From 894f43ae58d2e0c887e5537c0001f854090ffb51 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 14:56:54 -0700 Subject: [PATCH 01/59] Changed image names from edp to wip --- ...ning.png => wip-intune-app-reconfig-warning.png} | Bin ...k-domain.png => wip-sccm-add-network-domain.png} | Bin ...lockerfile.png => wip-sccm-addapplockerfile.png} | Bin ...adddesktopapp.png => wip-sccm-adddesktopapp.png} | Bin ...settings.png => wip-sccm-additionalsettings.png} | Bin ...dp-sccm-addpolicy.png => wip-sccm-addpolicy.png} | Bin ...niversalapp.png => wip-sccm-adduniversalapp.png} | Bin .../{edp-sccm-appmgmt.png => wip-sccm-appmgmt.png} | Bin ...corp-identity.png => wip-sccm-corp-identity.png} | Bin ...vicesettings.png => wip-sccm-devicesettings.png} | Bin .../images/{edp-sccm-dra.png => wip-sccm-dra.png} | Bin ...generalscreen.png => wip-sccm-generalscreen.png} | Bin ...twork-domain.png => wip-sccm-network-domain.png} | Bin ...ccm-optsettings.png => wip-sccm-optsettings.png} | Bin ...summaryscreen.png => wip-sccm-summaryscreen.png} | Bin ...supportedplat.png => wip-sccm-supportedplat.png} | Bin 16 files changed, 0 insertions(+), 0 deletions(-) rename windows/keep-secure/images/{edp-intune-app-reconfig-warning.png => wip-intune-app-reconfig-warning.png} (100%) rename windows/keep-secure/images/{edp-sccm-add-network-domain.png => wip-sccm-add-network-domain.png} (100%) rename windows/keep-secure/images/{edp-sccm-addapplockerfile.png => wip-sccm-addapplockerfile.png} (100%) rename windows/keep-secure/images/{edp-sccm-adddesktopapp.png => wip-sccm-adddesktopapp.png} (100%) rename windows/keep-secure/images/{edp-sccm-additionalsettings.png => wip-sccm-additionalsettings.png} (100%) rename windows/keep-secure/images/{edp-sccm-addpolicy.png => wip-sccm-addpolicy.png} (100%) rename windows/keep-secure/images/{edp-sccm-adduniversalapp.png => wip-sccm-adduniversalapp.png} (100%) rename windows/keep-secure/images/{edp-sccm-appmgmt.png => wip-sccm-appmgmt.png} (100%) rename windows/keep-secure/images/{edp-sccm-corp-identity.png => wip-sccm-corp-identity.png} (100%) rename windows/keep-secure/images/{edp-sccm-devicesettings.png => wip-sccm-devicesettings.png} (100%) rename windows/keep-secure/images/{edp-sccm-dra.png => wip-sccm-dra.png} (100%) rename windows/keep-secure/images/{edp-sccm-generalscreen.png => wip-sccm-generalscreen.png} (100%) rename windows/keep-secure/images/{edp-sccm-network-domain.png => wip-sccm-network-domain.png} (100%) rename windows/keep-secure/images/{edp-sccm-optsettings.png => wip-sccm-optsettings.png} (100%) rename windows/keep-secure/images/{edp-sccm-summaryscreen.png => wip-sccm-summaryscreen.png} (100%) rename windows/keep-secure/images/{edp-sccm-supportedplat.png => wip-sccm-supportedplat.png} (100%) diff --git a/windows/keep-secure/images/edp-intune-app-reconfig-warning.png b/windows/keep-secure/images/wip-intune-app-reconfig-warning.png similarity index 100% rename from windows/keep-secure/images/edp-intune-app-reconfig-warning.png rename to windows/keep-secure/images/wip-intune-app-reconfig-warning.png diff --git a/windows/keep-secure/images/edp-sccm-add-network-domain.png b/windows/keep-secure/images/wip-sccm-add-network-domain.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-add-network-domain.png rename to windows/keep-secure/images/wip-sccm-add-network-domain.png diff --git a/windows/keep-secure/images/edp-sccm-addapplockerfile.png b/windows/keep-secure/images/wip-sccm-addapplockerfile.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-addapplockerfile.png rename to windows/keep-secure/images/wip-sccm-addapplockerfile.png diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/wip-sccm-adddesktopapp.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-adddesktopapp.png rename to windows/keep-secure/images/wip-sccm-adddesktopapp.png diff --git a/windows/keep-secure/images/edp-sccm-additionalsettings.png b/windows/keep-secure/images/wip-sccm-additionalsettings.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-additionalsettings.png rename to windows/keep-secure/images/wip-sccm-additionalsettings.png diff --git a/windows/keep-secure/images/edp-sccm-addpolicy.png b/windows/keep-secure/images/wip-sccm-addpolicy.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-addpolicy.png rename to windows/keep-secure/images/wip-sccm-addpolicy.png diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/wip-sccm-adduniversalapp.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-adduniversalapp.png rename to windows/keep-secure/images/wip-sccm-adduniversalapp.png diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/wip-sccm-appmgmt.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-appmgmt.png rename to windows/keep-secure/images/wip-sccm-appmgmt.png diff --git a/windows/keep-secure/images/edp-sccm-corp-identity.png b/windows/keep-secure/images/wip-sccm-corp-identity.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-corp-identity.png rename to windows/keep-secure/images/wip-sccm-corp-identity.png diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/wip-sccm-devicesettings.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-devicesettings.png rename to windows/keep-secure/images/wip-sccm-devicesettings.png diff --git a/windows/keep-secure/images/edp-sccm-dra.png b/windows/keep-secure/images/wip-sccm-dra.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-dra.png rename to windows/keep-secure/images/wip-sccm-dra.png diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/wip-sccm-generalscreen.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-generalscreen.png rename to windows/keep-secure/images/wip-sccm-generalscreen.png diff --git a/windows/keep-secure/images/edp-sccm-network-domain.png b/windows/keep-secure/images/wip-sccm-network-domain.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-network-domain.png rename to windows/keep-secure/images/wip-sccm-network-domain.png diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/wip-sccm-optsettings.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-optsettings.png rename to windows/keep-secure/images/wip-sccm-optsettings.png diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/wip-sccm-summaryscreen.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-summaryscreen.png rename to windows/keep-secure/images/wip-sccm-summaryscreen.png diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/wip-sccm-supportedplat.png similarity index 100% rename from windows/keep-secure/images/edp-sccm-supportedplat.png rename to windows/keep-secure/images/wip-sccm-supportedplat.png From c2ebb65819b12b8d778c8c740d00806fc5bebb2c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 15:55:09 -0700 Subject: [PATCH 02/59] New topic for wip, redirected edp --- .../keep-secure/testing-scenarios-for-edp.md | 48 +------------------ .../keep-secure/testing-scenarios-for-wip.md | 38 +++++++++++++++ 2 files changed, 40 insertions(+), 46 deletions(-) create mode 100644 windows/keep-secure/testing-scenarios-for-wip.md diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index e2187af349..a4bdaec524 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -1,49 +1,5 @@ --- title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Testing scenarios for enterprise data protection (EDP) -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. - -## Testing scenarios -You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. - -|Scenario |Processes | -|---------|----------| -|Automatically encrypt files from enterprise apps |
  1. Start an unmodified (for example, EDP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the EDP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| -|Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message.

| -|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your **Protected Apps** list.

    The content should copy and paste between apps without any warning messages.

| -|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your **Protected Apps** list.

    The content should move between the apps without any warning messages.

| -|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.

    You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your **Protected Apps** list.

    The content should share between the apps without any warning messages.

| -|Use the **Encrypt to** functionality |
  1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

    EDP should encrypt the file to your Enterprise Identity.

  2. Make sure that the newly encrypted file has a **Lock** icon.
  3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
  4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

    The file should be decrypted and the **Lock** icon should disappear.

| -|Verify that Windows system components can use EDP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.

| -|Use EDP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| -|Use EDP on NTFS systems |
  1. Start an app that uses the NTFS file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| -|Unenroll client devices from EDP | | -|Verify that app content is protected when a Windows 10 Mobile phone is locked | | - -  - -  - -  - - - - - +redirect-url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/testing-scenarios-for-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md new file mode 100644 index 0000000000..ee7b6d3286 --- /dev/null +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -0,0 +1,38 @@ +--- +title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) +description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 +keywords: WIP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Testing scenarios for Windows Information Protection (WIP) +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. + +## Testing scenarios +You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. + +|Scenario |Processes | +|---------|----------| +|Automatically encrypt files from enterprise apps |
  1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| +|Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message.

| +|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your **Protected Apps** list.

    The content should copy and paste between apps without any warning messages.

| +|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your **Protected Apps** list.

    The content should move between the apps without any warning messages.

| +|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.

    You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your **Protected Apps** list.

    The content should share between the apps without any warning messages.

| +|Use the **Encrypt to** functionality |
  1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

    WIP should encrypt the file to your Enterprise Identity.

  2. Make sure that the newly encrypted file has a **Lock** icon.
  3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
  4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

    The file should be decrypted and the **Lock** icon should disappear.

| +|Verify that Windows system components can use WIP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.

| +|Use WIP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| +|Use WIP on NTFS systems |
  1. Start an app that uses the NTFS file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| +|Unenroll client devices from WIP | | +|Verify that app content is protected when a Windows 10 Mobile phone is locked | | \ No newline at end of file From c3e562e53d62a9a4223845a2a9cf236893867ecc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 16:05:18 -0700 Subject: [PATCH 03/59] Testing --- windows/keep-secure/testing-scenarios-for-edp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index a4bdaec524..761220a087 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -1,5 +1,5 @@ --- title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. -redirect-url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/testing-scenarios-for-wip +redirect-url: https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/testing-scenarios-for-wip?branch=vs-8094158 --- \ No newline at end of file From 2067c608ed87681f0c8cc29046191c24d4887d66 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 16:36:36 -0700 Subject: [PATCH 04/59] Updating redirect --- windows/keep-secure/testing-scenarios-for-edp.md | 2 +- windows/keep-secure/testing-scenarios-for-wip.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index 761220a087..3d16ef00df 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -1,5 +1,5 @@ --- title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. -redirect-url: https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/testing-scenarios-for-wip?branch=vs-8094158 +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip --- \ No newline at end of file diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index ee7b6d3286..97a687d1e0 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -2,7 +2,7 @@ title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: WIP, Enterprise Data Protection +keywords: WIP, EDP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From 69719e076b84517bd1c17ff3acfd9b87e00fc6e8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 16:56:11 -0700 Subject: [PATCH 05/59] Fixing all branding issues and pulling the pre-release slug --- .../protect-enterprise-data-using-edp.md | 91 +------------------ .../protect-enterprise-data-using-wip.md | 90 ++++++++++++++++++ .../keep-secure/testing-scenarios-for-wip.md | 6 +- 3 files changed, 94 insertions(+), 93 deletions(-) create mode 100644 windows/keep-secure/protect-enterprise-data-using-wip.md diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index 9e052274d5..3f8df3ef51 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -1,92 +1,5 @@ --- title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. -ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Protect your enterprise data using enterprise data protection (EDP) -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -## Prerequisites -You’ll need this software to run EDP in your enterprise: - -|Operating system | Management solution | -|-----------------|---------------------| -|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager Technical Preview version 1605 or later
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| - -## How EDP works -EDP helps address your everyday challenges in the enterprise. Including: - -- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. - -- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. - -- Helping to maintain the ownership and control of your enterprise data. - -- Helping control the network and data access and data sharing for apps that aren’t enterprise aware. - -### EDP-protection modes -You can set EDP to 1 of 4 protection and management modes: - -|Mode|Description| -|----|-----------| -|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| -|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.| -|Off |EDP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. | -

**Note**
For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution. - -## Why use EDP? -EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). - -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. - -- **Manage your enterprise documents, apps, and encryption modes.** - - - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device. - - - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - - - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your EDP-protected data.

- You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list. - - - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list. - - - **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.

- Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document. - - - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. - - - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - -- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. - -## Current limitations with EDP -EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems. - -Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds. - -|EDP scenario |Without Azure Rights Management |Workaround | -|-------------|--------------------------------|-----------| -|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. | -|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution. - -## Next steps -After deciding to use EDP in your enterprise, you need to: - -- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) \ No newline at end of file +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md new file mode 100644 index 0000000000..eac101aab3 --- /dev/null +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -0,0 +1,90 @@ +--- +title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10) +description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. +ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Protect your enterprise data using Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Enterprise data protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +## Prerequisites +You’ll need this software to run WIP in your enterprise: + +|Operating system | Management solution | +|-----------------|---------------------| +|Windows 10, version 1607 | Microsoft Intune
-OR-
System Center Configuration Manager 2016
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| + +## How WIP works +WIP helps address your everyday challenges in the enterprise. Including: + +- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. + +- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. + +- Helping to maintain the ownership and control of your enterprise data. + +- Helping control the network and data access and data sharing for apps that aren’t enterprise aware. + +### WIP-protection modes +You can set WIP to 1 of 4 protection and management modes: + +|Mode|Description| +|----|-----------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. | +

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution. + +## Why use WIP? +WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). + +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. + +- **Manage your enterprise documents, apps, and encryption modes.** + + - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device. + + - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + + - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your WIP-protected data.

+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list. + + - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list. + + - **Continuous data encryption.** WIP helps protect enterprise data on local files and on removable media.

+ Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. + + - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. + + - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + +- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + +## Current limitations with WIP +WIP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an WIP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the WIP-protected data must be stored on NTFS, FAT, or ExFAT file systems. + +Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with WIP, and the recommended workarounds. + +|WIP scenario |Without Azure Rights Management |Workaround | +|-------------|--------------------------------|-----------| +|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. | +|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

For more info about adding apps to the **Protected App** list, see either the [Create a Windows Information Protection (WIP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution. + +## Next steps +After deciding to use WIP in your enterprise, you need to: + +- [Create a Windows Information Protection (WIP) policy](overview-create-edp-policy.md) \ No newline at end of file diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 97a687d1e0..a741d4daf1 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -2,7 +2,7 @@ title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: WIP, EDP, Enterprise Data Protection +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -13,11 +13,9 @@ author: eross-msft # Testing scenarios for Windows Information Protection (WIP) **Applies to:** -- Windows 10 Insider Preview +- Windows 10, version 1607 - Windows 10 Mobile Preview -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. ## Testing scenarios From f8eeb2e607b92f3e2582526a03f20d89f79cd4fe Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 16:57:57 -0700 Subject: [PATCH 06/59] Fixed file name references --- windows/keep-secure/protect-enterprise-data-using-wip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index eac101aab3..536582b32d 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -47,7 +47,7 @@ You can set WIP to 1 of 4 protection and management modes: |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. | -

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution. +

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. ## Why use WIP? WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). @@ -82,9 +82,9 @@ Use the following table to identify the scenarios that require Azure Rights Mana |WIP scenario |Without Azure Rights Management |Workaround | |-------------|--------------------------------|-----------| |Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. | -|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

For more info about adding apps to the **Protected App** list, see either the [Create a Windows Information Protection (WIP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution. +|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

For more info about adding apps to the **Protected App** list, see either the [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or the [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md) topic, depending on your management solution. ## Next steps After deciding to use WIP in your enterprise, you need to: -- [Create a Windows Information Protection (WIP) policy](overview-create-edp-policy.md) \ No newline at end of file +- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) \ No newline at end of file From 717b86b4303fdc8f8bb719b2a0c0e4a292e91d00 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:03:28 -0700 Subject: [PATCH 07/59] Fixing branding and removing pre-release slug --- .../keep-secure/overview-create-edp-policy.md | 36 ++----------------- .../keep-secure/overview-create-wip-policy.md | 25 +++++++++++++ 2 files changed, 27 insertions(+), 34 deletions(-) create mode 100644 windows/keep-secure/overview-create-wip-policy.md diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index abd098560f..74ca414ed7 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md @@ -1,37 +1,5 @@ --- title: Create an enterprise data protection (EDP) policy (Windows 10) description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create an enterprise data protection (EDP) policy -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. - -## In this section -|Topic |Description | -|------|------------| -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | -|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | -  - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy +--- \ No newline at end of file diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md new file mode 100644 index 0000000000..3715e97bca --- /dev/null +++ b/windows/keep-secure/overview-create-wip-policy.md @@ -0,0 +1,25 @@ +--- +title: Create a Windows Information Protection (WIP) policy (Windows 10) +description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Create a Windows Information Protection (WIP) policy +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview + +Microsoft Intune and System Center Configuration Manager 2016 helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. + +## In this section +|Topic |Description | +|------|------------| +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager 2016 helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | \ No newline at end of file From 15b0ca61017af7f2689024eb11411750173a86e8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:08:04 -0700 Subject: [PATCH 08/59] Fixed branding and removed beta slug --- .../guidance-and-best-practices-edp.md | 38 +------------------ .../guidance-and-best-practices-wip.md | 26 +++++++++++++ 2 files changed, 28 insertions(+), 36 deletions(-) create mode 100644 windows/keep-secure/guidance-and-best-practices-wip.md diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index fd1ffe2dcd..cfd70be3cc 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md @@ -1,39 +1,5 @@ --- title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). -ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# General guidance and best practices for enterprise data protection (EDP) -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). - -## In this section -|Topic |Description | -|------|------------| -|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | -|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. | -|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. | - -  - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md new file mode 100644 index 0000000000..fc2a63266c --- /dev/null +++ b/windows/keep-secure/guidance-and-best-practices-wip.md @@ -0,0 +1,26 @@ +--- +title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10) +description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP). +ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# General guidance and best practices for Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview + +This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP). + +## In this section +|Topic |Description | +|------|------------| +|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP), in your enterprise. | +|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | +|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | \ No newline at end of file From 3ea1a3ef7744d0f5902329b66279f7701cfc23e1 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:12:36 -0700 Subject: [PATCH 09/59] Fixed branding and removed beta slug --- .../enlightened-microsoft-apps-and-edp.md | 88 +------------------ .../enlightened-microsoft-apps-and-wip.md | 77 ++++++++++++++++ 2 files changed, 79 insertions(+), 86 deletions(-) create mode 100644 windows/keep-secure/enlightened-microsoft-apps-and-wip.md diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md index bf8d546f56..c152dca1e5 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md @@ -1,89 +1,5 @@ --- title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. -ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# List of enlightened Microsoft apps for use with enterprise data protection (EDP) - -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. - -## Enlightened versus unenlightened apps -Apps can be enlightened (policy-aware) or unenlightened (policy unaware). - -- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies. - -- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because: - - - Windows Desktop shows it as always running in enterprise mode. - - - Windows **Save As** experiences only allow you to save your files as enterprise. - -## List of enlightened Microsoft apps -Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: - -- Microsoft Edge - -- Internet Explorer 11 - -- Microsoft People - -- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar - -- Microsoft Photos - -- Microsoft OneDrive - -- Groove Music - -- Notepad - -- Microsoft Paint - -- Microsoft Movies & TV - -- Microsoft Messaging - -## Adding enlightened Microsoft apps to the Protected Apps list -You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. - -|Product name |App info | -|-------------|---------| -|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app | -|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app | -|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app | -|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app | -|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app | -|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app | -|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app | -|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app | -|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app | -|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app | -|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app | -|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app | -|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app | -|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app | -|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app | - - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md new file mode 100644 index 0000000000..cd22a1751b --- /dev/null +++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md @@ -0,0 +1,77 @@ +--- +title: List of enlightened Microsoft apps for use with Windows Information Protection(WIP) (Windows 10) +description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. +ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# List of enlightened Microsoft apps for use with Windows Information Protection(WIP) + +**Applies to:** + +- Windows 10, version 6017 +- Windows 10 Mobile Preview + +Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. + +## Enlightened versus unenlightened apps +Apps can be enlightened (policy-aware) or unenlightened (policy-unaware). + +- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies. + +- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because: + + - Windows Desktop shows it as always running in enterprise mode. + + - Windows **Save As** experiences only allow you to save your files as enterprise. + +## List of enlightened Microsoft apps +Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: + +- Microsoft Edge + +- Internet Explorer 11 + +- Microsoft People + +- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar + +- Microsoft Photos + +- Microsoft OneDrive + +- Groove Music + +- Notepad + +- Microsoft Paint + +- Microsoft Movies & TV + +- Microsoft Messaging + +## Adding enlightened Microsoft apps to the allowed apps list +You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. + +|Product name |App info | +|-------------|---------| +|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app | +|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app | +|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app | +|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app | +|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app | +|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app | +|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app | +|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app | +|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app | +|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app | +|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app | +|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app | +|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app | +|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app | +|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app | \ No newline at end of file From 28a18558660f1ef84d298c390d18e04f96dbc5e5 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:23:15 -0700 Subject: [PATCH 10/59] Fixed branding and removed slug --- .../deploy-edp-policy-using-intune.md | 49 +------------------ .../deploy-wip-policy-using-intune.md | 39 +++++++++++++++ 2 files changed, 41 insertions(+), 47 deletions(-) create mode 100644 windows/keep-secure/deploy-wip-policy-using-intune.md diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md index 7b23a44cf2..c9528077e0 100644 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md @@ -1,50 +1,5 @@ --- title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. -ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 -keywords: EDP, Enterprise Data Protection, Intune -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Deploy your enterprise data protection (EDP) policy using Microsoft Intune -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. - -**To deploy your EDP policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - - ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

-The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

-The policy is deployed to the selected users' devices. - -## Related topics -- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) --[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune +--- \ No newline at end of file diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md new file mode 100644 index 0000000000..7764b128bd --- /dev/null +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md @@ -0,0 +1,39 @@ +--- +title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) +description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. +ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview + +After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. + +**To deploy your WIP policy** + +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + + ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

+The added people move to the **Selected Groups** list on the right-hand pane. + + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) + +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

+The policy is deployed to the selected users' devices. + +## Related topics +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file From 861e24f8e55073538f7ecf235cd5b9cf3ec36c07 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:30:21 -0700 Subject: [PATCH 11/59] Fixing branding and removing slug --- .../create-vpn-and-edp-policy-using-intune.md | 118 +----------------- .../create-vpn-and-wip-policy-using-intune.md | 113 +++++++++++++++++ ...edpmodeid.png => intune-vpn-wipmodeid.png} | Bin 3 files changed, 115 insertions(+), 116 deletions(-) create mode 100644 windows/keep-secure/create-vpn-and-wip-policy-using-intune.md rename windows/keep-secure/images/{intune-vpn-edpmodeid.png => intune-vpn-wipmodeid.png} (100%) diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md index 760968b092..edd007a4f0 100644 --- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md @@ -1,119 +1,5 @@ --- title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. -ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. - -## Create your VPN policy using Microsoft Intune -Follow these steps to create the VPN policy you want to use with EDP. - -**To create your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) - -3. Type *EdpModeID* into the **Name** box, along with an optional description for your policy into the **Description** box. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) - -4. In the **VPN Settings** area, type the following info: - - - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. - - - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. - - - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. - - - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). - - ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) - -5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

-It's your choice whether you check the box to **Remember the user credentials at each logon**. - - ![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) - -6. You can leave the rest of the default or blank settings, and then click **Save Policy**. - -## Deploy your VPN policy using Microsoft Intune -After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy. - -**To deploy your VPN policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

-The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

-The policy is deployed to the selected users' devices. - -## Link your EDP and VPN policies and deploy the custom configuration policy -The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies - -**To link your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png) - -4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info. - -5. In the **OMA-URI Settings** area, type the following info: - - - **Setting name.** Type **EdpModeID** as the name. - - - **Data type.** Pick the **String** data type. - - - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EdpModeId`, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`. - - - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. - - ![Microsoft Intune: Fill in the OMA-URI Settings for the EdpModeID setting](images/intune-vpn-omaurisettings.png) - -6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** - - - **To deploy your linked policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane. - -3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune +--- \ No newline at end of file diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md new file mode 100644 index 0000000000..9b63ed5c71 --- /dev/null +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md @@ -0,0 +1,113 @@ +--- +title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10) +description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. +ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b +keywords: WIP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview + +After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. + +## Create your VPN policy using Microsoft Intune +Follow these steps to create the VPN policy you want to use with WIP. + +**To create your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) + +3. Type *WIPModeID* into the **Name** box, along with an optional description for your policy into the **Description** box. + + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) + +4. In the **VPN Settings** area, type the following info: + + - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. + + - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. + + - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. + + - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). + + ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) + +5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

+It's your choice whether you check the box to **Remember the user credentials at each logon**. + + ![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) + +6. You can leave the rest of the default or blank settings, and then click **Save Policy**. + +## Deploy your VPN policy using Microsoft Intune +After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. + +**To deploy your VPN policy** + +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

+The added people move to the **Selected Groups** list on the right-hand pane. + + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) + +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

+The policy is deployed to the selected users' devices. + +## Link your WIP and VPN policies and deploy the custom configuration policy +The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies + +**To link your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) + +4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info. + +5. In the **OMA-URI Settings** area, type the following info: + + - **Setting name.** Type **WIPModeID** as the name. + + - **Data type.** Pick the **String** data type. + + - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//WIPModeId`, replacing *<your\_wip\_policy\_name>* with the name you gave to your WIP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/WIPModeId`. + + - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. + + ![Microsoft Intune: Fill in the OMA-URI Settings for the WIPModeID setting](images/intune-vpn-omaurisettings.png) + +6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** + + + **To deploy your linked policy** + +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane. + +3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. + + + + + diff --git a/windows/keep-secure/images/intune-vpn-edpmodeid.png b/windows/keep-secure/images/intune-vpn-wipmodeid.png similarity index 100% rename from windows/keep-secure/images/intune-vpn-edpmodeid.png rename to windows/keep-secure/images/intune-vpn-wipmodeid.png From 44fefa2e331ec2d0052588e71d202f97b35bfd6a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:35:48 -0700 Subject: [PATCH 12/59] Fixed branding and removed slug --- .../create-edp-policy-using-sccm.md | 540 +----------------- .../create-wip-policy-using-sccm.md | 539 +++++++++++++++++ 2 files changed, 541 insertions(+), 538 deletions(-) create mode 100644 windows/keep-secure/create-wip-policy-using-sccm.md diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index ee26d44b41..354503af96 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -1,541 +1,5 @@ --- title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview -- System Center Configuration Manager (version 1605 Tech Preview or later) - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network. - ->**Important**
-If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions. - -## Add an EDP policy -After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy. - -**To create a configuration item for EDP** - -1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - - ![System Center Configuration Manager, Configuration Items screen](images/edp-sccm-addpolicy.png) - -2. Click the **Create Configuration Item** button.

-The **Create Configuration Item Wizard** starts. - - ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/edp-sccm-generalscreen.png) - -3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. - - - **Settings for devices managed with the Configuration Manager client:** Windows 10 - - -OR- - - - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 - -5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png) - -6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**. - - ![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png) - -The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization. - -### Add app rules to your policy -During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. - ->**Important**
-EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -#### Add a store app rule to your policy -For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. - -**To add a store app** - -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - - ![Create Configuration Item wizard, add a universal store app](images/edp-sccm-adduniversalapp.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick **Store App** from the **Rule template** drop-down list. - - The box changes to show the store app rule options. - -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. - -If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the Publisher and Product Name values for Store apps without installing them** - -1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - - >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. - -3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - - The API runs and opens a text editor with the app details. - - ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - -4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example: - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - - >**Note**
- Your PC and phone must be on the same wireless network. - -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - -3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - -7. Start the app for which you're looking for the publisher and product name values. - -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example: - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -#### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. - -**To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - - ![Create Configuration Item wizard, add a classic desktop app](images/edp-sccm-adddesktopapp.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick **Desktop App** from the **Rule template** drop-down list. - - The box changes to show the desktop app rule options. - -5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended.)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
- -If you’re unsure about what to include for the publisher, you can run this PowerShell command: - -```ps1 -Get-AppLockerFileInformation -Path "" -``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. - -In this example, you'd get the following info: - -``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... -``` -Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. - -#### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. - -**To create an app rule and xml file using the AppLocker tool** -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) - -3. Right-click in the right-hand pane, and then click **Create New Rule**. - - The **Create Packaged app Rules** wizard appears. - -4. On the **Before You Begin** page, click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) - -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) - -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) - -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) - -8. On the updated **Publisher** page, click **Create**. - - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) - -9. Review the Local Security Policy snap-in to make sure your rule is correct. - - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) - -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - - The **Export policy** box opens, letting you export and save your new policy as XML. - - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) - -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - - **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos. - - ```xml - - - - - - - - - - - - - - - - ``` -12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. - -**To import your Applocker policy file app rule using 1System Center Configuration Manager** -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - - ![Create Configuration Item wizard, add an AppLocker policy](images/edp-sccm-addapplockerfile.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. - - The box changes to let you import your AppLocker XML policy file. - -5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box. - - The file is imported and the apps are added to your **App Rules** list. - -#### Exempt apps from EDP restrictions -If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt a store app, a desktop app, or an AppLocker policy file app rule** - -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. - -3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. - - Be aware that when you exempt apps, they’re allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. - -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. - -5. Click **OK**. - -### Manage the EDP-protection level for your enterprise data -After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. - -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. - -|Mode |Description | -|-----|------------| -|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.| -|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.| - -![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png) - -### Define your enterprise-managed identity domains -Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies. - -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. - -**To add your corporate identity** - -- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/edp-sccm-corp-identity.png) - -### Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - -There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->**Important**
-- Every EDP policy should include policy that defines your enterprise network locations. -- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. - -**To define where your protected apps can find and send enterprise data on you network** - -1. Add additional network locations your apps can access by clicking **Add**. - - The **Add or edit corporate network definition** box appears. - -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - - ![Add or edit corporate network definition box, Add your enterprise network locations](images/edp-sccm-add-network-domain.png) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by EDP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

- -3. Add as many locations as you need, and then click **OK**. - - The **Add or edit corporate network definition** box closes. - -4. Decide if you want to Windows to look for additional network settings. - - ![Create Configuration Item wizard, Add whether to search for additional network settings](images/edp-sccm-optsettings.png) - - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. - - - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. - -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png) - - After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. - -#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. -2. Run this command: - - `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. - -### Choose your optional EDP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. - -![Create Configuration Item wizard, Choose any additional, optional settings](images/edp-sccm-additionalsettings.png) - -**To set your optional settings** -1. Choose to set any or all of the optional settings: - - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: - - - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. - - - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. - - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - -2. After you pick all of the settings you want to include, click **Summary**. - -### Review your configuration choices in the Summary screen -After you've finished configuring your policy, you can review all of your info on the **Summary** screen. - -**To view the Summary screen** -- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/edp-sccm-summaryscreen.png) - - A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. - - -## Deploy the EDP policy -After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: -- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224) -- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225) -- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226) - -## Related topics -- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372) -- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623) -- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624) \ No newline at end of file +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm +--- \ No newline at end of file diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md new file mode 100644 index 0000000000..9ec85316b1 --- /dev/null +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -0,0 +1,539 @@ +--- +title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) +description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview +- System Center Configuration Manager 2016 + +System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. + +>**Important**
+If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an WIP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between WIP policies across these versions. + +## Add an WIP policy +After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. + +**To create a configuration item for WIP** + +1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. + + ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + +2. Click the **Create Configuration Item** button.

+The **Create Configuration Item Wizard** starts. + + ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png) + +3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. + + - **Settings for devices managed with the Configuration Manager client:** Windows 10 + + -OR- + + - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 + +5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. + + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportwiplat.png) + +6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**. + + ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png) + +The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. + +### Add app rules to your policy +During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. + +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. + +>**Important**
+WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + +#### Add a store app rule to your policy +For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. + +**To add a store app** + +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + + ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. + +4. Pick **Store App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. + +If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + +**To find the Publisher and Product Name values for Store apps without installing them** + +1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. + + >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. + + The API runs and opens a text editor with the app details. + + ``` json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + +4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example: + ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. + + >**Note**
+ Your PC and phone must be on the same wireless network. + +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + +3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + +7. Start the app for which you're looking for the publisher and product name values. + +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example: + ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +#### Add a desktop app rule to your policy +For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. + +**To add a desktop app to your policy** +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + + ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. + +4. Pick **Desktop App** from the **Rule template** drop-down list. + + The box changes to show the desktop app rule options. + +5. Pick the options you want to include for the app rule (see table), and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended.)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ +If you’re unsure about what to include for the publisher, you can run this PowerShell command: + +```ps1 +Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. + +In this example, you'd get the following info: + +``` json +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. + +#### Add an AppLocker policy file +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. + +**To create an app rule and xml file using the AppLocker tool** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. + + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + +3. Right-click in the right-hand pane, and then click **Create New Rule**. + + The **Create Packaged app Rules** wizard appears. + +4. On the **Before You Begin** page, click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + +6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. + + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. + + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + +8. On the updated **Publisher** page, click **Create**. + + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + +9. Review the Local Security Policy snap-in to make sure your rule is correct. + + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. + + The **Export policy** box opens, letting you export and save your new policy as XML. + + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + + **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos. + + ```xml + + + + + + + + + + + + + + + + ``` +12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. + +**To import your Applocker policy file app rule using 1System Center Configuration Manager** +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + + ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. + +4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. + + The box changes to let you import your AppLocker XML policy file. + +5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box. + + The file is imported and the apps are added to your **App Rules** list. + +#### Exempt apps from WIP restrictions +If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. + +**To exempt a store app, a desktop app, or an AppLocker policy file app rule** + +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. + +3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. + + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: + + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + +5. Click **OK**. + +### Manage the WIP-protection level for your enterprise data +After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. + +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. + +|Mode |Description | +|-----|------------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.| + +![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png) + +### Define your enterprise-managed identity domains +Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. + +You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. + +**To add your corporate identity** + +- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. + + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png) + +### Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. + +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). + +>**Important**
+- Every WIP policy should include policy that defines your enterprise network locations. +- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. + +**To define where your protected apps can find and send enterprise data on you network** + +1. Add additional network locations your apps can access by clicking **Add**. + + The **Add or edit corporate network definition** box appears. + +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ +3. Add as many locations as you need, and then click **OK**. + + The **Add or edit corporate network definition** box closes. + +4. Decide if you want to Windows to look for additional network settings. + + ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) + + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. + +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + +#### Create and verify an Encrypting File System (EFS) DRA certificate for WIP +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use WIP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +>**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. +2. Run this command: + + `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
Because these files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your WIP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. + +**To verify your data recovery certificate is correctly set up on an WIP client computer** +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c `
Where `` is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** +1. Copy your WIP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. + +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) + +**To set your optional settings** +1. Choose to set any or all of the optional settings: + + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: + + - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. + + - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. + + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + + - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + +2. After you pick all of the settings you want to include, click **Summary**. + +### Review your configuration choices in the Summary screen +After you've finished configuring your policy, you can review all of your info on the **Summary** screen. + +**To view the Summary screen** +- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. + + ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png) + + A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. + + +## Deploy the WIP policy +After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: +- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224) +- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225) +- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226) + +## Related topics +- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372) +- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623) +- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624) \ No newline at end of file From 1b621ca9f13e514bbb4a7507a25c005e5c71aaba Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:36:44 -0700 Subject: [PATCH 13/59] Added text to note --- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 9ec85316b1..8d018b5c38 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -20,7 +20,7 @@ author: eross-msft System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. >**Important**
-If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an WIP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between WIP policies across these versions. +If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602 in the Insider Preview program, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an WIP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between WIP policies across these versions. ## Add an WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. From e190dca28f1acc5b377c5e0ef2c971277cacc123 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:41:30 -0700 Subject: [PATCH 14/59] Fixed branding and removed slug --- .../create-edp-policy-using-intune.md | 512 +----------------- .../create-wip-policy-using-intune.md | 511 +++++++++++++++++ 2 files changed, 513 insertions(+), 510 deletions(-) create mode 100644 windows/keep-secure/create-wip-policy-using-intune.md diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 49a3959cc2..77a7c0ee85 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -1,513 +1,5 @@ --- title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create an enterprise data protection (EDP) policy using Microsoft Intune -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. - -## Important note about the June service update -We've received some great feedback from you, our Windows 10 Insider Preview customers, about our enterprise data protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing enterprise data protection policy after we release the June service update in your test environment, your existing Windows 10 enterprise data protection app rules (formerly in the **Protected Apps** area) will be removed.

To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing enterprise data protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules. - -![Microsoft Intune: Reconfigure app rules list dialog box](images/edp-intune-app-reconfig-warning.png) - -Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. - -## Add an EDP policy -After you’ve set up Intune for your organization, you must create an EDP-specific policy. - -**To add an EDP policy** -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. - -2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) - -### Add app rules to your policy -During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. - ->**Important**
-EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your App Rules list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -

->**Note**
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. - -#### Add a store app rule to your policy -For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. - -**To add a store app** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic. - -4. Pick **Store App** from the **Rule template** drop-down list. - - The box changes to show the store app rule options. - -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. - -If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the Publisher and Product Name values for Store apps without installing them** -1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - - >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. - -3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - - The API runs and opens a text editor with the app details. - - ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` -4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - - >**Note**
- Your PC and phone must be on the same wireless network. - -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - -3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - -7. Start the app for which you're looking for the publisher and product name values. - -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -#### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. - -**To add a desktop app** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic. - -4. Pick **Desktop App** from the **Rule template** drop-down list. - - The box changes to show the store app rule options. - -5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended.)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
- -If you’re unsure about what to include for the publisher, you can run this PowerShell command: - -```ps1 - Get-AppLockerFileInformation -Path "" -``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. - -In this example, you'd get the following info: - -``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... -``` -Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. - -#### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. - -**To create an app rule and xml file using the AppLocker tool** -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) - -3. Right-click in the right-hand pane, and then click **Create New Rule**. - - The **Create Packaged app Rules** wizard appears. - -4. On the **Before You Begin** page, click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) - -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) - -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) - -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) - -8. On the updated **Publisher** page, click **Create**. - - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) - -9. Review the Local Security Policy snap-in to make sure your rule is correct. - - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) - -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - - The **Export policy** box opens, letting you export and save your new policy as XML. - - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) - -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - - **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos. - - ```xml - - - - - - - - - - - - - - - - ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. - -**To import your Applocker policy file app rule using Microsoft Intune** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic. - -4. Pick **AppLocker policy file** from the **Rule template** drop-down list. - - The box changes to let you import your AppLocker XML policy file. - -5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. - - The file is imported and the apps are added to your **App Rules** list. - -#### Exempt apps from EDP restrictions -If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt a store app, a desktop app, or an AppLocker policy file app rule** -1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. - -3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. - - Be aware that when you exempt apps, they’re allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. - -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. - -5. Click **OK**. - -### Manage the EDP protection mode for your enterprise data -After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. - -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. - -|Mode |Description | -|-----|------------| -|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.| -|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.| - -![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) - -### Define your enterprise-managed corporate identity -Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies. - -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. - -**To add your corporate identity** -- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - - ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) - -### Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - -There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->**Important**
-- Every EDP policy should include policy that defines your enterprise network locations.

-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. - -**To define where your protected apps can find and send enterprise data on you network** - -1. Add additional network locations your apps can access by clicking **Add**. - - The **Add or edit corporate network definition** box appears. - -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - - ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by EDP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

- -3. Add as many locations as you need, and then click **OK**. - - The **Add corporate network definition** box closes. - -4. Decide if you want to Windows to look for additional network settings: - - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. - - - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. - -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) - - After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. - -#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name *EFSDRA*; however, this name can be replaced with anything that makes sense to you. - ->**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. - -### Choose your optional EDP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. - -![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) - -**To set your optional settings** -1. Choose to set any or all of the optional settings: - - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: - - - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. - - - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - - **Show the enterprise data protection icon overlay.** Determines whether the enterprise data protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are: - - - **Yes (recommended).** Allows the enterprise data protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. - - - **No, or not configured.** Stops the enterprise data protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. - -2. Click **Save Policy**. - -## Related topics -- [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) \ No newline at end of file +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune +--- \ No newline at end of file diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md new file mode 100644 index 0000000000..f36b3b2b65 --- /dev/null +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -0,0 +1,511 @@ +--- +title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) +description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +--- + +# Create a Windows Information Protection (WIP) policy using Microsoft Intune +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile Preview + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. + +## Important note about the June service update +We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.

To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules. + +![Microsoft Intune: Reconfigure app rules list dialog box](images/wip-intune-app-reconfig-warning.png) + +Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. + +## Add an WIP policy +After you’ve set up Intune for your organization, you must create an WIP-specific policy. + +**To add an WIP policy** +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. + +2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) + +### Add app rules to your policy +During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. + +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. + +>**Important**
+WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your App Rules list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + +

+>**Note**
+If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. + +#### Add a store app rule to your policy +For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. + +**To add a store app** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **Store App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. + +If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + +**To find the Publisher and Product Name values for Store apps without installing them** +1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. + + >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. + +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. + + The API runs and opens a text editor with the app details. + + ``` json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` +4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ + ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. + + >**Note**
+ Your PC and phone must be on the same wireless network. + +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + +3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + +7. Start the app for which you're looking for the publisher and product name values. + +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ + ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +#### Add a desktop app rule to your policy +For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. + +**To add a desktop app** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **Desktop App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Pick the options you want to include for the app rule (see table), and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended.)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ +If you’re unsure about what to include for the publisher, you can run this PowerShell command: + +```ps1 + Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. + +In this example, you'd get the following info: + +``` json + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. + +#### Add an AppLocker policy file +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. + +**To create an app rule and xml file using the AppLocker tool** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. + + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + +3. Right-click in the right-hand pane, and then click **Create New Rule**. + + The **Create Packaged app Rules** wizard appears. + +4. On the **Before You Begin** page, click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + +6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. + + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. + + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + +8. On the updated **Publisher** page, click **Create**. + + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + +9. Review the Local Security Policy snap-in to make sure your rule is correct. + + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. + + The **Export policy** box opens, letting you export and save your new policy as XML. + + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + + **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos. + + ```xml + + + + + + + + + + + + + + + + ``` +12. After you’ve created your XML file, you need to import it by using Microsoft Intune. + +**To import your Applocker policy file app rule using Microsoft Intune** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **AppLocker policy file** from the **Rule template** drop-down list. + + The box changes to let you import your AppLocker XML policy file. + +5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. + + The file is imported and the apps are added to your **App Rules** list. + +#### Exempt apps from WIP restrictions +If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. + +**To exempt a store app, a desktop app, or an AppLocker policy file app rule** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. + +3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. + + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: + + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + +5. Click **OK**. + +### Manage the WIP protection mode for your enterprise data +After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. + +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. + +|Mode |Description | +|-----|------------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.| + +![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) + +### Define your enterprise-managed corporate identity +Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. + +You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. + +**To add your corporate identity** +- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. + + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) + +### Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. + +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). + +>**Important**
+- Every WIP policy should include policy that defines your enterprise network locations.

+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. + +**To define where your protected apps can find and send enterprise data on you network** + +1. Add additional network locations your apps can access by clicking **Add**. + + The **Add or edit corporate network definition** box appears. + +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ +3. Add as many locations as you need, and then click **OK**. + + The **Add corporate network definition** box closes. + +4. Decide if you want to Windows to look for additional network settings: + + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. + +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + +#### Create and verify an Encrypting File System (EFS) DRA certificate for WIP +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use WIP in your organization. For the purposes of this section, we’ll use the file name *EFSDRA*; however, this name can be replaced with anything that makes sense to you. + +>**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
Because these files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your WIP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. + +**To verify your data recovery certificate is correctly set up on an WIP client computer** +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c `
Where `` is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** +1. Copy your WIP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. + +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) + +**To set your optional settings** +1. Choose to set any or all of the optional settings: + + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: + + - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. + + - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. + + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are: + + - **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. + + - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. + +2. Click **Save Policy**. + +## Related topics +- [Add multiple apps to your Windows Information Protection (WIP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) +- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) +- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file From 62147edd56c84d4e2c0bcbca60c6c4659449602b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:45:50 -0700 Subject: [PATCH 15/59] Fixed branding and removed slug --- ...apps-to-protected-list-using-custom-uri.md | 40 +++++++++---------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 56525c8a4e..74316d36c2 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -1,8 +1,8 @@ --- -title: Add apps to your enterprise data protection (EDP) policy by using Microsoft Intune and custom URI functionality (Windows 10) -description: Add apps to your enterprise data protection (EDP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker. +title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune and custom URI functionality (Windows 10) +description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker. ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 -keywords: EDP, Enterprise Data Protection, protected apps, protected app list +keywords: WIP, Enterprise Data Protection, protected apps, protected app list ms.prod: w10 ms.mktglfcycl: explore ms.pagetype: security @@ -10,17 +10,15 @@ ms.sitesec: library author: eross-msft --- -# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality +# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality **Applies to:** -- Windows 10 Insider Preview +- Windows 10, version 1607 - Windows 10 Mobile Preview -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] +You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). -You can add apps to your enterprise data protection (EDP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). - ->**Important**   +>**Important**
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. ## Add Store apps @@ -28,15 +26,15 @@ Results can be unpredictable if you configure your policy using both the UI and 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**. - The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder. + The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder. 3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box. - You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. + You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users. 4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. - This name should be easily recognizable, such as *EDP_StoreApps_Rules*. + This name should be easily recognizable, such as *WIP_StoreApps_Rules*. 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. @@ -67,29 +65,29 @@ Results can be unpredictable if you configure your policy using both the UI and ``` 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. +After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. ## Add Desktop apps 1. Open the Local Security Policy snap-in (SecPol.msc). 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**. - The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder. + The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder. 3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box. - You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. + You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users. 4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. - This name should be easily recognizable, such as *EDP_DesktopApps_Rules*. + This name should be easily recognizable, such as *WIP_DesktopApps_Rules*. 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.

- >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. @@ -117,12 +115,12 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. - After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. ##Related topics -- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) -- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) +- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)   From 3903ea006fc8d49f8a42072b6947694775cad5b6 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:48:41 -0700 Subject: [PATCH 16/59] Fixed branding for EDP to WIP --- .../change-history-for-keep-windows-10-secure.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index c3532cc64d..13dd970533 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,8 +18,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |----------------------|-------------| |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | -|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New | +|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated | |[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated | @@ -28,7 +28,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your Windows Information Protection app rules after delivery of the June service update. | | [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics | | [Windows security baselines](windows-security-baselines.md) | New | @@ -40,7 +40,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.| | [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New | @@ -56,7 +56,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| |[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.| -|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.| +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.| ## February 2016 From 80951b3c084d5e91e9bffdda9e1bc96ef93119f4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:50:21 -0700 Subject: [PATCH 17/59] Removed beta slug --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 5f9b52ebf2..e925b57589 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -1,7 +1,7 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. -keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection +keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -11,11 +11,9 @@ ms.pagetype: security # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate **Applies to:** -- Windows 10 Insider Preview +- Windows 10, version 1607 - Windows 10 Mobile Preview -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. From e8f62165685937828a73704f220e89a14e26540a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 17:52:33 -0700 Subject: [PATCH 18/59] Fixed branding --- windows/keep-secure/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 08feae0e2e..4d81cd0545 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -24,7 +24,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | | [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | -| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | +| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | From bfac0d815c111a0acbf623a253372092339b9f3f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 18:00:31 -0700 Subject: [PATCH 19/59] Fixed file name --- windows/keep-secure/create-wip-policy-using-intune.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f36b3b2b65..f10d78cd8f 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -48,7 +48,7 @@ WIP-aware apps are expected to prevent enterprise data from going to unprotected

