733<8(>96m3P zzFSMet%Rgpe3bV`&}VXVWdeoUGG7rYWy4sHMldf%AG#EUIjsDrHe`2ss{=E2Teva} zdpQ_?7Z)RG5TXV3rlK9uu~oy&`+c_l7a0FbjU&^*W=_|K=?j`pqjMq`_bbNJlChG@ zXK=#iNzE9~4Q^FB_8K3x0Ouy;0#Z{;G<>PL*IZ5!3zHY&*=m~BXV{L6%w0hedO8#T zl2uf43MfZ38|-t?ty_O0ULmozd~0gr%XEFZ+lpqCJ=r_z$PbNo{(bfPOYzwd|9oc8jUDVCv`R&K+WhMx-S&>q3_ z@ju3_=AGmE>cFd>M;V{mqDz_TQ=fS5%n=H)7;*_h|{G`H77c}Ir?3|K;{Zovi zu&zjz;7>nqgLb6fobhJ*WDIsW0*76O z&@_4hW#@mZP&W2o+BAt*n8KewR-w9>5VCn~!XpzhQu)dYx~`f?6M0=p{L$mXDy=lH z32_7bdWIy=9*zi_!avr#=*&TzW76jFsLHOHL<_1}6ufI66M9@PD%2O(v6906iWViX zNmsel3>ta?!nWz4Z(W%5>agQ!6uM+-y$fhXqMX|=h8X#nv&j(1l9;so0VTP1VXKoK zlPs(B@$I~c9g*|6=whWv)o`qJR1Mgr*Evi`mQVWFZDhY;`D?Tx?OT5MEcadB=MiO} zTwteZu8*6$-s-`1%^Uoe?C<G=ae&W!? zT0XTefO(FsDEy3k)c(3UR65@dpr4uHh1ovp1D@P{(dplS5e)O^Pm%~?4t)^1n;^+x za^~6kceKq3Y0?>sKS!M8?8fhpnhe7uq3Bzn;y}@JygL*Wy2&lb>o|^xQTAQ-pon7TbY8`JjSr5cuE0LLIT0NG~nf zwU=J^)oAQO|L-6VEFty$KqHQ&Y(MLAay!1pJ8Lf_>COmLUiMzgblaK%v4Lh)bni0r z0!vQbp-rZ=^_THH%;!z8IW}NE%u2M$JfD&h-RE8?V0tgv)NjnSztqNEuedIu01;i0 z=#y}t^|o*%`2u#662%($UGiH>YQ*3rN%Ev4u`UkgKJF|xW~ur~o=P#1bXFL3uV2D$ z^O5HZeT!J$mU08?rYYsRf`UXb$4_UAR^_2xFYf`nTV{cqc}jdCFZfmWTO0CL96DCk ziI2BbdtO0v=9E={Xv}Me5wrn>Xm^%qRXaZjipDA2HihbYCz2HPgT$!cW>zVEIQzpf zwhqify+F|vTwLC!{hW8_JsR~w^b>;m(4-;4%YANjlseHt(D&B&&4ztoOa_Bmf<{QT z@`!jrYi<{%JBGOSh3nm!#}mL~stW(b*fZHXMxo-c;;4|qYrlWwp+phQp@Ha8kVvn) z90X`qZVY~U&OP3)6!qF|Xmz+(Y727`sumu){B$-B)!v&I{iNt+*_Y$VxqekGgrdY2 zoxJ8ldYM$4r<%2eOLSD0HyHbvaQ9w`+JkRAiAlSJR*1=Wybx zF1^ISVt2oZ*B+uwDNUYeuNXd$ogYtNVIsAak0l&z;VCaJasZMhG(kEh<1n0m4*jGg-b<#`Gto&Oww7$JF zT%lT{&2*+tT~@RpP$*d2YAnY(mSf6Kk_iAwg1BcECJ6ohw^2MBW`R`vo=+0L!g z1}tHIQth-QsuC4@ZFMT~s2# zN{?%f6AlL0!-bVmM?YXJAToHlNT$|znh}&HWG(`;X-*y0x9&esUFec$C-%r{Z7ik> z%uRpZPV2tdq#_8VBy(=%N{~R{i%}Ts$BV*`F3Nj4qx5$K!#)zJgeIKwEC3wW=*}*HNtUl35qDWN)g%4&7^_q5bC@-h`V(*NE}<*#@RQi5aySzKXEg zfhE30sCxG=Wqcuz2&w*F`twb$^pNgTR|I+`^3>f8&8x!{CEm%@UYBNOZ>ae zrbGJ+5AFRP0d2fzJceoW5?fsv;;J>~3Ns_RUL|~9@u&5%f^{6~l*MAk*+7B9zVND} zp@K~6s;jTe>&{MP-Zr+jeLxn1M*=#gBIaI^D!3nxv;~fYyMJUAmr3&*P}<`q>p!Sw z_^#Fm7zS4u_sVf{A_KQQ0EBY4okx}ff>(ZNa67GgVa!z=&)gguh9@XLZR)B0BC&kE zw0^ZqS(-TXZ$|Rp>=UsF!Mm%%=oq$SqhvkTi3O;PD!bVqPJ)74a`CFCK;0+3vK;jZ zZeCPW*S-^m=e!5&Z%~rr+?LaHb|w@w_XFiUM9N(^dMwtdApH~SSMcSC@07CF%kB}h zEA+t6thLwb>}TX`!E>j(S#H*zWF=uNm)e;WZZPk`VbG7JCf#R)iXRBw!Dy1ddZLpJ z++l)=T~oHV)G`%1o}u7v1gzGjg?S&;qDFUZoq4{9FGYMS zOBmdbjcn9ae@a%DIgnZb zAaBXCyaCyUwfouIvvQr&j+aN$2$LvYK-%+=lr=grfzxgGvrTE)3=uWnV|LN#wgh13 zDu{tSrN4&`E$nrM2T58T8%>yPC_IC>X2?d;Nf-c9=QS+rzeEg;K&+`z~+x0GI6NA;>(J{kozDnVuhiPhx1N9HavdAQ5i?^*XQ$h@7O z5S<*`fueb4RIf1^h+!BkWFf!biHqWzp5tiGc+}IAO-SabCzhZPC|`yuAER~%-{bUg zH6FLyWgNRS*Tjw59KP*n+2F5$OcPclIpypBP(7iJEO22jfQ}u^50ro^U11!buY%@S z^~7OZQm4Q>?g;sTmY9gZ6x|x;s==Y+_aQ+|shebqwQFyv)&2zh;^$7v+>0{z3f~+B zmvMalfkIJJq4+&}eh!I>(-oK|&YxR84(;h>QFwDdS-+!5Y+gxdzgor|)9twtFE;s( zsAg{UZpz>#;$jijYh!p+7W3#U|3(0oeHTcvESZOJ@^(He45XREC+#N7B993nn&&;j$ z{k1X3e%TIA6C6~7HS;++v@@!7H(ccO{A*zPce0udRG8V+fD$C65l9T-6&_vsIprXvcL$-b~p8sh36OHk4=NFEcQd)Hxe5w#UrVRrDRk}I$$~Q=#Q$o7x ztn6OAY#d7Hcl3w8K6C0FwQ<>}!MuTP9>cb7RFi<^UsEI$J@mIhKt?M0!j4^>XZ2gs zvHIPQq3;neyLVxAiH^-7PzXFA40I~zt7HdmLQw4ZrMu9uGn=3QVU`gAg+gyw7ifXK zUe7LMA>y_bB+%q9K+ow?nPl7kucQsjOHH_olNVMI*p9 zMY9B_z}j|>?GVCyoyCTnSfFY4K}*j(8!P;x%0r&0nIDyZ(~0Ndm#RZw@>q9lFfhI; ztYOiTcq5`NK2FhHPa8RROGK0}V>sc0DUu^{nG)hb*A>XuNpW&=tHZD4DBat56^^}# zrun1ppZql&TM&+I^cv2(keo?TXGdtWUP%2{f4COdpN5LC{Yr;;Zy*_rPk@Ii`$?9n zO@t0fxCi8^u<*HEGiH%&JU>|cbzK!iqOU~ z&!0ip8^vE&bFppe-M`I19IM{r-N}+Zi2arx1!tQi=_`XMLnrfqz~T7G6AMn!9YiF9 zyAUhl$?olGsl{g$c0&kTKR-XB07FD_kS-x9Qp&71 z>K7?LPOXVh;EoNon~4;jYnB&=3$>hjI%TWwwbI^vk@)x}_7eAM?+;EnzcqJivW<^E*?HUd#2G~&kQztY2XQO-W z^pi@G1MAc`Iy{g80oUK>3x91J>{{=WYTlA=&SOQ*FMSx{sY+=5gvCIMa+X7p_Tf;tN?)@%0{G{EUQ8 z zvu%!n(05}9%R6FOvR@?2rL&p^3O}Hxj)mcth!5wMtFjxw$#9~`2*|qe#>scdb`hd0 z^?r^Z=2sb+R0;kD2KOhf$N!1HA_NO%H$&2t*|%o`BwrEYY=dM|Vy#@!W01!q2^t}4 zZc+J8YFW?=4L{paP*CJvWd86nD1iku(og8L$lc5nY_hSQ=S=R_+AAUv5jm+r14+dKCvE)eH@p6a(L!F{YR=DLmM85^ll$VlPW z?}|AF1%{Ku%~;@kJ6O%Qm|Rx!B9+8S*0NUug!O$1+g{_>Hb~2vq%3=!kE%}R*jyn~ zvDfllCQh3Tn~VKtt52>+4NJ~P;IlSs770wc4fy7=tz@>IssKU{_*@l;fQk=6FflkQ zAP@=97#K2p+a5_n@C>{#l6AchlDL>>_!PQE`G)dnfb}y)J;t#-%J%yaJIj^By`yo| zT5|EAufcC+1rAvcB?UHOT&5iQrAC=bjhca;be48jbrgHOh))4|5`i*3uoZb*-U*zqM6)E2Q?|*rY^ksa`k3meQ%Xy8BMB*wFi>vz-gGktK@IE)Cyl*UP4xS%uG9LV10 zwJO&jlW*CH&m-f%8auAe2|JDTr2i1pctQr0qfom9iMnY=zl^e~u>zpo#Xmnq)oJa? zw2Goy2sWwQ7D&rgh4ZqNpx(WJeZLi{-b!d$Py;$5zn|f0mA~1;5IoC(~2?lss(^{jsxl&StV@_ty=_1bamcW;u|@tfkPx4#h)=?>MQwQ@R634l=GHh6Y!? za9*OMc*{(0y}1e>p6c}Ij4kiDpgTMu>ybXi3=7Kd+A^J_2qajLlHb6?qKH(eYaZC= z7%vbt-mmJIuB+?+GaUDRg=#e0yBguN{jzO4mXtqo4JY39S7%C&Na>lSqgkAXYw$e= z#-PmSO<8qYOArMJ+FnScb1EYxA{<_NkROXaz~84;((0j?7ixu3!^mBga`dI|UdB|V zX>cbHPd~)_c0of|rbV68Xb(NKhwsN=0mM6p+hZadD>s@0$PvMI{p%R|7d$xZ`8IWG zp~nPk^;mI;I^CNe_x?BC;{7`<0-0FmzK7e6U2f1;t#4mxVMpI)t!?WmjuI(m33}%Kf=~& z(OU)ZrXGWt7Hz8t@+DIt9p2rzZa|#)^Ihk9U+kNN%Bm6c#sQy8zspr3PU2Tv3n@LD zOxplydkG&K!_Pp!$oP-7!`~^0kNroG<$!?j-cyPyG6uek#1>90S~~`w!YUS;usKJ{P-S?@c+MrwLz;q|8aFuL<#Avy#2^8mY=%%F3L<^@QbV;@p>}dL~ zGbfTtNEVt9LOAVA^@zjj$l~WCiftrb$mp=ATCD5Xu>)7;wz*r8v)pNYUG2fgxyf=Q zd8f(}EW)R6|MX!0^kD~@-$w{2l2dN$ghoKY~g_tqI~ zcsrPxVg00K30}#PEN{flDVi7xrLwcto@8sHfO7&SXsfAnqgxEheuW}U&W9u(jj)Mmk z-^T*ZiPWdqS)xkQYI9$uL1Vw#{`*;R1K!R}-%9T_y1Lz8?7%F2?A$Nc%ETPTaEG{) z7)vImw-dv(*x9$5+? zv52EE_(Yf5*9r>MQXym$ZgrqlJ@U0N9#gRn?@TIZvG6DHd0@j!=1GbM1xwtyfC>Sg z?&=4ZG&#un9Q2C9a!g!rv`;-b>m_e*0Kb1gd{i z8rT*71y$4mQh+j+pbFM^>7Q_qbB~&jUng{0*=v6pKfLZPXoW%wSMbwQ{l|poFZY6? zGM3%y>V-Cq!7@FspJ-{u#u zrsmq&LmKWO%!$7pJRbsk;;L4)xdpKnVI7{zm`Bg_xU>R}oyynzcp0iZ%rdxD^h-bP z1}pD3dX3*sg2o_w@zQ(TIz%U_r*~UABdl05B!9p{qOSrl^&Z`RnlUBmH$`*Qc7x>+ z@JoW_+kxRmMQFvb_hlz63CW3v*B!tHSJ%0XcSi!?!%p%aKcRn41tpHup5gYH{?3Z> z3Rca67^ij4S>*NC;`o9AElud4ESAj88QemNbd8#!XK`0Rcpw-vxpce|-$)^LntBS+<|#x0zqO zOYrdQCC$F06!VQRfO*CL_UX0~EtKcws;9F7FQ-$z|Lz#wLu~nC*`56A9T@@Mn>Vb& zvJ#?dHTF^unVvv9yW1qTXO8oT{5;A7QOu)AyNZd6I_|0M{qP7Aa+F_DvJ29On540Bdc*;@$-s!wb!pQ(@1{{1-NrC8tP4w7Uf5zqhm8VSFDIw;cl+&S)Y z8Mp@9i)8o(@kVg{*Amx{3^u)V3Sg#WpR^#KB`7;}@v(|cA|9Z3G6 za0hSPS~Bj@JL{mg;zqk~>xy30uWqnA_xW7A45*h_GpZnqUm-;0tNstws)Wo^bn17W zBo`vS$t##7JxegLUnO^f6cz>)GF`^S!D|q|enuDV1}Q}u*yQ)%r5v9QhIe3$daoGDbc6jj# z%a!0fYD~#EB8{v;&j$DT#XJeI4iqos9GZ=fh^RQv(S%g=8B*4pB2@~_RaGB?&*FcD zkB{0fS5?I{+`{KL@G&>6HZ=2>%}wX*jUrc>Rs%-!gYsxo!x)M~NfJlA45rv3X}#_B zF39ST-ns<@mAw?F3GDrN3EPV=0=e@}I$=@5WXG^}mG~1!7?nR{mg3~AKB2=WClu}D z^3O_kVPXOkOLyJE{}jTHdoyKlNK{uunRug_xW^gLSphyj?dQR}EPW%lLjI3gJ_N%7 z)00A)+6AUU%*vrO9NxSg@7comWm!cp`oiSsP z6v2=1;wO(Hx2;(5-cCpBVLhq`42->k!w(`;A@ftry<6Ae`?F0+BMwe20+^vxjtfKr zy2<~!sQ&VynMU@qg7<~+p-lZ#j=3gN*73rme+&X{cbUJ{x4b7Vig?nGP^W%*(?8eD z;eO}u=QI8KQ8X|sAdReuD{mnidfvT*Em1ARK4Bc)1M-W!zNg<|7y%mlWtYr{DM`Z2 zj9$IWTJp=6)Tni*?aH5l(z(22*x!vla&s5Urf}LRvbByfL4z(i3YJ7b4A%V>#KbC| z;n6irqfuQSL5&s5_!T|@KS>e-WM+5Tp4huWnHd5PYeI?(r#=lCj#7_A!fnK{E%WIF zCw{e0=lnlKCGq#)Z&m3b1KL3nvk>%~U8=Lb;LA!wNe*4J#9t&IVXyQ0O|*32^u6s0 z$|`A@BTSw6sIz@a(0Ke6x;_E>XFzA4Kj};YP^-ljvvE^C`;$AEtmI^=0=ehN#-S0e zD$cI`7smcd^;A%p@>R6O=wUJUB>@NKZx3LHuJKxJf_O zJN28n4pf0#-4d39SW0;_dgWO@2ARe(I-oj$T>%uf#$%~W3@RBOHP$RdO?<)7TL7x-6%1 zr^^qbHcHXVx4u&|AIuV;{nEf zI5K$2JKBwRW>?X(RIM9afRXeN!SmzpXXg5^7OeuzXljp8!MUfafd7N-dm92M^B31q z|D6F(9c(x7><1>@)sPm}H@*$;h(aEx6O`$Si-Oy0h+@@XmD;Z`_1)}HHyz8t6t{~; zvq|w1%z%w9sn11sCTTw*V|MDRUnKM(6$Glasl(Ar}{p0PFJN zb}>j>`E^2f+3Rw|4RDbF{FxyK&t+u|GRS$-Xj5z9xXjAJfAOU`17Bjh)@xkXRd>*z zO#XV%^UE&urTh72?_#InX15|L|Mjx5ONGGad4{XFdwH6|Pl{i$&OFyI9p@ffPCAWX zw^72HW#$dKS}#J9lGGt$E!@Mxx+JV#ol53PDF5fOM))pwP}JpQ%FKZ0l*GBw&3lP~ z2je5t&8FNS4gfDXtG=(@TGL&X!wD+^^N_O#PY(9-N*ul1{i*0$Kk0slDW0epC)2jt zTAY4jFcFPHT0mc4pFbnq)iC@Q->~}?s28@D?^TN)T%rc%xEvBq-;$s7-1hRCpTB35DW651Asa3D1##V zjDm@Z90m)V=A9Ouj{q`wU_z8UmxkE8cbVHlGK-klA`?bbRG)&n>v7Z$G24Mo)WuK}2+_8L z@wbsxtZT_bM-gFb6)v^_n-9+8enzOBPq^@|)LU<#GE%Ms^8bGMqBPf3Vfiu9?H{o0 zym$aUAgZ%QurM#Tg{Vjd`d&ip`ne9L7(Kj)%2`^t7_JnZG2pZcyvB7y+1!+xBLX$5Sxd z%?d=M<@Q9r*2?ZsO1q1I%Nag5mTFl{+q~tOr7waYxb^k{TiWjW%oyb04&egzJW$cqW!n#7%5Tn35vYF>d= zL;1_(PedtmHT=(4Qw|$}c)tlb_;cO5TWpBGe;n~i&nP=JmIY1hsCm@a!70|qO$lvZ zs2Bzw#;btC1+GVlTADch2gd0&wYc6EKT%e6eIyEBF&Wq7f*EEkG;tVIEBT!j<$kYx z7L^ioG0{w}tLk3^{pE|+i5pE;vP^o%xC=r|O3UsML7{b=S2;^j{`4E#rm&k))cbUC z#RJ-rlhKfK?UPbn}(F9AElDV-&54OaZl^`@{bHIp6zeGD?hfyMG$m|4+yv3ezSy z85mck!pX_WBj-<7r_a8mt&yX40vGtp@tKj^&-3YguA;w2klpUZn6thn)VRsjez7_A zLCE*TOFm1WF?c;b!o!~hL3FmR;^tl+-v?fHz6mw zr}6d;tOh(p9nGh0!Fu4#+(WNMpO;u^5>br}A`it(h}t!3X!_WeXb0Zs>e5!pNdY*N zIJoH(2x}Tt^c=Nm8}=4WlmvvqJu6jfAjS=hm*sh)1sL=ky4}}moKJ?c<`@m2>t20- z{oYTjmEpAUj0W2Ll^4|$&MFxFVAOqnbvf3lN+PCUrdejthd0JY7~OvN?)UJgvjalX zeVKjX*K;%?*Kt3$$5M^6v%KhaJKx827J9eMP};Lq&(pz2cOqaG^Q9IZ>nSSC3IiBe zw7;804l`dgEL#3FuMY^$E!m;rm;8iXI*Ee`#%FWsr3W1Ku4MSv8UN&g?mxMSrOeES zK4$r%y?Wib3%p(|sq}%?1Mv*Hy`u#J)9uYH?84owv^ldJX?1 z^XkrqYojtI!vtgxP#38hCM*AEQ8*J{O+`sCky1S#j34a9=f}$-EaEPUPAP?oF`4R| zVCFEjTqTyU%|;W!&^w9+?x=#fWOMjKhg|&sdb$d>sG@bPbVx{dcM8&-(jW~2LrZtJ zbc0AY4Ba3pDLF_>3=P5nLwDyL&b{aEAF!YO?Deg+zIdaCxBd7_@9OdL($eYWjGFmK z3bW8)Kos`MMt>wEvn+r9uVCY2PWD8Sp4xH%8W8x+3$3t@rEbbEm&}E*@8}xsBQ~%X zGvrlCOWpx{G_7U;Hq)eh1zo_{7McRr3+89n%T70kZE7+!n1cUEydAAUmkqc@O-)*x zM6x_-13=kW_vmke(mgdr7|iOoqoXVy2%WO>2yTv#8E2IlFw%^!7rqCz>6okJjx=rZ z%tXZc^Ny|6yi+fKcVI#o?)z==!oAHQU*Y2>T>rlFy_-&-ivc^VGQ4n_fDqO2iRzGmG)n(@gq>R&g$8<0)FQArLK<7 zKH%-wlQ%omGb(u*Fl8@erHLNl7xs3_vO2HV6v z9ws4-etT}8C(4&FgO@6pF$d*eu!b?_70uIt(xR>b|=Qiczw)gK+3V=Yx^B9Z}gQx&(%M$#}4&(-JsnrXB zrEK&4|EGQbOPLg{!anM1sm2qIC&z#_L}9ipig*j2%K0s<`v;YuIUGs$?OZNRXHNH7 zDS6+9930SFpV##e?Lb#aHWLckSV;Wj@u77R$#h|${P2MBjs2BBdTx~&%YMstRUgFODXKwl(6q1+Ya-v zs6l|hqC-Z-gWR^twgH%FcM&cx--#*y=)B?wl~#QN=lR*$yRNzt=an#Ju1O0t%4vJ& z?v7SS_`^sWA4bEGo?914=N---M%Uj^Mgd@@K2~7&708!je}6o%cEC6L0UC(LJ^M$S zXtsF%%X>T33Whv&+Pe?H@f4fH#KZC2d9Q$Tv`{ETgyU3tK)Tt~W!6Ety~%MYwM(u! z+-woqO63bA_iAU%BnWjtY-CNoKrO^9G~J@}zu%qQJoBsl4gYdW{OmS*;{v_1f}8|B zb8~d$qdKnA^M}Cq>m5rr$mZ)dZn~oWdfZ0mKKg&#NYKs z(;PA-&sqw?e>*E>g-=ElM?dQtFj|O3X`7|vi!Vw}O)qu4wc;Cfx$jJvb}Q9TJm<}G z?rZw*Ab6o$V%2x*_uDExT@uK?;)j5AE++gEAu8W<xY z;02pCon5kV7}k>|>zTA5&)|6Hi-D4Woh;%i;{!{!wQzdu7r9>{>fSIo-Q~02$+(ON zMZZJqGx_?%HDWm9#i@dA_#zQFlM#k z->8-}ou*bVlm-qEP!=5q7tM_|HgpO9zMsK#DEO`hq8t&2vrC&OqA~5xPtgf|KOSdd z^VzF6=%J>yssEeZGKSCASTJpZfHDO1{<5CwmYVt`CrfE)>&hEjzX69eoCqO2$N5MU zj@sQ*)}8%)N{BE-3QQTaiK!8I3?P6|51;5Z(z^ zm!+1-$&|21?YJ2G^$PS zI~g&_uh2YQl)l!YUsqAjM?#W|72K4?5e|Ixo{gok$Ht8O;CZNLWH;${pm5H3*oNzw zFN6W2^drmC;e~|Zs!o}2w(&i}R787=jXZ}2av7-S$kkm(JgQzhTsylDFc#7WpYvLw zfTzl;K-#c$=yZp=&QOxwzvg*>w2DeR(}e}6>Z71W>#}3Vo|bPdZ@%D+{y{es;J1lJ zeUT3EWxierz@mp5&PS;rmxo*qSqYnNF&yb| z%4;6nd4c;1{uhsRv=W@I`q4d~sZ42evV@zuF~_BLl_D`CMI!nu;#9_+x? zTt!rl_ATU$k3nx?)E2bs^_R~p&ixod=Uy;c3u`bV>XK8>6HlE$^0!<}_x`IZvO?&+ zU&u))LXcm?F(ph|F2{C5g1;ORZh(Afq(RYD$lV5SskcZ0nsFNMt5K6Xn=dnP?uU@K zomIShKK+cwFZQGN$2Ee+v8#nhiN=6Zu4jn72yM7HJB4NOAS@&icydx|3nyu{Xk^l5 z^jQv+IJ?3Et{3Hm;VJzNU8uLk+}#-)sw*&B*RIv*G%i0Rmc$ZnfOHKLQPM{lA#Ko}8*1p=?x%65&5D;NLJ)b-yXSzL9*>X8Uwusq6&pLubl+>66|ePBnDbP3A{ead zV9e2Z`jElr(7s?41|yHbH|QxoSsX=UUy0wg%L?O^gwRo?%#%3&V|- z$V{c^lvC3a*wCc9GT+UOq*k`Pf0Aa_YQmciYf^zZnv#bG{4SYjilNp;78vYF_AZ`F-7<%4ntsfG_O1U9EdR<_I^7A1`rj&0>FX!fV)uZ8y4z|E$Xe)z;iVFv`O00~Fc>)k%e z(*iPw?qzUWAD2|^m?HM20gTBLQ{^QkGJ2OpQx%T z?POCgNgcE^SdY;4J(QJL_Sr8ZE%<0p0dh|CuICEe$tg2Rg|)(A@l=oq~L6pxVTvpJ%rQt@cfw*N#;T6zJOrI{y2uz}z!I*4_EvIq)^}A(W-Cjnf=Fi`ZyIoPaR3=z+;2PG<2S?{U zxD#uOSmEMa?4OwiFOzdLPl`!|2NE``jwUdd6DqPz@t3>OM#wNqOlevY^%xyIPrymO zA4}y*JEV=`{aevvzII8vkKcPHHaDcc{V6qY1UGANv-{z=pI6r? ze3YYOtn;tk4szke?1h{rxWdx7i-4zEPK;#^o%TNW{BgizEJv4n-5sX&Q$#-s)gY@} znAX7L`Y1Uh@=upVo3&AkI{gmj)N0=M*R?Gz==S&{I?;&aXte2B+qx@7JJ%%f~<(whM7`GC!(LcsnbafNC zI%2b;>8*d8@&zkD^##<&JQUHo?y+*c7;z!?eToFJCdenaYu3MU9-#BK?kYs>i`F|f$d*dYy0 z?9YO^_31;YHN}{rx~>yN%>F_FaBoo550)|U|N8~K-W(+CNrX*u@WpR?mH7Jm)dGdW z$(Q-eC*3B0?rs`282Z8nBV2xmL=0N%>GB)G>j4A~Vo{wN;*$dQQHU3xi&iE1a?uW0 z%YT=RHiB7<*~;5-GBR@;2)wk1D&QpCmPWCLA&KG%zBR$0x*S!-@_lxQ4Fkq`+afj$ z*6$g3@OPe{#9_XtFOhebZ6^IbOzEUk?$?wrw{m9&{HxZf=rbT>F}B+*21d}|EkDvHaVH?<7M#-IlXQxn5#uuuX#&Y5 z6c1>a=HXI^c=R!8Rd98Rb#^g@)$OmQk|^a`JK0gQ`HWzri&q2e7evKH7!7C6?(C3Q zFP0M;;Vz#BB3XW3Dk#m`B`OAY7xRxsrm;LnDaKH(4ajgrXtX3!)d5)XE~DAtBHY=$+ zUu{q22VF2-Vrj@%9o#dDpDo`$uR+-&ACE$@%s>f8x3e{^rpql3ZQik^iPezj$d|V# zDOI;qb%v3C$Is|F{Q3jPttS#rwGpcP5&jJEzgY5@G^s+v%^I30(Faj6F`or@iQJ^08#f>5G{ zB9WL|Ron&(CJ|mEgDN>qF`L}O@nL>x<0r!op6&{Zk0eFo0iIMEsZ}~girq56uMNRn zalKu)M~RP%gvTI2!&6y6r~?vo_H&v#|J<;T))te~dUpWBv1(YYW|ad^lc|c}2@R!31H)HXMUSjK^ojx)6+kzj7-Uidig)Wp=}ABE;PwUrTVQ_hG9+)Sl?6zTFkl zd5KHPC_bJN{p@l;=dTw=81vl0Gck8xSRM*e-%d08(~x63Ic~ZA-)Wk6B6zZ2Qq^BP5Mb>m-~P{e zv~RIRV3Hqn6X{_q(QjDPY#CvTxrcXjLKYw9&k}4;w~OJUtvmnJyHh?j&W4Y~*7(4q zu8a=HXyKj9mTb~yAWGKf>W?F$peRZX8X%$95VIfMB=NbQ_4hs3|o!|7bAS0MHH8kGQ{L> z7IFRuW#WDkkp00zj!7wE4NbA4VN8Vxcsrx1`CoAv23(~w>@GV*S7wBx+&z9TaKgy3 z*%$fGWlaWMF)!9Bcy}!pzso0NZBuRMZxS{gl@^!+5g?ufe<4FOa2{l+czNMcq<1L# z&{py>OhX`45B>4mAQra(U(a$&Vn(3J;w85HPJ+>Y@Qz9#Ri(`9VX5MiqT?%!4~;H%oKxet&38P>JavuDI1T|>t%7d zk)25N(E>QcwvkE-FXnCth%}>$CsX%6gDruUV5=>y$<5tShPz-&&1(GN$j-8*m2ap&#b)rY@MY1UDtv7Vn%OOD}RZdKO;q-(XBviCjx@J3X& zkZLYIZWGht2E^eHO`Qy>XWG%E{-GHR^I;D9m|N1JzPp^_ftqF)?2E9Qd6(1tm3&Vb z%^?u^Ji>S^oc%hN-~?2fj{=zvK!gvb7+f^G!t>klifs|HtIcNK>=sifN& z9oJMn!+CN(65xhD9tyDbcB~7(W+D4q@0i=B-jj}Nk-+2K8D&D7EarF^J0v{IO6wIr ze4h348Dl{>6d`W2db2oFsPcqPrO2k}e40gw?#t!RBJDk>7?@U4r@t`D`>ES|+2vEr zz|Qx7vsnmTM@jW+>ciZWJXP8}P^NFc{6rC-=+b}m;Lh&R6Tm|?cb)d&vVF$C9;*@u9IN`ID(u(-3{x2gaqe9$)o}1e zvO;Q=QrYF)vQ!W|c`dW&RUP=SWfq>I%JMYxjS5j^{{e!n zsdD8r3!GZAz#92zW_W8x25RSNG{IWA*$@wM_pHJK-J5{I7)n%M>i3+I>vMR8(Z#52 zg?>7ZQotasRH@f|;q{O8*&mtCnh}Pl7NE@SS2) zy#~7ZF#b<4TpfXLbE=)ryQ3b_8;htvrlk1WI_WWh>`ZTvO!5Z;;-CKG5w77YYpEclD zmyHA{x<+ktOait1Z4(M%|$m+XBf!Wa^MdU=f#}9sLa!i@t}6 zOTpLZ>^9j8TJRiX@h(0+BkWSpi2@KgK*Rm>SZtw>X&|$%} zo9Jz^t6Qb*Hs-!NMZFBj3NG`g*2*c5t@=W#16KO&GQk5YNPgBlQd4vE>n`I|J=~nM zcDm7k+shMKgz@ltrV~O0lJSuf8o~N3FHBghb@9NyG1;!yAgNYO^GIo37@nu}Xr3*b z36(5Wk}5Pg1|nyd#c-t7M(2Lv{|dU3rGef1pACQc|9cyR?Z5t=#hB!EmOj)*AQ+L5-cpAr$)tQzd{yUY9-?f zFml&ZS|llJx6s?m@COOb3=97%B}slOYQI%U7+cy@HMf-%0JHn7vsAC6co(C4^3}zk z;~klmJCiY1I&uH@h@y-7$?MjrN>2WA#yxfg62ZB+hwm{&DXTvC&=gG9&&=6xbCMRb z92(h3T}}^BDikTyxp(~)2b1*E7no1N{!Aatg08y5Gv$(_Y3}I>X89L3Qn;b$Nx1s@ z!EVRrd1<~5pFZ`Q(Mp17BpZ3!6E^(^15UL;1*p}kJ%dv&6A0?Dsb2=0W?MpJs)uHk zw(?Q7^P5*RIO#-6OH1vUfgFA9iL!(75P>oYv3$@gvqz)CVwuHnpd2AUtJ_EEf0vEp zlTc~ibnuJj)+yz<*8tK>*infowzU-0@~`qJH<{tAu$6dHq439#<{^5kC$zMFf)TP^ zV3_&pIWOZrIc$Msw!i(~S{cPH#3X8ht4c%*QYM#vCh|zf$hpeXpIA*kuP-YV1+(Ir?TsRg7eQXzIz$GyRZvVZ7by62H%`ecp%vmg|43xr=RWa|Mdl4 ew+uAk%_F54yb1rqk>UCq*rOn;DpMPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!Tx_$3!-lMxgkPuNq4D7-dyJK{$(Q)kV?ryOG6+y9E6crIgKtj5C{chL!f8RQ1 zzjr}Y)cHBX{O|YPzUQ3Xd+oK?Uc1h5S%Bn`M;>|Pv01|HT=U2yk390&43QV&dE}8t z9-A@pLOhQ=^2lQ|MqY^Lkw+eRY{tk7@jUX#Bah7(c_E%h9(m-k8RJiGF+@6CI`f2b8uEh(ykp68Tx~Q4ZoF|kBFqM)GLI&% zMlhWm3**ijQftS;q|j(bY*2Siew+xMu>Wf?#rj$Cax9u?0hk8^rQ2UYnDuh85#(m< zugFgxeP2;j;|v&?lKmgU*PiXNRhN~bc& zhe!&~u_VGWuQ}n60-iD&p0Q{xGXi6N0SV+a%S-}xJ=%syrBZ4LV;7A^8~y($!Q3Q3 z>lFAdnISKu%;Z7jGo2!z8!9*iVE##e8Z9H*gVqz>MIw=iwh@9hG%RK!jk-tW*}i@+ z7>aS)@hVK@id=Wcay|E7M+!WV$A33AS%{k^rFE}NKpTkTcvL)KRthB-v`LrSEh#v~ zlVEx<4uysKSMO-7Dr9hV$EB_zA$9dx4Hu6?ph;3PiI_%BeZg(3=n!@g`pW!`5joe* z2h4GjhN?5No`rD8WYNGuH%Y*NZY)t6RxE1P?Q#S#!ln_L5s)wlM?vmV`a_7oo+6Mw zDa3W`0|63GCLp9iTg00|8fiR}s&%#1Du7ZD;NfIU>6}DerQ%8PxKMX^PO~08ZiGc1 z;t3>+v{1(sGZb2OtujNj*J$nQuYf|C!aNp3nohl@(yo$wJ3ypjIbiv~c?Zdjxt$ZarmZjLq|usQiX_Oyuyh4!J$+UVV&6V~F|ZouiZ{}fF1tOr^e z^V^`{CJ(XNJ?P9i(q=~!4Ej-5;G;bLt6+279|7wb3>&Vkm1sjf8edR*>NEreE82_7 zx4r$0qZH8HB^<*qWHW^u1xaCH5wu1O>EjSA;FSc%_VHL+8$28Le~WhZN5Gtu{VBq! z6}!=%ltK`+f{w7NzD7xRYgVRkbv4-U0!#;tN8^JM47=|Sxm(T$M7!L zKufv*o;&4-@4uG^AA1rmP0gDoE1YV9Mwo$+ps03p4mbc|l9u}LO1bcodt}6rQF7E# zyU41QOQlt-BDwtHt7P6!HFEF0cS-BE6&g_*!%u1ll;KT+oGJXpO#dgqj*3(N6ym;k z9GW=pylBK(ztk;QEL$CNpxk%w1G4vs5fXv0@B}bcNi;xX3rb1_H-$6|q<<2froW^R zPY@JY!~>FOpP5Y{ex#I$%au3WDX+crxx}OO(gJ>6=?MI|r2p1i%l-!+B149cfWY)a zFd;uAC4}_JC!Z|Q!jL@r*du~k5-*3*iKHYGF$t9wId#gcQ20RjBYn;ws4$@8M%p(8 z0$Gegn|1f#gAd9LH{5`_Zlyw@ZQHi8eED)|-@d)KBn(EnMO@@nzW z!BB&i6l~GqajMJh^XT*w{jlh$C3`IsZb{UEAEO&oAUf1KDK2Ryt5&U&7hZTlzWnk_ zS-EPp)YjHXS$T8WYwx|~kV6iVo?Sa5@b3i^WQRf^y`R+wTdo5e@b-3imc|Xd# z@4YK23^$3=(o!gbDH*cu5E(gg2MGiNDquKwXqaXb`kVi1aB7>=6COWABpNr{8;SM! z(@)EF*IqAs?KlF%Z+NmY5RTA>AY@mqTqW}st&$A-E6NYfon-9ZjG^_y(Jwm(8c1-l zk`bw^sh5k(;H2zy0lRI`@C^MHk6OAAKYwu-F}N~(PsmVG z3>!8S_oBkwOn>F^--SOd#9Op%iQ##3c>#@)*yxmpX$gc5t&{T6Cm%v^mr3)A=4xF~ zh#@q>?sv#x^7k`Ok!IyZ+UrA>sPLxQoQHBOKIEm-PB^d1hJx~-QGET?*V3hH7Zn1@ zL|Xh109joI&B%A(eJ7uOK2`h(OEF3r@AaV*us}yNHm*a^=&qHF9fniq9?L65MSeVs z)YfoOQ=~(e9&*eHC(1o{Lrb49N#@L5rS$b-D9;7E^DntX&N%KE2pUddK|`m;nSy{v zr;~N24{Vq#unASdvT{D02#3S#)g$jI7}$A?8#hk*XYAOq{}mlJOG%SV*o%^UnD*t@ z5Wt_1DI48w(dP(p$CBk@nG?~d`1~Qc38Rngw%blFf&d>da3DO{7_#*s*?-@?q+|Pb z7;!R&e-oIG^XoT)8o)9)}wl(ry^+5NM1> z$XybI*%E0$Aw$s4gdvRoTrh6Cqsi*_FuaSUYNzdn7o9qB<}0=O;Fr5cRD0q?J1fRxsb-hSdQ|ZHLfoMe2VEn0 z%1F+nDTak?an9>WE#G8u`AAKE1CIM-|MOtEWV z&8kXM6~71yX4AQoUZlB!p*QU~AAZCUN65m33#F>6O6`f30x62i?~P{ zjzqaVlyPztQ&(FlQ$C*}XPtGH`X#c6mm{4dlFT3gr^C38#5~Y2eUmqnuiDyLy^;oW zCyx_Mmq{y+B9HVQkF%`2+HHl?KlZ|@i|gAc7elg6IM>hZlc<-J9iJ9L`Hu!|CY{u^ z70#10%!X~o~>4H!q z5l6fMFj5eWojV-ttUIznN=k~faTXUBs}{r|EE&XTeH_x0ao7OJSZ0?58IuCWFcTNm zC_rdOrZbFb{O5vkGhX^*dVFRcs991V<$^TvBhFX^LJLb7RhYTeSOV!?;J zfF>aq=e!Gafzcl-)cMvzlvPDNG-Rg5Er4ujOy5#E;D=jEpqZ1@k(kz&gxE1K42J^j zQGwyZwv%tZ{#wbHj5J6x4gn9r6hQ|ZM8_G4rtIk-A$+VTA%6P3r#x3{j#hXJA2ZxT}LS^D^n|i zxniA=Pc@(L&Ml!{NJ!ghf3jAkbs+B=T1!}h_vkY3CW>ws?TWZ5QIM|?Kz zjNm=<%DOdW%j1t@lPGAD-oSZsF04Fa^kIj|XH!0x<;z!zAB`o$p+5fX`BiGsXq4o5 zRQzibUX|mHKMum0jAn#5B6R!Z#W7FG`R84VA#6s9OQ8M1nhe3pjz+`s=9_QG=+TEr z_wHS#ckjNk->3uRlTW6ASu6E67h zbm`Vzjy>);Y1OrtY%^dR8S~teviCu|NcUD=x%0N0HP$pa3>OWwhEL^ly?*k?1D2htt=Bv+_7hZT) z$4{jtel%W>oPYK|<%^F#gI1c5k3XIwyYIV?bnMklw%T@EdGMh}CEAeE5fi~K!w6dg z)3^<&O&S4B+S-CBsAvNbTPiJ$AJUlh&pNpO{`)bK=qcU0b(4b*I!K;+>M7kl zL3dqOfnOs$UVH5|Ir!j%wY~-p9H>(nYuB#TJWzO3kWe5p{fjTYSVoK(p>g)>*H7o_ zNl12pWbtdSx&D={9PV;GhG= zF*1Ah>_*{NP*5ZdPzFvM&0TOOV$Y-B^EeGs(xHPY5DGxn#KRStkd^7zUIq{@p zWYuc4&wxv+t2lDCHGQVV_FCUiCr2H9n0!BTIy&gIyf$f~Jn_U6xQ8~4KW3DRjVrnUH?W5SP0zm``>N-+ue8%%4AB-hSsD z>C&;YoO05M@)k!cXu!R;=qs;Im@Eq_*Fu;sktZI1Le?ytD^sU_DMuf1j7)yzeOa(3 zCMO_2#~yo>%=+vVsarlvuD$epP!v%>L(G6?yw}YJG+LXWJOn&DqgaxSk5q*%++1F0 zZ`_0qeEi`@vg^(x^*+PHM#7PfieXhc8CAG}!Zia8F)r6$b3Hn~ujGa2o|naQf0D6d z$IGmlGeMWr?6d(cYO@}51v&3Y7o&x-;To-*f}6CX&}H4wo@)TSQt)vrBEwTCeD&2= za??#WsWv-r-aM_xd+)s$9r!0&H>Lw%J+SWRmvwc^Ew^ZWk#7ti@yfbop4jO#{9ueE z-+S*p?d;z{eNo6zE-O~7(DMPo0H+SKQdb++`k^+>@D$`mabWo# zfBbP3fZu=rJvxC;Rfv8GDAPd@piJpAy(vS`sFZ9|+cq9R0?j{3Rhp3?*_0SvLX#>@VI3qVkv9s z(k0g4{&uSM+;et11hjHG{|s-x{kDbP-h%M9AY|1J3~E8UvA~qpIp>^XfqB%PKqIrl z;jrFA2w2cOtfP)PO6?6Uz4THG!ddSj94!b6y*FUo1hh8`4a@>l>oe^cCm33v>+0*R zLH+t$tLFZMh@vQSOzlVSetcYo1ldZW zJSo&c3URYOl9?2KZTc~c6<=Bm#_o@FJi zX$*L8>Ipq`!BPa_3UhN2UqFQedWEOC!KT>c<;5w zFc8Gn1s7akL15}Lk?S8FuU^r~S`aSQ!i5XxCzuw_beeCH2E*P!~-qJrb$3l}f-Tg2!qiRu*N-X5khCpQcd**_3tp<(FGW9C3sN zL1)#}*li?{LCvLYga1apd-c^ zOBSzIyLjBDM?7w)HF45->!g!Uw4xEizu=y19DEejrz@_!*m~yKC-j~e^UUMcZMWa( zJdu8B@b&`hxZ{qs(8<}>fXTDD8op8a#`~E=U=F1cEk~fLwn=VZD;Y3Q#A6bjP>^Qa$!?$ms!Ine*H#~v$SENJ;ZIzB|_Fa${UTS zvdbYi!C)kp8~N3#61Ald`^swd`Z!0=MM!AcFkS?3yEzwK1g-yZXh7xA(uSaJIHcyB zwjV?Mm{iwP>ij!T91>`ll1*E(*ZzBJ-LgDf#Dnlr_al!w3fk+(daoJ7KSyB(Joax- z6WEKBoK~O~oC~f&yz#~xIvV0|d&eDj)M*%|#W0_L{<(DT-d(oXVvEM967mZ*d4d`s zHEuJt$LR=aog9^Mq{upAeX%UOaz33SC~EyX?68AQ2hfdRU9n!Ntq&hDLZ*KGr8K0{ z;^ru(z>U!jMmWwqx>g^8k%gV=(z*x+QMYcF?&x71p|b_wc?CjTr{Op{y!et!WD0j3 z!5?=4>AP5v2Ztqeq{!(ymX*B2{4$R$GxyYUs*Y1Fc8Y`rEq|r->)%&8c4{R}OHCQw z?#QjDJB=JEHPtoX?^PHD+Y65_XxXG?G8w^WB-=RYX>Cmx*OoK2>gW&L^2u~hr@6-*mmvOsb9JoL137R49Fc4=70mi2E$=CK_NoFEEffZNq6z$#hOl^ zK7AUe3&_-*uVv$-fT7>rcHK=@E?*{z>MCutgb%`&^dbfL4w`_^FMbN7EII%TVSRX} zPm-K#lRoYwL76#MNmxod8mCg=2K7(;fdZWx;l7e+JSy*h^tzmS`eE|M0fWP_CllBB?>N1%3$0IO0iVWQ_0IuouHf+Xw{ngBXI3I$(d<6?MAb{`>0`0T(C#^{;>F+63vx=`nVK z6vC{xop#!