From 80a4d5bfe4edf99e72c39aa3b01f06e9e6375a7d Mon Sep 17 00:00:00 2001 From: schmurky Date: Wed, 21 Oct 2020 17:33:29 +0800 Subject: [PATCH 01/44] Replace for json --- .../microsoft-defender-atp/linux-support-perf.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 8390f37105..44a7b84113 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -32,7 +32,7 @@ This article provides some general steps that can be used to narrow down perform Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. -Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux. +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues. The following steps can be used to troubleshoot and mitigate these issues: @@ -54,7 +54,7 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > This feature is available in version 100.90.70 or newer. - This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: + This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: ```bash mdatp config real-time-protection-statistics --value enabled @@ -78,8 +78,10 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs ``` + > [!NOTE] + > Adding ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). @@ -88,6 +90,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues +5. Re-enable real-time protection. - For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From 397c7a4c475b6cd473c33ad90e6f64837ff699b2 Mon Sep 17 00:00:00 2001 From: schmurky Date: Wed, 21 Oct 2020 17:37:59 +0800 Subject: [PATCH 02/44] Replace add with use --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 44a7b84113..d9b56bf731 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -81,7 +81,7 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs ``` > [!NOTE] - > Adding ```--output json``` (note the double dash) ensures that the output format is ready for parsing. + > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From cc82b538cccd6c73a28ff5bb36f550a411628a51 Mon Sep 17 00:00:00 2001 From: schmurky Date: Thu, 22 Oct 2020 17:34:09 +0800 Subject: [PATCH 03/44] More details --- .../linux-support-perf.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index d9b56bf731..2e16c94605 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -83,14 +83,23 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + The output of this command will show all processes and their associated scan activity. +3. You can then run a script to parse the output. + + To do this, in your Windows system, create a folder in ```C:\temp\High_CPU_util_parser_for_Linux```. + + Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. + + You can then use this sample Powershell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. + + Run the Powershell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues 5. Re-enable real-time protection. - For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + From f2ff564c5c96e7f01321988d4fb0c3971e62e4ee Mon Sep 17 00:00:00 2001 From: schmurky Date: Thu, 22 Oct 2020 17:36:07 +0800 Subject: [PATCH 04/44] PowerShell caps --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 2e16c94605..f52e335011 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -91,9 +91,9 @@ The following steps can be used to troubleshoot and mitigate these issues: Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. - You can then use this sample Powershell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. + You can then use this sample PowerShell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. - Run the Powershell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + Run the PowerShell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. From 6173545dcd0d34dcadf1393c4e10b329f4b0db38 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 5 Nov 2020 13:15:13 -0800 Subject: [PATCH 05/44] Added ADMX_ControlPanel policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 4 + .../policy-configuration-service-provider.md | 19 +- .../mdm/policy-csp-admx-controlpanel.md | 362 ++++++++++++++++++ 4 files changed, 385 insertions(+), 1 deletion(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-controlpanel.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 8ff993ef33..9bb975d40f 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -177,6 +177,7 @@ #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) +#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a26052c419..1e7cd9e0e9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -42,6 +42,10 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) +- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls) +- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) +- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) +- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 475eff78fd..b89a460193 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -245,6 +245,24 @@ The following diagram shows the Policy configuration service provider in tree fo + +### ADMX_ControlPanel policies + +
+
+ ADMX_ControlPanel/DisallowCpls +
+
+ ADMX_ControlPanel/ForceClassicControlPanel +
+
+ ADMX_ControlPanel/NoControlPanel +
+
+ ADMX_ControlPanel/RestrictCpls +
+
+ ### ADMX_Cpls policies
@@ -262,7 +280,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- ### ADMX_CtrlAltDel policies
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md new file mode 100644 index 0000000000..8ae99cefe3 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -0,0 +1,362 @@ +--- +title: Policy CSP - ADMX_ControlPanel +description: Policy CSP - ADMX_ControlPanel +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanel +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ControlPanel policies + +
+
+ ADMX_ControlPanel/DisallowCpls +
+
+ ADMX_ControlPanel/ForceClassicControlPanel +
+
+ ADMX_ControlPanel/NoControlPanel +
+
+ ADMX_ControlPanel/RestrictCpls +
+
+ + +
+ + +**ADMX_ControlPanel/DisallowCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. + +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide specified Control Panel items* +- GP name: *DisallowCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ + +**ADMX_ControlPanel/ForceClassicControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. + +If this policy setting is enabled, the Control Panel opens to the icon view. + +If this policy setting is disabled, the Control Panel opens to the category view. + +If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. + +> [!NOTE] +> Icon size is dependent upon what the user has set it to in the previous session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always open All Control Panel Items when opening Control Panel* +- GP name: *ForceClassicControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ + +**ADMX_ControlPanel/NoControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. + +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. + +This setting removes Control Panel from: + +- The Start screen +- File Explorer + +This setting removes PC settings from: + +- The Start screen +- Settings charm +- Account picture +- Search results + +If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to Control Panel and PC settings* +- GP name: *NoControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ + +**ADMX_ControlPanel/RestrictCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show only specified Control Panel items* +- GP name: *RestrictCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From 3d0264c4c5678927c8690d44141efaf9bfb699f4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 5 Nov 2020 15:26:41 -0800 Subject: [PATCH 06/44] Added ADMX_ControlPanelDisplay policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 24 + .../policy-configuration-service-provider.md | 77 + .../policy-csp-admx-controlpaneldisplay.md | 1825 +++++++++++++++++ 4 files changed, 1927 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 9bb975d40f..6fa7869867 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -178,6 +178,7 @@ #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) #### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 1e7cd9e0e9..e375180809 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -46,6 +46,30 @@ ms.date: 10/08/2020 - [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) - [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) - [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) +- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable) +- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b89a460193..ce9320d5bb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -263,6 +263,83 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_ControlPanelDisplay policies + +