>**Note**
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. +If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -78,7 +78,7 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. + If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -505,7 +505,7 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. ## Related topics -- [Add multiple apps to your Windows Information Protection (WIP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) +- [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file From 46c1eb6fa7894888c824815805acca2397b08769 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 18:04:17 -0700 Subject: [PATCH 20/59] Updated branding --- windows/keep-secure/TOC.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 86c984bbe8..1685cb6d60 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -22,18 +22,18 @@ #### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) ### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) -## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) -### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) -#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) -##### [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) +## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) +### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) +#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +##### [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) +##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) -### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) +### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) -#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) -#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) +#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) +#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [VPN profile options](vpn-profile-options.md) ## [Windows security baselines](windows-security-baselines.md) From e6f539b495af410027f42f110317bfd8f08e1837 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 19:56:01 -0700 Subject: [PATCH 21/59] Updating --- .../keep-secure/create-wip-policy-using-sccm.md | 2 +- .../keep-secure/images/intune-vpn-edpmodeid.png | Bin 0 -> 25315 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 windows/keep-secure/images/intune-vpn-edpmodeid.png diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 8d018b5c38..29f3869319 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -48,7 +48,7 @@ The **Create Configuration Item Wizard** starts. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportwiplat.png) + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png) 6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**. diff --git a/windows/keep-secure/images/intune-vpn-edpmodeid.png b/windows/keep-secure/images/intune-vpn-edpmodeid.png new file mode 100644 index 0000000000000000000000000000000000000000..80852af30d509225ba4c4281c45ae86c2d442676 GIT binary patch literal 25315 zcmZ5`WmsHGmoDz^65N9aYdpBSyIZiv-Q6Kr2n_^x5AIHIcWc}sxN|w@o4GUh{^)1F z{q9;;Rcn=WM=2{xp&}6>K|nyD%1Dc=LO?))ARr)_5#TE-tR{$%Fh3Yg=26s#kcn&doFPs<2QFM43OaY#a$m za{>h+vj1`Eio19&-wgW)ja(W>tG73bPGx_||h{%ZEj&4XF7A1^p}yi;Ig^U+S)peyRQ&N^bi&!|mDTJGnwG$JNyp z8yA<^TRYYm^}39G>Mz^e*!+C84j_y6Vc#bq@8Ic~8B3#+nL=dF$Zn+itHb}%fjQyW z_$X_UoGR|-<~C?HgR|e4;i79XGG`Op+4;*5kj|p_XHD*pF&c@`#KY@7`A*Y2hRflw zlcc(#1bpg$MsBYXZ=$mEc4i5)pdoW6^+@%Q{Ea^fMJR@sL$G$|p!~L4Ba&vR%Y{nF zunV=fPRh~sy&CpY*g>q$l8ex3CE@i*8K0f*S=7AVi!#e&<{RlhgM~Yxm8|MW5BjOA zJN8L6r^R&dSTlnsfWpk$yq^Jyu_$zry7oMuTkFLpZv(1v1w%Zh(?bNL?eT zUN)MC6!u-S#%6YC^ZvYSXLB7A)#=`p$EiSy`ds7tCyRUVo>1L17e0aO!2T=#a*o_L z(r(+x*jkGF`qfCp2iIAT$aX#H_e(W;oRL)=@af8Y;_}}qac%GCaU zA8-y3+1-Dk{;sGnzH!8yuqyTXV}CyZDjS7mUZK=(7KIs?cT??cu%j%%{wgW*ur4nQIy z#DT!}(`aVB3c4j`1x=QgRrTS%L$l3MpeM1pNs7}NSWABtDo5AQ*`;P;m)#{9ciV!6 zL?Nizg^A8ShTGHCMewg;R58Xc(`)w6*;(Jqbo&Pe!QYgjMvh4-Sb5OFV3TG%qIpkK zDkyzz<-i|5v|(Vw$f*V3WEgl$5_yw^Y4gZ?&sJp+P!p&R&_t}onZ9!%tLR)e3w=q> z0QF|u&eowXb+T?gaXfF7i?9z@m)Htqd?#wW`Ry8-)Cg;cEMaa(`30GgPXSQ=dEmh_ z9)2~x13x+QzPK3%5wXeXRq`SEO?+Kk))JHYOI~hWXnonfBlTLVM0{L?^nN;`v)?r` z2C)aSc{$U}5V0K@$JHo#nmUClA1%9w%6uB*+`w@AizPK8IIli1> z#>d3gB4=Qa(obfasRs5_)9(0tRoa26lXedewP7Mc^J^;5Qd8%pJAKe8a>1vyNloW@ zzr<%wk%u_IzX=7=={gP2Bxsm@-6$jV?}wN-CNuFA!&^0#J_*;{hcUR>5UZ-G4hs?u z#M_X!9PC^ah^aqr!5XoUQSdV&V`5?=pmYW$4(pl6iWj8p4fN_TluF7ve<4gpXzapt zk{M80Pgv;g+lQ9d=ZBx-w#V;A|l+q9*ZbYlnZty}!VtjYd0LaP7 zZt;#}d^(BN(}>$-EoB<2U0-E4|0+yyc=9#qCgChU8$wO%A@3JCyqN*huL83;wp=@k z7mH^k-~-g@lVGs4E@3-eOVYC}wp>$=KWy(K0RtlYkDa}E(sh&`i|QyWm_f@Q`>%+N z71`_hfQw`aHME6Yp{d?U{JvWMJ-elwQ#4YoC_&BDU&Mp**>Sc}yyC|{k&C}4!`ICu zUslDjSA3S4YrRnK8Bi`CJMpxjX86Hh;RYfHM+>yoP_#@h>0Iuu8wA+liPnqO% zd(~)j3K10i#G2!>gGZ-Jcjd$n5Q|e1jqbnyG-o-5R|>8vh*yOBw@enz@tf%t+!f3X zK{@dHdMxI_V^ilFQ1yDo6!g&$sp(2J75Hgnlgay>onu7RzGAk?FgO#AyNR zXJ#o)MT$E|-LbpZ@_dtF>i5Yp2Fb^ItD!|raOU1@w;H&|;)MxDidN)DMjUoqlciLNqbIS@H3e$RhIH zJm|k;h5wQBRr&k9SI6KPqWI1(_-it{1~%g<;DulHi!;U8NDu5g)sL=ypU6LHvYVA4 zSc?{xhp~(3*iIQXzd%0kTjHoy!hys@>y>ynWMgZ)kerDj_f}xEIL!~Cl`z~L6GJ&C z=Ff6AiOMaGkX8*{bh4Hg#n;CMZ6aR5&n2?#v}Ggk%q{e)kB?1 z`Q&R~{d&x!kn+HZ>3?t<*QZaeiy#Y7N?C67Beo1GHbZ((gu#(~p;QA5Q2!L1^ur*A zbl`2b_2-~xxSi}p(TK(@C80la z`tmOkJnA^<)Vu==Xoi(3hcz3CMzvUQs*jjwdnPeEJ7}kkr&l{4*>0^pQAKmTw3k5! zIifL~NWL-)BVALT4*H*st{N4{dsijpgxmLzZ`aO{=HvG0cx*Onh~ zHqztx`SjbrQNYy8fo>c<6rutFeGXXm0ZY67T?tB-aVZNXJNc8tlR0UD1#7L4{MS`e zY;1ikHNR)|W-#U7P z6rfcM%A>$xBMQ`IR#F(qb4-1B>)irxc3Zn{#hb~^esrkwI; zHNc6qUQ8|U%DCjx4fxNT(4q2KSlz{roQge__0~)ZwJS?0PV~y}|Vl-&nvRZFP z;lNU9aw80BTQ=u`r;MNr(1&M{LPKuKPHm~Fq-G^l98?HZO9^x0mYh0w2pMI!8IPBX zPYA8#U6z|QfkP?*{&Oh9owzHSE1XnIcW~0;E)rv#3Cd%{tQpe2q>H z0l+!ezsc`hgxF_dr<>cT8Z^92E8ca>lUFjkw@pS9TPLgwrg?4rrOUIXC&C?X_4ugI zi{F9!$&IL9#qcsNZIrc9r$T1ao_ZyEsFJFZDyyMtowf2uNGR+MgIM~_ig?$N#8Mtj zOr%IO8VV1j@AU)o*RU#(TZy%#;1-yc!iF;(MZ}_(%ju2_WoiUH+jpu@Z!7R4pO3Yh zo)^7MMwMEkI@8v3tvHD8#nJhhK=4)O-@gY1)21Z0Zqet$(3WoH9XD31 z27Cs6{`M1qPt$fv#d{7{G1e+--~l*~vOq3Ymk&`ohe#g{X`AFunG+z1xZywC915O` zT%n+RmeC1h0;5pf#tB%kELS@dUiCA-#LuUhwU!g1c=M49u*VD=k}Rn_Y$7Z>_Z99zaxRv&yb};p?kNNQ6w3dF+T+Yst&#h8 z!^*5zX8c@?rTP?2?5C-8@!SUt0;2r%ROU~gHbpi!Gz-vFK7)K#s6k%KI=~aN8SgV& zC9QsB`K#+-B(map0q@F<#u}tNnrgKymRvYUdKGs@hfLJOf6pkKRFBL&87(`i;rp$ zn?&L!*Fp$q%TYHa--j{H%Zym8UQ!1JTf?~2NvOKYQnWe0M8EqZa6VkVoOWNg>J#=7 z`X0l(pVUleZ~oeaebpDxBnc+-%3Lc#*ha%`UWW zzkh#A2^X(eDJa1$ubigD5thCCuKZb3naZ*>dW!lEAvh6%LPR_fLx-njS&R~N|L&u- z?Mzb&^GfX3m3?q4Jt24y@1nGJ{~ABpM5DMV{ThG@GUz0X(6gvOeE%JEt$L}#`PPlW zwRsUgJl2H>>P_B2&Q*IP(PmzcPnnaKCoo3p2tRY;=Ii(rRFBkp(8*etqy%-O_j9Kyi%z z>wGP~oPL!;rh9ZrvQeUo+*t0BrftYN=K))$MGmAL7|N~Iad|0LMFyz|_<+x&;U?x4 z^Z%wHaHVzGN$L`c;VODFWA;)0W}9;k`e9(8-P5fTm~@7!od1RoAW`W&h62Mcir!Ze z{do2v-`>HV>Tnahd7D1VSU{?l-jYWZ4*jf~I-O@GEIwG2x^gS*D7*P(2&h?Uh^+TY zCEIb4-`3wxPr~dg1WbFCRWt2H5ZgC{T<9ulLxsXr8WKE|KUwdC8!OT@P87S{WjXcMx4{ z?P!uUrlJA2iTl~8)O*K`2#x2P}dex3DVv3ceMe?}%m)W`Y=hvM^v@pBd7 zT^c{lAtdPN=l}^8<^1Ck;1yX_BxM@>f;@igvu9)gvyCZq9X11RuLKM6GL*1sLbh=U z-=()=`Sut`a5egh&&DOZGQPVJs(s(tOKbSn5L;t<5LNuMuoIjvGv!^5};0GT*rb(!ps`F2u85C1Ak|GT57{xjmB1yJM zlBMvKL{x61BOF}E-%8DF$W1bq9iemX{eVatL`kOGQN zKeYZRK^SXzgRImI_&li^AOM7WVv=I6?Ko*#pq$&M*dO82mt#Z{!dE(zD2HpE^0~kU zu&!4aLJKLBhQ6PZ5OD1KFkRohOFj+kTN8bdj$#`1F_CZ?$ z%!@vg`vc_s4Ux$&FMQ6EDKaewn?`G^7`8^oXGv|v#=)Mc%*hV40~z63-#m9*c7_3* zQU6WG;5r1!md9q`6MZ;3x778%!lfml8$hG-os8QqUdLr&D_mPg8h1aBs(0)1S{w7+ zHuqYZc)A1h-rvpOagoCttt3=ICCl6qb+@U#Z5h3PR+uiKI-j~8LVI!Y%OS)PXjmsx zfusI=JAsk`EjtD@{qVX{!a67nCn*2|x}4|&y#1GzV;BA4L+JRyGpJ#{s6$avPUmQ| zmq!OhCHI@(Es`iFNe8XS2qJ&}ums-UNXm;&f0MN-Jz8or<9NDf>q}F!Q6d3oaA{HX zPWG+OLt5JZ6xp1@xRc|is+}uCO8J;Tf4Ui>)8xtpd89j@f6CdfW=Id(ucnS}_&v!g zvQ*7PsrAgrGZG)Idu;l#*p}kEi4FDIj5IkTE6jhJ&n8T=X>Sml*`c!Do0jd2{JO$DsF&J* z%-;HRwR3!OwEb$Cb@^;Wd}+uK#Bn#M!LC`~X}w-X`Rxahh*1-&FY6HABIDRlh9B|t zk~F@??xLCYi!O?Cxh1Og3C}=I#KfyuklMUPS>WjJB-6-Hyt2i)@E~x=VpWK&90^5l#K&n4UL6?6cR@pa+&|0=^YYaT2kuTwkE&KGEiR&ySR7 zb`(8<4v&uW(g$#wUj>Rzb&gHnk2KLdyW)d9t5NrMZrt4Z8#E9V_->`7L-#9=yO2RT zI;B7OYEXao$GT}v3epU+q~iiK7Uw$8Z2uZT+gnE+JZ}B`!ZwxO^>xm6neZ*Qmgqh` zODk|IL~pvn0oN((n}}BR;l;>TBXl=m?!jsZ{F8o*K z1)TM>+n+zT4!JPfQ=c>emTlc_;S{Gu^<6t-Hi_pqe**%_ zOwcYCY=dxD6TW5))W|RtR%>jzW(Z0>S#FWbFe&KdYJ}_lwr0Th%i$fB{5DfiN*ygP zoQ^jkH8gF2h#c0I$qaXM8q_#w|F^KlcCwS;_SG6NZWJFg5Vnkqi1An%QK z*OERN+~7dS6poT|aWZ=D$LCwGMM$(?qDPt)SU=0GZX3wruT}@!E#~VJFZwk_&4UL&B?xaDolLrv8Nuy z)EBvX8>!M|3HK9`tGUkEE_kr`q4TpJp49uWKvpl>H=SuFO@`c&^M~FOLGLWAFMt`* z&JM@-o(H#i?lsMQvnKil$C+FXeI7D;vl(S3QK&n!ktLI3GlMjTUImFiT*IlR9e01l z23#K8X;U(276HNxgMRL3+%Q&VvZUqBKq-_MOAqH$w=s`8(F4US@=o(!=RrI6HA=$@kDQP{eXFMZzj>9@v|~Cjl5&ep zcwCUYJuW^AFYt&-nY>*wM=E|MMWft!FWu={1RQ)+j^3R~s(}N3Bc=}BD?j#gllUk# z`z;r?L-4WwKb5Asds!bwYI;N&OvBvfc0zHs>>>Sy-M*S#&%l*OR#+kHZmu%(W)s|E z=5MVo1)t;3MO0f_Ej>&>#N;N+P?!=_kE7=|t&0V_!T1T#b-ZG*(s3VXzL1+=psV*J zQtL@VLh@&$M`k-yYP2FUF*yde5nK6ooX5ESc&hw*jS%pm;tNnHYoYOOMv9C}xj|Kv z-nH@Dysqx{-%L)o6_iqwKFRMt3R&i>DyeP{m*rMk?T0wri)RA9S#a{!lvSO*TQmyHzh-2I$g>X{-8z1M5Y(wi`=0Fv|EWtxP97v9(-XN- zrn9?Zz1|>vmlK~NN7tcR9rCX#Xu86W0bnRZ0sZ?(`Ir2sH~t}0R7bi$vijrAzg_e} zLDT)0fW=n9|0DO`0&t4|kDSc_RI$@)V`N9x*MIdKxoBx=;lH!9vrEW+gDYfRYkm;d zM?e;{wl1-gl|`zntE2xg_k>hlTs*|$_H^|l1r+{k%NQi!rOHi52Oo+dis02Sy?8*N z_~97>MJNW`|9}rC5kHvTZkhiD{sTX}`d{3CwfYF=Kh6IGLRztRWz8jvHD7p#D{PCj%lkZXZ zZ6EF~ZT5va-*~gwAayksEPCU_#HJIv`FXX+i>U&?@JnP?Gg4+p;^R=_biUaZvSkLp z)#6MDA~`d$u%NNEwTj?H#-n26+)hOU#psg|{L{(p58Yn(S1dmi^|X)eyLjWJx-R^C zC8mQ3u(7F5xNFhd71u4dsH=UqQjqGv^=>4ePS0u%o7@n(oJmScOO=bLsrHX)9?ma& zdjiSf6hC?q1*8Mz(ARD8SSOw7y{_;$h-8>G(GJa_O0L6dx|d8-ELl!E+9J4?YSpd#u^%(OgXupW(4OxWn(RSoc}CmbDVjX)EOqefAn>}O zw7vL(51Nqag2j?N?!oCb6?4>|HoEZf%~GV*)&{}Q&s!%a$nQJFNf|x|f0ts^YZKmk zUay3F?nwG?o6X}cTp4(JYc}5jGaNHcce|JmkLM!tvOfW;qPotX;>mcK8XtQXC($8; ztdb0rhyO`~-902w01HtB?lV=A=PRW?ezkh5)z^{f{L^POi z3O+ufS8txdcct&PR?`!izEI(%OEU~k8cV2iVM6TV9 zz~A(Xd^7u&&JTI+tU%~pvCW<|SOWmH^2hQ$zx@1=OSji2p!OsFM|C(*OC}*f;V{RG}=06q3=A;1@-;xIQ9!}V(n*>!#6)z#|?5J>db7w;C+;+<$Ad!o0{boGZzBx zq@W-3SVtzVes3+b8f<>kKJtJnV^)iB9|EDmb3#=g9}NtMgI^x6wM~T4Dm!!Hd{96i z^IFEd8x1gd|5envb?^=pt4>W#U7|6r-o;uac(h>vbGia0WyN!fhJYJXt^E6Yky+QG zH=t!AU5}Ow71TB65iyzjb$4%5!oia0P5%Ir*j7qkd3WS_&uS=&?JyEnP7D0a4(oig zD?jRg&3kRFnGP+(TLh zKFZl9X3#9D!wFgV;KS6b>ANmMBwV|eywpzG;PH<7Pu~qJmh9*LLzV7tz5#Z^-ioh3 znyN#)j}MN12>8(o2nZP4OhYSl)rb@QGhaAh6t(VgrByAz*$H>fs;!%rIL}*>neU0A zrOO?(cC%gvf4U_7h2&jU<+YidzI%oab#SH7rgAC0_%J@K+|0XdV%3fNc%K-uK`G6* zW0$f$U9Ev2+$m@0Av&xP#s^#hv~K&(*$W7H>$Vz2zMEah=jSyy3ci8;Jx@AVS@(aI z@Oaobn97^xEwZ<0VdqQ6)dTY2Fm@2ooMItiQ>HClxd$oGoO%hQF!BeJWJHv8i;CKg z2(1qt!bxo&x@I*L#Hhqwt~K*4-xpVG-4=lprF_N5FW)X)$~a|tozE?{pBfketpWJg z&TwGww8+3@ampm=Ng<#vwG9dy|IV0!L|eBGYg-IUwQF}&rfKBBco9pr`Nq#dBbbTZ zkR$?d{h+;Ytu~ThT-1qrNV>e3^Rbw}lna;UWL7XMtW@s&qH_#OKpW%*HV_N=23K0o zY9^-5ghN!h>dfIoR%}+(+7};yeFmjymW5yf35gIBDemg}dlUu=GMEQuTUwR&6m`7Y zi>0BTdA(>ag4NRbJz2>&<}02WZg%~+Y1d3i^i-tsVBPP8}{0Qog8GUQoJuu zogsmtJ8Y{D>1KMBngnsa!NJX^mBYUW%xHSKwa zUb*HE!NOp!eeez47WLLkf(2(JCN55F$|)s_`9_-m8vY^@0J@f!7EiCq!EcOZ!}|~p zgwIis0BuDLJ%RjUoA#XmScR^iuoOBpyV7Y!SBJFAvK1S-irBEQj_q@OV~Dqb-j|zv zkmx6jj>{*w+rra)$qz~Q5ld1w@s{i1X%L&|<53fAH zN1)P&H4lm=|Gky3yExK02p|;JBxhqXNu^Jx@*aem$c?!()AdboifN(~2|m-$Atr0? zBE)^*p+Qeo>8!x(reTNrt?j>#wG5w0J;Ja!g&+argP-k8$TL8+uE?cL3$svGPld@S zXktlJRSyHsji?~5C0xQ_N1f%^Ds&1i%9G;+I}|In|8kdgYj-fRH03abiH+~Ze7w*;l`Re=3ss0(rz(BZ{8g2v&Dys7hjj%IL4!X-v98d9(hjW&P z`8+b-4OYX?h5)&Lid>B>dB{qvIr){O0QhXWw@ykn9=3xBkfFwky3zlL?q(Z`jx`Q| z@6$+EGpQR6H2Vy_1Q>_7`u(5Lb*Fea#j1?Qz4Atvzq{|`T2|2OOHA6ReH<*!etBzY&L$Cr6I1Ct2@`bU(q<7+ps^`%sa zakUu*)pNcAtrmqKRmgt|Q~^FJK$!Fj@p#PrOP%oA$YdQ-K?|w6&pIxuZ8?m=jFv0uTvAs0Y^}$p%pkm#tr{ybBf|lXHeY(q=diT-a zjjwPZA~=2SvFqFJ$D4>r-xeh@yc)+D;_UX^FUVQ^ouSxG1xgM!pV`CFenb%^e~`i%@K)1jdy7yn*%j4~yhxsMIi-_d{ncNMH;j@X^H);X95Ttl5TbqS7hWIF z(qPfSri@-nOnJOaY(QmV+VEo{U%7B$?7WeI;GA6o@$Y@$4+^KFN(D`ZiBe)PwBL1nm%;`Q|GgYK?x)l|1 zN{gPtd7()RN#@#1E$u{qw6Z~iUZcdot9I>|>7w~8`w64Ea*9o^W=fskK+SKNy^2b~ zZ?atj+zWhFinrd-w!-nY2blbmFJg`zm1syquXzI@G9=LNd6ckBD0AWi;}mX{tuREI z#j;X9*rQqZwC;}dm@V-#Ri$?R##>j+!5hls6T~^ys%m?!+{fClrK1gNHQ_~HGM76l z>f{Gr15%6vkNI3iHAhJEZRjzh;a>Whab~A5Zz%7q9P;ogBDd1UoR@ z9#BG=#&ul;RY*SS!!j}w2=x}w$qX^tdw-dw%fDJ+$Or4VNf;R)FKK5-P?Yc~;n%B` zK_(N)J64f5tE9Xg6O2mI4{j%>i4BI}`ELVZA%8u0F0$DEc;Loo^Cjpe4>K3AjCKaY zb_yXN#RUfz3a{Go@pW?I+!H1qTZsBjmGdiZI-XCVdMKH8Pemo#o*0*L7;o%mFJTOh z;N}Dt$Wyq^z-u>6VP9*()Yc7}K7{r>ydAF(CB(RG-B)EvSZf2C)@9!ZeqdrCCO4oK zBp2rHjIvTl*AP1~<@~UQw3L5A@lo2`4gaKF*07XO1G%Brxiu5LUi0allna&NsCOu^ z-c8zoYII0Hp;Q}}aNvx8+>yDAn)kuZ(`Ywxt_tmW3oZa9=Qreh0Y8OYttuWK2Ag zKKnM~1@V4Tz!2nbJ?V9I*qo@o%jH;!$kn>I)w|hFK}`3eiJS2DBk`@yF;Onsqpd>^y^ zf=P-QK5#KT_UOL1sfICq(}qxSnURY6J#@6sBhc0>!~gPXq)BT!CfKi;xP7sOkO z4bAUv?AD4fG+EF+Z2UUW0)6>6E1^ajl3Oa&wCF(oRM;gZq~r@&q5bVAe4e|cDYD$X zX8aQKmn1(gbfJ6QpfVylg!#0dh_KVw#;hHGWJ)pigP4qoJM2KjJ^|pKKg9*4;zrzb zeR^)4jgh)>kIy=09Z%S^2fZ&O?c;+O2KLaMV0hUAw86;;W}6r4zBkMEOb(Yjl4f`S z`gt_od+fX4kpis3{SJ{NQ@ zcagO(yJ2Ie2QKB~Hy@5Y?(nl&J?Z!N*KiXM1u6|G4&)+xJcLs7Xm^s-?3OFDY+g<& z5b%t`o6=doznDP@k#fUinrVC2=023z3fo0*Mst;mVGP8BM|nxLN$bMyqwAk{vUaI{ zaD?m)tUP~y-@DW$KujHnOyKk7En$^Z$QVtJJ3C>o5Z*>xH*MC5>u)BACE|psPp{}n zJL6Z@6-k!=cZpKpGS8i|4??cd2Ue`t{w&gkUSP?Iu+8vdnG}(DvT0wbgjYrOME|qx zM6%UjgI{q@dQL!(F2q2Z< zi)`hv?%}0>AEDTD=oK`!+UJ8zEqvA=kuR8A_N9?lu`vMkI_)x0hrurr9p00&X=RBP z_;$O8w&eaobfDvQbEUI5nO}WiO7Nq2N5v9rpVbI5WAKQujEBlg2_szL29D9Pt$Vp! zz&BV!ZdrS|zQhHptH(Gn%d4fa;#%~f(;N_vN5r^CAl!_8XOJqa`P-Hbd&;JnCq?n1 z3R>~@N!Oaxuur%(_G_!?$<>;8`aYi^oH%o$ft82G_%DE2mXQ$ zYbo4oaW2lwQrt~}_;h}y;5w46Q(hpcx+3d&{uqw@brv!Sf0I4rK}w-Y74W5_U;5@{ zQM!agk?+X1m<=*ul)YFA|5VOv_e%EUoBZ0oNQY_K?z&c5f#)SL>PG^;2&E&K;JXx5FjRM%6Bj9{s*E$4geYBB448I zi4VO&ItXbMrx_;Wa|7L?^)5M4AMkt%>3Sgqt*S{T z0CXRSC*zpX{1zUqD*xe z{^j^U1Y7-ceAl9ra!U+KBC-buf3)x8X^t_F6W4=;YJ7w$yoTZrte+jqU*@vdI`@#_519(f z+N^Jq(D%k=%HuFwVZ#|2(Iz?m+fq&UedfVgSN`)D@e&z0qN+L2~uh+z=&$jpU+>_it&C%fwC4Ftg@mM1Hc#LqrEg zz?WHE+0haC{-sVaWo6yzXdYsnNcpIIADF|VmSU_xh@cDCw##zUZk%Q`f=UWp1<>X zlGA_U4U%_Rp$-`l1Bwp0%?ew#+b$Lw(vF;o#=X1QI2L!cCY+jOiG9g<$3bqPB=)JK zNrmgXWQR`2>P(4;*PKsvng!v>^8E(kdPb6DngYtw=ria#dne-}&9O?#!~foXGd#}m zS6J`VA~Z_!E>^JPcGkV|6%B=)5Vf1n(tTJ1!WWd|tgDq4W zgVDpsEFZ76xh_#ktfibp8noHoCgmH+1q;$k@RBW_r}o)8yB8j)F$o`&r`l*gI8e6G zi0bxwhklPAagaujyqXm1COuKc{0h6Z=D#G{O2=&h3+{X-6AyEEp6+q5(|vD0q#?6Y z7+Tq5OiHRw6WSE2r}4Dv%7+0>s8~FCiaU}n2tM->@xv1W2m#AWol3kQtt3K8r8Uc( z?^1)VZ&P0l1U9naLES8n05MhSEfg7sOlS~49_++Eh~r^d@IJQy+a>Ut852#URE87;^D?RAm&omOXVrz!0p@CxJ0j zdPTB|mc)aZ=yiwQYX92(7{P4)i7;el+YD;LlWGf;{ds6L2I3&~h}6!@g5fjg`gMnD z7Jkik98aQ_a4bEKoHo6Bv%n&FLH z$75x-=E8qGgO94Z!O%How?CT_^>}LNfq3PohyYVYy4c5r7VY`wiXDXEXrJsm`YbO>IJb zAATvTk%m)@pz9#sZkx_kd8mn8Wn97wi7l8Tk8n!{ptd!oK$moko}2u z@F&ep{&e1J!)(gI_H@L#4hA5=d(l9d_C$|R1Fzq7J`J7S-w8{{Xr$J@m=|~OFt>wy z0J@8AQtIGR3)u(2;Q9tm(~t%j*>CG?F%I8X_tM>&EVb=<;ixzL^fgxgq#f7bV}B60 zE7iK)X;cwp64z2hN$lvrCdS%x9|vV6(TJ5fE|er1QYzB;@K<>A@q^PTAR+bI$8{Z7 zJj8kp=(^|AY!5I`l23}cY+8!KzZ-TcREUGW@WB8dtjat1a0FeCs534kEvi%@SI3~! zj;B7H^(h?&xwyyAngL$B9D8~h$Hi~k*nx_R)Z0N3+2T4UHU1m0PB2XYUmqXl+#nCM z(pPK$c990f<*>eqw&ZtECFju@>@||vG9=uWiJTYGj*~I+yrTO3R*({d;;ww*XoYXs zOzs&J6%hI5v+Et098Y%Q0(0X2spz6Ls)ZQ}#AyQ{U5br+wyV8%43J1YC;d$TyyK?b z$$IyKKl6LCmUwskz(mDo1uOOs>L2Ir)FSQb$jUgmqHx0m)33usDfwq_J^l$ z1qY=nDw@$97hQ2=Yq`*h-)FvIleRzOnj>6~6t@47dNcd@H8_ub>x}5-$xu2uXM_B~nSP12HJn8Tg{SZ1XAq-m%<~E##*+SA zue_Ho`FVg1Y@;&djOZ;4hryob`Eqg139^qtp^t#R;EqH>>iGG=-$#<#1Hriyd(Quvn{aci2mg zdr{6m12koEvi(js@gOExd>c=iZ(i4J?_d?HH=t{v7yxbONg=;$@=f>HJ46QhH+XEr9d^LHG%rObLuv zMJqP?N-1wTi_!_j~qT7fJ0Cndw)jfp~Qq&!GeO- z?*fXuuJ-`s=;?frV<^^_#fyf4%T;Qvw&|f<3Ct39?ipxR-ZkL)Vqia4c&oH}_t_!o z%gY3R6*hnZulqI0*{~_+GV#q(pQ)ns`oayO80g4H7N4``M7Qz$0Ara|5d&GQ46ZZ+F7H+z0>o0+m`m5K1wi%LDzbrC}q3A$?xK(rBg zQx7X8iIEkw+QpPfaHc>n5kjxeul-ckk5j3&GeaMoD)hT|>huADGAj$w^mjEZgj^gi z6{(hkRYL!gwLqsS$4bEhWj;bv)9gglN7=oLFCP_vTJ&MLsZ`U_W{c;W5z|J3r;VNrEo zqlln{bSNpMG`#eXDk&gC3k)S7AU!ZN3|&fzl)wOzLx;o&5()y+!q7-}OE=sD>U+QY zeb2qWzwSTG!`|zx+N<_CdoLbZf~Sp(mlIuG80S!{!@Er$`*fbYJ)=)^1d%_URZTW4 z7e@!oYUW`=F4>cnDn8t4|FTZ;3b}X7aq6wC|1C9Q8bW=~jXVZ-wk(^aSE`JVu=pMx za8#b%Fs8nq>z)2^>zp|}I9I&-_MQm;1IoZ4j;tRKD?eo3KXKP);~2j)hDRXOJkd#X zo;9WyamV?qenx6zq5}r`;#TvzfH;|s32k`^ProGr_`47__p|7PRtb3AfVJ`#K_o6d z`IKtXz95=5XzkSk9TR2n;9c`+TX4Rvv!L+L@VLsC`Q7OCn?s{8?S2~<`6B0%`3Uc# zOb&CQVoE_die+hvvvpmKgfTV(nNnO9_gZxmjd1@^CsN!P#{LFes^I>HyQkwbo7Ar} zTBw7qH5|8Y5-}sK?F-9Hur#sv*UNV~k|W&;yZmG8|FHM@oy&sN??!lduXsP#)&_9hwWB2{VbSp_x?8geb8(+=_8d?bx|uFDy+u1_=Yw4FO{ z(~)^Y2&(=`kqF*Y&(99yn)?Xc-3L|JN%Q|v-#n4VT5?G&mn7T zuYy9GNL=@*^gVCCr7x1z3Q1nsJjFxE1O_?>?&Z?FjT}P2`$PmyDpgFZq|JfeEr%Pa6KeS@slI9Djx7Drem=gIaheX5DURIAA4#V-$wG{7frl_jrB@wn zC+znEFH$>Y371eAJ6b!?i+S?_Rq*aznKP676f&#EpIE1aH8-tGn#3wxmX~QRdX`8{ zREtZ6eUxgxoN1eu+lx-G=PZ^Iel!cq?WmsF=G5Zz#BQlsDa(|4BC{?fUUWti z`3IIN9o7;Iv8rZeSIZzA+;l_`c3mW}5*gb2NYfxR63kGO*Zoa2mw09_Lg4ihU*2gQ z_GnGsW+UOWEk~=B&27Ph?gls9_C4}@$y)LRc2!&P{hHaK4xpQ?%J0T!y2HK~WysG7 zv2m-<)eo*^h#7m?EC|9ozlaLRa2^iiZI6y=gL1R0ZLQ6ewy1&U~E%xCC527Yn*bO%4=d(8mj=7gt2YrtE_HmTI z^Fyo_PV?Auo}KuBK701#fwNG1-YNM<&u|KRdPYTRrp43Iez~#;WsBD#!|N91_Hxrj zoE@#@%=`n<$p;c4UgFF(Wq4*{(|01G0{6Gc!g@+#tEuQ|0~%9qn&OA!Vn+H`G=LK8 zQc5aMnz6LLO8tuLI1llQO;#(!B#Be|2!ci#2i32GoCd1!dl;D?Y8j}@Lc*fTn`E!{MlmIbd1wJ0L~G#YR%N(z^gVlx9~ul}sFF|0tunKDVdH_vS3_XB46josfGKed?^(-i&&9?* zWg)VJn!f&2KfNH4=zfd8Mx@q-zAx~0qn`+O%CG_fT1@=2+$Y;tWOc1NYT9u(Ig^Bx zAUxr1oe}uWGt3I#=HVt%{w38<+d0v>1bbF$9bei3p}8p6s&DpGU?GNvF?$%SnUv{k z6eXdAs&|^>hZMLAtSM3LuL+(wcX$*y+wx)d_)i*r;xtg36wHKAWHFY`J0iF@2k3lp z+RJgnUPs>Lo-lJU0Oy`1I_=!&XJZx5qp-p z?z|rU%LyivZ}D_%BVsQ!QkmgasX(^WU687-uDXNJhR{74D!KRRoJ|5WY+Ejfx&|XP zbDM~!?MXu9gXujNF%^pX<4W%dbHe-zK#cH~T1o#330?|?=&?*Y|Lu_%4)X~EilPX} z^ckMH6~~cWHVIBubIZ_^#HCSdEQHEDfrRTa@yh|D76=a2xb6%w1)b=p^gitmsu}h5 zw~Oa9$crl6=50a-kZRIKI;>MTJ4|3B5oizaaf!}gy(q?r&oAnL@H?2E?|lU~I2Cj& zDOJR?;UP4+^E>kxvNS51a7UKGjyI@Nl8)}}lqo`)dftNbhNTS|cf}G5@_2-SML5wv z_R8?MhBj^^$RY7sWLS)%oGpkIKi+hgdVJwKF?80x7RBOjI9nHMnG+YZ45 z^L6ne(uc;Y%gP>`x^BA}A-?^wnVU-l`Yu)^>vnc;jVGe|6gRw*$E=Sy=EI&9zAYFg z@Q1}gT!U_(%#D=ae9F1eN7sn~@*00($s9DHznIGVLnX@DrCZ|5;5g2cL|VQ9KhKxa zDf)W)+BnL}qO0Qyltmi7s*x@1NhRieRelwvsZECz{c9KgH{8_&Cj#C)zoYqGe4v-i zr<{s(#6@H{t5$B9KfjTXAMzx#z@s|2U$B3+d4|$E;mfa9KbW^EUJ@<`=o5PjLd~SE z07Rfbv;qT#zv;~Jco^i)6hh4y%?JJX+khtgH1{}+^0IycciyEb-#~0r;p#}M2V2=D zQb>AGi%)D#e%W&@D)JjE{uM{I_qc5H;2K+JKbt$c*gzVu>U`(>19n$ztpZRf0!4XZ z`tPG-b#PXb@0@z|V1o-1?yvYUd)OGBF%gqYvme}%C0oUl%z+*TGMVU27DQc45D zRSOMi`>><)<)?;M$=grfJDw25FDurC>Bv+s;^JAS7@5^8?*P)Y>U5kmN;;?NMFr!0 z&0NS{u>DKv9`OF^ z9!T$+EU;jI*9w9-1C_?KNB+|H|B?+x73n1Q9f$o^iA^|Y;$Y!E(S(W zEO8JS&~t5u1#1Qi_zj9>KpckK+!gfPV~f1BNFdcL-E{`WAA@k4Jks06a*}Msn+ zqrk?Wy3jYSpTt=zW$jHZ>~t)zedn&dBGQ}J?t5lLVJ(7ghuw|$7E<3%Ed3s{HmeAL z`$0*Ab|;~htZSc36>NTeh~D3ByT7);->ChXe_^oL@)5!LJXvIlgtCqX+5>1Ihrxir znyFjj122euj8Ar!n>(o*a=6?#-b3;0Z}6HUaZ155^ z9R;Vk3)X68jP>XTkTku9zH9R&M4HF7xfP>fIq7OE9hb#~b~Gz)z8pyH+jH|gO)L3J zM1?!My?Ng>%>{io>}%jyLhk(-@tdFsR)Q-&a9BMM!2$x3PbTz-`nN7N6ua>ybIE3G zv@!qu2Fbg;!?smT=_>=uf3a5OwT^f(wLc^Sh-uQk!Nj;>jRc4InbQYNb=H( zv)INnx}WNFUf9dIgU?#`S%mWTZo@&|$wCf-nkkE_YR%Mx`_eg^N@Y>?We&w1l7<>I zga(zR&Wz3_1tQjk??16jJX6&~JuepYYBpL}TwEUSI~Q_l#k;aLVz4xQ{FI=xGN__h zRWDg++HlZzO#L;LTNJd`ux4y~&S?#MH)~&U*wy;SD%`L>#s)a}?^@-;@^DgWvm+_6 zK&v5way@K6ZM<>N*Lvq&@sO(3NuG%dcG1s`KJyKnWBCio5cam2`Fx=DAPy^IbTw2- z1pRLQa*^!ByKk|niOTn>P{H7USACm}uU1?WrHa~y1sz3tvK7AN6j2JtL#Y<2y|EUv zg6A`O#Zt*0Na(|LbnNAYLi}lGc!5^_yVOgLL(9Q~wXAi7L7MfoRqy2CBN-iy!>osV zm6=aY3Y|l}XAt~(QDa0&Ogc~UPv2=%HnPrig~v__JgBlzt<;w8-EUo)#oqt@^au_T zovbVhcjlG6G_Z=_qp^0tr(Hopx2U>q+O$I9i26rXz2Picuc%!egH(ukltIT?@l_Kt{)}f;IKjzTJv@!mz zPA|%yt~e|e+A%}kx}$f78V*CX6<|Z9xK4=4qXTB&eX7rDHDF2tz+sydzcVu;7F)J0 z29N0)WAa{ncE}%J;9~O^H$3QYM;@aqdKX}k0WkP&_HLi4_+5L{+H=tfBpfxE)){Gw zd5s{88E6D~?fO@t23UP!poQbVp@$e800rOxN;plp*ILE&IJ-t!LNi#%lT{1f`M*Vs+R+1#<#An6Y+;ZtEba2_v7<~3A9PE9z z`Tzstmu^g2S_Va-FcUB(3%XA~J3D&>^qwRJzYGN&+;V$+KvQ)a0AxUXCwu}T0spqv z04NjS{a2$w3<$Xe;M_UTLy@DO^8r0p?xW5GZq9@Y20%g_){ip8J*O-PW`!uN*oP_u zpB&A^yHiAlcNRLgJTF2BXtc8A3D)l0xRQ)@Xk1>L4;Jf-h|)%VrWbhigJFLKt)NqC zRF6F6JGUAs%a|Ct47EB%t3ImQDwhkVeDmf_e}+tG-QimMj|`dk*w{coX;(q%3DDvW z+Hg4OwR3ogYU%n`M?1OTbZ$K(IMt%>P@kibqhtlJ=(aA>f4E-JJI3T*%Gngogt#Su zdD2Sb@apF$$BxcUO^<2(?udv-kROXLY%HMf&=-Q3S_L{N?&21 zvDcHEhPBT5KltX_qIJfr?c#y6o&U0bKM0ykx|^q-wXXhD)7tm){II^sO8)kvqv@M+ z3JT-zETXK?xsj%3X85>B(aV;*##*wnL5H;p(ezbv&SRBU!SbNUxa9uoQ44k|R!^kc7dD#?w(LLJ5#LFRaQd&yH?SsnQCQp2JLoInzJJvZZyx}g(b+C{f zh&usJP8T!Egp3S>m6fk_WfvpZWOZVfJyL0QV%o8!U7)3IYHAu2jQ)ulwZGsY0bC`B zY?Kja2~G}Xwl`~yC>Jnk!t&bdkJ!;JhG-+fsXO$aExM__QWQWog9X~Jd=~fDhV9A) z@L>{7H6FVbbmFdEl%g=;<=!)|p5>GMwJMjj=cUjzNw4P)jpx;~b942>;Smv)*uyxP zF=*?-0(Mc+(Mij1LM$xb8cJ#wYhBiCMfW3IlckdTMyLcVu1x(pjo;@+xN+vEIH5@D z_V%2&gr`Ii@*tJtQMZeQNE#8XQX@&PCvQuk)Qp16>B`hEetqf^wuNDt6Iqa#d+x6WE3Gc|q;j%^S&;mAO~#6ci)8QR)h&BW zC+1w%Ice4wRTX_m(F5ot4}N;!Dmod+9;#EMtN!)t*JLSpZGHdG!_*XuZ-a4rkw18h z>U061ss(h#?ButK*^9&=^j=>?Eue_g$DkX3qDBiB!UCL4qQvYe|1;txb;fQgz`wZH z!TO5fh=9wgmRDbtM`>;;GEH}b_ zOaR88$YW@|C9<%^V_56H1WlGxbXgm!8sB}g?@aPnQuzz+n1j5J%D5dPsf9ioC)>~WM|hq@L6b$(EgD6KpQh^N*kkQp z(GRrUC-TORUs@L)8p*_gmE-*^Nf8C!V~h3oN8jwf?XTH+_7`%*vYXRa*trP6w7 z-OigsqX>o+csl$bsUv~gCf%lEK_1j?$(*_ff)Qx;AJP@e{i~TnMUcwtF%;H@eu(h< z!I`v;w87b1y|iEfrRCFpcjGQg=Hv#utDeJ&EzzmN zHpjWRItVVSTglkUHlo%G+eXrMPI-2GqqC{>KZVu6D=kya6`gLCwzc zUQgQD`x4Lth1?Y$_vx$YzojxT0Jy?`&sRXX2@t=|7QX?mOYHxc_pT!B{};sngTW_P z3cJ==DJ!d_9A^S|-}-1peNrRC)9w5uq9UTG2pdS1gzlr9`APIK)$1h+a`Nn#XY^N@ zG5{*&ot^fmsH68$7B0RF1wFm}Qrl>j_I7;2nCDr*4*lc%{XBF!k%{T(f@ZnX1~A>v zqIQ4$_%-Lzbly$eKC+=^2L7~ArYi+u&3L~GhHaGFZdFU5G{<$i)kZCRYGdN{*Wuqg zVVvUP$~Ds&d?`Cz)WpXsbQ{y_r|l?leiUFw@b8NIoo7@ShNhB?>e$^J2lGDK#XpozHT&^{Dgqi# zOiB-pq#LO77B9@=OyI5yVsWXl%mur@(^$nwuz*6=RDS-A8;nX4UXLj*HFS)-&cLw6 zu5y86w0*%uQC592{HxByK&Ck-e0PI(L)?+i*BQ3!9nYpGXIU~eYEkyUJ@r;^T-NmN zL=bFwARYyVE^xd$!`Q!Y@_&%AnNHCYJ075wDXUKbdE_h!jj*?eG&4 z?CUP)XXG&CudebZJTU|dobOl-desCsk@d%s)8#8Iq*z}JscrnML8macskWQoei&aE z$j=KrF*&)*VO*1t5K2Fg^h1tAuON_TDyMte@5w54*~n>4Ueob$QDh^i$-}jc^lvpQ zwceCuR(}_^8aBBq;r{VK+;gh4F}ZrZPSR>~uR6~5-5mobP*(>vs!Cdd)i>oq8mx6s zE#0a!&W%snJe{Y|#mlUyzlvRLNiRH{_Mlgeqz4Jv*9O}+s97M5H6LB_Kq{G)a*uCj zgb$jHu$cp!%3Yof%~5{yO6x<>8vKOfOY$oHLC$K;mt)<=EUxvRS&{;bqcc z=Iqs;Te7%YNow@1ee`$SDK^oK=a+{LxX;6HRS9x1T)zKOLsrGU9#^##;8}I?#mj!! zjYgkyM0IRw-LO&3$7e&xYV{d5gf}i-*skFnKdl^TPl1Er&{1jb$naUFF>C#!7jdMT zyP*tZJ+x}^54rb?tCS?UR)5lkhY;GH8Tr_aFBh^;S%ar-;R96_m^zyu7ZVoGGoc?} z;r!vz5;02kMxspB#KdG$79rs~Y*uO{wj^nRs;WK9mBba$Z)Y@P73wCz`>n>rc|V+Rj{?*AvjCRam%a!R~guH_89bU;o#1bya*`y~(%^ z*LmM7e7av6oKe_~)0YsWT*w2R0VITR&&TZz6`y^)lWsDh;nrGvAdc!H0qwUI{jH69Dv4R#eiyD|6DCMCdRe;fWN@_|FQnW zfbMSiHIgIHDSFw0!s5sBS>)Q4&U5~qFu literal 0 HcmV?d00001 From 555df31f64105e57e93913b503ebb3cf9597516e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 19:56:59 -0700 Subject: [PATCH 22/59] Updated filename --- windows/keep-secure/create-vpn-and-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md index 9b63ed5c71..bbc18a1b86 100644 --- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md @@ -80,7 +80,7 @@ The final step to making your VPN configuration work with WIP, is to link your t 3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png) 4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info. From 86d92266f4e845d98f86e5be90e1ce1a3156c6db Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 10:40:33 -0700 Subject: [PATCH 23/59] removed en-us reference from technet and msdn links --- .../create-and-verify-an-efs-dra-certificate.md | 8 ++++---- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index e925b57589..1177660c61 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -19,7 +19,7 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** @@ -93,15 +93,15 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. ## Related topics -- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) +- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) -- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx) +- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx) - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) - [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA) +- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f10d78cd8f..ba9f93f731 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -206,7 +206,7 @@ In this example, you'd get the following info: Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. #### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 29f3869319..5084e72368 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -221,7 +221,7 @@ Path Publisher Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. #### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). From 8e4d686bc1053b7c9d73e0329a85a1082257babe Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 10:49:25 -0700 Subject: [PATCH 24/59] removed en-us from technet, developer, and msdn links --- browsers/edge/change-history-for-microsoft-edge.md | 2 +- browsers/edge/security-enhancements-microsoft-edge.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index f10af1201c..feea3e788c 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -9,7 +9,7 @@ ms.sitesec: library # Change history for Microsoft Edge This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. -For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/). +For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/). ## June 2016 |New or changed topic | Description | diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 9db29bd47d..653cf175fc 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -43,15 +43,15 @@ Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features: -- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. +- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. -- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. +- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. **Note**
Both Microsoft Edge and Internet Explorer 11 support HSTS. #### All web content runs in an app container sandbox -Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. +Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions. @@ -68,10 +68,10 @@ The value of running 64-bit all the time is that it strengthens Windows Address #### New extension model and HTML5 support Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down. -Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/en-us/microsoft-edge/extensions/). +Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). #### Reduced attack surfaces -In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/en-us/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. +In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility. From 9c7cce797e3ca8dab9107726b430bbfe9ccf17fe Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 10:54:13 -0700 Subject: [PATCH 25/59] removed en-us from technet link --- .../system-requirements-and-language-support-for-ie11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md index f087763a35..531d4b4564 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md @@ -21,7 +21,7 @@ title: System requirements and language support for Internet Explorer 11 (IE11) Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. ## Minimum system requirements for IE11 -IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/en-us/library/mt156988.aspx). +IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). **Important**
  IE11 isn't supported on Windows 8 or Windows Server 2012. From 616bceeadf5d6dad58c2943046ee052103425d4c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 10:58:35 -0700 Subject: [PATCH 26/59] Changed Insider Preview to version 1607 and removed slug --- windows/keep-secure/mandatory-settings-for-wip.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 56b79bc283..0790cf601f 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -11,11 +11,9 @@ ms.pagetype: security # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) **Applies to:** -- Windows 10 Insider Preview +- Windows 10, version 1607 - Windows 10 Mobile Preview -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. >**Important**
From f6a88b16b3d75f71784390edbf53d504f12fc1a1 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 11:02:18 -0700 Subject: [PATCH 27/59] Changed System Center to 2016 --- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- windows/keep-secure/overview-create-wip-policy.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 5084e72368..ca3c58a866 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -290,7 +290,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` 12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. -**To import your Applocker policy file app rule using 1System Center Configuration Manager** +**To import your Applocker policy file app rule using System Center Configuration Manager** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md index 3715e97bca..4c419a1aa0 100644 --- a/windows/keep-secure/overview-create-wip-policy.md +++ b/windows/keep-secure/overview-create-wip-policy.md @@ -1,6 +1,6 @@ --- title: Create a Windows Information Protection (WIP) policy (Windows 10) -description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +description: Microsoft Intune and System Center Configuration Manager 2016 helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.prod: w10 ms.mktglfcycl: explore From 55f3561374ae0579340b963079dfd1e8f371c19e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 11:04:18 -0700 Subject: [PATCH 28/59] changing file names from edp to wip --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 6 +++--- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 1177660c61..c7453f6ae7 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -41,7 +41,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on an WIP client computer** @@ -97,9 +97,9 @@ It's possible that you might revoke data from an unenrolled device only to later - [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx) -- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) -- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) +- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 0790cf601f..d25ee7a9f8 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -17,7 +17,7 @@ ms.pagetype: security This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. >**Important**
-All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise. +All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. |Task |Description | From 24d37403b64cf1f9b12b4f931af6d09a869c0cd5 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 11:08:44 -0700 Subject: [PATCH 29/59] Replaced remaining EDP references with WIP --- windows/keep-secure/TOC.md | 2 +- windows/keep-secure/create-wip-policy-using-intune.md | 6 +++--- windows/keep-secure/mandatory-settings-for-wip.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 1685cb6d60..a5080b3900 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -25,7 +25,7 @@ ## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) -##### [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) ##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index ba9f93f731..d06160e666 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -48,7 +48,7 @@ WIP-aware apps are expected to prevent enterprise data from going to unprotected

>**Note**
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -78,7 +78,7 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -505,7 +505,7 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. ## Related topics -- [Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index d25ee7a9f8..62f17352a0 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -23,8 +23,8 @@ All sections provided for more info appear in either the [Create a Windows Infor |Task |Description | |------------------------------------|--------------------------| |Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.| -|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.| +|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection level for your enterprise data** section of the policy creation topics.| |Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. | |Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. | |Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. | -|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. | \ No newline at end of file +|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. | \ No newline at end of file From 5a4caa97ba74639ea35a3bdcc6dd7365e633c71e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 11:11:18 -0700 Subject: [PATCH 30/59] Changed Protected Apps list to allowed apps list --- .../protect-enterprise-data-using-wip.md | 2 +- windows/keep-secure/testing-scenarios-for-wip.md | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 536582b32d..ff092e9a8e 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -68,7 +68,7 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Continuous data encryption.** WIP helps protect enterprise data on local files and on removable media.

Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. - - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. + - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index a741d4daf1..75f3ba3987 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -23,14 +23,14 @@ You can try any of the processes included in these scenarios, but you should foc |Scenario |Processes | |---------|----------| -|Automatically encrypt files from enterprise apps |

  1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| -|Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message.

| -|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your **Protected Apps** list.

    The content should copy and paste between apps without any warning messages.

| -|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your **Protected Apps** list.

    The content should move between the apps without any warning messages.

| -|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.

    You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your **Protected Apps** list.

    The content should share between the apps without any warning messages.

| +|Automatically encrypt files from enterprise apps |
  1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| +|Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.

| +|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.

    You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your allowed apps list.

    The content should copy and paste between apps without any warning messages.

| +|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.

    You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your allowed apps list.

    The content should move between the apps without any warning messages.

| +|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.

    You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your allowed apps list.

    The content should share between the apps without any warning messages.

| |Use the **Encrypt to** functionality |
  1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

    WIP should encrypt the file to your Enterprise Identity.

  2. Make sure that the newly encrypted file has a **Lock** icon.
  3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
  4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

    The file should be decrypted and the **Lock** icon should disappear.

| -|Verify that Windows system components can use WIP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.

| -|Use WIP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| -|Use WIP on NTFS systems |
  1. Start an app that uses the NTFS file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| +|Verify that Windows system components can use WIP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

| +|Use WIP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| +|Use WIP on NTFS systems |
  1. Start an app that uses the NTFS file system and appears on your allowed apps list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| |Unenroll client devices from WIP |
  • Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.

    The device should be removed and all of the enterprise content for that managed account should be gone.

    **Important**
    Unenrolling a device revokes and erases all of the enterprise data for the managed account.

| |Verify that app content is protected when a Windows 10 Mobile phone is locked |
  • Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone
| \ No newline at end of file From 6e2bc53213d91470634694bac18132fcef59a87a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 12:41:41 -0700 Subject: [PATCH 31/59] Updated based on final tech reviews --- .../protect-enterprise-data-using-wip.md | 44 ++++++++----------- 1 file changed, 18 insertions(+), 26 deletions(-) diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index ff092e9a8e..49c6d501f9 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -16,9 +16,9 @@ author: eross-msft - Windows 10, version 1607 - Windows 10 Mobile Preview -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. -Enterprise data protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. ## Prerequisites You’ll need this software to run WIP in your enterprise: @@ -28,25 +28,25 @@ You’ll need this software to run WIP in your enterprise: |Windows 10, version 1607 | Microsoft Intune
-OR-
System Center Configuration Manager 2016
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| ## How WIP works -WIP helps address your everyday challenges in the enterprise. Including: +EDP helps address your everyday challenges in the enterprise. Including: -- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. +- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. -- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. +- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. -- Helping to maintain the ownership and control of your enterprise data. +- Helping to maintain the ownership and control of your enterprise data. -- Helping control the network and data access and data sharing for apps that aren’t enterprise aware. +- Helping control the network and data access and data sharing for apps that aren’t enterprise aware ### WIP-protection modes You can set WIP to 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. | +|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. ## Why use WIP? @@ -58,31 +58,23 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your WIP-protected data.

- You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list. + - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode. - - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list. + You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Continuous data encryption.** WIP helps protect enterprise data on local files and on removable media.

+ - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. + + - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. + Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. - - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. + - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your allowed apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. -- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. - -## Current limitations with WIP -WIP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an WIP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the WIP-protected data must be stored on NTFS, FAT, or ExFAT file systems. - -Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with WIP, and the recommended workarounds. - -|WIP scenario |Without Azure Rights Management |Workaround | -|-------------|--------------------------------|-----------| -|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. | -|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

For more info about adding apps to the **Protected App** list, see either the [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or the [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md) topic, depending on your management solution. +- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## Next steps After deciding to use WIP in your enterprise, you need to: From 36817bbf6ff5b3f0d36cfd6f11d27566c0ba0148 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 15:22:42 -0700 Subject: [PATCH 32/59] Updated with final tech review and trying to fix some formatting issues --- .../create-wip-policy-using-intune.md | 52 +++++++++---------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index d06160e666..453c702e3b 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -15,9 +15,9 @@ author: eross-msft - Windows 10, version 1607 - Windows 10 Mobile Preview -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. -## Important note about the June service update +## Important note about the June service update for Insider Preview We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.

To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules. ![Microsoft Intune: Reconfigure app rules list dialog box](images/wip-intune-app-reconfig-warning.png) @@ -30,7 +30,7 @@ After you’ve set up Intune for your organization, you must create an WIP-speci **To add an WIP policy** 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) @@ -43,10 +43,8 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. ->**Important**
-WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your App Rules list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. -

>**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. @@ -58,11 +56,11 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** The **Add App Rule** box appears. - ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. @@ -70,7 +68,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** The box changes to show the store app rule options. -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. @@ -86,28 +84,28 @@ If you don't know the publisher or product name, you can find them for both desk The API runs and opens a text editor with the app details. - ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` + ```json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- - ``` json + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + + ```json { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } ``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >**Note**
- Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -144,7 +142,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. @@ -284,7 +282,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. @@ -306,7 +304,7 @@ If you're running into compatibility issues where your app is incompatible with 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. -3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. +3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. @@ -349,8 +347,8 @@ After you've added a protection mode to your apps, you'll need to decide where t There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). ->**Important**
-- Every WIP policy should include policy that defines your enterprise network locations.

+>**Important** +- Every WIP policy should include policy that defines your enterprise network locations. - Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. **To define where your protected apps can find and send enterprise data on you network** From f9a1564750c9503b6e0dfd9d62cdfd2984ae044b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 15:32:07 -0700 Subject: [PATCH 33/59] Updated last references to EDP --- windows/keep-secure/create-wip-policy-using-sccm.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index ca3c58a866..c7bc241299 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -50,7 +50,7 @@ The **Create Configuration Item Wizard** starts. ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png) -6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**. +6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png) @@ -77,7 +77,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. @@ -159,7 +159,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. @@ -299,7 +299,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. @@ -322,7 +322,7 @@ If you're running into compatibility issues where your app is incompatible with 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. -3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. +3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. From aa4114c6222b9297c8ae679f93249e85c97c2dda Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 15:36:25 -0700 Subject: [PATCH 34/59] Updated to fix formatting --- .../keep-secure/create-wip-policy-using-sccm.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index c7bc241299..3dc367a539 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -112,12 +112,13 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example: - ```json + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

+ + ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", } - ``` + ``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. @@ -140,12 +141,13 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example: - ```json + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

+ + ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", } - ``` + ``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. From dde3c52484ee3689e95e565d7bc20e024a1eaa90 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 15:50:53 -0700 Subject: [PATCH 35/59] Updated based on final tech review --- windows/keep-secure/create-wip-policy-using-sccm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 3dc367a539..928d01192a 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -498,11 +498,11 @@ After you've decided where your protected apps can access enterprise data on you - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. + - **Yes (recommended).** Turns on the feature and provides the additional protection. - - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. + - **No, or not configured.** Doesn't enable this feature. - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: From 2feb9a432edb88d218b0f48e5ad5426e474de0cb Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 16:03:51 -0700 Subject: [PATCH 36/59] Removed duplicate text and pointed to new topic --- .../create-wip-policy-using-intune.md | 40 +------------------ .../create-wip-policy-using-sccm.md | 39 +----------------- 2 files changed, 2 insertions(+), 77 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 453c702e3b..1b39097c5e 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -422,45 +422,7 @@ There are no default locations included with WIP, you must add each of your netw After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. - -#### Create and verify an Encrypting File System (EFS) DRA certificate for WIP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use WIP in your organization. For the purposes of this section, we’ll use the file name *EFSDRA*; however, this name can be replaced with anything that makes sense to you. - ->**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
Because these files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your WIP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an WIP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your WIP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 928d01192a..2792e078bc 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -445,44 +445,7 @@ There are no default locations included with WIP, you must add each of your netw After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. - -#### Create and verify an Encrypting File System (EFS) DRA certificate for WIP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use WIP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. -2. Run this command: - - `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
Because these files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your WIP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an WIP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your WIP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From 8f1a35661fa10a6910a401263c80e57b1f506672 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 22 Jul 2016 16:05:37 -0700 Subject: [PATCH 37/59] Updated optional setting --- windows/keep-secure/create-wip-policy-using-intune.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 1b39097c5e..c207992e98 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -438,11 +438,11 @@ After you've decided where your protected apps can access enterprise data on you - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. + - **Yes (recommended).** Turns on the feature and provides the additional protection. - - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. + - **No, or not configured.** Doesn't enable this feature. - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: From 9d8a34ebf886582390d0deab9f3b146ce712baef Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 25 Jul 2016 13:10:55 -0700 Subject: [PATCH 38/59] updates for distribute and inventory topics --- ...y-management-windows-store-for-business.md | 17 +++++++++++------ ...distribute-apps-from-your-private-store.md | 8 +++----- windows/manage/images/wsfb-distribute.png | Bin 46793 -> 53197 bytes windows/manage/images/wsfb-inventory.png | Bin 0 -> 27905 bytes .../images/wsfb-inventoryaddprivatestore.png | Bin 24652 -> 34447 bytes 5 files changed, 14 insertions(+), 11 deletions(-) create mode 100644 windows/manage/images/wsfb-inventory.png diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md index 11ddab7ae7..7d5d242912 100644 --- a/windows/manage/app-inventory-management-windows-store-for-business.md +++ b/windows/manage/app-inventory-management-windows-store-for-business.md @@ -28,15 +28,20 @@ All of these apps are treated the same once they are in your inventory and you c Store for Business shows this info for each app in your inventory: - Name - - Access to actions for the app - -- Last modified date - -- Supported devices - +- Last modified +- Available licenses - Private store status +The last modified date tracks changes about the app as an item in your inventory. The last modified date changes when one of the following happens: +- First purchase (the date you acquire the app from Windows Store for Business) +- Purchase additional licenses +- Assign license +- Reclaim license +- Refund order (applies to purchased apps, not free apps) + +The last modified date does not correspond to when an app was last updated in the Store. It tracks activity for that app, as an item in your inventory. + ### Find apps in your inventory There are a couple of ways to find specific apps, or groups of apps in your inventory. diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md index 500ff0c7b4..d7203f89fc 100644 --- a/windows/manage/distribute-apps-from-your-private-store.md +++ b/windows/manage/distribute-apps-from-your-private-store.md @@ -25,15 +25,13 @@ You can make an app available in your private store when you acquire the app, or 1. Sign in to the [Store for Business](https://businessstore.microsoft.com). -2. Click an app and then click **Get the app** to acquire the app for your organization. - -3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.** +2. Click an app, choose the license type, and then click **Get the app** to acquire the app for your organization. ![Image showing Distribute options for app in the Windows Store for Business.](images/wsfb-distribute.png) - It will take approximately twelve hours before the app is available in the private store. +Windows Store for Business add the app to your **Inventory**. Click **Manage**, **Inventory** for app distribution options. -**To make an app in inventory available in your private store** +**To make an app in Inventory available in your private store** 1. Sign in to the [Store for Business](https://businessstore.microsoft.com). diff --git a/windows/manage/images/wsfb-distribute.png b/windows/manage/images/wsfb-distribute.png index f276ca5211de3e67829072237bdb062727c1f878..d0482f6ebe76747d4b70f4dee2d0c9670ea74a5e 100644 GIT binary patch literal 53197 zcmbrlby$;O`v$C{(x9LqEl5g9Hz+8`NI@ChHM$uLm`I68$pEP#!a$_EOQact(cRsh z+rIg}zxVt1`{Uyn2kd#a=egs$&-1*`>v|%!HC4z-=t*wfx<#(~_O;HfTX&Ri-MXDg zbO(P#%=XJG{GZ#NIx32{iU$}s@o(L*avQ&Nj>OI(W2SXTVGwv;5pHy#F85v2-B=k^(NuQ+Wma8O zn^V9!=t>OBI)|WNkDBR`2L}ybc;6K4Y)1yF*!!Q4N)^90FI$F%FDa(|`=*qKv3skf z6k_#17vduD0QCLmW66y3S7SA%hhKn=()SjdulF2%)0y^Ka9F{>O*Pi}!1Gx%+|{_! z+^2N3$G=8&adf54o#ZAr?bu8ZX-_fC9fbRIO)hpRU=NFG=6v>>%-X{uVi_;z&YQ>g zBp?3oh82I-6>yiaE=vVw7zZPW5BPd|-sOFF=EYyGxwGn;uz)l0$&eXp0QteODie3J z?mVj6&BOnncBem{!(q>5obK(_Zx>ge?R;#1VbGn4*|GcA@bG}M+I2W2hOy~1sXe0Q zqC>Fy0~c#vCBDBa-R?by1HR42xoIvW(y{>;rAkH(%R2{1*P!E#q8jN;xwDB9*M{Bd z;f#l%bP$$0OX`CvvDVb1&fnCHo^5o?@xO!GeKM~4&V$5 z7lJO0nE9Ej;&v$HS_^tGTW#`hc2>H}WZWD8*NeW*VprdM_v)|&5DKUhsz?<-Y8ZPW zNK8Ng>XhYb9)21l2wmNKG52X6KP(&PZGotjtOi z#EqP#=@L_^aShxyid8raRfdJ`pcTy%o^>TqnxZk-^A=#u^z@QfQbw-|v)|u}vx9cZ zf&`zlmvq+`W%CO0FfL|XpabM_+xDgw^lEtiqEo_cdUN64Ic>|u8%6eCjLAeU%hg`= zH%qiFZUi+9d7sj5rsuKZtTGS1mug~JuIDI&d~h|*=Y!9>HaXqyAmpyIDdjG*_iunI zb5-lzYnMCWl(;ln=v5}ml~@$?dfd!Ik2DbNeX@+(B;WVLDFktzdhSFh++-2*S%Y`V zx|qQW!EsGL|2l+5F#B&nC}jh7(#)=q{h2qmdkTz@DYQy+&@w6Z5E{^?g6oQ%#eID- z5Wn0LF^@f~ao$wl2zUdQzS#n{T;Z4AdWvhNcus5=be$tB4|m=JZPB&Yoh~3!xSm8c zAA|{lKV-lsHKVWh8usxopGxQ09`~}tjqKQ|6%-VEe0B+QdgO+X$ImFdKcMA$cAxCu zm3u=(Bt!&XHR^+W^S}pLX3)(9=~7s+ z3^-P3wE`7@30Cn|*j=8#q*d9Q@?2Iqn+dSfK`&3i8TL~lqmWoREQ33EahNVM?SAw1 z>{;I18Fjc4<>EOrwxdjN_H-M1oq2N=i#@hN;11SMl>Chl)Sv0|#^pT+eGl(5R13eA zRveL{BwY*kwB*pS!TsIhk~2=xinKJyNLt3aKt?S+0b}4&PTS%PGWzbDHZ9TG%4FG9 zog!`OQp3Q->cZOIB+gb-)xcmH-MmQd3O{s8uJo(dn{IHJx3$GbzD`6gd<5;Zu_zw?fjziWlmxa+&MSH{x!oa zkwR}4*0CEBzPQbhOpIAGCUUE052x1vAw|d?W9E&Zv%6175mIp&3BgPCbd)K!js=?u zKaRxp9V?ugwQLN(!&c-$cNCq@fnRhqozE30gO+k> zC-JL2kTvL>73Q;EhC8KRtJ|-u#)^ft>X>d!nZIK*Aw1`;EtVh+t`RyK#C{ z98;X&j*>f{h|k2H^a0d$5Q`}i5ixHjwC~ao>j@XjSS-?s2 zv{%QrRCds1pP57Nqi`obP~oyz)I7Uq`(InOlprq6 zjwpU#%rff>M&J4I7*MiQYSo|0A6fVoOHxLSiPxEgJWVur= zibUlkCk96tFw}Zv zXJl!qPxIbZ377Q$YThnxkVUwcKF;}j7#|z3l2{VJ!5|c{M4kCSA$q0_Es*y4<`Zq> z0s_wuX1G%`+^QKC5z)1Jn2x*5#7VuHdsQF{Rvo}anVztXQ^qjMJ;y3%TR6G8?#s*_ zQWP8iw!@>@w}#dyM9Wqz*Ao@+Q$9HVK?uvu548*YHG9HnLx@a(hsRp`x2qFqxE1}G zjUf#dO*7>Z`A@7#&PjlKlmkUWZg=_)oSsHwEUcOY5)$bJ!~#yTSys)qypD-4GWG-V zjD|Vgj__R>u0*B{Je-vcS%F~#>k2d5Q?RBR8UU8K@>FE>Q zCj+>&`5Rj?E}FiOICVQBoNK@`!z`7xfA+*@gEm zMX#W*VDmZU+8l<^cNWJd=W*UJcPaqfJy>iPzws`CWE8}aZQlBc>4M&L`7E>FHL4|t z(pvWpqJ zBv!!cnrj zrV0KNrBTVnaJSfc!%paApDE|N)PW{mO8>@PdX#V~54(*LyEe#h%xd%D5#yYD7nAj; zoXxO`!sm5Sy3cDmWJ86@ztTQreiHdTIv0HLh`~yh{eHZ5uigfEra{K3{~CuoHd+x( zmGB5U?OYT2MMy-$Yt_>8acD&53Vp!>Nm&z~Seq}`(vXfc0Evi++NHs*90iNoIS0q& z@B;~h_qH{=oL`s*y{N$-`4c*S?}n2e0->kC>SVZ4Pdr*tzy6_A7dhYQZ!6CgZ4et# zVmRUS5uT=}zMkniyh!Fz&#MM~iqDtI8480G4)MvpZMHnq35h1{B@l`F^FaU+U?*U- zOZEM29H%95amlrcuvi0mjvZqn7wa2pYi2y63}$MIOQyx( zUM051dgJk#&o*6$Jo?a><;U=MY+k2+b9Yb!Oe`0zW-VJE^d6?BqkR}(z1h=}h)uie zoxiL(@U)_iM1V!!lK|p0&BU{!Baz4uo{~0LA!tySyX)e6eGa|J&>9QEj4E6Walwx& zP&bn(c??U?@u&i3%WnScVyzEO&An^jd$X{?;1Y}4-mhC7z+H5kK#x~ftT3*)DHL{i zTE2e0l`tW}0G92`flKn~>neuK$poDjL_p(}9PiDyfZF$~t}Vc9j@`S-EDp zI4qMZ0h^bZ7UCt$Y!db)6r zsq-?{iH(x~Niom|JX&D7y76@R204Ed&2tx2$i+gZCbvb4*N#LlOQ-ogUm=DCg;wh(Itf{CTcRJ?qS+leVW!2$%!a1uch0K zWDW28W8Kq%V5fG|uvp}$Up`I}K4!L}!g(s~&enR5z3Pvpbsk+v@2NM?&2|+zbOOvGvwwq>J;wd%R z<3>GNr2#;C0`d5Pjg*6)U*q;P?V228n%42~ao!^7gUjU7jAgo>Zoy3BxxDVo2ZzNJ z-wE=5Pes+{Y-=^!-mMf0*AuLhHQrN~4gDJJ{YG}+rq<%S`|6gYi)Gl8jj4A_bx#!l zz)(Bdk^EF%f1^bme^JxSKaYxk)HVJr=Z8O}C>k(kj&rDbt{B_0-pAd^2oKP{Zo>;S z?6fOxfyr00prdmQR=w<2Fkz%sUtnI)U6{fb1i&euth&tuu-B15?-7<7b*y*Zg^37A#F9i38QB=%*_(nlCK0h?0~5ckgvhbOdC!Yi8ohyeJB!|j;0?*wVkRLd-U@=syw_PJI+ z_zJFD=+HRuS`RxDCR&2ug^a3#1Tj~xXN@<(a?sNSC{EsYl!Xbh4!3fh_uOgD3loxV z+^wEAew8Q0z|9^v<{lgAhHeWXbY4Er#08W*?fAI0(bWIVfT*@tWAzjLo5+>8%Im*U z!gDf*^c~yZ(_HF%q9}(AK6SPAMP;kRvQ>byR8iBx1cZ&xPYqY_+9_XEhz{4CrWNY2 z*o}VRWiL>J0G3@)3YNS3A_}A^B%m|LI9RjNn{FQGu0>YwtXGDmJ*H7sg+68^sOE_G zTb@A3%f`3fJ?z0gz5tryA9ge33(9Pgnt$uK+pSvUe9n^!X*}td84Ru&oJKt*!}2+Gt#XRjfiB%!(`EuOsOWsj$6-hw=NjuveY& zb&7Q|teS$;)6tbFvyYjXiG{L*xg;J0a3Pwo*m-P03*^GAX)(UZck*+Y70V5hwPY?K)jwv>};mN{u^u1A}gOS0QY_UqQ?BJd_dG9}k4 zZ4M!e-$IrdXPBFRcl8mlA%6Mi9}MALV3*vZ-dW;@fNYnF!jyYEk25R3d+$^8)4}Z zvX;M?%M>kQnr}c|F&OMnX3G^p=FE9#1L6Ep zRiJB~uNqyza1$!voC|t5yxS~!bFCY=Cyw_JX-Q4_EUSE;snoN^*#F0-3h>{+m|n@n zoqcE2l1_gKB7g>6^O{}VBsZTR{t0ih>)w{DX<*Zh*Q$5Pm6~}9-a=(+Gt0q;Q4Rx} zd(+O&AalYppc8MsexvnSxF-m{jZM9Zie<^G%$vDcGombFp89*5C-@&1lFltKhV&(b zTJX7K)8f^3qS`W+(d}TNEt-PeY(utE`ea5XMt4d~W$vush+^*BKex7lKw{Qwm|SXr zR$@ND6T%{RpJLvluSkWWfO5`lIC$Gt+G`o9LOJhoLew$Px;3?}9&B|u-hHe9(>25! zaz4*i_)40ap18K~q1**Zy~}SFLqi1axY4OpIF2XNP^kCs?iUv&(ojC4r6^>qeOO?U zqdGv|5Q65D<7J9IdHnL9Bgq(%?!C}@`%<{8ZV7Mv#;^A5&Nkk{pXei(n3a`pILy=K z9ftvF#a(K#ooSA0gbB8w#MZSVyMv6}%66aCt2BqOwBHH6$kU@Md9P#sXTuERNkCFh zLe6!H{z4|hiCX3a4J6Bxj5*v08sL4nunHwCPe8jg9(HE@sNANUl@tOmgIhd2Ev)@) z%IgC(0x#>Qj>L*av1zW&4-t_^cr)06QgvQ6wszEcw61k^rUlwU03LAo=Z{Oe0vZlv zgKXOTD`e>$fo6Pw_7A74N>DvRCI{#DG?X#w`{R6q%!L9>^eK}soo1`5wx1X961vLz z`_;%LF)Hbx(=k|_n8)))(bP4M!%kU$@G#cFfU(_w;rd@As>w_v!CDPn31cuU+=01W5r+otIJEjbl;6ZRufh}KE4-ga~;n_ zIEUjvZWh@?gDaly?n2T3;uv_pTATjo(Id4xp$pY-ds$z0*R!=i3>f_*EnQqRU0B_^ z7gpZgK1w7~OJH4o@>B?|ucm09mnACm;L@{CT-lY2aVY70e(-}kg%K%WyQm0RXfkgs z_1;YWt%6vxcB&~^#ErmuL#zvB0X!we{m32oG%9<%B)a*aJvkapF(0r@&M+Jut!FZ+ zAktJeWN64@V#;D>$YM0hJs05VkycMzHng)-s89T-!|qSV2UvHHyT+_TmGQS9L+$+<@&(Bc2q6fueY+f&q9JP*gUFx>}Pe{@H={P0vQm@%VDvccR~Wv z(19I$7GYEn!8jz&yQu&%kL+VuN$EZWTo=7vj`z}PTI zby&yNjqDsIOUquzvvrH69^Q|Altt`sL#e^cPOb~?QH!%%`Eq6rq*!8qI&J`)@?e*K zOSJnQ);Y(i4_W!3G_p|WDV$G;FoC3_&(25E_g#$Tz{@vRr{j8h`0Nz=OmAFVKnBr4 z&k>OP1RgYu?K|(Z0)QlZQS*a|NqZee6ouold}fe7k8}P$6NwUv`-l#jhUW+!)z2=v z$XbJtmBDhE#1z^`E;dardPs2HV)KagLM~UA$u?V=Xf+ey|0XRpPk-%Oi|m@t?QUXb zPfAI}pI_OZYVoxSOqCzWyrVIDyzaS*i7{oJa1P$zc6Y z(#W$sc?6x}pyOu~v9Tj(3co1K(6b02MfyRfmDOsT?$k@GK%d>K{4fIQiXNWbsa|>{ zxrCH>C86p4S~)7_>Cn}Ml0FTP+_A)thMHCyy12onZarzWNup#=2^2xe;;uRqu(Mk= z6_~$y=jjWRjoyxDA7w@p-3S|=jIFKts1|z78TjB7cv_B}r9-6S!3 zJl!t$=@!i(vaxI;PP;WUO&l&U=j92#I*iL2>s;Bv=3f#}Sf_>{y^pM~I+q86WZ7Q^ zjV&rAr=jcDTx!MnO-O5Y%nFzdt}2X@>Rk-#&(;!yU`fs%mh*>NwJGXEEb%{K=@s1)f}EE)FNC= z)%(z=H8bFLZ2P$2oCgNYzr~>UdO{reFL9T^&EM4{$z)~n8X#ioz??F-kzXXCM-h$M zLy^cAw zqcM!ebu+M}f52!L*==y>x-K<993jwwqG4&aalu@bog6=f6gUzfSEz3aWUeYY?0!@_ z#x`RnRlY$r{?m)uTPfSQjO+L4SVk+)57`#0jbdl~Pr5Z~7@HT@R*=Z)7*1ryC&)4x z>)K+T?a_#MNgpHjrg!XMbL&3O+s){g0*zGdDM1DCFi>KPc1lUf$(;?;>v%!n$gX(OQNg^`uDw|$aHkE`TysM34WNksHj(Yso)#Yny3EL z(VoG<4;1YOsCJyk&azLwI6%@wq@^JLyUxU8n7FVoTd?v^7AB?-2|RtP9#w{NDfK6s z8XB8&TrNab1f*ei);V=l#_25huJsCRF2oZI?}bE0MmldKCG_<4cz(I@ng~aGc?UTb z70J;)8HKNX`4rv64f&Tl=Y1%n1)_@EsVgu4*(r2=zTZW1qNb+C#!C~W_%&PWAT%|1 z$i5$iQUP)gzfW2zAABwHgE+m5r9LAgqr+iEC;zYH&Zx!AB$-sIt+Bp7QC)>?l77yE zl@J+PT3TYp@57{okl?#F6lC)YoprkGu+%jVORIK< z%rRajl^0G+sD4im>8XkEU&bAHPdSp#Qt3%lQ3XYo+yeWCgO(@T-DejIPPU5C?ZrHn z)QY(?KZ&J=(^>jmlAYo)WWcPp8FNSo+Oi8RrS+LzQO?!Pl0?mi(o6Gp$_$Tnx!SZM>djq*q~78JSI?K#;YA(uL?UB*|*Ve&$Dc5=2v3lRZ>lgOX~hzJ;;1V6V0-IO6J-;ygY2-+JQp za@+AdvmcwL3dpBDCK76H{*gC`kE^_KH+uV1o^!70CquG&zQMJLmknL0O`0mXer6f1 z>iXK-{oL%j(@^RTfQEyzaN74|x~V8Xl&ep+u`w{gDfrF;&C>6bfk)PhlP?o=Ivt;- zm6nxREL5uK>d^tWel0WKxc3qT_tXT(gniD0 z($kIUC*AKH(g44*RnDg?6$Kt}+ejvpkmm@6cIq2^PdI3~C!4cV@%Ti!V|As?e~96Z zXNtx{+G!h_#_X*+9Yd$Ei=r697s=ZEuO^agQT$_AeL;j+XZYvW$x}WKf;)$-Vu2!B!5XY;gqT>p0r|RUq&h7O1Il__HZ4fWC zN>49kI3+AA%+vSuMf)bX9cSN0v^slhuJO zKb&~5r{w+?722==`@c|#AT)kH;RiVWrKXM!{wRAXY}=R`^N6MHz}c%I1?MBVy>qxqgX+4G>0ogwtOX4MlS+sGAx zo}UupcO)|s2E4r$U;G(P8#V8_p?>Z7_^#(|f~)T9fKGZVsjUYC#NloOvC+c7en%Ql zgQ(r|iCP_)13>o~(DtiffDhK>DSq(?6z3lnCE|Ol_HkAb z^pW-BLK&?dk*EVv$gfjHI}x&xEHZLy+hFU7Tu%SdMOK(YYGIA1lRlLuh~=}uXWMQI zY7faCV;e;~K~@GT#jTx3aRSswQje8&-d?rx-6aZSWCG81h7_NPa6M7#UzO<)FW**oddiOQNyp;pT?Tn_VQO)z&l&i%`FRa^VUbTzgt@7J5za`Mhu*W z-bcj!Ya}6R7GEg9xccdu>w7|Tie-6V-O%U+K zz*{xiPf>6FLznK8cwPDU>winHvZ^fw>4QRIx9vvNRCrtAE zzfv|JJAU1Hxlt2RFoLI|8J?kV+W%D@cyFPdTw-Q0N$1iaf^zl0vP7!*?T<3DaWg1J z#8s+R1m<%rpd?esC?!Daf~U?iq;JfN1DL(X6V`8tc3Mv7Tv1WM zz`(HX70>2ZWylX{vRSaHosjb3S}Kl{oB{6|9Tc+m{Sf66kr?&*VptSDXI(Qi^iG2; zkJnRPRFqv}Gt8$GVCEme8L(EXxF}s;dv{z^!2W5f1+_VG=nEoy&Kpm(#&@)Vg62|Q zk+cdJS?N08Tsyi9Z}B1$CS8Gzg-6wsBlrac$G5%x?iOTKo>cmfS^;?}+}tO-Gc>#% zzMj_HUW)FrCE0llQx+tbYTE2@aM!j{5EjN@F5Vd%oSVDed-}qJkp%gzVk+S=?OV_VakLnHw7J+x(mQ%Ole!Ex zI#vA>j|9Hlq-FNhk83@fd|ioQU(qvaFDY*SPB0Z@Z=}*gB%TV(^+@aq)6xP`-M4ov0o44Sg$EN>Qrbf{8Rs@DYjdBe?ExHuu-C zn)HbYFF5)@ugP@%6?O0=NrX6;RCag08-taS`UqUUD}e$(411yyu?-wAeN@6~$egzs zwS3qK3)I5T7}sOc(E>!w3-R#}M}&ohhV&4U*Mw=Sle($wpU|IziQaY>*p6@v{i0i7 z?*%squSkx*ao)XaBuHN7UK)bO+gfH(GP0gndo7oA7Q~w`?nK9bx;0keULp6oO?5NR z)#@36(w~9_?oCmrKl1=IJnbf}Mui~jo>kB0+#Xk&6`!K%9|%FGx2Ga)*LnE4qn|E6 zea`iw>6L9gS7fb7 z`K`k^b;HvW6UYTDh@IZ8y_xiT`$r0qaf`5UanVBY3`X^IwM2Y0pW~igYFU{Os)FD_ zxEu3PI;4Ak|*T!SU{!(kbNx#?+%T34q+Nf~i55mWo<$A$?VDUtbO7wLWk(|7&np(9ETblyUzFDBKU(BH1KNYq5o>YVW5IyCDdm-}N~YoVOs z=u{U6|F1{{&$8}th|<0F%Fr=1lyI6SC;{vVkh$&iml}dEB+23yrD6FTTXXSo;S?m> z{>reNfTKd;x^Ws67?1|@Q@gBN=dF~dw=T~ zb6VFtsxWcotWZ+ke)Wl*v?0CB7VoML$;11A0W4kEp<~gzxEBQ@>Id#)M~$- zd}tH(8tj!-VWFk(z;AC(9&bY+S7+o}G{5^s$FQ9zo$qZxwuj-J{mOM^vNax7MOAt( zg(JD+YNxAL{mOy1(6V~jmH=HxtU02tywoG17~okYRMDbsU_Y>@MNVUv>|*ZJ-T&t_ zvD2ZdPP)m>{&#sdf7*NKFZm|ZVnK;@3fMO9=-AW@I{E~8Nl;W5(y@g;xnb4K)1A== z@d4?1qYdE6Y~hMFe&yvk&97~K*UO3;YVshVcq>8}pk!Dx=g(^u%#0Tz8$;O+^nXPZ z6!zW1x0dKAwvNoRMM0Ke@RNs00FLtF3crELx8!(nQY%~g5|EaXa(LGdnMVO;EALwT zgE!8bgO9wR3=nMLHoRcSW-mjnOjf(8n=jL4fWzIw*j{4{DFZ78mXqO*u zoC?WspeWMAZ}e38wr>^VBJ_S-~1E)*9v?9~D_B%=o>79WLw%*~$I z*swoRUa1D>(qa~)Z))0U9i|w(5bT<(K>O$~O;Vl`UPTFT4Wyx;HanQ8LNA_U za=jx9+@4!?lt4kR$g9ZC~EC&Z0&qZ*ix;}y;_ZjJTv1ZXjpRdFZz`g zT}s9eb^AhRI+)%s-_sKrgoa)+mzr7_S}}E)ma8|EJBlk25m_Ba$EVItphRtAwDN`z z5fi*yFZWut{>cyN-uIdI;+PubA9pQSiis>sS>)v6t@sO=@4-pxGQMTy|`g=6DGOMTOizmt>E3`O?3tbrleqaPpSn*MfRf%i^ z^H}6oGVbs4P5!FpJ>#O7OlK40?ch^&UH2kx=YS=3GhKx)3V>dvx_t=f&yibuPgJ3c{;IZQZ=bg`)%|*Vd%OF? z+qMq|Dzotl{u0A(P-uN5RD(i6iUISoj)Ip`=${FF#trWPJ$oZ3yJ8y=azN6TQm#C6oZ7L=!rIW&^N&Ib30_Yjy_3z;Xs5qi+OMl$j;L&K4 zTqB8jq&(mNyeklg{<7)1+tu=`PQupC4m5C~_t$_G`H2TXegdTL>5`jb!JD!9DBp23 z8avoUY?FYd(i@)EHG3T#n5bvjPaJp@WOWTo>itfv!1~;-3RXYM9X*NeQUrja!l>u@8y!di)8nr|yN>nL`1%UoozJvccWffpOu zAR;o|3$$ee;tSNKkGSt)BW3@U&uKvq+4-PUVbZP7ooqE>{UEz$m=ksvsVl(R<;$v!(Yh z!+9WxBGGZSsYywxrv-sn$Itq=Z@N=^2vN%Q?(WZoqYt^1vb2db4s-{Zk-C{zBmaml zVJ!2q->w&Xa_CfmR1ERx&XVQua#jLSMMPdu-X468_MaMtD~k_4(x-l-Do{(P)*qi)(NnyHFyuZ8_)^=*7}i|oWXG`R8g0sZ-L*ljD3*0p8>XMcoabA@`I5! zhBQYs_7;HPT$KmIfsMNEv{D2SgoKRh`C4T)2#uR$?iM5OXCh!@oJIWVH2cz=2-)Ee zsRI21{3g&qZ%|#{$XkWS-%6*5VQUZc3VpRk>+^ogB~-y90d2cY&?Z@t2H)}}#%f@S z`nDo}R%PUreUsGk`}$^~rus33!5Y_jeE_IW3h}0g$N5}`e&Uh18y@4H7Trpb7ir~| z%vQjNyu-WE$@4 z&wLVkUxaSp7HfWy+<=i}WSR8Dkm8D@uy*Qa>LYwzy zUr%KG8bE5y2S~UFk)?n%T;0FV>43yuk;zB7!mA9Bmpd@gF#{@qW3&c}pIKJh%yf@m zLKm$H&T>ofA`?8?IxYBnhZ2S;9|i3Z5r44-o__ww?xv{am(o>rr7Vm9ZJ zN@0>Pzt^}5iZyFpnxWoH>Ee#TyC%aH3;+U|(IoMjSo8e@V^I_FuXpY`u^YLEwJK7d zSt}9MclUdRC6s1$SzPc~YnB&(k5LkSQan~=^W~T4PEf5ittP0=+U*?=e@_^<^RE(U z^%P#q5IPRaRbA+L`}3*EGoah-4sT<)(*kmTR4#V*-vkq!CXUXnRK#pXT*T^5d7Zz{ zcKto3Z)l)zmSSdx?^=eDQRcG}o^8@?Rr~=ZbA0(~$f{u)I#mR}iGG&ozyIFP)$E8B z8ySi|l3Pm=?CrbbyW=h*M63Ab{Z@|1Ab&E@f0*kV8Z!DB?HRL1s!yG2Js|)Y z4&&bg1&Lx>G}?ghi6%Y}YfO25VP&;b(CnFnW5P?%9cH$y26Gp1n9Q=GoOT?;_}S z_j6l>twkO@kQ(kX8t#ZXiR@yh&V^N%l(=T;7!gAn}i9<)lVdAE-v8~LpL~3R2wm`@*tl^v{_)WuJZ7yWZYC{S5cFgD?y-iaBRvOfCA1A= z3hv^gF~;6>(J$r`T40QazZGeI)M@3MrDMVkO!|^o=TW5Xe8Op_k)~$AkNJJdiP+_@ zsgF8E|2bMZjYy){Gm{3JFD_(-5nR(s;N_VsAERVxDX#Sfi#cXsAiX|MUZ<)5a=Nm7 z9d@Pd>|ZD(qT^VtH)f{?%u7zT(@VntvnHNoCo!f{P*m1AGtzHqb~|&lp7VJ^(dO6@ zRcgAC$u7f_Cyc3l?~}Uvc=N7wrbhMgWo@Id`>)>n5E6avJ>-?=owz*twp?PEU4QZS z^-JpesHGCj(LZCaFC34ucI5yB+FrDD%J}LrMe6afkAv6l?l#M>ysidAwftdDZ2vwL~BG`>pFjqCWVimuYz^f?#3c~LT z9KQt!YmH>wjK1L0iXsD5a)`R;^$Wtra7G{jUQ6K3rj>-4v|4=@N>I!3L{&|mYw7#q zf$Ufho2>Vy&y#4PRwq5Gw2RN#|B4q4aPtQ}ZOIdzHF7xv(qj@iLz+FB7E@$Pp@mY@ zW-b&PIzU6rPM+ax4{bpr9zIX&d#0+aR^#zCJyYSVB8~-#mk4<$3De!wUnUaoCS@Wo zw`O&t(KD7dKE=(IGy31R_jccaG(nqM-YYDWssQ{GYM5nKyd#Ns3+~9JV?D}dZ^Np~ z%m4g1zRejDLSI3q+;(ws5vH9=N69R^VN8UMvu(f|D92$98+Wuo888|a%DURTN-Va` zwrUS14s5eaT+Qz_uB+8fPvzI^QbX!v+Vo>!!hyl5_9|7=(wP!tS5zHKAzE zY#zZ+FP7v1PNQ80&)#Ll^1Co^|(MCFO= z_o^N~p4pz7-+AYnVtH#xG?Xst>L@Rc7I(2>tiShB#Z`}1@Cgn5X~*aavgdR(?6e9G z7n7%}msP8mqln8Y#O3K}-RbBhhBtJv*Gmx;W@rVfYko1VZ{Wf&cuKi9E%E*>4?hn4 zw&6cr)Nrks{Hpb7f=L6srJG5QOA241QrrfAJav#p*aY0CjY6-jt-V-vu9;ms`mAD( z*A01JOXACVR?wr~2oxHX~XU*Uzlr#@NCMyoVna!n5N9WqEqs~eRP?!XQPnJ*mnUGl1=>dwUtk!R0sv>@G(ILzSyBjw`xrokmg)eL}P^9Yi?HI1+_OgGhUeSQ65 z+WVzKTY-~&o~(t6loUF4m4W$`es}R&ZrIvrB7~|jT@ggPNgYdvI7I=sMG~*<{p$0? z$Bi-sXc^S>izKUFd@xS`{RmLiG~lp0xu=shD&E5f@DOHjMG7)bn5CM%4azCQ9RCGe zyY}wzSJrcG*Zy`aM~l7NO||!l{t(d@JsIsiGbW~&+vxH$JwOppu+TKL!?6f*G_iL_ zeZRGJ@NMJacU{B(&KNQVtjF}Vk-~h!qN=) zvSKdvSGB*RCuVfA=`;n~>s9f+5mPJq!5E(I0P77w7+!H~QvjxK+~b1%VwWTAl2$q-KJYkzEBwrFpr@85skn-(tVjqC7Xdl{e!lGfC%`FxhddN`Wp&?QOj=Yl^vwhPvlHQE5+Wn(CO*M9 zv@sRl6i^vTTI3f~JNu<6VolwF60eR}?RNLaTX7v-N=uo8Pq}w3Gtl3xzu!>dngd5u zn*BXqZx;-l=zVLsGX;bTB+--Vb|4hpv-H2ipYQRC)j!|dmwpM0snH=Ff*?Jb(JkEur6BRW z{=VY6c3tq#HqLv_6Zd^T_mS7Eo%tnNR>%@^A;^htp2{>!P0I(567ySsU1e)G&QXjk>ux5)Y32}Gu^Q>!w-`?y+#3ac4K@O><4hZMSKgCI+ zG}YqFu~Ajd>5^sl`%L-Z>yvmyN*2RqEhM|irjqRj7&v*BtN9nRwkCtHwzOn09IDXP z^qF^l^4ze_tyweCg@ed6?Wo%p%Z4BZT9VB?K((&l>JBE*CouH}AAVmGjqY*$1IiZ) zik!Iu3-+M;)oUB{I3!Egn^Ygxd=ngK6hWaX5!XbA`kE(XjOe9Emy1QvSI7OedRMlR z<}(6E>4+iOvQ^R7hq+z$Xt!9}-TDS^&FKKPL-cs`(}RwP0L{AztrK=x1A>_}c{`7~ zHZg4@O1^QM7Cn`N7%&F~8&%TMP(y?2ch%R~7)VhA9e`_@81JhGjen*bJlKZA zN1-P!hx^~dB=Q@!qApSsKd^Lew}|@F*L``zv|S%gQnAljg=m+dvY3EGf0~sPlaes! znw~AMdOx!h&{}KkTAfB+q5a`J&DsUEY*;e=8s?&B;!G;O-gy?@;BT$A)~3GNH6jF& zVi(fQO3lQ#;0o7GM>jZY=W0RR{Yb$1bplc;TE?Cvo5tUXfuLyxaHyM}8;|lEVDQ)%oSwZFyX=(Q@yn%@zpa2kBQ&Wk2RO@-q!*XJqwi-(Qj z*~L>oOhwxW9@~#T9||8Qbv@*nzA8RgLH~%goLq>=m)GYzuqI*>@RZt)qz`$1}p$ z&|&YMU9Ai!Bh%oB880FhXw~)V?rLxjFl;gGE02mI_=keDDgY=*RPw({F@`(#Uz$n@ zfvDZKj2yYwic7xE{+MZ+osr4+G%_|VycyF>|2cLPjqK|`arE&}Dg%MichhHpYRJ*H?~tbw#J$PpB zu{ac9t>R!qAs7yiicKAmMRb(G%AAa&egBpyhF!79cA0>6{=O2TX3Yx<*1n9!q)I~ zT*adql@$_Ab|8eQ(J6?9?mbd8m@jD(is^u6Ag76`>s&n@eQ76Y1hT-w)pz>Sjx)8j zTjN*FHQQr=l?~lL?IbU|uMFy(@Q9{T^;~71M6ue~On3j!UE7{QnR{)bc zDCIXNoC8JP&r1GQ2#z*lpKmvATzfkC*jS*3B18OT|Gaae%hip!J?!Lh`?c&nL zP8VnAPYN51Z33VHP~6zD{&BjI(a|zHN-2`eh_ffd8YLk?AKvW_<`WK6c4OaQFgg;Y z$5Es?T9F}zd#QX~#S>|q;-cAJqqac@Upe%O9=jpOlNL_9a_=Y`_w6G!7~o+n_4g}x zJ`50jdVuHYE%d*S-@i7ClP9>D3)KLwFA-VGx~A4Yxv*^?yf0hrE^QR_8N}ENXao+3vPP znx~CTav+ag)T(B-uTF;Ct6D`b`zp8WW9cTLb8}IS@vAXItE;!k>x^07Z1pSH7No?9 zNp$a<^pf}0vYm;5iQo&hoNa^iteM2GIKVh$kZD4p9)@t|7KxluaZb6o*9sg8-*Mi% zXA#{88r;GBL}+nb>{|hEK#-zq{Lf#>6msMVK0Nq-033Nf(W{j4@6Bt0%TlP(Gq|yX zvxldnN01{vN*tAzgV{KoLG!(Tx{Jte+nJl)nH43Uo!d<#>NY+ZW^i&krTJR|rTCnx zxjPr-RG;7xF{>Wz-zX%xWWh0)K1(oFb+YVj1G8$;E9a?!jEua|VCnpAm|>J*VbPPU z(768vZLA3ZGCg*zNU4=j*(OFLaWphi9XUfKV8`YyA~{*MFNDV^lmx@dADNgf-kT05 zoCJQ!eFSi3@Y(;_t~@C5d>{6YkN2s+(>v>B+RW%%_yiE3&Jo7vWkUtbi+`q14D*GI z7ED|vvX6P1+G5eKsMzgye(5{G#4ndOyLE(b@@#zG=1X)MPMVt2d_*SF3;60Ea*I4v zi{Ci9o*p@Js1jbtrmC1JF18=4C-_@@5S)6x1*}UVwZS97Q!nmeL2hn^nf-OoiqAD6 zwhk7JI^5|_X(zMqhY>dmVX2>+=07?oF}5}Fw-B4=ne+fMB2FH_tmWTXI|Vk`n#YeX zp`rR65+-h?p78dd|_sCHlg;MeJkQzb^2 zTn5YN2hvf!(U6z9eLpSjOX$C#ng;H+PY*Y*mIX4pt})F&N-}%C1CDq;1wbF!WwZJp zwlA$wdgVlV)MhhV^q2s!AX%UC3F}tOufE!{g&0ozvW`CFR+Kzu4Mz@E7~gssAOEX= zq!CT8BS|&!}VUMg@v*OBpSJ} z9>9IseQtZ&_UphexVW+1dhlq`(Jf@{=g%+TMn?*+?c>#i&jA3S1A)2xr~a`1t-JWG z>kGJb7Br*(2-R1ngEFP#nhOM1t?E?hmsZC;+hH3>A1J0K>st-SVAj4Y7B#Fdg1}i0 zqvmgzP>n`BjP=Oy8Md5psBwi8x)vmksuDsV>}O|73}&g-xX)32iyJ|~K6ch3U(ylR z&nD!Z5DT_W)dHRKD|3=kLV9I-d}k|d>?B8ufOCZcjDUbZ(|<^}dO`SKgWT5Emie!w zc)y|syJl`YYy+t5`032|X%~DFyc!65f|;1IE0r=4Nh4D#o)HKHl%V;Hjms=cMu8Sp zF`;r-Jkq~)w(PU7Dc0|H%--qUh<22Yd3RU*o4n+6app~*ql;Bp+oy&aL)Yp`a(nv$ znyM?ziDBcar1p2DgRds#>awJEjyz1QB3M`WsycV|kDtoz7n?|+fr`X{Jb{t&U&0Ay zSYH82*-wF^w+XaBDZnFMVm3D;BP6h#v0u#+q6PIV=QrcvgODd1RU}>iUFbIScpFqF zu1%Ry`Nl2;X-S`ax#J>;B#W(nF`fS;+O1PuRJUfS` z8X}6AgX+(f6z>KS(YhTeId7(6&P;7!jU`%ZlG=v{sxNy#>Kd~H#U&LO`%wL^ZI@Sm z%wC+A#+MJ(N0T_`L-d`7s%HEm4f>fYb_Io;ly5c9$fV~3mTgQ!eJq{=I#9yKUhJ;p zIS)>>$U^bYnpW~vJx0*%@i2bc>Y+O(g_CbZ%?Geo^dV9EjqeK^_g7DXWVP)mYR|OX2>Mo-HO(JsuesL940J*(b(r}0y z^{PL!{@2REcWb8>tqOIx{Q$u!*`^oS=BZ7@i6Y4%%T|N`g*ubc0ryJiC2xwJ5fnzKdK013(s_WAZrhI%1O9!v%b%b#7 z?@_&iVKevi0Q}Wn(pAMOr*@2R z!jh1J5lVHTIv253Q;b^H|3Q@~`uv|Z zpA{^~6IS^`=H=@gj*=jej%Kl`tZU%|IEM59j0WB6`{R?w* zT0RK`PlCo+yrwYQux@HvsQk)$Wrfg+p!kX?6}^S}7oD6h+tE=NH=Thu6=ZfgC2lX8 zNDILG<=mHQ{B0XG#`Wq*KL3*1Md{>gNvhQYYRy&H5jFQQU5#&|frsGTCiww_9_Ud~i(eV*C>9J|uD4>U9<%b4k-Za*j2PZ+MTn(1_XM>VIjo<^!5{ah0VP}So( z<3E*kpG+;(-=281NJ#5tXz` zBPuBIh3sk`fOAWa9BPc2HT4K+s*$-2grzxF=~cnGE^DIx>2Uw4Zhh~4&c?J=dx2@n z#`y@JRowI$Yu45_Pak+zf3UzugRlDP*1`2cf)=?J*%`UVxg44e9QXk4%UJBYf)Ax6p^)QTK55us|&sRI>k26#)QDuVCHtd~p2>X^TuVYF^R6M`^)n$}TXU zqSZx7b9rZo8)`xPT2$<{k88yU&zq7EETQ~{>)-*6|77k2TFG}nqFGr10|57W^5U|m zTiFZ%hVwv5q6BTpSy}%<8N$GmS4e}|lHaL_=;ctkjU-G%qYk}pP&;2dy()M9F;Q9j zJk!bt^$IhHwwig%k$W~oukHU9Q=8eKg41SYleNC*l*dm4^|+5uNZERWsIg1JEL{Ii zFStcQ($w|%_;~3WU?JQBci#QqE{xTLp+&2vM4v}FdBxuJZ3RvMwT)Zts+s!By?GBs zwKYHW;Z-z1F=(j1{FM=el(>}L+}WkvG{H2wcAza@svUesEB{suBH_8AOWLxzDwA7k z$ql;ls9elJTU1;x!-)gV-pty;^lTf?@JVGQeuh)kGUyT^=QKMuJU2MO?=UFmyvkUU3O!F)Tvliq!DNY z1X1V1OmN$biX&kBw!R=bv0QjW%+9YAYOgfEC6KBYQz}szcRj31ydrMKUinb)VA`wV zvzw)@L+R|>DgK2IJb@|e@F8~A%Kz?V{zc9kcoPs&fx*?fPx?rU>M_38JBSa0r@B*K z2bd9gm~TED?-XTZmoL?9m}vqU<9%wsn<`M>1>*72RVMLf9rCthDydEps7WfMO*g4O z#;Akyg(Z=2nm+!75{&$ zkme4iL0Xto@#y20lwLG55fY^knd%MHMlgGuZ zX}?+J-9qkWF>~o~o}mP5#Mk`bzmbu+7etT0)96LL5G$Jau_P*Gd$AfCnj3oi{r08L zk8iT$mLY3jf-k<}^s_<#;zr@w--q_}^qkxdmdVoZ!JEG#v_m08{#jj2885_!|1>{j zcYS}Mw5$!BTIPY*;VTeW;Aj6wZY$--AMQjB2?qjGyL%9rg(VxMmHBdduZ!R3oZ)hn zG2cn;^ix)y;dkdOYa%M)LKr~?y4j{!N*9Aps+2pm3cZBYaFAxieeIlgwhT$$N^Y|w zZK5U8!s-9GFe>M+cuzlk3=J4TT({mPEVhNQHVroSXAkz_2&Ga_M}A7yG# zL^8xQXf#b`l`c|GvW>p2Ci}RQ7TvaFr$OPfZujP!W08;=QNvQnz^LfjGNP#u4Yl9D z^W5-e%z=cwoqs#f^pP9rljh})#!APq$?HCI@_@AlwmCR(ELh@_nXGCpV;UePFfaE{ zp9fl94}aG4QDORg;D0)C9>=?EdUyM&O&=AgYzYkzUGLb~(v5|$hG&RkZEn62pw({{wTXHYJ9n&E3oVS(N z??Hoo@Ft&S5<3V`)j><#>t5#hf9nc8KR-8dZDq|w8rhc`rDxL04^BQP5oDgPO-oBl zje4l=!kZU0!gzlpm!Z@~u#lTfXK7P@hj9w0fT|FyL~w8Vm0%u~&mQA<9I$7xrpwZx z&?F6Dhq8YBUG#Y(vqoxiBA@ocAt-g?b%+cX9^-b3qIx-5f+}|1-Gd1402V#mERoC) z*rwh3Uk&gZ+4vhgq(0%z<_k!>6lc#aEq&g1oU*}jFUQ1AU~Cp2Jnc!vd~ueHuZYEf zFuhY#Q@JC+=;C-2A@|&?ZVdcv#ulp}6N$8PD4rzPDZO3V}p5TB&+H`SO`D^n8`ii`iiphO_lJwd33^*+OxZg?abG2twt z!~wCfxuC30fBW|B%TxNW^^y5cnuQL`#RPXaZwGM-TQHR~j`^aE>x_BoxcwhSWx*o+ z>D71&>2xoF!G@zFXR)|yXY$5cAxCYc>vfs7`6xRP;g7W)jvdNnqe>G>ns}^~D%iN? z;yBPYp`ItrST@A<4*@a!_D=i@yyGt`QS)fvOdT6s2j#knUw#~eyuP{$z`UXTOM0Rb zp$J)vRL?vXWnMyc%J~2Gh>hB0g-XR@IvQ~VvnPa-_eFZ5f6Ga#QF8@TdxaS53=0jO ztz9+2dH8Lu*ngC;#rc|gncMxQ#Z-UM&GgAMS(WnKie~o$j3xxi=MFIeLEp*OwaZy` z!w8l5mXt@;DO|e@bM5i9Kg4MshN)8s+?9rzC}5rG#H2n#YUT<`Q$3(oOPWGy-^$hO zQ%1465th$z*>u=e(jvlQG@sZ!749$(TZ}u380t3!YpnOBXq0g3)zhe1GP6u2SHY=l z9v_oFu_{K(y7}q8H*4%5rR^}cB9ouZn&B5&UJU6mOU@JOmxFafWtnlm-lNea5EF@d z*jP-R^QnZSl@3aET9@dut~k<_NNK8Hh^M?jK5E$bF5>(PQCWjCw%1~z+BYzQQbY9)cqN$VPV@(>eOFPVLED`=J$l9@DdsB zL7c-l)iv%_(kCB2YvP=aG+{HU;nirQVg+aA!O+%^sfnAa@w%{PG9wQK9)(j-DETQb znD~U--Vxa=^wg^smU~~^iv&uRK^R@R>>pu&oqrjzoXiY1*s@A_Qi%M-$H~O80Ea9l{bPb4iz&isnB2>+uM{X*(}_H}&-`zz9??-gZx)cJ_xJ}C0R zz~3_&2;YX=cM|SOIcQFC^atQWpWME9;XIwZjj|brNAQHEP-PA71nl?q;M?G`ZN#rO zYDYc1`o`tVd4iiGqzg*D$AcClj z5fr0vbS|qZ#z{U^z{Y{fC6TlnS!-uP?FmWV)rRLW)z;Qt+MZ_OIZzUau?b`=D9GzO zEt*(5e|Au(Sb9EmX1)|pyyS{%*h1Z|R#)fV=A(y#P_4!v&1;%OJ~VFY1S=uSdD9Lm z`VKrB8_iuSNj}V^c?SEGx9L=}Mx+>_YL$(^pSebTIwFQV^XuU0vF2=P2Pb-Vs1VDe zjrQVJ%9aBTBK03-Y>GTeVDl}959;~_F&vzQ2D(?eY7vp)DCz>y$oiOC=OW|QT#$jz zLE~`tlx_;AFspUrQ~Jj}$`p*t0^j1fg=qr7Rxch8gK#?zh`Vz=GGZ9p-g(Rplb$_# z_k4b8FDH*e- zZ5OC}zLB`<&l_=+27EWu>mii&YJPB@_R)vjK8I;TsY@^U8*5y{475?Pcr25+j3;#l zd4qtm+4?{kMoF-cJ${$;qYwjRwy>c16fhBF5?=Y(Dz--*_XORMbBhjp^96tBU1fS# zS90H1JW*S-vJx^WdxZi5dHpxON-JgTACG!XAM2D^EeVieZkxyk;Uz~O+UjEoU5BPw zVnq40?#}qhy~aEBeFQr+K&VeeBWW_USFaq$0HbsiZP&CxPN`N}cel zrbm9$fJ%LXjGoY2N&ZQw01YX^3d%aERD)k^DNA;dBR@|(veD91TPuf$Vl=tFhm0h? z${FochY9qO3qwHK=Vh%SCC=tKFAZ9yLI{^;K8 zfjBtf<6`=&#M&UwYHlyo7%{}UdcL67ZJ>RfT<4T*Ckzsr`*5mnU;LE#V!es14H%_x ztCh9Hj;ZlhS?=9xI)8?Be<>Ug-v%qB&Rq77+#Z}6x7HTunK-5GIHFobUYk&9PVFfw zy`j3JV}QtYbP_!z&YF3xb`n*_y{vqVQ#%Oifeq-&y*imft};E|15^Lj_PvvD@T?>A-9TziRaN1JPfEy zLHb4r#E$iC%{0fWo&_J}T=bM&+_W3+ zQZw(L5->96c)EM__tlgEi`g-s?+=dZe$nTwTK?dT9`$dRgcm7gK4{kz5D_Du0#{sO z)xg8`vy}IkEyXg8;zE8LTZQV4!gtU8_7gu+La1zn?fUa*ZvoqfCq^#hHsbb{&OtAe z;zJqkP3?bx27S`frK4ZMb``gUDw{<*VFvPXVtXI|L`U|_Kg=w>9Km83G;%b{-g^|N zo0Y6Nh86+4{Y*8#@JL|ny~yN$N#+O4e&^9rV^c*%8Dc3?u1A>!V6ht2+%)v?_wJm+ z@E!32&1#oOszQ~MM>$UBO|A^7Qx%{%+NlrX2JMw>XB87Cf4Qr>yFX4tN`inzllN>wL&lK>oGC8tFFO2JI)4veLb6tEAladmD z`BGd&WN|6|mT(8M3BrNsPci3HYgLEfT=YAFuW-tU z;~H7Og|@y5TXK!*mqE~;4ovzZs#g%W{elYd*3XfY6r?Q|?xX;Dm6#n9L`;-ZEdY_} zh)bM`DUFZs$^O&#P7W>9EjSw&=l?CqUKU%Qkx)%UlE?o8PHGZt)l&$?v;1L}|LND`Z~ zgMUIR^9v4ngGT%MNfjN$aTkdti@9B&KuwK`Uv-zZv{*9M_Ro`r@eapm8$9wA1RUxZ zL@zWno;q%SFfecQY&GV3oshl(HLE-*hfB7Bh0?4|qO}hc7eqL6x5|&J5D=gmPfL;b zg+LS;!JGu7pD>1ds-fE;_U=0CGD9AA0<&OAA@(%qX?*NLZ(Mh6Fv?WDCWJ}9eA}@~ zNQ{rivvW<}CD)?euMvyI0zHrtA$gE7}y z;D{84D0nfRjICu2=M&Nv>v1nJQLS{LDiP+NU7EeboU6pDvxWiD?am**>6J;fC`tvG zsnv0Ac{3uVv)w7FG}3ElD|Qx2qhH-Kr3%xw_JL07y}~WAM~k!f_aB^XOlI&JVKxdZ z34fS=4*hzTKPQw;MjiSq>G<6`A>Ph2LNyxF{t?R4yy3AuQmF%-SM$oXTVKulFn@$< z%%S~{QbciWpU+d0dc`1vrEm|3or}%;x8{XXKOkAZVicbt3?3Lx2fmv5i)n=liu`um7bjbiZ}9Ih-q z$!_NQe(Q#Gs23J+QY>UvW;*1Tmr4uS`2Z1LNK`Xz8d)`hlynx^2{Nf^iaoB1-wDC; zE`h)-8^aj<+9Nh15v^M_6MGM^XoiR}9%$K%i3OGy(V_X%ag0{Pp1Anw$_8gxjC9Ei z0Z8rs>2S&nM%+jvp=QE3S{E}UYQ!}@a{@+t;p|Y*Ds9+=8V$8f_hX)zAgfz-Mz|1P zI35ydM1qVx)k(kzTY2xkc6J4~3_FV2DFwWk6(mru;JFErsQ+mXBPLiI1^DCNt1)Qw zmVpTrn);)5e5@g)$~i6K8lB8LRfOmPWrq|D@BgqY#c@%yl0K^ZjhY+(ZJ2nL5v{ zlnInsGI5nFseL9MYkMi`4!*Qq$MUGX_TI4lXis$^0u^HCZXRe|{2_1H{Y)0NuUe&* zQ90-I%>Eub`)QGnPWIyldE_IQ!P3zd)Orme31?3m#R(p>BWOC~GWmr1eF9f|w{^T& zr^CBwIRGeoeB&?>bI0uQCRw-(Oz_68=4?FLM8_NAJ;aHX1Es>?FI`PhHK26AdSfwo z;|6&Wday3Wld(&?*_P1X?~OZfKB!;r8ormTSQ=Vy6u4VZt@WSp#R(V|Nba;!lbGau zQ+z97*1Gq?OZw)uID=5ilbYA){Z4ikdRw)${Bcc~{tsg%*Se$1$M?ODHD%f< zL=MhJpVU=IKEz#oEBdwHP|WYAB_;L~HX?Bvn*NO#wxUz^`?O;2UG4%jxCbK)$U+6x zR3AGm+Lu9o!Z)v4Qf=}8!4u~neC)>8S)z>^Nn@$YRFg+f<@KX9_WYwmt_spckKeI{ zDpOjCq~8*l25GTohbN(lH3l=0#GY)uM@RvFuv|i7Gaf^xwtbk^vDEusi3qWJg0Box zZ^Bl045x#xYzAs!>n{{$N7z0<{pN{?F=>D(T3)W8a%Wz<0izjue^qDm)3+ws!F*bp zrDvUIem>g9Qsd9nj9~mX50pGDe$krzr9>ox&DRse^FJ+p8=+0Uw;DrFu(5ffG-exYhpng-DJ97+jon6^ z3g`34Cdp%!Zf)rOM3M)U3WnoG_H07%NS<}Ph}-y}+(5X@Tgz((8m-_aXC=MgYbcBz zW=Y6Dfep)3wbA?Yv~#qx zapK|w0jc(5F-1?5*5cscU~g~lABe2)V@52kk8v-4s@t6yg`LWN4(3wi+g+DQLWh4s zk8mh_X^G|>!;K?R1vqneu;805#Y`B`3HRaPj!scA1>X@-`l8K2eHrJ}5uJ1{(8 z!ZXoBbg}V@bf^zynD8rhZMm0<=w|~(-F?;?B7R&ZmG88Kz< z=Cx|%j>f!O$_ZNt3=HJq0jzL7&LD~9^$VD6lG-lP= z<{2}BMgQTKhj6DYhsIu(8+0NjX?jyTv6r2H|F!OrJ{*IHBd2Z^*yD+O5#3SGLcqL< z{SqB%dv-6=^FGm&9U_~3!}M^DC*{fd^NNskLnMBGl1lOp3g51>n|Mg2(9@O0HMDHB z``#ax0j?s(uv(pZ&hE$#zya0qWvc)uO@KzgaQd(MeQTw4MK=&mSh;uukiBHJjX=^G zvMTEnvP-OS(f7rkD)jQ%EQUaEDq-fhJKGbbd79KBnK%LbiWIxHB#XRZ`;-v$a1j$P z#x#|TV&qr#wWZ=ZNzN`!7cifs;h>vP9J0w%U1)uiEKnpO5_Hm|Gm7uFZc56Mky9&C zOh)=XBX<1LG`Hmf;`xLJMN)aJgEfF&Cg>wUDG?jyt@GwBO(6%1~C zoxG+I?pdJv4aeS{n-F3s5ba`XgCd-Uw<&THB5+*yM+dvyCovh?ZgG!T`!QQoXP#=D zdRATqR3l#v`51$Y`F5f;>WNpGq`>kZ!IlA8k2;ocR>9O0dJ1`iBbHFMYFJl+wV&x@ z=ta1t$$V@$sGZW)JfP7(g05)Zx1liluh$!0<17DxKRn4fyumlY4lIL;stGE_oRbb0 zVmvuQTW74~Gp*I?Uh=9**B!@arheV+*umI0fr0bcVj>ImNrL0)`QGYt)xHm^`xB!K z9T{xP%IjMn7`a74;u$kzrpRjhih=hLAs!m5Cd|R5Y68S&&QPDoN(y<1srS5d?L(-E zGgeOKi+7N_e3+8AN3W5HxoaP7<1(wdl_jK*b0CcO1?)6Pkr0Jk@b@Lz{9Ps{{AL<-0wzhUVvGf z%NhkJHh1^D&gOypql_+ZJdAZ%b-2D`nW9P>n!E$>CS!m5GSgxGoubcjt7uZ1SD4)* zk`P7)iF=&1lg}V$-#lV}I2&^u$cKY8=|)tEZO1K`c?_8ksfV=1k2(ts596nPzY={u zr77{}$J3VYb?GcAxvQ=$h%fla*|K*o?&{RL2u6FZerFTscN(86_Gxle8QGUSQ|vxF z{|Yf8_*P%d(7f`lA{m1~AXtjCrb2KqdhFtCH}+M;966N6`+O9-{hhOeT4Rq&Xj8;i zmgO4Z+L|(Yb%@)~>8Nr#fxIaz-y^MugUDTV`XPtNB;gr=?GRxZ5pc*1_V-_qpSOiB z6fm4+B9nYvLRZ!ChKVJF7v?9teSJi*lW*{i-0<>aczsG_>CKkj$sO1@g-@#OO)ovN z3RkDU>ncVrwA2B-L%zp@9GwC)y~#&trhOoC^OuBJmCOys1y=1RzGMUOicS7|FqdK*Nop$P5f(D_Y731 z&t1U4V{K1AYt-|@dV0mvX$9uK{A4tsqKtLF(69((SNJ{te9^qr*5;#}KgE>Syqn zePH0<$P%to)Rkjvt$BIPGp=FXnKX`wA$-;u5Ie4_APKnfT;8s+Co(A14yC1WNH)BM zKMMI9`lb$c|Xydq1`m4B&Lz(~V7tGp7JG#%u3S<1L4N)4%&&&ZeTLOS@l1O}SQF2l<5Z^S74t{1 zI`zjP*o;TTT$X(Ei@lnx;?D}KN7xPFnaF*=dh7t8?CK?}5Ycx_%1#=wHpkv}#Xjb; ziT#j-qpF!Yh74MJPgd*U>RZUslT|B(o6;J8Q?kY0!OBP9`$>|sO2cvAqA{0aTx9q0 z7_YfZhkKrQbEj}~r=ErLm@Axy`y3hHe{_3wrW{PY&NF8}OXKx-f#Ym@C*bN~I)$j( z-yeLt+dA;G8e_g^Lu!{6jgfRf@>j$K?uBE$ud0ACvSq#GCvD4&hbxZD>RPA72(f~Y z(X{*H#JII@lIvxQPe)E|avq9U|>`Vur z(GxX2BB+);@v}=%4wwKa#>4&aP5dbhGCqk(L?g_oNUD+QT!(rrS5shDYQUTJgZP$UJ+&7gO=9lYEHgx0a|W-OJ>YGt!v5^A5;;a#0P&+gsb zuUjIRA1EJncvKx0K5tv(Dgp84fAL^=UK&f9kx8hgl+r14@`xm(*st!eJ8pHgj?s2? z-cMW}N;dgO{T?Va>qMaY8DMj-0lVRFsW!DJn@%4--!