(QAjf$8s>$dP@&*uIs^qi>w{A+6vnJ8Q)diE;l(s41ozlu4-G?i!qh9l z{MA<1svt8(@}e&Ebr9fNm5rbS>x9!Gng%`L2YRV^{9b*BjR6n+9Dn@ra^p=mNaxO- z2M*~mn@niE7q)$5j*ZANt8bX^H+zx`B0^=ovvoTjT)JdqUSUR+AFN@|a zKqKc46aa!Wl7)ZVrXV0(ejfZldE9>SK`F|>kUG@%*uAAP^=PyZSkR0q&%J5*$sv1%q%yhno&_>mtIy-tvGKoX&|t+>Zw9gB>_V zt)dX~qmMmOo_Xm-89V+JdHA7+bis}q8HF)-V6bkeEwh8AFygw!s8OR-OE-&XymGYF z5rT^vy4j&Z(0!L(c9EknO5oZEVdlVT7(e|}fUtw6;ld#oK&goEnQ;sqvaKwfGh5P; zD5;}}r=l2zfcEH5D8Gt81J;cfwBimR?MuOnE`I=Y06#+6@PodoWE6bKx$d-d>D*QR z`Hz3dlaD{4bMhBla4C2tV|NOm{Hhg;<-K>`lCE7kpp4y+w=K1-G+XrPFFkwpm9x%1 z587^xZpS4G!Apg~0%_gK5tN~zZXB?fA$LIh7@0Bd6OKJbCQllxezby|l0ERy!*a$y z|D{_}!;WH-MLYL;NmK4zN<)iZCIz7aDQ?{XJRnjBGO*)U;SK)HU?gXc7PHa-`hNV@ zyE3r%0O{VLhxF{$3-#1nI~guqb2PEsQ$mk<^QXfG0to=@p#tdj1x1<1? zV0l?fd*vSB_B%FMHa-eW`{g{gK;TQBVtnf%q!Bgr4Z+6Ba0CT5cP1F7p*u~_)|D=mHwP_&XF_EJX42~JUUImPB1P`_fXTO;GsR!GnzVgBXFBm z%d&D=yKbE>+W%Qu|>dUd{rZySSjl_Ymy)=PBoFO6L zi;IGC)zw!>?b2y7Z^jH+xv)+qzWj;ozxUzL$V&80lM2S6m5I&+DzqNs#}l<~-uNwa zaE@nM@!gb`E=KbS`2+2|D5H}j$JPO&rG{wNfDI?Lg@5Lbkua!RadEi=9Gx~ zLA{aYq#^I=hl`F}+~gt}J5pXb<+XI_QeCX%0vzko)E9S3OvZ?V3xhml^YqhCYbVYj zJ*U42))_T+3iFvWXKF{xMQlz3Xc|8)l$Xbim9{M^8b@5EWu@W|*-8OfOBW>71)~t~ zVHS0l#3(3?bf|1l$Z7qeEIfsrWjyEvyb$c|+P9UjzMLYTeEONZ_~Lkth4s+TP%j7W zx34T*vs;mcwDSjY%d}i}E0cXe+ekdv^E& zwFbT*3-Pei5Oi|ds-gLBH*~nnnESmfSTG|iMhyOhO3^qZC zZyb#*0%kEsvJ=U;3iAUGI0)MKCptAi{P4q%s*O@(3WGrzx{=2WoaY3F-_dv&3}!!9 zRFp%IuY-o{2u$QS7NfR~#(*$9n8JqM7{NwhyW2N(dFB~y%=E(pD)h(BfWkYC20%BRT0vnsl#Zj36(ZjG z3l>PA01e35vrXacf!4z!+r>83f{_NbDTJd9kHS;B`Z>Ll;V8zm;2eMq91hpk)njPf zpqf1(mUzzLn=yPMZ zUx6kE6_sLvT@?id>CL%Vc8qM`e5M9Y=o~!ihypkl95Jy@=te`ZgJvDDZdsq~EV)~P zbI{zW!fk}y@xprHd^vfSg4>L$7>*r)5!eK$WB6=@qNbT_+Inh0C4%uVeU3be3JP^k zH4WdnLia4nn!@Oe9khiw>+2gN5{}Cqx8E+4CcdUTLq*8%wjtI7lsbttprZ>)X+@dDYarASMLNm#fu{8lqfD84 z&f|~ccL;IQOmhwD2aSc=hW)^wjI?dr37XXqXg_1rdd7_JrFXAh(xPQ^Xo$rSB2Dvz z>%*l754flXxu{brZQHd%qjp1Uu2CO6mL3XubPsbpme9FYUEm|f{R%jb$i+ztTY`*4 zflaXCaq7cpX=a#B!cjy}Gf{v!OFQg%V#ez{V6q zo;iAG+paC=8Z>NL%WTt=H1MF&@R!w-M@+0M(~N`pb88;K!)g@X z0puZzjyR3*B^ad^V#E}MCQCPVXq=YVe)}DrMN2L?a&b4M<>TvXSrw5elqC>4;D<*1 z8}Iifc{Xer!y&M%)>TPe%{mD~;I3X>sqZWzEC_K^hultRKd}s6Y1N^NtXi>JvWaS8 z7gk%#(FW(k!4>RGR1SD0<8etL6sB4zY-_65!VXSeb`3T&kY1!eVLH$}{y5fabH4~^ zXEyAn*JQ}VJTh!o1hox4)B}e6+uu&Z5b*_Bv~U@Qeye2A)`PT;>Bq$ObMWM2KztZ# zq77*7*eLcLwU4~`(o6P} z`OL=6DHrY+-*3PDG(6p@^|2E$!*Mbm<1+KM1cePX{f|HXSmULk*2XJ^0vn+pCFkDX zz4qBxywC)7QX1d_Q-G)7a8F9w%#OQ^OTQ|^xqp%)z?KUd(T(r&aO9zVb!ft&3WYJB zIYmnm7mJ{?LIgIQ=#f(*&TS*m5TU`lk*8d0+FG~~1GWIyU{2y0))B6`QEd?IdeHF9 zrgM+X;>PaqxaPp&Hm6DqNOz8qs4W_L5~Mrn$}0r|>B~B%9|~(zpERsDhU0n&uN2Cx zS1v-czNigSFdIHGyuoM2%RCsc?&-$}ANt9?lHcggPB|0|Y4NzDO5?*HHE_D)Utdqb zYf)j5<}(CC#h0DVk|oP!`LadG3r2*9i_zODpiZf@;L2%DFJA!vD_}V0fgQI^yOfl- z>ma>)Zy}$2`ngR1<~!-ouCsLQ*ioV>bTWQ#<5XKfcQ`Q&jV;8>ic93($?vLr5d4@? z&oC6^$l=j`gP_)ja+bew_mhzyxF(9R}w75z6S! z7843sY9Z9LJ9X?PTW;A`9(wp;3|&iP(BNJgNqx8;Lf_UvHwLnLBpT6S9Qy`tYa2Oo zNBR2eFZHkqc}m+oZc0knxZsZ+L*t4%-R-;)hI!afxnRkKurXuCXya$Yp+B(3twoH}d10 zxw7y6b_W4{Os}DWkhstpQsAn_4H|F-g6|(FX;vm{*Q}EU^c6u^#i5140dazcC^x4% zb-I(#+Qg5GLI{e!t)zn9ct#i=>TqNDt98jRF!q%{e5)d~B{-6j8YSYe<2UpKt?{cP z0^35vbD^7{9q)|W#-Lsu4~(l8nz9j!TwEmG_;y1hSn0;87HZUQzx}p`GeW=!Ytows zw2X$%E9;hE-O(SxI0z#+c<6-N45|GaK4JPsOJrwa-l#}-@(erf1q&8v8pfW6;mlQ) z8bqgGWd1syEn4F-I&Xz?;xzGAI*@V^E6FnL46!joHe+G$7m;Qfzf%9N?n7wxnV%2PDz zY@M`=hP*;i;DR~1GK;XD0^Lb8dEy)L;RjQ7-6a-@BYtk>Mc#Y`80~U|#*r@+QRp~K_;+-J_cvCJz4I~Py6hy3y@u9P!Q zKTGbs>n>>lEk(B#IKn6rsYe5fH40DW-zJMkDq6LaFQ$G9;lEhIalSlkjikA?67DJ8 zVhJFSy{(U-xnPV3xHoY708m=Q_f~*5>=Z}~`sFB!g5&C|uht{s`|rQMrcH2{#7QTeB$r)w znJ%sx0mDv&cBhj{AKgdZwry*BE2@(}=7HB-#N#|Yin=kCu3KO-(x?AGS+;b!?$YVq6ABj4 ztRx^wH06-phiP4<_5H^HM|UVwk3PNSj@xdOQ%^ow?!M~*iN+#GBc?CHJL~Mz<*BEi z(DMew=+TEu|E>DTk;fh_Pe1jPwh^{3)(h*5ZIN}J$Daf$eG|ZwSUhR9p|PyH@4nNT zJoyc)zTQ3sm&v3oR4VVRNF;2HA2-2DC3y0ZZkAP3zZ`D0RybN|-G19W)~n+_5l4v=}EKf1=3}@E*?37sZ}>R~xVoNll(^=qxW@3_;N_|~Viv?2|0E1M!c5>^t1rCQU_ zpx0z7X(bZKN2=a>_MyA1S0=r#)Yf<-N$Z*`uCZp$_}&hi22HX_t07k3NSoJRoM2sf z;iY=dbE8QVAcHIEuSXhbkT(cv_4CLRk6TYZ`;4ZI5uDnQZia@dKnI@MoHE5e1)5uL z^z-PWkLrnB)*DYh@?@id@yE1zY7?EQ)vH%8YoC4gv7UbVX|-p31h1yPR2~SYgSkf z-gl>U_@M__!?qb@?Y_&-)>T(tZ7o^M_JF)25VN0Q9B4NNUwt*zI`PC4tzpB4Ss3YA zmtJjpT{0~(t;pX zS0V|I4N;x~CJ$z{}qYpf6?J{y#YwJNR07sR-h+Q(n1ljnb6uhjqvHIdkSrb<5+=W0St@15xjo4Z-f+?&49c z+H*5HY9k!}p)z%!Hy1R)2jcU)B%Q4huTKY!=;Z^d`DN1>!eaF6@>C->ZtcTx7s>Gh z$sR9_%}mv!q8x22-n7>s3at@bXX#pm{bJI#Fez93f_w`%=dF`3q$a%Ckx#;0qq$M zp3wSZp)}`RQ4VNTY53(=?Ky%E>6|yT;#5XbS&x3Nl#9dhSX7FN3!u#IlMy$0aO0k)_= z{P7;y)~OQ$wBQ077qy94GO2NMl*6eG)*0g>t#ju{Nk`hV&P*McI?V;$>Ce;|!)>g7 z4IdCDZl?W9bwyCiX8GyIOpk3ikIQ&Xnwm$Q_HgSL^1YxN4M#e^gg8&mz&~liT}n0q z5ijb1?Pz1**oW^Q=Q4?IS4A4>IMNIHgdbBO!*Fqxd$?H*ZvNs~-*U-m9yfP5*>u<9 zGajU$OtK#MK@tzz8u`ga8rro@D~{IS9rwEEk^>&~;=*~#vR?=6_xdps;o1#n%YRN| zru|EGmB*%I6NUIM!!!n4IC414if3c9-%-rh#`07*6cq7?AUxgNa+HuH1h-2d99(`q zndygYNMu)u*HsLmQphN50q#!ekd3dP^?EqB33db%r738m9)>qvku4tNHV)sL|pia;USbEq50@>%6Br}4t zr88`ZUVY7JF@-$s_;M%Mxp>G2jh(M8Zg_?~rD0J&Lr8)y8W!}|8q&@d20d>onSrnepF>#l2tJnw^(+MA zCGVj-bW1X>l z2%kY7n1-%dA>XQe;F)-29NNfX0S_uL zSnGHUK!9VUtJ(_}g~;Qa6StXz4378^CI(^7udLYdlQHZoKe(XrfWgTeoCjrNr!fuM zfQ)D~DZ@MrV;Z7a#N?bT?YKZ@;xR(TW=i|;5kY%0JHzuzV+1+vY+9gkv$G0eWB^So zn&7-47n@j4#GwraR*vC?v(s**L0ae$YS{4`ZE4PPQbWf-K{`-4Fh!=r)kq$)AxA{l_)MAxyf=9z=xzkJsY~X~c<$LA}Lf}Vuqvou6vWGRcz$OixbeJcC@#-%K$v-B>?W+vy50Y1r z57b-Gc}4KgzzDRBQNY6=>XDr=!$%_a`%Uy+=ZKft<&WQwx`sVZ9;ebV@D&>+qoV%J zJkX=fa}e<;A85w%Fg@BM|Fko8X*yhvbn^If_|uv=8x1R+Oh)834r=0D5aCv5))~YU zw7~{2Ljs*Nhx*0Z{?lnNj0akKs2)8zD%>iAA2yyim<5eceNh8P8ZKKqg0iE$&Uh)5 zI90&L%!WipA(N0nm@f(k1G-Z{6Kv=#zR|dNPs1?uN4v&`B`=G%=s3okVZsX*lB^zO(D+p~4ks-?#1rfqV zQwemg5Z+b_BM0OJ!|9NpFYQ8HsjPOU)acz9A?a2(6wHNuvB7e&)TR#GvC-!2j*)f5 zj)Y&&_xd5A9KInRnR+uk#A|MNg7>7Usk>ZS^P20IFn&zk7?^w76MUwC=hX<9T+koW zr5{4e0Xuda%x7-C4frk@9fpEG(a>P1nSvjXKTZo;)J{;RAcxiic|+?M$U;MpChZSm z@CZH2tLd>*f>7lLKJ1PfolOKC7djFPBQ%#Ef)<^&H{jNG6~L9$(O;I8r>}WM@0*BY z6oB}Op}AMBt(1xu6>#F{*B*hg1L0nA3T}4Vq$R~Zb4X#0jHu#38;(Bob+zoMP)_a} z*RBjSA^XK57}bTq!wAPRnL1;ca_cLP-;X~n#5V+E<1m}=DlRPKk#-0dYLR4O)k655 z4G!3$F(g8$W*!TM6)M`2DoMb<-_=YtJm}bx&PE`N`L;j^IqsRYpb=Qmh`^lWBYxV7 z&4pX%2&Q8MEgKv)Be**G}?Z|v=SoCW^d+u-`Q*zavS1mWf zbNYwcZ90yI;6b_2uSAjW5a*$(S(ldUNY{h@1;vwu@--WcBghkJ$;6;Fc?(q-XHsd2 zS#j|f`{4r(4}Zud{&0tQ`1ZprItm~BvpaAhnGC0(f^KO5O<5iu5$C}oAAUV(@L7J+ z%LBV0-Kb%qbId~Eqhb2lIMKi}$g57FkRB`-{85-7nC4S|K@w`)yb|n$Rfy4l(td|{ z0QCU}9gg!TI%#P@I?|7+2f_$Ub_BWapr*YMzNS7Ho}GfxoC#A827ES#U^u!Pe@u%z zQ+UwGbQrn9hG`i4TtURV@PHNtpl&NJXdK)Bk8 zgd_D*$gQq?M!YN^(<8n4iMcF0Z^Xeld+OSeXiU=xgust*vq&@21RcH~QIjV$VQO16 zd}}BCupEq&SGLK#0RQv&H_V9}V>2_SR2rENpdBkYp5S5$HFh35h7Opau;HFryOHvx zN$E@thJeN3HNF-VjgbCT5I9T+Ll(-U*kEZ-K4JFRK-@YMEG#V0251_zG9ff^=8s#P z*r-k8Ga4NkmW_}87=|#7hM-?#2-@cg1cp_?gz&lcOq*etCc|)^lH2nvG^7|t8EI%d zMY@L@f(K=Tyc9o-1^LD~aXTh^8iTWp5S4JyN482ed}|4XICJL3ALk+=n-Lg4+!_cv zC!$FRO*A3|XWL@L4Qcz+TLtJCDa74uq>P(MKnQVLA%zTw=@DpzB|$b;q{68yZXreE z<1uia_296bLYwuVzYYns9V3i(jus zPrs)A49#grLqECo!1!rz>W$B=b3Pk81J)VsOuY1G;>%6bES-`ifd6MKYp2uLM@{`keYgB#7TGtF9wBc}0wxCcQHqn@SjAf%iQS zlsw((f^eoV=2V)U4<^ey5+7Go7ON7)fvsIG@@P60g%6kby)2iVCf%6`->kvS1tFc2 zXM1z<1|N(^^9R2fMC<}z=_?_iG^iu*;ckED(;jUZu(PEw&*P8d->!-OHmFIMMg#6> z;xYggt}qRl&vYWY;&>n`unU=OU zCk%}?Psa)I8+XEq#I~~i*`Upab(Y7b!4QpCL-}8T@v^Bf{(mzZJ>+^e?aY978$&K{ z89(;5iHn-h_>>#n`d;$*H{w4a#Pi4_k391DcVWY>IFCH?$Rm%<2zeo%M;>|Pu^A&T z#Pi4_k32SGJ%62owBHwBv!c$+(na5lo4NG3e1`_^0Md zP{{G?IuvS~GgvOuK@t3_&nvIIB8wL_|rn1 zpQz#srU(izTcfsLLi9_ZfHOia_e#x_pWfQs!S_I$&WTr!RLsbPuPtR+Da2{0m51}+ z8O$S(JpLg5v=FDz=7$&veS4Zt8Q8CR{UvZpfdY*F8J?j3ii+mzy`ioN6!gEo;K{c; ztmos`y~Dj}Cyjd5pWj-LrTec(%(wEneZI!G=apBKO9{$U?3Al%`iSprCiyKXgl66p zEAM_iou9ijm8I$K=OBeNW<~&Gr;?N2&m+zwk39a%u}SYvY4VZl)l!Z7y6di$&Ye5R z(MKN-!3^ya0-RqE|6%5AIp&ySB_2=8(@#Gw-+%YLhS_SXL2~jbC)!asxa+QaW!9{j z&`4vlcI_G&FtDG*Vo}*~r|snM!$!l0OWy?N_Z7&(pBBrc*WZvC-%gk2Ey`uL-FK1Q zcHI?T_@#XaP-KyBM&lRc34VoS?D$vYtvBC9C(%q=RFuhy#~vXq+jo-}UU*zu_1#{E z^zSK!d^?{nA(LKwMw;~+DkHWUARoT_p-i0orex6BTztXbr8UxXxr;U4@8>R-Pd|Q3 zX3hLcU-5d#zK6-qJMJP@kzc5DXRB7ql^0wj@r)(&R;-qS7OkYbs6bkjw~&JmJ6wit z)lZhrnOW3T)A=TuwOkbp1eX zESZrYKk@*v?Mc_ktZ84%lqCr{_3-_quC7L281t;mm@!idnia^dyKFCe@3kl5EY!UD zA+x!BoIp~1f1;0XO0@W%55S3`4>~9q^wx_ z_ZtXnXx9*?-+lLuy!YNaGIFQg<+x*ymp*;^%BWHM$(CF8m&p){&prEs?6LbE`o$Q= z#P9lT(YudMHMDEjLH6Bu6s~P#$hO-^D#L|N2&_P!%NASolS2F2KMVOkKXr)OnLt+>Al?$aTSK7#G8?>rNz>{drygZ{j%L2 z`^pa6Z6_T%b(Ai>`bk-VTjqW9fsB1`x@^1aNGbJs#gk1-CR(en6utVgiy*+CmtFVR zTXq<+y$tTxPwH!{<(~T=mKBwCvcs^!66Z$%(n<07e3zpwm&Zo%jAQ&9viLU)f+Pr3P%5m>kd_NMvTS13 zy?D;Y6nYly#?A9sbjFsJ4_0!GvV9-fmQCGwe}}BB8I0FNmY{I>ENMrXeOq+hjq}tt zOpM!gN)%L7{?SWzS$NgZdgkZY)|Nac>$%FQ{j0&)SlxaFdEP*XIjfFxpwPUX!GC6S z-gsYAdpwA$&R6*`ak^IP!ZYqPja{k@!z324?OURruo*48GP3-4-m15Vw>b?oGZopfJJ zZ9i{d6b%e0Z#fr5ErLE|RrP$>Z0TPezVKQ@j^sc|^9WO?$cIWhIB>;4m zIx=v-PRPThzryiuY(&QB9@GchS73{}Iu0MId31*pRc5wmW2UB}H8L;Hb=%c2K*JgWmyR4VEhY!Wu?G-4-Hmk+j%E>_ z2yOJp_kbThZ*;h$J|du2Yg6L$G^N5Z@*3!Sm<9&_l!^#oNQ{=*p?@DM;?PeWK;%-? zZnCX-{j1xo&9YY1XuYNNwBhIX`fs8pL~U19z#rJ3ybd{&4nA7{6C}clzq^Ay zTdAp8F7EV52gU;_ZBTE6lTwoY37-Xe zz|Arb68COY2!x(!_|ec@RC#oHJ^(I55yEaVYi6vM)yL;eWlUT6TqVqVYqC1X@gk(6 z3E`H{Qi7fFYJ(c>cGLx8hIH>mEI!x~1!~w$Mv>1{FM^mt$wa&N#O9Hkx$dPC$BSk` z`eJty8mMv_SiGMviIVh`31cNOvf)qY=C`947nfyN()T2s2ID$4ElbiMZ(q@ITF`m} z*gxd=9`)kthbnx#>9)&He97wn1cDwQvWMW>~mZ6$p)De|%ivF>XdC#)jE-wkpk?o*-wti!)Ge9FCDnEl+z!5A^}A)q{`w^C9{ zb#w-`%H7{jxal|Zq<5>IZe#UF70y+?Q`1xgV#+WuXc!TguSUG_yX(wKe{`^v2Va}) ziUuMzyUeOG^nIF(6zY%_xWVXoK?36PMY$pKbH?s;##jt{1=HEQQr><#yNl(S#}V)? zR{eOkjOK>+MV&Z!I(NerIfb^e!bN7r%ZgnHJ*N9#;mU1k2yo@IKJ#XHoW^A5f2&Gw zNT;-2Ue5{3HtQ3!Mk2);z@$pGo=)2XFgblFPs;X(CIPu;h7vfzv)KAb12T0{!im8} z@*;-qFUbz4L%jIoNY5-QU+^J0yGE$y4eZ2i}*|WRp2JSgZ=Ll=3xb=$PgBA#6?du;v*B1tb#p@*D)vzao-`y=G62o~9y|k;NxJGz)A^s6C#84r+CILQzf*9T411k-^3k#+Cs+^Ay3NM=PH- zx8+RU@8@e!Ro0|Pu#fR(cKMt2)Y3Ci)`bM9=4+Sq*ifdnp2O(wsyA~%XT9}zC7@Qj z(6WtYAxabBPbFIw2-vrUs~aIntgH^Gb&)}SpbG8BqoGsJpwnqr{Y`}{;EU(4;cEY( z?d{OO;>>-ThAf9LK3DC-vx&lxU3dZ=?&*d>N=gf75MJ0^4aqKc6&c3dv79JeAFwB406Jdjz$a=_JeDNrE<1GC%SR3vt8aFiV>=SlNLXob#mnHFBAZ zJE&}0>1WkOW8ku+Qbsa;^Q!RibT;jT2Ax`fEE<~dMDQ;I2J`^IN`Izf5{gnQZnsO= z{4Jt}?ss_>siNdSCU{SB6a^Wj2H0CgIJwGMOB`6A^`*y;BkK<&6Em^rDSE)sJxvbHv~j@1x(Mp`S&y@xQ$oN1QrG z%ltbxZoenbj*ciT(uagC}V9YTkwl6zc z0}WcBfW;)!styp~hR91PnQvaUDesbrlz}}e6%!cyr_t9E)2_>iX_b3_jG<*0 zNaYP!LvJ{(fk5BnJ!MkCbt(<2?L@3p^#+;&3+x-BLy#Xp%y*PZ?w zPGs@`zsVEc%Fki`rC&y^HQZGTcKp7}GZcp@_-&%{xN!{I6(h zriTnb798M`DouuyqUX9T28V15S2uuS+5c!1>c`ocd_QxoT{Ca#Hd%vLaemcn5 z$RPyVskggcGhpgECpcd(>)E#6nqk)+T-87G7am4X5~T8jwIp`M@(8(&x4P`b^&=Pg zt7rOCQ_(F3anZpwtwodGz)DLWt^QO>3zCKR5Tho9#Gqvwk09=n#7;nt4x zMhibek|gIYcd<^9oQRB1!r%bJx1^g8H>|Y(+=t|&Az9iNYOBX?Dbm%q6oe!>H4L2n z3zzSM**+&{Vr3%Ms@Zu&-cS8N#OhFEbyJ2)$id}ls;3r%XsCP}9t`_QC0w4A5=s^! zy{D?qyhD_(4Yo&^s`YqD^x`uQf7?0_9gIkGAf5lSGSQ!h{@kiwdAk|_eilsjn+kK7 zdv=={V+-CrGX-@7ZXv&boQ34n>AfQW7 z-$H*s<7?wT!(&J@b$dz2N3?9?XrsLd?_v?hMEYi=^3A9OLeL zf0%2EuXfnzjNIhd&zsG$iy8|-znT9z*Rn;$N}R*hW)bV!(abpSJDdXnOp`PMAXIQm z4#5w$;xhzBAa89Q+m?|=oG)0ft*+PX|f zVX#mokZE&*G4r=rq$w^xL-$kuSjV&WLT*lH(KoaomRMVp14YPs>K%|?b%`C;n!;OA z1s)~?60q(MR=WTC9E`_Vo2isg_FC8SUj*Og5q9PHG zGra8TOS2mtECM3{O!|Jf@Cmq>BDT_N?C|EsUCtcIMZo5hr!VC_lZo!lYl?7K91Pc} z@s`dhli*}u1%}|)35;UT3sL7~S>B$zh_bRST?oXGvRaq$RqLlK*W2j8;?~Q4w{1%l zTu7^(?6AYYP}@7ipVM|ZzU!a z0E*$jA(|fpeo8v?jn&l(7=0RozEe!V_JKs{`ZAP_V~{P5tUNqB+k?1M55MnFdUlIa z@ZIRa^ZvzQDW^Da*!?L22^{rpTm}*4N=*q~k z>Js-OO;XK*XJ&Y+`xPJ<{2goI3vv<7*;Kf|6KgriEo)q7VJ}l?o0Y5Fw^|$A~n~H1W__f$fAWa zu6s}~#w#ujIgacQ zbCk!C$qG&tnXI0c4{b;Xhi!tZ3<-Y}8g@QEc3^XtcGq_}O~t9+On8us(Gy1iJ8T`8 zMpw9b%#O)5jf*sLl64q^$$g)*$9iG#qr?)veEuaKAaFm482S2Z`kz1?uP+q4T=)rl zh8%?Pr$|*O2sK_B(Nv9CKa448<#n00_nsOr`cH)bnGe)NRWjlw_3U6?;@e`MeI!UV z?)thxV=0F)UCEGN1H7Fx53Q`3p@NV5Ff+*U7ig7q2C_ruBYO8u2_M)IbI>UxU(MtT zL{x(ft;JC}1V;@Ep46k|78w?4ftOAq#8+9K{SC#!nT>*d?h}9Z@80`VV+_qgGaU2O zMU4k3Zj?RGrDDrNwYO#=|vDLinslT?V&RUr!A-Q+u#ule5!j zjTK~5^w*{zX(t*mvzq(~-H%Ra%9J4JfjYl`Wb~iv8-05;>2{j=nE~l+_YfuElmYN% z#|XRKL4&GcZItPoVl{nZ)7ZAh&Bq_!@90L!$$gn*CmX_ql_bebkR_q(25n)bwSqCy zqXS_C=aiP6Q`tdIFq~!NXQgNoCLF!n7ZE ze=WOns4&rM<8yOjB6FFh_Bg;xqW>7f8-L?Xt(Nkz_v>ShNo+o_Z5Kwqq-sj{pnx_< z?N@315Hg<8E4wH@ACcdBswEa~X!Y^mSLZ93gH%_Fp5TUZ|Y%LQuUKDa^ z&0W_!u@i&l)wt^$y~##d?po}6(U9?hHe07FB}nBF2@%(i>$g&6}ciEyU zU@2*%_(}!3%pJPm_oz|ploV2Ntk18+YTdD^zFHLBvCBzp8M3Eg zxeHRWbbW5agQt1}cLX_F%2EdRXE45=mkOecOTC3Hn~#a|5^=Pxro33!q^1TZoz0RH~i znzF{k3M;pMV>@e*6(7x5fmQUUOe36!d8!lD9hmF!^#@ByN81T84vPwMjcC>5aNVw# z1Y;H9XQiKK9E%I^ep{L6I;mz*c+q-0?kwqaJmdc~9K-Y|clb78d_PP9D}{$+@pG*1`oy8EF%V}!cm|AO0@f)}YiS;)+Lau>CK_kK~`CoQ@wAviWKW>|b z2#T2(0P{-OEE3-4yox;IUgJCHDQe|+7AGL_EzIm;T4iIMPNgnxDl;n1-O zqE+|1eA98mhUF_+!{su_u7b=Ii_&t`^MKE?93S;xyvray7@}2a8J@Nfr^WzAR-RE6{-=ZGQ)=*1#8% zQx0jU63wxKSMJbPqH3{ z)`or)h2*g-f%`J0ki&^Ux+? zi0dFe%zGb5r(Lfd!r4It+p5@0yTryO?FXxL9CAcfW$9j@QqypBrU?txu5vR>Tnj6x z!hpIF7#NtYO~VZbt*awQVl7FF6D8S;nN&QHIu7JOOYMS9HjlfwI`6c2-29&pA=dA+ zPZqzZPl@ix;NI>AZIW;p!08Pzk&k#bZ&ws`;4lW=sqvOLxa(CSMAypS9({PSo+62R z=)gQ;`!kdK1iAzLBZEs|+`1?Dc9AUbCMi5>D=V>cUdMkQXTJ`H!yh4re*6v5@Hc2^Co~BWh#>{k$7xAuAz8FgR7OQ5}?+{~$BATE|!?AoP_v zku_9tbcQ*6?#(&TJ007&$F~8I>oLPJ8=nIdc`mpD!N!dF+_U&}421Jc*Upu@gLD^J z#j=yz9*~YE8&J*>q`YZ`A5T9V|wp zz1eZFuh+syqfOYmhvIMAMJ(*ektw{*f~b)NRMER1Xz=#Rr4tGQe_Pb^Uj4R43+ek! zO;7WaI=~+uLo&Ywnb=2Jt4&)vQwfzr>A(&u~B{0h#69E$n7gjt!M>$IZwLorF|KN={~*&&uV+Wk;f*yw4@5wJh@~Z$Yt(Aj5V{G!e&gn~Y+^?Oe}C)J=41 zzuN~jrr%*3_hv5y^M>=J2->SsggGJ1jlG^wee5GDj=Zq#+$+w^;xbhmdRz&$UZ=v| z*do#G@xf>a2;mIjAa7xT!cMoF0lVtHXYjbF8!_qYe62TJ#$#=c*PPvieArSR?tVdK zjY0jaTn9RKizk7_2*(5vJz)sLa}2ig2UwC!KH)E=>92Qm?NcB(RsKa231@oNe@#@$dEquz#nBzgnmJbIM_6T7N*}WO z@%t@RSy7$tlE-cM#*Hq+NO0Td+Qs7|g3{!06#wWDARkCE&3IijYq>ZkMVXVILCm(G zW7h-oMG)Le9dB3SN4m1@5oPcCl%yh`AY9~k7eOgal9`Ac>;vUY;wJEh9PFalUf9Q| z+ohWUF@6}-qMy*M*G@&R@AYaq3exj%#VvXK^#Z`N9|gI)5qXw;XBT>XsVGO47d^_r zy&fDTrh32j^LJ%kT$UFmki%DmPKz_=eLV!s15GwDUPqD1jsr0oV`8aU^gI`wqCjMY z+U8{h&nLJYNU)?U!&Pyj(IuYcN#%BLE%|P~+@2~@eenI=`o*`N3xx4J`5qTl*mAtC z+9a+z@8#EQTDDYIH@$Ycl(qD#9&cOxvWk7(_}m4wbh^|%8!xHcw*BJP@jIWXv|cWe z_F>yiH*9^5>LhXj)m@OI)m|5j*M2WBFOb4$q(Kc|4$YGvwvfL?IHDcn{2ZdQ+@>w- zcl1e%^)}4zww@P`=0*r+IT<@od0*~EPjdYzPO_Y0EA=|02l#G!!RD*13D4%sk;Kgf z#)4rOCz3S`h(y9{$SHH2S^L|MmUZlu176a3p z<*FnCFQePFal?i~_dHfO`?XlH!~>}QVe|22EjFLY0pfrfGC+fJ-dUX3w!xCSCX)3^ zm0G~eGvXSf@5W(C?uZ{3dlkjybO%aSVbRt&`9!1A^JabAMe}*}-Q&aAKY}oI?2ve( zpX~ld`W}yJ=on8E^{|KO=EI}ztlsjBoloo5|Cuyt3e{IsMFwb9FCPx#_!FCLi2aFo z6*%|Y+YS?H=We!?o2sRo`bjKubnTA{aM*Aez`MgCA2%0~ii!1U4gBt7yx$&GX_o3C z2Q*=Ck0xk=d*PB8HP-Rx)m`$XEPruG=Ifj=kx6KQbUy>nb?49dNy${(Y~bh^VDj`a zbhnsRO0K;@G=a$&dXvGhGxdRkFba|H+#;Lv(aw8&c%ZDZLMNXv9J-%n z_ImS)6cS}cwi<+tOquOn&x^3fVzOaF9{Aw4V{Xv)^@dyYgZ1-Y6yuyESYr6#(b`E4 z;Jl_oe_4EaY~#9<`r79qVE*@aP+ZE}y4rl5F{b5Kdrar&8>Qo79pyxQGR&I8M*dwt z+zf3@)gN7mUM}<8D$oXnT>fUh{k&yyoLKB%;wSagKd8K;WMqmw?qOe1`@aBjJ>Xm4 zCD~IUn0l3a;<0$t3cR;vbh?}xwjH1B9_Ljpi#dTuD$&DbdrrU*B!#>;!fV6%e?GlA z#KP)o_5TtJumo23xjy`2W>cR^6kX5F@-?&9hpCj(nRm;MGe6@-$B$?iujZo|5?Uy_ z`?|GZeLxPIq%o#H<>mR0++Q*Jv$KD5W+V;4VM_J*ev$#V9jUw6te5i`jweKKFcO=^?1vxJmC96+)%_ZR?+ zd?u~E!230Lz+$~jcLq;TU1J9fr15JC(E09#VCEMdn}Nu@JzbK{M0==Tb2SYjrtTz6 z9r%F(&txdaFZIX+U#G#upE6s1-u8h4J;drF?3_|ef4!8Ie+DKPG<9K8@w`56lk(@Q z%0+rFA$8Yk3j=nM(Q`3KSgQ9E8up9ukp0|OYg;orW*5pP#s2CN0c(d)7(s3*A z%jkjQdv=`Uy5rd33S~Ib5$E2ZvGcZSkFu(^zqsklEg`QblE?ejic)n`y=hN3_hW;} zn!;!)ZcL*nzvl_*=ikpXiQE*idyG-9nw}vAbg5K=t)ta}*m=&-D<=ytaz;r=UuvZDG5 zE}Sd;l^2AV5{utn*3QCWIb30kVRn{7 zEIl|^OV@$?h7=#`ZO$c+jJI4e@9RfHeSuZBFC~y7(I}Sah`oClh#Su&?4)$Um)X{0b|~;&4Z{(j^lrqd=fD9TO@Z6SWxmO#9yk-b{*7H`~a!Ra+#(^ zcBNmkN!@A&SX5#}ii%24z&>`}x#byq?gqR&a|gR#ap@CaSo=8??))0 z9jX^ghY<47qrz?{p829&X8$;FD$w(56+=Wf zv4)FvQ{-`rwq}VQV!WPoT}6t7B8db!r$#Tef_Kn=j*3fh%VGrh4C4k8O-o1Y&~Izv z{~>NCZl$#*ez+Z^chQ{;V&g3>#=hcG$ZF2>875u7wx=|pv6Tu#&CPOJ#zqYj^zxWL zzdL%M-oHzd!oN#wT;+_fJxVbn7ekFw&F5Ua!Ucs>T0i!ou2DTz_5Gm6wb;W=`lw4hCg2v8H8NR=Grc`4Mt&IyHafIDbni zg@>?>B&5G9R=Vp9xw)>fPoH8ut8`cKJ;Qg;yZ@@mi=4vX%spvEk|>M?{iy9s<{LM7 zUSTp78G;Pophn8`c3Q~B5SW1lEH~LDq!uq4nZb@}Up`Fql~ByD3Q=QLq&St~j2dK* zr?SEFlM{_&xwVyB9Vww`xp877d*d7sPjds=FKCT46ZQsL5&^LUzo2=0I3=0LpIR0k@VgztobwGs)EL zE^8jH9`z|T;x-xVvDC;TfV5Pzbozq}qEWVc% zHEVjNT{}j`I-BFO4aY>U?|}1)6f2(CNN<&nh3+5Ca1O+&YLzhhxin0pqPy-3rr#P; zB`m49)$EslUydYrzk~1< zo>-6Q_^~6eVsqhRG1DzrR~c|T{7}Z{Bq3!~29MC8__XT7vF5XqfK|U!AaV^HLFr%) z5_sPTX?3_(!P-u1Ir%mg6ae>%4iM#xha%BW)Bc(~{$tA{$MpI&+sGqjX^9fNum^M@ zyN%Lw?1b#SS)8qQ13KUSS#xJG3Xa^r6^+%y?)ilHwjIsum<(s7BQqS$yRCL(b#0Qs zVbUe4oz7;cC5@{nbd|kM3q#Aln`PX=Kd(Hlx%zLqU%H&4{k}VD1a6HR6`GzdZ;UtP zJzqZWPy#KO6ymg-XNhyMVRlYrp@>`R6#mUw;})T@wk~SL(YZJEs=y+c4oBj|>K?6W z#w2kA;}uPi5+^|LKEJ00)97p)sjviCXi9yqEU`(tm7d7F6a540!%UC}`gIoA{B z9VD=@f%EmnpK{v1U1!DSxsW1WMBXxe92T_kD=tk>4^TU=_a6&0|M(WZpEA$p3(Xar z5&5@Z0LyVFVs_S7 zSyLC*h+WZj&7;UH_`P<_Il0MYzCnW#{$M9CbT0+yahAPmz4V+K`@$N|b^cdAUz1%m z2aJ>I)8wyes4YvD+Ul8PMpoAk#1q#qsRx<<2&V7B=`q~qeeC${(q!Lr)6#G}#vb%0 z^+N;#Hj#7|rD}LKB}y6s8I1wj!BtpIZNg;4Xuzc7(luVt2=}m97*XJf6FPE;+hD!G zl$I5P9fzY)w-NTrH%}cFT8&a{a`_a~#S0}`V$jL|CJ^cfry5^wpi7mTx9lcD}ZoMBV1`~RIblVa>F)bsIy ze`1u$VF#nFs&u>P@!t!g)jiw#wdeCq*+8ER?rF4Zf(Q~m0z%Udd?#G!JPcsZ>xIs4 z;P=&Z)#rCwzEQl0AE?8zRt6eCxuQ_w_rff0 zz+kyn!WOK`vG(^{-SPPKWK0J+)CNwb7_a|=++tl6t>5A{k$kj5MtSt$W^ZHSK!KMA zc$iLCyGFGR?X}-cKqW-iSs2`8@CIB!_N}CJm>WoWd3CC2^oC|vSwmiI^i{_*e|dTN zQvFriitjkmggV_yY!DSR#zfmUr^0fz5EQJyl8L6s># z5NRnUz_%bm6Xm%X+mYvyYu+&e7bo4kCxqf#w&>LBZ~@dEj7-dp;4ujNX1(K2f~8GP z;<@V3(Z_oaM9XvHe+oVzkB&WQ_Oeao*vX+Ijs}H%#3c$N;K$i(@n=CvIHJWkWx!S+ z>>qNP>sDUZx;r?42pQVNq|x9lACCdYk~)HT{RU^>+oGN|WPwrT*95}}u@YorfW`?d zJ^la@V8xcSga7VCGs9Yc{=cLiIDl7HsfPly8 z;C7hxZ`9w&H=J;?Uq>Uvy85=n#_)J~L31cB{Y}XIO$azXl1(j!;X9jj^WN(Xh}ag> z)-PhL7FJcavcSXAEL^m%N{_D`j(>_t16-e;x;gthw%GBP&-sWoQL|F0Xyy+NFPI|! zX{wGBA-A3W#deFAA_L}NKkhal5fZ*Qr;Orwp&25NY)Q$=JXi$KMB8@9<_u>kUG|zz z$)sHjxFLk`3TufPzYRb!Upa^3H8bM{#RTc-1*qj!^4X3OTpX`nB}RLzY7!4(vHA?< zh%Vj7nGZ2@q)e)v|CrH?3z^wexofZE8?h#cm(JAibGe*hZPyskEMp)YlMOxBMc2?V2%9s6VKvSyMbIoIQ{q;k)sG|WG`hyAQ9?`Xb+jk^|4vEsy= zGdUTdPo->p&omGHwb*;3O-?AByL~%{^Q+udbET4o(O)Dl`PjDRGvL?%`(h zWHQ;sa_pxMc6pUdnMHJf)R>v5N5k=3pFU_1zf{re?4G{L0uct*1SZW08xgH~RdU7~ zP4WaY*;HG9;BRPg`9Jrnl#7w=E)}YRc~hrZ`6-akmWLJm?eZB-RuBPK2~9@O>Tjgq z%3oj+OsouUf=HEQvr=O5aaalgj<$=iBs*9cB#tc{Q6)JEkdm0NH{dN7#RtmDi?R@$ zxU4gFr{4VBOa#*TiZUfQdBqYB=}sHGbkNFYAb2?}hl;5i>9e1< zx5n8w$g-KVb3@vWg#ZW26%ip3WN3kJpN>@|MfxoWC-2k9-lgchP8LS z2yoQdt<-N4CV@fx-oswhX-jFckZQ^CDXMOk?nqBc7R|*6>Kg$je4%g1yB{~KNFKNT zKb6{WGH6bvb4b2D#%HkuV)wWSYWH9yW%~2T&&guF@0y^pQhuu~hMp_dNP;Qw3Jy-E z+4+D|lO-HB!k;Xs)21dRH!A`!nSvz3F$f;E+RHx9L$8$}Ff$M{F^)GSf>=R{3Z_cX zdNznsIska`OMr%6jBq>1>z=E8AR+ypcJR&!m&;%P{EfDr8iKx*43;;pjA#<2F;&#Y zx$v5Y@X9gVn>>?U1_6&`_0WwA?Cb^c&6u$_vop) z2=$bX7kOm&l&r|gG77_@*V_Y~MY1@-h7kTrjFg(%0#XiFHoA2pYW9q*ftylZjt9)E zdn&#ZnQN)nC=@CKqou75DN>NhJ%9e3BsH^ipJmn-8Iz4}P-H42aE*WQH(^zC2rf4Z zSwA(pKrra%4H}8t_6-$Rgr2rCyc^@b)G2Tf_lsjtqIP|tZ#%s0Jo)bVDgK~VlNVw&081dN4 zW$6{?HAoG1Xk80^TjXMmqX5jK&HRj+GzWF*-)qb1JOnytn$#vzJWWf*jpj-`mxgL%w zyCjS=2=*1!Jk(WPja*HC2-AM2zk(!qTHJP?NU7iXzCYR6i>(BFI8NnZ71GY9&F~-A zHMWW#D7h^nop-_G)6YoSdzC|MKjpVr~usB zmW|t#xzR_0G-WdhFP}U-RwGIal@f>`OJUc}+8-M1|93N@M5PQw@dr6Gnn__pudL@s z&g9e{Iab`9y`{nm!kT|JiVs%wu}Gn!8xv6m{~r|6G(b#DAjweSKmHnaEDlzfmMbD? z;f{STAz0@V7@h!7So`3kMH$o#XiUv=!#2a~pu7WG{l3T9?gWr0UOX0IJg4rAk-bl3 z*G8qj31R`zJS`&VCaR>dKtTzu&1&e2_!+v;qQz05G;o^*sGObX;@0!8A3zGBIw&$c zl12U1m+Hn`f#>_~6CMO;iI>G-W%ZN_qCf-3+j2_!8Pp4Z%S!SAG<2WuBV}R-5-B+c zcAnsNN?OA@KzsSNg&QJRDJg~0xuM=Zz&Vv2$^YFgNwEP3>gA`!(1yl8qYH&srsSN;iwJs z7&}S@?!lYAPQ4-T8w83xBtwD8JclE<)~y>MqBy) z=p0Ye51hwpt2fZx>J@E$v3re~8D>7-FkKTewl_XHP&m0mG zcwi|%pXtF&6eFdg0tG%W3$(mlBk({6lN!9lBN{-9uh#;mLYfIF@gKwHLSw@Pm0}Nh zPlMCEFvXkR2r#2@I1OeT-ShX(ABtlYk{#|=qw8RVvkC%)Cv1Dik7)FI*9`f$6OYz- z$56R1CE;{mr$F0r*@5_SLIlt75He8T_Y6)R7z?DeWlvrX7At9<6&45}IIfvmEv!)R;Z#Y@%TvF1(=n@+PYli-foK*OfT%6PJouq2~=0Fd|+&&%+<^+5~~O3t<3Ce%$iI-V!|crZ z{LITRU+gd`6xT*|fyG9mQICmN`L|zU)(_uyp%?@($A=5YL==BA>F)awQPGF4zs$4b zxxq5bvbRJVYpG+n#hHF;zmteh>|0>HE8#mB^Kh9$NRn>cd||?avYDmsE^(s9(ECR) z>2u%Y>~;-A!5*xM8cs6$TiW~`>wBxqRI;zm-fCN5lIUFbD7rJglcdiimC;=U%RL(& zbeu>UIgS;__@Xb9Ua z4vtv+finARzDW%FWWxp%p~TH13n#~^r?bUoB`z$FFZ$=U>k*jKCK<0UiZ)YdzCh?N z>RtUU3%iRy#t$nLe6AuvcWlQa{-Qyds1Zz-*t0%-{a?7ftn93z1WyfmklXhOqzul% zG<;J`xq*Xc-lsFSR*n_=2oa7#UL!nW8QFjHk!-NnXE#BzaY#!-fEv%3=(L~m2h1Q} zWbCrnE%0}fa1D=6#x11pRtn%u6ND7Z!