+
+ ADMX_ControlPanelDisplay/CPL_Display_Disable +
+
+ ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
+
+ ### ADMX_Cpls policies
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md new file mode 100644 index 0000000000..48dc02d6db --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -0,0 +1,1825 @@ +--- +title: Policy CSP - ADMX_ControlPanelDisplay +description: Policy CSP - ADMX_ControlPanelDisplay +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanelDisplay +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ControlPanelDisplay policies + +
+
+ ADMX_ControlPanelDisplay/CPL_Display_Disable +
+
+ ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
+
+ + +
+ + +**ADMX_ControlPanelDisplay/CPL_Display_Disable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. + +If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. + +Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable the Display Control Panel* +- GP name: *CPL_Display_Disable* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Display_HideSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Settings tab* +- GP name: *CPL_Display_HideSettings* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. + +If you enable this setting, a user cannot change the color scheme of the current desktop theme. + +If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. + +For Windows 7 and later, use the "Prevent changing color and appearance" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color scheme* +- GP name: *CPL_Personalization_DisableColorSchemeChoice* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. + +If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). + +If you disable or do not configure this setting, there is no effect. + +> [!NOTE] +> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing theme* +- GP name: *CPL_Personalization_DisableThemeChange* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. + +When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. + +When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing visual style for windows and buttons* +- GP name: *CPL_Personalization_DisableVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. + +If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. + +If you do not configure it, this setting has no effect on the system. + +If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. + +Also, see the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable screen saver* +- GP name: *CPL_Personalization_EnableScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. + +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). + +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. + +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. + +Note: This setting only applies to Enterprise, Education, and Server SKUs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific default lock screen and logon image* +- GP name: *CPL_Personalization_ForceDefaultLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. + +If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. + +If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit selection of visual style font size* +- GP name: *CPL_Personalization_LockFontSize* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. + +By default, users can change the background image shown when the machine is locked or displaying the logon screen. + +If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing lock screen and logon image* +- GP name: *CPL_Personalization_NoChangingLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. + +By default, users can change the look of their start menu background, such as its color or accent. + +If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. + +If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. + +If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing start menu background* +- GP name: *CPL_Personalization_NoChangingStartMenuBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. + +This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. + +If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. + +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color and appearance* +- GP name: *CPL_Personalization_NoColorAppearanceUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. + +By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. + +If you enable this setting, none of the Desktop Background settings can be changed by the user. + +To specify wallpaper for a group, use the "Desktop Wallpaper" setting. + +Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. + +Also, see the "Allow only bitmapped wallpaper" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop background* +- GP name: *CPL_Personalization_NoDesktopBackgroundUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. + +By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. + +If you enable this setting, none of the desktop icons can be changed by the user. + +For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop icons* +- GP name: *CPL_Personalization_NoDesktopIconsUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. + +If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + +If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the lock screen* +- GP name: *CPL_Personalization_NoLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers. + +By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. + +If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing mouse pointers* +- GP name: *CPL_Personalization_NoMousePointersUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing screen saver* +- GP name: *CPL_Personalization_NoScreenSaverUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. + +By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. + +If you enable this setting, none of the Sound Scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing sounds* +- GP name: *CPL_Personalization_NoSoundSchemeUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +By default, users can change the background and accent colors. + +If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific background and accent color* +- GP name: *CPL_Personalization_PersonalColors* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. + +If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. + +This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. + +If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. + +To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. + +> [!NOTE] +> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Password protect the screen saver* +- GP name: *CPL_Personalization_ScreenSaverIsSecure* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. + +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. + +This setting has no effect under any of the following circumstances: + +- The setting is disabled or not configured. + +- The wait time is set to zero. + +- The "Enable Screen Saver" setting is disabled. + +- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. + +When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Screen saver timeout* +- GP name: *CPL_Personalization_ScreenSaverTimeOut* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. + +If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. + +If you disable this setting or do not configure it, users can select any screen saver. + +If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. + +If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. + +> [!NOTE] +> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force specific screen saver* +- GP name: *CPL_Personalization_SetScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. + +If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. + +If you disable or do not configure this setting, the default theme will be applied at the first logon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Load a specific theme* +- GP name: *CPL_Personalization_SetTheme* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. + +This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). + +If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. + +If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). + +> [!NOTE] +> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. +> +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. +> +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific visual style file or force Windows Classic* +- GP name: *CPL_Personalization_SetVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + +If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific Start background* +- GP name: *CPL_Personalization_StartBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From fbc71af39349926c3d17d714dd0111e8ce728dc1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 9 Nov 2020 16:28:34 -0800 Subject: [PATCH 07/44] Added winlogon and activexinstallservice policies --- windows/client-management/mdm/TOC.md | 2 + .../mdm/policies-in-policy-csp-admx-backed.md | 9 +- .../policy-configuration-service-provider.md | 31 ++ .../policy-csp-admx-activexinstallservice.md | 119 +++++ .../mdm/policy-csp-admx-winlogon.md | 493 ++++++++++++++++++ 5 files changed, 653 insertions(+), 1 deletion(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-activexinstallservice.md create mode 100644 windows/client-management/mdm/policy-csp-admx-winlogon.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index f2de6e5ef5..c5af7336e3 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -172,6 +172,7 @@ #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) @@ -233,6 +234,7 @@ #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) #### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_WinLogon](policy-csp-admx-winlogon.md) #### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 1ce31e59ba..4215e9c6ec 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -21,7 +21,8 @@ ms.date: 10/08/2020 > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) +- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies) +- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) - [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) - [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) - [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) @@ -819,6 +820,12 @@ ms.date: 10/08/2020 - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) +- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell) +- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription) +- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription) +- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription) +- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription) +- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration) - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) - [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 70d9a769a7..bd0661bf3e 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -168,6 +168,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_ActiveXInstallService policies + +
+
+ ADMX_ActiveXInstallService/AxISURLZonePolicies +
+
+ ### ADMX_AddRemovePrograms policies
@@ -2852,6 +2860,29 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WinLogon policies + +
+
+ ADMX_WinLogon/CustomShell +
+
+ ADMX_WinLogon/DisplayLastLogonInfoDescription +
+
+ ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
+
+ ADMX_WinLogon/LogonHoursPolicyDescription +
+
+ ADMX_WinLogon/ReportCachedLogonPolicyDescription +
+
+ ADMX_WinLogon/SoftwareSASGeneration +
+
+ ### ADMX_wlansvc policies
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md new file mode 100644 index 0000000000..38d15714d4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -0,0 +1,119 @@ +--- +title: Policy CSP - ADMX_ActiveXInstallService +description: Policy CSP - ADMX_ActiveXInstallService +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ActiveXInstallService +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ActiveXInstallService policies + +
+
+ ADMX_ActiveXInstallService/AxISURLZonePolicies +
+
+ + +
+ + +**ADMX_ActiveXInstallService/AxISURLZonePolicies** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. + +If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. + +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. + +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Establish ActiveX installation policy for sites in Trusted zones* +- GP name: *AxISURLZonePolicies* +- GP path: *Windows Components\ActiveX Installer Service* +- GP ADMX file name: *ActiveXInstallService.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md new file mode 100644 index 0000000000..26187fd26d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -0,0 +1,493 @@ +--- +title: Policy CSP - ADMX_WinLogon +description: Policy CSP - ADMX_WinLogon +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WinLogon +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WinLogon policies + +
+
+ ADMX_WinLogon/CustomShell +
+
+ ADMX_WinLogon/DisplayLastLogonInfoDescription +
+
+ ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
+
+ ADMX_WinLogon/LogonHoursPolicyDescription +
+
+ ADMX_WinLogon/ReportCachedLogonPolicyDescription +
+
+ ADMX_WinLogon/SoftwareSASGeneration +
+
+ + +
+ + +**ADMX_WinLogon/CustomShell** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. + +If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. + +If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. + +> [!TIP] +> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom User Interface* +- GP name: *CustomShell* +- GP path: *System* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/DisplayLastLogonInfoDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. + +For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. + +For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. + +If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display information about previous logons during user logon* +- GP name: *DisplayLastLogonInfoDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + + +**ADMX_WinLogon/LogonHoursNotificationPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. + +If you enable this setting, warnings are not displayed to the user before the logon hours expire. + +If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove logon hours expiration warnings* +- GP name: *LogonHoursNotificationPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/LogonHoursPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. + +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. + +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s logon hours expire. + +If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set action to take when logon hours expire* +- GP name: *LogonHoursPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/ReportCachedLogonPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. + +If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. + +If disabled or not configured, no popup will be displayed to the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report when logon server was not available during user logon* +- GP name: *ReportCachedLogonPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/SoftwareSASGeneration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). + +If you enable this policy setting, you have one of four options: + +- If you set this policy setting to "None," user mode software cannot simulate the SAS. +- If you set this policy setting to "Services," services can simulate the SAS. +- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. +- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. + +If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable or enable software Secure Attention Sequence* +- GP name: *SoftwareSASGeneration* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From cfa3a8f9972cb33abc1b2c0ec05a7c0520f681b1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 10 Nov 2020 12:13:12 -0800 Subject: [PATCH 08/44] Added AppXRuntime and AppXPAckageManager policies --- windows/client-management/mdm/TOC.md | 2 + .../mdm/policies-in-policy-csp-admx-backed.md | 5 + .../policy-configuration-service-provider.md | 25 ++ .../mdm/policy-csp-admx-appxpackagemanager.md | 120 +++++++ .../mdm/policy-csp-admx-appxruntime.md | 338 ++++++++++++++++++ 5 files changed, 490 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md create mode 100644 windows/client-management/mdm/policy-csp-admx-appxruntime.