^ut!Wib1gY>AmIjRr>MyOW( za>+UnoTeg;Z4`{!*W2Y_o`D7-bQe)P;wb;Of=4VURSwSrp(4&xJ z|4e7-MjJq8mOjk`dMvTOr= z@xuLm!s&LNeUYS${LzQcDsV-vU+MAQ505XV;^E0Q$>ha$3FA%fbteGMLWXGjJ`vHA zqaOPsY=ezf=NCDRM{mJdpixcuPHMXmpe5%0RuY4ePf?i3V%_KANuWTV!Nfzy0k4|| z))FCA=J%jB8#gI1FEIhz;M`W_LK(ghoxrDjG@*5L8<|x$8tK6R?^5RZoZm1)I@pG1 zbuXqcK}+(pgxo@zW)NysVgL)tMu;InCmN{Ml%^-0lhT5UWK;%R9=sp1j~roV?2l}Q zcqdp>HMZIYu_)qcWT@UuZn0-O;dZ~f^~Pi8XUUu=xe3P|&G-)ZVB1pThC{-U5^Rqc zK|LmxYI=-Oat>HR2O}Bx@;kF%6voyqaaIW!xKtUWgs7SD%^IiyHxaDOP&-8&ocIly zWGU%O=VuSv15P)K0@@c$%p?GsnHut7g{}q6S;b=(;M`e7QMcc3KKPTzU3!{bQfeDy z-x^v%8z`|&&e(&_)ZGA$F8k*oa!!2@u-Tm;F_Z+y7yBLvX!=tuKwBeXgsc&o8;YMP z%d86<(XsNWYm?A6(q>z-yA-l3Qy7cm3qTjQOp_h=>!={ww~U_-4F>~WQ6Q8!Weh{0 za841DECOOX~JDlXVotf09h=TIZ}8L|e`xL@x31JTwZ+xDN>P$CF_4^PY_I`{j1S zBXCCN&_W){+y}%HjY^-~hsUA#iUyxO_N}T{z%b6X3*R@tpTs|9XQ%la$)2it`b2}U zSpEwA)+fKP;d}`J1bv;w+^AQNm~C`>3U$++3(U+x{!9n!>$Smuai?nD{gA4b02(>w zn_mlY&KnkzOiMb-?pFA~1h=g;v`ICU_9DPY=b(V)RZS=y7}$EaLlsr=g292BR6JoM zGWeRADk}r-F3|0AeVQd9Ka?HCZKD7~Ws=ZnhzKvVkDige&rJT@;}4~MYrP%^qs;IC zWc!MQF{{oJj|K9NkKY)a;~@rAnqDt)~1btC^=MeC#L2PO7h; zQe#_`g}f$Xqx8HvM@v@ohokP8+3z?qKq3oF6;1JUuDYG+&)G=VzXPmc-t0|RglEhewO+NgSTX6K(isw5>ht9!!IC! z`4R~LlF1k*=3zbt!C6eF9x11?HIVt1Rb)v^+2ojJpV23!>YxFEIUY84Uq8v2GLamF z&~#tL@tTq&o_bj3;|ShJ`AoUFfHADvu!N-yUPnfL zk>uLQPwO8aYN&m}7y3E@!WRk8Gf?rEF{NY3P)Tn!MZ~8?IKse47h!1T`6W^xWeD8= z1QB%%hjs*P=3^6h3ED6#)K86~e`%k1*PG{NPJ|Y#e)C?Z_c#G}~ z9O}GF_2L5l3ZbN1wP%0!^%WI89bh(A!WnW6zx&CqtsI40!ZvVh%i22B2lf~eL6}B# z7sXar8w{Oomxb|)1k6Ol@UK7XAK*1oMOfrymcFj|zWUg~{Pnh&)Jg6_?X~8+@4z^2 zY%qm_1cKYnJYBJ=kwEAx2M*Gp+m7vynkFWf6+1xu4gbwF(??SNdIlDoh1AU#p;ARq z1ZlH&c!|u-K6H1q9fzzoE-vvdTn>%jd^9@v`W+D}eC%0s<`K%TS?>>{;EP`ORGmkB z`t~iwF$L*V?6cJ`flFV^UH2Do)^H5^3R?PnX+I=U5vkR`;v3!*7Ewvg<|kv1Ln84i z#|n;Q$_t;;MB&ywEkBK4ml^mkfHR+?hmSv)#Ctv%D1zh)%b3SpZv|e9=~EsmpiuZJOXm%ht9MJ*fQ~w)Csj z_TN8gc-FJQzmr9YUf$3(F>#Lj*~5W1IK6JqsU?)UIlh=E?mMqD@bEd}5nt)~9WKE0 z!=|u;Zb^{Oit6n};H~YQQ^^MuxD`&T_pwN2++0Xm z&XjM1g!KNC+T9nkV}^u|V^jpf0YFtyDk>7r7Dq%#Er?@n;8U9zkzp`3PfQrog@?6C zJ0jn78i7VPq9V}g%jfmLjq)dZZuD=@-e^AuZkDD8Uh*o3YtE011oz`f!P{RgbW%e8 zYB4GD$sDhGs|>~vF&>57&Tl#ss%8yz2_=@+hV@Qyuo{3trFZ|7?-J3CA4Z4Xq{VJ>Wkm8pH?GqAbY z2<9dLm_FKM^ej;1)Q}`giYO>6#xE!SXqw2gr!c`iGt|u=F5qY;@^~U<1cDz~L1fkS zk}YlGJ<37-DXwMSQ4RMBFp&_6wMpqC;clJxlW;x!9ovJRs?}1Z2#uZ;1$p-jMiM~{ zpdTQk7JmQDQcjr?DO(mxdrDpUvNb(-xs{P5g*Vz^)QN%dEPO16qen&%Ym}VD>W2m2 zm!Ao*p5KfXc3xldg(Ro9n||>;`rT>df3qvep>eatjc((b@dU=J2Mnv&l(5tf9YOUq!3sU*N_F6tCopZGRN+CNF-b08pIs3<7JnC(n# zhBW8NQrj+8sak{*k4}Y#)*{KG`NZWMbSgHj_8K?E*hVA*8QUWSQt>A^WlMgM*H74X zrhT`3Dye++nu_iIPF3+z2X!FNU&`?dx>#66B;)4O$m{ZvTIX{Mak*iffg`aZv!XyKebf^OK&S{9dtiDP$%ntz_c7WV&C%m4dm$% z!N7i4C&%s7i}AI@+HQg;WhFSs9a})yU{gX2Z+hcUAof~C=EN{a2TrCX^-SJ^E3IGw ze`tMuU8Ld&poW103@lSTkCZKpWrH)?W)c%8VlR7M9cm@$JMGgagi=2D++bCjC1iA# z&;+i@O9K2s5}PG_JOUYR{8&(AuN70;P10|L?L7&@N2~^^3JfU3vv|YRv40_$hbLMn zO(GQq9S3ot)He0dKkE}7r@;Ng`6H1m_k9#0VpM13-`h(4zddw5H@%W0ePt^`+y8TV zbQDk@&vVlLy>X+s-4VPyrI%?uTy$cYU}w#4#ya*bM~6=_5<;S!YC4*DeDZXuJhL*# zD5Ok%;5%`EWimq`R=ly$EMMSIksr5Cc{}I1TBUPJ$TwrNnQT=V+d%=k9NYD8xLEIh z_L!$W4D(hm7X7iY!L+NIsd-nXN(gT}Q(%=!%2_L!8VBwcyE?O>0F2A6B2Sq}MZzIb z*FR$ju(53VJ4>zG@RUo9?(KZ|*7HoG(U|Dtj=+Swz*oZ#oPaU(nIo}@Van)WT3HpV zz6K{$IFP!ZE&fGn zK4Ti}Szc-4LKFYR+FJ(I^+j)E3GQ6n-Gjpo?(UkP3GRX51Pji^-Q6XD-~@MqyIXJ# z4i~o`e(k^0c{}Y)XZjI19NByMUh8=n*JEuBbhFLRP=ra|i$bcZsq2fAF48cRec(k+ za3op$Ifoab7BT^Dfn>ivw8Ac4E&l`)Nk3&ivrbDiP8v)jRUIx6gI>6@(I6GW(WvX; zuZF(JMTG=L%`==bkR>6@$Y`SBMIJC=@X3eN>yh`+{?_Tc&vEDT_TOmIm zt{_Uhi4c0qWB0R`mKL(xB{*tspeKv+@fSNSNWDWVLLWA`IqnDJ7f1)`6AP_ zZ%$6}NAZQ$-b;+vq}XRDauY%sf9MK%=Uk}=x*?bLZ1Yo}OxFFUT%%Yh67lPGBheMM zIAAykFf%V@=7u3SLH#A_z>i;db5x0y5oFT-fLztm+3FWeC`_gR7R;a0H7Hj62RYxfde%Dz4=OP`r6B<0<`^}eNpXI69^ zA?SqUx4*9QS>IOgHZXl}%M73XJ*?ied!4osG?*h0=?6U?8ou0tJVZ?zdun) z%l$sz)bATG$kX^2K3@YsABnQOr#w}R4pI@0DkK`3FoP+CFxcXcar8<%c?h5j*h!px za2sOS+FoTPt~uBQ<9r6)gEo!KQX~_o$i4&M0v78iO&c?lBhau2oGc_t3+o16M}^VB zAr;%T45~-l%X1L;Y&{UO9pE3oj&*kuIS*46x=b7Ibznq?QVW%Ef+6`O3&d* z!hyQ11f;msGB{<@{zk3=@?zRoWhT}!s>|KK^Sb45<3^cNNCu2vKUmKZiq!jB1XGoU z@<*7Cy<=J5uim2YOUARS7T~(He5ZEdA3dAtO3AEf;ecmZJ^uVt|N-db$%?JFU9=6FFCOLhu!D=SHtSRmFu_| z?;uN(;FtD`q{_!D!-FXk|uUXUs%d1geIO_C8O;eIG%zjU6R_gaV1*u zh@8X%q-_DY;XeAIN1ag5Z887{5D{>YSW>2o(Ml1>tmF+sN_*@|LX_5r#442~dX)b1 z3u#&mKsWd=RTB=V((@*nIXErT6YRjq8b9lUG>m|bSBpKCyqOOn^p_ydQNQB%o_2rm zs33l9eViPLi=__OPKimfuiC4MM}pfJN!L{5C(EUZ*p3Jee-@g1i)5Yu6B7lh@{)jg4uh04IeiN z3@_qSjNW7Zrdn}&t}78nAB>BeLlilC%Ny1dxwAGn@?{~$2U_5^4(Kc7s{QJheZ9lT zUg^AnaWq+g=F-rbPo8i2Cq*CnpTF(oeGXhmdi%4op=bBy8ewbG3Ot3HMCoXnnwr2e z!?IjV&* z2ovqziq&^M&#B<@xb#PdHN8q#Ofbk)=LSyV(M$#(-QTR7(^E&-nOhrQ+%>8AA+Zi<7?RdV z$kPs`^ZW;Ql)wN5MPc0 zHZa09il{ZUHlo7xs}n)BDRiMMaM?o&OAtJ5)np}yHTCCrL+Q_!YqxpocnoR#JNV++ z!1_JjS^NIV*t!{qi(PI_)e~w<{l!9p{u_1bL93&yI&rFgaw1NfKrAydb`c8^#lLCz znxAZoQcFockSQ-sD6IuFc$8@!>$jPk3WQhD7;3jUWUQ&xiNEv-@8+kp%vx}+%*oCr z4@GeWt3URFi0iA~$A!nnhHLYNif;#C{o0D7BDK+|VbIB?N@ST$@9UdV>J1EY(G8&T zWV++5j0Mkj8N;m0PJ_N8KO$ao&M}jdyK^g|&3_0y*l#i)@kPUWN0;MiNJ+<=D_b$cvz(LZ1yjw@~elmu%mLsGVw}zAH zx0nP{*mK+I_evaWYL8=JQG?mN-}>ve<17PCcsH{bw%9TA9M|SpJ037yq7(+G( z!P1tuiwo``mC#L3zv#1LVQ9z*d}ugg9Ruw-VL%&*HhB|H+~Otvrg^>%V_pLT6Vvyq z%<%hMZT8jTxX&CFCX;{(0zvWNaJ8wJbwuUEW5;PWAvqITl#-n$L^k3Hwg>yhDBNE; z7U+|BxW8ZFrs3x?=7m5YY_YRI%@KAGYjhw!n!rY0m$)dg7&%cKmdiR`KoeB665fD@ zSwsav1V;TiJWY4Ll#Agk`kI&o^v$^GCcMb)r^E3GosEdxa@B6|Fuuz-p&!StLNy)C z@;~4xIs;cnY;={|_R7dmtq>1TnOfM?i4*N{C(9UPJ)?8Zfv&};@PWe-#fVNFi5UW8S>#(+o2*$u=L z*=KR>C;L`q3@V{EyKWl)eggP_W55@ zf7DVcF-Js1TAC(F0Y#?72=VV>tyAJvnMmaKyWbv}`__}PcF3~L(ZVqVrxmk|a~Bm> zG7;8yD#4nc|&)9J`pJiF}H?=n1r7pZ%)G7@^LC?GcNY)r>8M{ zI-!kJ*De&+Rez_!38YC_PW)aF-0n|R0w#rU_x1NPFfc^?*^JgqHv(uerKrE)p`33G z52|9Ls!m&5mk?qU)&Dr~c6^^bW%5J+-pqDD!9+OGz}o+g2HlZJ5yy zP|t}x#I!w%Uvux3iFO<_Gwa0}B2_hkD|(W@>79`461U6XN^Ct}C*hkM~+TU0G~E`*ScVGURag8l2r zp7FlUf8~x|!?lszBW|W+sT8 zGNG#=K2qHhI$bOB(P0$k%vkZN1gpH1L|nSut7MLT?RTZx?&!@iEvdRYj~(3D=BE5( zH*{u&T;%%g+ZIQ8vUqJrho}g7%@#|Iml5;p!^(?&;Vn@0#pn;?`%9)(x3?hf+#H?s zBuIHj;KrR~{Y?s>A#>480+JA7KWW8g|2#J%b3d;yz%WGubQ^Y}3HL6iLI7fU)38<6 zeHV9yGYi(VOEh3yKY^Q@J8ye*b*XN|F4Y?1Xo+r|JPQ+j81MEQ%hVLfgYKy`LU~o# zUTC**DOPRii|Ea1#Ud{s$2PRyj_CN9Ow8JmUej`4zB>3{g%jL#!>gFMs;5gUoB&}% zjkotF>gOm+rYGy<+ap*?ZqGF0h~5wy;wXsHXnC5C700LQnZ!_CE{-7dEvF`>L5Q!S zxrGtX!ufpL3zy?gEo9|1uzCj7BpyV3X@pM)nh7M$9KI?R#k0Y{O%jvjyxr)Rvfz}W z-QW4EA3LBA2U=8x80tX;^KHr&@&yi64+2%;6 zuP@u+kK~7I;}PF(J~9CN6Qyxgz%S~VuqkK5YelgWvaqYPoxv`9vjY?Rib1zHxi7;x zpXR@Ro?opv;ZAH@{_a!xL|0GBw3Ojw+(-$9kgE$K8BYd!*GBWtM;^b7=l!Jj?ni$5zuLgeQ*+>BUZ}@h?gu-QYeOV zb_@=&+Lu;|P6)rXHj!)O(q>VcVwgrs1qqUS)5ukvu{|5n8@bv_lz*m$+131&BJ$Y( zDe<3<$P1bksZH9s>9lPyy=Zzsoxwv-$wqf>OxqNyNvMGewT~-EAFh&jAOq5{fbUvn zz}gNZV|9twhsv3wqK;2M*lDY12{U|5mOZ)tscU&Lw@C`_kpEg+)CCO-UIgGc;1=|&v` z)&iPKG$M-wBf2m3+ni-~O4fow79r&XlR|{$o1k9YsC04!a=Zw)e42P{KGTdv-d-$4 zA>A-{@}@E_B1=ycU8yNw)NNdXJelw;r1XFv`5jlVpJ~4-Tih9lyT&*d-#PLlqG&Lw z4;u1IaRF9FEZ8;9v|NvUe5Ga*Y_Fzw`vEb{-+(fR-Uh)&5l7?bXZ6Sk9@S#_*?6u7 z3!3O*R?Oo)?wVo(GlkFXhSy0GLp$O%5X#v;9Ni7j#Pq5nhdf%{w?r?>9yj>y95lmN zg88&{P;)Hh-(VI2${pyi@HI1(#rdxFuE z$7=8>Q6m1P$X)sUo=jS31L0TOSU6bYvk_!Ej&+pkAN-i()n>{tB*ZE~S$CGed`qjp zRp16C+;uX$-^fVw{+1tJofJhIbdscAz9(=&NovfEq(;4YfqiUTMdb8a(}#T&S*-c7 ztmD2cE-nt>S3i~&y^j+daa6YOemw8zoO{jT7_!|rd6`_EfC$ZfGQxn?dg_bMq5j%^ zzwe`LvhmA;X$kZQQmLBr=AL!XwfY5ei&Q4Rs8Sc2?Fm;eNvfD%Pd4T<8xnd)1qdd z{;oZdDJ#h$H3W6sMs$er*tS1kRqBWO$D%)W6SSWJ5n#0birf6>Z;Lig(q95tlMzBo$I88(AV^4vAV%@UO zkb}{tnrTT!QlgYcmnnSxCO}qavV@kN3NS%$rR+=4sU*Q^<~777t`A)7jTxM3KcyqH%YK7q8F7)@-HEd+o7+ zbaszHMOsh!WXnsDm%DMCKDHhe%C+@&ITH{w@BbCaeM0=bm5xD}0=l+~55_NUljoQnUYC-23+Gq320i}J00x3cHp2$tp z?>I}GAMi$aFf!V6CaO|ax4_#Pw1tMB4XXM~mA)1+44*GjSo^;^UjcW-`yuGoLdx!Y zH{1q?1+n6H`K9ju=^Q#_i17(M5n%y|7jEe%hFX4+W;{N+tz-zaprC-E1wF^J2SDac zA&q9QGB25eYjHg_GpLu&UP%(yPW{Yc%RNsNSH95-$+_v|?mn@r^|yQkbrkpsMOze# zdfWk@mG)`P3QX(RFJ9-rS14_^dzP2nZmvUn58-X?0(m?Fr6A6t-hV!SP#kTY24m5u z;wR`#5M>cC5|NO;omed6J!8TbuGDK4wjv718ca@Tq&h;L44SMf?>|MhfTH z+>4*2)m2I9>bPk;r2={_laJWR)vbSC<%cK~QNJOk4PtP(2GTUW#OqF2%+{x4`vwEj zb)A@Zy(9d@Aitf|zq>jx5J}NY8m~l2H{4pdMEuVI1hn}kwgzKlk{*(_ZjwRQuL*Sd zXmt_A<2oYiB7NwnN_t$;FqNL>nKemP+bz~loF-Qfb?KOKTP$?$5gXjD$bk{_`(6f- zu07uNbMz9kmj2G?)KKv%+fUHpz_OqzkmP#e2<|QA_!-*_gmIo6JBLOga=R2w#6hk7H*F8WpolARSfdf+!$P zqGf8F;7VY0y`!8ir0)-&_7`tOmm2`xk5DEEPFjOp=?ni!g~oEtm4xXt*p5M_daqxr zjz9$`(el+HjW4_AVbYwsQJVoT6TXYwJ)pW$VeTt8K=1UJK~0lC zM&b!+Z2{>X$u}emi3(5F-X-;D`5jbT6DpWpetfIOo!p*WW(Iy@v?zNWk&6ME6AjcZ z$s={XjFyw;;df_q7Z)|1?JrNK8CY?Av>WQQK_j*SZ$KGLnSF3Zxv-243j-&M^2uWw zPy@!um>80XSla-}jM-|JVl-{{2wk=Gd3=d0jX)gKlr1G=w<^}u1s8-1BaOV~wz#jP z%)de@0KV7XHZ2>8Zi^T;iycMBBuA<$II1#mU9{fy@*F?z;mq1%i9nRoIg$IqS>kAz z02*vmFM|Hz66z({WG7a7~#kHcRK?urYR4Lyp{ zGSqBfx&X?K%7VD4ngtHcWklLhO8v(4h8c0}k4R9oDZ*uOVpO>FRL<7Lmn!Y)WwyO+ zq}xc~`1Sp%=%3E1T@+o2y*RCqQZ6sL&)lTelS&@r4BaBDrYe{LUl&a>P z-u;kvJN4{OGWOfVL|`yJX+y-Z>ctnjE!0zPFmQj7BsiW7oWr+~f+91bFpSnrY&=NB`wy(z@gT`2tW<%0|@q7R8Pq2Z0YDAiW1=>Qw=vb}$y9{5YPR4I&FV&ckPreQ>L>)F{6r`cJk+I+` zOzI*9UnhYyE-(OxTirjc8dqxV!Wrs4O0uY<083@dh>XN8l1;!NH5xB+mGx-CrC4v& z2|}a#?)4@$SXD^Y2>%=h2FpP#))r|}dYv00o5E3Z1tGEz8i7ER%dxtV_rp6=&96tg zNrcUhVEGflHeU*R&oOeFO(?~U;6mk1N&H6;$`vcq-!gzV(sHB8P)%JMH)&TNUG%B9 zLWho0&>8JE>_sl^U+T&lEbYBb1^SsLmzS551-2=F#`=piOZX|}Xf7>EtR`~OG!4hw zgni6ME3!Q-${{62giq71{2OOOR2z4=V`br4WY3>Pd7M0KuA9p8K+-LCZApnr(#=5U zPr-RM&Uf2`YjQ@s2zqOTQQM2_7VcODPf{7`!9f!hhIW&mD%RuM+sFD7gysc;4f*6~ zwSnJlP#LDgN@&U%qHbzxnrtiQ@&i5w3;nHgwc}#I6w8ncoC0|y%Bse6Z?^|1?5`1# z>0PyhMS8ND!b{b=w98z{8mlNL`gMF4-9!!vBO{yIO!T5-r-3aM1`ML0-~SZ)dN4(g z7DAHQdYncswkTe1Uk@kLKkK^^O+Np;>gf30!hE-!t<9}+_q4CHI4Dn5_VDnK)f20= z|9*>N6(EAm8rkg6dL>7W8DF;%DjJ;Eih$jgZPL+_mP>S^n}91qR@X@WXs+XdPXSky z7qm_S9E?*^A|#thLb;~5m6b7Uz*r15t%c(ntCrUJRWa@haFS{$Ivfzc)m(6*A7-zG z#y(l(=dhFbS0iXTSiox%`C79wWDkE#76dUhq#2qm8 zAdf?XtW20xtgwCL_}?En1`5>hYukM0ln&}LUO{9@IM5`if5T_S^c>1_$;S%(gUQJtm|r(9)}20a#Kp{UI54FSz8zR6PQIiKxy1 z!5$LW`w=RsH%Gz5oD3Uw<-*8}to=#A`D>>-+LQZ_aDOg^9?9rWAY~(NE-q|ZOQh@Y z*6mnyuod&pMvj$Y~2|bCt`aVossy{ z{bOr4{MCvfgEIg`7TU%yO{6W3LsAL)#ziU|}W_xI_G1R?bsr@7T}x7MOq{*GA5#+MDJtMF(Z1UBbsQOK6Y? ziy^LlFRD^zGpHmv1x3HZziM1UEQa7Nk9B~hTsn42I+>S^Y{@p+gn{Wef1T@SUYA<_ zjsf0TfsWovk-<2l!Y(%IU*@69ASP{DTiN+`s|7U~q2T%M}vy`&`8IFiB}j8Z-wD_+g$DhNG20i z?GY*7DPu8>iUXmqU^xbrMOZrI%_M3bChVvR)jGIV^l3~i(+dU)R=LR&T9ntC z_6sgAq-Y;+7J$DWQ_oYkETCMy29xpsrsJjo8XL3TkZ`#ym6uSUZM=JLe|WdO=#>A% z!eWq@T;P>1i>#}9P5AdSgq@dw7lTY_eRrgKIkt_;Ao(ueMP-*1TVB+58qVCe&$AXybM_XW4j)IX6( z+;c6{qNoY;6>GK1{xDjAp}U(lOiv#NZ@*O{QFdFTdA6-~I&{<1n*&`*L9B$thtxXJ z)#vdN>-`?COY~GOg#-{y28~<~qolK+!Y65QYYgq&+L^3j;bBJXl9MZWE z?jlWyC0eYG$k|WqL1}eCxtq!yk?HRbgW>gc>)izlf)PHqNiNcRNUsjDqyu5pPUH2C z(;^F2%!XThjSdSJf+n0v)Cw1VYEnG<1_wYL`Azt7pUEdo6sVp7z%`4rlDvNxd~)df zXT#(I{ejPNR@{j*qfstE3{VQs1n=k~e~_@G%;8Gb-?0L|n69iydoaBrx9%1WjzQxL zAeJxu+>ct<1>p=?7;9Y!)#V_6WSdF=}!XMTg2|@pi~4CAUKDf*yPMPqzO~?M4(=t+undz;ytY z_pK1nuljdd+M3$bGyxr%WK`e2?fqPLp1g92eAQ<-L2LZv#|6$yuFyYhBPy6e$96#B z==`oq&NFXmJ7c7(2gOJz+3boPp;j}gWFw>KFOO31FnX_%L2QBo?C*} zktn$#7p(l)6~lIy!pxtJ(V z*eEEsVA&FL>!pxQOIPyRDh*ND({m;F&1}4*ALXIVM^_;6zF!7#;2rN?`9{Pf%rh1M zyz4t~G(Ghj+jTL4}_c1cI4zSz^7{;K;(g+G8`j>P$wmus; zgd@{`p|lno;Zr&i2yHUK4WUDf>3nB#rr}6jkf7zz{#YesPFME=a2CC=K^K^i8euBv zEwyo`G`X{R0ioHoy5y~D@ya9FaA*{Wc%&D?Oxf#c+F;#{$?rPnR`wg;^k8r@(jSp` zuGrwr|8ecL)#`Q0DY49BD**s;${HI=FqcnBd9(o%|33~?VDfMPoD~ps5}Wv55T4S$ z0Mm^4D!DYbHcjVSuI3_>%MfWk3IjP}ZaFjD4Bn7Z0JGL~6!%rQ#WIjW-@ zF&r1Vl}r|L)~MLri0Es<9tc|L0vH~WGwkEvFCBl5;mIgkkOz1u1ul1aK+X3qeb()E z->?L@-O*M8RJO);cl-}Bdj#a^#C&V8e@l4@?4t)d#1Aq&L{_Mnr325i`YN6;>XHl1 zpMFN3Ahm?mPf4*GIyfoMoMMCLSiJX_)U0KWI7Af4dDvFY7`@4X>7vl*`Zs8i^44U) z=o-+XruWa%3_%loG9%;TmY<1!6ZY#T=3}CRy8S3nBW~up`LbBm`-}&~hBzRAd4C*u4aNN%}TO(x*ExoxG;ZC?v|nh;M6zzBo7Y>rCJCqcEoE zz5Wk|{<{tBj@!F}j*($&MWDKYGiG`9=jw%HkvPWy;E*1qy^wEdOS5PIExdkE@o<%C zB0W__F$D&$_ytqosOXgjBkq94zs=43Pm!jSQ@j!=rgc&Ux<5WxffsSiHf~cG$ix5S zXU*bi%Jt@%QHIr)VD1I!{gN@l$!VVXV2UMvAV?; z(f6Q3>^uWys`pdu9B`kJA^JGV%F1y}mQ$iF1w1S7+@tGzrMRc3>zy1oJx+(2jvtN2 zv)zwUrtR;>d>#x3wiDf$)``~m+)ITTn(G|9nOGO{ z|H@$zyS8L)n$-@!NwDB}P|-+tVQQK`bZtt4kSk6~*6St7n5*(9QqC&WI57(=)0!Zs zPdTiIYt$rZ%yiGu;Z$Fs{V&oKH!2F}9UaN}J~l_d zq%@IaP)UmFNLQZ})aE|*!zf?3k@dz(cn&ElS|7H&H)&j&t2qBt;Cr}x5ELPSNQH(l z!w-HC;#|ao#od?qDNO)LNmCB!AmwBVT=>|Q8lwvP-aoC=v1M%P+KDLzDPSv z->o=K5}B)p&4ar}6gKQ*H(rJJPx;W+agBI%giTs5K89#|&p|YYB&xh^HMZSMBLP_S zxF_ZCHxt=xK70gby<##^XlUb}$Hcwb@ycB!7#uV}M}Y&$q|;X;SQk7ZB45Mzu`@P+CgVnVk9BSy-O^%76_wB87F`;N)uNfb z29cCID z5w_lTz3|0&eFb`OHsU~=HFaYwteFKB+<vV8-RBQUC4;dQu(3(T)_i)dlH9NZZ`W-P&KMYFMkA>eQ!>kVp24mnFvx zGA5wQnh%HC5x%f7E3ZyPE-{Xo9sc*ZH&22=bEgr>9)`T#0o36<^Nh_p$WrRLtq!&8 zYhK;c&2vA=%}DE0$nfd?xgEv*;>(rwnpOK%$jkWN-*1noO1kg@Z+N(U#=ha;~%6$c(&-{`Qy!LM;Ft zbL-Mp^1;9b(0r-|*2Lf5H}#dzY%t5*H%X$;!}g+EG@@PrY`FK1CHZrXq4!JnY?g?~ z?&~Vc;ds2F`NjK~y#zxIe^Cog7cw=oy71&VQ%Vt-jVd9fjYmaA-9aV)WqmeUz11$- zxA~$;jHHO*{zdpnOUxqnpb7oEi+R9C#6icna!E(aKymH22#(r2#jfpCW+;efV z7}m2+gH-@^3X^aEbNt_JDUu>7LVOyNDUcw35>g(s-bS6y` zDODV$+WQ6NzUiJe>k|`#c86NMU!0)Kn}}tCH$q{=Md@B&b2vm1PR8zF8?zoMRXj@^ z`6TKC%%w|LqyX8lKi8(U{Y??jkx3BnSHk+s&Euh^_a$A9`~F(n?K8>ROG4bd@96=> zv+jA6sQXA_I+Fax&oVYS2Su7PvK_vZ28 z`l#au)A0V6@6(YzAXKI)Gk;P#95CnXdvL0FzmM3JkrY-x%K;cQdRU62lYcLiM2pl)n zP7M!$E+v+n5?o}@L?Zh1vMiXgwh-U)=8|EX-MByf2!p#_&=#qWI^4A86 zr?ahS!y5#ch!F^xh8rc4E~S4EH5I-e2o=8*2Dw^10Iph&J|P8!W;kEDTR82rdcFm< z_RSe1oxPi_{FgZXtDpnjmD0qT3n_VgU$`pqp`iHO&BFZz z?BKaJtImEC{4YPB#zH@L#@hY1Af@ny)st)1oXFbs@@xK4{z2_OoX_w0$O)9FKvZMqYP9|4Z_gWP zo{@%Ss`wDWq&9+tOhbQ~7$@Y_r1Hhg7@cF~2wB!B-W~Il)*WId(a**zL$AqifTO{EWex? z0%3v@ zW&Y){OV!7_3#ws_ZI(gTr)hm*^m;kaQVaDJeVAl;xvcIt?^hK)5iPnb1tZstV!u=V z8my2|qxRoFd`MqGNuoE;o1z`yQ7i>F;k{EHk|>gowM$mBc4GdJo(Nn@xy+I`wXKy~ zmxkH#FsbVMJWb&X-HH(wB0ss^_Vt~6rb(iIr+gCKc744a;(K)}dcO^{zTNpgcJ^#- zM926%%Wq-6NEgZf)|Dt4{B>*8A$YfWlk+^5Bl^^r=hVr1`YSS0KO zydxd+uiFCU%7+&wS)76S%APOv;aIy7QY!=(SEhSsRvpd@iz53+?(RZI)!$ni4iD9U z|1p1u&TMOMZ(k&;KXSLf&lqstkHDlrg9{31W&-f42q0p3mX?<8@Z-T77M7OPNJh9aN*`|_@30$tHA+fK&WSP# z9c4^i28zSEu{?A2Q5+2eCNW2uoN2OQ`lzGiZqW!a`OlBlBBj&7_r`>ofeV=%dg;^2 zZ3PNASRQim!(2Oz=ne=MNFf_|C#m^-z2!oNx_iHOfL9S-l`b6sx4U-!?P}oUyh>HvktMDV2 zi*V}2!W%?l`p_F?MQAOJxuG(ZpNzC8PK|AvYbPZowcRBb;RyND3NCuf<>!6QgvInT zyxSZXS(=Klm6T%2N=dy_dR3gTP`Tj2 zR~5y=`oXbift&=~9*_Q2Gyj*HNLecgD&-_z`>zm^YoG5WvC}>q6t&{tEr!XN12;%4 z04K-){rmUs?oPUiQ>X%no`%ck4zJwY+}wXUNxFaf`;}Kz1nUROqD7cfVqbQFL8Ypa zQdN1~Ho{r1O+COn@8Ugl4LZm7hhMVmA2t4W`Qf_>^~YB!N}rmWo3pU602tPzcYv$Y zM|Y2oSYp^jd*AA$EFbf{B>S-6?DjsqNut+q{ZC<|g!=~v<;&Tf-V2oigbp@LtO(pS z$set$x5R(zZmKg!%_hI?yfaS`Z+AbZHjI3O<^)aRxfSyF$6^_yxe^jD3X4Pp-m||9 zJol;n*)u?*{0|_Zjd_z+E&^o9>qzk)-rl6aE4N)6Co~mca`no2{m-9w43ibfDKUS~ z+OV>++S%H2v~E&y%Y{nRvBD?ObCE+oUNgmLTN8fq@bC~6H@374*&(!(^2ba2$QLBL zJ2!_9pRKK1#(`Ra4W=*YcMQo;sAH!PntK z`hYu#3zhuGl+L~GN1~p^MIu3Nlyl|_To`tp+~L1jPn@Mgqz`Y8PuPK>R1 ztQvpQX_=*!6;efR7RlxU}7O*6d{cv&?zRNnULyF_uuB|g#Ytq zl~X!OlW&HZF(O`6(=5A)`*}>5yTV8Qp%qqd7)i5D5&>&x)PZ-u=K*1LcM+0A$%MsD zbyi=ugEMsltX2c98NQG~(c42N48qNDqpw;B1(o2?5|<5F7Ro5+gK?bK=Kv1HeMX@S zl%%Ft4@mdx{^lzcjgE}8df&zW(W?kXbUil2+{n57M;4EEvH1rT*b0Q8k$|bhIV*6s zkVj2x>&i<+s}q?}spWWf9(Zo^5rl|TR4sNnzL=0PdEnyqND@Om`znUfQ#!Ibnw#@2 zJG<+@hLeq+S*K5H2EKG2jmM};y;B@uVU)G*oLYJDhqPj_KepBh(uwk6{on%RXetp< zDkrc1H@yqvN^*1Odlv#IY@%%~pli!(qWdRgP?>cjLNpmEsh@JdhmjV2KikZ0YPl&2 zzFv;lp)gFh=XJY|uDHK)$HF2~2ku|QWM}&AG)nK`SJOoduf_70<#)*FNwD)%hfZyhF`gTqCB%qdPv5lfJ@u`Q9cA1*nkKUU?oU3JF=qvjwk1x8 z$D(FDz=fRPg#ae*2OF@~lN!YObqxf9!}?zKqsJ=tPzxTMq8|CE__MSeF!%};&U@?aH158jRs z97#HUs$?qzR<4@*zvX=x(y;vMY;Wvr?^GX=ptjU&v-gFW48>4||7aChjPZX@ITgxt z4;PC3pSOd~cGJCTkIv@2NRDBLwr9Rwr|5Ydt!@%1K`>r-@H4Q3G$mk+UdfM-60)R! zD&3_d)JZy?Qip%=aQPO@z2L<+S)8KQKCM6Qidb$=dhh>V_PHg&^sM2r^4Zn*e{N-3 z2FAE{kPJozBF_K)=72DLw>-V9J?6F9p~%Uxo^JpgiX7d4#=edq1abNA(+$br11!E( z!^7W84`}j$Pm%pkOuIHV-jWnx@jv3KVa0_5Lc^#Gh!}MPpho{Uzw-Z!bNWAT(kNza zPx^iDkX?WsaIP{LJv}{uxJfGrK4auzzW#=!Jo*3dgCAerVe{)XjanF2?O1|T*ZW;C?sTR%H<@bvWj_U%T5RO|&25fSJs z2Rgtro3Mbw^y$%2kiXMv(x(i3Wax@5k72uaQ+xaK(IPjm4G`+d-zk{>wXfF$+77R~ zySu;hy;+2MwgK+&Wa_|WLDbIPzOuX=l$MbZ5j4;mYo+pBuLV2Bv9q|i2n;JcoOVBk<_R4L#vDmmbBB&W`gt&8wzh`cD9p)fTt46URn&Y>(umYhY5xL z_T3)PuIWojoutPnK@ej5udjJ7#PIljEI@;%fJRR;8%NmQ@zQ}Xy-a`WiI3_LLI_2K zpMHT!1Fd60Bup~hBJ7?KT~$Bw!*^3-DDR-1rs2Y*ST>y0^#t#tsLppBzGORr$9eIw z;=FQ|it^sBbWX*fG19#GEy4!@l4iKhYsOF5cVfhMR80$Vc=aEsXoZ6O5oV?DP>LpD zd3WX(kjkoc3n_9t2$CHRm;nHM+$0s?ulp6?%@FEBKKN5xJh_UVncVIdC- z(=)nXY$NOQO5t61vjx{t1_V#>@bX6J32cv4oa`#lM5!!fa$=9v{r(M!-EVy}IrWk| zWd#VdRdDIt{QQr6{*)OQ>p+D9R`GODp>Lm?4;tWcwG)fM$qza=OtlBdIw$JzQ{6ho z?1?h`>0(x}5un23*s1-uu7A%+VxVH8y)<(6g;`lylg4j(0>q0Pi$?}%5>%{Q7kSC$ zH|3V64EzI#k|oSe}mj7n-RUHW`l(rb{+pZNjQxB_+_( zk%IMpLG@;9zAHroiot!XrgD{DSJV|orqLR4_9VDEMFlLW;e*^R0)iG`XvCn`=$@0XUofdTmnE1ps4-gpjg z#wh9+X{l{2u4V;65fO`sxyJ24u=-MWx5VSiFh4Cdbxg+ON8(RUqXHdCz}5vu)&bU3 z>TC4>gJX#dn!5L8RRq8lY}6CjiMU)<5zej>gh$DVfTv<$&csjCuteZ@$}Rv^G+ypQs7^2DmqHPnH>U3R=XKk6LAb{x;Xw ze{79J{%UWpNjU{1X4trmK|rZthuWi*(utMxy!r1}C6b{QWH!XG5meMpp-5GZ5>m$@ zU|Q?SQ`j^5)(D3%@{`t|$CArDBX#^Apz>Ldza13&qD?HC?NdNTud9YnKp<%v8Fu;j zC=_q%P|o$iRe)?WQabjPP}60oCYAH)oFC8m z{0pD=>+^a&U!TY4Q}pV6fXohZ0QZGpB7rlK1mNJ1+G4U;*m5WaQ{I*DJ#nc$MVJ!S zfs2Wev`Zw~I{4H&fj}hF+AmQ%RnfA(Khr={tmZpbq&i*6wm307GQvB30rqjlMj_wx zm$7=C-tUfZlsPa`I-M>!8x$DGz?5TvUd`DZs(@-v;-#8({sji5x@Uf4+3XCs+jyt; zLx=K0>BUwD>LZazWPLEg15=*?`MD3rVf47;^`>&{`eiYQvtK zNBIWu#A*eIWK-8^(ZP2<+!uWzcJahxw6HJv=Yw5i1gNg@iq_HetJu&R9p(GLI8FZA zYwt^WTD?}#m7>t0UKR9hzEdmocfCZm+HY^(UohlcT4;QXPk)FSO1Fj_vanDZX(Orq zYZPi6Mln1zrBp&qyN#ZVA?G4B^`6kQXj8}8QwllnHT(#;<#49NSXIXr+ahsDa&ag9+bR-frSN}MMMTwvyX(H3K3aRkR>_R zEl~EE+(uq5KJB{E`@1GnNNynsCK{Y6pqsOs_PE9Cj!IzMdmXIV!AiE7*mRKq``Ph$ zm4ruju;Qy&L>TD?>oV-M6azm|T3cREM+wF@Jd$78&az=n8M#P9b@Gi5@V>jpuPn~S zV$pq=a)>~}no)##-WnKFF8`2Lq@M}80tGK>Kg{#*lit*Xo5vNr}Yg5 zCA8z7M78Ijsc$++Mkc9oLK6fMh9HxqeZL5rkvD&(|3Reh^$}H(z z*Jf8+TdUn-wJW^ZChq0b^z;r}TgK`q{;K$GPB|LO9n)mL&XjsGyH}ZNAWa-_dqlR&j&vVn)&SJ6~aX7+BpqR-CY?qfpVEFGwQ(#j=rSJB^~}g8J!Rb1<}ss2%{!H`np5h zP@5NxnQ3Zp0}P{T&W@myHAq3u`lQx5@Kq9W9T8b3J(qIS+Sx}#3qzmz6CA7vl)N@B zB5NK#H5?A8CU*ko+U%rqkkh7^mvq5vmJSCu!Vi%Z<4#7R$k`U*8@}vUPTT z*xXFMIoS6pnJ5LI!%AHRa>?su9Ed(g8~%KSms-vr{K0Bh*uLa`(3(ze`{6}{k-o9B zgP(|to6_QeHAcdEy5--$Sy$qI08&EOzkt*e^s@Bava%g!nK1V^T8RSNtFHwpk2O5 zi$T>+5+8j;;4DNHMWLV?;*npB03UHAM;R>_C@8f4|6XVity};URI9$Mgeb&w^)%;5 z1ACM(JS&4aH_=K)$o++UWjzgI5E-J44Ym3-K$Hi@G|DuzQ7qX{K1Tu~iV=q!DM3LRUx#cKG^{|A zY;e#qZsxIz09u`}xY4RAmiaG>N`3&|&9^S{0v`rO#>ZDb`2heN6v2oY8+)In_R`$Z zZJUD~b!$ViRUp@C4RF}p{KU=NC96n(^H?YJ4-w_P`9bP%p^}wn7MY&(|E*B zAV%XOn4chAZOz`48fzBc%ooqmACA8rtPKYzzsV%~UKvMw^R}z%8!d~2uB8gQY20O_ z_4si+UVN_)PJEj*{0QcbNmfld7P-6xa+J2(t#W*X9Pa9MG1++it`G`aAz;bBuXl@% zaH5bcm7*ZnubA%fx;1J5$~1DhwnbL&BAeFnmiZktK@vS{w@}=mnZG}-9k^UZO`jgr zmiAgRAmAMOydQsbK)Fl94lfuzE?~c#Potkb!UcX14!0aIopF~f3hKpzcb&cNSWr<> zF%!UohTXIFKk900<6>iH9L+t=&b?T&7Ho~xgeM$rO-y$7#?vS%DHQ@J&?!)Y40FKc zf$QfD>q4~bfAzAw&QFy>~PtV9ujg=YL`lE{IBZ%Z&I76Eu zhdv^zI+4_=PK&d@zn__vHF|M$M9x@AhL}1GZ2Q^Q*SEK4R_*EHqW061Jy6zp@SlT& zgUJO$Z4yh(?3ud@Q--G$=R=V|sE0tN5pAD}x-U^>?<)n=L#+%In~+d#Sj}^l*f+dS z8g23ZCZW7IYdq^b1iFfCxF&k%m)OtFHH?>*RGuD&S6_bIe@XM0#P#F!`6U8R&fP@h-ev>#;>{K~4UysP=t|2HbH_3s%?E)wQ*;IXOJ+ zy-2pVvN}3HH<$GD^u&)>#-CYPkzFgO>KwYvbJfsD8!NW?($>@SNzjom2b`D0l~vQw z;ACjHxzc1|N&&(;0|tRA19r@zmX?;n2aNv=>(IhIGqCb8VE&Ru^GgVsI>^e&F+&Sz z$o#d_N926|@*-d)==Npv@#cUjE!s!PbTU98$_ck6Q9RV&?CYb$tn0CU%6`Qaz4M6g zSrM?=>1;n9m z!upmR=*5;qksQxm3AwEP-QCSfIzHWESyQI>j_fpHsv3DK!i{{ZFp|l#w+)`)=gi4fq|?KQA45+M00nE}qU4O_s6u zajGDJb+ri#%nG)auP3W2Vni~;9_Igk5)G%Px>)jdq`Kuz&sB7)ihvF&5NRj@-F|%7 zdO-F3lXA4?mKMp2g1T~C3HTH)EIu-LWMpJlJY&Rm9H4?rvPz{00VJ^XtBYC?nI>!S zV0knFc{S)gZpbJp<_Z(mM{roiv6mRC7Q@K%{+#5i0*rxjcc#{tgD)Ffjw*~WH+N?` zRM5#5=_4(dDD#n!a_H@?&@kijO8ZozV!C-qQulqk*i-a!4e*S~Jbc*NTR<&vxrOvo zKMP0CUFK)lnCjn6cT;#9I=*i!d!BAPrbCp!Mts_I<&nKB`&%O07C+5|6|RajuVyHD z*<0jf3e_H=DdyF3sRvGmh?l{#(uMpjGbsSNq7?@zgaoETLNP~RvHGWj8(_Bp2VlYc zIh7a%V`Q+=c@mo|4_k$zofMWgZb)Mlj1sCx7{T@+tGG8NN9gNtl!Cq}7o0UI=f6x50z&v;0Lq$mtN@6mIg^tqjJ ztNP>1#SA2fVys_hzzCHp$&%<8VXTk>p!$fZ{P++D!7IG%W~!%b5Ws@%$Ug$ih|gF^ zv)L(myKQnGBj<^yDjGr%Tz&v+<*TI8~RGws0m>>VL5lrK+jUCFV>Ta9*h9`)4v9z7+Mi`-g2+YKO(Gz5U+6<2lRbHsm#aA(@+VrVk*7x(+^Z2OlV1$5~%(R!|#6r?Q5ciqJYs2t&Snow0>vR04rE``Iwa79}3~~ zEm(OS+^1GK%+gzbF<6@Fn2`WWsieuJse0YNkQDn!SsaPIp7|sx=uZ)T8>S__nN@|` zN~jEaLHn}8JFRA$M~4LD%6igR(#a8Z@XWDTd~?_$Yf{U4G9O=2-sM&UY#~+zJ^hCC z10HMU2ClOz1h#bNu~JdpgJ8dZ{nA*M9|1-Ty7VGLkw9@OP?%0<5YS{e0FO+2`NdMM z_A--cdHhTQ@4|`l5aNsdR3)Li+??d)s>VnArtB(xv|HU?p1Vhx-8=U^VJl+t?CcE67u2c#y zSGB8^DXE?!3n6Im`aa#_<<&ANqCTfp)Yg6-y6cH*_c$W{udI|_tBr2o=dthfJkoJL z?AIv}LfgD<_IG~86A=;$;ll4(=;-Lw>34nm5b5K18nZCCf3KYQ-glbtp=|nP$?_)I zr*Y!n$Khp0E2$1IoDqT54)L?j3b{&&=K)+sQ*olF)zjF!6Lh z$MM-aNn>h==&GnjlJOn3Q4D{E_u?`B%9HH& z^}JhLia^#AunODPhwHuZoF}TXDz+W#OK;n)9Nd{O;yr2#TyiQQq!X9A?(6oCj>96L zWea$H@k#^o8wKt~=uwc+Yhg27#)i+1)8ng2YL}wVJ~5QX&pnk_!-U=#Ra(m9;a3v@ z93Hh?d4rG^3sZ}l-M`ZbqE^mH7IxGIU9irDu3$Vwdh*jTblR&;$?!&A2xp2 zwS)$amGJZN`S`7TDI*qo_kFzHTkr7rzyNDmI^GtO*`hwrcV}xo{{AK=ltH-eAu=rG zg%Tf-c&E$z{$9}-&bh4#Dl};KWkSRNxLDta(nN`ts!nqBPX-EYwDiBP{ zqD^T}wed#Pph0ovt4@A*aewjm*OH*1AR@rQSiv>Yw8o;W+b%Y=fw#T+SK7+_JO>Ad zDf)+H)Ela|c5tZs&U{Kn^j6tX64%JA+s4AevdM~L49tWLS@`?cA+~_=cLN4AToc<6 zbcE*zG6R^{mBkcsiJ3XEZU0PAODhC+A#E2~R1UVc?9V*y03QOpo}Zp}>8p8%NQHdL zr4L8bItb={b5APvBSMPMjuVsO%Hh7B0Blld`cs@;@{xU5CIxoCyFZSy&CcLa4)bub zN&G1lr(WiTh-MGU?i>}-lO`S&iKs9)&#tUgNV=Yi59u8TVjsvK4AE5OQmvm|H)OiM--*URl3zRxy<#qZ{kkg4t0zYVZ%m~3J zP?RD5V_j@1BBfPNtgdQTt;4vdv|iy^@C-@wKvs{9=gv_G0L*a7QhKMsV>JziB6dc0 zePbWG=h(TL=uXlxmeLWf z{yw>Wg2?UhsxX+$T{SvMvgpdZf5cKR`dgWrX;CwH5OGjMwULP19v}F2bGO+S>`c`x zZy$@YABAAx|NTuxIO_qYijdx?%wx6RL&-|~wts>!HX>vKa*C9VTNEfb8hp$TrY%5a zHOOQyW7sk1V%M4-R*T*jOA{~Om2dN(h<;>)`Bt!=09PaLLi#h!vj8-SZ;Hm#I8oh7 zo4}vI;T$Y%uIrB)tw2f8Pi7GPEwMq&xU?Jw&F$p56_%-f+2;hr%cS3lAGwK_mH^oJ z)qeMqb=g4Y;A;yi8AW|fYt(iDDnAEVzY9Y^4UQqg$rg-V0hP4X z6)>1eLbovH-^H1vFJRFwLnxMKG9~ZtUoopfQrUb{PCRJGHVhkL>%42R@Y@Urvnvsb9S8 z&wkd%cePMY9CMW4B#G>A6MT&fqQNH83XchOm#O zDs29G_R2_(yi6f#3f7jiMAR4#rqner8ExpqL}g2g``r4qlvrMmKC_ijHP|hJVL5Sl z9XGe?HkicbOZVQ`z{6bKwU_Z{BE?^e%Aj%n6w1O+DRKfF#dz5s&034izy5%&Bl4cc zg;I^CG0g_WQPwp?ig=LuZTb<*OS0IkjE*$Pb4}nVPcQ>xmO!&`%lS@`c~UWXd+wz^ za~|%*v7i?A2h8N7v`hKuIPS`m0M3l}CP%i|3N+SNyOylhL_9GgDa zgKcT2uqX@`6KLdAD7R~}TfL z*$d|%Mpdq^8I_{BQ?K5kjERVZFPyX? zkuRPI7ga9s%-hb57c?*ohA$Gf}{(su{~$irJYK z9@JVoKO*c1n8Y{(O-W;lo?|3^diXnsqB@QpyUrKSTEWEkDb>#U*hBCH?p={caf{fh zlL3auOTLY>e}~p9m_G)uE+sk+@4_<>jDa46DJ~evKzzS;4E9_rSPJP2llmJ8r5=g_!oq?5bi`7br~NUdHx~B zR6mBBoOa=%$rs4`4)cF}Dy&F}N->H=8LBU!50WCWGT}cSB=m!nDF*+SOrcKxk&M+- z4X#%FFK&FcT31=m_a85Ep{l2{Kls1ARHOnAmB3Hf|CRCZa8(8F{GZI*XKVi-WmN$G z%l7|YJ)K&p@`ZG_&jahbkU#!tq^tt9&JmGs2Jh|M_QVdpmy*S*-Y%N%FcvC68s`}9@p}G0`e2?9n zkgk+;`QhHCo3-?k zA28#s5-JGx;)+SHeYc>->=dU4ub&K4IWu^V+OVamuQy1Cxuj{p~)%}_DQsmeF$$*>kJxZ4BgeTS~W6&fw?%`hnX&K>PK#b-C2T7ZL(0CyRlqEtv5oPzu+q;Un#e+Q@T3gGb5_5WcJTs-T~7>Af4m+X11V z^py`}Nx>8GQ=bC}*sdIW0n@4pBxU9{^k-v()GZ0Janwcb*Vos%9X4)VM69BxoAN#P zE)QoYUEgny=01K|W}u>z;Wf_&d(qB6#tKM8h9o_&49XSuXEHVn_w!t;tHFB{+DragP?eT|ZU1)rPOO>#kP~2&o4{C}-?>_Ks^5DbK1!Egh#=;o z1ZL=0PP2I)8cg{U`Q67)ZfX5~H#+#!Gb_``qaQnH5koU$$+nVXS}5g{AK^OJiGx_T zPi@RmNL!BS6#)c3C>XP`^LxAdFTZ>CEC2=-71%x(b@2bHby3c#Jl0tlJE~P)_pZ_= zl}qs;$fyed%4kkfwgFCp+l+^6iPW;inf8iEms#0oG@VeyI64@CjD za#UEC($M7fNcl1P(-M>%e|!AnogAe(DELrcdc#z*Wq=?dSr(l7O2kF1T;lX}gKIo` zS=slN+n)S>?pHCWfONaeF%Y_PiwmGo8Jm3WWR1XI%Qkn?x90hx2xjpjiONVaUJ5GU zG4A?NKvyb#C4)2I2MIj1N}vG(HXq+MSX%^93bS*7g&7L|u-+5)90t7kuUjV6mJ8Ve zM^_eKIztKs)>Y7S*}Up)3V%iRBvh-w$;}gP98^n6dP{+9RJ-N2zdYI^}{C> zsM0fuIpkdLu7+q^Y_DR-LbX_eKA^=5s>yx4@d!TB|U&AUNMzDwnu zcUf8OZ{FA#gM~OW7YgG)eOqDrwS+O(l$~iHsN0y{(1uvYy;mLyeRknXpiRe|V_n&n zef;q`thxnv$jRxp<;HI}S4^7br+|*<01-ZNLCE>t$liISt7|g9-Y(jB57m7|^WQq$ z%31aCjlkg5GWm&6htHlC#Pa;UlXla@ z?I4`p^Sl=B(c|ZNKV>k*eHZuZ0C=zaSjkCN+#$eUcOU1U;GPTbt`~{L5QbpC;%oY( z1g8C14dJaYhEV8Or;vxwb$`BEp5|HR_^t4P>{_J=e;c*Xm2&~+jr03(`lVHF!&Y<4cGR`D7PLE(8#HaB|P|LVrX z#)Qn+na`W-#69B`F*(jU^UTvVcx7}gQMC=38aC(LuJi-5(lVTsC3F4VFSiEx-@8rLvWMz># z*`v`pk1hyx__8(oesk^rcFzr#E$F|elBlV#gPz$}g&~p~U#fu*1zr7q zbqdoUmp)hKKLuIlNSq`LX(fLHY3NCu(3q&)sbnOK7)XnRmKAMb&PB1e@lr4$Pln(q z#_McvJyr|1mo(L+uiJD|vhwECe_IR>(KKXYCmN5{+MZc%<wjG)1`!naRl3n?NNro|_H({R8^<<~YiEVbgFIdxh#8+c!xQ-Wo67TQ-xc z>R25ObA2<`Zpur(#&ja~UyQkK$u@QhUwbWmpEO{TqnD@%cdV!4!-y0^e>jVgCsl4% zxqo7WQp3G@yB!mCEXw{P*w2Hy$k2}x8xWWvwanY7_2>tF!GzH2lTqu@fgDAkuRdEa z_C62W6Vj)}d8r>mR+4^kf*;~(H z8iRUhU=^}l&&p+~xqDVm`ZWMLhq0EE8TC4P$`$$bNhAF?xr#_FC!-)YL!4HslN&@g zvtHHL5ymXWyuJ>ND2-*ED2IgxmzAM1SmAFykFhSBLY;Mp4?$zMsTn|)|rg?%+zN(P^~=2Fentr(WkO3#8Z&C+ult_S(6r46sn}*Cm%=8 zqai=MEEG-Oyy}7|=IVW&_6xsTEYyUMot8oJa93ZDFW{lqYR|9-KaXF4S5QExqWjRo zLH=jWYs>OX){k)MU;l=KA=ifNPPhAdT~{hXaQBZZ9JtzsTNV9>4_3~B_lrn&5QE)UxF{sW$+xcuU#FvKK#rypRm5_j& zkl(E%&;O8V1E77eabTUhRq~=$L+fGYOx07Wo}Mb-*nf@z6#`MkKq@tE5^twF0gwXy zp}#68ZM~~?ASCV_;IiRU-QSJ(*8`Uk2jRRTALqM$B&Dj1L)p->g7w3%q4-DK4Wa;t zMvf+}uLjG#nJdCa$QSxTZ+j4)$`tv%etWu(j0{i6SgDFobqamS7qgy#6=D9zw$3zW zJoo&lRJkKVhvA=gM0_dUGv`BsG4(s3YkSx;_2R$$L4?l4=5KH)WYF0|m+*!TU$m9T zdHZZ)a%3Kgh1Q0O14Ij8x;+CgijD6vgMeSFKoBUR+H@f7(|(0z5q>8%ygfk)d^+O1 z+@-U+aMEBOVgMakNQGi=wj>$!NZ@*Ei3*Uc68f++zx^^aAHwa$c^6IU394!3b z^J&YX4GxBtk^EWL+M^W1%YzVjM&Ma`g#)H3?uvJciJqbIl5oI==vcWx;_$&lJfHh* z>k7w{pWQ2jb{OKQr5Mp%+z|;0awv_oFu&L>R1;R=d}MHiL!m#ZWLeN+-Oi_5X2i8> zi*btgNyfsGp7RE%cMLuU01R2AuIipAc2{vP<|DtA6BchJ_Hz=E33 zH?AZ0f_l~zlPbv6wu-3jgbnp_dR@4_+ajsx8Eg$F zw%LmvFtmG57JgA9q3Rr%oN4!}c1qK>_$bu+M&Z2w%Y?hr>G zY82(TeT(X)_SvFCT_3+BL>fm)23xk1`t;(WuN5AAn;76Phrh_8DW$V$)6x;Ol}~ZDZWV@~Mezbx z{Yu>o$1b+%D3~^#I<~Zys5}h)Z#3@PYl?-%LkE-)Pz&9{&H0aXJd{42+V21*0EY;> z#{FGeIg)=`B|_J~d>asK0|6>@Ob57y<^LR)9fcoI7$6RixcfNUU^q{e-Wo?nH#677UddX>4IPWgTduJb#I*KzK!|?)S1DS$lX8X0}cmmY6 zE)P9z-v6yN&3QOX#k@od;kSoz(jiZ^hV3WWZE2YJ-TPVIpu=1XsnZj?>)Sh=I@G#t zbc)9#f?+B^d?eYQI+xG0b70YV$njL6n~79NdV{;ZlGJ>*B6O>33AzZU=#uVUT_rx*(?XJj|NK(uBj5DSgM@Y__xUCi2$QxBvM%dMTx zQJ@a(&)*QJqpl7p1C&1SITAs20)7$nkm(ev1b>j!%LKCLArWl%Bmm!U= zIV~zHXyqW^6g&b+uzyPD2+dVE@KA-OC9%0IwHrY6@o^r1Z_qY8IU8osBB;mYn0tct zzPXqn+hUATliF=~w?`rxjF!e@N^&@q!Is0Tr|=WM2!DCYfe{e-RB_>do|Sin!y*EP zza+!^kUkX{3Vu2R8r~{=a=ZkFy~Ip+CM&MEAI(Y>3$zXUwGDgQ^mv})IsgKXnTW70 z>rc@CBPUW<9+8RB$W!*VLXU;sP!L_06^`ON)?eM@+JzE@qEuY#PL=VxuP$PoYRo1- zAF{U{n5xCRI!$kElhQn^}&V9%WhL_H9&){gHfEziXLU z=7LFVKEj*ruLjR1U}WEWWmFj4wBgrW3HN|0MN7pDG@!7i`IDl;EYt-IG#3hvhoEeL`cSWDq0Go1y4%Tuq-W zRSy2)0wYVxjo?0$RL zXVU@BVxQGSOM~Vq8=Ilwm(g-d-P2!~cFkhSw-^0qT3E1FRxgNyaSxegPyYJ*2b18* z92urzGw<%`)NKBYZ$5@OD=YcuoM4QYIK2ZZJQ;eG$f<37*vuF zvL?vr7f)Sw^WH|VIRz6Du}M2<7F~Vc+qHg86+}~_jUfkMX2TY%1Wdk6@L&Gfp~u}` zn6;CKIx7l~n`TMH{=9{$@qo}J{WyWigh!&K(x+5$Mge+Iso=rfB|TDXTxC$(8n{DR z<}^Clv+?YR)6dKIZT9edSzBv5iiThuB%V*&RbP+{GhCXS9!0`R)=?%v5AgfdU`{2#2(KJ1P7(htbZB zqavrHPcgJ5_RRI|-x?9>kDHk)#}fIgNx;bjRLJ z=OaHrmz-MjvS?^^;?}>?&OVNDPpUGQD=z>1AbjUC(P{nGRzxL)j zRnyscT$w{|Mn;O|ww!i8-3OX?7zA1;oo3fUs1lqms(Ku(N661WpReVf$UklPmfX6Y zSF7a4;nn3_B zOLU2%jCj+B9_HjwC|)#GKsDg4k&?CGQ;J-7DG0q;v&*n>6@9;@b`8xUoXh4^VPWN^ z%;B8w+|ZmRvaqa^08lGT*0aua9jcie0^7e1D1HKG&j!MtU+mk7O1i zl_`foQl#bGj*Dsu%6mxV>{^*aI%)g7&A7|i=h@l5$$Y&OYcB@#J+_)oEYyatmy&Bg za)R5MvgxU>uL>;qS#7IBxwF2mfbRDA5H6G5jAlR*UskLUFv~n&!30Vu6U_2bUFVa4 zhQ>0?>ERU=;uU?nvrvIH5net&zS{Zqu-PXR^&={F!BO=|W=A&@v%d#s3^N30l$-zY z!Q4E7X8x&qA*YOBR+KHh5nfHnVdOX_nTEO8+?0Zji7b#oW{heD(ntwcVc`-6@pEe8 zJy!mrJrfWnZK|=EsF~s$W%1UrcYs)5 zqVSA^0fO9lFB-P1a#5>AE|}HCs?(+XhH{~fwtZQn7or|C zBwZ;QQeR_)k5p@ph@SOa2OVSl404V5HB%Ej*>Jgi$X*_hfP~`R>HkiuV`XfPV{W23 zAp#SEFMc8p4NcnX3!ew=D$H9TBh>w&jmP`b@`Kb%m>TW`?DkOCV3)E8(Xm$b8#iO?aG_D@(=m!lGp3|-cdUm8U)G67)R_p9!Z=--u@ zV6AFErmBul(S)wH@(tfSFl@WpUdf@`oaV6t$S2{pLiQB}ekN_Yh6o1x-RNR0Z;q$2 zz8-)@Mm248;%chZ+w1sgTZjspJ$oBRMl746HQCmh-h2Lh@vT+(=a~Pk-#RK~5|55- z&5Zrf>+u5QlY=(p_tGA(S0{?NaphQZg7ZQ7?>o9F^jq43p6aOTCtKQ# zkSg;FzVAldGuFL~pln<2;P1!mIxyu>=q3G^Xth-(qmD~^I(iFT?y0x?E3gcA9D91T)VgaoKUZ%9AXiEl(t3t6HlrX36)-Fof_f5F3%gmyxjqX4c9+&Dk4$>z`G()4{*f!0W!j~FbS(S#$6 ztG}hO9>vM$!=GY`R2A)o=u)c$&Mm8oF`=BlELa=;`RfihfBbz(sg~XmlI|jvIm}4U zg7FR_e*W#26$qS0umATRjYT|gC3&|sfM819?;R0Lx!V#(zH0wNJTO3&up-tog`liV z6i|-%AS}_%a99yN5}d+@Tr%?bt+_n%yQ-%&2~${CB$@&;(?!eNf@7P9Pud_V(w^(f zZ1X%JvZ49uSa$@T&c!F=938^e)Qpn;ZcjM)bOM>UBC1jU@S1lj>+w{gWFZQC%O^_f z2zYIk4w#9VX%Iz?)W6r|ETu!YFz!DHkwyK+k80%s_wE9u;_Qas9aZ2krDa*zD68~h zuqKca`fMVb^r$+9t*|@{_ijzg6BK9)D*J`qFh9$XMti2v)(wJJEs;V!FcxeP_ioOc z;>OpV+Z`mN2T3T}VUqqnRt#_c{=KkHm1<#9JneH&_Ro6?8tVpt6;UV>C@KmdzhX;j z88_2J1HSUtd{z_*io-6Ql!^2C`DU-;yTUQuYdhGweM;Bs0QXG%xzylUjRZVipCIJOs*bZC7xwySEk4>qf_w z9)3IONCyKyPOIMlGS+A1M1YH#Z*neLq5vmSBBlzBFHxs&scnop?XUJI+*E^17>q_? zxDp!m2?HfX#VKd&%hzTmnv0$8M=jsNfYD4Y!>WNr{r+O1d6a|7?LJLAw}V15F}Q(1 zJ{?0w^`&2Oe3kT;Vt^F;Mfkn!o9Z1$E|OZE4tz&R$OQXBRu;ARZ;T%h7KSO(jGsh` z^fp3;LB=K{(@98F)}jYWJ295*o}v>-C|ISRWgr^$RJoB>s7VgU5x(P<2Hsye2W!bf zWEjm_*&D%Ga@0y+)zs+nDpD?Y%X?L~*z;jND;bc14*~Dmjiu2PEtr+IxEf-B-vp!4 z7B{7Qg;msit6U9+_lKPsR;jk!@_uP0@D^Uj@o=7w=AY!5l*t1dd77A(%T=K}dU(4{ zbLX(&09eM&P_R@4sk^B?&h~_g4u3cezTuCe_>SgsuiQ{S=SobG^dRt4=ov(z7!T&1 ziw|c7h@kJd5_LWHY;IbZ=oC+VNDJn391vLwP~|TO4WX?Vy~3OUamcu0f^8q1K{L_V z#i{EvScAS6+nAtE9Q15ntVyX}GXADdDl}_+dlj__1u+%PW0MIYTNxTyOo2YQ$!Jr zG(d?MgzFVV^{|wzZdd$a#oPh;FpVWiC^CUQ{Z5Oxr>LT*nzn`b6l2iQ7I!io2O8bl z(hNU{_for-adyMh?X%_F>a{9$cAuys&&~}qklRBk!&rr zkh~7(+WX?2aqi?g-8il{qi-w=%oFNcqB66#RsPjtKQC&q=VM8~Lv3zoZIJ#tePKw~ zKEjj?O{8gJ;;^`$bpehkaSg*eWfej{@kr&gAqMe)9k+Z;#}~j&K{@zezU9m#|WV4!>GP zr!kV!Q!f`J_o_G0IBTntMH|-}#x?d8Ml~vmnw46;cSa0;Mr#ngAv-sQ#K`tPvR}Pi zpGy(mbN)gDoo)^PQ=EgZrI~}rx5Hj-mLKLuDP5Uw7TqH#>S*eEJU-k!bo{j5wT@S( zPeM$38ps+^k(0yN%vypXh7|)(^mmn`vE=Svzp)~(-g$g$i_|Kg|HsJrIhyzCk;|-w zTJHN5A4$gBm!3f#9jPw;@&7wR7eFxW5^kId48W=_7*{|P5YZ|%UT?Hi-B$B-$y{gg z_!}A}J6WGR!$iB`Ms^n%B^>uBVRZ|5CsDl;CoK5E4Pl5!yk%duv|Q>tKpNLVE&w{k zB>8#$x}5p`T=mC_#?Pc@kCGW*tL5MBYqP!wl7~swD3@w-L{rW~Gp}ZKHqnw17uCO# zi$gXG5UF{hDP4nGwj^qsGw^}B;!ytFH1S$oK}_&kcsmiOrreF9W>=0pLA%`e*>1A1 zO-^!c$dnIs)o559(Z9jML8xL$ZW&PCO73{}7X4$O{!={D`!K&i$LG;eBxyh#Fq;R= zFu!^_H&o|pluZT-M9nmWZsE#HK3%yEqz6bsmrt`H1FB$G6zIUc!kj(3sT#0f{8$v$ z@4CL*t@BcZv&ih2ZL5m@vINL+BPZ`;WIko$iAzKO=L)CcKYoV z9E_!La+%7n~8=AG@dUDrE{FIYg=+&046IYALWAbuQya-Tn7Wk*kx~BjP0AK?q$m&p9zP$Ib#S;*MPg90L2{YWh~)0F%~+I!EFfZa zvkWo7$;aoVLo!tF@tOL)8tOpJ`SMlniT{6OL@OjS4Z5Ad+6Hkncdp*#E2!zJKmuwF zTYfOKCM^`)=qjB}_^nJu}3F2DFVHKAMIt;cF{jm*QKz(}%8?ly3mh$0%2 zRENR0V^Jd-+Q4h)7bt9vHO6o1x6(+ZxAqC$Wxx;2Bho-M8&1XOq8~Hwa;`#BX3naaxx4-ny_`Vq(3aSzC%5|_-{X8=+14A^nDfH-76+27 zyE>^9k+tjhI_@e=gF=pz+er~MG?I_& z3YI1@itn|Yi#8-O@_NC|^TsX!AHaN2jidz+UO7e)`D!&4{(Qp9(oir5m3E}{`c=HY zL$_yz0@Kh{sH;0u8@7=vP23dR{Y17tjRMhL8BI$`bNdjXjwEbnNczl5O?rsA=s=5c zU7o#rs+Ax8=dk?p*z&p(3BWF-uIyi8M_=X|#>8bg6sZX2+B-L>-e>^w5UdhNc|@l} zhd1;LviWHWjrCR20U^>(J!#J=Mhp@`6J-kRh2$sbLO7Iw?m7N?r9M$lZe~eW6gKP3 z5;+^5&*R0FoPpPvXiY|e^=--1uR>2Bie>)B#pGLUuJXjuE|LXY+;{+7u_xw^N3@(B zPbIICnQLmA%3pH@fC9jFnFWL^9SY3x)2Gd`z^B$&rza$jps%0yukjLg(2hKfAj`oA zKq6+;i)|AnXIE&$vLPN|#RG>W4vw|Ja_3{ESHg-1rhZ$MRs9mAHASncDR+cNd*P)c zaj*g)2n=x16x8;qLQ25QPyA8rbGrOXh8&lx86~ZlQ#E&7ZE!%mLY8!rr zzEeW+f9sDf5<~3XP%tZ6EW&q6m@t^73!j|TvZpU2GDY)bAscbxnZ#T%lBurXQ}T%>LcWS>He7g=~~&tw*u{nUo(l zwWA9xz7hZ<&U&I~$%@LM3DG#|LaRX&aVdm`e%WeM(W`L_9$Hk@pBw2UDl2fVA(=u! zto%fckT}RfEKFgeA0m>`qVTansS330y93X;Cv;aZr=3Nrzhnc!*Z7upKaA-P)XGgF zDi_%+7CO3vjJd_^Tk1;pZ^p}XVM|KBK@gLI*a*rp*F|)Zh`*!*(}BzNMqq{%U?SEJ z{R_r{TGfW1nVk5Iw%E5Une|1c!dM>4k@eneS{Ai%rvRDS>Ph zaC_sszp1iD>M zj-DMM=$elrzhI&~z?0<{Y)M`50_R~S2COKu-w!eebLw3JszH$y^dW0{s^cF!bha*i zJojYu)w2S83*`UL7{_vbKG`N*GBC>erKLro^;vEWP9=~~YWs}k5%DhWMN`cAoO*i9 z?lK@3A;Xs$deopw20APEhk5|)F2|uIsoyg!yvhLQ;oxY2YY|)&MgBach}gWEQs~aI z4|F!F+W+c|r)OeS z3~Nh!K_Q=f=OHU@%zmGQpAiDkax};8B1KWU$!Zal(txlmu`iHJqM?o*4(X5d(h0PybOD4In~ zl}EHOJfQ$Ke(ap_zy!S~g>#AdjW6(Knf7Ufsx|%;|5~Gew`BVn)psl- zWjzsZbXFZ_&O)m9(vspYARkUH+-U@O%3} zqoBYZQ3s%8x>4Q-I&SJ{~lx)%M8{Zq-#hdY4~gM&-7$p?kL zn5;W?ia4!jcxs-xzFwGpfjZ!YyToMzHXI16sMjQ+Qva&~-y4i^ddDJ!-n_Q;omG6< zuTJC~ooB^u_h>+r{4YP;=!jYf1yP^A#=8AcH!JD;mLni({b zGfT~6XgmbRMQMtUWvVf<+-n$Gh zdTTLRS~AMhQe+ecy<{?QPJ6RC2)>v~@}ZY>QnVlPu>a#^sVAt8@y+gH%j0LtOIY}u z^wdMy^DPVLZGeQzF7KjHqKHE#FQ_n)IKKqyr97{KbiG`6;zq?mN=y_b;!