(DpIY(`* z|8&Mo1q^WD_hVmMW#TRldt#WdzRPbAUdMD47SxI4vE}~34eVipHvH~OH5N0~y_bZ; zLbx0hV+^L)duj38-F}%I_Q&liRRH`ocD$c?7xxp-n`Me-{+Ew(JZAAa_{I;ty87K5 zAi*PZ8n0=_pILvuefxY;C#1DP8|HA3Y}%A-gZnP6RM=d?g6H*~!yuRL!oYqCZhSfy z{>Wt^B9+=q2I z^=Dlq?1|P!rB4Mm8-ScyCEmMDRhk`(aVjP0nX!;3HRe<=KJy17>CW6mK|`u<6!1J_D)pXI+dK_ zy{?Q+OWykvULIc#SkKj2`sdfw{-e4zBY~+jPU2&G4$SOZm$cENa%d4Un2{418f=D2%Q1iYvL4y`V7=#dGz>OAI_eVy}!sxQ#-M z%fr3DG!aa2D!#W9wHuHkvzD1?|3ga6I)ov?)!-S^(s4j5_1JL zqE@Qney*78E7uDA9sEf|{@!}&g8%(-f_>gnM;zmO{@R1`-Lup{ZFiNtI(xMv1u%%d z-pN)Z__qAmfxZPg8vb*3pmG{l{@+7(iT|f+=|rCS&q%Twoq)Ly1Vw=$5%ZleFYuXB z<6q+cSqXr%?LWh#aR2u%Q&|6B?~B|AZ)S{mgx$7r6~^%aJbT7R@9BgaucuwxWgLge zYk?==_rXK~?^`12J3ik7aKK6LZHY0lOST3686WiNV7`%E^BXjp5Zr=GypSL4&j^ZsY#E%SFW9pA z#Ll5pE(PrkAspC+Zvvfug^(un#=NW#jS1zXoyX6RTOCTNTnht-gg^89AH*i{ zHJQeFwYP zm;+6X$(nrYl{rbE1pK4m(3071#vhDxX|&FDZoDy9*0#AfW&`9pt>spLKxC* zXd1J^A6jh4?Xa``kixdOv}1#Cq;8@51$hX@#DO0ZxASPnON(5ij`qd)|06K@((w8L zWxhQUP$} zdDy=OKTDSuP6q8;J8vrLbKHmx^UG%%mbCFbo2z2O zJQ)vqv3;o`tAg7JrLS`ZHBCgu8piP3Z(&pY{TA%3I{DEKhR->%!zq`uZF}=<3Sh3z zg^wE=6U2aa4sxA;=5@V?TvwAvW122`Y#fawH#fXCTH4s)@jr@97UJ~SlyN86MoO~2 z6}bgW1WWr(-fj)qWNaax8}~+{{6EG9De_URm^ThZnLFO|nggdHHN>}IF=;sfC^-GhBTz=s_c?8Hw&%Wg^-A!4TNptU9 zjCHPYoEt$q2gbVzn#aEv8>OqU+=$~wto|c#IPwpGUk-s`A(|o~i$QSln|}HQk=$ZB zK4EX$<_JLi*uHW&_Adw0R$+_0>tY)7Z-jVGzBKcA&a#}i>hPcC;D~~gE=_`*s{r;F z>>YY&*c|f<*hFvtHQ2DLW9f;;yyq5zjx>%PFC69AqaMIb8?WPTyEbaR2uDhj-%K=( z%xB`H$pNkDWdrL?gi$ic3xJz3aS_u=Tk~u`+X=87Hh(uE_bKPzj(B~TvJj001RQ(g zJ-1A1z+QR$d2FmoXtCaiItLrE`i~%&ZGI80|*nrxPh zlBt*mK;cJ$rXO!*NHm1Txa^qzdLTdgi8JI`g)SGYSXk!S5iSO7G3Jw3gqDHy$<4cc zZPYJ~5Q51iA@6?%V-dE< z(8(CWNv`o~>>cEK&Ao5*--w@CDqDAPnKn72c+d>-c6bqSJ02fYtw|!sWdwV`<_U{T}jAYJ+NbG<18n`I)3P;@xU>i z;&wLV&B-r)m~z-pct+hYyw(HqO1~z3BAMhiI2*b2F!r=dF&*dL7y~Vr6Boho#?IKQ z9plZ~`7nMAc;A>d%Ef+9Kl02iNp#0GlZHFW&iq@Dit3^TA#I@=FkcMsAe)mk_bFnnfPBPjFKFUf{fE2sYFb& zaS)e{j@L8_gnygC>5&2&!9#b*Ar(HZA*GeFfXy{Hi-bW&l#tNfdEEa1dbBuDQk|-Pfvcefq!_p6EqK%uBVw`L|2#jDvXLC!RuH@I>Jo zi^tS3ewWkmH7?{kT;Cw+B_|yN=8fTKc(2S2KfE#w%d0$ruu0TW7Q&2fjEi(8O#F!LO2)o>1->cnQgA*%Ih*=@i42G*!icG=LjB!X)UL1RpBx9Vjhf zkhmJ=!Q_W|F)(GJp}Q%!@(_931;L$()2GsyDUkNedLlvIpuj>svrWK076E@HNgJC! z1Zho}^a&~vh)Io|HWUZ?SKgt$oloY6VBEQNnM$OT76uFxjYc&L>C3ueoW?B!L6tz8 zLlLx&*txLXnD}i!c6=s%x)ZdgKjxolGj8&baU=L_%FDJ&e+1()#(-}0OGA6cNATX1 znRdL=n0N`MXTs4iPq}uafuXbEcOyGYUU_fIO*^F*?h~=N)YsOjJ$Wjgu*;D^yHWwp zeB$3$Ho$wRiv)Qd_XZ{}e-$=Ch^wxl1$1#r#OFgUE%5|=;tJv!4h6vw*;~9`4+<3) zPsody{ZfES3WX!td>)qsgN1Ala3iC`Um%D^?2y=k=N@*vPcgE zq#f^-iBVB}CINXRYHMrNKc9IeK^cx=OxV)WQnf262(Wl)2wCy^5ML}J;p%nb4S11$ zi4>y%Mc#lExI^M&-NCOffE$02xR?j6P`895am4MFES_1H(P#_}EG34&GYGoI*oa7cr0qo-LBC(z2;UI48xZ01_*Cns zQ1io`LR>o^n1X@=jf-)T9zoEWsHmvWXZj~iO!~ZMIMR(YCbP2vFb>uU?dX^8d?q}o zJP+!gd3WR9>+?d;L^TWz;~?)aJ&M4L(*cqfINET5H+(@a+-b|aQozL!FB&y{!Xf~E zV+YSNk`^g+a8*@R8h=4SA?hGv(;0b6X(wh28W$76H3|RBJIhC~Oe|-8eZ7{0ehqDC zZ)o8S1SDKr10MB(7o!>I*=ZGT$+IbPaw!RK@wRxE|C;eFd41~W0;jJ`hXyk<*hN%I@M`Xjur4kx)=qw427t8F~3*eItJR*U@5DH5Iler-nV)f$kqTqNYVN7KjW+I_kp=1ma%2b{K zD~Eo`bgVEM!_@Rgw~s#hNLsaOC1b{nQ8yys2Xm|N$cirnfn8h#+lZWb&QTC_eWbi? z7diOY1LcP~OVFU*^37LY%K861O;)X5jf!>2iq-4H;}6=M6^Gs+X+a<)0aQ54=0O=F z>l);&znvlF&6`U}tLC!fZoA0rxpUD;6w2zgYmhdC6dHVWRW&*`G%n;d1O{UJ4j^u2 zN(l5+CMC5E^_p*LzHZoik@V(vkt3x!@^REr zM=31{(vyvbG-oHstI>eiIQYyf{WGqTk`lcd_YdBCU(Wvf8K46?CgeQ{CNBsTqC<~s zzEse_Xy*bNMUh?#BN1w%UX)jtQ8?l4&dS3NJuDx*KNXE6h%!(Rzzv)9#0YC!t`#G7_c6%GQoLD+ob&;Th?>QU7UZ z<&3im^~*E~PT#TJQ^;m8vP)+nOsMW4ey>9_hB181`*p~R4>V>Qqa8qA!E#JkK;t`B^R+#$`HQ z(q!Sng|heFduv%t85lo18eVC~a3()YlliBe5$4Qu)w)Vm01D6!i%N<$KGsP9ZJCwI zI%mx_$sN!ZyiCDPJ~uM~rmc`p%==#gB>Wr5S{W;WD@-0B>KMqjw&Yca01!43a6>FhFEL55kC&I>JdZn9zxnHwpjdk2{$64Qg`>lqlsj0Ru zzW6G23&-Qg%4#cKx6ZOsVZ`&Hb?uF3TCcx8(^_4VvZj3dv9;^&2V3>ENh_OP1@|>p zJe9TTV=3gD6tb)|4D-*__?&@zw9YOgapb6HGAG%b%XG+ zQt_sOXA_7C;TdTQZ#LVg6TGw57z2=|D zb!!CUcEZ~6Th^-8tF){H%f@m+TWowbFn&`}^bR!ttiK3CV$td_7 zw1fNG20j5^XA(vfG96bmEC8TAzIKnN?j?kF;|F0IXBfR!9d!3kW*Bvfk;= zdN*y*(1`S7JwT8()`#H_beK)F1WZ^1h9Te4(2eO3hTjY}d}f@?BhxWq3~w5FK+uoj zYr^ma~0so^It_gj$uLy+A6dFmlwkzC=CzXbD!)uawl1~YK06RG7LQxhb$uZ z-FdSdI{HYNwJa zt{N$|l(Moi`RS*hWd8j5vTofv>CmBr_HOJ6+4E1IK3#id_Shhx_OOc=FP87W|Gsgk zP0;TbUwk1Se)ypreDJ}lQH&oyPA0rIS$5lP4-AztboR!@?Jb1CkleLOKKyvPbm=%y z`uA-w9a?vim&Q$!z4zQhLWL=52q(l>P>Ml=OTM4G5dH)5?e{a;Bcf+6fIfzyvV}PP zQ1Q_jTXh+E_>qU@z{3xg*5wt_wMP#v7l&p&abFZFkflqP%Hl;!bRn&{v=n6EoS<7) zg0|n!nk7{jT9-lthVBJzH!ah?n=W8JDJUwCLTC?5SFMz1p~cj|ZmX>aLxX^Z3)KO2 ztaSL`gAbG@)WC_}y?d*cL^ogvUasBS~^eS8Lk;X1B2!};gt#U72@jFt(#P|Xd&xr zs}M(4zMu00G*)Q5;0K*bg4UjFh|1#S%Vg=2#nQ56D_OB(g=%rsn4*!W^3Lqpvvq{R ze9pxvX(ecpL_SNwgOUu(?D?}Wl9?fXPmwfhTY?c^sVrNvTADR0k!ZYHvMAfC73Ar; zlEBEIMa#C(&@d`VLZh#Swu*c#LHg)Kbvm!Gun4r_@ZVnC_WS&@Y~?cK#gh7(I*inQ z)Dce*+9b7nugfd77-{_Yt$ulw5}i&wS7^utV5lLK*O)T`buhQ zYNVpPT%T)dYL&L+nPtnCX*lMSS}5Dr%9Sg0>Vs1$oVFvq86WA&ypea6Xz<@3)quPg(>{8U#~=_ot_SuyUV7iBKOw`|u|+O=(`3-OgmbJmZuB^`&1gBD(h zk+BQ>TUA|yda03ev}@**X|e6FJj^rg{;#n~LYxb9ejkRSUNp9N2E)U&cr1^+_14>R z;wdM}ZFk--ha9pmhWsV6X7xgu^xAmYcmG4=?#Cy{g{K`OtH5*@{OfvY*`kB=>e@zT z%=l7nz4cZw)kK;6_UE$uUL$1wqPcSTVW&%7O<3m7nISuk+)-YA^;LQB!3W{*1(^jw z#tP`wtCu#u8*jW(UU}tJdGW;;WQ#5O$d+67)rx!Ifd}NJmtK-Dzx-05b<5D9L($Nh z$&p7MsY0Jj!FZl{;&EBDaGCrtd#P-<-PY2)yg(u~QSk>kR9Y(^K#2Fx~lmUZxkjm=+TGk+~KV^-6SuMA1_ah8H2pk z%kbgDWZuG`8DfW-~$ejwaZq@g%@5R)4rLeo!<^S?WA>l?)m4*%j3q&lutjC zG6+g`kZggkPn;w--+ZgQ{mwfwf5Ch?;)o;U+H0?s6%aPpUw=LL_)RU}pslx3L2}of zcc3AU1zjdcuO8i{UFRNh>BZ;CD-+(4sndRxp1r!D<0zEvwm(YFJLd#RCmQ6HmnX`D z_dfwXc|oRq@ex{9q4Xcn7xk8qV~#ln`CKM%BaIhcd|s!(25z;bPKQB%=O|tq|MfTD zEN{O1fqaQ_J@V)y^5dM@vit74qt1OYXU-hC|GxX>;fEen;TdfR%b+3K=;GRAk3B7S z-gCFSG5K{U7!m2-t-DSuPWj?vx#Ny|&_>2W(5;f0-~S*(wjCxtdUltwFOHY{(N@O2 z{4(0NNZ&qND4!&uAcR6eS-y0!oPEweq!I%AKEyp`%4brI`yQZa^X3)c*^lJLn{JlZ zC%q=$&X^&s+qIYW?OMys@6dL4*&T6O=pYtJIfVF8M;|36r6qFfEw{=H@FzR1r@*zfD_US7N(Rnf-e#o!~QSONo zCTOQX{^e9~5vNhnR;Nw*LN2`cV({ED`DyV&$gxqf2%Yb(cibkgf~Vhw%$xN3MA`p< z1I6$1$m3AXKK=X)*>T4mwPVo^4egGCoI;!(%l|p3j{g?o7~-YVaSYkAR0=bn46_2iRJ>OF@{2OfB!-VR#&C*5uW8m<=Z&^@-t`FU^z$#WuDkbo>*ibUQNOc48*5#1>ABW|x~R1RLo!ck zkyTmEX(Y>f{OP-`%dWiEio}u@N2_TTo+CS4kJ)}#>zG4FTPL4+x^?wUH(0N}K2gIE zyY9McC!}U2~ll`_TOkw7&ezE>Cq`trf@c`2fSyx_miM1G4 zV)g1Z*2tZA(fe`Z##sj+bdVKxhQ^Laz*c^6$^z4g(@YF7{9oDVvEKii&~AbqlN)^pT4?YPseNiV;P z`>gfM_y?`wJ2lnWz6Xx7-hBN%y`T2+C)P!0ou&80y|>?KJ^iR%*Tmt69c#^=v&fn= zZ>e?IktbSfD^a(=ms7sBf}vt7ilH;7oX+{@KdhT>yHVXRMz&Tgn`=etzze{nm!Gk& zx#lV>mf(;%YTbVCebz@mu28qCC9|xK+a0LWIB&o5EO_E#Yk8eL=w34Kduz`eG-+LT*`-$XiY3yt!u83TwpR5!M&)eWg+Sc+Yhi2TJ_lK~5qs+7>lxo#SKNP}mCUZQCcpZ))n~*$N*CgX z1#_(~1NvAENt6|m{Tj5V6Hhq7akZ>Y-jc@YqnppW#Cq zXzNoaKlRa=6-%eBxr-ND1BVP%yO$JZPh58S<<`Apo^YNl>$=--u`ay&3cddV z@@DE(Tb6Okhf^u&kafC;=C6P~-|!po`7l%wKd17=7YIoroRmydblYG!9Fs%#KU5~a z_NG{=h|He#qjc)hRXiM4BOKRgoB2bk5v@zQWZCL!iDJ0BMgJjE!*#$SFXFbO1vH0> z4xLpgBi?@d4cT`T7c97CF9{8|vo1>h^wS~<1if;@^*71B`y4C}J@BNIVMx1fU9}GF z*^3)&zy0<))FP-s5**eM)fgU{t$2wPw`x%%WUpyq$m9~pOX)jk3mH6g8yPfs8#(oa zqv3{O8HS}6$`Qjzq%Izn0sVSPMKcV!txDN)ix$uictc90eo%_JSQWZU6`G3sie8eA-$ zlCoCi(z{=8a2OYiW74*LdwJuP=j884?Jk#HaDgmYy$Ee)(yTTa0mz9=Dw!|-Ckg8*kEuhu+lWEgG7mq(H?K-uUUj6$ZcJPkhD_t?t;g(S= z6NgEnsGJf^NqOt`(tYq?;T{Zbe%pFrUumdYA(8MJnLB@uobSjBdF@T|{j8<%zep;eF}G+_rfs!li&oOTQ+M&Cg4|mm zhaYr^TzmDkGWz6mWbwLMDQ}DX*RDn$L1|Y;qU(N=J_Gwn_x}AP8eWHyPPq(#7GGJn zR+g=tE#FO_DSPd8i0rb>AdFCtk++~ZS0PMsVN&{!*pn~pg~pwcFh+obkgv24bqZb_ zvgJS-y!Bw^QBE}uY}-XDYwc+}FADAEzD?lr%P&{W{j9UkljW<{Ni><2OD?}c?tAEA zIqbL-Wa;WP5(KZiQ8%m~*4`}ea<|^SH9VM4`fb@y3Xt!`Rn=09w$Y|@C+QA3BFIyx z@(O7QnGrJNwQ#! ztRDOUT-;8`P9lmJxKjsSSUA=@cS}I1opsJRa^lfP%c-ZHDrcW{mhR9fMY-AWJof0L z@*IRSry=gU?>-5EAqET{q*D-k?7FKw`p6^l{SPyxU;hC*?efgC&&iE9UN2KHlsoD8 zQ=}FGlgz^%8tjUK&YUlq*~KB98~4anprAx{-FuX#$)RsiX{qeA4)E!k0Y(tE z9~Em^bWHY&Ki3SnTSp*NC4mOpuRmyYw>v==R5OI4U6&G!!gAJlrFlMZIus z$rf7VC+^naZWBV&MCZwlm^|HQ%f52u_1DS6Pd%aQD=)u3NqY6|i%zdlEadmXl)Jn-1}kV`H9>=f}Pv_uYNJ zv~Jl+w?0xqVp|9X>|Hjs_4S}G`499%{ZY`-o{hhf?G_yjk+QNIIu4fS_1M4pyjfs~^9_nq)s#TC9 zw!7bvU|e@&dtsZ?cJ~*;&cSa14CW=_p-pp(FXx#^jc>o50qu94q{A6G{Fo!;-aGG? zwjDZ(+gGgHv)Z<-5cHF(U8j>_@j=iO6$ErKya7hlhpWy==H$`z|5(oij2 zYVf)Ja{Tef%gs06EUQ#tALN*OR(2Y6SMMHZyuEcEwpXw2(xr13 zx#NyIR9JIylM9(fGiT38=1~CyaGMsnnIa(^#ubgvTUL(R3`ph5H4;Nd!9|WrXo!`u z8nGz2xgD)pOI<{vhFemE5x`1lY6@uQv8061NpYT;d|%f9!Ac5aAd-Lt;QTO;6z#v? z{?f5y2YDVEaO>8sbOgc0pDx|HNXwQjrE|BgQUvY(+_TR?hgT>=wi~82r}lW$Nna*9a6G%hzEo#Xju%cX!-Ib^6@9{X@}IaM=yC};v}TkQ98EkAiaBZm1czn z_LfODAT|(Rsm}e@L))XJ$KwZW?2!~&mt<1h*KHrfC`6tkiIl8f2l@xRa?s(2$W1rj zAZ^f*Q?u^Wp}ll~cG<6QPnk3G8+rf3FCkn-rc9kGYcZyLTV(9Ji=J*n0!AvbGL_#v?I|)RJ)u8`KTmQFj~^r{ghef*@bb?0d^2#BjkCaCreo)%B>m;3F%AstOmj4q)Vp`sM9vm38PGk6OTI}EzlXDHWjHv zQaoVDq^fgJrka<7)_hq3fPBP|*22Y$)Q!3Z7xh{GE3UXg&roy+k1YZ(agq44E3O4E z70Td2{Xu81)Sy06=v3U=BZ&0v(NjM8;A5Hp;ZJB*Isv>b_P@wsYr1X02QCVN*ibXHv!O2slk!}kWT58ow-r_?<=KX8V`D_RxMk} zOXJ7Nj@$1DmyDDYmrBQ07|P+v1A*7KXIF_fc+uWG^5BzCC`0TtVrO~ovBwcd8MOMg zGJNpXQjMr%5ZdL*Ps1t1W{jvFsq58f6U^ay$O`4=#(?;~wGc9nl!e2KcXY|{pG*;?Lud$Pt? zT2`twi_}BIfOd-3EuGr8mu)sLf_0qXx7hP;* z^ABfgr2oKy5MG@mR@WfgZV!5(Lm##8-ZFpAkFxh+hsb^h?I**A42DKnF6W{eXP|T0dDnd~a%`@nMj{G9+M#Vn46%DjJd=<}CM=U)e@k}Xb1ymOxRa%% zqNVic)j@x<(l&^llvcjLicR%y~7BNr{}iYXy~df8C9sUqpJ2fW~^)U9v^juF?zUs>`mGHLI&JIEl*J zZ@mSr{T}Jte~<*xVP1O0CDN*0bItSORm(7H>MNICa*3RH;*rvQ>!E128J!|cQz0mA zCOhr0y)2$TTgu8SbU-G(GFDz4|D0^mzJu(r<4Ae=m5HzqK{+ay z)-9UJI$Kwg=B4E_u+IR5@ad?I2i!Q_svHXqYP;Qbk=~uVX_+f9a`8jSqvFSNB(2)D zk*lt_O0K|2qjSeL(it7|KqwxgFp@m_=)+{Ifm>;w_d|UV`|q`f9Cqj-a^&d4q%;u1 zh&?6~UV1^Nhz4)975J)~Gm^_n8QRWp)L&V%W-8XWKwMP9#r}vKf94q&$<3F2_Z=mf zhNv8T%u%x2$X%rG7F)>3kvq$I|2S6$bni{w79D1pbnV<(sQP+?JGqF!$(DM*4w)(95Q|B?Epv5SSQj@VurUL)x?#S{G`n!iBUc{3N5{gHfd4et%2?$u8>Z7|E{u3OEQkyY{I#^s9 z+EX(pVsQ&v3p5~hRItyw8z2CiE2Gt-hYmn{DyDYbP$%vJs0-dg4DMap17_k83Ho_5 zFAQNxRxB4p$F{2)g%3RAV#{DSl&u;=E*{*Ww(di`BpY{$nC(sm)V$pAlM9{{WcfHH zM6KH(nufN6GE+Ng0?G;PpWEa(XYGa%u`7y($f6#dW6v;wLJmlqz+o@b&@Fn<-2KS2 z4#S}R@uXiGT5&KGlmvJopkq;x4rS$ett^JJJRwL#V|IDtanvq4gj{4S`*jYILOR^D z>Z%hfS%T36(s0+J?gJ3sAuuV@@`B=73|=|pMUZfPtrR(@U6W{ddTJCM_4>$2U46Bb zLUS~D=iSd`^4sso)z@)TR!U02M{L%lM0Oif;1|kxtj34x8x| zfHxC?8%K6c;K4U?2st7RdQh23p|hnj!0BPFS+pq&#zR$=@D%D)LJYjz%#YD8UnGY- z@>qAq3Q9q!RJ|F*kzWr4yRUG4`xKg=*UQ61tb_Fh3Qs3@)?-zp9xbVX?#mEC zXvt~vIruLOiuf~V+ni(cx}+|Zkm77WXZhBl{TI7~sAD|9d2K2xEq&{^2lAVjgmaKa zr%yiPHch^eEQLaICrFUfdIm@@4gQUSynMG)u~FGGG07r63T{t9v4p|@%wskQnz1be zf}n+ICpO#bSv2RF9T6CDJ<4+GmNNjkiX!Q6*TMfSnyB(CV54<`+I){h8VpTjK|~ec z1UZy!3wOS(NKazIrUCV(%u2<;YcUA* zI`Bm;{3fIXyms*gXUmaC9w8^6at=lyFUcW??1zp8b<3mlC~yqrN+FGsqB8J96nRZx z1Oxh_gU+CESqMH0=}`!0k!0rovG)~#b`{6pbNxPlFYX~q5+Wp!;4Xn;El{*TX(^?+ z6lj6sMT@&jupl8of+s+LAW`D(o;<&9=llI;&%SpP0u9i9E&twmZ|~W&GCMmvJ3G5) z&mJgkmJQ=wd?1O30dOrl+K>jn_@--2`$rc1V|!)c=iYg?5ucr@@&Vl{>vZTdSqLKA zFNv~>Ip~5j>^B+kJrpd_K{Uoa*TrT0W21EiOq=)?odAumw3lHn+ zP%nTnRO(*n364g3`5@e0Ozm>PV#&ga3!?XW zaxvubOUe_L4AK>OAcU~iQ?O>(uuvah9QRzBSA7XwyEKCuU&SZWpfOMk#80nOj676| zQyJ!AwYJ=&$uR3^x$>bFElV!(d)V4&I1gI~VUS-mBD({G96vfRGd&j={UHdV5l}CA zLXCv_Q@|Z4BCel8#8p{^AZT9gNI;8%;t(QTXU07(0qzyvY_w)|SZC13P~|=HQGf_` zmchNYT$?wCXEmQ6!@5yGiO9T6V$y5dF&IdxP@3BiKTM-}NI&=pFN`Hr3w%VI`Z(*- zf!w?pL={AfSUWZEi2~_KFK16dmtJy@={Y$0eHgrS_Qt)lD2K`mBru+eEyK=H1Vm{J zrik!_Fd##gvQ7!g=Nf7ne1vjCxjZL?J6?1^LwlQ60#K`f2r5**s;{&nY~tq=Wy8h> zDJrRw9=&=?uWp^GYfz5Xo*9*PF8k5QAjdq!MTJFEkvREaHHY#s8_jqUP(sMVogR#% z)td#)tPuV)(C&W72-|{;(c>6UchbX`dB|=*>#c=@4=9r|ltUgWL(VaS=o4IbMkE|% z${c%3ezUfuk<#q}4=8)I`YAUw4ESn34F(?u9=1E>g6+XnoFRBAqe!P$#F4y!6Gz>$ zk_eQFAAQf8s+W1oH%ObVJ*8C`ZAgU$8bY*uIY2|{a~2@5qH~xrr9D9jV1)Cc9x2Sa zIdB#6WKvW%h0a8}DN~$uq>+#PBa{Knuy|6%oB?NHy+fu@sR)#435*?Dx>S&4qkWLb zfzQtJ$Ql)0`oUNB1X^ikp8oTj9 zt#r_=Z3w=>s|9J_V);}Mh77lz@sC85N$MSw&xHNEVVjh=?IV_G<=R#O3CTQ7040e= zfl5Uouv#DhsGbDLV2+7kpyMD6jP+4rBVEo*^-bZlI0!7%g#KH=7NaEd2ef6;kPr?o ziP(6J;xZ8wiMA+v5y|8g^;2m=CwFK`f@Vz)ryb2r$FOGZn0UI)fC;t?#Jx+#R>9)i z9BgS@0~W9~jAnTUT`!MrgrI$l6ay%{+KE_42(1a-44Bu@lov|{N5~_IAB`vIDa4us ze55r;*??j+_9d(({9zslIWcEy5ZE^KF_*oX@+^nx=ar622c~lp)FLz9&A?!8mNZqe z$^(|i?WKsJc=(}MaPLoJhDU{jdn$JipJKBi@*4yBb(Y}XHq+{YLDTDM-`D=Zdk6dKC5-Sv!)}GsXjgi2V1RpJ7)Fq8RNPIpT zD=@M+p92ffs>>{Rx(@`(GX>pS?)l3(#kX$_(^U6g%eF0 z5n2xfvi_urH6a!)hLyDyW&r)X5(yzcOdT=MaYns)GSw~GUwKEMd>L+AG)zxhjx<=h zwf_TDcUz>4U^o;02VvWaXDT|@lFr_L%kf8>3eGkHnMOOo)7*_<>CzIXWyX}cx{P}r zJT*Z+9_#;i09t@O)%?S;DUF{!igO8`NT&^`Rs~xWP6J%0ad74i^mC|!xT7w*L=Irz zW*o8e`hx%&n9n*3#AC{Hi)UGzImTEXZt3#*oA3S^Y@PZou{Ed43$+9@F`a4XX3$Jb zOa9WYKY6&!z19t&vf}zJa248AKfmtC$3X}d7~_b~@=P59tfPWq4yK`NN~kw3AdK>= z3x*mGD~*4YBi_^HgH1+9n%!#?FoMABh=47MG%S#mum`c%u)pAfd>GykL)kQ7>!bnH zFnR+?q4L*qC^cNRGD$2~G#S9&+krWN2%qAC^2Hx1AdoU!W>Xnd(g;+%tQ*VY%ogFC zIcXZALVDIh^RpO$DbqLxS$Y(gdnITUn7~cjy}2Ub8Q1e{{n%oz~6( z>1Nwg25gvm;8;E#e>g#At@F)Z4$%K;_>m;IHQdZuupEVDVycW=s&IBKOrrQO57Rhx z5EkVp)9V0$OFpW93i;*#po}iCc_4`BfYw@K2xZvZ(HcRBqUJ;te~6<`^D$KK5yC6; zAU2d$C67==17HyCS30UVqvq&bB?wRwkY1JbR-7ftl1H4{ra+@sI08A-QmMr~ z{j7@@bZeO|iOt|5)Lsv#!fmexGz9tRsCrlf;ltPx;N`*nuTS6SBemRC}T~>C~XJRSLsYvCgh?BC_!LTwbjp=HEnn* zaq>qmh6Vt6O}tFYyu_~eEEaJZ@22I2eMiY+0Dxf{%|hLD3iK1F>s7F6=zzezsB20C zU^i#kN(aHs!wZ)eZC=u%I00^w|2QZXeQ_a}OjHN&tUsFdTvn?}lZNl(_ zxRPJ~k7XwnwKff~&|0&U5T9#JC~C%JRduV8>$W;+XDv+~3H(JIFB)K!n~D3^fs#NE z5!)MErVaZM@MGv~q6PKV!5T=uRXhSrn^RT6>D4HF+s54RXbX**;=!Se9`#h^$=Yr_}*c@0u@4FA{0J^xkz%9=beLkXI%tA%5Pl zmh>A#hJSqcZ@5a(eyn-fON{leV2f~_<*yC0_XO*=_q@<)xvnEu%Rt5P8Ff+=MNj+ zH2$`NZGxW)#9=y@p__k3Xz4QwT&YyQjWd+90~?>F$BjwJJ2)fh#&1#N!B&EPJXmDB zT0X+h+aKbX)zt6%AU}r%`t$0!Wi%i^h*wii9&6MXi zf5@R|3>Q?Xxp=i!>ZOmIAwOJb^0?sM>xDmC#w)Nq_Br#%GL4yK{K{(`o${Q98#)y% zZaPDzdQD0fY=8@@6y5u#bV#G(LO%hx=x@6J55iAW;uILeu+5yytR}8$F{UW~GSs^7 z27}GwfTtB1fh>k(uNt;awXL-pBOE>xRgcK390COt905`%KwU$=Bz}b98{n)|F z{xsEC!B};~YpG?7nf#LPO}w&TJG@J?#YtcgTZ?&2uuTM@muO8Qxcn5xK4m#g&!PxT zM7mkv@@Z*GN>nz1_Cf~miU3vWL_i0x1txL9P2B{{p@2Y!=Nl-5yq3uWhHakCgf*u% zcT8hlbF7lgAiaVDjWz)`HR;k|H739bGD`!Dd>cOj{^nu4lCMqC7A=0c z*wVbnVt)xXjI$NjYr&#+VT)S>O@Z_n$6DoI>6F*nc6m-APZDhTbQ;Yc-k{Ip+C*AY zyvePrSh!a|16@$Ri^5I*ABVi!em9Wt%^j;x$8~S(-#iV0!o+E<3FEI(mRzOegAi4m z2yRLbkK@fsIvbUo6P0ADQI%vYj$d$$!mLWuHQUXoj4JS+&gCk0EZ$52wXs;dYK8EyqIfJ}o@OIo z#_N^1gak##SK@Xy7oXl(hq_vRa?ykju*iDuo6|mx2yQ*&mP}n==Cc<%DmE{dT~Lp$ z;e|sA_42A75Wu|~D$)4oBRt(KstNhvo^fnpf^F&i7XP-h`03b>nBImlr}|AKJoxc| zBYca~WBQ)?<)6vJuVOWAAz&W9|LAU$G!HM?PPj6$2{euuy@jV~0N~Z&rkSEW9ziB4 zLyGZh4#v}epeD_F&V*DT9r_GY+lmmF*}c+hZ#M%sE%EYkDtFEEYX5AF4ZpT@mM?~q zEus`7_sp67IcAwn!A+y<_q^v1qM1Tphk=K6=Nl)g-~n!y|2S;h7Q-I_?BJ}st5eKO zXKUbcfkbff#qEd!CBwbj4UJJLE^Ti*V;b=Y^FTh?Q9aN`y5ArN#fl62WQs50pgQ{P zOaNb;;D=6&i;JKX(6qoqIo3|$)|%5lpR~R6cii0@E*#soZQE#U+qP{rwr$&K8gnM< zq_K^*aT+u@^L)>F|Acpbob{Q#X3ea9?|WbO1-1}r3s~-@e#Qe2dF>(Rej1`wr20Ii zvzbguqAR)6trS%I`EYg?o4WeAe+DlV3hV3++Ou)De0eWm}vraa4^5ENT8 z_+e0D7{3@X4a|lmH+654^_Vo}F3V&LVtTHCcxbPEOd1e-*;;M`UGhuhW(g{;GN1B5W)EfF9?>hnosFLTPfZtG>{kTHXA z-I%CzTn5r>>@|BD5{HnNK9r}L zziyWjx=H{IeutD2E_0LnUJ%)D=P&4H1rtfSz_XTvIJpbj0k8e zRJ!x}(DcRQDlLG$fZX>-q?%1Y&Rh2o1q#sqe!+_eWjCeaepLZC}hW@3fixm>#>DPI@_I zMLY#GTpWIBZ*Tn;q9e>?MsLeBggU!c8Bj&v>?WiduPuHInJxIldtqueiQ;~1*a~%z z#r_3*sAe&XaE@qhvw<8NK|h<2DNrxn<27P5Iy9DW4;{w3JmXZEn$Rr^$Ba2vR#|ht zy}HQTGfn-_-3jMgPODfX>H8e17e{J8Ri?@uX1X5#*F;ofj3d(F<3)+@6sEWh3z)x= zzAMOyxi9_nwKUwHlhTOe9I58a+z;2oIjs-Lqn*sax{IsoLhvHjKNWOA&_A;m-x?E# zv-i;wT-LDA@>s@XAootH#Hy`c_y>ive}?qi=~HJUbLSx#cc=#Sj>-oy#3Z+Mv4gxI zTi-;UQ&CBn0)6`Sf{-+rwl@#n%03YLYF5L5Fk6ClVrKr8bvz6E3#5~6@q#oZg=(_~ zKRNJhgVq6KqSYc-3h^adf=Rn&*TW$)D@tl;;Lkyc!KoIEI6+_2h*weoOUp1rS)BCk z4J(rz8G?+B9IPvgN7h+ELye+wL)l_?Up|bUrd;X|Fd1Fok!CIX-)c}01WK!3+r4>z7?;wRSAzn6i& z7pj3&4t}(&`%DkE5HI|D`Nmq@xeLU zALj$Wr9iuUSk;NefK(r;S2Q9WGijsQU`nnp(Z~gDtZg8VI0Ykt%p$iWH}IUmVForh zgQX>dOrc_MA-`K$RdDdYRkoo(kt&U=I~AP1oYg*GHeC&r~`>lo7c z&bZB}JR{1Dp$;6}lnd|hpcBoWJ-b_yGbz2rx?uO_Abd|}Z<~!&2{9((%0(m>GLy}h zsCiF}c*O6)@_Is)Y{xp7;N_YNf61s{KP|Z(z1B2|m`{v;Jj>u0Ko)(kh^v9G;7tn$9}Z?uAUoiAAf1U zY{+m+jAJyGGx%>+w1^zf85757yg=4-`OoK)nnt^`;Tuedj-f$@CVD*#)x=VMu4$Ie zF+b`3twW{hZ7Ro9rlDy*aO!r1-81%^b{~Dr8{dJuGRoU&I3=4>pJapce2HmGd@VKc zaZ~34b*`t9U=b!} zrI8-8VH0WO@ZMqin7$xVa+})w_*}0lWGw}Y;ftl!Psw%&bnoz%?7KXpxiT0+m$b$}u-_QaBB4_gCb#^URCr=W$%c#5FyZ?n3_}mJBb}JiBbqTj&$_ z*^;?aA{M_d`em~AYfgy1fo|jewZQjL48SdLVAIfR(OYt=;z}m&xPD6LSV?O1mc)as z60l6=(``&TJh)&LrsEXEv2QaXsDCdamMii4RXF|20M6w+d{0@f7lI!GY-kAtJdXB2 zUmx%%LQ%~I;;7TCTIa@gMtU4eo=Azat!z8lpCI#T#V$t#oKX9 z0W3WWexJd9dB=xthhlCYRRo@La{VpkGX(tDeJ^l<--<<;4<-K)ebQjIoS%rJDLxp|hSh)!x zRx3YD^F_n*=ZthJ_i9ME+J>3Ra!msj)|_4-?MvtvB5trJQi=Ih17yfFZ>_z^0-WZI zxSTd+mI^Y^PuX&#;>fA0+q16V<|OhLi@PKuH^Q@g5P&twPSzU@DxiuAZH~XQ@Z`Zv z*Ms7!L>jhds-!eYfvUwkI=lV{HcO}SwF{&ibJo_N-vJ%|D?)_#rwkiGxjQt5#Mx=$ z%!Q|mSug2bET-ST>;~UjcxcLk%2n{+U5{!j_pk>K`pY3=Zras*fjw9)?vyY z+R5I(ca0hv?SS7}2kFSe`t_x3T&hVP^Z(6TU#vG5CWQuM{T{k60rdybD}2ekyKJnq zzD#n^G|-@AHM~LQA%LSW69HsH^Ta5?3!2wKO#ROl ziF3#l>JY)V(OZ93n+#!LxwUjz44AB@2dSTS|Am7d_gSB2cKo&xfz7&fDWCGDfv>VH zmotFmU&kfW*V*~pHGro4PHRw=1C~QsxBQHvhipGM&rag1?;jhAuA2o!eI`K`?=Z9? z?2!9`)Z@Js?iFLw$Mj15vx?ocskF>xW;J)jhVENkLC8`C=ilp)bMjQ>X*X$59^F02vfTpk8bC zlUb0`P>FyB-%3;F{YP;9;M2xhhyR6U-9u59PKS#~hch@^Z@(hZW-KXR6Pid)bqbl$65Usc~$f0Ms>g>9!V8G*llh9Yhd*i1XY zD;MgXTkQCIy}bid@#vdG@5d;Y^GZbwN!Z)%-4wCgjKi?7i4>%2y#;B&%Sw9ma};F& zSOa(5HXaAu(c59eHxA9l$<0+DQe;Q?OW2x23+F)vVLjE6Z!a=$z@$j>ACh@Z5FJ`VIU21fj@D~ zNq@ezEJ&$WM$rvUCkc6AKd$IpOq*1~Q=-922g{XI1P~A5GcE>v|1k0I`d4mypoM)$)qre@(5qg?+?37X1fu6$Yf5_Ib-&Jn&=CtEIHe(P1*Tdnx5e`uGwwf< zQ;TAnE_+wu&Hm@A%hs$Lr@-g?Y23-VRcelc*&JScg16(E?qAV;3Bj|Z`|5T`q`(uQ z{MOuiqsNMBS2= zOGIQpVn<(Bw_J1X08IJtF(rqdDAur_1kaq_9>>RcN)UFKs|5QQIHQI?v!)@T;pD;M zNR7StS5&Rg_#(wZ^3LicLyl*ktp6IUoSV#SfnHaKT6iAt>t$Tscn|TMM^-(L)_vTU zkPcj->q($bUK6R&a#dFDC&=X$Y!Z>)``+%Vm5yhm!zg(*kx#xWq>zY_=vv0mSg14` z>QevN@{#aU1uT3+$u1BIeZokfhe<>Y5$);Gz5MlTTVY_u+FF-&$Yk~Y36;>%Q={vd z4)?z9#X_8YmqThZ`ryFTr)EYdWKFL>*%?ia$ATPNjm;utIDo6p@qNH!gO1Wnxq#sx zNgsPc111}hpZx}`VwEOt*#<&pwz@*Qc6UQ075`pTk%&Xb+Y$Na5~Eo5w3eD^wVD5! z=g8xlSu5bJ$ZH`zn^{llAWNw>h14fJeZr8iYy2;$N1EOo*4kVW3jQfi=8_uJx9Plt z><^7K4WX`OME$fEHav*f7<>(#nx#U_ugKeU@3$AECvLkfx^B=zzOE(q{#%Qo502rv zE871U(%rg0C?=3CA5Tq)@sE&ihNj8y-LH4Tk<*ibyCa5k#$dg@pBQc033JYcT$6B@ z^i-9+4hKb)FA)v$DqGs-fa8p;VU8=5S)IK}wL(DshCXXEa0@WbE=JL;w8^B_GIZBk zHmo~*S#gc}Ja=RpVt}AnKpwuJH>4Zyl^?w-kS&nS2S1uB{-JM^p%hwls~(U2`$?x6 zQ!^au&G>+x*+Yz^;&EKGKRY{nfO#J*TTRQ+nc|`$2twQs6ew2tQmMWQ*VJHd~sU>j6{L7W&?h z%d?P=ztZ{fau5INfO=$|9GaRlv4)(-=u_Ch!F$S^T@I|fnha}2)HXw!{l5l=0dopk z)?h6dm%}E`hS$>$ZkUxyWmmY3l1g#)3fc*#3LI_m{n)E9EL}wlK_^z*fEHt3-IreZ zDF>X;r}nN2sHmL$J1qtAhb8F-b$ve}!(F=~kJ$fA4myHgJWt4Rk$Yv>;<)q>a;?f{ zXFw-PumkG7RX5f2p{hNFY|^(@{gCkzl&yPxrU~h5Q5#ds)TJ>#A+<$bvoTmIa>vJ+ zskx|5j@Al})y`0E!zH|C=0AVg0S7EIk_#N3$XyZXYLZN)U zFMi76v6?b8X8x+?F-Eaz2sEosC^Chm-5YRWu5Vz8Dw3%VVVbhWoT8q zHth(V7wZ3w9+sZ`<55LK(0urvlbgG=R4Y^}Kj`*Yc)Y9hu*@2UD2#Pw#(! zdP`9Vxnu%V`2BCpPsC4BUF6BOBFexw)BZ6v-9ub;bz`$_r`GRPc&pgto5lWz@#=NK zg^M_4J5{sL>{+1%S|9aVHDFR3HRm5P+M}s3noirfjN;helo95{jLfW3(`rCBb|Iyf zZwGk!LM|CeL2fuGOB7A>mhoS(@_x8U5ak@^;$%s)*w$R&x){kLy!5lXZoIBwHLzp{ zhEnL3wh)~|S9d$EI6kHH(7@p^WII!!4AcM$%N(x81Qk1nWz|=;0u>2yMwCx&->a zZhMTYxcklEn}twd?-GI|Q{Phj#}G|AW1Hzi)rjM3->~Xk(m4EX~(2)6ng2?n%Suq?i#<R2h*8_-o;E% zcMIvSwi+-?>I1i#GnD13W##mn>Z4&AH)sF34YFMaKeP{ieh71Y>^xOVyP=S(zum7j z$Kmd14w$>|gtS82yuae!omW=c9M+o6tn*JR7J_m>W5Vi0hc*MHC5__g&QVRib%R$FYBElzpz{oUdkCXAdRXQ z`$FGe>#1tTPJ71aOZ=r+Z~0s{vv){B3d>sqW zUo}ijO=|admtw2BO>|9b(98OGonN~gJnt0ffn?vv6BbIaL#_S)neJ3cr(R(x(VlG3 z%gL9DLED&^X#1{P&|j={XKM4e88(_W8_Kkrt85K;g^|I@3d*L*81rm#R=M6@UMhn}@XF%L=** zlE`5*rNRe?;d=ktR`Dh5sa1ZvL=N~fuV(}3n&om|N&yYX8r@cDaS=76<4)vfHVPyoTdBrVl>cd2t1ulJrA%q9Ml%q`scKdUCp# zi=gxgqGZrSv@RGeMUAFO41+_wo$CA6I$cJD|G|0zJ4=z8ka786I%wT5CIH4m+nh-s zkyz{_i?|=u_wv33K|Bn?_}R#<=Vt?Eg?Qd{xw^1omyhXO{_7r!Zczy!E-Gs!8gvINAo)eYB#OLY~X19dg0PZg6m#}K6x^y?Dl8JqaOGmzM zRV5?QK~>NC3ms}#6C*L1)>sML3IxxSg)%X;tZ3G|=SM5fF}c6yr*>h;Gmqz`A{D1d z*i7*FzAm~C$;gt*sHh~z-j{exsdKfK45sknFlOS-|!wh1L{gz9#D17-*vi%W{bj6;9J&b^p0QB;6Chv|mNVIQ8i6wEeb0M$fUm?oZPBX*wd!W>@8}XZJ!3DP-hQrpT3^_xy4{-xT9_Uvh2)+uzL^S z5dONJvJmuo(WK+_KFC#ql#jmfHOfL;s;acBO_e26FVA6+IT2qS%7P|!q8JgZZj!DJn@V-P#T)pC}k>(-{NG4%-xSPBiNEPrfvU zbe^D1w0B|?Ojn~ER&*-HDK4H`^yy6KN-kmEWy1mKUA4qBcMTW#NO4QL8(2~C*duJx zLu;s6QS3w_Y&g(cwZB$vO=%%6yY;Rb1j8I2iU!yM4mpPqPgqkoT})5+Sz>g#;T5ID zXC%e;$He_$11vl`gR$+NEpu!2{c>b&7JMo7#SA9rgO3F-4#NLh;V^roh0Q5V2SIss zh$Jq@V&A=JfZIiq1M!N9jq-Jijfg))til6KMlI8qFJ!jGIl^-5w_5cuIMBT`pu3~^ zXw&*ehcp0_YcsTZsd_mC7z4#9)uCyk!$kyI%h~1Y-fp0&$}y+wG4a*deZ28ZIIub% zR%p_TG5rm;8D+jUV7tDkt)3TI^|URr8U7ApvLjTs`z6t)xObNzK;Y()rYcNvQ_{uV zI`0Ngz1!*f@<=0gh!n>GVXI*$=BzGKm8iIY0vC*1;%(h|N?