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index c5af7336e3..60a0b0fc6f 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -175,6 +175,8 @@ #### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) +#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 4215e9c6ec..87d8c00b35 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -42,6 +42,11 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) +- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles) +- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules) +- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) +- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) +- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) - [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) - [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bd0661bf3e..515a332e40 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -245,6 +245,31 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AppxPackageManager policies + +
+
+ ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
+
+ +### ADMX_AppXRuntime policies + +
+
+ ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
+
+ ### ADMX_AuditSettings policies
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md new file mode 100644 index 0000000000..44f5d6b6f7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -0,0 +1,120 @@ +--- +title: Policy CSP - ADMX_AppxPackageManager +description: Policy CSP - ADMX_AppxPackageManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppxPackageManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AppxPackageManager policies + +
+
+ ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
+
+ + +
+ + +**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. + +Special profiles are the following user profiles, where changes are discarded after the user signs off: + +- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies +- Mandatory user profiles and super-mandatory profiles, which are created by an administrator +- Temporary user profiles, which are created when an error prevents the correct profile from loading +- User profiles for the Guest account and members of the Guests group + +If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. + +If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow deployment operations in special profiles* +- GP name: *AllowDeploymentInSpecialProfiles* +- GP path: *Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md new file mode 100644 index 0000000000..8dcf16d88f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -0,0 +1,338 @@ +--- +title: Policy CSP - ADMX_AppXRuntime +description: Policy CSP - ADMX_AppXRuntime +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppXRuntime +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AppXRuntime policies + +
+
+ ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
+
+ + +
+ + +**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. + +If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. + +If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on dynamic Content URI Rules for Windows store apps* +- GP name: *AppxRuntimeApplicationContentUriRules* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ + +**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. + +If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a file.* +- GP name: *AppxRuntimeBlockFileElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ + +**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. + +If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. + +If you disable or do not configure this policy setting, all Universal Windows apps can be launched. + +> [!WARNING] +> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.* +- GP name: *AppxRuntimeBlockHostedAppAccessWinRT* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ + +**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. + +> [!NOTE] +> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a URI scheme* +- GP name: *AppxRuntimeBlockProtocolElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From ed82ef3409f4fc9c9608fdaac7c4bdd10b004b85 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 10 Nov 2020 13:44:29 -0800 Subject: [PATCH 09/44] Added AttachementManager policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 5 + .../policy-configuration-service-provider.md | 20 + .../mdm/policy-csp-admx-attachmentmanager.md | 422 ++++++++++++++++++ 4 files changed, 448 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-attachmentmanager.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 60a0b0fc6f..4ae9979e4c 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -177,6 +177,7 @@ #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) #### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 87d8c00b35..f8ae27ab30 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -47,6 +47,11 @@ ms.date: 10/08/2020 - [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) - [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) - [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) +- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk) +- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel) +- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion) +- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion) +- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) - [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) - [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 515a332e40..3fac6f18b7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -270,6 +270,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AttachmentManager policies + +
+
+ ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
+
+ ADMX_AttachmentManager/AM_SetFileRiskLevel +
+
+ ADMX_AttachmentManager/AM_SetHighRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetLowRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetModRiskInclusion +
+
+ ### ADMX_AuditSettings policies
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md new file mode 100644 index 0000000000..e43001ae9c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -0,0 +1,422 @@ +--- +title: Policy CSP - ADMX_AttachmentManager +description: Policy CSP - ADMX_AttachmentManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AttachmentManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AttachmentManager policies + +
+
+ ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
+
+ ADMX_AttachmentManager/AM_SetFileRiskLevel +
+
+ ADMX_AttachmentManager/AM_SetHighRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetLowRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetModRiskInclusion +
+
+ + +