(p3X%Gyf z+BQ9)7Z4ajO09ClmU&zE;I~c3K>3ov$6=5a&u0u3Lj=xFoe2_zQQKmc2>rN-j|wXx6U>HpC5j^ULwUBh;4TN4`-XJXs7ZQHhO8xtp!i8HZn zYhr7{udnBRzhn2_NB`N?-L%#cq&KWMQkuYWydq`W_D|4uh*== zugjoirQRUmR;Bx2f-eyMe9Rr`byE?=aqivr_ zlQ+HsH!Yrlh<6%2xEH0dgdA0;k8 z{O^69%g#rBhYREFLGyWu#j?cToRK0{n-utSiD^3`osNgWv!SXbnT48+3U$UG(*}43 zzd3ta_}YH4ySuyC8oAhRzlA)C+~Y?aGZN^pX7YBfX>Qum+sV<}RpG~AQ%-w_6>ja> z^@q13$$2RqydDm$55BJtW~JR8? z+qda5!}nJ~kCC39_v`(B9$a`%(h)w)U{nexw7&Oq-C)`Ob_l!o{cfU#Oaeiyu>NR4 zT`GR=ZUCOK_UBLk`>7u!T9*dCw?iXD0T&8ZtXFIzqqmVLdEpa_%w>mcT(y$IV-^Li z(y^kJ5k>LZB$cf7fwCG6LrOS@!*Tf50TjIG(6xG6c5v6-&-!TAI1zoeMOl)RuCV5N z#fp;hh_v8U9ViaHA5R(veoOrQlVbHGV87bh#Hr>cYFQVEdx2nZ)*0TC+mZx+XE_%= zmUGT20&p6b4Knn;umzBXWCLN;-c4^%pASUJuU41?)NwE;;iT`@r}og;j<&h>JopK#sB^gpJ7W7 zvEVpKn64xAeSJS!psPE0A3eQ?&XKr(*j1SztH_X$XW$A~`2Nq*?Pal}sA3v1PuKf> zaKI!WJKzF{T~J^UU~_M2PQ#SHPVMOESXCZ!_xJ$WcR#j0MOG#ld%L>3<31m(eE~sO&6DVMIEMwR zc*JaL=zEy~`TpKDh7^BpvE`)Fj-iQs6Uj+R6mLxCoiEqfMfl%uM7)mX%Vg+hoyIx$ z9#;(7se9&WFM1!BbvA{9FPtNK@27dfYe1K&1@@%Da?y}^pnASO-@L1=q67=RF+I%p zdft-Cm6nSIBb0zLv9m)G-sI%u1P898VeO_k=lkACmB;?}eynD~D_)_IGv{J~!zpt~YXg(f|C)ss^+o-AUflF2*H8H%&WEbjNLtv`- z38Rwx+s!Jvj-(^_yVD(=5ca_XxTbB8Y9~Q?Io%3#-<^zPIcPY$9&;rH35$A64ODCc zlgvWubp%8GS6FSsYNpQ5IHGHZ_o9G1&+8Z0%bUjaqLS9elJ1C#GxUXz6xMEZg@-r= zM1s6ihsjilgmfehZvwKZ5*N=V6U(lH+o+#K;wzFRHky8=8_cyHO%|R_K9)@umcfeF zV_PC|`Nu_0O>AuXgjuF_z70xvP6Vg#A1^%;$Zp8rz9S}Nh*ORC`n1%Ph^XH*3wYg; zZ?_wAyPaXI@fFMaK#0{wk3<6E_L+h6V4&07)cfVwkEp=uev#R^-hCO=CnhH75AC@C z=5AslLY%nL;qte|1hg0Sz3kg#*TcMwKlLx!WWy=yhkj!5%=~=u+L)LaYN#XFN|K3* z2|OTmA^wrKigPJUbhEuH<(9bFR}1@Ic#US-c|68f1QA5CcC89jDt-H16F1e(^Wl83 zw6=%=#toCRNZY`mAPa~FFh4Ydv4vSQL6HwdoKq3W@IOD{`~hC!6-g2b5obJ`Ft37& z?OQf|VTf*uQ%aGvr-VJpTbxGC!_I5tWs_K@4vK)FM|pL2LwX!14&H0Sym=ApW<^{< z$wy8{&f>Z0xPl7u`kf%FN5(`yUu;ks&pe9}uDF6ji&)4^-IthL#OxK8>_9kmCwvNm z8v$>iL=j%89DQ||g&JuiSn5hk91Yd(W_uL|LV>U#q0C>l^iz% zzXq*miUh-QLr1xd2wI46npFI6D$Hz`w*a`SEWsZ=AhHu?`WU< z=>tWfg=4(BIe8VZDb&A}Uje}u(XRwMEgWq0BaCwV<*M^K5e#oW#seh?(!?^UywsT9 zEPL`UQm*IYNk=s%zvU)}0mjpjTTYKM*CNLD_(ZrrmJ0mi7tRKZw8Q479v;oyiHHSp<&P9@YgEVsSt|$`u{>@C88O1R-I~xqvMH-ss2N=PDkX(F zsmuMb94i`@`B48u$s}slEs_6AKXv*MY^l_OV^O(bkzJm=WaM2JDJNPTXC_ZVY=oU$ zx{U_a22UU^Qb;$yR#3TbAqPPWECy(^3wbBg0RKT?6fiBtgk+nLZdiBY&Gf)tKAv}C z5(Y1{aV)XeaBm%n^TS86ys}A}uZ;#CSy26P*CyberB2T-M5873^lH?V%pK~ETedYE z;OdHNDmvfny=q%0$4Mc{cs^idH8Rp4D5ok*6fV=9>(tg4lv}mUO5fr^JzQNcd=$s) z(=hL9ck`XVZN~Puq*0Rg6d6XrBubb(c*fy7=lWq@VBARIWraW!3PE%e8EjRB5p8fH zT~Ljm>@tV=JrS*x#VHnRzc*_IDaI3U1yd;XihHg~=tFpr%^T&)RWe~rB(jcrw!KXa z9Y=j9yyc-h0uwnUy&3)X!TVgeUYq(T93S7@Z6Dl~qv}4ExzC4Bx#r?QYwsKqR3s^5 z@-!7A6#N%KK8S7exBjdpnkb0*4RzsTsYoKr^P#}9C;0?Hq9PMbpj(H&HzI=Jn}8SQ z9$1IISASoLr?Sa1x;P=frsT26kry9vW-;xwIcNh3T2yRu8h?fNeb0z!OEbWCdi5@Y zo0CCU!xkYd`(fDUjyje4EpsaG^Sc2BFo}G$xOsROa_1_4XMwnn@9r964XgwCl+ORA zr`$JtQr)G!DiRkc=nhjm3u)7zf>1j&x2VD(+~vte(Pg)g`UEJ3)B$02nuT>~sf~Iv z6!aS!y+`sVI`DftRV!gnU0j>Mu?SLUQcgD=S}>H{$yuAeVjW*e(LmI&6vGb@qaq9l z8}YW=6Mmb;Di-}NZuZr$3BTv-UlL=M&1C9!%@#ZysE{FL6-4s-uNEf1rIJRGHO98} zuTmf+h7`lNSBwqkk#3-Czj)l#fFZ~0y}WPHbpZ`+v*&o=C+ZkKIw3km3V(u>``h-W^gWlsN?o3jnedV{@#V@ z_)lRUgbk5W4yKL>8kGfVop%p`$n^=hORb{9#V58zZs8=>D{1vry)DP%QN3036--n5=PU(8;={cdD?4eQV0+p})iLS&UaKw+ z-Q>23(8d-{@QQgY!X$&u{H;s&Yv_WHilJ_Kn@V-y$_N-z(QSQdz;?2U&||A+IHWi( z-EhwvEZVZV9nx_1=Qz?4rX9v2eBS2R5um8K3$_sHl!6+v>L2x>pnEq?s?=;yaX9bw zbfiHOOu}4W5b==--;t6p9-Git|E2I{=i>REz9V}1=|Ft-b-kZb>8^$MRXo5)?d84t z_6+wGp;e?zgZ!}4tQMl(Z8WMbCu7;;q=KgDjh9MiCk`#WiWcH081?IAoYo zX(bvlFBoCLC5)o^(wkxMuA4x?E@JXTPfLLUB6r4TyaVRGTWxLb^=*sm*5{7&<=zPP z&`+6bqh*grdj-;A?B4ApvoYi zkR+vKU`rvDp_LBOpsUgBs~)VusuoM{27{xEHqr^k{Lr?gBrou>Rdz^@IZA&NgZ&w0 ztU@On95Mkh<`k{JaJC5Bp6z)X*W%~RB8&6qTcW)5CNDsG5e&lBoG$Mmt1YnE9#9wEgwN-pcb zP>YV4;89a{yie+wO&Dp&6UDVE{7L@po~k<&1gZoFuY(C6Z}G$7!790G7hUP^3xj}_ z-Q}^}Qt#W9!52G=_n)d8jQ|1;`?=NNrJldH3;fpw-19S)f%XH2P$5L=hpR}+!!X~@ zeN>rZyz?_BO{#*WNFQ;MX_-Q%6-+Y~$~Ma#)f20S^7XD9GJlSDNFAS5imf}EMF^2! zHrl5a;9Y`}P!?*+UMN|XpjHVblx#L;OJL-8+ZrExh3<6?Tqvgh#cL1Xy)8GFmJ~;V zfvCK}^hMn|`a7xlV5VE1k(VdOhln!378+pbxIJzX_)ikX7;`?NT}w;L7pVY*>E?}^ z1!AX$hK3uZH;~{N2csUWRH}zn4NQqYpT}c-QY+%qx8F5-E=N8_!~mJ7cU7?;xiaum z*r%B7R!$`~41l~$2;eFo!glE}|5gNnb;SiG$po!NX&t2l1*x~BVV65FWEvIy%S(0` z0*w&LBE~sO+O>z7UIhmq^dyROmYH6u#Kv-*(`AN4zl1um4arsMbCyL;)-+iG`l-8{ zo_m^!kC-UJnB@U4T7n1f5eKIDJor7wus(xn9Z_8 zgrp~lg&j_=Xl$Z0=R0>Z7;)9!NRkdCdI<$ch-sjxg$fgfh5v9mMcxc+kZp=PrFepAC9-Idmt2BIVB9|yA4#thd6Ek0;0Hw{u zhaWN)jyfL*^Z`r1cU7H*c|v>;USSQO1o6Lt+iL-xrzQ)6LL1Tm*YKq$67KiY_ex|aS&Ac8(kk{--i?9o?NdfA|A)|9`0ufD}@wuv{sQS@uoR@b}W zyF0Vl`9=P&tQFG31Bt`Q^6Z0kvL9A{Xj({n&H~!1G0(6fo?n!{RSd$CGKr*3*jyT@ zf4;1#M8u`V`4@<#PKa}Nwfn$qvOaWL=OQld%>x4M>_ zk;B@JZ>gP=wou*+HCRVZMTCos8xE&8pWMx$R=N?^a=K(&X?TdPy*Q=c(p-~U!^xb#IAjL4KJJE_7m61}O_L1Y^_3eYG(P&b{8hZME&8?$(7>YLq-!OT zA5@(>&WxQFs%9JPTVkt8bmtffSq&~>g{95SeEXORlM5fQaB!^&jg*x6IGM&A(Pfk? zr8w%wJyEB8*h6=HXdsGx188mue00b8IIhV*5ZghHVn(1aU>^p~RMB(?;ekm?wo@!z zN#nD*8vIj*#Qn>- z%Hj?gPBtKwua1O5pp0&DA45ln544l5BJj$buH3z;!u3_9)Rh8?!DRehf22Q7O-)%k z)?P$S6-Htkf?$;yf|#Z9|IYU|YZ&s_#N_h;p&hl5Q;=X0CcC`JX}Fl9RCKvGUg=L^>b_R$<*YfVU$hh-4$Ws1f{}&F zPYW+++doBI-RN^po9DjebzU6W|N)lgUJMJ8| zyoCDuqV3@(o`Zu9t({`7}8s+f{8UBWg85p?!t!RFn8!oaAnLSlwNy#v=0UEiJw{rEU z8xh|ShZYC7RXj!{04J&2b@R;zSfMPeJS%)VI!DOc8+OyF4xiT7Qz3et+P>K=Zt5C3 zN4`K@xw2f<*4sIWQ&qzTV-QB4WB#u@ya_SsMJgP8bN<8)>DW-x>$Y1jxKGDZ zGBV^h|86NR_kTK5Mln7bj#kT|tH7|Q-qz*|u=|%gBMtw<)@4NQKXC$Ie$lYjBejBB z1_R|Tx25CD`|g3R;=4zk>gQ|NfSU<9c>bNc)ADG<4QtBpH2Q5u8v|}S7yJE+{iCCb z{WFy}T2@E%`*mVRYLH?092(1hE#1@8Nq!#~Ps%-pbxL9RgA;n+c+PpN(wvb#u;uS@-%)Vtn=d`aV!>ZELtqr?@ zRY-MhecK+o3OXSBM8Kzg0mB5yB_9CcLB&FROZdK~7Xg6*C;PGJ+Dmgex33RXbn?E# z%z8DYV`BsIBrsCv#IF;#dgw~BT*4=R8Hc=!MU@laSu~oA{D=J5AB?KesQ>*6;KcNL z{k!voe*)-?&v!34fEWVc+sdn0OYDon)S$zAc&JOT6}`P*eXfs=|Ncd9U+P+o)n}$n z9Na$~O97}MoNi~T)EK0zivSm+Qo!fwB8^VNcw^xXh|l>^jXvRvrVtv5^1&c4hW1= zKFnbM`g%si;rYt$CHDmv9*e$DZf^h}#WaSK;+F(hKQ5Qr={Lz$5;uv`5?A(3@f(%# z`8*vS9~8VW$(tKaYb8V)3RG$OhYs%B8T(L;2ktJ;w@%faXBeyT&f5|B^jUeFX=h%BB6aV?=4=ZTT=WG49mw`J+O%$qcrOeeNRWNxxJ z6{V%3*Nor44?m=smKT6}d3jYAn2CXe>?&kYE{$2MwtB@mqOXB%0>R*Tnd{v?KT;ZA zD=RA{8DvR!`l8DLe&Ks5gJ+o3VGS|?XQ8`Hq$suB?fRgUlT~pGn|+(+WyG$_($+%E{-NVpx3&85D^(Mqc8i^%#8iY1)3#{HG zDy%-Xxf?wVOc*7|RGaUl`MH^suS%OR&qYaoA<0`G zq-68XyAj=OiDQlZ?YlVTKKSbii2M=GGz5MFsvBdbz+@(GvWAq+S~4`y=2~yHwzGJi zokG;A!J={R&hpT<43l@E-32v#1wUY6ey|G{HLM~cLKk2gKe3T43Ru5q6kz5*EvgXl ziIvHG-IUozPeH8W>XpvqX8Ha{&t!OX6`>27zNbXNv;H=U%$W66R`QIQV=n_%MPkTo z_76|ILNXE^-rnAp&K@2W zmuF{ZySuZ%yY#=;rkCLUc2~?$FgQueN@^0i}BFzGL@d8;K z*S64@33@rLY70IVJHJ!*+bqm0PeSz2$)9lQ1B5S2vV$yWS`ctz)bwOT-jqK1a~`IJPqU{1C0xwt`EZ^_R_I^AQo0H>DQ{2N^GcW%71$l@m zK4j({7f%+7bHpHw)qaRKi-IxLMcL?#b!d z+}ct}OtTL3vJp2I7uQ!WwM^fcEX*E_HAXMG*M8WAF*=|N6ah5(dX#O+8Ime-itP$x zW`vc_z{Jl07~B6QxB4+1jzu%s#L`mPty!A$oNGme?8y6tjZ+fRNWa=pf(6)HcsY{iH)jeo|55_0y>HhJtxsY3qK@N}4XN}8t zrUfb^|JeEcao0QxIdI=Nn7p-Gh4Q@XPC(RlCBvLX%oB zrbMijGYPsg+&m1XXuDV#ots8`hA(D^%V&-k{+EhdbbgInD}hbx0Xx#W>s0j8@`^C( z!S+tUS7UPc*}KY^h6H08`viV`FWt-G!GXb9o(6tJodb@e-8$~ur=q4;w;eF2~NXkxJHr+?lr5(fEY;ukNuG z)q)$wGJ{^Vn<(#k_OI<*quZa927fP*F=wuH%FL&GJ>O#%yk2_;;x2aMddj_b9L9U6 z7{A)~wsOd()S3fCw{Lfc_H*9z!{DB^&&-MNr*6f2gn8tSRRgi6NQIPy>~c9Oz*MU8 z2!tW$zKJI4kNJJAma(d_XEgVETZ~lI_wu@&T)xX0xSkTp>6p+@{kjeAO6aNMpQu`U6DaJTyvF$8 zGJBq1LH747y~FUhqC>X(IIr4t7+08_*?@^#>=fv9c&vfum|W|P&p8LwtV2Mv+rif= zPklvY6GN=R*8I5vGY~4XN$b}%-ZaVe*G8T=np%h)2SlO*Lkv|3Ly0M{B$&9kuoy>B z8NKr~9En&ml{^>>Zea0a?#=tV1}Zaip%0(y<+cwHjKYPn(>`!|MTI<(W8HXA*O{)C zb6wYcTm{RMh`zk}1obhHk%m+aQlHx}I{-m?6fwhwDK}FRtpXgn^C2+vp!Tu44BlO| zpR@jQCt<n*xvpkwxswnrZ=AHB)G(sIJ?IgLeEPs=MJh*EO zqsmzdmpz$BMV}9KSJYR}TgO(`$#eRah*DS{csoUB97k6Vj}Bce=r&3{@#F+xuRhM} zw|ZWnt7O~PGTtwV<+E-bIs3ZQe--uErk&7%tdp^tN^R=ScUP{Bn*}?lLF*{@-)v z^Md$bYI&JDK7pDACwKR73-f8FUA4fr_mS>a#s^hE((0Y;r{>$D#*0ewc_a_9)}9Y~ zNZ(1q-rI!}_L z%jl!em!qvg^b?6DVa67$P~R)-AD!D9m9bWgbl}ImFCx>)nEu@AtGUj?dK#vd)Zoo$ z+WM$}gLwwi76a_l%qt79*UR!r1&FuFNslpC%}$>u4IL3dzz~H@g-?Bsv;tqQ*RU6C z;s%=9zmvAngNuS=wUY57|-9Acjl5x6QoD+N2PWAh*pUjlmb&#^9sa3IZnc? zt)U|oY?FTyi6a}Ba?I7YX_C72S=NQ7OT_9^dmeA@SA?Qjg3A1(f-ap93aZr5A&j}3 zjSBIk)D8L~DFJiVXr8fOUv&x7M}ll3QkC!>?e83;eQlHELzHj!s2X^y(~&jIaKEf7 z6A``hoGu<%3FyZx6|#~^vhg(TLEe@YNg^}@oaSNe>31rA>X~UjC4`;C5<&k7!fz-Y zU{xUPNYdcTbUEjaXr|Ye@@z}Bkexk$L_R#vDBu8Ij{~#f6-{3|CrdS+z1qsEDQnnF1c?|nN(#h#0 zPf_Vav8XiIR!|dIEv+0V4j(2ug$kuHgLwnbpdS&1Pl^B7HG%G1TJHyT=Yvlr*7p&$lytZ56|&}+c(G9toYXs51!GEP2E$*))EwLY z5i#WoymQ)Of9!M?Xrk=T>8dXKV9@b({&`2WOK<-zBPv2S_*9Q5hbK|FY-FZAp!Gm} zDhKLU*12(1^v+mr4Yf;WW~e9eb@DLY75HVGN;nR6L-9W^XE(yMGNjuIEaN<__|BYZBxofmEa0yMsAQg5ZTjco}#xdlO(FlPYn7JksvHGq$xO+C9GxOIT7lS!EE=zRX(2D);eQz6JRS`rq}$LMPjc94 zLmp9KNU5e^jDIv7GynC{s}Z@~vVZ(F&K zd%ldElv+a3sf6PQodW)Ek1PEGWwRtF{;e{Q*3t!=8|b(IDj7RuPeQAIYwKGKAt513 zd`=F2eO}Va55{2%%O4DeWw8EC)+=HcXo`UD_&$1}5#6aGXzb12uj0D(>`gTz`w z;|V0LeU}LlSB`FL3`Z*ab7{V1{fyy-Kea$r^?H1{1iJt*@>I?bpu)z+>MF>|p}-3;mtnXP3UlcP1e`6!>6%jI%hDwT3^abas`S0S6#?p9RCX&6y^BgF9@rJgLI9GjP{5xzHkLvaa#zT)+haLL3I$kDKyH&M zWQG%n5-3BMO@ev2EA zGxwMKrS`DP@uU&c20hr->Cz2+4QG_r!!1OsTn@+HDqu9!8j3F~qfiaS|A@f>G{V1r zO(72Ww+z=QIEbx7=!4<79D#sOVB-du=%BxYAJJ+2gox?aZODAZX5HnlDV_!=4e8x| z3x!38Am!oYY=E%1ky#Vu%|@C0{CG3^mV~8v86+8sI&BP(5BfY;A|V1&D~v-h6}5VJ z%QzY?(r&vpKt4oTNEE<{dZ0NB(>WVT&dbM#+mKiDQfr*?U%vr2rT$Vj@%;+Od*iTO z1!+S|*3r^JonQrtr}^FwS0Ww<772QrL?#jaidM_CLVuz-3|bYnAmqM_e^SvV!VenX zEDZ_=Nh?#!LN*UySTG4rmOFq0CaBU7#x#LoUF-!Cu!|hazD4hd2G>PVW{ABRn6erq znVHlPj6su(S?X)oj(bBvPBjiS)vqfU@OZX_VUdX{r~oC%4|*(&P>dUhr#ZkEYB!rBzGj+51!yOL__e$g|d;+H@%ivEE;&`o!v3jvS&I)HC~=l*YGsx=v4C`tf}GKDvH|UaBGow zsEKtK%GwJEoM0h&(BsN~n;VF|xAqmwni;qm2AG}HpJ#Za)Dua?nuLi^pY?d2e|3Ib zE?xCrs@U=bgcEI~0+(qDHVw;%wKY80Z5bS2?kGWi?e&7Az2*!4(n|S=0-l;q-4duR z0$4`t>ob_hfu;gJ>aSlCm*aOR8NQATn#*ffSN}mr4Ouj#?nes-D7k$dmYRkYBw+%E z4rLV;M5qw$y5&>X%S)n<__pBS;P7y$qdNV11sNH1lQikFx%Y_fx3ekQ&H<2IgOrXb z13_VG|HuKhf8Y`)$~zy{0ZasYt)=h)2&P^?1WbM-ie$?X7eFCY`~ zzb`1*xidf99m&|eA7vP9%{>A2G5}8ZkH~ij=d(o`zS+$U!0}LL(95q?l-D?r)7$&u zSHJUql@Rc%dKbS{49 zZndGPx?1{Wz10S=xUV)_C-W8g9~x`3)t*PUrwbL3Iv9B+W$g|-Sn5?fr8siv=wqVAI#!D^8>B3+46f-f zfI|gUfg-9^SkqL9s#?Xi63_0reN@e|5?Ms#mjgQdG@>tN1Y*ECd|Wq!8Wvj3 zyybhdEA;Wj%AFg27I$6z1AyV(b_vV zhMd*a(cuaBe0Lo8JRC)34Wv{F=KAvoD2DRy1AO0Vp&VE7Vzto(=#ZnMqiG@{Ak3I$ zcDCEcBMAVo=K}sCAdvu^Keo^;g7IvC!qH_smFC7CsCBUoxFwE(UXc%@;SwxZ`&TR$ z1E|%2y#Yw*rKjtiUI5t+pz-ngf^q&>K(bH^i8WiyxI0h&(tnjop{&w|osIZ-2NWS7 zzcUopHl0>$Og=U5qj5}&>?)6wSrY3?(%EGl&XXj{jW#><7YnKBd_JH3L0G#ib{ln| z5Ri&pg+jq_Bw;Is<{*ZU`&k}P?no?>#9aPZ-&?$E@C;M2R=%8Lxu|#gxjXg1G9>ze zR#>dj%*>27?lW`%u&%STX7F?4qR^p?z7njz)F&(Iv}gWP)6h647@CL3K7jp?Kd+l7 zqR{(qd|cYDfZ0U6H0T1Ouvg&%-Lh(?`j1DNr~!%I0o2C@u-f2{7@J+L(~(1YtS~lP zOzB~7Wft-kVy9IRAGd5pR#H;hy9mE_28M}gSVC*-%||8kr(bL56wUPvoOnDF5@F-^ z&6@ylJ%oGw7$R0h*0R8fKw>Q1_X{ly08|=i0+tu&yJzJH%NAwCauPH|4EqGBFiNNF zc{*R_Xgv@Ls}wv(F^(E2JmWU$&A?EF1`Ly_em)t6)M?Z+e==r|ffgI5rwM@GA~?3V5*{ z#r1Q3TPz0e=Y#pK8IXY^Bss zR^Q;DJRD{i#?;l$SB~L2h}4}=OMxeq-$`gM}B56A=DH&X0eFZ?n2qZg5PQu zf^0U?iSkZ1nSl)q;>;T}f-uD4jM^~a*D$AB;_%Y;+x8_IEV#x5hWCy8y*=St(jl%& zSq;|dllhT3nYh3H;ji7Tk9|;*-|fj)s@H8<5@eoTC~0hN!%5a*pMO%6^+8Qg>N0J_ zGpU2x6}H>5v7`ExzU$yE9fDKqI#$L&sgKbIN-cWMB#P3D=KAXlWB*(+GyI`n0Srg@ z`#nS8ck!6PLJHB7ujGL#XQrQQ+I5`|RHh?>zpP!PN-?VRz*d<*RfXKHywSx4WB@pLSQ>GJV=ajXrI(r_uy5jIYmLi5hdw%(&W8J9h zaVy3&z+3lYC5dHWJr|eFVGYrupT7yVQp`CLRX%RKjKPh;(G)~r@(1<7gBy|UER%=Z zr_1#OhNQs^!*m~Q`K#n&P5ZIaG!keKfcQZ7gYFVaK_efHEvA}=nT9DaFiYB+8B^m% zgmM4YTuU&^O(*H8t2J!w;Y@h2FIFyj+aJ_u5|(Zf27aWq8_R$c7P`_>;QQZ+FG}OF zAv1TIFMbzo?7+6RaHFY_PutiZ`M8X&%cgZLhRKo($&sK5;8On`Gh=W_y2H$(yW6{I zCRFmxU9Aum2Dv&34J9d$c@`M^t|=~Zj~-;XmMx6qvLwdTf!f)u)sj-`{~iA@YIg(6 zb0TvOTo>oF#D)#zZ$r!v{3P%}Ju>N+(vbYTZKxKU$kG*)*RaLN5wJ7Ag;F$!#3H@X zK`(IrzC!4{%Ug1CO}?A{>K8mwvo90Z!hcrdc-u0F$=Sg zd4pMk1edPg(&8qlDWyDCbq#_u+<<_52s*YwlSyj$5bm{Ek3}pIdpv@IRlN^I)=|q- zY9Sa*NuV>B3yO)g0ZrAWxtbec6LJ54Uk}5jhoFEonD@iqUUK30>M#x`#FJk(z_jh(6-slTBSR^Uq>q{uu{Y+7PNa%f2U2~ojj17i|6 zF5@wkm6I`n1NiyxWP2FSM0q_fH4c~c(1FatRv@h*dA=wtpt5&*?dC&3{5ava$yk6^ z5q;U#=xS3_5m}E6AbK#(y^W5v5(&QyfwOpu{~PfCwLS)CfI`Rl^arD(rzR@(f6rZ? zin+;n+(w^nNsq8f)UtbCVDbAGacvN%+jw?ShtDQ|A(MyY2fP0N{!e3P4k<6Sg*f&{ zl-C$C{m;}Cl`h8QE4{N*@Iw=M7Y;MsflTX9*9u-%wsZ)bU}PQ-HF16B+Ux@~>7?4d zGgi32-h0k!--m|%vW~wONnv0bl{;RnlWKvJMg2c9Aosz&^f4q4kwIfRH9MIY$xNa` zTDWh@-`EVEhE;{o5o&S%u_UDVC3+MY%*vzBj6>C_mI>LUC8>8xcns8ny!9D3Nv5yO z=xD8^!>zv!8*w5`kZNLej?W40P75F5`+=VmW|<`61!TT)sVkFV%d%OWW19c(>Bit3 zP)j`f^yokPJT!Mqr7NZa?*P}EP+J-S5-t7ljlf>EXNcc+G)Q|_B3=_2Y~Xi7Xi<0n z2PTwf95)K&+Ab~8%dRcRBjRvSaHt!Hej}(IoaNRt>FJDAEZW`|yo756TN$6n_#s~d$;#j>b_Fq!CvWT5Tz)CCf1dFI24 zIyyOpS+$At{hFX>LMQ@0OiG5{2aYhJOtu%m9<__KNg^9YlF9RC7g+H=U#z(RY0-pY zJt4p04*S-E#lJp3M$*X7&=e_S&w=HAk%%eH1FRg}FUEOMU)1o-)WaVwiaju*VnXp~Ung17s)HaQ3K5^C{auC$kBu~ww*G~2mSl|m z=C8dcHh77l;|97V&Iwj7rkT}F4~IsLy%G`M{5#(2fq9k9%0J%-Exf>}Nqno;B@_GP z#Xn5{lkvAG%vf}w2<6+HyJiL9xyLw}^) zKWe*uL4Sfm0v!hfVVwoAIZ?oqjeoyOh}f{=Gm8k3Gt#KEMVsL)r3d5ZbTl0`iT!k* za6To_Mh2#;j zB*NQOO2fv+hP_BE>PE0tB!itwnlRDjl1J4?Wb6?2!?7rG{Jg8!gOlYirZz6ek+@2QYwh@Y3QJ;;}e$v$ITIcc$AR=YY{i(c%u8FjNyrs$a0Nww5G!qx=ZJ2a<{@ z{szVXWz+xa8S4KrM!4eB?J>KNGxFiiE+1G|?&xW4YXf}z>YYFT3w5(yZ2+uFr*#{! z=#-=7R#y|TxUAJRHJC{*+g)CZyrcp#SPXbS>~j@;T(@UP_E{~aA6O;g@Wd9v*89zY zVW+J$dwnP3i%o~t1wB2_`krzWdf*ak|tk_%-AsOWG<1D7fG*I3YXidp3c z6$@EU;o#+ubRen@Z>1!7uNOm&<~x4ZY0mU{J_YyLU+6;NMPzW82+*G;golb$P`hzD zaRbTMRsc#CsdCwaF<7#ror|F=QQch?1%~wXP)#??HMsv|u7o-8aL%;{tef>$d0jf| zyvi#l5Y|RBm_&I;bwZz1Rt?Pk@R>@%R+B+HQDjWoC=hvtzd>p;YwQ*+gbh`-wV`EE z=u~()DaR;g-D&-G{3n_6<0?u@{Sy7KJ9iT1hd1#|C(d=wtXLx92#v?{cyeYRsIxZj zFSqkceRg=4Q?8TCRMqzv<%#51s_I8~RLAuut_$X? zc!pXHtrGDm#wO&vrEtL%^RM`67y1X3nFqO%*d0udI7EMWS)7x!N$(ha>tzUIRF6}f zQyuOvkwFA!L#YqEWJCwHI(daTigIS&yP7m<0}`MQxi=J!F@fNZr5@MB$*2e%o_hr9 zJmz10N{!!HmoG=LXxdZhhaYKau#$(l3p88M|NVb;y=7cnzY{lF92S?QxH}Zr;_k9I z6nFRH#i6*nTe0F&D8=2~N};&BJKWRX|GD?`yt%vxo9v#PWG0zRCg04gjn+?VbB#u7 zR7?k2QKZs(;ml0-7u+M#Qtw6gjohhqCic%Tc}VJ%eNL5$TiD{c zbvUq5{r6VQSamDM;;HRpW%bGJ?4Ie){;ivB!d>>mg$V%i#cCQYGHRe8!Os8 zsWC2RNvGE79_qF^UsaY&FEym5rmEwKs3V4+T(>@VPaS=M`4R-WB?a7&_52M20+JC6 zdM8(UjG1P{$5_OctbgFk?2&2!d@Qti+Mv5$WSTGDQl~qfxy3aG5o;0g$@CiRZ!Vl7 zd?ouvRzeMa6b8?X#Dl1KW2r!tgJ{Yp>Ej7_yO2sjNi+_+!8p>=GXWHz1(6<ok=o%7!);i!DFN!!e5;Gom$+XSjRF!Eq2_Y-V0(k-FG~ zTBFlyhrhLSVI@&G5F3h)oJi4}0+Z9(*pM)rmu)!Kii6Hw#kGwpvo$VBlh|bA9g0#| z(v6+SG->q!U=<#3&+=837@B@<=^>T{W;iu?<}V9F_@0V!LIVy@i)Kv zQl=*N5BsA94Mjo#(OmQEZEX@#e&)y8RH}*FG-;ZWaCd@pg-y)JWFoYweqzZ^@okIZ z8%0*QngUnFUIQ;%_OXHB-+y zPtA4?qi=IxM%jbrnki+ht<8mM;xUUm2t-GaQiWQ9x%R;_Yt{u-6&U}(1ONmA@F>8B zL=eDwfcLtpHcjmVRi}p1Csw;1Ji2+e9 zVLt3(ApI?D^SZKlFUYXJ^MNOAtjYDcU5yENIq>$U{POkwPgI@&plQ#>Q)!|7n=N2k zDL5m}m<9*B8I5Ohc~kTP#>txs$MzV${~8Rec;~NoKk-9>4#m0u)iM=P}^E63OIop z+Lc6Qj@|*5<9jGnR8%tO0Z+qC4K01HCNt(BBEUV$4FI7QH33Xa3?713Q)Kq!gTP72 zzcUe80L8vz;F(h_z^GX{h05h=NtJzWisOt-^+J=M{2#|s=)q$CT2;D|-GJR&0h6$z zsK-1_KMcekASx-@55zEMTfZD-p}mm0_JzwZS82;11q`|t6WRDl19+@1+cGr~X{0i3 zxY{2Nq@i_dm`LL9V+eU{bfeO@%K_KIURT>51zPb_D(op&tk=bBEy$~-JqJ8%ty@D4 ze@KO1$EEXzCv}8Bk@z02JHE{w7+%KAI==3gzdseaeePI$W)rr2Ieyq7jeR~Yw0)nCrI_{v00K$bG;>(X2550-5(AGWQo!8o=p# zGB^Vode{2&RDn34oP?8R2LR_u09G84V~(;^_0Sm^3BXb(s6~z~>U-#`h~~`9!%%s1 zu~N#^v^#rG?FR3CSba$Vd+hC1=3Nn-WxlLZ=DboH`aaCBD!;y-z4@Jxz70?Q7WRKy z^gnxkaCM{x!xMn%gfcodBN>4q&>tHAj-1K?2*AEjse?(z9?!#fO#gs8h6EpeGy4US zudN7+7YQq~X|1M~REy44dNc4^mS6BMZYU-qsFlv=9ZeaTg zP#4U@M-a%sVZK{~c?KS5d%9<%03Av7AA0+L#kos{BINp!n+mNqw|9CAm9wswiF6>j zxw^V4oIl2X+91a6VKrj%|6|`go-6n#8d^r?8j;(f{YI012(zFdy*{=jo+6iEE6L@i zH(DC7z$Vh=Q-v znj&_q0s{&!LkKom1-6V4=E5GX=SN^;0hrtW2#S=1hM8a{1PY^z91oS{)kpDzKM|oE zQkIs|kcXiXS{OhfwIGu3_o&d2jG^LP+9tyUBDA3@1!!`5|5NvH8df$XeGv^pGc5V$ z%lTZfUMzZD|0jO{Ev3(ZBdNW=8oH3F#}vBD$)FaI!*?==Kg}2W3&BZh$5Y8!ywkvt zzF_fM2#5K5LyG;n^SRJasYt8paG?ktXSg{%Lv}S}ZD;{8mN>#IG;;uNTS`Z?V;g zG$jPwVc2TmGn|v?;Y1LBQq9@~sh$VnCzQzyc@x=^Q&)T->F>Kyq)wuZ9CYJ3QkJ3f zXV7cg=uoa|w>*zQ_rF1qChUBRV)?Q9mT`0Us5e*t)|2`ogVAjG`!&8F!cW4-b`+cU z#qQ>BGtzY1+w+a1_-4@V7v@CJ$;pnEp|I~Ii}07*nwn1M)+|X9uiZ&ngJ(-s@{`~! zt^GNZqKsOsU>X;+pm|7%bn%boc^n>wTjvq`e84*ojp!^``4n)83KOImTqXMp?97O5ZJKC z^wZzM&75yeP2czDf;^PN9O+B#zZ6|JoR9DP_L;PQ-s&F{v>a^zl5Sw%m+JBtZ%N&+ zytXhEc2)$&RsNIqq;3^MrLd;!@g}PLn$J@0)!6(u>b%^yKPQsEgeF*i)!G^EgaS^h zPinS51Y-Ml{M^tUKMdY$PG0QL*BoCGs~{7o1RW^v<#N-i-4`?X`a5hq7ID>7eLT+z zS3D8(e_ALIo<40x){&;{$8Bob+$-<@E?fyR@OM+{zUc3_v~Z+f^L@tp;Nm@8x^*cW z`BxXSe#6Ra!&z%u_LNB$9Dv)|c3bidpXm7Uo`Geh-DB4k9wYAU%Frx;(D{#&eo5nD z)SqYMGN#SP-GVDsxM>D;(Z&mY83A>?`opf>OZgWUIq51siKpE5J)($8K}$6cf2@WV zv$$wT|C~r}1}zdlwCio_ zEcL5S=UKg*$5j0n^)0X7N!6%dOuxsCg7!ek?BcQ&M(0cg+bc~)?`y7bHqJv^>ybaV ziTNJv>MyS?6M7sGl4vci()0P8+`c?6XL)$!{Tw0nJt4hw^m}0`4~l1y0qgdUsWU&C zS=hLdbEtX!P*^U(t7F5Cn4#rR+Y`=+lL*>?`x^fvqC(j1eH~klY(;)XIl$;P1MoF& z7SI_o4GdMd|J5XMqzMODWineDRx4v_Bpjx1SE^PUQ5Di`F0-DW&+dNYv{mkQJXD-d z)J3U={wM?C_h8pP+A4^tx~d1h&)j{fHgWq~fMh$`DCj|WyW0&$sK|V#A)Vu?6jT+L z2ZGhxPp&QyS6NR?ji{4a^_F2y{BST zg}<@IeXx8@(w-L;UHoHFp|mo(ZJrapixr6=uGyaN8@RJaoqit1mGVGUwXOT|kWi`( zq{O5|3d6V*2E;X$(EAo`z9xiB%<>?0QN;iCG9;b>`1D`)yoI5-#cQ`mV0U*}DHC*@ z#ROJ`BiFzX`UV2-m%Ks0+(L2RX$yH!ELhsHN7ZWS%B0tViJxnt7VVrTK`A6)H{t66Y zVnLHW#30%`z^NdhUb?P^goa|KB$fCBK%uL>NlRrVD=RAri9SHD`2C6gDI_FB2Y@<| z3S}q2f`PMtI(y$5S)d8(qMk_%Q~OU(PqUSjNC0x9&>S5dos{35=|cxSR4-z(5paTc zJdF;`?@CrBZ1PX1lEU-z^V>#%hj&3tiP$O6Q>-8>2K9W>2uy$~3IWc8%`GenL4dL- z_Ri`Q0hK`F*Cb+qdmd-TF+RTbY#g`K5z>Vb-t>1Z7N2vGf9~aeRu%uBIv6zqB@`4C zoSayReQ|;;CxTbW;D>r`9RQz()<^gv3K{I7nbCN7;_+nv+$yfHY;QW6eo}N3dOwg7t6X{GcK|hkuyRSg+8|nECO6w~#Q{&!Kfaxt{39WGG3ei*{f~+N z8^gem*7!FY0Pf0waXw2!JVHEwR^*rQcVK^(#{4MwzQA=@PfP4?$E=NJNb}anT9YIvF(qNOPvuwUtX>H9`uzue~j$Gwo-W_}^M5r?nIgIvQZ#>~R3ue4a2 zNg;>0Mlq||0rSFoSYBsP1nq+c28#sVOqvCN>Dl=t^{Dz#4>XJ%U=AX=#3!{-o|S#> z0#8{pOUtYn;OJSfncbF4H7}FudLC(drlJdaxrJ2TxPgIT)<`zV)WHrdT3tIg@oDhb333XSgPcq>q+%a+T} zbd=FgSit3k$`nOkIFrWTQB&ctr*ghybHKiy1To(nFI?V z>kv~{$EnM_*Z^*A$wf4Z8^(nrhuBdLpsfm0h1}cXkW+0(lL!)6Z`he_&QC0fA;Q2E z<+0f>H-Z^8ua6edpU63xpmGp_D1K%zFq9Gq+}yw&R`!TL!0aphrV+>n707oXm7U6+ z;~?Z01;76Np6Y|pxFCgbAm3LM{CbOVf*I3+=-%obQ;GpLB z4{qZHyF7&p4g@o>wiNG)<^{ucn;_w5rKgwi%ZPbOfoE2E684)4U;)%uQNbVtFp^9< z<(48-Eo}|sT)06Q=Qjcy^tn>#ulcZUkDdzSvMp*WzdX(c;)+78R^GZSYKg{Rf{iEj z3Wr+gc`*Ygg06q7BPJ%M zOb>@3Z)6L3myB2uEP03(V@3SywPZ2P-unUs?;)lT410NS2!(YhW( z43Q;-UYNxIY-deL9)e+j&;zV1Vu%1Y|LmRBapCByl7 z;A;0}BVI{=iR|g=q2uDGV$TnKXdJOfoooSp=fSE*h$^J9uI>RM@)44fI!?puyi3ny zS{;crh>fW`rkqz@ak5}Y>eV=&c|4KGQiJmilZ@v7d>FF0k;+sOGn*JJjNuH$!+q92 zKD1p^K!8k4N!60tuVjpG7Q`99E+P;qj)BLpK0_p#8INM7nqkUUx@B#q8hF((z;2DU zC%{y%%yrv3z9XL)V2mLbXued(hGGo>a-g7~aHa{#gb?JqSYlD*X(|vl1nm?=avWA$ zAzw3zKf00aB0zcVcVisFc-3}9aV(g{na`}aB7UO^N9#fQNkLm0A^m}uJh3;gyW(u& zOJFQ9KbAxYSI2$taji@U8p^-EBpeL3_O-&RQpUh)t$Ke25hU#yy5##WCr zB}ZiR?ys^9rHF6j+F1{@4g+jjp%d>@_%NC! zJn^<%EhwJX1GD4N2rTzkescJr(Vh}cFln5##lPj}lPy~{k~VC3l=>T)Di)qjH4Vzh zOtrIi=Z7!xzrMaM@EE{376W%D*{1@Qq&&aYs4^{pt^4by?Wo&BjY?dS$wn z7a~SOAqgd0gRjS9u2V62@{~J0#Wg@6GL&+o*LWC1F2yAx!0|e=1@C6*%G1PaddxB9o_xM8o74LNn&zL`Rd144+1U4!A9i zdX>Ie)4%K?Sv9f7YpVHV$_hthjBGE=tIT}eSSM^D62IhaL1~d!j-N9$J;FD+B`D&& z#7U4;5*2ACA&qB6gZYq$=6P9UkMl~FRVz*vC^;0y;4Nk?t}wcvh5gle2CMJdl(=KZ z7^mX`_5$<+tt}KceJSDV=d*~aKHay zoWfuex+AN=qMk<3E!|Kro{XKPOT?ieL>`g-e1O$^vRQ_K+8FhI|A9*yGnGtfMS8WvW~J%iz=jBI0dJ&cs|uP(?yz`7!=S&7M5uN37zIKSU0K)_|&un+#rEJvGk_$M=k_`_b?}B zX}))-Io$X?eu}^D@@1~c#4AP+K*v_usQc08c>>12v2%(^o$N-6MQMu7SIl)&ycU)5 z=t6(ZwH4$+TxH7e_MH9vnA0j;KI*UyHpA#-Iyq`WYR(OZ8Op=vTOlfe%QEatK0oXR z8kN}X@lWVgZ((QjMwOU|>z?nitgfi#$Y&JzBB@DB@|Ml4(ysdx@m#^HA~+j(?hyhe zL70@~4bBQkus>JoqS6lu5K~>&Py{oFCuQJ~oTCFs=ENAJ^hRtyXRAL=NkRBpQ$j|b z>D#hF_1jgU^S&aHV&B)|^9ND%5Lr?-uzq64zR^WC`M_yZ?+2?)l!K@eN59vL2%FE~ z29@^~8A7;qOKBorpqdM=#jfLN2xZd0$^?Gck&7-grID>%sw^ejD4`YYOlhGg(0IjprR7{9v!7x!sL#1qo} zoQd?o9T2c?@g)+Eh!%LhaA^gpy|7U|w%#kexK_788^i7+$ujD*Pyn}B5&#W$LOE{1vOaG5p;)2TVeE6EN*+dXq%hRtivF14bKE2> z0zso8#MzdR=SR0|cF6UwAh%+GLHYz3&Eu-aF*xp0!ACbB9FYh`Imsqi&BkP1B@H(@ zWeMd{m`dUCVlj7=ksKei_&WN+Bdxr9e8;Xa{CWmjp*X^I4UJ}UMjsy6hnW4?3AZbYA%srmP7QR5giExo@MKn)ZcK+ zYuC%dQ^N>%(gzj2HnKlDNIl37C3?9L0D+_|z(-iMA&kEbe3fE`+md%ASj$Ot(^M)~ z86~0$Qy=zaL}XV*|zk03oVQVN#IwBqdIem6#Gk*^;`kiMJtM+@&(v$e@hnk~9t z@Wr^@(y_ZTF4{feLcTV80e5s(z_+*$IPRr*oW zmsG5W@Odwcaaz$HQlo++37KOA5}X^*i}=6)X0uLvI|Qent%r8* z1_XR7*)9eo|Mzpv!;IRy11$O!fuwBq&OBBxRVHu9X(JmZF$Np+fD6Ahk1yp>E>q(} zDl`!WDHTiP@M=+xE;IedJ)*L0J$Xy!_Tt&E;qpBj!D$Iheppv2z5S7GL19dZ_4xAi zOw<{T91z|3^f9fvSnpK(#|(6fy_E725z|>xeAEbYD(2gy@)LU_z zI>WeZ!&;mk2QMoxKW(GbQ-7X>laI+7%m~>PjcXh6qnK1}$;I)Dx5z*lW`WD<{{Xd2 z7qb3?;ffZU;Zuznw*0ukR_>+}EC#XbP)mRPi3?02h(}Avo+$occ_|Gh!lHOrLjr0| zf(omWAvHh}F(b&T5qJ z_F2wXHYD_UKkYJTSAtMM(_+xhouRCZRB}rTV<~07nG?Qs8R&(+0aUt0SQY{6lwI{y z1pAbBtDHhGcl|U4zfDnxMx^C5?u(nUBBPBRf=Co%sgdU4iHf9i#;`TL*NC;BfhZZx z`J&3ZSU=Eg3-u28W>!{hT3pWI18yJ-#D?wB`a=|f2}#AMQ!&VtL>%0V8{QYb*6B~m zvt;;#a9rZuY56Cwv%i8Kd^Py-YGiNg-7sU$t{Gc-2&@v%fslQ<#GlGd69Oh!#_i_x;gIa{&&W(3lR*d*p~UEnF-tQI3`;poKusp^M|*U+lpD=o?y!X)lI~MfMUtA zsQ-!HN@-TLK}EPd26`}mmd&OY6>-LzjF7l!(uPneml^3C3B%%4!)6O*KZ_SaE4kw* zP--$*PJw@=a%l*^f8q$kJe;km0GmdOgc6Bg*cdCN6BR9AHS^cSX+xp5oowrLmjax2 z<{ZOLa_i3R%UD=f+@V!q#^AEl1MlHDlw}TPRgxP2mVft43;gpmP z!EX$BeauM|SXkU;y@b&&)x;J{hK_C#*o8P3MX1Bd|$CZQ-egD5SF%9p~_kaZL$28&S*ywlw<@o>04n}0%fzDe2 z9gSDat|oA_?Vo(D*y*_<3 z)s;)NmagGgwpV&{=TjZ1MueKK zpsyzpNxH~_H?`KbG^cEBv7SH)+kaR|ft->s4YRC zI(mi%0zBes2nka>J{R3K#Y6T~hiWBVq!!_8FE5|Cq9`rlin65~TjinxO)FITrh<{y z9lWuJ8{I4`d}?2kmC7WOMpo}GR~3~v^Rlytx|uDShQ%?j)V($o$3(_kUFJ1zI7Mf* zm$%*g+rM9Zu1X!~mnX-mjY2xO-7=)H8i5;iYYcImts(g=N=HVH1TAK$zubwe$y$aL z(@Q(CSQ@^5AL78p8gAMvRTuKRi&R^*tSQ8rU4@GRK6qZLr``k(iO5KsKx`lms-%^0 zJ@lwsP>hl;z!dAJnh5R3$mz03=tj_Eq{7bhum`qVyEc=AgUm68Bi#lZimv#CTRMwg zdrKbKb9!pj=5PBg84iCKjzsDM|^iP4R#i@*^=i z2Ge|2jZ!7{P^#z>zTk8l`v|`6q6As^Ce}w?OG{e?TQtj4KD`{pM>vMlR0Chpe6NDE zk=H_#br#EFP+<6(JcxQMwNI9tF<#V!$v@MmBZE*UILi}HY}qX_H5i`m-l9myEc3zo zRuv{il#oV1lNIK`nIO4{CCTu8Cf8mS$(TVq1}w-2;b8%zq#9R%{bU$9GyiVRZ`Z5y zdZQr-5(s0re(y_FFNl96OuE>tbj)GeRd$|Ye}D(y=-Dd^^^EyV0$jufG5sJ&jY2{l zL($9I8ni(^mkCu=bIgLTPoTwnVbU%O--fvZ=Vp_R?|JCWD36*M$@O((II*eXc_o%KvAh{irP;fyBYK{hi>9mn7LNkE-p(;zm(TD1V< zq2#-DCGNLLs^(sCuG!4tjQp0}0#{+CO-#v2vj!KQy7_P5Lx^NU!hoeoR=hWaY(qdp zcKvf=fA*xGmgT`lun12hqBGI@EFn@yX5jW#;ugEC8O0xw!kqh~t;g$*dSfX#wlT2} zpwVuqfv|)CVH73h*~~~cxUH!oI!;~9fEAwBXbKnwN}VtpQGBtrbcuJb40fE}%}g3a zu~sTVpy?J}K`lC=J~UOdB-3cjKOIDC8D*T5@{aZC6c(GqcUpl=y@T}EdDwH~-TCaY z#m}`0iYz2MrP4pbdNGCqn9FM*WT87oh=~+{388d{2nNkHVY3TUE!6in3SmYV0{!u? zSt=O=;X#p+K}CwJZ2Yo>8>}KHc(W0+ccm|GJRmc5OU?-d-u z7P@Oddo1Xd_Y6cAIcrX5z7fEU7w(A*Cx3pJrya3M*A` zd;*BQc1tUV@NQX2!>PsG;at&}L>KmWy&qak4=j~ZT(#sBP=>CxQNL|2>GokOglW^& z;g~pV_iff79mal;6aFpBKN1P9RC74Fe)p4(5vRWz(?66K1g)P#c78_hpAUHJu|L zVRw3_Q(1(hf+N+uTKDe$Uvqz1!1ZLl$BUwr^VXv*e>UT6PA8=~r>890G7g{;h;#&@ z%gG5|lHEo4z#+OdQF%(ZFm+KZYr%WSQyX z44Kzw88~hYHR0lTg5`#f zjHIPU29J!)7)-=Rm(dEM(iK-Kz>L-ijpX}^_u)v%Yn%do2it^PQ(<|#k)@NS;@_}w zkKuX?(8m2>$u<#I0I60Qj`Om86rDyBS< zUzDw)8v*qjlXna{3+ytB7&PEhFIROp~K_K zRm$f`exfehXF!%JbJ=E$LqEs(L|O9PFBLBmAR!S2BVy|yYRoVEi*a)(d?%KBYq6fZ z3z;sW>{LEFnIQ!{t%8jDbQSnCC!KS*I&CW0PeJU?=0?L6X)O)q>5Os7<$1agpvS?c zaL~(2nAS>Bv@h5h86s&k<7}{<4L}g3vS(bVa45^EYgw;YIK6pw^#K!Tp7{H=c_y6A ztI7a(6=={#y^-uj1&W}H`>Za&hksqH3(BGme_fFjtyjC1wYOHXDgH@RJ$n7+J??NH zuE4b2E5<(O7mB}dVC_JDvFesCTqcGG3Bgc2o0zBfWYQy49Spd*F6wpn zDsTxcma-r8J#BIdKsLkPg&w*%0Lyuqwo4*;X=%;Gpj`)OK5Hk_81y)q#zssFgp~Rg zu60b!&uf6F29zl1ikmp;1_kkz$g<_{!~hc|BaU>GqWJvYh3?nAe>p&XH4iQH6!!E| z-_xq%8z9(>dY#Owp8MD0$YwcXr!Lmc1d|37sCM_8{`08Z(Va%_;s=he!#_z(lPo-k z`9_qove$Dv9mUUxj=WP0{ylaQAn;jk3@0V9d}~c+i3l@J&FbqwvG8ID5&vG9PKk)1 zFR^z0-__NfRw@k~Y=N)TM?BctHM`kf*+!OL1+9sdDUG`UA5jX%Zf>|>G)q*Po15jl z*<1_*iEQ`oKQf~+TxP!dL2oTDvx9-QFF|kC1Ym`QP_N*})eBNLVMip@(NoUN&Z_Me z3oDUzNBF^)g!l!qatKggV1LV?XQ-Hh)={oRu6FYB8je!@yqSBJ6_WZ>^~%=t`-pdn zG+~&Cd>hey_wXH>9L+=n3H~TU*W5heWndR}rS7+;n(F)lAbQq6k;PvrvPNs5^&LD2 zx0xcbD=T7F1S-r^xlQ7|eeZv6-ivG2Sc=uQv=UeVcfr-r7Vl^*+L5$;{lx&;&0mY* zK|aXUxEDiUw=sZ^lMqeh-&*=K#P3Ne5Morxy}eHILILA{)8C*Q+evY?uMd?|Sba+Q zUxz1j1E1SFJL70Mgz{_E4qqAx$Q~nHgd?n73~3&eoLpsnJUz(Jp0{4K>!XfNFg+zO0cYjeBmo7 zszz`(aoI3k{N+0a0{UY;_WY4n6d=6p5MUW&d|-_S5MbLwBt;aW5%uKS75a$;wx4zC z6k`jvw%&cVKQ8-j7V>!_wfu_R)Pzd-y{#>+heg@u-m@nerVkFGrtGM+|M8AlLGhR4 zAaJV+Fta7=xGH~A*Yq#pA2j8av-_1)hg?PMbP6Kvf)_6rd+w<$U)@f=?E0Hho2LZG z|L+m!{3Yl8@x{N5|IHR)D+o}8WueLS>A;rD!G||%H0byc#lLy6Lm_ASKe?NMWjEr= zZ-l&E%Oix)_a!@?^6u+CDUbD_enu50VZlZnQSOwk35QiY@pKvcGLrpvY)qfOk~Efr zF22M(e$~Hq{4WLzH*=o^-x1k@5Sru5&i7|8XnxW-iVo^*Dh}$)WC#Wa)j&x|OCFns z7=vd}OgTJPR?m=l@FBZ+T-PhmZJ0)!;LhA)5o} zKG?th&`x&CvI{CGN>5;JC6au+wy8V&AG?lYz*7M}l&pcUNT-L$cd{6>M1A4b9j5Aj zjiN852UmhhT@%1AGGURoCE+!_OAwHkBsf2&O5h);J`s^6R$|>Z>Fen|&;DIKqQZcK z5Zz&VCV$Icv8?5+Yk+(rkQa^bOHD1kd9OsqInZaJG0{oJ({M*wklw)Iai%9Fj|fMk zyD42auN6WQqcKg#&mfYc^WnbHw>(14KUUJuFxe&pnk{H74>e8{` z`RiP$K6gZaNO4aGbOyQbLZU=HGym_Yq{jXDdimT)$e5-Eokpl?2~OBb8Fq8-kw@FT zt)ZV=GJ!NVp~O3o&QVfL+zg*#Q~eZrN|c*6sk~Y?i~3MIqK?Uz)YM*65 zdFF|F-6!;?vBA^Z{1p57Pbv5l0}^L|u^{0M5}^`~Z4X4mbH-Wg^{sZEMN6Da;kwgt z`~CV#v1DmY>Drw0nYr>h==^l(iY1GoL3ZM`lfVmqY?O&%~q$nUyx;1k*}=)xj>Fb()2n?`6ITmUKHB;426_xSjDe}BKPuaAFvuS%oby*=~a z!$Z@+j(lioNZVK7zDmgNlWke~`T4*6fX^Zu%u#8y;U*?HfgBP$~V zxoy!D+eTEbs;DY}1TNr8hKYq08WJKVBO@a&-u%=f?%yS+ps;Presy)dX6-_F`x#?o zrFV8V=A|Gjv;1KzB@7SCN$U#<71fBZ!^a#ihMD;IK#rVWVyJ5Ghz_o<`V{I_*3olE zQa5VIC`<+ICi`o$O@{qh<6mx>np>GHRNCm|grf%x>NSu@`BxFKPtd@}{<21w#G-CUSXk$sp(+j6NH|Z{Srmu z`X1T@?1tvIKWs@oZ|7@n0%@gwnKT}+6~~+zXY1*{*@cp?FsiqzY4#J*5piiOJqi^6 zjL`|AEUF&9>O#|cDel_~oDOdl!b!&*^&qN7pMA}P>2~Vz%i`btHakCN-6$(9o$@;4 z-N)2fv#G9e=bFUfRG$Q10k!BwNhWwOZ~ykDnsY_znrE-x=xTh~dJ4VNf#~el$|uK<|(hQuN{NnR7zR?>_Q>8hrzehW!B5h8`nY*C-FZo zt!VG5kIjXDfiD304w7lMTXkE&BB-Zk9UUF&f&-5Cd4^kqA|KloGK zd(o7ix5}cuX!Z0~^Uo&@u*iG^k=eL=%d6$Jx3{Z-B_3ept|vzp;rHpXRxVgu(iAD#rmmJaCLWV;2=$rXCZIY`IRrDRUHDtvUiW6fnO<5`~(Y z8hTl!aU?lDFei>}`^kfou!u>|I zt4tBgqf%FRu2m*8kf>{HR8>~C%LAiCG)bYSuC7P?`CW`mYCJt1*O)L|y`AS&B8Q!U zw`)C-LtJfFS`8yxSf7pi-5(6YJo*( zc4^Dl)YZ`Cy5lz@LK{6JD*;)w_YJFrLJhC&6dv7m1+oYSg|lfK3rj*mLV%=%L`ZCAdb*U7?~5*> z5`PBSZ_uFbU#qUJE+vnb2fNRUKP=VN)G!x_zxYm0P8Jn?mzjdQ1J$K`PvUYu#Vi~| z$HKxwM)qZrke%YA1-G)Y!W4+FX=%YG+O?1Pv?Fs3M1}8B^~2-i;}a7UQWC<#f#x{w z;>vm7PkyxRSLyA_*qNkIO28%eOMOGf)Z5>(@p)eHIBzytX|Nh~kXb56kDIwxQs_x6 zG};u(_}F9y z@1fvfg=QC54W`+?`Uh=&qGw`gP_wCr^iAl-H3p0Ac%qfCukjQ!(b^O)y5R_yUT|%! zKg!*Ik{xCBb~4XVH9{EtW$|u1IRhc^i_$-nmTQ%sV@K^l&eUNtH?ZR%t|K^3c#CX| zY9w5#B&?XM#JM=xQiC6JL-=cG%kH}pyN-|ZqmtL1#N~jaBbsOn4_QUOar8+PK(cm1 zV`BXw3u9(sLEg(rCq~4vy=tthqwi4r9yQDVr6|r~3jecEGn5!t`zH0gui_#C>oPN3 zZC{K)cHr<93Db|+%H@LT=72V{Gfv;)zI}f;Cv~6H;*hYa9X;<@-_}muv=gT?@C@f# z114o}XEI(>BU4y>EaG14pmqf8{!u>H3&MQpZ2s@)#6pCC#YH05W~8PxDh+-%1_=j^ zj*c!as$HREZywDQa^&a@>WPU#f0nA3Vlw_w2(5_oxD+?#nwMm5hC@7nE+H**9DG^L z&@IIm!?yJVb*9UspE8A7wpS8kNN!M6T?e=rHPwW{Wy8;3m{LYd5oL_Yp@NRt5azk* z8Pv|(FHA`YZAP^3G5lfuGRxuID~J!5YP9B1He^l_mX+=XRw(^hRoB{h1`N~5*cSe2 zSMo}3NtnWcQS)xi86y)$8?AGl+;Fbaf?moNtjPC>cVvp|C)7;8Plab*m)X;F+tRpc ze^Y8|;3?7Z4IvmW3D*CfSil80zJ-K{ov(7%sM*sW=PGl6oEX-sABRd+ zJ?#-yT|U=fc)~ZU>6D*9oI??24r0kUXQcW}wo~9hltLD=P7+seKY~g$epv>)99P#A zMiGAHA%4Fkk-r}!F0$;cIR}?w!gpwmz~ZQ^-K@7x3Z-w*?O|0%hR=iKSHu@|L;zf< zljL8&fY&oRB6gVwuexO81MO3D$yL68fdI#7gU$rKKBW_Cp;1&F-jXR)uDp6aX?TWO zZy2NtgSv&WLUK~QG3LC?)D^_88;2J@`9N;?I%_)qAlBaKA!ZZRVcK6~z713d-^%YA zg$tNRJg%k~kR;;ycNW87$*Bl$qD(uG}Wq2cMwp=RP?;AG+8?Pzd7dc4fK6_>Hw zUYcYw6Fg{*I$ukQjc-0U8Z#R69|P`mUpRW zSS&(%aCl6Nqwak&rd{;Ta(QNzsi6(ib#hBfqx#StkpR}JsCfPE!a$b0mWG?#aiuox zXZJQop%RQ6lk`mnr~BQ@V+DoJed|u)xQLK&et6tvvtCg~(SHaXZN&L^*~UN|Ey8+8)&{M_Q+ z%C)l0$;owcj7@`}`tR)8^%Ox=!PC-MM8!nW>-|qfXKr(TyNgJnMNugMW}0?8_!;%^ z$jIQRcxbeRjkUQMh;w5esqH{)VDnlU4afuQ#;&g*X%}8*XX8P+mKeOCddID<+-}p% zG!{%G?v3Jn;niZ{N|#$2oWsqC_sCfX2Z!10t4$@E3O6uBId+A8>W)Sy_44_>{CtQ? zkVc0r7>)anL!U0%e4k8CvqV-Ux+eSM^(RALBj9TBVIik2~9OCz0>vbjIqqS^ggMSkoz|LR%z z)9kM%+=z8F&|&Fk6!TjUXFzj{1fe*P)nuLbt!u{hOV#3}siPfq8QrZ4 z;WH*hFAuy%JMS-%e1kqZpA)+=ZlKZ;S{>FSbwrGH?B=lf-fBAB2XVwSzPN=yM3-*|Evj2&PY)C0@i!&ao^6}c)U8-_H>1!wZo;vLd@nCr2BnSA!ROK*&|XUw*^Zk z*q_q#=>^Q>xgLjWvS1ESq=E#Bb3hnGgx4S1=O!$vo*k@3IIjybJ#?*$Q?O1EbRaQwd z{#&B15mb`)jMm^85+@kkGo8V664tGx)dv>n{;)2W; zDB3=Lj*N7D<0qL%rpa~waad6u*h^W<$hp~J7};4>?-|5sPjrWT9s^U}NIAYPpEDC{;A+9f(6 zg)@ehG6aQyZ*_uKog5kU2(hwSwyvu%mnu!}-=*8ITr_E1|I2eDjb2evo5iYz^Q@pH ztfV4S;IyNQKK$S4;Vo?=2xVzxBwTW2BoeK;&uL7{3GH&~D2RiC<>3VGw~#kW*}*)| zna{J(8Jo;qo(m>=68g$YY6(@?bxn8)<;Zhzp;W(m>&Q;>%wFE!Sn|HHi8Sx8-Ie0j z$XdwNxtNamhlk#p>1n^wZS~qY-(HSW^4jLk_WW9(ReDa%_zW*s&|81UQ1SH{l*>6? zB}i9IO2mK4QcL@4Heo+~WQb~fh_jBason)u9F7@bCUAqblabN0rrAW%+UuBKRZ({1 zpP0@sF9!=jFXjH`-Ql2)p=+z)yYmUkifS&)TJq9`oz&FS9B)mkw7_|6IFX(1oCWj0 zdaN_6nkEKbF7LpwPpzyfN-bDMQwO{Eb?37iIn&idPK#aahKjfdk`ftsxsgz?IhgfK zX@{0NLAFkcz>1w?sHxwf-eAA$3-*{GI<-9(x4e?I==pmsoluX5w*VD<2EiJsCQNUg24YvS&|JfG2Hs5K6E8$YgEN~aZ-mpJX}DHJJ` zMl~cgF(D5Q7MZfIo$J`VD~6pLA4`c8*|<^DzQcE;KiaIEW_>wGxm;fwqJi0 zb9AX%J#DSKqFX;X6%#KbJ&nZDz&VAQRcXZ9a>2NoK30mPKd&>_SFe(i?wlYq56lu)jv;t$m|hhve)P~p(I5v_f|7FNB;z!e zc9ao@_xZHeS9tqiaLS-z=$b;7f{QvX_>O>SG2M^}$7?1HtDfE_5}s>rkxAm%Z-9ki zRaIWY%I>Me;Cs+SR#v)x>IAVLC<)%GAz31ZU>>gvQZ`D0Cwe{N={Z z4vSt87cCtP4Wi?09!7!_8>{1;3^kqB{$m>WM@vh`*`q4FU-u1n(wO8ysVmQ_=vwj=2oS--#^mI<%Xpk-jTBqa zc4G|3TK8&$w>0ppZ4ZWrDh6!dQAXsVG zI*M;|*K+ajvXay@4_d07*3oG*n91yIS}d9jX&M|%?yXBX3T-+>jnH)x*-kWZW^+b( zaz4RW4h}b}oi9-3Yic)qI6j^rcz&Cq7ob8^H4YZ z#X7ULaN3PzwI@zRqaCg2X4@Y_m)H7QipX;X`QnpfK{aEU+)eMBnLU@6;vNmwYwdhZ zxwoEn#*PSbwEfjgpTX|!2OOiYMN#!QQkM@sthC*cn^0gBhY(&D9H*Otjn6lksWWU_kp;qVKT zOmyT8XswNjh2w0t_(I(OFFk|%!gzadbb3T|g!^$de1?Jh8o%tqV<^Y#L-CF%Q;h@T z4hqS3u010x6%5stf}->3Dz-bbL?IiS5^8T2Pqo_&(ZDo}cWF!T>R9=&Mo9F~tT?@` z@nT;q9Orb&Xs)VjwbLa9#mX+&YZlW5>gVkogFTT@M~bXVp7w!<6W#5_A{0^ zjOvZ{{z66fiIDYY!fbTj+bY;EFQJGsU7hUHD6TYG^WtIK=}v6z#^20{BJ^fa;hme> zl-W?RCz;vPrjm;u<1DMFB-U*A+(TwbMTFT{6A%sKUdu8FAXSLzPCem2wyp&w&O|0O zT3J4AC+eaHAz+C~vO5Tm0)UikL-BLtRQ+TJrrncbkRJVM=Y^V?NsB z5SPr0Da!Bx4L#=DQlJ1?e=no%R@c%$dW%kVBz1wi!(e zpx0sNW?@0#;h+&+{&rQIX_I;MzLnBZi4Wpc=P|1Cz-98^l4mF`9#U@({Gk_<->3Ze zqc|qUq(`u4hj?e2$w49Rn_zUXJ?ru4(VgC_u8Fjeqo-Lv$G8RO=G>I$}U=J`iLOS9G1HBjKP7VL-;gu&MbBKm`Z$1a%x6WTB3&fhCwQR zt{YlkLfjL_yMHO#g4Ah$z=Nm*{AD?0eY66@!X7{sA`8@`g1fGNSve2m$ub_-@9V<11%ygI77c&JMDW$^M6=&#P*`mST3 zY$a^>`0vm7$t|(XV|%TQYYVcQ$9vR1joZ%N!B{x{FTMTd!Nq`6hoyu*v`6vKXGGjk z$q+;y`<%SIyt=BooFZZlR$i)3!sErQrd60+>$;LEW*#D<9~=y13?6!J9DKZtyK1iU z&GBD65PJtmgR(f#2$18lR8>-ve1NoWF|RIpFa+p$F)@fEAZE_}T%1XPK&CnHvlwH# z>n%(!HoWe& zT-I(=COpY^7wua07@2rEe$X^CQ-S`idqLe1{Gh6!92w`p@qW74GJt4Ka61}WaXF2Q z3@fcD9+RG6Pl~nO{I|7u=umHjHdSa~K2oZfvm+ab8zo6I6@6>HT$l1HZl&&|VCZ;w zncGYj*>e4QW~H_FC|t|hxMqoomsOKeps$}37q=rzlJmHCtIVRjck9sb&%_vjrPLB@ zo`@6}Dk_d>ts@FHT=TUjQ^PiBvio#&54_>8JIU9LmNsuYP*g5x5ldPfi0Z!%q#$#b ztTWOWFsox>wKsCVrS&nh>^#fQsJ}*x?9`{ikzcQtP3cxI9cb}-P8@4SVYPR?Ly9ye zd?wGGGj3d>aZqVpF77r;=lME1x1$a_hB$)X=SZ@YsG$1t&97ZY3zj(2daPM+##lk!ew9r#3|tnD zH2E$+ZvK*R~vZ1st_>o1ze&bdGjl(F2?&%wtQQnY(Qco}QoC zTQ~yBe*1G6=I0!+;1k)&QL$zpb86`Ibb`orz{J)AluhnSduCWZ$|Fd zp)l62c=Ab^cEq`G8=8yFcyi4d(#$e}`ZK&_cqT%|UYscBySKsXFV=aqn^D?lZM3UV zF3UJYrVb3c44J0`A41dA%vAd)?WG%d2>Q?0GB}N+8CE&&bA>31n9SR`jb98}HC&ClmiuN#fl?_GSBJeQ{XDDQ4LxdlFULxoi45)bwo zmXhm_5sOu|q0RUkBf%Z+##r9VMh%lc!{_v?lTA#cXf7&VPbWy73a)0K6pjkQrlFw>#-0B%4gUZ*csd( zIg-5b@y(-~y1(Y;PbP8u{Gdn+zOXHMu~00h><9DA2=x==BI{NlZn4iIZLL2&->A3{9u181i6-a)ClnOn!V3nVHs(#CNXRAjt z9nRd`FmvJ!3j9bt84>@-X8l(BIQ_~}i3d;6p;9cjSq2INXD_MxsfDJLOkE0AQ|!ps z!Oj1kl+>0ha`1>1{I2EO(HqYAypmJVq=EZ+=3f?#ZL3$Y(3c}~($}4iuugoR8bqhi z6uTYWg9lTPp={5^<2*y&WA_go<8EB^c39TZ$QXq=@a5g$bV~lP5?i#eQv4sD;<(Cz z$7P*7Z-yICv}VPfXg70vtpS}K zu&U}1_4P}59c)k#^OC>k`nmb`XtQ&a_C^jw^I`pL$v$7Po{O?^jBNn*rP|2!O7)(CTSds7 zh_~*nbC{Wkzt^t_x1|VI#*8Vm6SrVf|3Z`e-y8QUXC5h`PtZ4P<|=`{U(ZKrvnuoG z{QUgz@UV@ae_aKrpn>c0e9#VT+0!wQ+)%&;V3VZ^fKKfY&Zia*Ha3jIJ4sQHniz=n zmDa$}V@hbtE&Tn=1G~$(_Ho_W$@iAVW~4tQKczYWD`Vv^+eCD-RuAjF;buA^G}|{t zMMc^q3-#P0-V%C*;hUQ}3Af@rm$di0;^jt5Yj&+l(e<|nwgiIpm1PrK2$@O;W-^=c z;7;r3eLgzx`}vkU5RcaF!364yndz(Omjms=;}=)?!68<9BxG>C40)E?LeJxXoB;6?nPH41Fh#FIP5A+k!