^d&?7mS~&KdjamFCpK z{7bFvAx(`1h^DP97l<$)HKV3gHz7$umSeFMZnJSyYWM~G$L_&>V$!-s6emq;z3}*1 zF2D4N=joOi)Y9@8*}lcnr81wqa;vdC{7c?TWE2x-zs0PpYr;Cp_F#!qOiUQ}b&Wmo z^M4Jn5t`bF2!F0KMoh9QVD(rJVqy@MXg5wQTryrem7E5t2;CpW$At>jP^;#+{IZF- z$Sbws5T_hQG3tReie)YIS0UJhu^`kxcvFXt=p+qAhysU8gQ&5}@7TD}F%4+OzowdB zly%x{!Ot1pMU8mps46|7!y1v@yTwNxM3X0e19yIIF`soOi)`JECF9Q@%Q&o zyPlB;*}?Ul?Z&KOq8APp`SKIpIr$TI7rzYRv-!rXZUR|7915olVhc&!i`JFwFJW1C z-^+j-jWU|CC~>m)sK=ePzkB{l%J^RQdhi5qb~5stG%ZD~65OXQvF-xssF5e2C#v z>AY{;;b&}DozTSa;g|bI`GBi+|16fYpYhB&&ZbY>&&5%$Am-I()5qun&n<$8#amG{ z$Tv4!9Ji^5i5>i1w3Y*KzsWkZ(xu=>^T3}*5VwxNyl`Vi8kIpEVWdz{`?VN1q}K22 zsfCI{s-QyHXBgo(&f2phy?oHkNSE)^J*VuGBfu$Xx$sd>C3{^z61VN?%-Bxse_3`Z zS?}q91d9HB4_k}!Wyal;eF&r1zxZcL!TjR##Z|bnG$^5;G|6a@>(cLGpAPvk9RYOz zUA(vXd7PLSV!Am(p`;nI&TXIh&(|q6rUf@sK6+kr?r*BYb*k{TwN^nqU(&Rn$6jih8YL$_vUrJ-YSHmjNN>N zJyTb6jo^7f@Gz(Ao|sc3&s+O#qFoTjKfm7V-K6mGol*R=WO&=CRJt&JoL^Z3zN>tk zdA!SY-X>2tlfRJ9ZTaI2vVkD_))`N8#_WAIFK`lLI*0O)IoCQIVf7kKWZa{?J%Qz| zljE!q7x_40gZ~S#H)e%bPMh@6#j{L88HJe!zUPbeNtQX40@$2Bf!2Yim~&5}AFbn{_wGa>*4!x04qtEL~M{*VSJ zkqC)3$&S{^B=17q8es*B@XH8}xjjsnm^D{ToXa;UOB0Z*`OxCO7Q^(+WQZyXbj0J& zWQ8W;C~C>jIVnWb>qSNu6D8M=7t7hS2)wiiPDRd`P$=l#&`bF!H}n!Kd$!fz3z zLAy|5e-Q_LDAIcC0cQz)LI24E`UzZ;SN$P#R2pNuH%z7<5mubN=qLExg1jek26PQh zr7m8O#}dk-eQz``%+Z=Tiv`D0`cH8SVGVoKu@`bQ_K-wUzQrqJk!7VQU|V_bUE7vo35>rBn7D(LB}}t zjzz?HdTc2^Z!~htPDz3*3>5Yzy!|@`bx-q}fVjABX_LAWR=aG~k33boaP~EdC?ryn zY#8A#WcA$VM@6RMNS~~946{v0wa5<&YaGWl$xuh1r6Yg-2$1H_QgS2vtTK4$$}ZUSK<71-h8uktuG_;Rf~rJh8~}LNjz~<&9v)4h6Y6x=cW)L^GmWB zqAMn1W6p}`2E>X^?On{Yl8~s%u}_Wt#K>1)o@U4yJaMYe)<_r4!&_~v_ubkAhd%?| zpc)7IO`m4P_O@A{QC)%|vp0d9X~8UYRq&N1ekV zNyTY~i`l{zhBEFKUP4SP0z4{{hj@|3p=4Dh7JN(5izO;u2*Ukn0;1%`R8>{pDzudZ zEj(Oej%33`p|ik9jv`5k8>7dcz_u)q`dpDlUt_zBEEVG{1N+eigd1T^)no=>Rlx&8 zac>!khnsUmuDnJR`qjNrAe7?9%U(o?zc@jG!8qy80DYZLy)0W4K0psQkVQqFYAPh+v3B3|ciPU5y&#(pRy`g~7R9=*w`rU%6xKS8{54LR zCrTQNfhdNf5@pVr%8rtzO3y%_8blW9k}5FaPSX}B9v@Yb3&z1pzLlaS^jKvp^LW06 zIquFi%T*zEoL^h90M9Kw5aXgC9UP=&+}TeZkvECf1#;P*U-DzKo%Al_0{ZzDHW1;z zH31WQzYH_}(ruR9Sq@aBNKQR8C(!XE)=HEbz3Ky~Tk?%?C~ZGQ)N4R28?g~yIK4er z(w0p>RxA__2fBicX53A%%V=m4`ZAl{aPXKsoL?$Wex zo4mU;c*x?m-9z`8+#@GP!-LOajjliW%_EwKkZe>gK8ABX&0v0ei9n>hD=mgmWj=i8R|a4#?oXkmd%W?!76>F&lA=#mMJU5g4p?L3FgCqcSi)G?m*Ga|O~EYo z`Z9Jsa7Ko*h7$x>6~pmGT`{bS1Y_Ym6T2mSAynU2KW<>Z;COB_>(MP`jE=J5IJB^- zPrpvrXKGL=klLY6hkQ5yE-lS2od{woa_XeOt5)rHX00>NyV%mP5KHSLlbpf zMeH&%fM+#`@fGUaT9;f{L6L3n4jt6uY2)F3HM z!rxT^Dwq?AjZE%8;X}1(0!B`7m+=a;$G3w}kH}rPksl~gaiqaqm*_F$Z?eTd@Az>~ z$Zxj_UZ2AO$dbr$X-Q@U{EuKh8@Sm=-1;e9Pl3=ivwkr@OpRaS)gtmTQ%Ur6dj7+6 zv%XfcH^5rUr~7yJwb;yAI;3@iT!1Z>b z^;?|Tj71z-od2-M`-2w3+7Ag*c!tw&`-8~f#%46%U8<7JYNZHtWgYT8YCViD%B;S)o|*mo}PGidAOsXi8CAw5-r3;mOMHK-J+ z7N|4CbQbUpgkdC%-Z>Ks9Y*Rl@}Ti@U&@}X1JoNG04E!n1-EQ zai^)-#h#kBy}_}Mlet>fvmG{fKe-oY;z~oA+U1L{(nCUi{~M5Pg;|~}`{wKaj++Z8 z3Hn`sBKGz?j!=1rYw#_w*cGoXR&)3i1Ux=B`%ql|og8tRYG+JED%`W?-L9{AHT)?_ z_-_HIX{1GcG_98AakM9wWR@cM7oq>=(2I9(Bm(-RMEFWWDd?>)^#sU1oS`kkxI9$S zFx?y)6J)qG>#f4 zEZuAhHKYXW2j@+MkEX0|*8_6EKP%sg!NaN(&B*+R#>y|V3E4oJ?3tPM_Uk&!vyR*y z?m12{$j>nH83Mk2p`lhNMwjW*`n`A|6YYaZNEwN(Z;3@-e+2`@ZRZFCuLr%VWfPg= zrOHuuJ>)Jn8f%03ZoQJPJ4477BoMWlb=(@#d;V-*)~+P}VMRUn<`HHq_X@-5LKE2JhXk{AEG(N#tnpwK{D0 zBSX2y`p>`#*ml$yF)q>OO^*BmKF`VNSDCYy=XJ=_tk0ThZ2-bsgV3VO>>gDC?=Kj)%%Yr%}$UrJ^Qc#5;%ya=6`h}jI>81Udv!W zu_#9%8-?6`Y+zo-3RG!A@30b~gh0it*BsqV5(R~rdW*P|c)PTAF1K zg-f{z$*ow_f$8EA_Wpn6(N5+2Yb_?V36CE^$A!r;!ayNm|}ei{+3kVYT3&$Ane}>m03wM4O*p z?6XSjLy@CL&;cjede&Cm0o=ZyA?P_~B9I z@ab>k-Sl2D-E0!In0+G!9NuM9tN5EliqIWRz{>`{4RzC|+Azmzn2S#`=$pyjM@GV= z&B`6G=HWdsawXCFG|8YYov`eA-*;!g=kjcIM23s9Ui(Wd%C0Q#O(%6pM(-{WHQ4j3 z$k?y5eJEAvQojGNRj;9xGA4hkSx(6c$KF=M zMvHl*p52B#zG?g${F-pufA#8g@^-(N>-6cH`*xaTrpRbE0olK7r<@Lrwys7NdZS?Q z-7$v6)R-Em$C?9A-mms@rCa~M{q6zY?=6Z8-4i~G+)u_MwoWN#=Kw~ z!@n7OMZpB#igx}a*SC$s z>PH_Fzjzbqax>5bfRLMgxRy?}-x6o(q@^9U-AaMV4EgnCdtY8JO-R`JuEux?6@t|{4Q$b-65aN-hVp(sf5Uo7^N zN2qCSBn9u$>1Vt3Oj&n&qOwbr6?mvLSEvxgGXj@0M)wbIt$kjqhRRLN3J~EEX!n^j z4i7Od&muHaq$22OA(Vy?EQr@yb!_I}@8$~Sr)ZDavt>e5-;x;-y-_7MDo;P!o)i7y zl7l6}d<=yNPqdbC4W#b|Ljj zC%n2}b@kV`B*$d8<5D+NOp>)PrmK(*{{st$5w@x(_@h|0v?{Tj`@Szie{rFG7VdDL zjiu}|y?@_}r5k)$I-zx9TYd&TBF+YKW2sfsmV5;o>JOO(zr-k)aw%MW`-DV@Lkl#H1yL9-$Lddcnja#Q(TzmghwhkUn$h(ZNf5dv zXEn$0LcW|IvV#xGwhB9oUpuuBpK|+g%(tbKVAhL#K!7021>Aq$>&MmjW}rVw|E_z7 z-(EoC<72G4$T?1jZlDtVaxtks0m}z+$wNjr<3= zzBNV!eoYaYALN=CEJq0+zj`l-UH(}quArHH5cH&Qka05 zCO__NBN*qBSRSFNMfOEOg9H4Vf+J7YqF8vt*P(IJ8;=fLeXvH$PIJ|Kw zIz*16%NhkB)k^j`_SzElu{ai4(PB)z3LS?_x`i4~Dh{1L_41Mey>MC&6^{zIPxOsd z1iHu&w8+}kk7M{@*&B1FRD>{P8QQSru%7IL;At_;sEX5^tzZl=bLSPI{Np2NA24RB-wH(O}ioin+3ULbNczvl1&IeQLc?nx0szQSL&l=^w&Y%V2 z59ipEFsPnctf$vEb3P&ZtlsHgn8T$T9SBbf8VoG6)=0&|%w(y0k&wgBA*KfHzRfrP z763+6lQ z)C3YqX_^S6%*8Rru+aPI(?41-;H4lvFm{*J>GQRX#||uSU!d7|sfHwW^*XYBqjng; z64U)&QjIWYSmh@dv3J@XujrZU{op zDCj>VBo5OJ-=#$0xxtd=l_qMqVRa34snN8QC$aMq5XiC(+naKCNdk?MpSxq{r}Wb> zH26&PvL|h2r-+b1Kpp$Ro2-F{7r~r|$na$8264a`Z+<)%{;hbc*Dt?FZ{{hh$Dn`} zRDTt|%-4~Y8+$OQ;}KiNQ!CAY^EG1LGmQWEKxgJ#ujwlAKc@`!P#z>?oOD#wa|Clt z?YxidT)hNw{pchnz`hZQu7k3s0}|DJK_aB3-t3w%)a|(_;PzlqIu+~WN6_Oh(NK~{ z2Dq6aNoc!1={N!g-5OrTUI^kky_#Cy?CjU6s%UqmM274>{C3Xo_w9%U}UE6FvN>Bp7oP%bt{cdkqJrIgma;7vd2_WiA53PHwxhXWTzfE}g21 z7z}jOcyPl#`ZSoquD_1eW~!d6tRAsN#luwyP{{W+=F{{LNMbN7Zktm|Sdu4{$)Ea% zC(N4KJLdGg`+&`+C;q`vy@2?2=k02;i;`-Ckyja3gdBwr-v`?{UlF=#3(6S-2*7ti zMuTY@?9fhRV?(5p#*@m;rhywEX)!j1;EtGPo{XSkM8s|EZduZ_EVr@OwS7$;a zIPiF57;k(kfO|s9QAn6J#)*=Q1xGaq#K$e16wUwI<%PcEoQwO*%7~_b;$<}~UiUhG z01+K5_+ULukJ7l84pQ$oR1pfd#PGsu1E#g;M{1Hl&5wrrD*-XD^#)ZIs(-9>7w&BF zz+k&vEToR={E}dvzlm2JKj#6sk9_1C*HC<6K0YhoLQyt6DxegP);k3S{ejbQ?c4k745G?J<(2U`Lhpt;hPQ*FXGL~}60_N<0r{bdRG)Z2ZEKe}O zhHzIaw}w)&4vbeoUmB7UdQOELPd;enT)~jcQaLwn*$6UbW>Qq&DayjjRZ`Hc+QP0&U;^wukwF=WLGDL73kJyeAP9m_$Hb&iNVW&3LzvW{+ z(^ZV`e<_9G1B%CRWbp~ZRxe(oThNi{H5NW;-#{j{;BXbIL3&~smo`ewyOB|h_%5(g z|7lJ>i-7^vw;l6m6xJ}7SSatu76wf$8A9Id`s!j𝔠7FG9oc{OE%PhnuTmS#|6~ zk7NDdIZ?xWp-ggIs+WFIH~pO)udG>0ZN2e>pE;4g#}>v`hTu+!>@KeW(*xnu@~iE% z=%1hgI`c;l2dO`SD7tT#EHQlewuTA0C-$6Eg?=Zr(v=7?KLD!{@Ck+*6>&m>C=dJe zwl7%IDAHDS9u)MU3x^|7oA%lXs9}q{;yY zRhJ`_MfX;GDjwtZu!+^AA19n}WMGoZxCYQaI`80W@ev zHDdU)m!3Eg7bx8~yo4ku7APz(Zy8J{8YJ(i8=X8b_QjqK*Z~ZVxSf|bv+ zluNF&|HxsM9ruu({n>H&$z|H=DKyPpDF`ym1sG&yDRrdKzWk&RVjwiaLXvk;`R;(h zwPw@y*wKF%iP{G_s6L~TSs?>MKIWhPx>W z4cpv6{dEJbsC5QCCNgl`@ZtO%c3+CY*5SNe6GkkJpWrGR{&&yZZj(?qU7;XowDB>& z3&yw*fp+PLiFu7Mm@bYbI%?|NfeTX%Vrcas&vB*QwgZy&-M`=WMGO~-aTDY z4lA@y;i>peP*rVN6DKZRIcvqxeX+5&?TMq`*ag$|=f#;NoKU)6rjk>e^n${uUK{G+ z)jS`*8f8_8^$*KsvRN~;WIw8yfY5$fDhvfbe8=tKL(_7$ajAZoWvpzy`qW&e z;iVyXjohm`x5D!1aeB8cSYY>by7Pe1R~KXMXSNC6IhX+bHt3>iL*52y`JlaY zke$9HfC&_7o1t=6;p9pJatJOu?NE-4%E$O+g-ZmxImL)Zv0tWW=kX2SD0(-~0ySkB z)|8+{^7#OFc^KO?#rCeS{+S5aq#t?ag9DJE6AWjPl@SIaf%Cw8_sPK$pv> zNp`h0Jj~L+dX7*4qEchUV%1u!yjvHExIgV^k~?HU-19~JI+MLPP7Qo;ytIpWl(j(c z?BZFgn1qm{U4SLEBI)n{nLuw@vr=w{ECIY@tceXvmZDO!+CU>%+8OEiv=Q(mSU&}1$m2&tWpW`?%0zC?MY%j5^tpks zI)qCVeEp#Lwog&}obGGL4*nT#Z zzsE-w{r?9ILGr$5B~snM)=}Uzkn3TbB2fg$Z-%A0u4h_NsbRNa1J)-ng5%1B>10|G z7&LS}F_+ctYi#RG26;JUPjO;Kaid`QrJ=qS*Q_q}kapr>nbq+G{OAIpBgcnBw3ew% zn1FZyam+YaBhr^hBR|5UoElmh;V8!-MH0!R(vi+WGsBb90nR7IRYh{-@MD!Xjzb4NyakTUutT&$;{F1eA-gDnn4Hy z6XLy4su9qbVEG_=Bg*k>O##YF(Bsg`0j*>zfOX@rR@ZlvmE(>^NhoP<8GDpNYay)wX4B*YlPs!O)$wg`v7@@08~7dAb(*nsEA?^Zm3h` zm`G;OrYT9L(GS2RvNuZ_NoL0M8atqI$AxLPrR9Tn$4H++17!M?Y4V$sej`&pcvI?`Kh|g-+QRS2 znHrK5Ze{gi)=^T7*{V)BGE!MtDGQgcY-%@3x8a`)MDjldzH0%l|2u&qLC_TlG!P%g z_`s|&&y1A8`|l+!I<}V=?s-^NZ&)wghYXYyI#y*#7!6t^4V!9ZEy7DMwFVc@FD)vThK5G@>WeRB+0vyF@CL+J8kRUDD&82CnvENzs-hCQ7M;GXUN&xAFO@A@ zqS4ri(D6Wn7s{f(x>}}x^R>)dxIp|xVQJf{JtQ(EzF%3vpdiD@$+orut{(2fZ zQC6y2wNT-!Pt?nzrAwrJ%eKg$1s|5n>^U=K<;wNayH__TBy=V|Bt(8H?KLQW4y@f} zvu2=!CZwW$Cn@#$W$~0r(rUZzGG+R7Sv+?Rrkg&gD6f!MLqyW4tSnr;Lh9=yGG)?K z-C@+JLpzCccL`8?F+=bb1!X<>y<&B>^w_SWD#hiC7fT=*(7}b>df|%IQjShEcgYIW zH;XB8NFICiK{?_0UrK3tSl)bpifq5*VA;My8+0vhQKLmBGGXK!(r3s}NfmkJgO6X4 zHf=gcsI*eD2@LAVI+-_rj!d081q#?BEnByd+J*+1I%9_P?bZ#Y5*%5Awhe~-aA8@s za+A!QIZM`{y~1d3J}~2RnJ5M#&KSAGH_KPf4SfWcJ?~C;fm{}&7eLgD=2kK z=15IEEv>uvLVM4ZbxYStCn!ySfR=koViC|XWri$XHV5*Sl(LexFh&wmSrL}BKHK6} zV4tj7vP5Q1o+>NXZjjEMI!UfRDl68ml=T?U=1rd_Yv#?A*4uT$3?PI_tw*1W%v-oj zzM1`%>Vno)Z6TT%mW%vSUA;=CPo4t4Z<4AOWfFq&oxNbKl!hy$Zqs79`|dlX(FsVe z?R!Z@S%thmeU?g=WBNv)R2 z-^`R+r$Tnc8tL3rh zUxtFOkU@P0$Za=XEu&HH^5q;*JkqICM|mE!yztVCGHJ?WS+Z=Y^dB%l!l4j4>m+&V zi6`ZKl=IcZFT@uvlAhad4`sn+5e#aume?tLzMw?vqVn)VkH~~CCrB!ilCJ0gb@kQq z`DdSrC+U}mAAC$c|NKkouw57F+Npy~ne~nQ<;u(CcPE@G(`L?)hwpn(KKS56S-fbO z?6c275-#;g8j8k~frW?}$X7EL$%79+Az!@ns(d!_OKH_}2kF_Nt=#aJi{z8(^JE5R zMDLB2@#8;~9zA4#=a-#{pB*9O}+otTQdHG2|5rC9@rliBqpOYFEP7%`<=Js zmDk>s!wwlPYu2un3okrRs-RT*57<%OA3t7Rc=6^K-{H!1>A3ke(1NDEus#bN%2AIB9!;oBTvZZpH7sI#(gS9Q1&|v93b--%##t%y&$7r ze^WmB^m7Rpm&h(dcElhuU7mUBN%?5}2lB<|Ur5)^ZKZp+uJXi_&&l&6-;&ugrpi)S zfE_w@mUgYHw zf)a%RG3T=}^6U$vWyXRP(gXb3Y0wVx_JptH;U`{_&p#XkgJP;ITfR(o*kNZ_pJDBD zL1?GiSgpKpC;0Z|WZ8hhv8c)~+qG>WZ;g3hmer=@-PcFU*QiTLxSjOe0Rx{WC67EX zQr;N-zP$g*D=?JekncXysbdw|JuQ(qhGdUdzMlN0Jayl_^3j;LQAS4g*kgBDHT@eo z>zs2W4x{Vsmq*IH$zRBvRV!rIVMD}^na1chKa_`_eh$2Q7qqUFZXNndn@$xnXU1fC z;_(OMqfb7Qci){NWmP58rgMe-^{+QezwHOh^0^b_>E~aBqFxRos$4o^z}feh^W?(w zPLcA)jWXtqH|2p5ugR28$IG;@K9!z39VG2w7)+h?u{`$lt1{-@2@>BhOJ*-xBIVt7 zmi>0>4;_@1IDR?rDyBt5E4)d6|L-VqPBH%}q~LPhD!n>hWLlbyNykq4des_(0C3t_ zzjwxe{Jyhx#eC=VKb`MPUb~qR#&dcw;q4yX3={L?lZn#?gggb7%&3S3$ zOYWWH-1X>#&d4`kSN|!$Je-F%y~Xw6y&HFT2rjb-Y<1JpW`a2e$| zy*l5!;UU5$P_0dkv(rUeb=JA)D^Dq62`d|O}J?E(39jE@so_fr=TKiYu# z2RfoU;on849PV6p-7V@TJoND0&YgGPuKuy3 z-f;TtwwtpliADp=o3Yf{amQWQgzB6~1Z~yeWO5N_z)m}n-Oki$)0`8IKh}Bv`KOt} zx$64sosTDf<7`ajoZnx3ne*<1Pc;0nL-%r)%^wFubDiIucbPMC${ghj`2o@u?mqr( z=N}i{?w}Gqlo_DeHa#Q=qolR@zI-k5d(z*3^!$ZQeFTUa2cBjeP zd;0-SG?G+*L#?UV@O}1mCVld;`j@YxEU*DY_w6S!Oxr|~n6{S5 z;30$I2YOiZ3l=PpOE0}tdiL%qL-*QUZo2+DS-fPitX#iVE%5^mJV5#Y-;P5D%2-&8 ztJiI48tb{sL|?0i)tJ%s`=n&Kf7*rW>KfT+?|r1IU8Rsgflyc)8@N^}Qq`&oGaa1^ z%D(&UBe7Uajz01@Suk(0);k>H)Hf#$b+zItDw9n$DY@phN9FS09U_-rcB3>JG*VR& zl->8(Tb~LLcHM25)YjKXHj$L}ZQ8<$9UzrKv{#8Q`Xe4Y|% z+rB-f(;H+V>VCqBC&=Q(i=-h^CtrN^wd}FeKv-~&F4fpoVJ=f-`3gOFj7Y5s`NCLD z!MF7?j_f{cS6xqbq)ytkZzuH;!=G;350XdjyhV;X@=!Vd{PRGA5y{`4da6wL_!ISS zT)$rW_UR*1)Ivs#cup?8$EIkV)@UmT{g2!mAGw{0!+<}cC*wuc;gsN}friy2nS_TA+Z z%%1N0$DNq|50YNJ2g`ZqT`1G1&s3W3y8BK!`j* zdY#sLF_Qw%wOukPsjaP+wUAfxXyN?1D*wf0Mfx5A*8=+X=`A(&jk>WXxv5@4-jGCM z4U$`0D}Ki>H4UU3DMLQ#gV|uaHjpX6fC2qw{`~ps|LpTm<@HxbNw1!JOCMO~C!h9P zT@K1*eVEz!Bmsih7Du4ID;F)2Glm}`3+F7*yqQfKrAN0OGN4a)$TEbhxJriXI9RG7 z?~CWmmIohvNcI@IyY$$xyPSL8xiaC?>9Tr7LK3Nj?7sV6n4#6MnwU{_VwaX=CW~1! zYnwtpSdaGSLK{R5v!)fR*GmcfGpEgxn{Rzcb{@8;^y}4IPCNBaG95F@6>B%?5^Dec znDvr4wBSJp9jGtO8J3%6RrNRhuq@j%|2JTpl(;LSc^(6v9F$hdu(vcAM!X|M@YmMG z#LMk#@TVK1vhV%}KzM6q`O4*(hJ7kW?mt}WpcwqYpcG-+rV07_FceM(%7nttb0OBP zTaS*5a6j~8xJcLR_!7Z}SiSg)gAzc8pE_x>y!P@da?k<$$nCe^F26tLPr4z+%a=;f znfY2TH?}n%YM4w*K6hP;4jQDnC+9VCi@gX}E9be<1A2|c>@kOv=rKyJJBHu>viSIOi_^Yyu_lM7&~ z?3ay8r^z!TUYDV}9wawjeSzF__q9@5UZr{0ty?S|+INB z5H?$rC~R1_4jnfRhLcm^IqU+)@o|$%26P$UE2yohlQIwhb5z&ZeW79ud?LR-U=P{8 zdv|$x)F`>~^2dp$~g)b-N6(v%R0fve!laA|i zq;~L!0(^4km0&0!aT*$+EmU4CPC6##sGGMf2K$T`@=uD9Hy+pL7NnGXEGa6HBGL}v z1IL?hzD>TE@V$8Oz z`dA40xsi>77N6y`Y}+0(%*VJMV^qLM<0IVq#zyJA!$9Gq(eB%|l`~I2PF_U6`+U;J zGHu30dG@)-B$tXxt2V7L$d#(>vHe%BUMWj3AR8{&-8~kXeg8|aO-h`JwA-o{&<#-v zjnGm)Sa%UfsJDHk)I}Sl29|P%%3^)`olT|1S5_>+a6tClb5A+r^xw(VS6!t7+_|ca z4BDYTESHC5=8Rdg0oKVQk3S~E2JIx>LuIgL_L0fcr^t*?Cd%3+tL3>7&&r}@OQjLY zrd4r;6gk|Vo|BEW8zi1hO50A|q;;zfGWN~4Wc})mve*8H$Y&GA%d0PsmQA%A< z)v$EE4p*h2_@gPQM12WQKJ%1(^UXI>(V|>({;X71l?o;-QVMP33%8JHu1KbQ{(%hZ zTOy6VO8Io+*V3?It>$gtvAdjc#u>WHVD@w~v;??8L3)e2V7tgB zwEwDQYoxI;%GGqucgL-_${FXJBLjyHlcLrg5#pDNF2799`s42~C}h>zttc-QFWSiq zMU$fG2gR|mx>k1-we8qa{Alj4rhO@O4fRUb-h1vXS6%s6nKgf*OoO#I_T7)AOZ(Q+ zs%4e@=?`Z~UClAm)MKCjj_1n5diG20-Gz@gFOB@Qe zvZ|#lT)0sA{Mw5z%F?CFq-WnA(za!V@Vx+x3Q`{CeiuTe#G@Hm@byGkr!na}a8K!t z0sSv`Jp!6H%EYfek*}xBkv;bw07D4LF+)nDjrbsyymBg1GGodN*rO5gmbZbe6U4Y+ z9!~S+nR+N(!kK?KS4O_}JdCDI7>Ho0XNx42<-R4a#2exed5^aH*f-vkiJ0y5+-WF~ zV+M?Vl7Nx)&WG>GNAJBaYuBxn@o$ciDN`}4?J-1l+V>z?xO9=MT0UDMsR-<=A}K2m z3C2z7(xtoH|G;Ci3fA?Uxhv(JcRm6oen~XeqXR&4vMK4i{f-i^HwH@zGtS!Ov!oUL zC2hM(9P(7XsYa5GDIG{Fple#U>nt@e2=Bk|VVS#l9cJ8h^6WD&%Z@#}C=M`4IJ9tx zu)0YtlphJqZJk1Xz-AHO8wL38*v;?$HLy(&HmSsuu#)`{VpT|(Zl-bn&EokoZ1-KH zed`voc-bOYv_2WS^AIRBOqnn}43`v1V?%?4!Wf-l5x(-u%TOSHk`@*26tLe8QdU+b zmtA(5Jn+DSa>8#;mf!#OG{j`2HKuVryKkraN+TE?_BiMO*{*v}*=eUCI*4#9Rv6Yx zht6%~>uHnaZ&zOrtFT6nI_yYHN&89r_Fd$Fz4w-PfQuZo6Z!aiHjmVfpkF zKP>9TNWC}^>fLtTRnoBp2A#FC-#+{54wx&i{F{t;euP|g)fF;qmqC!t9OOSC4hD#_ z7Hy?nsZUNj;n%WeLtJ**?-$akO$!+^sIR;Z1#-&Smt&B;US4?W0Xh4;i!j|k7BrsTQ3*F|(HebIS;lEaQ1E+?LTy5xdTEf`D!o;WP@u;jc&Qi5`pEt@CD!n*Cyp|d^= zU9xbw{O077r3ka7BrNlFt5(YnsDJzRZDrP+IkL;Hd!rpY$kN4&WoW;?(zbO=$Oy+r zDp!$(>sHEk1A9xy4js_ZiZIC4W7u;*_YTscb(I|VyVGUXY*^d<21)1My)acDC}E5( zRi&`HznLt*|NZZ!9GZgXAa?17cJgH9#=l)54?p;Tq@k=SN2Mj)yh!j!S!J0NmzT(y zXZ-<+Y=sQobr9O5Sa#oIcNsQ#C#itUo%OpjWWvWE%TY&yhn+gg@Zkr;`i#qQCmbiM z)^3zN_d8I!_Z``!2D77Re0yLQl-SqcUXAJBSzCDOh_CmHeBSU=gYYMsnkyg;fd&@V5(1T#CYjC_5xTGl0{Ev5H>zA|#e z)AIMfUMC-YGERE;+(9~b?jU>Yz8Cs|$O*@vB=hDjkbU>wL%MbBrn_Hu+HrvH-dVhC zwUnYi4eCEg;*mzl)UK0#_SzTLdPnKlwWr*6%WZP?)z`wPnJxq_PEMb51JG$3WkP`nr1Oi!UZ>-3g?L^|#mj@O;RjJOY%xUM;UI zpYkDwxO6J+BqMcB95@>{N3|K8b;4232cJ%L?+m0AXTXkAf=~M>st_--T(rDLoI_1RUrcE$)278T6 z5O|*jPn&=bg7X0^VQdZMhEd460k{+c!eXgLCz*5GEf2`!M1u5Y^h){K8f4HWTeb&* zbZyE1EbdvCEy30~ADDH^GE*tk0oM$EGBBmnDO5=Nht1Dx7JRjjDh=qS064JQNu}NN z=xd2+J)>PuhmmanE`*$@W$N0|VL-WwPD3ghyb&by|zLNAekV}Z^y;ZU*o7JMTFR! zQ}B*?wxn^}z_dtSZhCBh^}CQCwOJkohS+woR|8w1`Io>pEvF!zg!Pasj4&8V0>PlZ zkids<1aw;6C(W&T+@H(zblg9?3Rb{*=ba}LCQOiHk3CkR(WnFh0gdC@Bhx_;)taTB zz++Ci1uBt@G?l^QZqaT?gE0+xNdwdKP^nBNjyRr-#+O12j>g7Dc?8xH%N#y@xIFsk zqjJze2TA|_{WTpA>*6ed2Q&FFZROiLJb6vC!=V?O`jSSznS=ObEUqsl5V+PpWXMjY z9ss5#Uh+WCv`8kE7f>2n2c-*W_|~SupH-_phNtHFo*!lb2D zn?qeCS&y>7ceoT!5d!e!M9z3>V`+)hY}BHN~le}WPaMnkjYx@CM9)ZsXn1;Z-Y%iwa>)$F%@bk)Wwv$QA7h@Vx2d>^a zI?IGkL%l#>lJ5tQ9$Zm3D1FK1_^czRuZu@ws2TXkJc^5%m;p12R3e6aDSdX*7;BU` z^2RA+X~+feBa6yt7U4WAh4stCBal(FBIOZ4dNC*}KcK+TCVs6e^Cd7-j$qcr6aQk6 zTk@ajgRq3T{?E64vpgIgbm!ubNt7)m0ohc&NgwjYYa^11CRGlCC_4-~`HTgl1Y2Fw zki$%t62%AaTr6_=2FJ3=$2i*39zVg?@S(!B4fyPWydwDY*Z>Fg^New{rKy_IrAuU~ zr0(x$0H0@ZNsj%M?*f>X)TIAXuy{8sV2eVwEW0VsW?*9t4+vXN_tU@wX8%(jQ1McU zQ;^tMxx_$VgR#T#N+G4<;=>{OZ5;DXn>J0lbm^jwor`hAVXsU_;8IOI9)*A;(C8s4 z#@!*G^G zVGIVt0+U3%EE^qZdz53Qv+c#S9Arond2)dI8Vcb#0dY4s| zOQfMu*QUF4?PAjNoEGrC5k>&dFew7fJPU<`F@c9!v0su#@|<~iPny_2=&!GDlol;Z zH9hH%L>kcs0l1>3HsNkGpD!SO7zdceD4sx&eGWY3KmytKVPvn1$0P{FZ+1wbeg>&N z?*KJ$4CNgN_<`Vx)aE&DpoP51{HV=K`<_ey#{O{Xz8khliECrBRRC1twqsIJQel>t zmunn>aolauqD2d}FnJ}g6EQE9o5g3Zv>y0YU0GQPItp>{gf^dc8a4PzXH!k|!(@D6m#&t-umUGsD@5398H?d@P^oXx%GVj%YccQT;C4ai4`E zWCv`3CC|F&4{QXML*+qUFimM`sp6-i;#;IiD2;F#lqAy8u@kc#?xx}3Kx>?X6JK5T zLz(k!)2t_;2hsUpm3T6+bix&q125P?{X8`=TqGN6Vp4*#!VauV&=^7(A6jD6fOwPN z$dB~oIR~OR?s;%ou@7l{L3Ai?>*UU$dbR39fiOB8KVng&Yr9D(oFo(#cUaWdHb@z+ zro(aobvqvFX$Mg%L#xzlYHFma$|xPiS5#D>p+SHbGY+&hEkiHx=g@I8X!bw?{0=zM zfV!53(80s7@+))4;Fez%O$W}f~AAb44jx9AdGFnwx;}8APvk%I+Y)AYzu-_ z{J^ZTQB)K}dJYu)FhiMIt$dRf)zUBuh@k~-2wSl+8k3@6Ih3`D&Sj|NNF!n)t9*?; z5Hf8Zk7EER3QH8$Ye`Wt;uM{pucIH<@IjU#56tI>obYQ*4ip{VGG-gmA|;=RYu&na z`a&Js#3*kJg0O}|z@I;`vYs>+$P@CYva$mFCw(4?LE%z{fKX?t93abELe>y(`V{&d zlsM(n7%_B4wuq1Y!1z<(8)O~z@MBiO;;U;nN-+lKBGi*dEYR@ct}p`W*Lr{fX$*|P zpyemq1Udq^i^3(+$Scdx*nh1O|1K~?=YKD3vl3^+^J*0!f%g<%HZB{$c4PwYnTMU) zb|wmvReaWBVmfOX@jjcS0;8e{$cByUrK++GI)D#2*fGs?+5ox&Y4Sjc!RnwzKnsb& zMx{yo#7)Nz%Nc@IC6{F^)ib*zp<9Z~|#19s-5d;$)m?1iErr??G^Y1wgjmIarRSf3p75jbFkft#y1+~IkA3A=8h@^08Tny`z{AHc&G`X&>QTN;v*x|`fmTh^#D|ts{$u?oR%6ssRD>CGK z0yBdIm3CygH+a7~_xC|XhzHl62aN@!8(Y6QsoQ(q*(`IkV8L}x%MmI;X~UdFoj{<{ASNaPuhbfDu<_WmjI}QcXe*$D^~es)YY6gv;Y$#8ZIYxyvoVVt5;nOdui#n?u& zoyuA~^fQc>x7VA4WgXMCGp>Oe3%m&NhNUb&00E^%KntCMk%qNKrSFG;T5G`4W(CA5 zRnkr%Ek;;4jWhLP82tp^Gu|p9hUcf}mBPyUQBm-oz&Kl1(n7!GNe&&KOC=5*r^^kE z4VZctOC%c6gMH$dVsoD@t!PyWqy^>E>LecGpaiJmQDx6p@{QHrP~V{Ez3_!ATJ!-3 zJtc=0TOj0@M4U$hm^vG)i;4w&L}yXn)3V~sNBPg?EIxA}pL{yy<UJ$am1QaCX2uh!9CQCFWi3aX8W{#Xu@SrpfvR*F+SSmK5;^X==l@-$y7iEv_ z#sj%PFY2tzeqa`l7EnL16Bn08xa@>#peWD?WoxZ*wiTCZR1rey^KhvsW&nQlp<*b1 z&5L@P&*;HeKwJpCPbbWI;9OGSj4ul#!XKuLaKJ<#MPZ?!kqh>HBkMGBjG@3QmqZf4 zV+=4Ve>>nA{!u1~$H>n4HpZb$l%j?bv2Z7nA3Pvt zi=DX$9^lu}68N}1nudYx6Zv%6ux$my$$tVypqmThJ+EvGGKn3PjhJt>Qn68y^GdJ; zGLAqT%*%#jr=zg&-Y6vsxEZCXz^Q<312YXfAeo3;;Detn3O`4EwF2C9yecjL6*zIQ zTl!{wKNjQ8xCx?Uc~7^=j9Rz)3E!IUs2F( zfyz}C8aiFrACxdUs+Q@BL<$Ok4#?w#G0Yve!jX79jAjQm(9agPZgp(Go z^Lx28guE<$cr@Ei-Q{J zBVW1P!E#v`Qp*VCx8)*E#)JYru!t&oi}mc(F8gMbP>je4N9BwJ0oa!9PntLxcN#t|q8U6V!}ANX0^92}@T?2-`c%JNu_&Ct2#-m5_QTznX-P& z!_Gh}oWLn*oIHV8(lSn9s#+W_mMAP4&OCquG=N^E0~QV}_*5z`4slaj091Vu2)8cR zAgGa_+5s+fSI~wyOuZRigmM!NHImGvBn`#G=Wy(hNq9wC?%k778cpOU2D4CW29BMtPD~jAy&^o|bEzyBJVT5e9me$p^Khk#&zG zc&q{}JJds)23Iy0Kbp(^+{9(uz#0Z@H{0&KvJR9n@|UthM|$|o#y)^I_4H{N<-y1r zAF!LHA+y_th5(mJxQ2^?6`fMs6m0=<)poSB5P0fl5@k{65gf3GiimB-T^cFK9?PY? za+ytMGmvKvkPvNw@r|_HD8St=uz<-!)Q#V=4RTfrd8bk#eas7TRB>}AL#v)gKG4rT zQNMA6gu&l1-{|Dh8^Qx1lgB%AhDX`vK+5uoi_C7M41yNQd78=y^z%qqmPxw71|8T~ zzEwpWYh(&)wAICt!onve- z(nupT4W4plOC3R;68M1=Dsa+4gG$>J`MBh$Ry=zgJ3EpiiIz`4h*jf>^3S|1oAswt zee@&1NZmgHHii=60t=+YW0f+&Dlr0yp^~J6BGY(JWk)75F9~OQE_0BP>}WhEh0IPv zsqoWp6kaN4o<>MKyi(|?>;teQxs<@8L)qcE1i_92wAz?-w!_+if;dPkAF%OCWy342 z1X?dlPpgnY&pQNj(oVs^wv_N5+|@6#fiGvfuboKbn;^w z+R;Jl;?*nUhMWH`OINJWH2dtex72RhqzaA7Gu41u1(YiVLOTnD8$C}2y%EMQt*4^W zB0V0J-AFrqLme8_>;wtHQiggGKVQ>^z<}|}x1y4;#L$5`AO#_CdekiZl(!H%IqSv2 zgc5hhowv!g*If+@E+&-~6-bMY3dat@9UEDUCPjhb$mERBrAED_N2H|6MI!0{c}OgLs053*{2+XqUR!o@`&v;PW^u zr&Q3CPs%0-f-vOD3);BsLs^zxZ6`@`YDlmJ!cAr%O&Z-f*LQ{?RA8Ng;x~ zG?K#Ln|?6mPv=T444iP#jNpw?^UQ_IJW0qTm&}NdBRgj*tUr0k_T=?P0R(TG0hQM) z1a`BRCeUfzmku@ubTYl>$3d~_l{jp8a~N@Eok+CCNoQhCQeO&ioSK?y#Hkl~Ou5UK zFV!p4rP5I+9*^k#rcIml3dP!l*Iq3>=)8Kh5KSeWMx-a^Gzy9&;?B#XUUP1|)x4aP z1YIniuDZVYr3*B^mP5cyL+it`Y`s{=E#aHxixkg_jq9DWFTKc_GGm5@ckR^K$s|A@ zUlNI>%zFz!6RoaSx)QNEC!46&R~g8a>gx3jg##T(w@%-$iK1O1n#Q)yDv(#F#7CS& zyupd5Qd+)3uEEJ=5{j=bgZ6OSG{3#FIdeK-GDZHT!9&v~3X0b_^49Vh9YpJH`E3Ep z(e1eWgI%Uh7q9f70T zJKA~hf%{Fc1?FR0x~OX#>)aQdvY;ZZfA!HijZ2bO0Ja)^JfsrJ2;|}}3p$cK(b2qQ z^Xd2xoWVneI2T;<7bPc2a^bEx|If}d51Eq%8L=wwL{JM*#2SY|NMGnO{BRL8N!qu; zzE7m5J+e?bKqB7EYts&l$byGS^kr6_c$qopq#$n*@W7Vy>RV%+Q+|J@`guwwPiC}` z%cY%2q!!McDrtf3Z5`X$>MpiB6ukNgnMB5^UBiCW42|i86GQsH-ExC-*F&bQ&OPT` z=k3wv6i$aPT*WAhX=l;Gc}|Cpoi&)Xh@u$QL^+mb9Zj8#+dAa;y={eUdhMPg7p+ZN zG8|QqPs8o0X*}hRTbs~{^=q&qH~OHm#9fz4{`~E6dibkgvb|N`~${ zRNA+0BM;vHfSmdJGxUT*T1ZaRoXWRs@iOt0lu21>2;nLDdhQA-Ew7YTWu+L|>%r4G zuPw*oVqxU8y<$gBm6rCX;C5?QlE zrp%ZlORF2DysShj&`z~=^?HUn`LTWjPmN5Vo~6p)1ql+m6=H^5x5w_p~%<3C*58TY2BmP%rJ;w}<6aESXqR7B5;XUR0nMyz!*7 zvT((62~`$JAd;4~8>?kwJSuZ$&j+vCDo<%CQzj`}w8%gI{Bz|qd2Y6~I%;9D{VQO7 zQO;VnY^fGE+lg&PYn|(-q?HyM+ivpY$x0vb5I5Ig8!*E$UuUWZo`q^ra!X`IMKR=j z11!B-ovA6_WnVmQ5Qs=)Q^4ik1kglUHAR6?K{`I}GSA z#gN%ZU4zuF#VmmG18ck<kgZ_klVHE*2{L=btPs1gdT#=Ssv_GeOF=0l0~Th3bouz(T3dO zx}kc5OrA7Zj{VgyC4n|tzkaQJ_4QY}RKu@KvCX{RfVMZ=gEI%t4k$C!BT(d+A!YQ8 zBtGnBzvbEa3=^p&E2&73z^bpz#N*4$Z=j3s2x-FBDvpc}UD*-LtC-&@j< zn;c~y^3567M;}j+V@^0xKK}SKOoWmWEGm~`SmkV!SYreF^8%SSbGp`;{g`|tZFKBE zq>ugPhrqU-odTp(N~{cpn~uv8=bUqncAQb8M(F`pRM-zb_@Lf@`Q;bN(18O7%2!`~ zC67P;xV-ezOHcsQ<=A77;S@kV9QUC-_4Ly+>b2Ko@|3BvX3ZMeZTDSd>9Qqq!womc zfc^uac-zRVS+nK7`|gt=Lk8>q;vs{FC_S&gK1#ZErx4`i$tRwYC!TmhCQkf9mBz4P z!{jyK9Wi2rj2t;ql?Ml!jvYJ77hilK4?OUIo69e(&>I%rLt___4%-CMsD zL$N2nI6(2#!{d%6GK`{j4P{jF~Aqw@A( zN-LPs?!Vu@a@yHv3r{w!U%yIDKJ!A^_s}DyZIMTwef%NR`6+pM%miuMsk;p7-3iKY zzC7^6bMpKPFUi-FzLIqfUfFv{KUq9ys$6l^RWfhMD*1fkL>Ye2elp^T2W8}IZ^}z= zd?a1B>n1z&=&EbwROFn>j~MX`gmOHl;d{v!Urm(X{r(S_B8TO<=U$XoUU^MFBG96$ zrT7C}9y7}p=bUpklsI4P>Z;T6C!cy!j}YEzr=8@68*h-YW5>u_W8RdnzxrB=ODbgh z?R!e~s!ejtuaA~ro%$Q81pefP^|HsWej%5feW@&+Jxl)l=gVa7ij^`6bRWF$e!51P zN%P@(sSf^6KmC-99Wz!&zxjsDojV6guteLYp)mrP8KQ&5n{U1;d+oKSeE7lpa_@cj z>v6)Hs%z!pM;_6$Qw9te0KR;tA1L9pdD7RDwJmwJ&f9Ne3jeq3b$R8{#~wuo{Y3WJ zXK$%$QK{cgedMvH)zNbA{rAcjpNx|U zpMEU+A8-Khe=QF^bid5U;I$e?!