+ + +**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. + +Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. + +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. + +If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. + +If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + +If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Trust logic for file attachments* +- GP name: *AM_EstimateFileHandlerRisk* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetFileRiskLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. + +High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. + +Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. + +Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. + +If you enable this policy setting, you can specify the default risk level for file types. + +If you disable this policy setting, Windows sets the default risk level to moderate. + +If you do not configure this policy setting, Windows sets the default risk level to moderate. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default risk level for file attachments* +- GP name: *AM_SetFileRiskLevel* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetHighRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can create a custom list of high-risk file types. + +If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. + +If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for high risk file types* +- GP name: *AM_SetHighRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetLowRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types that pose a low risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for low file types* +- GP name: *AM_SetLowRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetModRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types which pose a moderate risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for moderate risk file types* +- GP name: *AM_SetModRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From 488913f75e7cf65ba68596ab3ce94631f70dfbcb Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 11 Nov 2020 15:47:15 -0800 Subject: [PATCH 10/44] Added new policies --- windows/client-management/mdm/TOC.md | 3 + .../mdm/policies-in-policy-csp-admx-backed.md | 32 + .../policy-configuration-service-provider.md | 111 + .../policy-csp-admx-credentialproviders.md | 412 ++++ .../mdm/policy-csp-admx-credui.md | 185 ++ .../mdm/policy-csp-admx-userprofiles.md | 1997 +++++++++++++++++ 6 files changed, 2740 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-credentialproviders.md create mode 100644 windows/client-management/mdm/policy-csp-admx-credui.md create mode 100644 windows/client-management/mdm/policy-csp-admx-userprofiles.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 4ae9979e4c..19328d6086 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -185,6 +185,8 @@ #### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) #### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) +#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +#### [ADMX_CredUI](policy-csp-admx-credui.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) #### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) @@ -227,6 +229,7 @@ #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) #### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index f8ae27ab30..d9c44122bd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -100,6 +100,13 @@ ms.date: 10/08/2020 - [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) - [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) +- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) +- [ADMX_CredentialProviders/AllowSecurityKeySignIn](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowsecuritykeysignin) +- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) +- [ADMX_CredentialProviders/DefaultLogonDomain](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultlogondomain) +- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) +- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) +- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) @@ -716,6 +723,31 @@ ms.date: 10/08/2020 - [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) - [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) - [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) +- [ADMX_UserProfiles/AddAdminGroupToRUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-addadmingrouptorup) +- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) +- [ADMX_UserProfiles/CompatibleRUPSecurity](./policy-csp-admx-userprofiles.md#admx-userprofiles-compatiblerupsecurity) +- [ADMX_UserProfiles/Connect_HomeDir_ToRoot](./policy-csp-admx-userprofiles.md#admx-userprofiles-connect-homedir-toroot) +- [ADMX_UserProfiles/CscSuspendDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-cscsuspenddirectories) +- [ADMX_UserProfiles/DeleteRoamingCachedProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-deleteroamingcachedprofiles) +- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) +- [ADMX_UserProfiles/EnableSlowLinkDetect](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkdetect) +- [ADMX_UserProfiles/EnableSlowLinkUI](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkui) +- [ADMX_UserProfiles/ExcludeDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-excludedirectories) +- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) +- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) +- [ADMX_UserProfiles/LocalProfile](./policy-csp-admx-userprofiles.md#admx-userprofiles-localprofile) +- [ADMX_UserProfiles/MachineProfilePath](./policy-csp-admx-userprofiles.md#admx-userprofiles-machineprofilepath) +- [ADMX_UserProfiles/PrimaryComputer_RUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-primarycomputer-rup) +- [ADMX_UserProfiles/ProfileDlgTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-profiledlgtimeout) +- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) +- [ADMX_UserProfiles/ProfileUnloadTimeout](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileunloadtimeout) +- [ADMX_UserProfiles/Readonlyuserprofile](./policy-csp-admx-userprofiles.md#admx-userprofiles-readonlyuserprofile) +- [ADMX_UserProfiles/SlowLinkDefault](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinkdefault) +- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) +- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) +- [ADMX_UserProfiles/UploadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-uploadhive) +- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) +- [ADMX_UserProfiles/WaitForNetwork](./policy-csp-admx-userprofiles.md#admx-userprofiles-waitfornetwork) - [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 3fac6f18b7..c4ea4193bf 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -479,6 +479,37 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_CredentialProviders policies + +
+
+ ADMX_CredentialProviders/AllowDomainDelayLock +
+
+ ADMX_CredentialProviders/AllowSecurityKeySignIn +
+
+ ADMX_CredentialProviders/DefaultCredentialProvider +
+
+ ADMX_CredentialProviders/DefaultLogonDomain +
+
+ ADMX_CredentialProviders/ExcludedCredentialProviders +
+
+ +### ADMX_CredUI policies + +
+
+ ADMX_CredUI/EnableSecureCredentialPrompting +
+
+ ADMX_CredUI/NoLocalPasswordResetQuestions +
+
+ ### ADMX_CtrlAltDel policies
@@ -2512,6 +2543,86 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_UserProfiles policies + +
+
+ ADMX_UserProfiles/AddAdminGroupToRUP +
+
+ ADMX_UserProfiles/CleanupProfiles +
+
+ ADMX_UserProfiles/CompatibleRUPSecurity +
+
+ ADMX_UserProfiles/Connect_HomeDir_ToRoot +
+
+ ADMX_UserProfiles/CscSuspendDirectories +
+
+ ADMX_UserProfiles/DeleteRoamingCachedProfiles +
+
+ ADMX_UserProfiles/DontForceUnloadHive +
+
+ ADMX_UserProfiles/EnableSlowLinkDetect +
+
+ ADMX_UserProfiles/EnableSlowLinkUI +
+
+ ADMX_UserProfiles/ExcludeDirectories +
+
+ ADMX_UserProfiles/LeaveAppMgmtData +
+
+ ADMX_UserProfiles/LimitSize +
+
+ ADMX_UserProfiles/LocalProfile +
+
+ ADMX_UserProfiles/MachineProfilePath +
+
+ ADMX_UserProfiles/PrimaryComputer_RUP +
+
+ ADMX_UserProfiles/ProfileDlgTimeOut +
+
+ ADMX_UserProfiles/ProfileErrorAction +
+
+ ADMX_UserProfiles/ProfileUnloadTimeout +
+
+ ADMX_UserProfiles/Readonlyuserprofile +
+
+ ADMX_UserProfiles/SlowLinkDefault +
+
+ ADMX_UserProfiles/SlowLinkTimeOut +
+
+ ADMX_UserProfiles/USER_HOME +
+
+ ADMX_UserProfiles/UploadHive +
+
+ ADMX_UserProfiles/UserInfoAccessAction +
+
+ ADMX_UserProfiles/WaitForNetwork +
+
+ ### ADMX_W32Time policies
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md new file mode 100644 index 0000000000..f01336f9ad --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -0,0 +1,412 @@ +--- +title: Policy CSP - ADMX_CredentialProviders +description: Policy CSP - ADMX_CredentialProviders +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredentialProviders +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_CredentialProviders policies + +