@?p9&d?wWA8VX{$1zK-o3X`bLPTZ z-1vxGpB$|-Mpi024O?Fe`YJnGInO)s=@8wC*$z#|p2f3L7y^QW>8PpcDTql(aBy${ zhJbPmMt)8XF&CGIp&=;}2C#V9dTu=mY;0_e4Nu+zafcuZoA42;ckd#eL*Fov=xzJ? zWh&H6P$%B{bAbs?here5Vbpf;Oug>qA{ag6-@kuzb8{o6pAs7r20E*++8fJXF6Q^^ z2>7(_6HO%Ebxg05#PA8yT(5>Go}ZtOcKai76MnHJ#(33<8aOx^)tM;Lzr8RCZbyR!42rB0Z*UBfv z0cZn@;AA+GbT3XJC&71j&a23uF~2`SCk^B9n46mF%GxkLby#-YE2h$U8qV?Tz_~X) z$>NtjN|@f4Kd<16;dHRM9VV{P2>G8=`P`2i-_C)ZU|Sz{cs(~f>hYG@xUDF;zF~x( zbxL8Cn1@cYdG*WPn<*~Pi4$OBi%Upwx}0lTTU$#=z=#IG-~OCf0wb~<8X6jX1Iian zCgZ(*eL!K&u1<{_I1{LrW@Z9gZQ2_yCV(N+swJ?+4fX015D=K?jM(Gj;~PKLE-sC$ zsHn`(%>@Pq#zcLR3;5K!0yL)e!Rb*Cp$1AyN@`6eD$oWO&@~w8>2+Dt%sRqM*j%jbcQKMozSK&|QcZrt_lXz6gR)pGcFs)nAEK&^Cm*1#s6 z(`A)pRF^*=#66Ivq@;kuz`|nH0q4PH;u2iA*?(JQyELj|7pmM4s$9wI_sx0-*uI^) zIi(iBI5Mzjs!bWN^h@6Ru4!dOBZGs)f1C`HzK8nb!MQ9rBqU_xx$l<%lD3!19z57T zzVL_$Zu?!apFck*S}#;+4MgD?Y#G3)EvWgowQ;Aj+UGc9hD}c^$ow^51RGC`kCy|F zkz?s>Anb93GJt0<$kV*rGPJRwgOSEypPQQM+JDR8F6R`Tv?-0hcUGOwmR%2X+K4`V z@2;k8YizW#u%{{W07-j!k>vIw{N4df(?_NjGJ_E+Lp}7zN@pxeT`Yc`=9>(zeQQq_ zLX??+4LszRR;KQU(-5pU9JmU!XQUIY@gTex~2 z!Xa(M@js_~7ngeHa$)YYksa}HVfLZS`{MT88Lfnf{l#WPbD>I9PscB9eRVbBzNTYO z8t8%f3hrONr&sQG@d%H6iAfraDLJ}7vvfOXC~yH;?t^$%Qh94S%Uvh$`6a(>1}@Ca z0anez%)HqY4)D~nA&gB-2KxJFU6L$tTFl(Bvc{}39C;I1{xdwjx!Ou06I;^*9!G#V z0PrZ9tRHL-CbBR-yfsqYr|#%`=jygK8q*}5*JD*g?u&nMvb>MIR6}0(Yc2~~E)cXo z0B#wjUqb6arbkI>>B{mlZDOMf^zz;rzJlzN^i0Cv%(dSa-M{V}trXH+U?x zt}DyQP0r0ZRkyvSWoz+X_#%34qhviyyuVD)b;f$`k`O#@Lh)fX3kqU5^G^J%w_Kp3iQpR`d7bxTj63i6<$InL7XsI#Xk+fE__|| zsG)Hc{J*E?3b?hNHLTDVXT9uF@ZA>6PPN;3o&5U1S#n7(ozH8gXjs-AkNcILdsKOy z2RtAmWG4aF!69TkV#K3>7+jgx1)tZ2_czeH_o)Fv?$4YeWRv17m?3c(7P&-o@wWSQ zkIsiax{e(@5Fw7dOmQmT>yhj`uo8%c-}}gZ`=J(+0mHvnLM|br0ItONQ5w}Vyp3zY zSBM#x#lehFf%i z9W1HE3`9ABa9t}PC_c!FM&tKY1qB4)vfFNQZ9I+x^qNTu(%nK}3=181Ea3ZT8!zOc zz$8J3k96Lb;U8P7cJ1?i@AKY`(eWE$&HMRm_x)J4^Xaa!6R&x>!;9}1>Q?Ck6Fy@5|Lj1wF@JlRVR z!P~`X3RBTqBF(QNBz=8-q|D7t-IC>27ZBgu4qr|@6e7Oob|^(r09B3&K-3fSi)B0B zwI3v{u{+3ciM>8us@-_#XB&jHv$HGF+g)n+xF3q6062-w-|PSOLco_>SbP zZY$H{d<%8W#34IuCvwVLc_={_e9^&{>PO&>{X&yh#HY^@$1@n_#;`xRn$dZ3Fb*}d zs|cY}1ud?E;5JPF-t1rWWO>dY4w03r=VWeXaw;lV9e4sVVq(9;U+Y)sH(#{`!o`7J1ok75;{6M4o-Mv!B3$;V}re;K7(kU zpfeS`wr{IqbpfS>XaL14w|k~g)`12!qd?*7aP@quj>@_z#|}LM!_>mU0)Xf(1_lP? zTN4w}$wl?`w+|0ZfBnMg`K79=s;$k-%GzI#sb+|CX`uTBO>2|btw*o>U2yA=k!Np^ zUG9sO$S$UHPE1TpG~XLL(0spI=zL>gL$&Ls$bDEYp$){}@~dsuQ__<-ej4TZOBkFH2T5h+E z_jQ`mPtKI$gT!Cfe|Z))C1OI*^~a`Yx|yR%riFh*eFP3<3j1wQ;-Mns2K+HOtRjlZ zcB+ex`*uW*zxA4^ongaYC%Gtl!^wWL)y_k-m9=dhZ@q3N1AXu;cDv8*qARxMQ}`l` z6cmLuHQ!>2ii!@;&&l(fnv#8gqFx4L=16AAYLnV9$I9z-%VUVdDy$-Cgg_ISIiick z`TmS3P8Z^jl^1H`!Nx7xgOTHa*S+x^zYT&9;k-w6GGP)ZEXpd_u0#G8M?#_aljj8p z+i|9H>-_EM{wx%~-TKT3C4Q4|cHzGR$C1A9)67r|9PUtb`wn$~{HJ4KZ$`O43ddXc zqKvkQiu}d0UdM_S8)O3G(O#zpc}3hMJm5ufpZZg=>7O)X{B{p=-cmisNMaN;WA^{@ zlu%D$%&|hS#JSb~oWsDrUfFm{tj#NRrW~{_ZUe)|{0V&uX*)6-BZS8P{>Pb{n-rxp z@#WZ;6pMC_wMlFpI_ttUQD^YKcC0QNX8H z;r@>}819G~KVm0;?w1PpPj~?#gb*6r-)OvhA+@bMRS9jg30qFI<&4X#>v#8YalMJ} z#qkfPw(l*hwGwSbAuwgqN_tM3!WrAH@|^NIXbb(zrDcAQ4oX-mLw2j22fAcuhlfpS>z01=)t%kov?RbV zG=8IDV`Bq(3vm7aWVf808ag_3{}KC5!(w8PW7t0U`WF9F2w)3+KofyULSmbb^ceEL zDIhV2{7-Bk@SoTK9R5GlLTHNgzgzwP&#j7A`_8ScEiIpsfhTT3iYQ(cES#`eEu)6K zbSNn)QPa^u5d%-{eiBl=V&&p$wOFA2ERt*I>e`f-*K1tMks)I!Ym}UsdFS5F?q;fH zVL|mHJzvSg!vk>X@)BiwFzb4pCVH zkYUkU3X_R~f`YNJF}}~sC6Lnw_t+iJ7T47=cR$~Q8a2v+giDt1)e#6VwzgFYO%V|h zH8qSIfe;_!3plG`z?H6`V_)GJQp5#E+nLyU zK@Rlw1snc$c63A}F@AAjD-tP`@UhuV>yzZ*P}G8mg~eh zOqwh{Xy`ysxHe_X*pr=`dwR|KzRMr#Yd}B%Kr+XM3j*Tuu_I@ApWi71v#Vv3qv7wI zoE!j4{Mn|Y1eiaXHl`Bma@6TepIwcIJxWVUaR>+~{-mWzB6_8~fFgT^1t0%Z4-JVw z$rAeonA%Cei=+v5AG56#O0MQUuLD%8u* zJb7MS3TQuD9+IoOSaE6T$mnQ9q5qcaTTEk8guAlr#|$(7Z&~jD*XV&a0L27gWS?(D z^V@Lu4-O(l3<&KxRsp?=BLomlHGch?TkzLP1S&%Oho4cu2GF{we7sErK&2)VnLKve zLOwq4`(tTS%>dILkmT&{8an0x8(Uf$j$cqv5EUJbfsP(Kc5;h=h!|H}T>OKLEvXhL z3;{+1OdKd)6sZFCZe~_I%+15IHZ>KKl_i@z3hX=)5fP9g84_l^07VW!*&|{4HHnIr zmVED@?-!t0YM2WR0ek=@ncCV~6BCo-yUD+TfapZi&eXIBFjO+Kz1^X><6|ZJwJy*pu?`@BsXEPEPlo{>X#z z43dfSwN^IEMSjk1{|8|qp>z%hNQmW5A0Kh?uWkqgyb=3=9s#H{5YYpG28jDxTU&=q z4ih}0`@k`xMF!?bKp-0k6bCdzkn;$0Luvc_`=@^c2=OK&NFKKy;C~aO{0NUdTdohc zn4&xuZ7)iEam`W^{vwvAq_0n`-{1mTFU;~z6`9t(;sfXh%(udLqQE)9!Id8RB`b@_ zQ(Ru2uL}LuFW?)Y67CcZ_}A*C1}hv1fA7sjdGJ?$t?wa0TSHqbMD!2ZfCE4X7F3=) zE6mB!H#R0GBKq6dh~a{y8et9??2wMCYH+78avOt?otfF!qa0(2twdxVfN!4@7#Hjz z3fl~$NeI^qVII_gVPQb{ z3J7!KM~4xM0XyyUT~-W`2}Su1Vgp`d4wMZ8Y(phBTjGB@EjDQ22D3D_;vN;oLnZlO z6En~8(r(pYKN;E0*GTpDyXxkHjgIfYu_zM-EH8#8u>#8_t4opRm{Y-uSKDM=dEdi? zFRZ?B)itkQlVO`0)AoVXb`WdDSo*9cqbSS4Bgy0DJWmEk7-pOce{8<+ez7NQAKU4= zMB}3Zy7u>nTewAIA_51ZYFgGH%PDoL^l8;!!#q)D^*IqJ;O zmQa+^gTJMtI?YAm;MMUoI>jw z#6VypcID0t#EG4|PpK6BFDO+EZg1-Y=f}drVgUXto+wUYQqq^6>Wcr0xJ|^?jW{R- zA*+8hU&9?LP5yUB2%wDH0Q1<{bmSBj75x&EkN}kX{tId4b}?-G}9%y-ykSu554GyL#w~Dx>J1Zo@0la&_ zBk(ILqviB1&Ck!r#(wMlM)OzK$%zF*JP(pqUQJDmSR};{(4FAn;mxx0@RX-shIQAE zr*kN(tA~CmL{Ez5s^<-&%h~ma|37sJByP*qiD9MvC+lVHF*>$ zu97y?)!p3O%svPpbBq*MS2Gw|0%a|1Il7xN0OZ09NiDUsaQ1!+A4TTqrQH!WGBo^7 zaE=BsfLa*IJ1vuM^`EXVTVQ^8WqX@A)v#I(7XfM=6YNIU+8TijkS<~>781NL@uz$b z4-Q@kWZcRJBGGj5z?rimy3U_b=hh5M+@XH;Z^gLxQE-|gI&tBpn@Yv3Z8?M!nmkC& zzyCukkm^)63kazJ`Vho)IF6SrsF?p-Sid$s+{+d1Z^x0OzJnt{B}mEqyUK;d#p3_1 zfrakUFAWXA&)ex+^B;PMiUup3I0gUz1%LiuAgBMQx2}G_nQ-qvK>rLFFIKCnjSid; z^M8ZwhWDLnZYo@LY_XFuxxB;VE>}Dktueu-*cUxOUoKoVJe+SmJ12YNEbx*~(6=vF zeMR{It4&1o92h=n#j>YW!i^gEW64XZddt7`B#vqz7Lp%Vl#M;99mwlP_O&!*PHN^N zno}LG#qs9dK=#=$?t&ka*b4dtqNy0uVBcidwBl4ZsK9s1IB77tUxI~7Paqj5ncMd= z>ZkSkXCt`vZP|*lP3FHa-9)6Ot=)yZbEvM#+KSFWOH)ZrOGEb*ZAduPZtYbs`Tr!A z|6c$$U?I7$FXAtqEF7LB;rHi?_L?FZ#q^ROmLtESG$_f_;2Uf^) z7y6>*gik%3n~IgMZH7NG(B7qt*mCB~pcDT(4>8)`(ZTx}AWj4FMD%a~iVf(})5}MS z?3|vSc6a+NSvs@hI(Fvg8yOoHR8&;t<_a3^FV4>ct*9bj;t+y9yodjjv2GN;%s(5PelT!AuAD0GjT9DlRDj zzL(eY9Tv}Q>y`-#6XcTa6>;UR9F*deuC@Yh) z`i$fc1o4UrT9F_a<<|v7pgRKy55Kc%8IVoOIOim5SrfY?DgweqIEecsML1Zk`6EYC z`(5Yg=;*i<5-&qfOy9090XyYNh<;7!JOGT|DF`t{z%k~ASs9Lso8Z}zU@8Y?{Kht! z{?RwiC^zLU2+Wc^uys&>licp0Nw&83Fri;e37{Goh`?>5jZ2izj1u;h9_6*xZMFX93el&?60MT}#Z3g}5N^bxCs^<_Y1 zIkaXz*>V@C8UCw)q}2Gp#EV9o|B(MNZ-&-B6Y^IATJ6QdYCXM619p`xm#+&=$tO)Y3uI*|zMoO~X= zGo2pnoSF;MaOKGHn+jF@^9Z=^*f-(vp;7g#xVUXYV;Y?si2z&mNs9igrS1|vxXVl| zwRvQcvVIkwRb$;|t~^^&XgP_<_op>}V3;3mPywRwRO{VTU_B8i5`APts<9{6(#@&@_%a`u2Kyt|<7})d>;=5h4Y5yOZ7AM^k95+9 z^nwS#E*!6S*{#d|_=hm=7lA(aPT;RC*N=yEE4=88*x!K^me3R#0C!W_B!^q)*%a za{*NdoP(yOMMFm5Z-5>e9uAJ0hUWI}uA#Bf!P(jxIHtK371nxse;XPS(N64}pPrvN zfQEz+s}J7EZ$PTt*C(7IgAwvv9^Iu2E%b7D`y|;JB+{X#uyyI0ObL!Dp742?xOvSw zcdAH%c5hlS$qUVDt-bCp$5ehDAN1Near4>}!@5UWbz|y{t_w zVjBQx0{|b;oF`*aOBxxGSx^JL<}^lj_C-L+k(|7^wx*@5EbIzsEsL~_jrW0Gr<)rG z*5`WYZV>D>4Kp(;j*^zvnE5J@m;rh|M@L6Bwd9$j(cxj@;mg@#MGg)Q0KOXtI&c01 zbKJhz>KPs7r&-`ZMn*;mCZVB;bn1oq`4{M>nE9BPP>e**1%v5>0r)?l>Zw~tB*-o# zEDT1;&cL8r&HL>-%b*efLW@yAk^v|^8GluYow{O*IP(b$3m;n%l97=mQ_BFlR))&& zM)ew44p;R1tcRn=k)0^yfUd)f=c)1H2Ljga56N_b+d6Ua$gmQA-|`%%cHP!=HeyZqHSp z{9L3r0rHhm&a1d?QYi@u4LTjlG4t-Ze|b4GK-U#W`5phz#znPc@p`4wKb51e0czx=e+oVzT~$+q#CyFnp`y?u^+`9SAZ#A z>Ga_%T-5%9Vm3N5vQzNKFEl(dau1z;6P3g95UH>U*7C10-HYi|i(uN-9Rb2q-sIxXz6br4%Wo2|q&_GaEx4qs*ic>O^C04<} z$*p}D)(CemmVyq6_p85wFNa9^B_e&-A={)nI1b;JdKEq--xdQyhHZ8?N0pRQel#}L zQEEp8h6Z7by+_$E(`a1doX5fbl(?4%4*DT`>IWP6$N6vwporLb4G#|2orfO#qMo zDBVALMj>jm#CMZokSh?aNo}*LbqhPF246VC!NMXOPrun*i%9I>vqhNkd&$zcvbU&M z!Iv^XHTmmE_Z!ScQmSa92BW*@`0%;?Ou8fq9a__xweuukiN`KhA@+s~fgC{fWDixZ z0QWi)wP3>>Kj-A+{&!GN5RmTAYUIN57yj;@`xM$#xM<-%Knc(uNXX>g`h%wA1iONQ z)Vuya-F&#TY(`}>~XxzD-JeeV0eyT9t3>izb5zhAHC4H4(9@S93)h$9-cc|!V=amw zE4|np$XNF8Ds9zZxw!As(UD=gG5f*g$m$9I%@x13^6?)Gg8ODfc4^6;z6(y$!7dDx zEwamB6yZh5)7TC;LUc4e8W!{4%~bM5ef-tvjao8q@yGngLH(T%B2~rZ9J4c3RUlK{ zySpE6bvM1H#qSe3=*h6Z4`z9)t!16{lP=0-Y1BqZN?1R&R^?#ZN2pTm}J%=)0F>Qb^ z?rCU9q^r;OfHkboX5_KGy*)VSHo6wvTzl-RLEHslAzzgGsk?hsb@lmN!mgYg_UL&n zbX_&lQK7(uooaN&ojQxCi+{Zy)gT|u2+Qo`=<=a;7HLhR$?1K7VH$`N3Wu2-UlHLiy7)BNh0)H^oga<-%Q z(b3d=MqYr9q2Cz>g=BiV@6-+9d2Sva`B->oMked-wl1_a6%`h?wZpq|yXcm&wzfQV z_lG*4Gr}+Ouh3|FD=HG?4T|WJ0jsX6Lz7aknJI@`=UxDK9-Zj4#%1*L8L>wd2J0RT zeKzehz#_I&v}>ild*@Mal251I!OhISqi(J4Ey<#du&MN!DFORVd%lI6+v}kZRK!1{ zF4?R))q!RI*d~j$;OJ6^%aCBs3@CGouc}37<0?69dN96*|k?B;m>q2!>TvOv=X(?Ye z&O}P^NmN{1Tv}RMSoonZ<7ggoUQ`)wP&j7npZk{mzwM|1u>9+v0tNGUasrdOdtB#w z62rKA^kL;0_P}+nIis5S(0k3|IN-bAkH9sIU*6+`{^NOB1{`X71@MU{YT6lbJY?(^ zcuY|*bCMTqeyG!oMzd~hcsb1SqxAjg0#9^ZmS${Ew)uscF(F}6L4vRv!L+b=dQ85k zw4?YyzP-){l?{IlWZ8_KAKF(X&|h``%!&5#kA|0MZ;ft$G*{zV($>KV-x8;%Fbg5z zp6cpoS1s|BN*i|H~W zc+~q~0}+JC<&@<#G^8@Z9w8ileS92{uC5fow(!l|mPS|+{$DSzTcW0AkW5{M8+tIdcYTJq}w)U*+VCPf44f)dkk!kAPgud7Y4)mu~1Sy`8&gX%a2lQ1IVe_D&p zWhk*z{z~t>=l7D7G@Sf@e2zE&bYLulben0vG;r+Kdt{tVafG?;>E|$T`SI*M`Inky zFbxHG4FFKg;_k};l<Qg3hUZO)|;>s~Smnw_;kkSHiBeiTd2$gmy!HayJB!;@?TI}Zjyt;d(|0D48_ z^real)d0kdl=-8Sl56|UJM55DI`!$6&~Tkj^2O9X+ByWT_tLjn+kd!R7VziQ0juxw zPy?$MHpP_F17GQA)iafK#@F%ByTKz)s*LHzrI4A!?Yw48;=$V(f}Y}H7dkD*gh-}= z(1`|5{@SFR&c4OEz>@&sNDKM-!4fhik#g$#qXb4Krpn1*j@gNg75YdO9Swbb+R0UL zFVqpI#o=cs1wTYMZ3!_UCI~Q(ntmS+q(v{ zRiR=kWQBdfNe^akycf8OV9rLI_PD?9mdv9jgwQlMXXQ?2q2;;Iz2aUd_9Zvm(6+)r zS87}gVQ+HdYT79kT0p-SF0|9e>V4MjYO_?UC~<#z{=vOCdRki0ZeDeh!{VMMr4~B< z=lKnb*8=R8R#r$}NzBv}1qK6B!pSR+fId)U6QL+* zv=6z+=mSf+08AyTgJw>TN*fz zLsD7&j2B~On2)C$CU4_e>+3H|8q*gOVG^}|hzL=BaEZCWzPB^=U_a2>)~+8-;`r2PtnQ_&UE%A|~AA8YQ*5k2(=r$ z@^=#MT8gB)nhWUBUsIzQ3-4|xzsUaMn)g@4J4UMxebSkJ^S&MO=?)s%l9k25LCRkI zDf}=2m8LnXkVrM5Oek8 z{oM?|WrWg9`tM1Nz%^d;!}&hvy`KXzTg@NOIdeBtP@vzGwEm}JjJ`cMuK)3-mih#{ z_%Xa0hIQQ02*6JG*KRbg>C7B;oNL}2GM3pYnLMdpM+I_w|HvQ?*e|MCGWShQNzrm9 z10JfzsDvd3os(W91QHXF)2Gm&{!x&UnygOiEKN;KsroSDI`P9S@M1JI{VomUu0KiI zI(H&^zF z_#uw?0+@j2=hxWM66oPk^ZtEE0#yHy)@OyT_Mq~>G0V%V+GL=utJ_fkeHzf-+oVC@ zc=h-9hjxmz6zP~taMi`lZ7Vxw4~HVkm>GR6JS?oc$|T<9N=#3U+h z9Q@8h!vfCAc-bDC)>2Pn_&ZygmuIhT>6nuWumG zf#_{$8(+>~|i->3T+9-fD4P&)?FjA|1{u6zwC2g1UQSVcvJ zUIj1Wat`5-iSwD%+MLb=z}$L0g@fki09ioe;n2W+r#<=6FO&A~_O<&e&5OMkg{(FF zval=s8^}rfyM9ln%JG%Q?mC;fyAx>-`I=|~_o)$?@N8KV@1)tX*{mOskL z++AN@F3XZA=O05i1duGT)v}__gpb|kVWv@PpQ39v4lNcv%bh2a+q&jWXSN41XJ)f6KUF#o^Iv%;r<;fF#yrSLq8{{U!arf=nQvsD5$Ew zGAp}pks0sN;P2z}Hoy$~O9=;#l5mQ3{ty`+%+Q0P3)m7s=rKm92398f383{4bTl+2 zGZ|h0!YE76-s@(PW|)>mz(d7ivA-t>YeBs5@c7maateM~Zf=;)mNm|c@LkcNtf|1c zTfT`fUldy=pU^Ri*}!=S7!@7<5@3Y?j6nQfybk{pUjlOL^L^8WAc3ZB*Vb%sa)CDy z;3#elN*;dQ{G{Y-R-1)>%2bBMC}YOkIPt7;9NYD5Zf{;@7ksG^nr#D(!MXcKzL|es zWmyFY28>WtnkE&cX=gCEs1V52(L&R-<8##3hG&r*kEQWq0~8kaNO1z-g~HBr34)N; zxy}59onRwwhw)eAYkD$o>w4~JJ@@Mxe3k8}#pXr?WOdLWSs2`o-Qf9c7tg^9O>!D$ zJO8H5Hu>MBOL$r;mD7=)Q|-5}R#)4blF$|u5;AnNvXU0-=!m^^XdJV#k7vZpZyM;o0Qu;;qW7{WdJOfl!Rkqde&urejX;)SzB9!;F*5QHF(E+ zcinJDXA7Kvh)=TnPvwn_7@c4$neDI0n3&24Z5^GJkJ#)dR4ZHHGn11$eetTAcux7f z$dE$0I;u!pSJxX%R}{5#%5B?n&$9tsHTLi2Q~Ji>9Z8?c`Nagu`;?^oDM$Q^Qw-%c ztKo0QcLqxAOi>A(U9L_)Nft`rxWQ~p!wCocE!gLP`UV656b~se=G{$5d%tqE;C?6R z{SlfBFmn`l|C+4LknrS_mVS4br=BhjbF^&l#--=}*0y+SZEJgh>)N$z+}uRudGpAQI$NjkwvKYr%9sgSl8j_&Rj^hkd!nsqZ9C7M;#W$2Fui zx;h}wSBBQjs70@?+GpD_8DAG72AK^)({Rhr>VM40K92!W0_9Cs1H4{3<^*2zAUsTFvHL(tVpP?gB^j3l{cEby9b9_PhX=5>E4al58>`owHk!O zb%J+$cUN$6JrmdE9gv0-w(6CeKI!v zBv`MC*Ewdp(H5=Qm%Ns>of64%klSXcjh8p}6{jn{lQ>-?x$c>Kd2ew_cZ{iD;%C>X z3L(oAfXMChpMRDMriiYdCze<)C@27O40Kb_G54oO?nm4$!q}CdX$n558>76>1zovm z)7z-Xyzt@$(fWA_heepl#B9vlww|B-)WFY%j-lKHF^WVQQi)wAcw8%?8IUep8OMjs z9$zD(*tZxxRix2sI7V%1lL%h*8*IuKIc{k_cRA}aPOnycVX^n2U`pR2AmE>|=dIiF zZ`ewTS=LPm+-REzKUe2Ni-o~c#SC+ZxccxCt9h-P)Y0C`VV|wXn7$|0D#g{dF6*y3 zaViegbUh)JYgua^@iivFn4PVw=3z78MD+0|k?o`02a8kD-wqHy-Lb>fnFVje#y8@S zn!XEkp3i6K7QYqVY=|2wZFKdklPK&|!M1(d3MZ#HP&d{4s{-_8ntIQnD}bt^7uU6J z=C#K1i|n1%z#V?GUu1{3zRX;ijz~c}|J`6kMGk&bbWZm6f{altF}A-d7e~v9T}(_& zfNn`iPS)fPP*YbI41Oa`T$j(5FRBNJNF~xyFhySn4#QBHTSjkcdyj$S?dj=(@JL)* zU0odj14aDwwY9aPl9G!oETv#2VrIU2CvQ0JtH93oHjGk*EgFrmyTkx&9c9Vx?(W!_ zzMxR%viZGxeZYi6%)??eON2TOvFgNaau!6Hf>3I~GXIr3P$s-m9#}cMd#|mpgBEZd zlrTcbvAMaq{hoz3F_wLv7zs4au|B_CJ-Zn->M;Btm34R_g zg>HRJf|4BtC8W=$a&&CWr^#%G<>=?np8!y>VQoO>QKly+vq9Y961t5JXL5Y|TJ%*X z9O{*ztwI7Rc?W~J;IyR!Jdf&qO-=BFO%4vaAkFWAg^^M?WQ;}q+c{=<;zO_>!EVqf zsvD(#`6)q2kU)=;C0i{{Fwz40>38;wJG=RFcKD-r*pWHi^O{R;Ubl>5|GF6ISy`PQ zJ%W?T&cT6+k&)`3Ovtl78(`5YP5wm+;r&M%#$EZ}-bQ#ly(GgV*od>Y5w8wc2Cf;s zJoDdW+PI3^uqUKgkAF*v#diGHzu|XMqhW8!Xj$cG(~!RBu-PN>t}6^!@*?|E$g)z zz4xz#PGfxUZq1 zp{hz!V+|gzh7JYGw%C%I8vUaP;*f#l_;5z3#Gn1H#B|ReSlIShZtkLI2AbHO0CO-L z6D1*rR0dDa=(DHcA`5+H==h4Mxj-F1tn(LQ)bitiVeJNurQ+&0aiWVo;Gi^o3dT8j z#!C@w+&Zt5lD;^8ZU!4BJmlBmL_xG4=aoAqtr#zgyGJ;3F#56I%MD#aHir{eK-qPs0Yya9WyKsjtd;EWuvP>R?q!(&xfM?pNs z#>v||1raGE8l0vkuz~mGrD3h}jI?k}&zb86&UQMe#ni{Ey?(b58!d$|y#0SRw@7>L zm66Dwe9_!gTg;&69$Cz{A?2As(>ZN@p~Go0Vy^-(1^+8ej{-s4I$w%#9SkZf zidz{)q59pkc)k_9T<8&0oS(Q*5mry^og5KbaAL$_L+oH^W@cz$!tuk@$joHxYy|fB z5nd>93u{rR)a941oINIOsjbcBXd7({A4MglP2Xfmgc>Pxs(_wflPtf1-B*!vK7qb# z=fqQiT?)3`iR=Gn^`c@hR(AJQDDwPEOm1>YO6%SaU0m=*je;Qjq6TC!jafb9^Xb~Z znzYf1F_Sln6U1j(g@<0h%*o`*F#)0@gU4zXTaBH)J+X5P7dAYreM;;4S+Q4ZUrc{A zM_@cm%k@#8zM(XkjRDujXc+V z=@J#0O!w~kcGIaR9|QQBr&S)@Zf;#R+0HP*pConp^Y%5T89PH0H(9uz%sG-$}?N<#%Rsb8r=p^dk`qmucOiHU+yBq!J%sViUUByAga`UZ#c)fIASj~e&Bdvpm{S;8iNiL(c1e`em(H{x+#xy+YW_#Dsth1 zP?2x<#^%wFknZYb&n56C(T7sv#WB%?Ct7|j_3Z_-lNW&p!z~RfG0q1aYt7r6GEBT) zXHb)V?{RJ|FhIe+MS2ZC++@;lI__;~!7P~{tglILw#wZ5elk8gaFm$0Be+$A{p0L~ zt(zbJxTf{)fCo45U52t=#LPYb8njvVtb5*-W2kw@x<@%{_ueI?GX69RTwiHfSMhC! z!L3;fIa~UMhDa1josE~*!Nx|h>5EP6Bm?6^M-LBL$Y33k#@pV9OZA739?PHVcK=s`1|(>*>2y&R9SErr+6;1Kt`q$xQk6~ zEO9p4@QQEP=P(hUT#%-RLC~582DsQvN{ZNzleBa8dD5>!+`-^iT~(Fv<_!fISzNzi zXh~HS^>eV4%a=xI6Jf)@#^Da)nwlEuf8DhKIVfK>(bKyL9Zp6@87dYDde+cT)=S+z zElbEqvK`6|)-{^$qA%khl7cUI9|xI6ND78m+?C_7`Ewl|_%AyPz$yQMoTj*_==LGk zbGF%4Em|cfN5@F&er-QDH>znyW@hM;TD7iJ)YW-Cd>E<%2q{*)DvETOSqy?X$gv%X z1SrC#qQIdgT~ ziz{5dt*GmNle{xd%3k)1%Q4|C*qTxg5p$btzEA~i6N1Et?g(l!(PbNrB=l-AX{uB! z;ZWZ`NHj?%N2NgxOW`bOtUk*;f$)1t9i=nYW(@ShvdXx>bRFmh+!qsq<^R>_1BtOS z76X$ha7EY4%S%5%6NbIc5&&tgXbaw9pV;^~R;Ijnj5&wF~)J7g3c+elUC8HD>*M5dN7 z*WU!k|0#X3qfUM#>E1p)o4O%gxz7_QBeg%Db@=r^s#cFLlR4&<@r)Om^YJHi{Qdod zcnQ?W^pzH(1PEqQRz(1}fc5L0k@}6SJ=xezW!>M>J4S7}wPVl@LeggCmy0{1<7Kc%&=DIp%aLLqXWyyiw2)fg? z{AzO|)#USp3ZcB2HtIl%&=-M;U#&*gj%;{%nDL;8B&wHbw)SYFW;7oQ5D7930<_n% z;8~5Cflwisl#!7E6YaS}T0iUVK_;|gS#oDY2e8gV#b4!e;9lociwh0K?+FVJx5~py zByPJo=h0wgWtFbZ8DCgii}}$Sa!s|E#xm>!0GP|yua`hX0Mv|>FU&9lUj7$lJy0Te zB%#tDJq%2MGKF@rxa=P{uX-miF!E)d>l1SCf`jqK7>DM%VlrU5Jg$?3%T?Tuq`%NU z>mu-;UPFz6iSXME9YhAewA@^dMQ!lKKp>&Qi&Wy^>D8z-(qo|kNznXmvp>u)EnO6$ zp`|S(KJ&)V*-jsY+FZVm+8SIs-VGW!{L^lJc@xdDhe(`{ih821PCl72bG%zS+l__6?T)1-W9Z{MwqXWtrkwfXxBW`3e z*=P6q?Mu&op97w|vvS$j@u#WLV$3P6K1oH3+75)p$&1uaBG;i)5+cy>uzaNowoMyEB!F zWLLA}m{Z&w*Xl_|po9A9JDqLl?R(V38n`jFX*fBR(CJdewYwpddbg#xF=%*Y+e?xM z(X{Q;gb#L5y`DS8HV+y~w5cE08t0G%x+o$@257MX@w*R?O#B)WKZp5+46XPQDG5Oe zxI|sPI1x)`radC5TXw(Xqq^<)#Icba2!B;(5}H)?ggTrKBq3|C>*vxp-<$tR$h)F_ zyQI#}-t^#l1Nl&KW78~3Lo$^rZP+Xbv-@B>I&g9?eUxq%LgBOG=VF}t7mSlcFt6L^ zjAL!avu9r6Ov{o+Nws-Y6dy%h`Mt6Wg=%s$ybiA1-~P*BL}eLzA1sBpYzIZnG%q0* zomM!T>(=@;oR5fJIJcx>a3f-v;)o`G?K*hV3qmOEZQtDHHU=XU!Q&HE+)&#DRiKz( znAaKYwax47zo*KDWZF2|lQ~@cbFw|j|2qGe?{zJl6g@pE^E@IV9$>@Jx)pdViPL2( zk>DwIs5W{5j5-_|1;BeIBqU5tnWU@dNjKb9Cvb&`w4EIxu1a22YXy2;Fn-zP76AbP z<(-%LqAdWvwVc3_mj_nYTSXNbX*e382KH&`mSG^~iy!{Le za-qr!zF@c^ymAL*dplrW^&nmJf)u)rWEFae)mcZ_f;mvI&dcxI;GiOkjVgqa%ryb! zY7sp9+Bk|N?T|3bJ_f1?F2-mKcP$qS#$d{;!la|nskWudC;e`Z6&{J$hL(h8@tT;} z&u`cH_{PS^b~a_;4M3vLlpC89MVzXOs@b_-Z#$OE4kY zMe059-)M(JnU=%Bdl-MJ(+xc{8L0i%6Y_v#2~H^%3LZc+RpsSBJR07-c>`lL=HxHW zLPaPWcMxV26HixH*9uJoW_$jUnh5w6*!7F_{3Als>{78kd|R4HKFaR5m>;sqTq%{l z^GvpI4NuG50V-9f3_dUu@zbw|&EjSZ{dZc{YqoOZcmrf6S@DIhQBuKQF(Uyo09XAp z2QwRipQ}d8n?NYwNRSX$YzgFaw!&V+@)y-Q)=h5!^%q+5{=F3(WdQ*JJI2vtXu1b~ zV~9`^$y!P(D&l0#&CMS@dIYR9WE!={Cnt?fP47_`6y@iC?eEW>ECdZHIP)%CQ$4Tp z<40}4f%dC9)~jS#cmv=8!YG^Pyw|R+udcrCN`%|`D_Sr_DON@CA%A&bAxf$GviqSR zJ?V!ZC}`I%`vy(nZe9@x92|zh`*%L`e`*&0Z>D-!rT=D5{`aZS|4*(8->ec(Cxjf2 z{OUhH?{xu5NfR*BWCEZD@cz$_iN_KD2xihi1sagTq^alqO;u1Xi(Rj>n&!`-u|JbXk$J9Wt{$>3s)ZrM$Tcm_4p@VdgE={_CQlz&~15%_IAks@h z??UK=5(pFinR%I6v(`LhCHLmulXFk`&i?kio%VGA?8iO!5y%?y8MkB)$ybk7Iz89_g!8YxZk+(u=DzL zlZIRM(~TS9PhKm^zw=f&q=!qCp>#3{~D z3c?wgJgq*F^NFzQ&x)WY$=4@cXWcgba`+w&NCKWqEmh zP7Z6k9L4$3Q^M7e4i7DVG&D?Bg27-T<(`(w)hrqB5&W^))i?kuyDhksuZ@cIs=_+*J-{-n^-QUcYdtzaJXKwA!#l^80`19lA zW9%6+a1MWgyh6{QP&jNGP)SKi_x*bt!PdQe^-OV(7m1Htq8NXK{v4f@B0QhM1LZgt zplu}_n?XZMdp?sJ!Rpf|A}WfDD_lc2xx*YL1&r!GB$j(GleH{!vQ=kgWwjMJ2j%Wk zsCpD>qAH;|HL+l6zNNa6tj~_P?j!q5DZ4V@XZP!(BRk~v^wO@Z({gj?8`ft#{11v` zKT_lugDykg4g?&`KyinY|1cjLbl!6m^@*St^#?wSv|t>fRksBLtlA7tF`uKIKckvH$8rq7R=%oVV1Z*Ds-+tC7A2zRUWLat{OaNtbg^y(#FOn0M{8tIx#)H z$z>?l3trV-#%0Ph981F ztoC9*VN^~3vuRrRG974=oaMvb^z1Aq*ZW)5W5?o(Tp7E@IDhW`O;(4n|!~Ydc>Z*k*^hWhZWs8CaB!!~84? z)mbHGqMs;g+1Zsy&=PYwEgWr*iaSmT%^z1ZHlF5dsXlGn2Gh>8j1J9;%ub{_*Z&z< zgjo;dp0Lm;`2E!?4k{}PU3h&rjD%WG*{C?=^ zOy>f3{Wr$r;N*n0|#86+w)!&t zn7Tc_9{^u(t-Vt*Hoa`E%k2b7WcIa1+5zCr@L^)bk#tdTSw+Rr{1b_Ii`RH;gYStG zjxe;H%6B+8j+U%!uMV9t=w`Ml!H51RQ`rOl_V)Vv!HkTI3m@}OM8TT=#-t6zHTZ9g zAu$VYzaO-NPF0@nJMB@CGfVDO{P@^t3>sn-#xC(q6hIu7QWCfXH=k(+>rRhrO~_r+k;&$C#y%5L~V-RQC!m# z_c`R~`}C?!K3;-lr=i-*gTmPN@7_%f7pV9l>;>im>UCK-0QU-cc+y~E@RK!Nzy_M1)*$CYWs9)AjBvXXI%I5Q4;VG8%D zX8{GETh=AFwtGQ4QR`r~Ug-9e#nwc5ZJJrYH0f_bkIodTXI_Ze86e^NErC}7SA2dw zzgUpnZ@Q3ZwDA@5Y4l$!HVXv&Pz}wNuDd67$5nOeK#loj!a*yVGhJ~3uuc>}DxYE8 z=#nQmMge}Rk+m^Of(y}H@1B&H^Xe)hk3nt>7x-rl^!3-bR?w1y1@BX9YFdL@9-Yn%Mk)5@#!O6uIXws!l>%MM;TzDjmf+hO%<>~C)|>{6aG>fNN} zS(C-?#_r^V!DW*MPSf3eJC`lXiN)*RuRT{CV+yPAnXX0`>KN@`Uc`Rw>-uTbcih*8 z>Twh4{6HtHCUqK$O(O75nM?Tek_Ys(PuQs1Z&Rt@l{x!keXmzBr!v2&aj9(N43TtOiJT3@lYzf8=DLW*_LTx7%N#d|hQ8%$6S)n1(~K@o$zFwoai(JjcF`6_jr zwG>Tm9XR0ljq|U_`0qC>B8odcEz$*0Xuf{a?d*8hF4#dW<9UCt`_i+M2FGcU-SE0M zi~!jsaytkzM^@Z+fIe3Mfk62C0WK57+5Gn8%}zP|9cP=zL7bCM%M)}dEj;J_8~9CI z8wKCZ1qUNad3C3#=pHU-&st^%|M?*Yug+bkRPb|2c=)<^iipJJJJ|6qmZZu;o;8w* zL~u&-1$Scny>$!EDlTScd#8GA$kq5~1*2^LzB+y7bR~Oy8X23|VD6hXOxVc8rOI|V z8;c0ykGoRM*UMc^HQ0QHwhj5k$0CUAU-MLqs-w3Cy$2LUzQa>H-)>crEo~Ag9I{T- zB>aGpJb1s;i~UZclxiUwJt#51?Yu2o3Uu7m20IqPt<4;9*`Zp7M}>$nl!^Is-{qH4 z59w3=#)`GY{m(x-w+jCwzWsnZ|G{#$LyyUcCmfdN+6CCts4B+mSNKejzw((8-V-yWhoj?@lAdSSVHeYt8PH zcbrpSQceB#mDtvWB;Ta+?Qi{PGJr}Jj1_{0F(Z&T6MFBKlw4y7blJ?vx-+nrF4w!K zNPbCFA>e9oIoN*{LkdC}>H7Q|gGk9J_HZj64#E6Poz} zzR$%$bZ>)%L}4XJzWF8j9d9PPv|H5J+rUqlJc_$hqDQyQ1NHmbtL3!<|0UE<5~4wG z20wU;Q&$uZB|Ui`x!g{t3QrVhSvNCnNLkO)A^}=aVCvgj0`tp()0XXX{zD=)BIOc{ zHTwqquuah1hgF&sQ+jhr;ZO7;PFb1V6qXc}%#oxqntSXr^qoIs{~hU9j+&-ZBBB~v zfUXjm1|NrAo`!r_U4b8cFj3fb)3Rc5Zo_bVq`T#h)vA)X2qF_F^ z*TZdc)YRiR?Wq^Z992RYS@BFG^ozgXi*!(XcB996Pr4Uwq9`}WMp!mQZZJ_ym9HFI zSKZG7X<*PMFM~Idb?B?ElNKdFwZ1J*W#hkHk)=@3h^_{O~J#^C2)%v2q?A^U(L4 zx&TuUO+^O3c{@07(Kc8ucLZ!cASwQr%%;h=NXh&8PE5&F=(@mPpv$sD42Lq!)$bI_ zP}xPmorDdGZ)#U>DI&N}6(4KsximFnTq%T!e{>N4co#||rgJ-t0UBj9Q>Q2fCty=o zZElM@qFHX!9^WTYb6tDbIY;AjlZ8r#V4D{ID8`~!q0>P+flHnKeX}o} zG+@8;hlE|{X>4a`%-u=5>-|ce~ zl(N|MPyV?X!JTTeC4IUdGD|LEBeKmSjlck_hfiYe&Y%9n?pD#68r$xd$v6N5|6q54 zmV<-k4_d4lUjO9GVyNj-*<3<>0DA7!N+B*>= z=hF9dC>tU*Y)ZOHGu0?;RmKhw<*4bLo^ahsxE%EiuqD6jSTBd3(2}Ob!Ah2YmQO@A ztYKM8pYeKhmX6z>?AFEnj1sSr?2;Dg(p|X7H*%iZ@aP>c5&Kg^hRCU1CbMADPPfbJ zBtdLDRztxHjG9^XUIx|t&HGQ8wBIkqnl9zILw*YeSRUsoY)Sj}{8WjrpMa50pi(Tj zQj}743~d_ta-10gW{CdFCzXngy?tNidsUJ#$xZacmsNG$)6hR`N`m?Qwg+fXymhYh z$kQzp0wEr5qns0CsJ1X)?CdmU;eF=qOwBxIJ|4sB+_W!Xba^ffbldw>ZV2zOkI$|<7X>?ZH6KrmOj%}| zXp9}fnthFJz(YBQx245B75PNzebJ{+(ku#kVj7mpzOqOeJE&kCVdcR1sZAX~8602_ zh-a?q@;Gjz!`C@aGBQ>H*h%x0DwE zZ8;<2Yj)zEBKV#)RCh&~lw~jK%nb1}IgY~M(B;lE-S?*U;OxECzT_myG7I+4hzB-NQ`S*OrTsYOnkJ$5(JDwj+8ivG zbd@)HeCO95CFjLAhqjK7eE*o<14iejZT3HOfBqbOsZaF$XCbBdQc*9zybWo+fchYR zTcQLVp8(H3% zo%~YSihD~7+W)w`HWwL278{$2=_bD|(?hAd)B0fj8RJ%cm2X=RV{Ajcr#@IEGw>-< zMW>0TUQ2x)R^R4*IvY~{zn)9;B<5P6ek7(+!pMD2jaGn=k?zcu2Z0x8Z$i21g^1G> zkuY9hB`6K2)_>>Zfjo-O_6<4MR&t+qag7Ss9idFIlokgG3BeC9n|$f>kav^6HBxTT zK=JsJ{ss4M{^b5*xW<^`{G0%fM1%9x4M!_ybThpnDrnz24*_bvg^H3T3%~J-xkWm+ zcyDVqwl?s|6~h0!8*-WBC%WeJ z(AWz;DqFw;KriBFJD)SYTnXa?@-B`V?cgppTa^E8!6k?*7OHh9Wt6zAJk#;-PSP9iEqPh` zzHo7Wea{)-va<`{ow=;cZTv~0&?+&wfJ-+5(jguk(%Tz0ol6< zr98-$xfCNI84Sy*hcy^kXuIaW2Ti&~lTWs-AM8fsT&e^)1e{zTI~`JMwijSM z1hLWAZ_vr*fW~`s26?1g<}m_G?>s%bYZw?in>rv%0%xE^WtU9M+#z*fI~rClW8ZXl zTGv$P153FH78U577Mm^I`P+!jEE~ucFF8Kz?5Wx9c7Acp3Lm_Z13TU8GP|P_N`VZn z3SF3eQgqMnzUafRr1O!{R#C%0N^U~$&3e<_ecC?E3Sw3^c%8`Ryj@-jP#n<=JlDZ> zkO%y20CePD^yf|i2ps0w;>EV_lYpj!-|KrwMaEr^{n;>0UCZ;EJ%D9VA5BlsC4*Ub zud$(f9%hsTN!R_dweO=Hen}L2=@YbDF}l3d(EH?&K7ly;VXZA75Yn9Upq%B5`l^FeL7B%tf* zyH!*MT~77n#4b#yH{M`2j0o5SE`p!0L770_!5Bk0+SJD*nK+UzxswOI580~xedDLY!bK-C4L(@7GyH71nyYY!*-sPkGMQo? zd~6_96lqi}9GMw$G>|%j{_7L)#S9KkOpI8oV8;!|`xp`Iqb>}pDtc+zGL6WgI%(J8 zaYrL@NHxuyG^36_9$Kf8`rM0+w24eTOR@K>6T=ghvl^r{G}hBS-r6wo;B9`(NbEV&56SLD6i`&ds7p?%uE`gWUXg-mFiCPuR+54?Bv{GbR z;Bie#3_ZjHI58tC2)EBeQ!xR5o1xW_RB_Y~>MUyW zuA9o6g8I5+N%_bGm&fHTUCr67NDsVLm))?fQPaorlon6;tSorCN)_b&vF%Okcj}oD z52@H zW2XN5cY*U0c0~?b<+ew!=EDU)9UUKyYND3oK~BAKEG>;_H=K&&TCoUjSf>&-z_W_2 zygCrg6!C<$#GN%Vxo+MPPNv+gDGEFg-QxdQ{rQU@0J^Me<~as)2AR`vDob)Oodnn8 z$9O>H+VQ;Rt81%V9RYEzgvgIk4g7 zbDol9GSS)Dk=UNonTo^Anme2@H)y$sm~8abEp~l2Mt?D+QZSaAzgUy-pJUvG5;Yy8 zO&ugpzs8nC8EGI~Q9iIqWsNJHQfA*wiMI_`I1XI4cM5j5RAa_u^bG{tr-0iI7BMY3e#2vu8 zX0iZvE)`qAMOAERUqgAXAs>oiD`JhT)(DWSZ*%z2*Js)gu`&4ZF*td(`N8H!$>>mV zd`#&kIe&xe>Jk@9CGmk&L|j-;7n_LzywJqb_SW_Hyi$* zW+twy*Rc-qN!rAA>|NlW!g;)_k&N`D2CTbm^a-^a6YFC- zuk1SQ^lSrvot~a!6*6E)2fOC3Idc%Jf+@&7tK-iS8=e%plRG3L;#St;0Eahk6~Rhz zf*3FNN`G7%70|P-L)G0Ev#u#;l|&cN-SY^zm~7yb*F!zwWHX`FFs&gLZcLO6+1C#r zk14D1DjE%AphUs9zDe;cgt}M1UkTrSF>A*p+uHLxDpD*<2IB7AG#{;)oTojTZ3t7)#%<1*)p@g}+ggEjQ9BZGQj1eIHk@xD z-KPS$xvR63!A6TVCFzVTlp@FXKAO8T`5##~U;+R?w?EIyagNzyV4A7q3`-#NCqnLW z4}y*E4YZ>MtJjihyzo29y9Yu3`~f@LvqQKe-X0TkdzSE7<4b*PQV^ZTRC#TpjgZ<@{BUKRyVxjk-GeK4>U27q@L!mqBTu>j~>p z)h-o)s4+_PmlTS^EC+A4tmDsMYlHma?&oT}0x_sU4_^p2KeJp0WDRWCfpz{-b$>Rm zAyGf`b>FIN`GSX+sr}cEiA)cEvf#>ge0;g=N6B=L8Z%fOKyI}7mC129)UD+&LqpGK zJ#1m_-av*u=5N2P(Z^*+-^KNK)SNpdlaZk%^*SHy%)O`ai0WAEEdi29X%(!Lr5iYx z^^*Jn7}^a#M|neA{Q1Ys=XpSo%41en%OFibTd*N#0E6xqOssD@;yI~tiA2k{Uo|Gm z+PZHYJpfx}0M5yPE{1*Wu0Q2PwH*^>^L9GmfoiR?$w2AIk1AQ01GTdiie5{`rGr`S zA+wUsd9m(0C9);lp2~wZjiLaJ8XleADF%R+Tl7!I9yHHTydqIXdLrbED+PLZ;Z5tx z@WNEPxUAip z#V~_5J)>0KrZ|`N)YSL-+6F1H%%W(d9IN|@jC051(jihK2fZ=XKW}2E_dX*W__jr; ze15G;%j>MgqtXgXpmSI$UYOwR!2!)IMsO;?KqVDdSY3`)&BXjh}bG7 z+rc^>ou@|5o=Mc|4C0U>HC|7JXifIK7(T#E4Fn$?rkhApGv@*uAA4uy42~W*aoP3z zqhAX09QvsednCr0p66s#3ytM@1#EM+VAZ_btdBr-rAuFTLc^Zz2Kd>k2dq9O}``bPqR0FiYEXgn3{=D1XNin<=epuB_x#CdR-~#w&ikKCr?p?$;6~EgtQ+Qh zO5Y%6cV^d6Xek}OkxUzjfgE%2kT|X+ws4@WL$+6_RJIxkWtDYcYdRF)a&oAR8Q|Oc zw_Vk`WS{BVr562h0yV>r%F<%BSXPaSSm=eNOp%*%X#2b-XX#fS?9am7gmq`6$+{WmhM#N%(3D^iX0$^ z)w)2J!Y=%Le0(*iZJfajkbL@a0`tHn2SI^qvC`GnU3zlo{iZPZ6|k(FcTIKnJrwT< zr%Be;|6V?vpU0>7)13$eL^5o)-S_gp9Z@XS0M&QZPDDLyQp-o!NNcABjsB8Z6M2$$ z-#Q&p)m)y8Kt|^W%_F@*P*KBGs!%@G!x3O!WvhW#hfek+l1csSR7R`3*2_G z{yxZHYHmQgpWFXbJ!>2F(*@HLuI%Z27hgMab{MOxZDKVXXS?N=ZsKa%$Cx3VwTC!> zAU~5(o%BIQG(M+~^~coAiY5y0zZT$J=^T%euFx^oH&>5U*VTHr^iC3ELj?)`0HoP; zea6MPy}o~l8AM->#66+itV<=Zy~QrU-8O|;FD3Wxb0MPkX2H@J5WZ$2Zo;#X)7AIF zof?zVucYy{vHU}WSl!1dA%LP?grf1rj^jxzyuU9R!OJH)bP*y~?8m&oT%l+DZeh2) zrC{*!ewD9ocvGa2re1`H(o0>_3}-sVjO-7V6`cvrFO~IOG-PP2QzxK+wGS)XGEj?z z-8qjqBm5!=j}~wLI2NW^IeP{?+}@~2!Zuw&iw5;&I->k`DhGQlI+OOedHQPTaxO~5 z!d0fgAdkx9W=S^B%>sCBZ(!k)Ck9oF?&?i^ogR$X-J@izz_$wh)Kq?K2L=| zO$88^^3qc)jV_HeInpe4Cs(@%R}_0qQcZY#rb$+x$1UDRy9aojywR+vc4OY)H0YuW zG=&gscjQ!#+2blp0%*=$p3FN3Ui1b!&hEfD$Ls>fR~=tRLPG@tgzA*je0ArjA@p{& z^d9*llhdEqZ0UMQ-2DBvT}f&ii>m~4q_j8Zw99IT1CCBLA%DKiR{?3&V1;YqpfF0i zFGdc~TcYh%Q(>A*XVjr+ocfWP&DR7Mr#5Hg)Xoy)ZfD?#$7al;S{11R@xGI>;{eN% z@uoe{VNt7sH#?ZH&E}E766?9o?ecjYrIGRRp z#Fcg6m&#t5kL4PDI$bo4YEEj1Ln7IVU@K<` zz<%?>-HrbQIiH4#qS!FPwCK*SD>QIYUkQdgcanQ;rT2B$whF~S#ifFn4$`^mEnBy5 z2-2ecmmq}*JBs?&(uRucy|1|qol+gYmFpZO?=^PIp8OU(p?cm(_Uhr`FZDgg4(VNl zgw|SqPB;9MulkN+Ep@D{X{&n0&@n_^Qtofl_Ob!`a|?NRDDlM|EMUnoKM&do2QA4Q zohl`(sC>5*su8a^>l>K;zaB4dTDzr3Lk@*d^KcR zfXG?jdyi2x6lmp6(Ou9<^3;k;&+zSSz>(&-9bwM-PdB~*O-@1inR;M%E~VCeFaj85sH$x)@wkN@l?o_N=)uN zkRUn|O*aK7ZW6!U2=yGGVWz?^^GnDxA5Jbd@0hs^-ng(~b4rRo_5_4dlzfXVZ1@b& z5IW;$_>kZGs*+m8B5kq9Qr4Q6^#OA|?Ym*mrh#V@g16zU9iMdE)(#)Rv-HDnSwG;r zY0Z5pn!gpRc2X1R+e+A`mLj*Taof1FD6-xLiTtR92EJlx4<7KVvR$Gl^=aptXS>Un zN`B`gpVEy^sfj|t@7HOt4M;hjHJd_JC64*^Hsv*~|LWz3@FT1slWi>+sX@&3UWt^j z+wnL%&q_BiZ>5+0V>^{9;j#*8GBUD>i3w=+z0yXR{NZ96IyxgeJG=Ru6XY~DvK%;P zU&-QB{rRGbpHau!Q{&m|x|=jPgc}Il`<(m?$&b@8pLrZlmq>Yw5JFl6NPM3ZyrQo? z6e*`iD1DB%NHZ79KxX9{HFk%=J%P^is>&CDY~-wsb20=TB|9|nKu?6SLuhgjPTSCXhe%&VxRa1oF3Bti=5f`!nFM+ zTKuTV2N3$+jonlrYjSGp!|Li06_r9{o~FM)9QlF%i~RTSf%G`apl{#HAEaZeEV?eR zIE&*%T3p}NoW+TTU@hejDcA?cJhA51xa!Rb7Kh`Pr;cZb-n#EkCyqdys&C#zBj=+k z<-sX6H8tIzlI&i47DdNGoa`F(>qdPnO`M_(pQO@HRkh)>WU*6La^E7mLFdEqj-!R@ zFoNtY@Iuv~);6}>s9{L+lAWNde4(S01R;oDuo#r*_~AWix4_jVE85*yBRh+!fac>Y zO!;nIEMR84$zNUE$~tH~`$K)ZiFeIz%u#p_Jn~(kgLEMNLMbR0rohuKH2+!kGhglZ zUnQq+5km}4(@iO{KmMZtH}g5OSCM z(oPV~!9H%j1yRgL3$}eI(#Sr*<@z1GM%CCvV`l0RliZi5y&xDtEQoU;$Yq;fkoEsb z;e}tS6<*Pi720${iExxu1j+0nR-A%r66XTw7m`7amFPg`TD{xU^%@YqUm`p=$ro!} zmzB*T+g%oeoj<9mzq)b>y#xatNB6}M1Efao-~ror>$pX6`_HxIKiRkMMTvWEpUIL< zbbTtbduZ|cN8fZU*xyvWF*x_pdDG zdk*dkhy2cYoJCh@wL*9ajV=IqwBmOTLaRUn$PQG)aDtilGc**z4nm1VPwB|5k{U=Du>x^h3C z;Fe`&Z~$%O*w62#n|rYEi*I)_mNxH&r$}(k0EFSU$u=XaBAFg@+*HX2D6q+R{Z-jX zeD}6*~FE+>QB41ULm}BI=$Ucuwp_g_oL00W-RASPrTchsF zd}nm3+6w;S*|TQ{o%d0QZ-HBrl?@D{wxVAt)KCUb;^-~1ZdS3E9imzbPv_~2 zq1>N3&#vW4$V{MTg{P*MmgFvS?{Nb%ibJkL*nGF|i=2d$uccCs(pTbNEMUO7U>U9&o`)SjfJy(Lb?6@mSTGt?L>EUhc%eJGg zb&1CuQIy(>-PY0+0hFo)o%JDC{+BOQs8;XVE3R*^Pu%Rs2(g{!?@qIIRe_fke33DGy z?`hQ&vyWd}U&r0z5yKLPZ{5wwt$a9^y#Js-Vcs~l2Q52nnt4o)!Yq_PeNV$xfir(0 zD6Ck9l*Px%v9};p&j>;C9fngzS+$Fm?3NvcHLBPUX>oKav}MB-Hm|0qZ9Fh=TZS`i z?lax#i=13(8_X?E=dz?3v*VitMf(!Gz|^@!p6`}I6-e(5cgHADV9FVfa>8AFVKnk> z9dzsDh*nzG)y}dBGf0P>zevJdTn#ov(J*!{p6)LPn7(=TisIi`@LNP0OyM;_k$#U9 zBgsHz^9`x+SZu6KOhN)D_((5AWnR+is^+}Tqt}POfFS19;&W2+w!pEG$JVwyO+EGB ze3;$vfs>AytBp!qhbQj|puv{eo>-_1w{LNRjk5oe>gsKBJ2u2T!q3 zM`KQC-{a<-AK!$;;z+q>#$R*azh0j(7R5v}1037)9La4LtAYUI`}-U(t-k{}eiS+I zOob@>J)a|}=M&`;$cJ^ePXcyNE)pKpvH3=5Wf0Wbo%IxKB8tk2RI;SOJ+YIw*BwdOrm_SKrLqzxcI9Um$zRxH=sK?tmY=_N13bPY4jq}lx}3)m z9mP1L@FhQ&sr%0>K=MDm0vvDIuS+BResCR)YMn}68jWoB2gLztvPSxiQc#`IVkQ?N z1!l3xe6ivS7J7cZ`s-3CmgGeIuh?|2@Wq+|(Jcv?Bp>(dC*6&`F2eC%I5$}StI)0W zrQgx;Q}cx9iVuYpo*j}57e`<6MUvkkxfN-qNV*duwMg-_F;8Xj;_UD;%f&dtKavjZ zs$TKid%Jgjg=mlv(c{@Vb1Js7LVVG8CJXWy-2Vt`QsJxO@3!wH;c~pFVUqXBD z<1N0VJ0}bmQjd*Y;CHXua>LFORap0LMKPpJN+q+82z4-qA{rl-wZvr`G9cP?r zYKhaiF+MDTZzK@?APdd;wu z%BLYy79cpuIruaSc|?Q;UkzmAp2{=m(4;NX@GGwxjju$H zKUXbey?9r%>o%W9q3~UFN@IJ~|73POqLjnTf(?5$tiq^_(wW;*6VPRwz!!c1$Qer-z0m0FgV{nwxD z`i7q&e=82SvuEkFK9r4T*gxT9JBy@yXiROPq)uZQvo7Ve_w6Klea+O>vnib~U0h+Q zFw^Oviy+Eh2nk>dUQ9J|+7F=Ah!hvWu~UbKPA25Ydot3;Y5wv1K{m} z7mESByu6o91g&=gofrC^XuP|B4*77n*A2xt&xoj0jj!;y-4oYORV%aXFJ7w|XEt_v zkBQgB`BubNS!AAsZ;&aHzPSRc-L>dzX~DoytzNx?OAqi=b28NRDc#gdGlWK(tLJ!< zy^-2N`{}uCe?^FfaKI z@9kyQ$qEyPYw8KPy`Pl+#h@>Sl6@?$$^{wOi@4cN2|)w)iM3zY#^nw$$Mr3avfxbn z+i%Hj&Yq`8e<(*R*h#e*X5PVa@>zco?yf#Zvzy?ub}pZhFHYGJ!q&<*#I$jK$zhx> zo3*vbw$7PR@*G7 zDg!S37kRp2?tSR9M?GN483yfxBHG|EP5VX_uY}i51b7UNJ8gHGmA>+Jm~ZpPOZ9P6 zvRh9P%k3mOBqX|#Tc`RJK0fSGXa7mTiw1OtME>e@cO^q}@CoQ~bJ!A#hBD%}r>eWm zsHfH#nMpfuR1+A5#@u%b_vJf9-R7hL;W{ z-3^OG`eFpbZxKdiR+sM*EAdN3#>sB7MTFqwYFi_DD9vQi+CBLlZtAtX4Xf>xmJzK%y-Na`W0MqJL+8`HWrM335po)T&n&G zeEbN>VjTTIwvo-=($xR>eLML+g$&c3#Z-IiorQp#?UE8+5*^~CP84bKsM_3%6~Ns5 zFMfR0kO;-?*nvTBv><8j@m~Diy2(P^mixm!M`8xKaSkn*)9k;>sLX{X{dTHGB3B~e zZs4L}G%f!@{)4<%*% zp4!|OX=cA2ieKkyxs7&fZ4dk#Xm;fuVnq-sF_XhWtU91IEuU5{gL3;_wpB$BKjBZl zK6o7bYU;}8mvgA=61ce$gNvP4U7n2yxpFC=f0TcqeP{BwuH2Vw6XD(8cZI41< zAJh{hHP&WsjZY&$3;0V@BLcF$xxM})bi@}y6G7b1@VY7|Yx>F6Q_{$lV?tfnZo`sh z@3h~>Yy~>GII@G-B>`vpRV)`z1%sIAHzaX$yqCM2-ty1y^j0L}1K_A&{XE*I-t)Mi z!w{F(Sod#Xp}!UQO{#V;N3Ld`*ybc2uehi`418ru2uu5O-n&u-6d?%?{1i{LLJ1mU zj{k)!ZV?pc*Vem7ul@r=3g15w(YW^DD3=UhEQ5XE!|?25hr1#2568CD32^OicxyzQ z$kl25)kg0(CKs<8g{>5XD_R97Pl6T|Argna3JU%5|Atbtv$KR`d8dv4zsL9d0#hhy zYMRdRJLqpKFGc(tFBM~g6Ydti^U5eMIWf_~+uJ+fk`VBrM;qF{$K!hC1goXAwDk7& zbS<7fOUk{6Kx9;gDcpgeV1v88vuB6v5P~RyFk+?KcUSt8Oh3Ud4iFRL# zdMG&bt-5-ckO=%21)6VWXJ_LLuPaW^{N01;hZgrrVEfsi^UV427QD)PySlga)capa z(S`7xkx@+$gg~NT3Am&?xAxj|Nl5s|Cnr&Q?dR_WKM@jra619Y@-sj5y_uSw4XM^2 zXgh)Ldhb7qQryPPU$xcO)lIz-gj-)>ov+p|0~W*R1U~;*MWmtdm$=L3>sG6fwI9F~ z7Z+EluzGj15;EG-va+Lk_20jLx9M*F&3h^Cx}*qnS@={b&nRY}JeValI!RPtUq4MI zfi`cLg=YFMlA7&xmNYld*baRC&*cJ=004UB&iXaaF-FetanhQyGQM`Wbw5?h*;*!q zKwjYG{{8#sxWDu}z~s6^Ct2@vsi>7-OT!@@!otE#wK@p>)4HJG70WC&;^yvt z8F1a_#=axE+{aj~&+sh_21CbWc6dg%C_?b77_~sluN=dFF#w@ubi!jKvtG-wrW-B~ z>(vsr*%UUrqo~CpGtcL1AA(M08Z3X4><~@yCh4jAL9eK&D4glV zUhBahUfp-^tjT4M63mJ&sU|z(3C=(q(*LI4P=R>V775`AEcZT1N0##9>O+v8Alx+4 z&j>Ihca8Ixx*`h2>eLH$Xw9MszF@~c$vpN2AIrV5)8NZ>34#Ru`rbUo9}W-1RQ+HC ztj*C~|58jf* z>ydlKHEo655C7FaG=xP|n6x-9c7~an3rAr>?^Bn-U=wa`ZrcQJ>ovWaDe0PjZAq4Y z63+(OnM|iob7y2^2ojpgSk?`tPlV5M45^b2dP z^22o`j{5K4y-K%C zf3b*@qv~X5cI!87(pC+d@ModrDFW}-+Gknqc*>$6Sj_?OKN2xbbD`6gkT~LY`-2cTKR;OX+3J?_saCjalG95hjS7x zdtC|%>x;2F+Fc=igd`|#@T+iF%YA!00;35b0JJvSd(}b?6MSaNAsg~_3#^H*lO~>L z{>1muF>IhY+{;foOrfB$k(JfeGs8?6Ox&o-Jcv$!`6atHsvH0F=d(aFLjDGeWs;bg z^_<5jJ;*204tup^+9-F@(=_Jg`fw@SumHHz*hPpUt+~WcyOCeG-uPi?*B>WKlAm;V zquD0c3`2ikrz}k`yf~Wo2vk!jz3O)=)r>8S$W)Vi(bduQcJ0{=*9+^tk_WEAQ>Wj) zO++(3mg^_G(|Px%Vr;^7WSnCvk%Rwl?%*|7@(64al|E4{TVFeFDvKU&=q-a6P1+3yt8q9|4YA0-lX*)?;gHcx4urn^`_q<+cE~a{vUprGb z1@eX*hJq{~X18l+nj|@ps;ps6-e1Si5Xy1xV@_UC>-DU^-oK+Vz$Y*RU+}=QgD&xE znPH;MR$waAP?d!SeK}~@u9t~ZH#y0ok_}U3dD7Ab+p^>zc@0Q_W&Nv(qA`F@MHPB; zx|P9rEV-o8Vap%WJg@)aAaX0du3Xz5vr{kDD_!=J-LZ>A6w^p8K3eLw{p*a?NJJbN zCvEX4_BTI(Swx|zjo%(4>k9Z@QziuLvd`qCb(glo_Zb6MLr0ph#p92{%1de|MY1mx zBOy}LHWIP@wTn*e*R4(@Xg|PD2wbl^T?8LEKb`|^1by@LZ2k|&Sib7muyiUY zU5e7(-O?eoGy)>sAobkq@BE)LbN=(poM+C=ne*cK8aM9Uy}qC8Q};i3BY)3=)R;2Z z<9OqA7ov^*rNy+(1kX^7V=@K6WLDUTLV`b$ zOM?pDP^%ajr!+*?D}7oB@IZJ-AFBUDB}4=T46{{MiJ9AEa`Jj~zL!A0>aPOPGKpgw zA1fgaf^rWEezKFhOLFY*;^N|QH$ws{!KL5ymR`e1%*OV`!Llm@ky$6C6rL=4?VpbH z=v%I)7eoV~1-VUzLtvYfy(BW_jdPse{=F&~ z4vqekCn38_txJUT?A(f7Wze)xQl`CkK@pLW0QLMM@&kGpI>pdGUhO8KF@N>yBb691 zNq{5*eSmy1;T1$SUe?LmETiWQE)h>*Dld%4BMLqeh*JvB;{k)SiMpfEgDl#vnBnlwO`tkakJXVEX0O~)84mE3LHt; z3Y2a}pVII=*?*4&KrQh96@>rqL)!oQXZ8OQ75^_Df|{9LY{{(pX?#mD&Z(`I1d4JS zMW!9`4_gc1)Qv(aEzhcE$K`ijD;`^WjhxQZOe~z8ml~Ckt4lJt4Up6ldkwql>A95} zxn?NuV4sOPtGr+%f3FHuq@ZCs@ZkoLtK9jldl}OV&Ff8m$$2{N%m|^XM_=ngJwJVGRJ-#3Eq@WJTauNe|bkppQzLz`TuO8F&%|O zHlNpj0RZv!B~Z@cnK6>_Y z*DOU?ftKuPSnj^_M6A5s%b|7XY4Xm>>JXI|a!X|X&V5rJw&+LA&;6CK@Pv>%>IVRN zxFsY|09xST;u_d5{QkXyMKMN)lj2A|Iq@6pbKh@4K|wSE^pOTRdeDnGv{~*5SqvT= z763?4A&S}r0Q=H*=;26IQc*G9+fG2vu47?gu{67dj};0Z1lBOyt?~R7^NdkC+ za}RpQOt&A8^Vp_1Co78{)0+kry5Q2S!4$as}mu3IiT?B_a`-?Y;rvB5 zEOFrHIP`cgkpsBc)s`cSOtt)PkuX64LH;Oe$LJB69hR2(?D%-I(Qz7UPvvAJ(>Q%A zwV$A+;JYa4tJkE0m>q&jg%s`%supq;B^IF7-%A zIma5R)vq;H4`8H!1Rg39K^W1neFfcn;1?wpu6Mnr9=7~|hyw0fkRw}~7;o2lAne{MX?UEipu;NT6~9B*13|hN z7zyX@*WCC&K!HHe2O_Hj6`>8)bfHn<62&r0^OPAO9MMDk)E?H~`N4bBb%HgNeeBW;~aY% z9g5tVQ380D;5xEVyhrn2%iYAYdge(OB@HsrXwJP=vz(v8Gt`jeznBgsuk0>r=BNh= zygzi%|IJXYfFF-yP0B|nuUXUdpwHL=@bUqNl_B^c(e`PaFm}n|3UBt1`WVkec&MlmhZoMoP3-z z^Nd*;B=DlGXKMl#rUp$qst_zH;jtt18#Rq5IiJUV`t6BB8CbmELxa`s<+=&#;_69@ z!oxpD4+S{{MU7kX-B|ht$6vCzvG3*=Do_wZZ?oUsvq`5etQe-jI;*?X$_U-mi zg&?1HGSJJjN=D>F+sJa7a{zw;G%X=h3i&QrS+IZeWb;`spg5Y0B&0FoG1r4#AMj2u zTw&hfM{2654ye2z%2DB*;JGF#GhaW$C3b|(?9WT2yFi!;Y3MQO1{G0>y-%_`7#raSR`Lu@P?K94fF1;;>^$0cIa2(ddJ040&qYt&;5Q z71NaC0rN6$HENZBh~pGV5wYRNdG_o?Pro|T%slLXg5%}%S-9W+XlpTEp*{nj&s4W< zVD@7Ab%l|xFm`#2%OBWX5FbI8)A1aok#_-lHLo`fR!L?^&JI-@Oy=3<@%HI;EMd{O zy@5^_Z;TvBgW{`r0&~0;Uzttrk~w_U^YknhlQ8#l^s49ilw$w<-TQgDuPs;e4d4&MdF!93In`JH7$&8(qo%mX>D*z|P>_|?F>#pwAX{n!Wp>}BvFvn0%BT|;{riu;~ zZmOpZE74_86>kP?0P-8{2Ju?|pxre3ch9YLJ7fY_!O^^#beeMS76#2+jV;OsJs%~@ z^=3pn)_@6)t}nCi1gix!%Nr*Iki81#qhZSV5S23MvHs&j4Nwx)$|Efa+DAK2YFkcu zn8Ny<`t*QvaNV!JF@{m<&%3H1EX)wUBi3^c($(Gi)uCK*1Y5PfH>66@-*R1H4M{7+H(@M0JdUpm$24>T21jFtQL`{j%+ zNl!d?GT=GIyba7tc%Ah9BYgco3D(4c}H!~sUHHsAd7O!?{d zv{xg5Ut1z+(8eL3x+CR_5Guoivr^!&MKu6DMJTi#V~CuIWCri(17JikKS!