-4znFHb)7xXhY7Lv|m&r=&4>op+vJQRqs;mB{A21<}^B2qqzj|Q+Z3)?XS+4l&-&CPL{q&RaGI(;> zVMk#QDnb9BB@aFP2>R}5`SjCIC0rDgzJ2>aQlLc9rz!i~X8bw&(sO8smtGhNCHC{P2Fq}JYzWfq>ZZzn8{k7NS)sZjCN(}mk{^D@q=l))K^)-3?i6>?B8?Q@a zB&Gue4Lg>>rJwop=gEZ^UL?mHbF}u~lTSKPsyA(vy${%5K6&>8c^Yy*{Ln+>qDwB3 zlB#m)*}aGMc^;F!$FN=Hv(G-2ZZK4MWG|l`kjFg9v%02M`v%V;dh?ApP{*d4Ffg8tQ#H=}F!kg@gQm__ zJ0qTX(0OR&Yno=(^pBkVjygj9g!zl+J7=ExN9UVw4DBbLbeuE#4U?7=s7xk-DO(aQ z<*Z-74m6mh9?rD;_S;P-hO;*=asKqTbDT*tCTd)-cHN!iCQLg)N|w{~dNbW0)_FT; zeKd#QjFYHa=Jeg;V22aFrArq$ryYNYQ@@GF>O0Q7T29=mohNVmi}TFOFKZZK_|d=B z>D;`zpF1ZVf0Q%ro7oz^Y~@_1Z@2B#&-mJS(utw1I2|YbgqL4>+PU)|H(*NJ=uDeF z+37c6pi_@@gp2=jmGjV}W*Q!iHX;w{O*wDAHOjg4(n~aa!Jc&dJ9d?Tr4~ z@Y)=ml5uKk%(VB~Yp-%1eay%fVdQJCI_F( z)19?z*6RJ7#mk)Gzx=iH_J{B3{g+>j*DK-9TkmsjzV0sga*(yRoF0RA)u}Pz4`=?# zdG6Vf@Wq|6uRibm?)<-Pwy5yoJMTI7-uDptOWcV!u5=c-a*WBpbNQvGL$1t+NnU^D zF6XBEScZXz@3_}_^7=>B|IiJ0Ik*4g?4470q+PUygN|+6w$n++ww-ir+qP}nwr$(C z%|7*wb9;Wmd2im!s{e%Erqz&*0ed?Qc0<>g~^R)%N_vIIg5)Ft$716VN;Ax@~zG z9S&pQJI?UG+FqQ392}V|WgW_LFPjH_)t{C=Z{ZC6;gjV$CpBHb&@99BjbZPq%pXc&Mmv_O_mdjcPS-ux>na3L~!|c!7Zn2Yb@Y7El)`ieq_8xlrpyJN z_l)$ZSp{Ikp3Gj9`>nHxwBzyWe7fQ(vpJgY>&6Gi5Ab+5l%CSH%_ZKpfNWZ|Iwld$ zO%xALpHmPZJ6*2G402hQfcdajiE1A6z^zO0eIGe~(=JO;0EA#n-CS00{tY0DP_?z{ zs`Ofv!`sr`a%IccBRKsET)YS1Izf$c%(%|p*Q{2-OG*sy~4L`)z znjD&|G&(fF5ghpM{Nkf(*Jgu{A7*%N$LKq+3RL%WJ+Hx}+zVz10jnhcxfwUp>UTcq{?R z9Y`e9vyqHE7>a4K&E|`$d>?0q>U^f-P!PG)lc%)CDnS$v_Luhb!?Cjw%KDO5M(r#h zMSa|e-iCA$RJy_qxFhi-f#y~V_fmLaS6l6oxV~5O4hQz56V3>H^uxzyxzPYmc9GmM zgKv+p%eEoIy7TMyQMZEJWENJVvy<(5Nudvl0x4BCPfNlhLyv3>@4>J3*P2Z-*qso4 znL^Yxnk`c}sTm0=q^hVtb&y_?;AXSVuzh_>zy#1}7CHPN(NAiSv@T{RT4*u!#OnCmSxDQfsVIWQ+t9mdztrSEpXbd-Ai)^XW!#{3Wfov29F!*dO*+N#qYlaR|(Y`NtTUW};fldj3ETCbBWw{MKPVMDZl>_~KGlX(PcIRZM zBP==LHe?&$lQ|yiz7+YP*U}#FhR$e9C-~Zfbm%Gicnmw>@|JL#ZeCBf3eE zeBwE|wT~KCkx)1FWs)JC`GscU>M72(J5gPm$d<`2p4;OcAAyos^)3sNhl%b?L*EI~ z2CJm3TEPOxV47z)u1xnNrugxKO}P1bK^ZPwXtj#Pybbgn%&y+*)6V<)C62}S#fSwk z5=njr%JG%FwRNkxX7|s!ibIAh0(rDJY59%c%lTchaWDHHJ_TNCDeqk~q2=ZF-GMU7 zbba1*9s~9|eSl-?sT_Wo0TmK&kLRS`U8h7@ky)-+-g2!@O!HMg?L9Ahx3L3!V zo<$uknkj}JL*;VrZR&air`%ePmiLHObAphBF_v@MgT!&7vX|{XZg2achSZ-Gvf2DU zZ-y!t+6>#)t=mVozMq-e4&%AU7TT7pwF+Jm*Ni|lG6oeF!SaZjhJW^bh$`4wv3#ai zC~pqJSlKUDN@lWo@=+YLh?A@gqnB2eFTP1)d1;kOWaDvadPQ%*Y&~4Bi=&Sx--ALw zFfcMnU@UMh6!;;T=6HB{K?8_*Nh3N*8n#T4laQr*TP`<56#w*DD~IBHHt;?kM0Pmt z)r;j|Ox;o;rAhM9lK?95G>l<1o`A+|wg*4J@T#VqA{CkPMJ*}0VzWkQn(bM^`}5{K zmYA4n(*qYUiX8y-?eJ?Cv@dR00j$py%&TCAhkJ!Te8#FT-ikc<%ZsW+Fy{9O=ezzE z=QpAKY)&_;2p4y54j!lq?i_|G^8yB_n}&P%ScrvF1oHm6?0$me+@KDe#J*i34Sn)* zrK%+ai3*NtZR!O27D}%FRdU|;q?2`uJcgw*NuZQg6-w$(3Y}Js{kpcaBq5Dd3f-c$ zo61?H_UUezxl`tf_1rj%!&Cj}f4Bm`^k~6O<|$e-Bv`-ndL z0YF4e^wez|qvQCeL*IV(*PCtYk|r@dkzxYi`=Ke#`rvW58-fJPXgLe=v$kE1rJ-tn zy-bQ+m4BJvH*V+KgTrD&4w@C>ONwGwD2xIkzw?d{_B;h627JDOVEjh}M_;lLRe^ny zAV;*5tdmk^#jeBw#dl9+7!q(g+IpNx#K`egh{nFT39t})w=b`$QO!zfr$j~S#r%~7 z?X@4`x$=Hu2L@Y?E4nRThPxDOynMlCwo9B0*RwsD?F7DNvDJ^f6l-c6uNAiAEXul9*>m$g%{uu7O zyBz{>@NJW0XglQNeopF*XS}nJL2-RQ-;Yja)<(z88|o$lOnGsDc~jQ2+I=S_@Lrib zFyyL=fO@^n06=Ei6?oZj)pNfu##q9{Ye>ZMYXhCBk$Y^1!SnCT%~+{3V0GZ3N=4BU zXr0Qk?)e&e)q(`X=O>FkS--5J0M0G&J+BPh52w|Pw%YEQf4c1}lolBM7S^NE3}K^m zH>K5B#ySWphoGA5G@z&@KyZ9l04p=OM4m%Y^Gs;g)1&{NPx$L1)7BW~m+kwHzB0p9 zn}upI1dV!!)uCjY|kKE*V`o!2#g$_NOio%o&bp(7gm3P zs>Y)MTmt_&s9BwPc+kCY-!u7ea6>YJ?@N^9o6ei0;7NTh;_t#(-Xc(lY6I$c&7f-a zdc{`J;ry`)sY>~OsvXAh2qkSbJ2gt4>D~G@OC;4c@`GcSlMb;oLwq}w<_NtV1Kopr zY~%WzZ{BwbVq;;Zxv3W)G7gVuzRBf@z35MR)tia0yTKX~=~tX~abCPPLQDCAG5%=p z3zN0t_D}?@$&!^R%E4EJC%~5<&p1Rd0_KYq)nA7%5XB-YmQ=N6Ls1qyO=6JtTPxzw z?{^P)vmshUkFhHKEg3iMUBm+9RDysaf|L7ZO%S?_t?iM$AvK@+7F(0C};Y<0fA?$5!iWV#rMowl8F?6i6nEV+aL ze%D4T3c)+D*v@!4+?$miFj`IsA?#8>Ts6~J zOgXxFHTWcBWtqi4kmZ2EOn=L8Y=y56u|$wW34}2W*9})(V$Z$Qp>J2ae}BFv8l)BT zJ>3N^l;~hOs51bl9qjGTEj-36Ps@tC@-%Y1FHKke8f>xA`)h){xWA|?G{^lzafw@Z zJt_f-KjJBLI+Q4UIh3C_?m%UMzw)XrET{V_csJGvEmx}s_mCHa?l_h9#b`gQdjp%S zwn4nfYd~q7BLlm>1d&X)ZF|34oOW$^@EAD}Nfp*bVNZ}KMJD=K7&ji#=VjIDSapA1=oiIt($m z?w1yicOdWs>J>^%zYxU{s;xnuv%UZI&zUz-!QnA{NWfal!(}&{jeEJDUdzonA38kl z-uC+`lY4(WB?2M$+Mp zgxEs2KAp<_em;UKhv*wjZJYEY&qtc!QIe9Z|L}s+Mw5BrB)Red-~_XP@9YRvwo@#P z6M^eUzWth@^>R?QDWWa(iK-C*=z%4=jLwWoYPuy(?0pmbahNA-AfZL!i|*b3xSU@@ zt5aug*!B6uq1h6WLQz#>)1zeUwEJ;dS!Xtx+U#Td)A4dfx%qkv2E#^g{DW)`A%YDr zaAkn?bucz)AR$T`a38cyD@EiFqzxVXwxU&dG)5AW6v&9ia}>9KAjb1J98INUD#Ym$ z2bjo^1NRHZl2g19_!V7n*p**4EM2jngB<{qA|Y;yoqI7XUI&ZW-^jE_in6{o!~M*2 zmZQ2s_&|p}(?)Flb5o>U!fbA*1fOq+zkdq5_r~JzAj*q}UCg!{f~mu$$pc!B0&o59 zf+qp8H%jFqmL}b94??meSXvHz2F9PlSilg{F8Lqmdn&v8&rRnidNb~O(rXsK9w|Z3 zbHmrenW51xNo?|=&oj*LD}MP6Nq$*{Bc=hoaPoeGSX6^J$wJVtmnW9we-znn2>=97 z9Uo@TR{_lO!2X}LdKt@Rr$qU&Spu_m_0j z;;370AdF`iQy|`UyMZBwqrzA|kZm2KT>vSCfj^fLb({UnF%SYy9?L4I3g2hQpaD?q zF|bq}>TLb5=Ao#g0V(IeP4{!P6aCD={o~^-;hheH<1` z$#@)*knwj&GviO2?JpA)lU&zr@6avZT_HwhkFjxzY~sXHFEV5Qzux*4rZo8qZI02` zCQ~XHn0LSHWK2u#I3iT`lux=&AHu5FBGkP%4f_F!%KP9Te-b03c<<=pzvM0U6NWoSo zO)eKj69(yo#weCVzSQ@zA0MyU*3kDfaG)hp_W{rpB&1dZ$+H*95>a{hOI(4|GQWbd za_)h3?a)O9szU`$cv8W?EB?G?k0~<~_an;X{py`BIr>){!>8*S88>Zyv_FZk<=n@@ zPithLX`eBUl^oPJO0J46ny$Bz;iU!dfIjRO;qr3y*J9YwJ>+^~us0yzr2UXc(`%3^ zWL?mm5;EtnUkLNP2{sYMQMCE6y`F5sX^yWzP3Hyk`BDqmM!>!k;n1~&Mw35+Buj=! z=R?{$ke+ZLuAf}`k)-tA#GlOl%J@1uKTBb=L9acCiLU#yq`=VVI;-~ZScfv@`N2h0 zTXi%DT5zvH5K#rfSLfWK~GP@U5 zjq=51LLDd5C2{`|*PT%#)YhX$j82hx2&YkCBZ@DgQ$e-3LfH2-Yc!0;aU++|FEb>J zmqPy0RdFD6H+X8^^g|Yc9Im5P;0=&m5e4V_D~}tW{3?amJJLn3niY-_{Z&+&$hHTp zjf8zOJu{4@PF(9>+|L@wN5Cvigxo6d21z;>%oqM%IwFQqJd2P~jkZt7X`w!v$6Y53 z^>;y{d^CHjqi+G&pOSoi^oz5r^}+c)^1UZ7MmQz<-j1F{gXee~{-;luQa)je3sj-+ ztJRR}ssTN46={EXX~gu4%P=9Ey4qjNUO5*gjD?Kn^X#2;(ecGh7g~4JNwo6^oxGzF znA%b#^$YDbF%j}ii`^15QI%?NsWBGMRUa$MwQ=OmKj`KI`+dTI;z7pLYrf<87REi9 zvwh$}l=q6_FEx)~Eb}S;3AlSc$NE#kyq=J8vQ}|GS{4ZhQ(#G5cyLXU;UBQs)(I#G z#J_nPY;TO%N?*`)<^`U&g(?R_f<2@uFnno46b?_TO~h-zg>)f*uV7~6eQ*C-)|&&=516z)Pp)Ss4~$6PXpOJ=}h=a z$8u-*wAN(rmFIN|{A9z}_hek3t#SE1 zhKcwzU}uX>d{72Oz(8;a0U3ubLxRXZCm!AhBnDR8)lYDQE|BLx>trU9-#AbgMo~~E z2NH;Vl$4!d8eQ6LwwkqM07M9Sm}YTbZA7mlfejmA#Y$*RSMotcY4Fg0Z^Ecv2)jh( zFF=}IooZGh;FTwLF0762yvTCaJ`C5G2kTbx%`C!ITIMHUM6sEmCcWM*E@q4r@KX3@ zM3rck>J(5L>zEz}Q7izjyq?ZIzxOAxa7E)Tur&Um4YHSYNdTXUVb7Tx9~hw_BZZ1e z%}QWFsQ9E#){5l|iRse~BQFV$8tEtxBhp+?~`Glyvm#C*T!h42Z~zL7x@!%iZZJE->QF+BuZWsk;qncDRN z4x2>vv<^WD5H}@n8&qyEN$p?4OlijlWU}qvRo9ar!R{A!vBC41`feu!avlGRLx3e! zPF;;~kHv8L_t-2tdohrk&?}(Zr?i2o1_hm(5*b#Z%}8p_p{(^Wl115X)M-Fwt=rA2 z8EKe{Bbc!wKmzP>w+Yb`&$c<+e=g(No})l8_^b6p);WL6!1@ji`G%O|2c0ffnd|T> z+gXX@2TnASOAg|P^Z1PaNt?I$vcd5RF>DxL8(@DLd@VRADAy|_$smfQxd4Mfmm)H$>X4LFv)z)Yn}$upM=id08t&t9Me7bM+|CRVY)0px?~HjD0VOrKgaC$;bQgfcAeq!1bt z*3e&pPCg;xOd_cYO0)Ha2}2*FRe~>1Lb)zv&bKomE1+oDNuh(rh)C#Af&|FFNhelm zQHLI^uIfgtbOC#Ub?m&_hK2NZp-fMd1`(0og4T-KNYH;Un~7|uAe85N`%oVJ!l=g7 z0yD1%JnDTm0@Gr@#F!J2&o@lTSO`57>nzL=DgR%E4fFbCvQ8G$O0zP zr8>JC`j;X^-Al-u*7}9EluG9tPSS69(bF1)10#+FESBqCTvqWoJPG~#V?9UMfI%T? z|H8ZpNPdL|5Ka3Lg^4hs#!Lu-N}$mgdA$#*d-SU0e+|8KXarb;nkc11z`Uh1Yg&H| zNGf#b^40|x90(Qf{fsLsVATNyjc$Pu zk`I}TCEw}rQIp{y=(c+Iqovd}B`=bZQ#SI}Db5g0FTzD7)Mh&C?w4gGV~p)4VI=#O z9>#28;^}aEOmW;34_OJsi3XN8e)gKqe0g#I%&T$ z6L3;eD$yE+EtL(sFD-vFz#CX70eQW@!a|j$!4L|XsZ&prkm-0Y!!bw1*>gaAON=KD z64I%orwx{zVI1;XFz<>GKBN`hAzUb#e|Q5;Rf_OmNXFQz{P`7!fL=UZvD>!Cn-YFD zr*1XMnw5_i2(RebSVaippVJ_lBx3}O8V!P)vvbUKEl2G){fjX|1}Z=97#@feIrv==aLMdyzj?S_Y<7cE-hn zoW9oLHzlFNC2X8SE=Ql`*~$C`{?j}S})7()9X7=`o8=17lC0zLi~eZ#W( zii{KSAK58|XoB#((gI+zIw=8I)6aG}GpgM_cn@h`QwB^_hzy`m70qW>eX4}~5u_bs zTTsA#nkL}2_c&cL5~#4Yu*j5uR!5)SXYOXeYBch{!|0%nwulD!19$f3S)onl>U2;a z-8o(41EZJ!KvvP67-T-q?CmtXRK@=tMp%c;g#F%Bo}pXTcSf^7fv-_$f5p!8AK7Di z&C7v&@P80tNvol1Er*S>0U!DRga8|MU^eNZz9lRWi?;6X7o|28dvD%0?xJ9C$j?i|8kf+Q1TE~$zuN`O2q0vdNtM+mZ?-w|iH z$WfDX1UL;iK4n@)yy_EQzTu3>fmoh&`r5+YqRC-{6V3*EU)qX~br&hrx{v^73NC7b z_%0|UEdlU(;b5uit%^1(88tFD5Cd|B-?;9v;X&}fg2MCrGZI5+~>M7 z1YE3m4n0@yiSG@I<4ce`mx4~(^CQ9=UoSrkLW2@)C?Gk6%Y1TexB98#@szbRl~XTp zz@T7AAdWpVaSyGJn5$|-`s<(RDz@V4#0q)vK^}CJ?MTf#=dJ(`1DVhZX>{oHi~KlFn|g zH4hdj;2gWtzNXyHI2V;8io}HR+l3rNU(s`vl2fJvXp2=(vsA zqQv!<4er~9ulqFC8GI@`G8dgIIK(gV9tk2DW3kQO200Zev-1{6)V`oJ@wYQ&rFqM# z19o^)uagb=Nnuyqw5ZJ)YYP-7q`Il&7boG)SJz$VrU9JZ7|93Q5YYGTsSn{=&b=+T z(E97*XvjF|wC@fOpL)!A5IAGLQpXyR;+J*-puXQzz=6}ENp&T!NVXlU@>(Y(=7 zWbk=b&?o)Nze2bO`nOL&mdG!4JsYvfGYHVOqJb~o`nXeF3KS-9o`r?EC{IiM&3L?Z zO2JH9DMlt~+Z-k{czDUQf<%jEOJ|9GSZ`5aY;CPkGvN9P?K7}ucBUHaBDOldR(AF> zD0R)91@Q9?UVofW#%LBV_UCWkYj3EmY!&Yp$5-c@E0%SP2E;Kzb>aZOh&EsXi|V|k zf|QDHO_6uaPj6>|GCB(p>J|$TniP>GVnX7uG(?w#KZ2^D5@X!yQ_?2wpC3D)zh~WV zr=x&bQ~b7aPbFr&XM48WXaD)mc%rYC+k}>)c>fr;S-7Z!HdB zYkl>=8zxwZCwLKTyu8^Z&DL}%<8eyw8E2tN3;>y)?`5Nm&z3{H*lB5UB)1rSLwspw zy1ypQgE#G$#I@0^og@!q#pTA^MTNGgSuZR^Ge%1NM{=RO(FjLvS*>_u!Lj>oP+#Rf z5vK^s%?t(z&hn2w?AzgGTzSACR=w{p)qB1KqKY0#nR>b4WNj;-g_gGLqJrMfE~4LF zWcWu|J|U)ABRf~NElXN+cbf24bzMPMY&}MzsBo}@U^G}WtHa~Cg;oZi>_YQ0#OJ;` zb-TtxsW8o~OlCUc|Ja|EIDR^I-ZkdZixH^>#gafk5x_%ZWp{B`fl%Wl!iJrbs1l6QDI9|{I?r#A@`9}_r-4HJE=C?vVN8qPA&s@2)^WKY1K1`HlOqO=Jl~h z7nHqr+iutaCIib=+~l>Vv7YPl_mMkgy+kFgP6iwL&uVCWl#qmU$9)sDi%v!HrUi?N ze5~m&1hKHg!o*#OiEL5+KZnZrADIr>HjyKb&b<=NB>=^*viHhiv?n$}Ysm8l+egv- zN%(BYcHaK}i0fvFgHDtfUhE_95(!lkQl)_}A9jydk6q9|BK2EQpORROK%sXI3*oWb z;Hk*HRF;)qAIwX< zOVoI|OIWB@i;V25IZBRd{u=jkFcoJ?v`1wSv4!jn&GM=Fh>+cp@F*@Rw!mZ8t^}~D$N6BlYFAk;Qsd4kM02?dqSuE zr8QoL|BE^l^H*JYkbojO0jR|$y^O!gP~Y@-F|9S6iLugdH61rIW?i)CkmV^WPkhD% z4*5{^s$GYJY|Iv*k&BhXP1vBmw~V9>bd{GMJ&4kzpZncHb*3 zD467sV+BzurqoRgBUYR#FCq$_Q%9CtKQpSgaCm7?3b%nrK z7?d4!H+1!O!289J)~-YQ1nWIXV^;&)JgO>`sj2^ z_EVVRiWLHS(2`GowwD^&oiSsDl>TWk`lC$kuTSz4MDt=ZUATYmq{#=kmrY-JsuawN zJ#Y+E;kW)Uil&{}yy1oHB0m-U^aA6Z6cD72d9iYtuu4xSUMPYY9F8=6|mas0#5%e(KO7%lvY)c`=e9+Ro~$C zD6%AZB&SH%4pu>8y?f|gzkBs!|qBYnL$vRTO!Xgj13PPlVAm5 zZ)Z1URNC8FFNiewj+(P+59H}WHlK0#mlf>loIlJI9#)@GiybF=gGX~JEKgJ*5A;Ok z9Ghj0!wr$=L#$jt3DZq5tU2*ZBh{`dqQ^gQt;>@i+9aCc5x4B`VTukWm0O)J?PM?6 zg-g{~57Nti%r_=3Hru6t^6Qv5JZM$eg@y^QZxKpiJ7VsifBNXNH|Ij!iNf*skHf^& zCu%cmqM4RyAF+it+6gKDY=uZ__D<% z{~RluW*mnbk+x{~e1ylqV6Q&oXkcn}!#=KyGo(7$JvwY3+8aA|i!WUn+UK=z#@~q2 za^&E+;zrMfm%yW$G7?R_QN41nXH1c=)B`79dYmmb1MXu?66f832n4X9X^+Vs6z!ku zgl2am?mcKaD&7mmbxHTaBAE20NuKnG;fiJU`-OQ(9>fzFW!S=P3XXs68e+9EW!zlXKH>{Zb4MeFgtVdA@;AvLwO|!MufD4TjQtVZ6k<;p=t7^S7OUsyCjPOXs@7a&H#CRrY>C`gA)&8j^n8 zNEl4z@IY~R{quagNVOScxbcJyc0j&X@=Dv_f>qNO+weBlu z?S_vmkM@8e3wjzYwH{RFv8<9ByHAXxS(6o5T*eRKNF9kf-!^G|V<7Mb7x2ZUi^q3z z1!HP#h2yq4n#rvi>?p+_z8FU%jN2thEQC@VqAh{ zTKgrsl|KX`cP&6g&RUrKP|Q>eVWOQB-^U4WrOFqb&qs}g!rAav9`lt!FE;eH9fhX_ z;0k~-+^NF9+UALx)o}#oo< zCz5^uJi*hF)57Me?Z)z7gi0)L7@Zt{^!6uwMu$_=uX@*Apqic!$tt%qU|J2YuJ&+J zO!NM21m1}A>_q#)>(v9Rl=i>Fpl&vs^jn=@y{)%;LF)Ov#o}DZ0feF~u+oXewk{{r)ZZtF3q;J}strD!w7TpF_iE z**k-EdG66o&V-@YJP`N6lRv-o-k*w1Y`j)$d}z~_{fjBOz->J*x!%S;ccN-!@t`tC zMKI_Fd%cbc>|StY2V=6SUihCY^kKm2Jb}_F#^%*H4cy*uJ_*D|i_YIJPX8h7c<+Nj zjuehrDED!G5`^E8yK8 z=5*RkG^}Qn2giFM0Z0TTp6O61=-GB42XxhLE}OCs#+aiF>R}SkEd8BYn|3>!42-1I zXpS>YRAUy~I0`eycKx07PNzwh@G03|AZ*K=ish`(hJj&;N3bwRuUn1;J}#@DKCXMo1ff3-q9&PvY?wy?#S=UChj+E0Aoe zj~Ck=)OU{+kH+Cn|DCR2a%ye$k7!)yRGu>T$sFo&!PE6UDc>NnJ!y>n?NY+Uvrf1t zz=$mrP^bwAVetfBPI*ZecAqeF}MkcBa)XP zp3de6i&+GQOUhYi_A|nMdrP$)HtoF^s#1TavD)P`d$2X&f4#ls01?yKSj6k!a1MOC zP_ymNcHN3pW-in@`;sLQC*O93?EvG?e7x%f-EqCgsS50teMANJBBTS)ei zF1wKd4`cD?6%^dLypDdNS~-peASq=LAVw9{qG|RrPL|2fnjw}FAZ&8Ok*b1BDP@6o znn{^?glm1)m)mtTiI6i3Z{2T*)r+as^~3`pq`0^KO?uuJ`~EN^$E(7=yk@SbDN`V; z^rVq6olaGj$oGY+tMN2Z3qu%UktGsvN6k6x8*q9ui7!j zxyL~voYwA9J)s0qDJ7VM(7~w60OyEB(7|&kida6bLwk7;$uRK#?^0UZV_eJr*p$9s zf?}H4m>L0U+908QR7=1Vf~CM$G$1K_(4V=WYBdK>i1RvW@orvfHzbn53#RAp9AW?K z5k15CIzA4g+Pb=gKI5nJ{bV#wa`ZmuH7mBY>l)VS^@(^gf=tPsHm$cWuA5X`iq%5a zAai>?0AS#9cAM?ojk4bStS|TBiHC2KGzFM~r4G>1eKF5k-*|`;*!Y!xF#IjEog7%h zDRQ*~33fhq$!8|eChvzbmN_4@9HX>S!Ht-y21~i&pQ>19`eJ<@a1`5lUtSURT6k-w(fRu))p%+ksdB-H>3MyxRHfk{yblrfQ|Kc^W1IQ z`l8@%XQwUkfThP1HMx++;n-6hgQjXn@Z5f3Ay+d=XYyjeV9XTjpZ7Ddpf}h^c%5#x z4iMZM{@%3z)cF^!PN@(1@%z@D;l_|VsNjmQS0kF_O#e%t&35edii5r{kme?M@Pjr7 zKWHX1Hi-J<7tj7yYj&_@%{#u6LWC-@&uvKO{f03`x{y@%UvQNdbDb}Pb9=|TK`k56 zHI&h#9rmVH*Zk7oX1^lfrxrV|bAB;;D?;>meqZB8D=Uz6?l`_W7?p9UQ3lcX+_9iS%zE!5g+2&V>p$kI*KM-w#4SQ{@B2#S@~~i(!lMHl(E<$ zwRSYIp|{kv!OkFNsn+R4AEo1lzxBNJtoIpQd<*^e`p<5Hsk ze=+g0{_WY8y{PG+1?PU{^_z|Ueb+Yc2@Phi`P{{Z2Z!u z{l&Sd!OT|sTO@)Hs+!(68GtM_$a(YTp2lhpKEw5i>-E~XdRY7K#MW*AN{Z2ShZnck z2-svMEoS7`u-_Dy%H;-*@=z?Ll>v0&QLdM#Z z$uN6i6IF94k9KndgZqdBNLi+;bP|E)fr;&a>zvY522}g=VuBHlUVFUe=6fkf=yufc zq@ofG8&ZC{^2PUFY=_XPU-z6&&Pg%Xs35Qt@}RNrAZ6!-r+@r3`3E1q|Fof@`7TLI z{X6EOI2_dL04q)4#Tjb^%a~^8lA$cPIIE*TkPxLBRiM5!60FE!0J5%+wHyxS0!^=0 zLz_?;3b^4u?}>-)=saj*TDnhbzX(WworfgTpW#_~(a&~vc*}q8$WrS(P*I!C72|@Y zG@`x>_PT2T-O91c?|E$a(XBl(Z>r9{53o1ee%YTh58=+_#9Vm>IgIn0Iy=}`&#bT1 z_TJPGO-NyA&11XegRZPgNk=lb_~!v^c`^H@xouW6TqP7LmJZrF*^%cL-=w0_+)8Q# zDAgfjhC5SS*E{I)F#Jb0#CyJFc!HrJCO7BbkQHL6?8wS?I}81;T*MfVbg&mn`Pas+Hb62Sb_?ZjK3Ni>+#XpD2cdaMBs)Wa3= zR&cq>fU9gYzDnh90jg3=1@u!4eIhRxyiuS$pw>ilB595FD{-B0bzXu zd>i#S0)K4hLX5!50lnH?fh2)8{ z9%>_)u*8ODcR}C}SzlRNBYu@!iIs~Sc#*#&Y5_B^F+WH@<>yZRUDcn(H)BOxg;y&D zpEFp?>~87d^(7?^^W!Ot0_KBwzw`%2j`2mgXIjOwh&JcUSbFq10{?U-!|z4Sd?ASA z2(GYRO*_tj0z#>CKQBJ2VyBZ9)xA*G*+TxX24pRD^)Dhj;S9I@I5z$(eM-UNNgcj2 zoSfX9wqa?ZrdDAIeQv2DBb)g-6){cwfJ0P-AQ9ouPcIxK4x@Cd6m-N1oO)@fUGWL9}sTZb& zf9mMj<~rP?u}Kl7O*1%83e25@gM)`@B1nkuD_UkPBmDTS;x*$9y%~JZGAL5uO9)(Y zgfC0=Sc|qb>4hg25W7i%k@96<7jC=6A6D?fHo6RLwgGpkq_Ea>FTusnDGJP%4ML>o z7g40y%!fuH5c4~QT1OI;{+I#EAI&tZ;tov0qGu^6+0^RJ>b-=`^5sdeEJ}j3+gS+o zbF1$53G<%N;CV|mr{?O3K?4TIc=yig-ZAN~?X z{V+i^Y8Lk|UN5@XLnB+pAfEo@A9HNT5z z)P$vD|Avwu7||Xq8h86^MH(oq6*W|Nj>GV9-o-`J)l4Tl&FsfIF20%<-gl7kHm$H( ztbaGUIn}OYkw~f*PI~*Av`=?R2^mmTd@}ZpiroaJG!=NH7ok8jTgSJQXPHgvmSE5< zp57M`KR?_&F+19##@R7%&EA99Y~CCVtQkTjqT@KPTRTMZIG(!irnQ$3G>3=Wp(76M z&{tWxSeA|P9X8xFCC9Q%tF&Cq)Id0i1T3}etefnH>SHktz+uh)ED&ihA-BzxPO5y- zDlICylUjl`32RZBZOLq7Gnvcz{VJuX_%xkT6NS?w!9^&0QtDGElWNoW-vS4b(rY4i zi9RmbZP@CXwD)dm3$*TkMv>PPn`DrqQIit-9%?K3|GJDjlChyxJ<2;rWl=5_y(z@D zXfjODTC-vwCqxccij*P2kCh)>aVIRIfQG7FGA!Yk{Fi1xI0np@i(h!1$T;j@70Ezp zt>kz|_R$!lNue&5{?4gPwoHyx3V-&RIcVv$R5cpKJyh#%o(BvCg^V4Xf_-LjaKlu0 zXB2&+=O{=k2PPHi!a*ONm5dNctg$%FM_J@(Cc&8Xob0yAYGXX4pnks7S66ip<2j(4PzJ7KOcND38?6mO%{*vyS@ z(kJ9UKh6l=U=5jT}`9EDYd@ zGzlWJ|L;v6^8fGuvkoJ-5(jLLv(4Y}`|^Rt?}e7#fJ#=P=3pzd_Hte@Sx^>U+~+~} z-fMOjBYZzFpB+kJAlzgt8YJTOvHmOoLiwDo=%BfARGTUD^f| z0Mcv7Y2Y*aVx@=2&baHVSxFxWy{qGAxh>0FJD^?OS^oSrK z4VvbDY>=qG8=)PWAw+ydM~;EzqWI;Gs6DdCpt0Gaq1gtT<8d~1Zt#xhj8K5MdU<`o zozuiN+0&<*!IW7yJ~`0EZl_#M24bXO?#W+5o!=Hks022N%iB4Abu*O4v5u| zbd$|-a|5Bn6<)&c5{aeSC(9}V$yG{dpG2OBPKEQ)`Oz9fI^ z1pCk~mNJegWr=3z?!up+_2x3x|5uOVdt`|(5kisW!tz9DT#K5RR%yKSAZt`*g777_ z4EgevvVN8>Nu_&?H`I5F4xtRT@Fb(!QaL%Ke+E7do)T@k70d8CHSkvk8Yl-;F$-)5 z4LE-Bp(INl3*!Tm*PolI)8dtF8 ziXZO-%`H6))O|Z#M$-38w{#bp4nDu80`HGTDb8x$JU%R*IBbGx82G_N^K^e;mV0;p z{P#~%V;b{fKoB1$m8kw}FM&d8C6`=8cR-$>QF_Sn!`89AjK7flZHL(_NL-UxxQqm7O1G>*bpGUXuCHerGyarde;W%YSW>q(L=>LrYrzuIjOD1UQV9WhB1Us#m2EV5|PD#fgU80FRDuD zuS$%9{IvPFNj8KCc=<9;R<@+Gn)kqrdvbxsjUU8@V(5mc+W+b8y#C?(x-d=t8;PAXRp2Y z+Ru8vOS`J2OkQKT0}Ex8aY?F)rBRB~5h8OF`Njc%9_weU@J-ZH!E!*zmsvD3)(=ik z6fxonMD9k|6h8yqGY}FGUHG?eaTe}}VBwMVo?P9seeKySJw?rFRkRIl)_U;A?W1cO z%=LF{zhGVsMgH0swi6V%H#w>WnWW;*FHb-VkOe8#Hm-IgDoM_~=@HetAJMpL9$G!$ z#g91x2J^XIK0il_^n?x4Ia@J7b+W=K zmcfQinRw$xm|wCPQER|Uvc1WsC3`O_`N|wxtCwFP2zdag-UGh3pv)bp)o}2&z#N;d z47qPekCbUX2(o!`scMC{m2GLl1&hduA5B=%s1SvIEDhIR+Ni^)Kx_5R1qLt+TI07P zS>+=@TdVybgI^S74kELijM&^U%Z>DV6cGl3b94;S6W5@qpMz&EtmF?Ip|{;`R9lYAZGZwU#mVlp%~CTlqf z)c*m!ulCBD?(Xh<_rDCrz6@3MD+B0$;bFl9`Bo2HUu|gy@Y%a3`2lA-C&(fyTr|>` zWcxsSg{3+p%H?xb)Qc%oeZKR;1V-g9WA!%9=vj5*0&Arn4(p95I6w{y_8J!iqY$Ki z#Ks-Arln+bYwZ;ttR)C7Y_g5^Bjzc_U-g-EdSXO=W(WU%%C4tE@hP?&!ql}7=~`>H z_C-NrnSRDO^J?gtXL0}1cZ&j*Jh_(kC+CF{r#A**Om1tMO4k$}n8uOo*L&52XsKnV z#>SW~jdP$i;``(%quH`X%@f_1Q@lV23U{?IIz-HVaTP2FNTI^7v{})(Dnmw5fB9>@wgO8jt7{( zhs`;0Ss;`RfAiU6_V40gGA{U#UE;qvCxD@+?YG1XZIY>hLx!bX8zMn$r6l~va1IZ= zoJXeRALh!up)oMBL&sZCib3JO^z!!P6&H?cvX|mCZqf~S$}EQGM8@8NT!&s`BhAj#^n&~k!t8iHV*L*g|f)ovo{9%9sjMb zc)wHCmoP-BR3p_Q^Qnz!fXR`a(pxfL_>(?3h2va3@r*r^p-5&Afy*H9FE_T_rUSw3b`O_;>ZBB~e~{!K?Y=dZzM>EVn0mZJST3 zGNiuJgy9ppAKRNBcf7cqB9`^og?#vC&;PT-jUa}0tOx)1JQ`1I;oq_ktpA1M>7!zT zbJt%{u!p70427kr@5wkBUu&r3-r6PTr0WxNmbC|r*z{69ZC_g_=&`o_nWilhQ%4t7 z;|1FH^byl12`x9;Bv z%e~nOQfB{cmBRdo4Q{1;+T|FkbRqj}GWv%<=leZqsU_(e1GLv?;FuC_eeYx+*T3WV}igr`qy;x=DX$bnI=jC(8(0a>3TG0SJ2B@US zgnrvhp8lqJgd7&aNPQhF#zFTn-_RHzvRu>NXSt*8Ya`#`*0DjqLqGicqp1fh%iKqT z$pfjDm+}iGKI?UsSDJvJt7fTmwwJ`Izi@Pg)_Y<=BvF(6n4y{{TZOwdx zvrB!eWm5`jG^ak#Gp)Vhx|$j%hBiCO_aI*dBfFErXw5sGKQSgXA8G8Jmog`ah!BV= zWwWMOoUwxe{NEQ`I`IMj`o~@kcxLBzUp#mUO5V$&;{yevOC@LiRlRSe!kA12?ste` ztTMaZ9(A_9yNMrsuXh}ee!RCt(rafZa)-<^D`~UaFFu56*7)sN1nvd+SX)Y>5ldo; ziu&EtLafQ7R(G?YPrsOc{*ux`8!(&=$MY3y7#ovGx-FxcJ?UzgAxSbK@}ki%>KwZE zs)3YGG7)JJ#B{4nhk;V^%UGnO=r^Zpn3|%|{_N2pev5~5Pxo^f$2viUZy5J@_f5L( zK;@3~Axx;NCpmrPbnZi>U!9{>zwqC|c{h2+(vH6*Ic@tA(jg3Ys3?|!@oxl_2M5u8 z>t(f%maT#}FZBh|VjHW_@c#lnEd4fShA<>*dOq^`aH*cSz+9yMIZH4V!@y+mJJP$D z%i&?JRk4S9^5rf9Jq4G?dI|wTs9ciBVP)ok1U?q!@jv}_j5qq)&nITrLcTJn!!*g{ zX@pJJm!fe){D`^MTdLb=^R7-24hO!OrbPzs`fr@+nHa-Iq2;2A_Bh`~qXWN?fD3u^ z!BrO-Pnn$D(1ly#aRWx}5DW%U1TA&J6{|qc);qI*c3p1j*lTf3Q^|j=}jMN zNvzjgvutuk4v7JXR?i$iM9BSZ`heU1dnEa5V}p&A6?yTqegHx)4bXcw_nuMdZigwu zbA+;vRIwyIVW{w#25`A&LYJiZ83l75i`XAPSm~@hGUWcQjG5A>n3e(GwIo|R@ z=?-Omh#Y>nc0YC08`LTZo^iSMxc>gq>&cJQh2JwhU4J*!8r&36KmbgiW}% zxpsc2T8`(|)pov`E}I#bNw|<@i7xv%J}J=gM{a~s1@jd|0s*H057GKEVKy zJ-uS|CYeI`FSk3;;~TP-OTQBk;+T4|^A>y2>qNH+LoKRF-e~vzPD%7tK26v%gfk{x zpS3U1(c*d+xGFM?sQ!;In^wt)6J<1EJFwnA+1&ymwML!0~XK55u z_gy#GyDlZE%^a~Wi$2{kd}NmQ6#QEm8)xIE;23p{hYQR3Id*p5+cIA68aHFYn{(=# z02rZJ<7G|S{msP{B+Jiro~bLh{S`ffmKEKUyjV&2UI=(a$h5w(xmR2it{M#P;9)f!k(J(5p#mFRu%$)dJ4w#4>JJHVQFSnq77A>fm5| zXO{~p3>E-{#E15l8=9yIAInm9A9i>(VDzO4fG<+&rm{b5@2*Te06rew=1~_;T|;k*f@Rz8G472ajf#vdn)ZptP6AuCbvE&!o9q`3NnV- zJ{3p0>XjEnwp1YMp@sv?`?l6cyAi{xnoJzc3=Nac1QvOu7O4D&DtvrR$ZS2`5VqkR zHc`0rn;8Oobvc(wv{fY?O_FItaj5gO%CcE#wN!YKQrMf6qQxy%#*g~jNH)f|ItQ+ZVza$$(g|Ls{@VNea-q;w6!xrMM2mk0X@ol;=XFH1jeEQX9h*rQe<{R ze+v%AJ+6Im(C8}0=xSK<*4{Zeel{L@;?1WllrD9@up%bp2D(xdwJvdYBW6Y=EjxZ`stXNR{sbgP`plkA)=Gy~mA zY&S}GVksN8Q1PanN-=Gn;Wl0Q&#U2B=;~nek2bde%eZ^IfodQ%WMwPcXQj?q3Hj%o z47eo5?^lZRh#!<92FS!eb`o2=%`Sm-UjHsa;KP6%% z`Kcl50ZY$|4wRl&snSiwh)Bfnfg?vmw#a}4r@Pl`xwHS^4>%5CZKGMPpGfSOzw6vo zPftPlza+@w?LLIW;W?O8!H$k_=9nW+pe+}$lOAcSKWg3 zDrF=^2if;mpSXH5#YFALYeQZF=i@>Vo}^ShJIoe*6bC+WG)W-pirGDK|3=F7hP}bevbY!G?bmr zBgP$_=d77VV|@}9w8QzL6}GftnRq_xh%CgP)%XP2nmO)-f<98Q-<9(~6Xb%H z+^=}!2#sYiJB&j&bgu8oQFCXY!Ve``hyn-WZmYNj>5KyK4Qwc(p;>u8okMt&9{R92 zoTLF3Z3(f++-9;_kJRbruSx>X(B54FCTp6fe}+B#6zltuX4OhA3F5r1q04lc07-j^ zo>{DgB~3nEZ{c}SN+Y@JU$*RRaG|v8%N9vJpA`KP$^=$$2tpJg7*$K)R7JYO+e`d@ zzfQwKQ^P6{F7;~f8IU;V8K7ldD?1C2pX}$?F`mYIRrxDs?)Sgl z;n2s>U0!xk8U~orr`Jw%y{=^iAAqA0)XEG&^lDqQy2E4P5Q3SAh@|qT-lfC~=-^K` z$X?wxqz9&4CF^k~w-Neb(%$nM+FmraaVouxA#E4-GT`~=OMTw{RcflT6f*=+T;*C5 z;l#}=cj~E4m@@2= z!tYXdAo={W5$_XSi}OEEud-`eWHz2l55r#!xTkcBGXBXjc6r?-GZhYtH*{U75GUO+ z9?QDDnvQ|>Cp#IoWIZi*3OC5lhQ%q5a0%2I8h*u^xjP+Ig;C83`q-HLSEJJ|UCSAH zMlV}guKlA?HEG(V$>nt*b%m5YoY?#02K&5LG5Z%^NVuYAR^9Bg7*8#N>BuL3z7YCj zvE#4-oe#K(M__2Rmdkkxxrcd`0*%*6bb?nHDI~op=LkyWlQ2%>V3>I#>rbN+{-VNH z5}6}~wlO1z*XO6f1Ww)46Lqj27^N8%Kew<|Orde8i|5-`VUt1) zFDnoq${*0{mKkI_YWg9`d7ZA}x4zf6fdfc+hGDr7TX zbEcbCZr3|grCOXvn!L+6JD&LV!6rTNPKNFU)Sz-9PbE#Hr`TQJ(Dn-&Z6Ks5B!KdV}W F{tx!nr-T3i literal 0 HcmV?d00001 From 885bdf03a0860b1b1ae6c27bf09206c00468b964 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 23 Oct 2017 15:09:41 -0700 Subject: [PATCH 11/15] Final fixes before going to staging --- .../hello-for-business/hello-features.md | 146 +++++++++++++++--- .../hello-identity-verification.md | 9 ++ .../hello-why-pin-is-better-than-password.md | 27 ---- .../hello-for-business/toc.md | 2 + 4 files changed, 132 insertions(+), 52 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md index c8e500f815..2e4ae4c446 100644 --- a/windows/access-protection/hello-for-business/hello-features.md +++ b/windows/access-protection/hello-for-business/hello-features.md @@ -2,7 +2,7 @@ title: Windows Hello for Business Features description: Windows Hello for Business Features ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock +keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged Workstation ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -19,6 +19,7 @@ Consider these additional features you can use after your organization deploys W * [Conditional access](#conditional-access) * [Dynamic lock](#dynamic-lock) * [PIN reset](#PIN-reset) +* [Privileged workstation](#Priveleged-workstation) * [Mulitfactor Unlock](#Multifactor-unlock) @@ -50,27 +51,27 @@ The Group Policy Editor, when the policy is enabled, creates a default signal ru >[!IMPORTANT] >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. ->``` -> -> -> ->``` +``` + + + +``` For this policy setting, the **type** and **scenario** attribute values are static and cannot change. The **classofDevice** attribute defaults Phones and uses the values from the following table -|:Description:|:Value:| -|-------------|-------| -|:Miscellaneous|:0:| -|:Computer|:256:| -|:Phone|:512:| -|:LAN/Network Access Point|:768:| -|:Audio/Video|:1024:| -|:Peripheral|:1280| -|:Imaging|:1536:| -|:Wearable|:1792:| -|:Toy|:2048:| -|:Health|:2304:| -|:Uncategorized|:7936:| +|Description|Value| +|:-------------|:-------:| +|Miscellaneous|0| +|Computer|256| +|Phone|512| +|LAN/Network Access Point|768| +|Audio/Video|1024| +|Peripheral|1280| +|Imaging|1536| +|Wearable|1792| +|Toy|2048| +|Health|2304| +|Uncategorized|7936| The **rssiMin** attribute value signal strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10. @@ -78,6 +79,8 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw ## PIN reset +### Hybrid Deployments + **Requirements:** * Azure Active Directory * Hybrid Windows Hello for Business deployment @@ -85,13 +88,13 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw * Remote reset - Windows 10, version 1703 * Reset above Lock - Windows 10, version 1709 -The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables you to remotely push a PIN reset or enables users to reset their forgotten PIN above the lock screen. +The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables you to remotely push a PIN reset or enables users to reset their forgotten PIN above the lock screen without requiring reenrollment. -## Onboarding the Microsoft PIN reset service to your Intune tenant +#### Onboarding the Microsoft PIN reset service to your Intune tenant Before you can remotely reset PINs, you must onboard the Microsoft PIN reset service to your Intune or MDM tenant, and configure devices you manage. Follow these instructions to get that set up: -### Connect Intune with the PIN reset service +#### Connect Intune with the PIN reset service 1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Intune tenant. 2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