+
+ ADMX_CredentialProviders/AllowDomainDelayLock +
+
+ ADMX_CredentialProviders/AllowSecurityKeySignIn +
+
+ ADMX_CredentialProviders/DefaultCredentialProvider +
+
+ ADMX_CredentialProviders/DefaultLogonDomain +
+
+ ADMX_CredentialProviders/ExcludedCredentialProviders +
+
+ + +
+ + +**ADMX_CredentialProviders/AllowDomainDelayLock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. + +If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + +If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to select when a password is required when resuming from connected standby* +- GP name: *AllowDomainDelayLock* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/AllowSecurityKeySignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether users can sign in using external security keys. + +If you enable this policy setting, users can sign in with external security keys. + +If you disable or don't configure this policy setting, users can't sign in with external security keys. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on security key sign-in* +- GP name: *AllowSecurityKeySignIn* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/DefaultCredentialProvider** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. + +If you enable this policy setting, the specified credential provider is selected on other user tile. + +If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. + +> [!NOTE] +> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Assign a default credential provider* +- GP name: *DefaultCredentialProvider* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/DefaultLogonDomain** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. + +If you enable this policy setting, the default logon domain is set to the specified domain, which might be different than the domain to which the computer is joined. + +If you disable or do not configure this policy setting, the default logon domain is always set to the domain to which the computer is joined. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Assign a default domain for logon* +- GP name: *DefaultLogonDomain* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/ExcludedCredentialProviders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + +> [!NOTE] +> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). + +If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. + +If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude credential providers* +- GP name: *ExcludedCredentialProviders* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md new file mode 100644 index 0000000000..9247d038a8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_CredUI +description: Policy CSP - ADMX_CredUI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredUI +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_CredUI policies + +
+
+ ADMX_CredUI/EnableSecureCredentialPrompting +
+
+ ADMX_CredUI/NoLocalPasswordResetQuestions +
+
+ + +
+ + +**ADMX_CredUI/EnableSecureCredentialPrompting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. + +> [!NOTE] +> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. + +If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. + +If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require trusted path for credential entry* +- GP name: *EnableSecureCredentialPrompting* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
+ + +**ADMX_CredUI/NoLocalPasswordResetQuestions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent the use of security questions for local accounts* +- GP name: *NoLocalPasswordResetQuestions* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md new file mode 100644 index 0000000000..66677dde93 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -0,0 +1,1997 @@ +--- +title: Policy CSP - ADMX_UserProfiles +description: Policy CSP - ADMX_UserProfiles +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_UserProfiles +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_UserProfiles policies + +
+
+ ADMX_UserProfiles/AddAdminGroupToRUP +
+
+ ADMX_UserProfiles/CleanupProfiles +
+
+ ADMX_UserProfiles/CompatibleRUPSecurity +
+
+ ADMX_UserProfiles/Connect_HomeDir_ToRoot +
+
+ ADMX_UserProfiles/CscSuspendDirectories +
+
+ ADMX_UserProfiles/DeleteRoamingCachedProfiles +
+
+ ADMX_UserProfiles/DontForceUnloadHive +
+
+ ADMX_UserProfiles/EnableSlowLinkDetect +
+
+ ADMX_UserProfiles/EnableSlowLinkUI +
+
+ ADMX_UserProfiles/ExcludeDirectories +
+
+ ADMX_UserProfiles/LeaveAppMgmtData +
+
+ ADMX_UserProfiles/LimitSize +
+
+ ADMX_UserProfiles/LocalProfile +
+
+ ADMX_UserProfiles/MachineProfilePath +
+
+ ADMX_UserProfiles/PrimaryComputer_RUP +
+
+ ADMX_UserProfiles/ProfileDlgTimeOut +
+
+ ADMX_UserProfiles/ProfileErrorAction +
+
+ ADMX_UserProfiles/ProfileUnloadTimeout +
+
+ ADMX_UserProfiles/Readonlyuserprofile +
+
+ ADMX_UserProfiles/SlowLinkDefault +
+
+ ADMX_UserProfiles/SlowLinkTimeOut +
+
+ ADMX_UserProfiles/USER_HOME +
+
+ ADMX_UserProfiles/UploadHive +
+
+ ADMX_UserProfiles/UserInfoAccessAction +
+
+ ADMX_UserProfiles/WaitForNetwork +
+
+ + +
+ + +**ADMX_UserProfiles/AddAdminGroupToRUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting adds the Administrator security group to the roaming user profile share. + +Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. + +For the Windows XP Professional and Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the administrators group. + +By configuring this policy setting, you can alter this behavior. + +If you enable this policy setting, the administrator group is also given full control to the user's profile folder. + +If you disable or do not configure this policy setting, only the user is given full control of their user profile, and the administrators group has no file system access to this folder. + +> [!NOTE] +> If the policy setting is enabled after the profile is created, the policy setting has no effect. +> +> The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. +> +> In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions. +> +> The behavior when this policy setting is enabled is exactly the same behavior as in Windows NT 4.0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add the Administrators security group to roaming user profiles* +- GP name: *AddAdminGroupToRUP* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/CleanupProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. + +If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. + +If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Delete user profiles older than a specified number of days on system restart* +- GP name: *CleanupProfiles* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/CompatibleRUPSecurity** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the more secure default setting for the user's roaming user profile folder. + +After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. + +For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions if the profile folder already exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct. + +By configuring this policy setting, you can alter this behavior. + +If you enable this policy setting Windows will not check the permissions for the folder in the case where the folder exists. + +If you disable or do not configure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user's cached profile will be used, or a temporary profile issued if no cached profile exists. + +> [!NOTE] +> The policy setting must be configured on the client computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile at creation time. +> +> The behavior when this policy setting is enabled is exactly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not check for user ownership of Roaming Profile Folders* +- GP name: *CompatibleRUPSecurity* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/Connect_HomeDir_ToRoot** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote directory. + +If you enable this policy setting, the system uses the