_|1sGn8M&z+A4Q#4K6)#-3rS{wLeD!U_ZRv*B@RzWbd~m|yUa z$pflA#^4!hS|YxH;o4Wsv{&Ku2!3Y#KoDCjrV+q6#6Ft%s!eIig>*+!dHF%!AT3t= z09w-9u#fMO)$v^!EIa9b1&=!Yjk8yzR7?GA%p*mc#T5P2UpV9SH7T|QyH)kMNBUYW z%OlK48X~?>{{*sl92QBdaaN{!{xUS|QNU-B01kd5!tOIP1~g}3ULj>G_u8xPwYIkQ z#(9aCl5sFKw!SHz2714pZWnY~hI+ddE`iB(ZmQfwK2BssfQk6_VGcab%J!T{i13r} zCvhtqz&)|3lqd&9UJM4ynqE`ZJXY8383JJG1bgo0V~7Mu)tcF^VT+x~b*9j2;>)G3 zgbj@dsh7z6UrK)T?T8-L4RQNL$;^NRxiwNOLbn;k!xcIA=U`}N!_{8njhB4Y5lxgN z(oJcX1Rieo$dG*jno$5Fk{)rqMlZmZ)LVh>ZI=Okrm4hWRu*E*6#b7y5P6Jb=W2aYODw8b9L#dCsx__F>0uCPiMZRHv56VMuOfxUs7-#t>zI)6h$0s zxK}-|9oac^vm=$8e2W3YH{sq{dSA!=wQ6#lfH86cvna@>DF3g1@GEM|`%1w|Pvc^i zJ1OgelsWq=6g+L)`}9-SKB`dxy(@&vf(54MSFJLJws%MUw1wOb_0J+S>=9|Q5Ae75 z**aI}Wl!+Ij=t=_U4^IH0?mWuott873IU zox*MnTI=6S*ne=zcyWK4u}l4q?N1Vr%^)z~c%_TVd1U}3!N=-^-NbO$1q*&@*dJ<|5`h|oefOL) zkE0ob6f(Wr6DITfkPDCXvM0I{TPQt zisJ2#La8`{WLNjC4%LZ5)@L#k1S(QC&yi%$N>g2!`DaACl!Mhw11?c zYFnp>3vvRVXDmp`{T6`{$_00~8N3$C#<`q<;@33(b*8R%3%84MP>Nv@BU0 zVQrSF08{1ZApa$>AO~fx$%XhO3l?x-6qacc1I7oDTazq;T?N$fR!s12|h?DhD6m_&?*B#yiXJuG>`Ls_k%PbwFBV7fxzfLM#! zhGl@?{m3h22=>wRtX~AkG4QIj|I^8@wWOb9IRz}nFNf=H`p4C`&FMdLeS03+U0lK0 z+2Ul>vMwIbt^HUK2LWll>5Tsj!%Ds3mRrW&d)-S+L%1Aji$l^I*fV8=ze-qJm;I3- zJ4h*~hVww8j?%6UZ|^bRCF2a04gPK9JN*3sx2JjnQ>B(@-b5SwNQfXG{nRib_qVhT ztyIs|C)gBJT0S1MxX1hVX?=0_A#c(k!rJCW8k0Rd{IDdecFqAzr2}6azG*@nabMVc z0R!=}Gf=*DId&ALR)as_L2<&I8uVMphx#hsat;7ln=K^kNA=oPjtr}XW*Vw< zHog=8#;G`hc$x?Dw4X-}qiOc7Qbr!p+czDCQVHyARz747b?G8TMad3zeWbuE_`t00 z5Y@$4XGUPn8RRk#^SyX9*p-Z=pU1|-u9Zubkfxg;B+tzk;|NybD045-{A?(!!krXF zlZ#Xf>Y0&ahwDM-%cDON&*N>fC0B&h(c)CY<)X<FK_V`D%g`~irZEEY9+Z|%yAr{Kcq=` zVkI4b%z8sMS;B$pCZ*kB6ru1MJT0$A>tLR~o}Cx=z#e3&U`~W&Ls0zmp5#6J7L*(` z#u0SSI^nm1#<{m(x-&@Va79+1SsgEPG0?~6c~CHPMXa?;naqBfL~cZ&OBG`i>=!=K z?m@4}Sx!t(c)hLzwQ=Yqqvkln4sN zT8E?TVqKC_c!N@#ZuK*o;%y2E9v9AP)g&`58%5F8Ue9xLaq&6OO}ptfjgDFvND;k% z2&l#G`%0V!*sMui#%vN3J4(;zeSO+&^*6_kD<=j+se-w4T1eo?^8nzX0A`!$mCAeh zv%y=&tMp#Ibn6E7ccy>U`nZg^D^eBBU+bCwMo|F9;IQBXB`!SL6wM}Fqi?Sm_o}?^ zs;9UI2rjp^xJ=+_46}dzVyhnu&rV-aAz)ol=v%sL6F>~=f?E8HS8qISR4nz%t~%x- zw|(W}Y6{G9eMNwP`Afpq1vPH#h@fH$f2r~PbYMmP`>Iy9DsW^1rV&&A)f0s;s_89L zG`o;U0Fjh_f8de+YQhdh2=m3(u{24(;`y;n7niWx#?vabcP%Y?OBJ|wk-jr^W1zpO z4cL1yfGdl~ve0~%nVd9hKf)ujjhyYP;J)hY&c7X)Pm8ZVORbD(N{tJwO4cnmE-y=FjidY5iojcU}sl2JVzh0NP=EyZPQuSw*n~RSKWofT=5$+{(5>GCN zJ6sB}yIS#JTU_9;HQX5{kSGqxynOuWR-Z2gIO&iC@(y*ZfA z?&6#$SpCIfpE{mhD{2AMG?`Al6Rv-ACORQwzY#LzXLj~?j3iY^viHZa;O<+qu88#I{vSlMGCVT&OBaZ02HOZ7)<47j17+*@sN(F( z>Dzt1A3LL$j9iYJU|@?k@6@wN-h}CKgA#kLcJG}d3T)E%@ zgxH(2MO1uFP84?5|MHy8e~LcyzESYX_H}A~liTd>dfdGp^7rZ4^(W%9!L8Gp)p^&v z7nvGxZ&}2uYj2k~-!s}q)3d%b)5g(&7otWJP9;(s)dYXuB$Gb|ShVL}8uO9g2BYF! z#AW8v-M>2rZvSLqpmfYBs4tvGW7Gn@OklJ8seS=Xu#TvhuWxppBPb!-9GR_2A?Er~ zmAfj;j)|?#cB#45i6Q< z5&w=lozaMGwqBrt$c)fcE6zTiZ6P#Ow<~#Lxp^^{S2jQ+rjSmz=PB=4NRT||N9~k6 zkVp2HEXY3|Xl!mm+l&BX>W#03S1Xxj8DI-21GM>4^MJmy)kr?i5DCB-)C%whKCfQC z-kN?chv-_a%%k-S99%`y2l44%_=0529-65=0+Ur24q{W(<-MXJY}S_gCpjLY<2SoC z+cvQb4Wnz_qr*ZAXFZ4NMub&oh_Aw~y~XVW^uZGzwN=jNbK)Ek7g4TX$#vh6)S$S+ zB${T#Cn!&EZDbbKN?-1Gfva^k(=kwvUj`y`Z#L5|9GN3%^Q0^rcgRnN$kIs?^<}5vmv}pYR~J0#SIB7y$`hDOBcswq`U`dIbUBmzO%8Z3Jt|$ zYVE)1ji$5Y(k`h2_GlEqg6u|%E|x_^+{^sqagBS##bvUDHY!@j_GN($7_B*M(`htgmv+>_qJQ8{Ncf0he+yVRwGi}W>rE0whiN&vD(J*`FaYVO@ zdDVKgus;V7GqwP4w`g=^aHQ!D+-JZiqciVh`rfL92giALvdHRjZmjg@4ER=C*4&^Yy1quZlo*Q?#ytNO}=Ok}W39W3Gf&Cfz@FS+2Q!Pn>M``*2P3Unjs z3aT||boG$0253Sfan=MpwqI!LnBs+HhDT40{gNFz4KvLOi|fZRjoy?Mi~qJh zkVVAR>8=NAIa6OzJi7+Xx3#kb-_&T5K`5o;dj|+z{m-^3z-EJl}y^6APr$47H zMGs5$^42Z6a&*n_UU(JSzh{1M?HZ30B*%$qwSyM1x3FQs?LDJrgUQ^lO*cm}&$o;( z4pyXnpjk>zc}C-OxS(+p=yxTvw4gc_DzFS7>A!mZd@Y27h5;3<=;~U-)K&|yZPSd9 zni=sOGPrd|Fu@`tnZ?YlTD#q?L22$G`*l7R?%aTwlI%Nb;Y4V3-1zL^g zDH}dY%mni(@wI!g`@xFi_6jhd4Dm*ejJUqzmCFy3TjzdmLnOvEOXyq7B-FL|G7QvWjgQqRo=^Z9BRHdU%%+D zxgDI9GZ}Hw?oR#X@2f5Ah!}YOPb-tWXVIi?`(R`lS2NY%a!?3 zmHNcb6%mMn!=uMxgP8e#oy4LSNY%W}79jJvrwW=!p|f5$-3%(3E{8CGkX)FiS>pOf zo8%W(t-*0QS|YvS5jK^Kb&fJ1TEqvpX^tk|+trUtZL!8CsW%tlGX1@Qw$~1RRHed7 zusyO&0rxI1Yk|H=<>%Dztws9El=Y~6#yPD*PQn6ue<$KS&NS+R+{THF6IlClzBPFV zqQfD->U%`Mw?iaM5)A7l;EFLBDbq4fp=jA_*ycsYfA0qSJxmYav@22oBYkS>&Cx3R zC=t(nqzltp$8tDr>zIEP!-IbBwbDC^f_`nJP@ZtjrM27&Hm7@H%R%HLW$Es}=rqn@ zJD$Zz$Ph~CE_*QKZK_n+b)l=tmLb=}zVaUz`i0#3Z`V6ji=;BFSR$R!l?zKePhX|! znQXgCn<%o=i%5*x3CWaq`TC%y4dkS?OxahM04P0uf4PlEAB@IiC+F}XyMx>&87ku^C0!CBEd0yA zK>a16B&>pn(#`T1#tB2PuXCNB!q^wuYQU~DlpWZO{y;}G_E@KVTo{fBHbiAe$V4?% zrEZ)X+Vn0a-Ywp4rq}TvE7I%?6W8&GXg)y( zR?u&GklF#txflN=tzF}&*F3V98y#tuBhlWT+s3Iseu7&ccm?hla z{`5Fkm0L!_hgOmh77FN=KJM978{1R#R<%VAHC&+H-B8h(xuM3`xrF`?lsv;#KfUyJ ztEKRZtlEjE4p7HD6ydsxRj8izm#7Loz#Xlu@8fAkxxH1l7xGNOwM9VW6PhFe=GNA` zvA(!@GSWA5*9iq5s(ztjY@gQb$j&e>>6(@whkTq!y&wvV8+7QA8653`dt;2IMmffn zoIeS20bUoa6-N?hX;|m$k6Q@RO#Q}morlDhI_*39?=nAGmG@AlCf1J3g+49&d&W%I zo%=DK=4{FGD*4Qc6fq){Wk9;XV%6rFFYNrt+1wo?^d80>^;lUd=J9W-j&Y_?JWx+4 zIvn4HFRweri3?}%B*@gK!jkEKSnI-8KUG%Qc@Oo6$FpTX+#d9Lb2opAE?4E-v|r9P zpa0vU=qx$@F)!}lv+WmTCltm^W=vx)33jKCK7WA-OZ9?ZA-QR-DxY?48#@~ZlPz3W zy^Zz?rOQ$QYa#aO&Q@ez2J6RWJU|O?zWn_9qg?9xt>Edv(DVMo7?E(s)Fy zfB2}be|_E>b$AYf@rFIRuOe{HWVG0!;8)!czJAsfJa)FROKv-TGFEdVGjC0Nu2Fq( z0VnJxGoT7$qX{Nk;-le?G&^~eyGh$&3FPIZb8~Ak4Bl*=hK^>tA`KneH8F`Co+PVW zXS>l#4N;qgn@wtty-cwCP$w_DB09Y;CN&CHrZ-DR zk$Cqm@!lDY5oH__Fcn0cp2ZHcgFt3R!5nw5p5zK_w3DmI0;j_q_VmjJc)l%#x#+gPuikc~{yaEsoFdY{P-Rk*bCxER^1Jn@@>9xYLq%zw(54J5Iby-)qWoDDg2F zT%c4lf!8VvJ_sf?xb07yVV7sFG)e6-Hh=59#UXE6L|~mpJ%Ieo9wYDw;}aPTbm1s~ zmUa2s_?j#f%NU6v$ZH)d#z8%e)k-~2n2lgpar1M$X_H`O#1)onvd2?E;0Rq~SI2_P za75tLZXjoCf!Qw#@fS}d%~@X~gf~|+vRP+(NLTMWg3ghwHQ(;D4GR`SkJ z%Rh^I#f!gs=T$re)C{~M5J@Z*|Ftk1*fDcM&sX&QH8-%nd`Nd^q@8fz;<#yaZS;6u(+USzWnY6 z{8MC~C_a&ya)@O{#hE4T(WGz{@GR3`%cZQ~(>zqw)RSfJ8R#xu7XMLH!UwKvl3%3T zPn&CJx;+THHCS|>c9$rdrrRmW6(Ve;RMio>0Raq z>h5&+P>dW(im{eA1C)FPGa8b)XXFqOK&QDHw3J>uHy{D=UZYKr(Jz`8$JIG8s}cLS zSdokNaDCf^5HhR_G+nfc7XW|CVmk+xY;Vg&LdSUsypDeL`<7`aj=?@8bQW|%*zGj}~Y@+k0;k30#ifj1H!9ZYH2ZrXme~#hLy~`7} z4vd)*kf-#Uj5=@a!|vLB^wBmAB*3=h`;IDoj0$s=!fcncY_lYSNpt@tWb48sxc`;| zC+~U8ab(=8m$*}cqoe~}9l`YqRqJeQWeeU1z)Y0=0HC8WH9Am*mz0$Frh@O`khInj z%*#X50&Rn}D(JeNIv6f%FDn3?#iy!5t<~2+&wwpjNVLCe-vmip;zS!gR{utAf(ZXS zLh`7{;x(WgkE8|H%|Tx!yh|$4ev!)xxJ|U8pD~#uaIkCzK@`&EhnInjGAAc62e3LQ z4@d$S(p#mvV4>|S;4S&NpPZQRx4>3tNHn%i8-U3DY21{P#em=IsM^RT-8$Cz+mr7w zvOOH_o?D&E>6wQUnW72b)j8(uB!uMqo}B2?ln}BYIYY`r#(_Q>vrlYpr@P?QKmQEC z)099u&~%8a$o5K#QspGHg*%0jw{X>PAhW*8J{GJ^iZ)o*)f5Q031)K>hEy&*+xU1i zpf8wS_VCX!6w^##jE+~w(!XUO{SV9^1_~@s^$&LtwVR)*b@6~YZ#DO(8B|r8zQuOD z>9}Ie9^V#xD|GHlD0K3hUMaX-=JgEDH1Ti0w5#O|yvi)I$wMISIq?3fxg;o2l7`D&}%uwr0VwjCKAbUtQ30rkYM_jsEThHFsOv#Z!H7& z74l6NlL1!^57a-{0d|6H4&- z%j;L`_NTl2UO-gnI!zByu{ppuFG$Uy0r7A0%-T4gk1MDND3IgPn#C0ST|95u+&qNW z3vNywtq(K@C>~_leS0H2O9p%0Ys5bDhAEyQK4b~F30$B|Y<;U(vZ43t-+)0HY=vu+ zf_v-*`HJlD&oTJuY9s~{Fi$^LgnOF^;U=EEe%TP;W?78i$zEO%mMJILs7tx#6IYBo zLLb4+&q03+X+0DI>z+`)snFj*s#0oV1~k4SSm^^pPhPO?^kroNw`4#kGnj;;Eq`62 z0}r(j>^zoXSP{sn=Ov2)xyaUFsqZP5QI0PVU+}II#ADb`zUa~qIJx)5Khy!PX)*ys zxRmcAudfE@CgEgkR85A@7QV)++ zY*RuLu@^#GEY9|lA4GWfF(vq;~7EVa9^M zAbM%BT5wKB13_+fH8!VJu}!nzhpBzMB}~9TJmlmTpVVQt1M?wQu<=PQ0-$J*CNbsy z=eiDO_AbRJTDuq^5)(}ejCWec__~1dPUDrBiy(h!Crb;rLBk}W%j$dZQr|LvUe`-O z`I4vC-F*;J2upv*TYeB*+sx1>p52eR$D!E_9rxt&-;((y^n_sxzRZf zD)YWkKhO~Bgj9wKKY24QSN@e z=~0286f;LAYPTGYN1$+WjCV{+?kSC4*3KyL7O*hfn??G^{j!;e7HvYadLb* zWo>j1yT}iTAo7wOI$Fo&K-S3U-me=LeelmN>|l(J(2FP0eX+hLEKGjQ z_x|-wb@bR1Wc=%n(k&NwHLO1Ibu_0Eymn0i{FrK@v7p!sMV0s1pk>neWUu zfVH}+CxAS^00Mq91VjJYw(YnjKC703= zK|*dW`ijo#=BYWx+SI+lnlEMos4^~r=YPLdHlNkUzR}Z;CCt;QeDguZ++!l+tk*w* zJU%En#srF$BikRRIZO>=rebra5RQ+ZW1EzOL?U~{H;*F6+BK3yj1L@Rjp#XoOw$Kr zKnyReupn_)(D41o+))rV=^pGg?^S|nSc&FU1<<6!mjz@Df2oGcUFSh%qcK0R=MZB5 zXl9;g1cG1tqUTrv#;qS6>?O%f+A0%XDQVB!8#g@&KG;#CR&ysCHpip4ToD_|+&eJ* z=F#OF??Gk{-Ul~rLWl9d$postj;hq;nc!0M9H2qKD;tc^&BqIIgJU8C@1y*6+@y&C6pv3E72A6sb3mmJ{_R-GpR zF$P(P+r#pjGoD?57fD0LO+Zy}+J=GaK);5A#EPjT?Zmzyrxq`Pn7eYfivZfK(L8Pr z{#vg~(D7pqG2rt^fK@Q^Q=_5NA94`=_>Csp2Tc{P$dBpwkAxNd4tGhe{>r$_eRB#Q zv27l{@bW61Gj$}EP18&b(rK54DPd{Bt@w4s)QQOm*`$NX2qYawL|QMp#aq*QrE$nw z12Bo^4+jEe`Zt{zQQZ2;yXNt%!PE`VxX=ov1_~>_B<8WYpD!$Cm?YE8GMl(i1RRxT z!*#YZ{ZTu-{=8%J9DpcAqY(GafFNyx={swG)FSErxwoT_e-`|p45wNPSj$Qnfrrt* zHO+qlyIQs1n9KG11SlK1l2^?dzh+JdKAq9kT0DkLY&u}PwNdTV&XOV^Hibxo7+R{I zby%j_mx3OstXF-I?ZUBpRieM;g;z#gg`X8o-t2rqLGCSNk?LfH!YSfl>g2h4s{u!` z$H3;^It)}lj*$>>Uy;I9?OXkrxqj=mZSvJG@YF^-Yrs*p0@Ypxtc#i~yC_b!Kqw~e z(fm%FR^tqLxL(n8eZE00N=B28twEDT`Yj#Yp2c$j>iafV&g>a&#aJAq9I;E@5guw= zXOgOmF?CrbXQtZ{#+>v!CbA&skatPtvMay~s43Jq$UI{O!4OoN6SDWuA4QqTOcP7T zFDpV5erF3(d)?2IXhQv(>)t3a^s?5DylL-vhVrRFiA=f9Qc)(&e9vXzHSF2l3!naS zwbKZ3wnJle;%co1qS46o1;=;WNQrF3nsDtgnMkIg5cdgnmX|N54_^PsMJ^A|`~ z>$o~5PY&ql@5@f#pAU)E!BkEA#t*m#tFOL%xI7Ji8RBZc^tVatiHM)`A!?rF%M-Ne zc(Uz#y|=`WbyCW`;JG3^ClpfVqgxMbwnA88l2Xd)HZQWkMR#k9lLa> zy?b&k2v(kmS~f^K#kSozk^=7`*qxA=G!9|EiMcI(NlN)6EA@2!ga2A{`p4J&BNbtH zT1y$EOu^*B^60;Q zJ9mDSkbY_NDCdhMO>|C>huv=vg=)I!Tq~wvFV9M}<=pgbwuZej7y~KqnO6=?pkCsn zPK&pt^vo9!fi%zjZYizN2c8At8DA4!zg02f{$y}?8;fp#kT(m2OSNeZ zlnb-ydn6BM@apl~h2CuW0I3s2^kN|&@*=u^;u&Xii+$q4)wxkc;LiNO-r3UptTpLS zD=OnQ(QgO!FQ%9s=-JE$86K<}zh>sD56pkmI&<&+qVxy~xW(wstYv2P#>PgA)V?{O zzxghTvCnn$@YC>JVFOvxYu4sAV{LTI<#+(l+tXaOr)D*LkH{r_{#Ip1ATQ~)i*!tY z@IGa|DMeT}%VxcGF-1+XVCzWpKrbPJVdWH6%2&B8`x z{R2+{N#|x#{lxcbQ&_&V9=KYY4mwUUEkJljG1RzGq1a7wYTs0YYfLPum%|VPr zd`>+kS*p%M&rTJ^jpVA>#H_`xdL?jiFYg$^0>pnC#pO$I~ifs^$vlDfkeCP~l=m{{E%v#zD6!lF z<{~g=o;=azT=lyvZ#5$jlMVBVTwOvq3_k03abS{}jjnUE1#+PBiS^|m4M82jXEt++ z(ns-;x%83ku_NRLo-iKG(dFifr~1@D%K+6V#j;21{;sx)oieL=TUueA@DOMl(7g68vb=P|WwE&$f_JIiK&ZiH}>sL&4v* zTrX^PpSV2Mj3%>Ap;Fx?%^&~qLxl-bEQ~5vYvqc)m-8ji(CO96&sz6{J9`i-#QWKN+@b- znvZIx@6?JG8={+ zlH>ZB#3QE-wM@78^LQ#WIVG(Q{SJ})6`d!9L%IEe68gDr0|{aAPJ?AOQRaQuG9B2} zDD9cIXPmbt_1o0oX)P6SllQ8;NnW}Lyjd~GtX8t`@~yV2w=I=2R&{GxSy=m$UpXW# ze(rj;l6*I{PuO;0Y7_JwP9#8hr8$9!d%@bsW~zmy9*PWl`%IbJ=P_F677;}mEj_oo ztI6(Hc`vk6yFr1{PR^(-o!7Oyf0^XcC9Bz~y1|(D^qxQ-hoBu1vsLU#c)X>bp!tc4 z8^PjGOn#tuh{G3GE9ez_310zC&bL0E+WDiH6EbjKzN}4L*x@4NMG-j_7M_aPzHo^F z&t%FKnI>;+PfpF@Z}md^7UQd7`pVO=ny)scNkkE1mtGGc%zVktt8hOmgF97Cwj26COQX^cy{4ea+e~Yqg^rk*5mFo>c52$iK2&Fr5g~D0{MI zIcv|`u++NaTxd%k6zQPQ_v0^)mZN&;eG85Rn|f5ThZQj&K>j?0X8+AbVMJI?RjDgW78k?dAcq@yW=R?OvX`LkAAi*<5S9zT#IRJWd(X)t&U9DwmL;0PYiqCMTQGUEKDAexJ z(MGa;h4)gPEl%_#n6K`uEe;&X_}*D><9GqERW#FuQY{~2{7kD;6dThalMzeyLAO0_ zPDn?L5IDcv5Z8}ga~??p+9+D_X=}y{t^u?9BHtPQ&m7>$3|7h#QAx(grXKFAT5W=J zadDQXIh>&o&mR7M6?I_@71q6GG5k%YdWC;Bf$bl_3W3*UJ3hz>wX5+S$me3?x!qz2 zEXej^TXKSkG;vyg^WUp(lJz8TV8mX-6;`Lu-K5V6&u~f$@tqx)kxHYrSQ^*42x1ZThWP}luv}1byB_BAS;}Ah3W)%9$pw41c z!jWxq*UL=J7-H($YO+wRwXRKZ=_^=7fn$deZ7-}YkP#mwQWD*YY*>~=$ISE@tuD8A zPj6CpT3YXp?hl_%SpbLdM8@9{`=L{XVu-NhML?U}3{<_KKKoQ!Sa}jG;EMytJq#*a zkqjog0`mgq_MC{*HYsL;_K>U&d+S2*lSw#i_y9k<=drh|S-W2hET&FW8XIp-4Dd86`g`Yysciso%k=3U(5wM3jI9;a+X*@d&%f)U+4K>5DN-y zDcd3{?evfO55glg{NnQ|B+|Rm^9J{T=f8*RtC@# z0Kf{AbKXfO8twr(c(>WF4bcQl-`<-wBEO_=-!85FjhQ8WOotZcmm?>OL%A!A6PB^ zXI0t%{4!^ckB_@QfBt;w3;K5vjPW&|JCFB2zYXl%|Kmr3ZF+WxzmNQ4?MjDThynal Mexi;jfg1<@4;``fAOHXW literal 24652 zcmZsD19)6PzjtigX`F0q+vdi$Z8mDG#%k;|Xl&a~8Z}9S#x}lf-}`*`!+oCJ*@HcE zX6DSy|A*O)Qc;pdMj$`{0|P^rm61>b1A{;T0|Qrqg8&`TZZdHPeSo{ENsEEiOcVV9 z?Lb+HDvE-E)h8gnnm~j0;hkl4+`zz4`v1Pcv1#Q#gMk_C$V!N6c>g@jwbB4;Wsf|u z*iDr^C35Q6QC|==s10Y_Pupev>B=a?Otv=ljg6wC%u3ZZ8^Q6rFi@>8{2UpA5E7{& zX+y3JR^nB><##x;IqjoE>x*ti`>}1h>9J~+cX;YH-8B;=?6=)P+EQcC(GE`*hNkGO zL;W=zO)QeSwHi-S3~o*#nxBODUdJd6Ap%W|BdPu+m6Fl$n^oo5xHrSgqu z=0s1nT`X*DkJHuq@$vCAc}a^nhmh@x8|d_CfUV{iiz)bNU9_)Fk21|O^+YZ2LhKL= zKPxp>*%$1c-aF2gg4_gx^!kqtLs8n0Z{4yrnX%)G2U9M(Ur@Ye)-5i7^;K!rD#^*2 z@(T#$^e-+h#>OHIvkvt4+uGW$%E-uw;E|J)V_;%>U2JuEU+u;ba-Xl(i`$Y(@Fzy6 zq+kiHSj~L%c>R!QNkaBb_Wu0!D~4~f6bX}ICmtG_^X?!#UwW&-1Y|~_RaJ-*Bf03y zmF3md6=QmI@^|B~9JjcUm<)uDMS{tE(wcvrom9FKKr6>QfZG?4Kd;SiOE4N;( zQJluV;ZNkqfAWzgdEo)IeE`=vg+3Q&Q13G0<92zP&Y&X}WU|%ib2K<#BEL4o?W}4{ zB7A`dl_|D`Y&{SHjp!YO=Io5M1AReac;|yzNGt=54k->-rTJaA(HfmE*e!$Ki%D>F zbW{ccBSFBn-eH|<17b<(n?RIIwLwQ(R)ghKVcne!^m}x-lfFLD)bz}Z zQ=7)5u=jxx%%cx+*JWS(?`{9-)l<(e#X@%qS8(G*KdAZ~J{z63?Kab4mvC{B5*6gGrDnKC^G8xb!NOvC%qtp8B(y+Wq|VN&z&yh7Mgic6RrbUq zQ0CfD^x45XB%(G$3Y!M z#Qhhu7)|NVFY>7U_Ugf(Q;=_Lxh5l%D`p^%MulzA3pZt;NzLt8+U8O`D2%|(s$+W=7CFS z%6jN-mCP@{Eg-z<>cP2$s`XVflZiP*kg>Bj>Gdo;+m}XBIo)CSp#T>Z&iU69JYh;H^Kp%zhO!7lPi2s?X0q@dqWMS4J z6KYqe|ISfji@}lock<3wVGP(Sh#)!s*+gF(sgNPK=L zd2RU|Hp~bW4NgX>pY_3#`akWb3qSsX)ELa7=Z?tMs)C|Roo`>jByC#s%6EkIVy~%@lQGSSl`JxB&04M2*E4+zlq3sPpy{rXMMZ z$Bwi4q9i0FPMud@qL36=f)_q^B1lKITtVXdbQ7i)=GeB<#HxtN%cO*Hdg9O6 z#X1)r<^_>VaKt)z>Y&5GRM^}8n7AVhThlTMxa$ICbiZchlG2EbNL|_nn#UP>{0-1F z_G;Hy(g&*QMfj(}Z)(>hW!(Z;hudnly8L<`cVkvrrP_IXcEWL2Q%H z$K?R(mFaJGeBnTW(q{X${@}Nl2byhkAviL!GLoHs!H12|sk@Vv572XM3|4lUL01vt>Jt}Hmj#Wx6C5J2egx=?~PTW&Se${Kev5BzxZaumX8C9Cau=bH(k z85(j``>7xhq1fDJ6A7Dcyf`Y;K@Xm+I%O326mBJI7sY8~wcQ=SOR*o84aYldBaA!L zTDIeh zM(mPhQU|HMwNWV9Sgyf%G++6JV$66EsCs?KAbGCfF{zR8SiqLZ$S}4Jr}-}i<4mIs z?DtCR6?jq5v7hc%jFNEfcZsCq2qcBGq|}l%$>eViXQYR>0$&_XDI|$x*z4--*VqJv zeD6WMQIA4v&dDdo5g*o%_rm_B5Tz*?+h@P(X1ETJ7aHi(gin`xNHt z^Ov?dJ4PmvI}((M7%94k<4O@qE8R2a~!;N|jqo7u!}Ye}o!X=FcaC`{=d`nQYMepY%U<_J;nt-U|8%a5dghmURqI z7?|08WRXlyM(Z0SYP};9|DqEAF?1b^&wlCBN>UucwZ~ zmTl(ZqdjoATWJjjsVN~G^m+w*)|ZQpY`@i+IZ$zVHA1@Q>|#z7uA}DfhM?u!(aPH? zAn2|E?i6!4^s#GhLy6zt#*yWqSfW2LP?!|EIfr+SmxPI9O?aLv#FIYr_Pd`K+F^hp zkjQIBRh#;!h&6szN6i4IRo@SERld6%6!d-quh3z)T9#?LR!JV;dkj3X%nbw%806M- zWY&UJ(8v!z!l*`LbFK2BrA0$cc~OoQpSDYZFOmNKF=sq30XHX9((gZtPhDsgcWBWF zzVgwdbTqnWbgB3Vog<{%{~6|6N&&n^aM08d0t#GhSZ@YCG)#24@~Z zeFiN#{x--B)+|N!HmFVkEm2-= zTgkt^T?Hf$&voe9~NfTtHK;vmiPPhD+jEhr(?1NOq!^$Lj_rf`?h+30D z{g^hjeEb8hA8`RlY`G%oM3Uy|9wYh@&%@Q3wpC3;H&QYB6A={7>=wza#nov;_hlp#1)K zB4L*l4dOu2(FmKwe{+```m<1GHJLFdw(#`ygv)HW$cQ5rc~6H;M@I*Wj>|piOa|@O zG98=K^d}iB%geeSx~Wm}{{H@*ot>4Hl?rXxr5u%Oqxql$Hj`n4=J+fw2VEVVH4xBU zsWlQd=?|OA=FSuFnO|RD*WhtGKq7EHnk~?2uvGjez$+j?)TiC;|J3erQcgrfq_3uS z{r0f^aI!M9z5UT2j@SUABfM_ZNph~PY+psDsN~Za3_HCCz90|(x<6aT#K5=}0HF^? z*`eD%3-a>vFSma}i(1y~-43TE0o00F8U_Xq0)Fo9w?8Zw_A%bS~`{>2LQ1XAH?DN9T0J_OE}`?CqUStJT}H48 z&BZrCKZXej8tcCicCtsCo{6dSAdOM)mIaixq8v1ZWT`obfeb<&PUq@1SRy;-g45=_ zFMro_xrK&?o>V}iXV7gNoewQ6Bww@u5w}-)&WY=2Z2Cl4`Cu_IF}y|HE?>_27?Lk& zVvST4GIDYR!h!ytp7)(THwv;MA|kf707A3jSbR3~$fV@CBIz5sM3>tmRRBAo34q;9 z6s{i%CW3-Yg765O&Fxn&I7|^7PX-(-C%(I@mlqAkTr%j;$HSw`LT z5W~>UK*Sv-sM2w=LyVA|yLPIP5#Rm|gc=B=atoPefy`t79w$C`DU%Vj=k|LsuLnMdBl=>io=(TDFC$hu20rd35)7w*-d zsUC3q43a~#I>FIJGR5fV=%P%>(xI;b%T=JJv6P3l8~pK;UY1T9j*FEwsZ*-e;CeZ! zAaZFG9Roqu9v2I%(eq4q{A#nBd)l|LT3Ja6@wg7+6a5^BdWWWt>GV=?ai#f7S2M~4 z1Qx_Clo8;p8t1yj6LZ<)A)^1d{$z*pgN2c>S~609=SU|tZ9K!&LodQ@O&2OwERFBb zS(DT1Nlcf`bPx`MsidsT&30TiRTN&@BoBLTZ*NZr(`%*1ASb-4D5qMEa{iMJCZO;k z7$ni?0h}uspkjK4r5E%_h5UJ== zV(>n}dpo;UxbnbMgdQhWKs4CbrMr7S+NsqP!dCNiIBg559n_Ox@eLZzYyBF8=Un|2 zTaI$wd%T|^HZYwhEbMuztww1Aj?Yp&&BmSO1AAGktVEdX!keJMr{8 zh}ud(ByoozH6nnE4|6n9g`rKQA(($wdaE}Z8RZSO&j;txWK+wBwT5{XO$@GmxVsxl z$gZc5yPQJ;pPMQ}R94(zt;u{G*qQW{=FVdhekZ<&Jt^B$P7w)s6~b99?Mawd2~OtA ziAgR(jzmLd5wp+~l@8Qi&-oR4pBSH=?8;Y&Kp70<=4l?aY#OHiN#h9ZI5jm@QocOO zSY=d)jg2i*m}RA*2D%DGG;jfXeXe$3=* zkny_pr4#~!ozcXQaPAWAdk|9?T2R`5x-k#H?hM#8Mbg)@M!e+lAy8SW;2$reuRO* z0>zE*S^zjW%WxbtqS&qUml&t}_(!#wR@3c4Hcv)4=39Bdx_7nteBbL3y5t{dPRM`; zRYZgpX`Ecf>M@3jyVX3>WMC6jxBJh65D<@fAG4@3i@q7>^kWD^JCgx?el+$mp9^k` zek+^sqD~_R8->Kc@Gaey@C2GmQ3Xk$#xmEVrvp8j%Pp-;@gWtV(~n=1C!V$1Dg!F+h=w`Y+l28~^4i>6n-f%5?FG@dCf)BqvjV=9WlmlRjvi1K#yu z6CcDtmr1#bzbv|yuX>>FZe%1D>?k>{VEiyKeHr`$MR{2 z@YacYn`{Wyiy0b{NEZ-gj89Hdg3v^EvCaSrIF#q;FIlp6_sg*vPrI6Q#NVB92>*(2 zt1)N2N3b>~<0%_B`DI^g%E>agLW-RfIYE-^k#6IAn_+)GJ>uW5x-i~$AVjzwOZNPo ztf@`Rqvi?_iSgKDEe~4$oyX1)Fn*=^4mq#^zrgtYx66M+v;S}FJ)w&q^}2HW9L!OT z+6BN=M475#@n)u=xKv#FL($SyZEsS;wz}d`S}j@Cs52v0mPM2+T-<@ z`>_l*9|*otb50tq$I^SI!cp9-JFPXewC#U9nZ48q{>$8@+IToCx69Dz<9PRMb+@^N zYvX2XI7VtoP}u3@ZGlTrAYkF8D%)JCax0kTTW(iV;QD)uOKeVu$JiHx|H|RlKvpUJ z@OM8Cmpw(N8d6@niKD0W^PJULFSUW>hGvDDEtefc53lYflkst4xf%z1pGw=4OJ2RQ zTF1)XXiDJU%4zjI8f%_SU&#~XWp{W?h76YwdYZ(z#1LHdNuOlVFl-B%p3{WFYp<;8 zW(xeLs?u*qp$pFyhg5*7%JlhKgVn?N=1BZ_Q>xTD z2XA9@bE#|~zCS0{AGh+5&&FVt!Bi^=3ut^m-5);=_6`tf_H)y56rq zi$F$67odvtTB-zw$u8omZaOlGi(ztm{g@1|-QUb($J z-|6ZffY9>6WM+f;*w+&I^zQfPlZiA<<+m&;=>CUA}k6f5ja~exmV>Hn&_u(8%ia zX6<*22$Ssuq1D25y%xuPoT#5~5n+Ucgg}Ylr<=nGEs{`}TH0zxEVuCTiu<2>K7O2a z(#XG?H^2L~jj2!qV-UU=FzYtT1g7Y;I-3Lp1Vk1V6o?k_8^kw%idz>;U&#OqPldH=^v8~5fVyrRsVV}MztE|ba%2qr-H1RC zzoxSC86+zGl{P32r?P2A9zX*id;H3x@i>lqO9Uea>#F-^nqQyAM&4~?p;U3NqpfZF zO})lw&lQ$JD%LsRW34+i#-~fI9`+ zjGj~1epc!l~y|BWKIa>i@^F$2A597u0?0|_vRuYOeJtxnD3)2R>1XodlIK!Rzg z$k8@Z|4Z<5N{%R&$LJ88*Q25Y{{>oP$^!JvIwxTYWZU9rEalB6YQ@!77Ydv5)->P( z2x5b{q_@pZWG!bPO@f zcgbAGjW+Qis^Rf8`@PWs@!(sD*WySJbSFc!;aq$xmi0sI!d_M-e!S5^`Wo%rsu9K( zE^Sthl&v$*_4VSmAeLU;6!*dCob37QbGEPG&&6D8eVeD0j2d;AEfZPzrlzJGNi^+S z4g*nG90!g3MC9z@1X5DUzL$uyJy~SpqdF)H%X+Bu^2T%a`Z_&m_h;uab!Qk}S{B#e zGFGgxN)4ep9YxTa+Rp>@lGu~rGNW@@fKiRj&U;C+bEEoM)~TsUptCOgV2N`6c;z3g z!esRWlFUX8^0S8qkz8%41`E-_iQYGVkZ?&$LdNbn*>_*!!cwB9mX!?@kq*Phi3ONK zP{PRZ5fedCYxr;$a1#x-W5hOm1)yXDOaaMx7E4g_(?m=c!v|3YLiHn^qEw;nq`}e* z5wPR?6biz!x?4^|{F2slPo_wS$6}_tA zdU5z>l!xzk!lneg=ga1wqpj&|OA++sjOQlxOH?SxS|LQyBil!?a^#1Q;M<0fqN;$O z6g5%c02`KYiF~rwxHhiK2qtrb$>(MRWC^r)%kB&e* z=8I>R%5y6H4--*2R%ImY=eWO97Efj5$R4&Fc0VPQKxCL++TU5e2uewNRzorYK%P?- z_T2s~{!ZD=bBu~lS0%BlExupvCcp!P8^O^w(9=^_Z>cZst|$#0ISfcyEA)5RMGVPd zba-h+4!duWe^C;p!WhYSo3&#G11>H)=(PAhmiinz=6qDe3uhm^`48+0ae5#(HF>P{ zMxb=TxCPW}wymMfR?X4QYc!}V_Ex8u9 z{C|F{DCl@T_aytg)>@#i zh$D-lhoJ1AZh3wxnbE7Cj6dMOl%P*wyU^m~dChv(>xk47Jd8ftabfsk^utrci8}yG z7=Ios9|e@Of#VhnZLLWIrW-Gq8?a)D-4wue(Wr7-nV5^EtqOxSyA2UP~V) z;k*}eBP^0mXnqrieKrUdgUQ}ryN<*OhY_|w3p*RNvO69+e?>w-%0}oZbvZL%nI0kD`-D8@fXHBJ zolV_O$@CN^3rEZWt+@^PYy+5q-0@A88tIo#01wPwcHx<~Nc2XaHA#_yf z)~Yp>xF4lRpuLe|DlJX1Fra+4zXe6vGc za@;;!pmMdrN?A_EI#p9=qqOwc@BQh}?gz-0LW35%Up3esXF9$}n<-Fu$BN}_;fsQ#|E`}MK(XnMCzj}wVU_nMA#a%)Q``q^3-;G?cq z&xg8^oI5cvOu69dkx&qom~XK)xY342S~m1ag71^GnW`6jyya*j8Cz3|W{ja4S$?TI z-TfN%a9=2Fl|9G>sSkHVzBBu6Pl$h1v;hjP9BCM!IJp!GgZwo=4TBcbZMHYtsaxkx z7JgqNe|bl2qjqHdo@yuPt z!(T)Ww1{F>(1KH9ynz+L@1vf0E6T=MqB_)jEN5c=DW8{8xfm*N38;n6fZ|;Eg{5=0 z?`*S!`&?C9h(4ydZm+9`-6JlucUKkKG(+$>McPsDDm6kW@U|IK8ilXIc9Cvf_|ZIU zE*|hmfD%43QWZAZODU5UqPF~U-jUFnNlNyWdZ1{8U_d#PxzMWRxwCk(pBSiSHNp`o z-v$w4^7`yP2#7F|$4v)}W2&?k`g%;|SP0preXq=Ha#x(h^Fjwou&Y|P%M@pQYCcH& zWqr#Um41H$#aqeQ6q)C^q@3+K!Zi^7xm%dcc;MNwF9uMU+{dd%NgYk{YCbkPKt@oK zE>38~1Rlf_o*)9~rUT^0o|{11664Mw7YG8oLDpYW(eV7){#U$|Z)uiG!9a>GE#v@@ zr%K3Jfbhkpcsf7B+{MbhBN7lxsU4jJ1&qo>3ZP>v7G}GnG0h)#D71Pm0xKKbb8&AC zE(bYfYEr+kzKbO3FPDqeYQ-565imiU4NO$ zxt6%Vltvbk4dkzk{Khu33vs2y?T8Yd^?skP*9{K-A(Q$R(+CkwXK$_3=+`6Rh6v6 z3YJHsP)5f%0OySBSr{24@?1I;-7wz(94X>XB!uw|A!<=-;8RJ&x=u=r*a2SMttH`g z!^Xceh^7XN_z~36A<{6hRjgX|6tG}ibzQ4lt7B_POJOKle+*}5#Hi_66yG(>w| z>jTAF2^J(KDGlc_x99}4;qcQlekaz}iC>-3hLf2H#WnIWjZ=tTk&AW|?1t`oR9a`PIV=&DO$Y3pkj6bdEB3tqTe!X&1npfdQp{hcNmYv%Z4kUV+PQT zSW57T1(1_d&65>HGHL6H@oH1OYS>?p2*>c({&a*G?_79(ej|-Sw(IbO0A&41{`g*- zfWj6$658sDrZG4fHd*8ktu#xzyGq{JUhQYm6qQ)!+Np!@u%r#n>ynfx8!j9bhhuLQ z3n1}`dSTXTAfm-Cl=0=6Rr_fxwx+$Sq64(X<)<2Gc8Rrs#bey1u^EXXyN9cehEVOc zHw`b2PV?Cu-twBCnSS03dfU42KhzsBdR)Lv96ahHR+WT03{U^qNV6tXU0~w6QXz75 zp~#OP2O%BuImzPrHptyw)uF9~cENy^sE=!}k)V%@gpc!AGZQ-iNT5z-K?Rb3vQq1sd)tTV-q#Z{Li)`UKdrZv~kd z?Aye(pQXV%zhw$7cy@b~PocY|koZcc;4wS#En!mH2V3S~&u~rVWlapw9>C`IJB`P( zk*r1GsPrmJ6RZ88o!JioERrwo=0{q=A8(0fPD^H4gIMKNN!l;YsSQ%{* z?bB2*<4~*%R241#Y=7$Pq#bbH6+;z#=I%tZ?%Q-bN=hKxq7&6Ug8qo7bcR7duiiyK zKs@63+{+X>qEl~wA;fp9w|Q9G<95LAy9&8uObi=v zkRefGQaT`w`$MeeBR{hy@2@ffbYHHDTTU@_Sk(7*Qyn3-Xx^`i>!t+C*fR&e3a&cY z+9Ko`2Bx7AYG>6&i(et!5>rX^w}|gNQ0-zp&4bnw+=Kk3-1;%=6#EgXzui-9$V5eQ zcT^Qx>wHb&wBW=fuu}no-ub+q(DO13mR)<$EPJ(p77j|%4VFqR zJ((6}N2&kHAeB5sm9yKi#>Io^U=Wctf@A9|>ecD>;RZ2h6b?J1pmhdLuyXO;O-(@A zY!%lBO#)rJ5P9d&5=!kp44l_s!W;~Kb_Di@h<(l#eTr>WdR453iCW?*`&a-YS>5XJ zg+oPu21T||QaMzegeV`jA~vg2Hk8Lw=4%z z1>2lE!;w4(c4}@$y~KHizXIF{Ij}n5xI1%O$YlEAqj+y7BFJy|nm#CLUO=Id>&(t( zW93H|gizeeeUo`8h{-WaVV_6|=-+KR-c0iaY$f!t9!?57JS6Gxxj&z>zn4Eh8>P)$ zD*zwkd@jX%5`NB4Sgt47#K-yE)ZcKU__VwyRoEpwTaEsH9+T%jr>R}mbZOKylZhE* zIZuj=Ak|%NNbHB#*(l)ow)2ddkaRnK}LZ?J`>E$0W~~MYZf1@A2iz=K}Xd+S#L8z`kNuZ*iySz!t@Wh9dd5?9u(EbcLvmjxxUV(RQwCRUp4V ze>>i5pAoJ(3@Q5fQ~!EPGSK2so~s*z#^Cpi(1)S0U&ghI%OSllVL?RB!%(Y)&WQ7d z3U1~;Z+S<(aq4Ct!5RTYtIoJHs@W(5CmsJC(53`#lU5+}i?D3LQ239Vg{G!HQH$La zGUAWruSE$f41C4J;bZWLZZd(byx%JXR9WcnexQ{Rkl#kl*3xU9Mj2x;kkIiW_}P+W63mn`xJm$5xJqZyW^!8g7ONB zhC+lTtvY@aSEFKrivoD^Vlzqwx9Vh-*sL84T^e;Ij^LA40$H_AgdA8Q%F2wFq8@$! zz6361q6iXA{i_>nt#?zKhX(F=!urdNpsbgH9-c&iwRxUUK(!#wo)h|7(~9B5MC9%W zDVC!-JWjlh#4?E76y#B!yx}NejoVm!c4MT7^wQNv`-KL?M6yK={-kQtF28JqU&*t# z0~~p~2-&OAbH5c{seT+eF{-XL{M@jKxA50@WIR;5lGtwViTB`Xl7M6LdN+0eIT*X9%Sj$g9{;s%M@?pPU=Zl#1u>7`^f zUy>siODK5)f)2?geup6G`wV$Q`cjRqhmc_v(vQs>tQq|xru-(Hf@mkJOzkO_+ve9xSQ=BM~pT$yOeP%#5=;67ZkCgV&?O z4J=P3{X%R+4_{8+rFcv?m0cyrMi?VJPN_2tFwgypmt9GWy?@uLse5Jdixq+xj{HuJ~W(5K{H5e=mHdbX8=U*aNF@zaz)lW1)7^N@e zS={b4?AsVz@d60a!75XDIk%Rga}NE8l(#6nCEH#TI4ojuamaY!BKG3Ybd)2wesW zXv~BMCqR9gSo}(g6ZYa+R29)>Y0ddF7@Xg|=h{qugCgcsefzw`nDPypYd{0eKFHQj!&!aO*F)}8W#pF z$iUOYM|vPqR?iHlJW5V$Bg-%R!x4qrm(ih_z^h}bt}+ICr0UHJT=@^j#s1t-rQJy0 z%Mr;NVPVHBt6FXS^2*fKn@eiB%ftj8eBDVE|LYNHCV}49r(aL}sc<&dNy0GPdkOC| zNUycHH*uhVtymb{?U$YWIMA1;&G!3t_&9IHDCkeLQ7lUxOV8VDc|)F%D@c1RAEZ_r z>iyYpVJ~2%wC8AsbC4#ZosqS!N`7mwpF%5qK3Hq1l0`m&4m}_4vnwUu)^z_#paXyIJf#Z*!^j zVM+dZbB*V9E8U#L=c7{H$)H{xiTN*27{tj3wLUj`sPZ;*W*18aOF>tk2lgwu!Y0oS zg$YE2SrtAZJ*AxAg>x}`rr9ncRmQkw1G};{&h%@u4)cP<^)EbiDa&BfD~(py2w3iO z_zwgqvntY-!Q#v+rZF9z8~h9PA;~7AuJfm&QYK;J-T9ltn%A*vn2`&GDngfS`2a^< zN1UB7d}chfMxg`%rfurZc9v^js+OdhO#t-I`o;y;H4`07f z^a0#qM$3S&*IjyAcnaR1zV!-@DAk(%WF!CMa`yEhPUA0CFpW`>)XT%sFmcVxL)wOU z2kWGMbIxOJP}i|y-(q9N^xxpZTG(v6Q0?QFF9k`Sjoo1zVz_+fru$a0xk zTE+SzSWegTC$98nw~MsHTy!CJsLm?;8`sgB^xISwJB~A$+*OGa&oh%L)4F(tcH^*&K_Yy0?WasE>P2I~d&aCa5zHkJGls{tjmH_@?iN6o%6RKWBFWtfTr^?;(8jzBn8 z-qn@b4G~9_aeCjxI{K^>nWEndXNqSR!@j;5Zl-!sb?E->pXZ{OAD!A_$ZUJMAbmFX zUN**Sd-+H2!sy)FjxK9JL40S!3ITZ2@=>2_E%sR`nTeA3uX-*ww8w=PzugDT%< zvV1;n4z3SDF4dO>Tg}^6Th#=+y!H1ydYt$mbB}HiTbSdml(C2G92>rWt~y!nY~B=p zAJz*R`yThttAE;w^RP1tI$Pqb?fG}g=%4GXCW%kZt)TeN#-A!g*fRa+p@YcZZa^g* zjTy=CGzGPsH=%q&Z4$<-39;WFyJC(WR;4WAGM|Hg=C+1vg@%bv)KF+zsh%)xApAZP zbvNf1(>(1|^3c>MH3oW@#?NzF^z#15m1yr!K|Ig4$a40f3|N8o2F6Lz`_$9x__2X1 ziVv3kI;JJu>D&Uq4yOK$lCT?ly`KW=?L5O zv9_=7m*+a{LpL>5fG|uBj#lC7qIe13q%^dyJeM@zQoxELf)_%D5H@sVjwq$Y8ttr& zq{+6rroG6({X+-emPeE;6c!byT{Til94$CdQo$tDHUhvGi$Ea{+SYfeEHO01x~Pb)tnrf!A-4r1N5lbgEoQK`}H~Qw(L56!|sQK_V>G?%}}!r;~<6hx&#t6 z7ctAGn5jhhPwm_>pEv{zD(eyKT+4l?m-hoYBCi=Lyt>{)6_uxynjZ69ni!8{8{_kE zhJtG0JYuW4u7j_u#HeTZPJ_w|`}=_UCG*;HCbDKcB-r8xfc4{g?227dp`H)J7gE({ z_Y)V1o7$_VTj7AakvAs5=8#gMokH0l5yQaq6!&&D&d+fDlwOb-pAd;JORk?kUW}>{;u!2CAP}_Q&a-Gltm6kAq0di49xI z4$0M-_>$=e`)f4ynFKmggUmrNEQv^Y|BCSIB8QNDqI)iexl3Ms=jTx#U4k1E-4_a5=)^y{s)qXbz{s}gPc@M;K>Kv?cV z+;C~wp6YKpR0LL7%hyURGFD&S-=RtZdG}T-RGu#RI?{1og3%fSq7>bQCBF)!Ndp$` zbI{$OfdC9VA^%p}{9=L_&w@^=r(*>LSd5O8d<6(flWKhalXA;zytk@gD2zU3LFpET zc54f3*mEKvp2+EY$(Emgn^(&l%1QHuiQgTMf2fAZ2mI1RhgQAze5MMXG7D@BuLrx! zu7uX%WTx3X5a!L|PBxbiM7-i|NTSdjV%JNvyVgZu{b+cUgVjtk1Jad-@bSa0y zeC0$#oqdL{rIvvQwlb{6UBDg`}qVq?wY;wvXyx{ahaDU;DHJ?`#3%qx} zrhwxHkHd1;2Gj2mG|D}jrKKe@<;z#=$G~av$Wch%yD{c$30`D3i`m~@k)U5>v045U zn95@~1FECXDzqkAGyAIY0ikNXI5S4=pkJ$yV@9{4QMfAY7>J>4g?JA7D%`Q6V+uu0 zWw7r3m|&tv^A`O}%;ZWC1nMtD1HKrsRgaKKd#!&&p2G&3)k1b}fjkQ2Sy)x{B^ohR zNe#BIf*-FpOW6IU;$;bNy3npsqvlnEqDS!(*uH$vUfu>RNn*Dlx1V#o1NdSA987(r zhISUR+Gu`D3PFnCO@>8K&+)GAbfs_Dauh4snW|7-rJM5&#Rb5LQ>Nq34PZ9b_m%YM zsa7USCG0Z->L+^?(mM1I2Bi;DZcjJkC8LWiyT+h^f+ufRQtDyZBBw3wYjLcdG19?S*l9#pS+7z1FqHs3h3Q8*q z!l&F!TR_SHq>!H~`T0N128UMGbRW+Xl5|{bp9d9xIDO;!oxdOvVzG zF9zT43nHpiq)?|*B@st3RS_(qGz#hfjDCOIB+I+%Z4fv|*m~_T_#MemA+Cs82F*o$ z#ENbnI(Zhi9>KAoFh3=%3eD4lekw*#n(^%U1&ghr-=#{u9jDaunk?>ix4$YZv1Rs)-1VDJM00+Ml!bosd7=HNf;Zh>etK?H@cX{jT5hgC^ zmXW?oDo~<6=&d+97$M}C)s~Vf*GB$VLwM=h0^{_b(pCqPZ^xba>M)C;ys@$l;JDf#JRgP3g6`(F>vuzCA6uE@p|!a z-bK5i}hJW*I_LYA8EF(i2Dx~?;f{iHhI3*CY4yx7Kx`h|})v0wKTV9R@qgNdeR@GhI^T42<8R_DXs3pPz^n zKF#rJvKUZrrWE;b-RNcvEUFy&@=k^AA<_8*h!kI5>*1o9$S9S$CXTIZka*jEkL{f6 zL}{Qq9uX|GB5*UzH1r9mL3;h6u! zBvU2P^X<_n>AzI>GeG~5u=@p3fAIFB}DTk98k6~*2goMRE7YIXOXKn{?G`+ zJm=og?za<@4dqJ7%2%oOv7v(s@l~zBg8Ce)nExFRl1`G2O}R5l7DxG(n53hk`mfa> zH0GAepn)oa?)ZmdDaQ;T%0<*A%)D(imI86l@b^z_cXQ7fBb9NXE(kFjqv zyRm8!g9g{$cDF*$>G0{mRNb%^gevoZ7d7tFiMAYO;CzJxUP}lwL%X4hbDZ zq)YETq4zGm_aX=iL_n0@J0vubDxFC09i&JTX(}C*`Yz9VW`5_HIq#hJpPf6COg8tu zyVqX3`~7~RcNUIgkVQU$ioMgqSDsY#t?q5SUK=%BOnode<;wD5LS;&k+x@x(PLo5vQHH{ute9T3>5DDX~FNBw2tUI6K zI{k6G-`4$qo{^fitc9UgmyK}Ok4BKMf;)i4EARc2v+H7Old#U{4q#l#bzdvqdLlNH<czW=0Pj8hKZR03*Nlb>P4NK=-{)HTr8;Alc>Bk7 zBn=8|$yJ$zbE0)^-Wt#5?=7s*22#-K*_CV?HYz`pFprRVyIfG2sxMGy))6-AA?1rF z`3CD2S(}0agQP9CiWkI}*=J|L=3}&B!*gz_Ku*nqY0COUN=6wCA{Uu=@*DLF?uZg? zsaLqmY%I-}p+XK(3T#CR*5pZ#_iA2D$OuCcgM!@J?3l@4j>|#%*;lPJ!lvBckCu`@*c8I zHmNmB#Y+F-{eY3^MAc4>MWPZ$M2Q&|4Y@SOWMuKEdD~|{3tUcnGryDWI(&Gf${QLi zzVX`;G$aEGfx@vV_EgvfI0$_v8$TQb!rv7s7=n8o~MfXqw~JzI(nOj0mflWTRh8o>L=Xb$i?XSi>(-)6E`1 z6t1afDoMqdmsiqa!4bW-BNvnwe0dh%4J4>+ZL|7-a6leiC3?41@W*{q*A8q2W1pdU zSOwb;pf;?S%!__uCl%^f{9p^%!jPg<&nL9Kef(~tT_7eJ`VIWf(?ZXbuhm z6Bmw(v!pdaXnc!ceXkrw+i_=r|5J>Tc%Zk1>cdB+rJf)0}_ zDtr0K(-xAAF;mQFxmxY?;{!Ve$&XXYQ_6vk>G1FE7U`1bx~7>Lk8urMU~IlF(ZcU4 z*vr*X-3T>>AUeFQZ?TRrY3oGTdBHM+O44$aJsr!a$h|I9Ee$_17`=?>uShu)T3v06(_Uj!Ecu@-?OB=+W=K z#{XfftSD<*3OsK~o^C!IPphA4J$7E(adG*@%QmDSi(|WaTry-5U2j&iqUt9=mM2(v z4lxcfT3S#}nDC}cWY*h$%Y{%4+!9A+7fqz&b)l@Gmb00UIHW}6=?z*9Yn+lN4ZCzT z*W;yJx_?>Yy7VtiY_ic^e)W@O!=2(@Y?}UiO!8$9C`)VKzr4x_@Oo!0N0lIcTJn(RA{u8mOI7Fz_i-ys;&LcHqH3HuzK6rEU$>I{1>1pSI*KuXb<>q+puA{Vv zwQIMbEKjq){u4EhZ_cg3hW=D%?DxzOA=&RG9OZS|V;&Cl>yK5R6*_Ggmi4)`&;~)I zA$Fb#Eq=oa$x@bb?=FtX8>%mVXt-~QK9Du+_W0G?o+oSJsI8M1t`)dB?NWRjxmp_W zTC%6i&+6o25#J$%-)G7Tlk)cx%RkP6JWiNVc0NDMO(XXzOuTZq#jQhJr1E_6veboY zZny+QT_zF{0%3k#H$C${LGjj$H|K4hLodBTd`p7c#}HS3Utq-ZyPdrQo_23o?ow0r zD4PP+`d5ARPFi1)DG>5Y*id^yHGP=&eS$vvI+`3doj7Kz08=3uG@PVdr$VB)QjrK{CUX&rZo#7 zOOjXK^X(Wv2s~hOvy9MtX5TG=E6otYO)EWm^{o9fwrUmDlLYZoKJ~qa7v_$kYD94~ z>!%OJZHH-v;_~lc5{H|=Tj{jx-b1%gzoiGyvyK{W)au$+q#u1Efw;%^gy6z^i;IG_ zDEC$oF7htO>j82?feD%dHK}-X>{!pTRD2?Fw^gr1Vs{7Z-C2YM!oi8XW)W=P zd+pF6J20|M`#ih0Ent%yk*)UP=2mt8*&(~xssS(lJy-uT_1~y0Zo0!idv5=>)x3w+ z(J|OGjH)|XZ?4khC*gIv$Cb-iq{~%3poxz3AYQcO_Jsgwh@6!NV$?9t5pHD8m=J_e zDv@C#a<^;EL~&ZCZ#Wu%8>eWqj`U4;BXcb8x^@hao|q-e$()8Z8X#C}4xiJDFpAH2 z_x6iplj|ZCipY{`CL_t7#wwE2O0zwm|0MrRA^+k6*69x2F(*kd74{q zG5Wz0X44o1{yZ&R*ER7gq(Yd4l0q07=N|+EkMFk#()e!<_V!HCtlV##U1PvPKSyr& z^F|g$TFnJL$9@7t8;jn=bU|L3kj%{;5UTJQnya>*4VW?Z(HzZ}iy=XH0P~5`w!=?y8(pgPsiW{kf-_Uo1qzi6)xr-w z&LgYO>qoD&A{E}+-fmut6~UDZc6ZG;#+f7~)bBwXquzLWuKt}YOd0*as?MUf8a*_R zr)neEtt;_B)N1Xe;`P$EOhHA>pAHWtxH~AfLhOk`mD%hYZrx`1grq|}`+1JRfcptI zk}cga?_SBzbcS9!0{-^DGS|PiM3Pf)9X-l*%X0CAS=m}!!)>guvKAUW4y*zQMWrH? zluZ4%m?0Jm7m2kYpOg3}iq(_nuMQ`#liWW#GN*o%y?lilq%5neJRSLJKp*%}8R9TO zOIf!}u^wU!{e8f_G>&ZUPa|fOV(^DO zQK9i?_d=sAep|J-e_lzxNIJY)%}?j>4Bh2!<^kxLbT`GEGL2_T{yXKsb=@B= zi=YrHU9iU(Q=axd+8i6Sc3?^BfXBhab_YTZ&YOZqRE`y|&Uf2(jdf$zyqPXcsxWGg znIz%TyLQBgcjb=->|qg^Gs^M{E*9G24Lyh~e)-=WPfC{l;XY8Xg<69nzRkB?r0d z4Dt!(pi5hWWBkE)N~IVO!A>E$i%|NFU-#Ubs`PV7cClYD_(?)vo(MdyRClsiVnUAQVQE+Kd;!rmKk_@%UOo+LzNd3RekHJWwnJFdbKeIPKj?)=DAjnUX)Z;~APSiu zOiGROS9WvO(2|P=CCJ;QQ{%;R;lYv$egoW5Qlrha;^*;91_D0G4aFDc`x%L$_N2-s z9Bv=(kPJT}A<(BMa9f9^|rvVm_3?^wt)$#rExgD1JM^ zyUx+S?^Tb-WScFLc{={$!>zspU#M8cl=kwj7|Rx>+#Xpj#f^%#BvgsV?@0S%Q63kc z_h3GOvq0@$FEg^l-Ro0m^+6~YYh(ED-@@Ch5(0hqyD0n02@+^bLN7Git>P{3#_ro- z!`KP&7n`TPdQEJ|jg+$+3qH0w-@dn#ErxZ6|Gp;nwO@6|l-AacA~)VPV~rG(7BR4? znk#pet?QD?2J!eEEAA zpGM}V173W`+h3%3&EI0AedA5)F{aU8Q3iw;kVSUa{J!$S`qh8~2Kf!XiPq*^hPyvqicn-|$Ln(H|11q||Vpkcp;7 zYI{L0?t)U3^K_c#e$7F%ns16$?lS`>ORa%CG3~!B%H<6_F_vMIlWfd6ghlAVSETRO*(R~d2lt;ImD=h zJ=rofiuLSEvj&?`bUF|9+vr~Yb@DhzCF*3R!Vx4xvNK8+{>xDQK?Y4y&Y#4C_Z>JC z=q0!&Uu&~-25L1$)VL#|Ut^X-kh)3o|k!j7{aZL|Dd zp9Q^0$s?6mll{G@R0-fPp|QA@KFQ%ggdcdlBH^bncFi3Nsxa$x=ypieS}J9k1rk4h|o(Q*k_CAK@{zd8&x1*)#|S~O%F zv_%aw<`k=TIYG@ejWC||I-#15+94&UwBG6Y@Zqe;g+XD#H^y^L$~_Y{h2AZ7i&K<@ z{yiQ5DQVa^^VkjIE@T+Rv%AYk9sX5cg!9; zqSxl;(se1rC8mhGAwI;3LG!=9wZ52O2{?(qD8R70+t$p!>f7P*` za9Uu`=l6mlea-2w4d?t50H3Vd^~@ua(#?M&EuY(+@K8ip7;7TN>YU(Au_&hlr zf2cu?hJUdc$e+3=YFp&9XVG&*!ifwtq0ZN~TA`2`Odc+)NaPPH0N{D3%I~`AT~l9A zV+W0(<7u%Zl56XDi(Nl_t7@#Jgr@+ldr$mz3W0glA@H$ojAZ-Bi!=C`9xy&P(E^XS z1h#O$h*w3IiB$UkG`bcs60{@Hzl%{}Epy|t+HzgcETXXAf3T$nj-eNyIw~0|z?1Y< z;6Yzrt(f5CfVZtG0O&@l;NL|kxJRk^EA zdGYbD)=9VA(zWDZapn70t%u)ht&DK#3G9*2f{_7-W4A(1tFC_@ixo4FgU$Yi!qv_~ z=X@1Rx&&$Orh7Yg6aJNgV7vc<$50j6&D7QrBxj z8sHeF0=GwCaI(7uU?Q{Y1IaE64Q~6ZU4bXR7e%akiH0`er8=7NKnggNDdN)+hCMe8 z{MXD(C+|!eTvy&RD?2`G0boP1fD-`J+5EG=c2#QG6-_>0=Tt3QQ(c$o?BFmDpgF+3 z3%Em0r*@yLnl>9N_c%YjIBF?Go9Y0P5jPlSRD(Q6Dt|wFY$!ni_o1hA;w6CUjARHM z&Q@81bUB|;lzI@@n)%MOi&TVMm)k)_$lggDF)=X?R5gIM&EP+N>X<^c+27!{CKvk< zaskX$zoc3Kz3uv|k|^%`YnPxW1*@xFh%Awt+G;$#yvj{l40O%L3lz`p1Ok70-@=Zq zO15~W2ropMc4bjCs4%21G?)u@*{zP_2e~D&3Zd`Cw zJk7n1?MkbtJNkKY1%FELhn&0G~XU;N9_u&UtK{d`F&w$XQ>jc5;oS zj96GW5n8NaB$P2t($PRd=<>S4Vx@Ipqw*+Y_vc3S$(!Ly^^16S!1sCeCb(eL|Fk^r zzN!A@aERlWTk zi{lDlAAi~oXZ!`wIgo7Le|;5)a|1mD@Iik-7Xb0}96AVm{9Hy2bfR~z0m8!_bn3P3 zkiDt>&L~o~eV;_LbvhEYC?0!aG-eUXRabY0_6k*Ou;sYRviAI!Xh#M-GoYUGeEsZr zXBdBXvj{EdqB%5V!+-R;%-r^-99lvu*ZU!&zb?L1#xJ;^&T_o1h;2&|I~7e;6Z=`ZRv)`Ec*6AWD5K=fW!7QL%pjQn3}d9mmOS%)$3L-c~l?TQkT4ags9U_q?Hk|Geq` z?p!UR*3D@Vd+PW1lA_|uFhyAi=@(`z?9G|w15Y2tcSK`4;*pXl*{Nn_=AN}GgGaS$ zgaxFr0Fp5G$@*^n^htLNO=<%`4F{es`ur>|GsBAj(1*A?BA%N>k4>8bGzE`$?0k-5 ze{+4gZwdt;uD9&D_kbt(;txP7gzRE8! zfKz9jWOV_GAnPW5#qRj7qr_W)PPQw!6!-;o;3l-Q#TMAs-}x~ZAS1IT;IY5axnfYf zg|u8}XdMWAfT7qkMRmG|o{Z7^+p5SW8~^uOoiEbY0HT9{&u^p8tOs>{hH;70-?4hgMBX|KxEvrJ za_RoWB1#lw{Tgl#*rgscDp{iXT)1?PTj>9$&(WY?CE$~57`|KAauQgBIn}AuuA344 z1&GcVYZn(6-F%1k&y_G-x{q~qujr&^_^?%0Q1DW!uYfbR*~C+3v23#&KIU-ayj@UU zw8dJ?^vk6fj2zG>(D}6VRD@lU>Ifr+jwK?(iyPft$6?x<@rwfQ($YjBHh}l6HCltD z0AY9R;Odtp9+dVY$`u6Atmt;%Wgu)(j2Mt*k7<1%8PA#4m9>Oc`9KXIEus#Fd%SoJqzS8uHV&Bzz|SMwhtdvp)JHn!la7i9x8 z&d1C*Hk&OH{VS@;Wamny5YE1GaZ4{6ugzfrx`Ts=IA7FSQOh#BkAPq}@|(jBL3ad? z0#1$|*HpDXrohL1zTj^!6K9&I(x#iI7`|5?oH)rKzHg4@ryXwdRriwF(IPZ>OysAsW~bO&Mmw14k*t27Z?8YCk=@DUyjHsWHvLVES&6Z#&wO-57ZY7Zg` z6mivG#0w`yk36^3(ArqRKKYJTu7ouy!5ot({miQNnH0#=)tAv<$x=DTD}0(y^j1PN!EA4L);5YfLK3`SSCTFK3_*Wt6*`BJY9z`F;OUT> zs-|_Mky@7lM>n!}okfjZ(GPbx;f<+iXuZI7c%AsMy}y$a0B{W>Aefm{U_P z8MJFvB|;je-!y8f;!O&t1+!M{c#}(etf)k|oWa5i?T>lL51(t_Rjn;4fm(@a@vBt{ z1VL43@AQ+dI2ah#2z=3`*4m#8R~l-WSy16u;e5gtj#NY_nIXv11FkDp#b;Q-95P|I z;8CmPThpt)_y0}JFY*gl0X+F!7tBCB7*?xG8ZPQc!I$K3z&`+B0CK%dg_K#?e*qkn BId1>} From c47436b8425093af113fd111aec9db67107dfa63 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 25 Jul 2016 13:34:29 -0700 Subject: [PATCH 39/59] Updated terminology for classic apps --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index c207992e98..8b959cf4cb 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -41,7 +41,7 @@ After you’ve set up Intune for your organization, you must create an WIP-speci ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 2792e078bc..1df152a129 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -59,7 +59,7 @@ The **Configure Windows Information Protection settings** page appears, where yo ### Add app rules to your policy During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. From 544eb1be3b5f98677349e0dddbbac29a57614dc5 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 25 Jul 2016 14:13:17 -0700 Subject: [PATCH 40/59] updates for Account info move --- ...age-settings-windows-store-for-business.md | 2 +- ...ows-store-for-business-account-settings.md | 20 +++++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md index 9949754977..704d4d4401 100644 --- a/windows/manage/manage-settings-windows-store-for-business.md +++ b/windows/manage/manage-settings-windows-store-for-business.md @@ -37,7 +37,7 @@ You can add users and groups, as well as update some of the settings associated