@@ -100,7 +103,7 @@ Before you can remotely reset PINs, you must onboard the Microsoft PIN reset ser ![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png) 4. Log in to [this website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent) using your Intune tenant admin credentials and, again, choose **Accept** to give consent for the service to access your account. -### Configure Windows devices to use PIN reset +#### Configure Windows devices to use PIN reset To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): @@ -112,12 +115,54 @@ Set the value for this CSP to **True**. Read the [Steps to reset the passcode](https://docs.microsoft.com/en-us/intune/device-windows-pin-reset#steps-to-reset-the-passcode) section to removely reset a PIN on an Intune managed device. +### On-premises Deployments + +** Requirements** +* Active Directory +* On-premises Windows Hello for Business deployment +* Reset from settings - Windows 10, version 1703 +* Reset above Lock - Windows 10, version 1709 + +On-premises deployments provide users with the ability to reset forgotton PINs either through the settings page or from above the user's lock screen. Users must know or be provider their password for authentication, must perform a second factor of authentication, and then reprovision Windows Hello for Business. + +>[!IMPORTANT] +>Users must have corporate network connectivity to domain controllers and the AD FS server to reset their PINs. + +#### Reset PIN from Settings +1. Sign-in to Windows 10, version 1703 or later using an alternate credential. +2. Open **Settings**, click **Accounts**, click **Sign-in options**. +3. Under **PIN**, click **I forgot my PIN** and follow the instructions. + +#### Reset PIN above the Lock Screen + 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in + 2. Enter your password and press enter. + 3. Follow the instructions provided by the provisioning process + 4. When finished, unlock your desktop using your newly creeated PIN. + +>[!NOTE] +> Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. + +## Privileged Workstation + +**Requirements** +* Hybrid and On-premises Windows Hello for Business deployments +* Domain Joined or Hybird Azure joined devices +* Windows 10, version 1709 + +The privileged workstation scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. + +By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices. + +With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads. + ## Multifactor Unlock **Requirements:** * Windows Hello for Business deployment (Hybrid or On-premises) -* Hybird Azure AD joined or Domain Joined (on-premises deploymentd) +* Hybird Azure AD joined (Hybrid deployments) +* Domain Joined (on-premises deployments) * Windows 10, version 1709 +* Bluetooth, Bluetooth capable smartphone - optional Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. @@ -130,4 +175,55 @@ Which organizations can take advanage of Multifactor unlock? Those who: * Want to retain the familiar Windows logon UX and not settle for a custom solution. >[!IMPORTANT] ->Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). \ No newline at end of file +>Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). + +You enable multifactor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. + +The policy setting has three components: +* First unlock factor credential provider +* Second unlock factor credential provider +* Signal rules for device unlock + +### The Basics: How it works + +First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop. + +The credenital providers included in the default policy settings are: + +|Credential Provider| GUID| +|:------------------|:----:| +|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}| +|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}| +|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}| +|Trusted Signal | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}| + +The default credential providers for the **First unlock factor credential provider** include: +* PIN +* Fingerprint +* Facial Recongition + +The default credential providers for the **Second unlock factor credential provider** include: +* Trusted Signal +* PIN + +The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. + +The default signal rules for the policy setting include the proximity of any paired bluetooth smartphone. + +To successfully reach their desktop, the user must satisfy one credential provider from each category. The order in which the user satisfies each credential provider does not matter. Therefore, using the default policy setting a user can provide: +* PIN and Fingerprint +* PIN and Facial Recognition +* Fingerprint and PIN +* Facial Recognition and Trusted Signal (bluetooth paired smartphone) + +>[!IMPORTANT] +> * PIN **must** be in at least one of the groups +> * Trusted signals **must** be combined with another credential provider +> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can be used to satisfy either category, but not both. + + + + + + + diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 7e3e2523b8..dbe821c879 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md @@ -71,6 +71,12 @@ The table shows the minimum requirements for each deployment. ## Frequently Asked Questions +### What is the password-less strategy? + +Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** + +> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM] + ### What is the user experience for Windows Hello for Business? The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. @@ -80,6 +86,9 @@ The user experience for Windows Hello for Business occurs after user sign-in, af > [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] + + + ### What happens when my user forgets their PIN? If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 345d436c6b..45ff52e819 100644 --- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -66,33 +66,6 @@ You can provide additional protection for laptops that don't have TPM by enablin 2. Set the number of invalid logon attempts to allow, and then click OK. - -## What if I forget my PIN? - -Starting with Windows 10, version 1703, devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune), are be able to reset a forgotten PIN without deleting company managed data or apps. - -### Reset forgotten PIN on Windows Phone - -To reset a forgotten pin on a Windows Phone, you will need to locate the device in the Intune portal. Once you've selected the device, click on **More > New passcode** to generate a new PIN. - -![Intune reset PIN drop-down menu](images/whfb-intune-reset-pin.jpg) - -Once you've done that, the device will receive a notification to unlock the device and you will have to provide them with the generated PIN in order to unlock the device. With the device unlocked, they user can now reset the PIN. - -![Phone unlock notification](images/whfb-pin-reset-phone-notification.png) - -### Reset forgotten PIN on desktop - -Users can reset a forgotten PIN from any Intune managed desktop device. They will need to unlock the device by other means (Password \ Smart Card \ Biometric). - -Once the device is unlocked, go to **Settings > Accounts > Sign-in options** and under **PIN** select **I forgot my PIN**. - -![Forgot my PIN in settings](images/whfb-reset-pin-settings.jpg) - -After signing-in, you will be prompted to change your PIN. - -![Reset PIN prompt](images/whfb-reset-pin-prompt.jpg) - ## Why do you need a PIN to use biometrics? Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 66af9ca614..5a8d5dd5c3 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -42,3 +42,5 @@ #### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) + +## [Windows Hello for Businesss Feature](hello-features.md) \ No newline at end of file From 16ad3d32a0372f5ae9798404de1265f970054db7 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 23 Oct 2017 17:07:33 -0700 Subject: [PATCH 12/15] minor edits --- .../hello-for-business/hello-deployment-key-trust.md | 6 +++--- .../hello-hybrid-cert-whfb-settings-ad.md | 7 +------ .../hello-hybrid-cert-whfb-settings-adfs.md | 6 ------ .../hello-hybrid-cert-whfb-settings-dir-sync.md | 7 +------ .../hello-hybrid-cert-whfb-settings-pki.md | 5 ----- .../hello-hybrid-cert-whfb-settings-policy.md | 7 +------ .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 4 ---- .../hello-hybrid-key-whfb-settings-ad.md | 4 ---- .../hello-hybrid-key-whfb-settings-dir-sync.md | 4 ---- .../hello-hybrid-key-whfb-settings-pki.md | 4 ---- .../hello-hybrid-key-whfb-settings-policy.md | 6 +----- .../hello-for-business/hello-hybrid-key-whfb-settings.md | 4 ---- .../hello-key-trust-validate-ad-prereq.md | 4 +--- 13 files changed, 8 insertions(+), 60 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md index 2d64b3973b..d924194aa8 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,5 +1,5 @@ --- -title: Windows Hello for Business Deployment Guide - On Premises Certificate Key Deployment +title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 @@ -11,7 +11,7 @@ ms.author: mstephen localizationpriority: high ms.date: 10/08/2017 --- -# On Premises Certificate Trust Deployment +# On Premises Key Trust Deployment **Applies to** - Windows 10 @@ -20,7 +20,7 @@ ms.date: 10/08/2017 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. -Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Key Model in your on-premises environment: +Below, you can find all the infromation you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 27eba8dd44..981d5feaae 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -16,15 +16,10 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - ### Creating Security Groups Windows Hello for Business uses several security groups to simplify the deployment and managment. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index e68276a09e..54223b71a4 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -18,14 +18,8 @@ ms.date: 09/08/2017 ## Federation Services ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ->[!div class="step-by-step"] -[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) -[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) - - The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 36c163ea27..38c71a7599 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -16,15 +16,10 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Synchronization ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 27ea8e8a47..d7f825257f 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -17,11 +17,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) -[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 2c0b6759f9..ac4c7d3339 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -16,15 +16,10 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure AD FS](hello-hybrid-cert-whfb-settings-adfs.md) - +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 2dbfc5fda4..cc34481466 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -16,10 +16,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 901edef2af..4a4a25924e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -16,10 +16,6 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md) - >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 69700ebc4b..7518007d20 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -16,10 +16,6 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 ->[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) - >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Syncrhonization diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index cb21c9a8f5..3d9691dd88 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -17,10 +17,6 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) -[Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) - >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index bd47b15b29..75e5789a7e 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -16,14 +16,10 @@ ms.date: 10/20/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[< Configure PKI ](hello-hybrid-key-whfb-settings-pki.md) +>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration ->[!IMPORTANT] ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 38de12b175..591af4f0c8 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -16,10 +16,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 -> [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) - ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You are ready to configure your hybrid key trust environment for Windows Hello for Business. diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 2b2c06183a..540da3aa71 100644 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -22,13 +22,11 @@ Key trust deployments need an adequate number of 2016 domain controllers to ensu The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -Ensure each site where you plan to deploy key trust Windows Hello for Business has an adequate number of Windows Server 2016 domain controllers/ - ## Create the Windows Hello for Business Users Security Global Group The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advanced Features**. From a84f120f16e9348687d14f6e17313ae76c8d93ec Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 24 Oct 2017 00:54:29 +0000 Subject: [PATCH 13/15] Merged PR 4022: small fixes to WIP for Biz --- .../waas-windows-insider-for-business-faq.md | 209 +++---- .../waas-windows-insider-for-business.md | 577 +++++++++--------- 2 files changed, 397 insertions(+), 389 deletions(-) diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md index 499a40f62a..169e3ed2eb 100644 --- a/windows/deployment/update/waas-windows-insider-for-business-faq.md +++ b/windows/deployment/update/waas-windows-insider-for-business-faq.md @@ -1,105 +1,106 @@ ---- -title: Windows Insider Program for Business Frequently Asked Questions -description: Frequently Asked Questions and answers about the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha ---- - -# Windows Insider Program for Business Frequently Asked Questions - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -### Are the Windows Insider Program and Windows Insider Program for Business separate programs? -No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done. - -### What Languages are available? -Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese, Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese. - -If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds. - -Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs). - ->[!NOTE] -> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc). - -### How do I register for the Windows Insider Program for Business? -To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. - -1. Visit https://insider.windows.com and click **Get Started**. -2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### Are there any management capabilities that allow an IT admin to manage settings for a corporate environment? -Yes. Starting with Windows 10, version 1709, the Windows Insider Program for Business now enables administrators to apply the following group policies to help them manage their organization’s preview builds: - -**Manage preview builds:** Administrators can enable or prevent builds from installing on a device. You also have an option to disable preview builds once the release is public. -**Branch Readiness Level:** Administrators can set the Windows readiness level, including Fast, Slow, Release Preview Rings of Windows Insider Preview) and allows administrators to defer or pause delivery of updates. - -See more information on the [Getting started with Windows Insider Program for Business](waas-windows-insider-for-business.md#getting-started-with-windows-insider-program-for-business) section. - -### How can I find out if my corporate account is on Azure Active Directory? -On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -### I have more than one Azure Active Directory account. Which should I use? -Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method. - -### Can I register multiple users from my organization at the same time for the Windows Insider Program for Business? -Yes. The Windows Insider Program for Business now allows organizations to register their domain and control settings centrally rather than require each user to register individually for Insider Preview builds. In order to register, follow instructions on the [Getting started with Windows Insider Program for Business](waas-windows-insider-for-business.md#getting-started-with-windows-insider-program-for-business) section. - -### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials? -No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp). - -### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory? -No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com and click Get Started. -2. Register with your Microsoft account and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this? -In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD. -2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -3. In