[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)

-

The Account information page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business

+

The Account information page in Windows Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings.

[Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)

diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 38f4bd0b54..90469e91a6 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -110,7 +110,7 @@ Not all cards available in all countries. When you add a payment option, Store f **To add a new payment option** 1. Sign in to [Store for Business](http://businessstore.microsoft.com). -2. Click **Settings**, and then click **Account information**. +2. Click **Manage**, and then click **Account information**. 3. Under **My payment options**, tap or click **Show my payment options**, and then select the type of credit card that you want to add. 4. Add information to any required fields, and then click **Next**. @@ -118,13 +118,13 @@ Once you click Next, the information you provided will be validated with a tes **Note**: 
When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation. -**To update a payment option**: +**To update a payment option** 1. Sign in to [Store for Business](http://businessstore.microsoft.com). -2. Click **Settings**, and then click **Account information**. -3. Under My payment options > Credit Cards, select the payment option that you want to update, and then click Update. -4. Enter any updated information in the appropriate fields, and then click Next. -Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. +2. Click **Manage**, and then click **Account information**. +3. Under **My payment options** > **Credit Cards**, select the payment option that you want to update, and then click **Update**. +4. Enter any updated information in the appropriate fields, and then click **Next**. +Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. **Note**:
 Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance. @@ -132,6 +132,14 @@ Once you click Next, the information you provided will be validated with a tes Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. +Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business. + +**To set offline license visibility** + +1. Sign in to [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then click **Account information**. +3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses. + You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. - Distribute the app through a management tool. From 509a4731c8b42c5423a332a14442531f4cda36ae Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 26 Jul 2016 14:24:48 -0700 Subject: [PATCH 41/59] Changed from Mobile Preview to just Mobile --- .../keep-secure/add-apps-to-protected-list-using-custom-uri.md | 2 +- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- windows/keep-secure/create-vpn-and-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- windows/keep-secure/deploy-wip-policy-using-intune.md | 2 +- windows/keep-secure/enlightened-microsoft-apps-and-wip.md | 2 +- windows/keep-secure/guidance-and-best-practices-wip.md | 2 +- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- windows/keep-secure/overview-create-wip-policy.md | 2 +- windows/keep-secure/protect-enterprise-data-using-wip.md | 2 +- windows/keep-secure/testing-scenarios-for-wip.md | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 74316d36c2..23f75d7089 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index c7453f6ae7..efe9a2b7a9 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -12,7 +12,7 @@ ms.pagetype: security **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md index bbc18a1b86..4cd28d1adc 100644 --- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 8b959cf4cb..01d0136664 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -13,7 +13,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 1df152a129..3ae03d160b 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile - System Center Configuration Manager 2016 System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md index 7764b128bd..757e51c6bf 100644 --- a/windows/keep-secure/deploy-wip-policy-using-intune.md +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md index cd22a1751b..95b0cbd677 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md @@ -15,7 +15,7 @@ author: eross-msft **Applies to:** - Windows 10, version 6017 -- Windows 10 Mobile Preview +- Windows 10 Mobile Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index fc2a63266c..28eb875c28 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP). diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 62f17352a0..97d8e1c456 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -12,7 +12,7 @@ ms.pagetype: security **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md index 4c419a1aa0..3bf1ce04f2 100644 --- a/windows/keep-secure/overview-create-wip-policy.md +++ b/windows/keep-secure/overview-create-wip-policy.md @@ -13,7 +13,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile Microsoft Intune and System Center Configuration Manager 2016 helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 49c6d501f9..8d3a590aae 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 75f3ba3987..125cf80953 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -14,7 +14,7 @@ author: eross-msft **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile Preview +- Windows 10 Mobile We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. From 44f94289d734a85a3cdd31c7ca86646a8c5e386e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 27 Jul 2016 09:32:10 -0700 Subject: [PATCH 42/59] Updated the important note so it doesn't have to be changed with each version --- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 3ae03d160b..e8b8dbf122 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -20,7 +20,7 @@ author: eross-msft System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. >**Important**
-If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602 in the Insider Preview program, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an WIP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between WIP policies across these versions. +If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer EDP policies. ## Add an WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. From 12d7c1ba7bbe49a1bd5afa577276910817ff25d9 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 27 Jul 2016 12:18:09 -0700 Subject: [PATCH 43/59] Updated important note with newer version number --- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index e8b8dbf122..f1bad6a10c 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -20,7 +20,7 @@ author: eross-msft System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. >**Important**
-If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer EDP policies. +If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing an EDP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer EDP policies. ## Add an WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. From fb1c95e35ee22c0195187848a548534c514e9102 Mon Sep 17 00:00:00 2001 From: Dolcita Date: Thu, 28 Jul 2016 05:56:09 +1000 Subject: [PATCH 44/59] reverted back to previous state --- ...bleshoot-windows-defender-in-windows-10.md | 33 ------------------- 1 file changed, 33 deletions(-) diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index 5f67f61c7a..1f4cd6f3f3 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -1014,39 +1014,6 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-

NOTE: Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

    -
  • Default Internet Explorer or Edge setting
    • -
  • User Access Control settings
    • -
  • Chrome settings
    • -
  • Boot Control Data
    • -
  • Regedit and Task Manager registry settings
    • -
  • Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service
    • -
  • Windows Operating System files
-The above context applies to the following client and server versions: - - - - - - - - - - - - - -

- -

From 0aca69d131139bd9ec809bb72a31f1d982109d5c Mon Sep 17 00:00:00 2001 From: Dolcita Date: Thu, 28 Jul 2016 17:04:15 +1000 Subject: [PATCH 45/59] Updated with bug fix --- ...bleshoot-windows-defender-in-windows-10.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index 1f4cd6f3f3..1c23b5ab8d 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -1013,6 +1013,39 @@ Result code associated with threat status. Standard HRESULT values. Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
+

NOTE +

Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

    +
  • Default Internet Explorer or Edge setting
    • +
  • User Access Control settings
    • +
  • Chrome settings
    • +
  • Boot Control Data
    • +
  • Regedit and Task Manager registry settings
    • +
  • Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service
    • +
  • Windows Operating System files
+The above context applies to the following client and server versions: +
Operating systemOperating system version
-

Client Operating System

-		 -

Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

-
-

Server Operating System

-		 -

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

-
+ + + + + + + + + + + + +
Operating systemOperating system version
+

Client Operating System

+		 +

Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

+
+

Server Operating System

+		 +

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

+
+

From ea5a652fc567844f8d9ab488ac028184349770b0 Mon Sep 17 00:00:00 2001 From: Dolcita Date: Thu, 28 Jul 2016 17:09:53 +1000 Subject: [PATCH 46/59] Updated with bug fix 7699825 --- .../keep-secure/troubleshoot-windows-defender-in-windows-10.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index 1c23b5ab8d..a53f073958 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -1013,7 +1013,7 @@ Result code associated with threat status. Standard HRESULT values. Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-

NOTE +

NOTE:

Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

  • Default Internet Explorer or Edge setting
  • User Access Control settings
    • @@ -2695,6 +2695,7 @@ Description of the error. + ## Windows Defender client error codes If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Windows Defender client errors. From 62e4c2ca04d5ac314eda94f392f45ed0b77ce078 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 06:48:46 -0700 Subject: [PATCH 47/59] Added note about ltsb use --- browsers/edge/hardware-and-software-requirements.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index e7467694cc..3ea72fa32a 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -19,6 +19,8 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. +**Note**
    The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. + ## Minimum system requirements Some of the components in this table might also need additional system resources. Check the component's documentation for more information. From 1aec20b855f7601d4072d51583c97d03770d5af2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 07:00:35 -0700 Subject: [PATCH 48/59] Added blue bar to note --- browsers/edge/hardware-and-software-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index 3ea72fa32a..21dca118cf 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -19,7 +19,7 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. -**Note**
    The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. +>**Note**
    The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. ## Minimum system requirements Some of the components in this table might also need additional system resources. Check the component's documentation for more information. From cbaf7404b7faec2533fb477be770412cf44d37e7 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 07:28:23 -0700 Subject: [PATCH 49/59] Changed EDP to WIP in new note --- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index f1bad6a10c..373a196ebf 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -20,7 +20,7 @@ author: eross-msft System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. >**Important**
    -If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing an EDP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer EDP policies. +If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. ## Add an WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. From 013241011bcc902f815c2f86d20a53b1e2f9669a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 08:03:59 -0700 Subject: [PATCH 50/59] Removed the 2016 from System Center Configuration Manager --- windows/keep-secure/create-wip-policy-using-sccm.md | 4 ++-- windows/keep-secure/overview-create-wip-policy.md | 6 +++--- windows/keep-secure/protect-enterprise-data-using-wip.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 373a196ebf..0f91219ae8 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -15,9 +15,9 @@ author: eross-msft - Windows 10, version 1607 - Windows 10 Mobile -- System Center Configuration Manager 2016 +- System Center Configuration Manager -System Center Configuration Manager 2016 helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. >**Important**
    If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md index 3bf1ce04f2..786a59475d 100644 --- a/windows/keep-secure/overview-create-wip-policy.md +++ b/windows/keep-secure/overview-create-wip-policy.md @@ -1,6 +1,6 @@ --- title: Create a Windows Information Protection (WIP) policy (Windows 10) -description: Microsoft Intune and System Center Configuration Manager 2016 helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.prod: w10 ms.mktglfcycl: explore @@ -15,11 +15,11 @@ author: eross-msft - Windows 10, version 1607 - Windows 10 Mobile -Microsoft Intune and System Center Configuration Manager 2016 helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ## In this section |Topic |Description | |------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | -|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager 2016 helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | \ No newline at end of file diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 8d3a590aae..18a94c54b1 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -25,7 +25,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 | Microsoft Intune
    -OR-
    System Center Configuration Manager 2016
    -OR-
    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 | Microsoft Intune
    -OR-
    System Center Configuration Manager
    -OR-
    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| ## How WIP works EDP helps address your everyday challenges in the enterprise. Including: From c12f3726f8088f56b8c4c1d3694f0e12e471921a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 13:30:56 -0700 Subject: [PATCH 51/59] Updated to include Server 2016 support --- browsers/edge/available-policies.md | 5 +++-- browsers/edge/emie-to-improve-compatibility.md | 4 +++- browsers/edge/hardware-and-software-requirements.md | 7 ++++--- browsers/edge/security-enhancements-microsoft-edge.md | 7 +++++++ 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index c56c47624b..8b2cf5059e 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -12,8 +12,9 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros) **Applies to:** -- Windows 10 Insider Preview -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index adb462310e..32cc1d9d2d 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -13,7 +13,9 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) **Applies to:** -- Windows 10 +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index 21dca118cf..ad9c6edfba 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -13,8 +13,9 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P **Applies to:** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. @@ -28,7 +29,7 @@ Some of the components in this table might also need additional system resources | Item | Minimum requirements | | ------------------ | -------------------------------------------- | | Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |
    • Windows 10 (32-bit or 64-bit)
    • Windows 10 Mobile

    **Note**
    For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | +| Operating system |

    • Windows 10 (32-bit or 64-bit)
    • Windows 10 Mobile
    • Windows Server 2016

    **Note**
    For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | | Memory |

    • Windows 10 (32-bit) - 1 GB
    • Windows 10 (64-bit) - 2 GB
    | | Hard drive space |
    • Windows 10 (32-bit) - 16 GB
    • Windows 10 (64-bit) - 20 GB
    | | DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 653cf175fc..b5911b3f4c 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -8,6 +8,13 @@ title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) --- # Security enhancements for Microsoft Edge + +**Applies to:** + +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 + Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. ## Help to protect against web-based security threats From 2f7a6d35144fd2594cdb4f7c88ff19ed3e42ed55 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 28 Jul 2016 13:48:00 -0700 Subject: [PATCH 52/59] updated reboot reqs --- windows/deploy/images/check_blu.png | Bin 0 -> 20441 bytes windows/deploy/windows-10-edition-upgrades.md | 17 +++++++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 windows/deploy/images/check_blu.png diff --git a/windows/deploy/images/check_blu.png b/windows/deploy/images/check_blu.png new file mode 100644 index 0000000000000000000000000000000000000000..d5c703760fb073475c417f8a730a8ded321ae830 GIT binary patch literal 20441 zcmeI4c|4Ts`^O(CYedl|ov|dzn8i91BgUF7jL>S#JjR5XF(zvZm25>)*&-?tQBgWV zsU%UPO+t>4D4a-&@O^A0qdDh%f8XEo`n_geui38a{#^Hczn^=#?&psuY@?;Ih|qE& z002ZxO$=2A~3czgiBLXF&6_jKI#WsY> zq}EAV-xfDCoGVqH63QDH8F*OIT6uoB&`bVSnKO|G&W46p3^fOwb$d}X@b=NjwOU;J z#lEDxYW@;|`6o?OtOp)rDe^nD(i!UeNtKvzE+8-;Kw5_euL0%;08Zs{a=yU9ctFCa*IxVM+8nWVC5Tjf zu6BVu#xQ7$0Nj(`-d<&;VwLHVwGtY{ImCqZDtG+im!X5y7W~oo5CBr5C86H-4f|G! z=2TT_MCOa`fOp>F8&?yCV0@f;cb-hx9h^A-=v?)mYO;jI4DW9STFR9G)Oqyhfb3X z(?7Q6-l`{~Q+&98W+rJYyS)_p{k*F$Y%3n*jjmEu`OmrYOK0=z5^J z+Gn&!ci1>(6%goRddw35wj0Q+5GwL??+XBcK}wL)Wj(1+x0foH@U6H#ui>`vHz$pQ z`tqfB^u_dr$bl=EPHQgi*H=9B=(4nu6XMx=X|)n-*F!N3QI$J(zl-WH77P*vl5Z;( z1qsg8D;HQqlzA1(;~efF7b&nLKKP5wZIihRBjjNZLM5za&7##!P&VNNn4O7quMTq# zCS!S}NuGBMeFn6$gX_5h3A+IL>N>Edf_n`Hi)v_@eW>*z%h<`0z>WoH(IG8BQ zy;vBv2q6{_iZ9iaUl@i*uP!(`$MniM!jpwhjGoYJ)D-6uxZRlC5Wp> zZPw3D&9}K^9g?v~ZC3*3(SgOLW@*`HPCQ-iy2N#Wdg&eOhIr$Nm6oxO?VnV37{7~s z$NR}=zQ`fT1NTEIipvt0@-L+<^I3W+&iwqcrxDBU6Ofvy_i^p<3*zZ^4odk-yCtJ5 zgidTYp>RS<2|>7!c|P-Xrm$U~T_qvv!gkv|IYxG>wk;O~pPkII%S_t%-d4(%a$#LY zNG2tNPS8EK*Ks(E&+)GLT`T-K>y#@yT8heG!lY$+zREIgB3Xxa1*w-RTzOQt+gqtH zZdkf7LMQV=Dh98*LDfFbrti3mE`Lj$=a*9~OTl)<^w_?=;jbln*1TCGbzaT900nM! z%RCu-(jm(v%R0;WeX&MPS9;Rs+yP7Zd+&Dm@bsQ*g^-} zpQDoLmL`>2Xy9{;mfjtgd~ z-&6ObYfB^U*MGFeZ@ar5pGG`EjBP#`T~MQa_PNm!qXmblWm{Y1TRh4<%FZhADaa_8 zS#(--C)ijNoL_T(o%uTR`;Q(zI`im7yn3Pzsutaz*q&IM*mT`#v+ri*{EYnHLDSsU z&F3Av^NVP~n=y`Q4tATj>nc+My9xU`q3Tq(?w)&} zPIe$D4%K4SFI8Le7geq)r6$=XJ~gH+p%i!>=nIVqGuvOO5{pwwlqzd1FK*qy>i68% z?Ej=cDKRhcPFF_#rEZOGYIjJ(>4$2k*CactdOf~dj{n2DtwvY)^a-R})5X13c&i}F zwRSlK2@!3dU3>X@nos5cv1bYHGmd$>1=pgj`5OJ&amPc=lI!KyE3NL*lXnC+;rGdn zl1KeVYk>5?RXh~lupqslEpvvx`0tjv6{(A@2S4Z5b?F^WDbSPDi`t*PzwLImjBELa zquDY8?QvDnRaDX7jeFm{c+5|HON_X?cmC?&kYM{mx{-`fhvhY>SaqM82E133!JxrO zgV%`^lojR@e1p0YE>mTv_AAXBYBzMtR9qY%K6glRFm*Rufl*P)(V)5CZ2H#K7xE_Q zjc`lAk~l>9Hilnn)tyhl>5DI@EL6sxTyGv~sdfBMJu#(>#fMk*F7jCwDdcxY`VK`F zQKL~4`VzlYX{BYaiIRo?u@BKj>VER~RMV8(3J$KmaJ0x=#Jn*Po4h!|8|H!5!4{(q z9E(2csh=rh5tC2pq`Yv$t5m-@+|u`|XPTx3BTIy%)96SMf7B5 z?AusTnn>NNt0GOCu6Ff*Hmpa)K2oeNJdlqsID1R`_aZR;LDi#mx`cCtPlQ2&M)#A( zYsA_ww3=?IfTGW8AD-85DH<5YJ-AtK$75&l+~qkqWIB{Lpqmqx+41G%kjJ)cOApVk z`@Bzhhxz41^J@#9J(qr>L$HZ@vG%>O=>6YrjwJQ?z(q7f?2eo&dn3m%@N4ZD5NsM) zDT00FeK_D^Gyl`yyrn79h@JWgy$ME%wh2R9oVVPtdWfre(fQi{n{oYb3r?wNJNj+t zBRrtK>e&A@hSFPoIO#;vp1mqx8=UITLf99F1sSSG2BbYwz!@ z-rV}OMfShjCtSkr@aSZ9YLCP`wYpz;sxTp^V5?g}w}0`q0GELdsbtNn#!tn59~Y0l zc%F>WX)NyZrw`m4=xj&JGsYI3zg@{*A=Bb7Nz z79;k4dH%k(swS=`HMTc4=9b6qwBgQ@_scHTm)$8_dGmp|8AOsB$bvb86e>+ewx{rxER0Ilk+oO1Kw2>HpexnHp9$LfTM|hAZX^s@ zRu?Cv?Tdv1cz`S-%-6%6=7sguksXhVg?^8j5wfuHA}lu@S-r6eVGb4>VR$+dgsH2j z!%0Xq3Z{usL8+@@P$*>>8i`UxppXbO2982u)ikjv4cO#M7AFM#(q@ufur>xplhr~0 zbYxvwECv>V@bU3c@ljQwGbsoZ27^H$(Fime4wZm=`O#QJUpUQ6ZX(E390Smc#H2D< zR5}ed7MJKu-^J3Al^v_-`)jga9t;bM?^V&fCh0*O5xztQ0;PgPcz7UYQ+lxsy`i9! zjht2KMet*Q2piCgzKcl$4ZT4cOK$d1HsFu`{*6#j@mT|rN#7g9*u``oXGSI=KzGms zs@n_d4rMvwto(b9b zn3}lM+ECjpEU*T2(ylQGrUp25HGMP&t&hgzjSRKaP$+#A9;2$Ng-7e7kZKxwXl(?W zPuDaHJ*{ ziJS^GUh3CDyyz}0A0iXfqdCc`I zWOVXB$$BOlG)*#FMEbvzolHcYMf#(LDZ&OnKu+7tw8k|i!tk*8;dcm1Aic z8Sf9BNubl+|9+zLy?c|wX)(vLd#veLQeaOdvs`f+V@cOc9(2WCm@dD+(`8W-Nz=>xMrq( zrp{sPpy0l1qLo@&NazLK27q3Z`sx0eTF1Z8PWR8${*cF}Bbh77#a8e41%y>2Y`t22|)EI$nt?X0nQzj#-6{(}WPf z@wSZ%r#U8t6N7BpeUS0-KVgOLvOqU@5Z~|c{5&;gWHSG;zdw5P9}CGIh+7Fe6Al(G zE)H`XXVxVSjLVRvzHu`}Ud;o{-|huy`+#mh6Al(GE)HVv%nUCK`4QN*I! zj}Na3TvK+0mF}PSRX8P6coR(0pv6XT^Im@U+@Op_)wNRh;1bK_@XxePmkN5?STF26 z7uM9EdBi;CxV}WKH!k7X$CuZ1T8OAM1nb3O&{HO|9B;;-4R~GLeu|pwQMf6quKIey zhtV_3BX-7Ld)N}1gN<@LZytOt*B?M!XxN^=6^?PQZOo#kKk0}d-AXPx_Gjp`sGz&Y z?NSWSDVpGxuINhMUfB(bZuPKDy6)?@v+L30KTwYJ6Rb@>Mq!X&Y0{bSWM?^(AEw7tyS*NsZ@Z*T*d|Y&{0}06pe=B}< zk;9_5-6tvx2L`UWpO{0+3bh&}C)t(AES`7ma}Ujc5-wsL7T#YPL`E_?M-J@Y4AZ`K ztWv`u(L8I=)LnAds%7)E=3kt1QAp9Gs$an?_=C7)4LbYrhrz+_=AK&Rp}aqrcUlgn zQ9|2HVcMr3P?E!qx|&jRdd}%CFYM{K(HI}6^J!7)$1WF{j=Lq!6-tb)JQDKK&0o!N z0S5h}*pK(Kn#?g3%-q$fIxn$|ZUqU;jK@m0>1KSq3(Mfr4X#lX2|s+4ux z>N=M?8fiBZoKT>ht9ZX{s=+82(d@yUNe24aYxlX~_@`XYeu|9u!z`?n96iYIW z+of96Y+m(B>elaaw=ITL%4U(VlNcJFXf&aon}fPRuIjypcy` zv9h@1R+{KST|PeEEI`iflJVf~+|L6$d*zV{%u{vhgr{n{k!9kys#Qa7uYG?QqN#j- zWl-|hovu&I>vq-Zd7N>Jvh0^HI#WetD7@&%wW#^FFn+6=yJn}Dp@f3BxYf7bZN{Hh z6dUgDjrh}$6m7F^OxfteW>1O+ME_1y&=8N%6nwACFAVK3IHui(2?4CP=4$Q ODW-;&208jp`~L;FEFlm8 literal 0 HcmV?d00001 diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index cbc6ee73c5..ab1e629231 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md @@ -17,17 +17,22 @@ author: greg-lindsay With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +X = unsupported
    +✔ (green) = supported; reboot required
    +✔ (blue) = supported; no reboot required. + |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | |-------|-----------|-----------------|----------------|-----------------|----------------|--------| -| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) | -| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) | -| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | -| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | +| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) | +| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) | +| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | +| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | | Purchasing a license from the Windows Store |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) | -**Note**
    Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods. +>**Note**: Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907). From 1068f8cb4de395a7b269bf79799d149a0d2cca64 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 13:50:09 -0700 Subject: [PATCH 53/59] Updated to include WIP changes --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 13dd970533..9ffa767e4b 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated various topics throughout this section for new name and new UI in Microsoft Intune and System Center Configuration Manager. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New | From c5d0d6421319802a14786baf75ecc446f481431b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 13:52:44 -0700 Subject: [PATCH 54/59] Updated to include new os support --- browsers/edge/change-history-for-microsoft-edge.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index b7f837c69b..8295d7bbd5 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -11,6 +11,11 @@ This topic lists new and updated topics in the Microsoft Edge documentation for For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/). +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) | + ## June 2016 |New or changed topic | Description | From f9f1a26c0770241501f408347766f2d0c9ac7800 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 13:59:33 -0700 Subject: [PATCH 55/59] Fixed references from EDP to WIP --- windows/keep-secure/enlightened-microsoft-apps-and-wip.md | 2 +- windows/keep-secure/protect-enterprise-data-using-wip.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md index 95b0cbd677..33d2044176 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md @@ -1,5 +1,5 @@ --- -title: List of enlightened Microsoft apps for use with Windows Information Protection(WIP) (Windows 10) +title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 18a94c54b1..a2e1d5ffd9 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -18,7 +18,7 @@ author: eross-msft With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. -Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. ## Prerequisites You’ll need this software to run WIP in your enterprise: @@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise: |Windows 10, version 1607 | Microsoft Intune
    -OR-
    System Center Configuration Manager
    -OR-
    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| ## How WIP works -EDP helps address your everyday challenges in the enterprise. Including: +WIP helps address your everyday challenges in the enterprise. Including: - Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. @@ -46,7 +46,7 @@ You can set WIP to 1 of 4 protection and management modes: |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. | +|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. |

    **Note**
    For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. ## Why use WIP? From 052d609933aa0ee36b0b604824d7bb1b80b02f46 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Jul 2016 14:06:19 -0700 Subject: [PATCH 56/59] Updated incorrect image --- windows/keep-secure/create-vpn-and-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md index 4cd28d1adc..2a00c62a6d 100644 --- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md @@ -80,7 +80,7 @@ The final step to making your VPN configuration work with WIP, is to link your t 3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png) + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) 4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info. From ed816c18bb11ad2031d27f9d40d491cdb6ec911a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 28 Jul 2016 14:12:31 -0700 Subject: [PATCH 57/59] fix typo --- education/windows/windows-editions-for-education-customers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 5b0d194629..9eccc9be96 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -30,7 +30,7 @@ Existing devices running Windows 10 Pro, currently activated with the original O Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), available at a later date. -Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [MManage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. +Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. ## Windows 10 Education From bcafff5b7e8e95348d7920d77e2d98761b57b8d7 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Jul 2016 14:13:38 -0700 Subject: [PATCH 58/59] updates from techreview --- .../app-inventory-management-windows-store-for-business.md | 2 +- .../manage/roles-and-permissions-windows-store-for-business.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md index 7d5d242912..2472c4a967 100644 --- a/windows/manage/app-inventory-management-windows-store-for-business.md +++ b/windows/manage/app-inventory-management-windows-store-for-business.md @@ -19,7 +19,7 @@ author: TrudyHa You can manage all apps that you've acquired on your **Inventory** page. -The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). +The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses. diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md index 6cdeba16db..9542529fbe 100644 --- a/windows/manage/roles-and-permissions-windows-store-for-business.md +++ b/windows/manage/roles-and-permissions-windows-store-for-business.md @@ -97,7 +97,7 @@ This table lists the global user accounts and the permissions they have in the S ### Store for Business roles and permissions -Store for Businesshas a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business. +Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business. This table lists the roles and their permissions. From 5fe01fab0cd7cb1ec91ea0d6bf307242127665b7 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 28 Jul 2016 17:22:17 -0700 Subject: [PATCH 59/59] added link at bottom --- windows/plan/windows-10-servicing-options.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 6ac55f7ffc..de610fd342 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md @@ -72,6 +72,7 @@ Windows 10 enables organizations to fulfill the desire to provide users with the ## Related topics +[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
    [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
    [Windows 10 compatibility](windows-10-compatibility.md)
    [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) \ No newline at end of file