your account Under Windows Insider account, click **Change** to open a pop-up box. -4. Select your corporate account and click Continue to change your account. - ->[!NOTE] ->Your corporate account must be connected to the device for it to appear in the account list. - -### How do I sign into the Feedback Hub with my corporate credentials? -Sign in to the Feedback Hub using the same AAD account you are using to flight builds. - -### Am I going to lose all the feedback I submitted and badges I earned with my MSA? -No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. - -### How is licensing handled for Windows 10 Insider builds? -All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. - -### Can I use the Software in a live operating environment? -The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version. - -### Can a single MSA or AAD account be used to register more than one PC in the program? -Yes. If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback). - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) +--- +title: Windows Insider Program for Business Frequently Asked Questions +description: Frequently Asked Questions and answers about the Windows Insider Program +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 10/17/2017 +--- + +# Windows Insider Program for Business Frequently Asked Questions + + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +### Are the Windows Insider Program and Windows Insider Program for Business separate programs? +No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done. + +### What Languages are available? +Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese, Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese. + +If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds. + +Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs). + +>[!NOTE] +> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc). + +### How do I register for the Windows Insider Program for Business? +To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. + +1. Visit https://insider.windows.com and click **Get Started**. +2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. +3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. + +>[!NOTE] +>Make sure that you have administrator rights to your machine and that it has latest Windows updates. + +### Are there any management capabilities that allow an IT admin to manage settings for a corporate environment? +Yes. Starting with Windows 10, version 1709, the Windows Insider Program for Business now enables administrators to apply the following group policies to help them manage their organization’s preview builds: + +**Manage preview builds:** Administrators can enable or prevent builds from installing on a device. You also have an option to disable preview builds once the release is public. +**Branch Readiness Level:** Administrators can set the Windows readiness level, including Fast, Slow, Release Preview Rings of Windows Insider Preview) and allows administrators to defer or pause delivery of updates. + +See more information on the [Getting started with Windows Insider Program for Business](waas-windows-insider-for-business.md#getting-started-with-windows-insider-program-for-business) section. + +### How can I find out if my corporate account is on Azure Active Directory? +On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed as highlighted in the image below. + +![Device connected to Work Account](images/waas-wipfb-work-account.jpg) + +### I have more than one Azure Active Directory account. Which should I use? +Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method. + +### Can I register multiple users from my organization at the same time for the Windows Insider Program for Business? +Yes. The Windows Insider Program for Business now allows organizations to register their domain and control settings centrally rather than require each user to register individually for Insider Preview builds. In order to register, follow instructions on the [Getting started with Windows Insider Program for Business](waas-windows-insider-for-business.md#getting-started-with-windows-insider-program-for-business) section. + +### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials? +No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp). + +### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory? +No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory. + +1. Visit https://insider.windows.com and click Get Started. +2. Register with your Microsoft account and follow the on-screen registration directions. +3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions. + +>[!NOTE] +>Make sure that you have administrator rights to your machine and that it has latest Windows updates. + +### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this? +In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory. + +1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD. +2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. +3. In your account Under Windows Insider account, click **Change** to open a pop-up box. +4. Select your corporate account and click Continue to change your account. + +>[!NOTE] +>Your corporate account must be connected to the device for it to appear in the account list. + +### How do I sign into the Feedback Hub with my corporate credentials? +Sign in to the Feedback Hub using the same AAD account you are using to flight builds. + +### Am I going to lose all the feedback I submitted and badges I earned with my MSA? +No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. + +### How is licensing handled for Windows 10 Insider builds? +All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. + +### Can I use the Software in a live operating environment? +The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version. + +### Can a single MSA or AAD account be used to register more than one PC in the program? +Yes. If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback). + + +## Related Topics +- [Windows Insider Program for Business](waas-windows-insider-for-business.md) - [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md index 32054cce1a..b3c5ee1517 100644 --- a/windows/deployment/update/waas-windows-insider-for-business.md +++ b/windows/deployment/update/waas-windows-insider-for-business.md @@ -1,286 +1,293 @@ ---- -title: Windows Insider Program for Business -description: Overview of the Windows Insider Program for Business -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 10/17/2017 ---- - -# Windows Insider Program for Business - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For many IT pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation. - -The Windows Insider Program for Business gives you the opportunity to: -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real-time via the Feedback Hub app. -* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure AD domain into the program, to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App, across your organization. - -Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - -## Getting started with Windows Insider Program for Business - -To get started with the Windows Insider Program for Business, you will need to follow a few simple steps: - -1. [Register your organizational Azure AD account](#individual-registration) to the Windows Insider Program for Business. -2. [Register your organization's Azure AD domain](#organizational-registration) to the Windows Insider Program for Business.
**Note:** Registering user has to be a Global Administrator in the Azure AD domain. -3. [Set policies](#manage-windows-insider-preview-builds) to enable Windows Insider Preview builds and select flight rings. - ->[!IMPORTANT] ->The **Allow Telemetry** setting has to be set to 2 or higher, to receive Windows Insider preview builds. -> ->The setting is available in **Group Policy**, through **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry** or in **MDM**, through [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). - -Below are additional details to accomplish the steps described above. - -## Register to the Windows Insider Program for Business - -Registration in the Windows Insider Program for Business can be done individually per user or for an entire organization: - -### Individual registration - ->[!IMPORTANT] ->This step is a prerequisite to register your organization's Azure AD domain. - -Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com), go to **Register your organization account** and follow the instructions. - ->[!NOTE] ->Make sure your device is [connected to your company's Azure AD subscription](waas-windows-insider-for-business-faq.md#connected-to-aad). - -### Organizational registration - -This method enables to your register your entire organization to the Windows Insider Program for Business, to avoid having to register each individual user. - ->[!IMPORTANT] ->The account performing these steps has to first be registered to the program individually. Additionally, Global Administrator privileges on the Azure AD domain are required. - -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. - ->[!NOTE] ->At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method. -> ->If your company is currently not using Azure AD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. - -## Manage Windows Insider Preview builds - -Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds on their devices. - -The **Manage preview builds** setting gives enables or prevents preview build installation on a device. You can also decide to stop preview builds once the release is public. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* -* MDM: **Update/ManagePreviewBuilds** - ->[!NOTE] ->**MDM Values for ManagePreviewBuilds**: ->* 0 - Disable preview builds ->* 1 - Disable preview builds once next release is public ->* 2 - Enable preview builds ->* 3 - Preview builds are left to user selection *(default)* - -The **Branch Readiness Level** settings allows you to choose between preview [flight rings](#flight-rings), and defer or pause the delivery of updates. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) - -![Select when Preview Builds and Feature Updates are received group policy](images/waas-wipfb-policy1.png) - -If you want to manage Windows Insider preview builds prior to Windows 10, version 1709, follow these steps: - -1. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program. -2. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart. -3. You are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. - ->[!NOTE] ->To enroll your PC, you’ll require administration rights on the machine and it needs to be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). - ->[!TIP] ->Administrators have the option to use [Device Health](/windows/deployment/update/device-health-monitor) in Windows Analytics to monitor devices running Windows 10 Insider Preview builds. - -## Flight rings - -Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. - -These are the available flight rings: - -### Release Preview - -Best for Insiders who enjoy getting early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. - -Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. - -* The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. -* To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. - -### Slow - -The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. - -* Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams. -* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. -* These builds still may have issues that would be addressed in a future flight. - -### Fast - -Best for Windows Insiders who enjoy being the first to get access to builds and feature updates, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. - -* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. -* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. -* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. -* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. - ->[!NOTE] ->Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. - -### How to switch between flight rings - -During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) - -To switch flights prior to Windows 10, version 1709, follow these steps: - -1. Go to **Settings > Updates & Security > Windows Insider Program** -2. Under **Choose your level**, select between the following rings - - * [Windows Insider Fast](#fast) - * [Windows Insider Slow](#slow) - * [Release Preview](#release-preview) - -## How to switch between your MSA and your Corporate AAD account - -If you were using your Microsoft Account (MSA) to enroll to the Windows Insider Program, switch to your organizational account by going to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**. - -![Change Windows Insider account](images/waas-wipfb-change-user.png) - ->[!NOTE] ->If you would like to use your corporate account, your device must be connected to your corporate account in AAD for the account to appear in the account list. - -## Sharing Feedback Via the Feedback Hub -As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals. - -Please use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. - -When providing feedback, please consider the following: -1. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. -2. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. - ->[!TIP] ->You can then track feedback provided by all users in your organization through the Feedback Hub. Simply filter by **My Organization**. - ->[!NOTE] ->If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. - -### User consent requirement - -With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: - -![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) - -Once agreed, everything will work fine, and that user won't be prompted for permission again. - -#### Something went wrong - -The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. - -In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: - -![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) - -This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. - -**To fix this issue**, an administrator of the AAD directory will need to enable user consent for apps to access their data. - -To do this through the **classic Azure portal**: -1. Go to https://manage.windowsazure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) -3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. - ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) - -To do this through the **new Azure portal**: -1. Go to https://portal.azure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) -3. Switch to the appropriate directory. - ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) -4. Under the **Manage** section, select **User settings**. - ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) -5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. - ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) - -## Not receiving Windows 10 Insider Preview build updates? - -In some cases, your PC may not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: - -### Perform a manual check for updates -Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**. - ->[!NOTE] ->If you have set Active Hours, ensure your device is left turned on and signed in during the off-hours so the install process can complete. - -### Make sure Windows is activated -Go to **Settings > Updates & Security > Activation** to verify Windows is activated. - -### Make sure your corporate account in AAD is connected to your device -Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account. - -### Make sure you have selected a flight ring -Open **Settings > Update & Security > Windows Insider Program** and select your flight ring. - -### Have you recently done a roll-back? -If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. - -### Did you do a clean install? -After a clean-install and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner. - -### Are there known issues for your current build? -On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. - -## Exiting flighting - -After you’ve tried the latest Windows Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. - -To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. - -## Unregister - -If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/en-us/insiderorgleaveprogram/). - -Unregistering will not allow any other administrators at your organization to continue to set policies to manage Windows Insider Preview builds across your organization. - -Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/en-us/how-to-overview/#leave-the-program) instructions. - -## Additional help resources - -* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build. -* [**Microsoft Technical Community for Windows Insiders**](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - Engage with Windows Insiders around the world in a community dedicated to the Windows Insider Program. -* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others. - -## Learn More -- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) -- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) - - -## Related Topics -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) +--- +title: Windows Insider Program for Business +description: Overview of the Windows Insider Program for Business +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 10/17/2017 +--- + +# Windows Insider Program for Business + + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation. + +The Windows Insider Program for Business gives you the opportunity to: +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real-time via the Feedback Hub app. +* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure AD domain into the program, to cover all users within your organization with just one registration. +* Starting with Windows 10, version 1709, enable, disable, defer and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App, across your organization. + +Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + +## Getting started with Windows Insider Program for Business + +To get started with the Windows Insider Program for Business, you can follow a few simple steps: + +1. [Register your organizational Azure AD account](#individual-registration) to the Windows Insider Program for Business. +2. [Register your organization's Azure AD domain](#organizational-registration) to the Windows Insider Program for Business.
**Note:** Registering user has to be a Global Administrator in the Azure AD domain. +3. [Set policies](#manage-windows-insider-preview-builds) to enable Windows Insider Preview builds and select flight rings. + +>[!IMPORTANT] +>The **Allow Telemetry** setting has to be set to 2 or higher, to receive Windows Insider preview builds. +> +>The setting is available in **Group Policy**, through **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry** or in **MDM**, through [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). + +Below are additional details to accomplish the steps described above. + +## Register to the Windows Insider Program for Business + +Registration in the Windows Insider Program for Business can be done individually per user or for an entire organization: + +### Individual registration + +>[!IMPORTANT] +>This step is a prerequisite to register your organization's Azure AD domain. + +Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com), go to **Register your organization account** and follow the instructions. + +>[!NOTE] +>Make sure your device is [connected to your company's Azure AD subscription](waas-windows-insider-for-business-faq.md#connected-to-aad). + +### Organizational registration + +This method enables to your register your entire organization to the Windows Insider Program for Business, to avoid having to register each individual user. + +>[!IMPORTANT] +>The account performing these steps has to first be registered to the program individually. Additionally, Global Administrator privileges on the Azure AD domain are required. + +1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). +2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. + +>[!NOTE] +>At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method. +> +>If your company is currently not using Azure AD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. + +## Manage Windows Insider Preview builds + +Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds on their devices. + +The **Manage preview builds** setting gives enables or prevents preview build installation on a device. You can also decide to stop preview builds once the release is public. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* +* MDM: **Update/ManagePreviewBuilds** + +>[!NOTE] +>**MDM Values for ManagePreviewBuilds**: +>* 0 - Disable preview builds +>* 1 - Disable preview builds once next release is public +>* 2 - Enable preview builds +>* 3 - Preview builds are left to user selection *(default)* + +The **Branch Readiness Level** settings allows you to choose between preview [flight rings](#flight-rings), and defer or pause the delivery of updates. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) + +![Select when Preview Builds and Feature Updates are received group policy](images/waas-wipfb-policy1.png) + +### Individual enrollment + +If you want to manage Windows Insider preview builds prior to Windows 10, version 1709, or wish to enroll a single device, follow these steps: + +1. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program. +2. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart. +3. You are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. + +>[!NOTE] +>To enroll your PC, you’ll require administration rights on the machine and it needs to be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). + +>[!TIP] +>Administrators have the option to use [Device Health](/windows/deployment/update/device-health-monitor) in Windows Analytics to monitor devices running Windows 10 Insider Preview builds. + +## Flight rings + +Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. + +These are the available flight rings: + +### Release Preview + +Best for Insiders who enjoy getting early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. + +Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. + +* The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. +* To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. + +### Slow + +The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. + +* Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams. +* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. +* These builds still may have issues that would be addressed in a future flight. + +### Fast + +Best for Windows Insiders who enjoy being the first to get access to builds and feature updates, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. + +* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. +* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. +* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. +* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. + +>[!NOTE] +>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. + +### How to switch between flight rings + +During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) + +To switch flights prior to Windows 10, version 1709, follow these steps: + +1. Go to **Settings > Updates & Security > Windows Insider Program** +2. Under **Choose your level**, select between the following rings - + * [Windows Insider Fast](#fast) + * [Windows Insider Slow](#slow) + * [Release Preview](#release-preview) + +## How to switch between your MSA and your Corporate AAD account + +If you were using your Microsoft Account (MSA) to enroll to the Windows Insider Program, switch to your organizational account by going to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**. + +![Change Windows Insider account](images/waas-wipfb-change-user.png) + +>[!NOTE] +>If you would like to use your corporate account, your device must be connected to your corporate account in AAD for the account to appear in the account list. + +## Sharing Feedback Via the Feedback Hub +As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals. + +Please use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. + +When providing feedback, please consider the following: +1. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. +2. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. + +>[!TIP] +>You can then track feedback provided by all users in your organization through the Feedback Hub. Simply filter by **My Organization**. +> +>If you're signed in to the Feedback Hub App using your personal Microsoft Account (MSA), you can switch to your work account, by clicking on your account, signing out, and signing back in. + +>[!NOTE] +>If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. + +### User consent requirement + +With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: + +![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) + +Once agreed, everything will work fine, and that user won't be prompted for permission again. + +#### Something went wrong + +The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. + +In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: + +![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) + +This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. + +**To fix this issue**, an administrator of the AAD directory will need to enable user consent for apps to access their data. + +To do this through the **classic Azure portal**: +1. Go to https://manage.windowsazure.com/ . +2. Switch to the **Active Directory** dashboard. + ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) +3. Select the appropriate directory and go to the **Configure** tab. +4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. + ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) + +To do this through the **new Azure portal**: +1. Go to https://portal.azure.com/ . +2. Switch to the **Active Directory** dashboard. + ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) +3. Switch to the appropriate directory. + ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) +4. Under the **Manage** section, select **User settings**. + ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) +5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. + ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) + +## Not receiving Windows 10 Insider Preview build updates? + +In some cases, your PC may not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: + +### Perform a manual check for updates +Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**. + +>[!NOTE] +>If you have set Active Hours, ensure your device is left turned on and signed in during the off-hours so the install process can complete. + +### Make sure Windows is activated +Go to **Settings > Updates & Security > Activation** to verify Windows is activated. + +### Make sure your corporate account in AAD is connected to your device +Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account. + +### Make sure you have selected a flight ring +Open **Settings > Update & Security > Windows Insider Program** and select your flight ring. + +### Have you recently done a roll-back? +If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. + +### Did you do a clean install? +After a clean-install and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner. + +### Are there known issues for your current build? +On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. + +## Exiting flighting + +After you’ve tried the latest Windows Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. + +To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. + +## Unregister + +If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/en-us/insiderorgleaveprogram/). + +Unregistering will not allow any other administrators at your organization to continue to set policies to manage Windows Insider Preview builds across your organization. + +Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/en-us/how-to-overview/#leave-the-program) instructions. + +>[!IMPORTANT] +>Once your domain is unregistered, setting the **Branch Readiness Level** to preview builds will have no effect. Return this setting to its unconfigured state in order to enable user to control it from their device. + +## Additional help resources + +* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build. +* [**Microsoft Technical Community for Windows Insiders**](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - Engage with Windows Insiders around the world in a community dedicated to the Windows Insider Program. +* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others. + +## Learn More +- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) +- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) + + +## Related Topics +- [Overview of Windows as a service](waas-overview.md) +- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) +- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) +- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) +- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) \ No newline at end of file From 41b3a59244a677696b2c44da9d040e936b24a424 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 23 Oct 2017 19:43:52 -0700 Subject: [PATCH 14/15] final tweeks --- .../hello-hybrid-cert-trust-devreg.md | 1 - .../hello-hybrid-cert-whfb-provision.md | 4 +++- .../hello-hybrid-cert-whfb-settings-policy.md | 8 ++++---- .../hello-hybrid-key-whfb-settings-ad.md | 2 +- .../hello-hybrid-key-whfb-settings-policy.md | 2 +- .../hello-hybrid-key-whfb-settings.md | 10 +++++----- 6 files changed, 14 insertions(+), 13 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 57457517cd..e8a2d57970 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -16,7 +16,6 @@ ms.date: 09/08/2017 **Applies to** - Windows 10 ->[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index c9a094726b..3d490ebdd1 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -48,7 +48,9 @@ The provisioning flow has all the information it needs to complete the Windows H The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. > [!IMPORTANT] -> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. This synchronization latency delays the certificate enrollment for the user. After the user's public key has synchronized to Active Directory, the user's certificate enrolls automatically as long as the user's session is active (actively working or locked, but still signed-in). Also, the Action Center notifies the user thier PIN is ready for use. +> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. +> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] > Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index ac4c7d3339..342e42b0d0 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -38,7 +38,7 @@ Domain controllers automatically request a certificate from the *Domain Controll To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. -#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object +#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -49,7 +49,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. 9. Select **Enabled** from the **Configuration Model** list. 10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 11. Select the **Update certificates that use certificate templates** check box. @@ -60,7 +60,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�** +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO** 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. ### Windows Hello for Business Group Policy @@ -128,7 +128,7 @@ The best way to deploy the Windows Hello for Business Group Policy object is to The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO�** +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** 3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 4a4a25924e..034442fa81 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -18,7 +18,7 @@ ms.date: 10/20/2017 >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. +Configure the appropriate security groups to effeiciently deploy Windows Hello for Business to users. ### Creating Security Groups diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 75e5789a7e..9f795ff7fd 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -129,7 +129,7 @@ The default Windows Hello for Business enables users to enroll and use biometric PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. ->[IMPORTANT] +>[!IMPORTANT] > Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 591af4f0c8..2d6fa42c14 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -21,13 +21,13 @@ ms.date: 09/08/2017 You are ready to configure your hybrid key trust environment for Windows Hello for Business. > [!IMPORTANT] -> Ensure your environmenet meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. +> Ensure your environment meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. The configuration for Windows Hello for Business is grouped in four categories. These categories are: -* [Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -* [Public Key Infrastructure](hello-hybrid-cert-whfb-settings-pki.md) -* [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) -* [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) +* [Active Directory](hello-hybrid-key-whfb-settings-ad.md) +* [Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) +* [Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) +* [Group Policy](hello-hybrid-key-whfb-settings-policy.md) For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration From d8a3a359dee5792900fbff41b0fe3173f9fc8168 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 24 Oct 2017 17:18:11 +0000 Subject: [PATCH 15/15] Merged PR 4027: Merge gp-settings-1709 to master --- .../new-policies-for-windows-10.md | 77 ++++++++++++++++++- 1 file changed, 75 insertions(+), 2 deletions(-) diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 60db3078d1..a92a034a76 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -1,6 +1,6 @@ --- title: New policies for Windows 10 (Windows 10) -description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. +description: Windows 10 includes the following new policies for management. ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D keywords: ["MDM", "Group Policy"] ms.prod: w10 @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: high +ms.date: 10/24/2017 --- # New policies for Windows 10 @@ -18,7 +19,79 @@ ms.localizationpriority: high - Windows 10 - Windows 10 Mobile -Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=625081). +Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/details.aspx?id=56121). + +## New Group Policy settings in Windows 10, version 1709 + +The following Group Policy settings were added in Windows 10, version 1709: + +**Control Panel** + +- Control Panel\Allow Online Tips + +**Network** + +- Network\Network Connectivity Status Indicator\Specify global DNS +- Network\WWAN Service\WWAN UI Settings\Set Per-App Cellular Access UI Visibility +- Network\WWAN Service\Cellular Data Access\Let Windows apps access cellular data + +**System** + +- System\Device Health Attestation Service\Enable Device Health Attestation Monitoring and Reporting +- System\OS Policies\Enables Activity Feed +- System\OS Policies\Allow publishing of User Activities +- System\Power Management\Power Throttling Settings\Turn off Power Throttling +- System\Storage Health\Allow downloading updates to the Disk Failure Prediction Model +- System\Trusted Platform Module Services\Configure the system to clear the TPM if it is not in a ready state. + +**Windows Components** + +- Windows Components\App Privacy\Let Windows apps communicate with unpaired devices +- Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics +- Windows Components\Handwriting\Handwriting Panel Default Mode Docked +- Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge +- Windows Components\MDM\Auto MDM Enrollment with AAD Token +- Windows Components\Messaging\Allow Message Service Cloud Sync +- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge +- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge +- Windows Components\Microsoft Edge\Provision Favorites +- Windows Components\Microsoft Edge\Provision Favorites +- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge +- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge +- Windows Components\Microsoft FIDO Authentication\Enable usage of FIDO devices to sign on +- Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive +- Windows Components\Push To Install\Turn off Push To Install service +- Windows Components\Search\Allow Cloud Search +- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard +- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard +- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites +- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access +- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules +- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules +- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications +- Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders +- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings +- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area +- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area +- Windows Components\Windows Defender Security Center\App and browser protection\Hide the App and browser protection area +- Windows Components\Windows Defender Security Center\App and browser protection\Prevent users from modifying settings +- Windows Components\Windows Defender Security Center\Device performance and health\Hide the Device performance and health area +- Windows Components\Windows Defender Security Center\Family options\Hide the Family options area +- Windows Components\Windows Defender Security Center\Notifications\Hide all notifications +- Windows Components\Windows Defender Security Center\Notifications\Hide non-critical notifications +- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized notifications +- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized contact information +- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact company name +- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact phone number or Skype ID +- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact email address or Email ID +- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact website +- Windows Components\Windows Hello for Business\Configure device unlock factors +- Windows Components\Windows Hello for Business\Configure dynamic lock factors +- Windows Components\Windows Hello for Business\Turn off smart card emulation +- Windows Components\Windows Hello for Business\Allow enumeration of emulated smart card for all users +- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections +- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update + ## New Group Policy settings in Windows 10, version 1703