Windows NT 4.0 definitions. %HOMESHARE% stores only the network share (such as \\\server\share). %HOMEPATH% stores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result, users can access any directory on the home share by using the home directory drive letter. + +If you disable or do not configure this policy setting, the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully qualified path to the home directory (such as \\\\server\share\dir1\dir2\homedir). Users can access the home directory and any of its subdirectories from the home drive letter, but they cannot see or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Connect home directory to root of the share* +- GP name: *Connect_HomeDir_ToRoot* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/CscSuspendDirectories** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection, to help resolve issues with applications that do not work well with Offline Files while the user is online. + +If you enable this policy setting, the network paths specified in this policy setting will be synchronized only by Offline Files during user logon and logoff, and will be taken offline while the user is logged on. + +If you disable or do not configure this policy setting, the paths specified in this policy setting will behave like any other cached data via Offline Files and continue to remain online while the user is logged on, if the network paths are accessible. + +> [!NOTE] +> You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming, Start Menu, and Documents. You should suspend only the subfolders of these parent folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify network directories to sync at logon/logoff time only* +- GP name: *CscSuspendDirectories* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/DeleteRoamingCachedProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. + +Roaming profiles reside on a network server. By default, when users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load. + +If you enable this policy setting, any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile still remains on the network server that stores it. + +If you disable or do not configure this policy setting, Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. + +> [!IMPORTANT] +> Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link, the system requires a local copy of the user's roaming profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Delete cached copies of roaming profiles* +- GP name: *DeleteRoamingCachedProfiles* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/DontForceUnloadHive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. + +Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. + +If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. + +If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not forcefully unload the users registry at user logoff* +- GP name: *DontForceUnloadHive* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/EnableSlowLinkDetect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the detection of slow network connections. + +Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related policy settings in this folder tell the computer how to respond. + +If you enable this policy setting, the system does not detect slow connections or recognize any connections as being slow. As a result, the system does not respond to slow connections to user profiles, and it ignores the policy settings that tell the system how to respond to a slow connection. + +If you disable this policy setting or do not configure it, slow link detection is enabled. The system measures the speed of the connection between the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout for user profiles" policy setting), the system applies the other policy settings set in this folder to determine how to proceed. By default, when the connection is slow, the system loads the local copy of the user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable detection of slow network connections* +- GP name: *EnableSlowLinkDetect* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/EnableSlowLinkUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting provides users with the ability to download their roaming profile, even when a slow network connection with their roaming profile server is detected. + +If you enable this policy setting, users will be allowed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is detected. + +In operating systems earlier than Microsoft Windows Vista, a dialog box will be shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote copy of the user profile. In Microsoft Windows Vista, a check box appears on the logon screen and the user must choose whether to download the remote user profile before Windows detects the network connection speed. + +If you disable or do not configure this policy setting, the system does not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" policy setting, the system downloads the remote copy of the user profile without consulting the user. In Microsoft Windows Vista, the system will ignore the user choice made on the logon screen. + +> [!NOTE] +> This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier than Microsoft Windows Vista, use the "Timeout for dialog boxes" policy setting. + +> [!IMPORTANT] +> If the "Do not detect slow network connections" setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prompt user when a slow network connection is detected* +- GP name: *EnableSlowLinkUI* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ExcludeDirectories** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers. + +> [!NOTE] +> When excluding content from the profile you should try to exclude the narrowest set of data that will address your needs. For example, if there is one application with data that should not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\Roaming folder to the exclusion list. + +By default, the Appdata\Local and Appdata\LocalLow folders and all their subfolders such as the History, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile. + +In operating systems earlier than Microsoft Windows Vista, only the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile by default. + +If you enable this policy setting, you can exclude additional folders. + +If you disable this policy setting or do not configure it, only the default folders are excluded. + +> [!NOTE] +> You cannot use this policy setting to include the default folders in a roaming user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude directories in roaming profile* +- GP name: *ExcludeDirectories* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/LeaveAppMgmtData** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. + +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. + +If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. + +If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. + +> [!NOTE] +> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Leave Windows Installer and Group Policy Software Installation Data* +- GP name: *LeaveAppMgmtData* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/LimitSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +- Set a maximum permitted user profile size. +- Determine whether the registry files are included in the calculation of the profile size. +- Determine whether users are notified when the profile exceeds the permitted maximum size. +- Specify a customized message notifying users of the oversized profile. +- Determine how often the customized message is displayed. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit profile size* +- GP name: *LimitSize* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/LocalProfile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. + +Using the setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. + +If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. + +If you disable this setting or do not configure it, the default behavior occurs, as indicated above. + +If you enable both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting, roaming profiles are disabled. + +> [!NOTE] +> This setting only affects roaming profile users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Only allow local user profiles* +- GP name: *LocalProfile* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/MachineProfilePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all users logging onto this computer. + +To use this policy setting, type the path to the network share in the form \\\\Computername\Sharename\. It is recommended to use a path such as \\\\Computername\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile. + +If you enable this policy setting, all users logging on this computer will use the roaming profile path specified in this policy. + +If you disable or do not configure this policy setting, users logging on this computer will use their local profile or standard roaming user profile. + +> [!NOTE] +> There are four ways to configure a roaming profile for a user. Windows reads profile configuration in the following order and uses the first configured policy setting it reads. + +1. Terminal Services roaming profile path specified by Terminal Services policy +2. Terminal Services roaming profile path specified by the user object +3. A per-computer roaming profile path specified in this policy +4. A per-user roaming profile path specified in the user object + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set roaming profile path for all users logging onto this computer* +- GP name: *MachineProfilePath* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/PrimaryComputer_RUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. + +If you enable this policy setting and the user has a roaming profile, the roaming profile is downloaded on the user's primary computer only. + +If you disable or do not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Download roaming profiles on primary computers only* +- GP name: *PrimaryComputer_RUP* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ProfileDlgTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user profiles. + +The default user profile is applied when the user does not respond to messages explaining that any of the following events has occurred: + +- The system detects a slow connection between the user's computer and the server that stores users' roaming user profiles. +- The system cannot access users' server-based profiles when users log on or off. +- Users' local profiles are newer than their server-based profiles. + +If you enable this policy setting, you can override the amount of time Windows waits for user input before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the number of seconds Windows should wait for user input. The minumum value is 0 seconds, and the maximum is 600 seconds. + +If you disable or do not configure this policy setting, Windows waits 30 seconds for user input before applying the default user profile . + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Establish timeout value for dialog boxes* +- GP name: *ProfileDlgTimeOut* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ProfileErrorAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. + +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. + +If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. + +If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. + +Also, see the "Delete cached copies of roaming profiles" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not log users on with temporary profiles* +- GP name: *ProfileErrorAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ProfileUnloadTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. When the number of trials specified by this policy setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match. + +When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute). + +If you enable this policy setting, you can adjust the number of times the system tries to unload and update the user's registry settings. (You cannot adjust the retry rate.) + +If you disable this policy setting or do not configure it, the system repeats its attempt 60 times. + +If you set the number of retries to 0, the system tries just once to unload and update the user's registry settings. It does not try again. + +> [!NOTE] +> This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users' registry settings when they log off, the system's first few attempts to unload the user settings are more likely to fail. + +This policy setting does not affect the system's attempts to update the files in the user profile. + +> [!TIP] +> Consider increasing the number of retries specified in this policy setting if there are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile. + +Also, check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update the files in a user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum retries to unload and update user profile* +- GP name: *ProfileUnloadTimeout* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/Readonlyuserprofile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. + +By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. + +Using this policy setting, you can prevent changes made to a roaming profile on a particular computer from being persisted. + +If you enable this policy setting, changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off. + +If you disable or not configure this policy setting, the default behavior occurs, as indicated above. + +> [!NOTE] +> This policy setting only affects roaming profile users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Roaming Profile changes from propagating to the server* +- GP name: *Readonlyuserprofile* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/SlowLinkDefault** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed. + +This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. + +If you enable this policy setting, the system waits for the remote copy of the roaming user profile to load, even when loading is slow. + +If you disable this policy setting or do not configure it, when a remote profile is slow to load, the system loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when slow link is detected" policy setting), but does not respond in the time allowed (as set in the "Timeout for dialog boxes" policy setting). + +Waiting for the remote profile is appropriate when users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logging on is a priority. + +> [!IMPORTANT] +> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Wait for remote user profile* +- GP name: *SlowLinkDefault* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/SlowLinkTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. + +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined. + +This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. + +If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. + +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control slow network connection timeout for user profiles* +- GP name: *SlowLinkTimeOut* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/USER_HOME** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. + +If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. + +To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. + +Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. + +> [!NOTE] +> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. + +If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. + +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set user home folder* +- GP name: *USER_HOME* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/UploadHive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles are not be uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming user profile's registry file from being uploaded at user logoff. + +If "Run at set interval" is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows uploads the profile's registry file at the specified interval after the user logs on. For example, with a value of 6 hours, the registry file of the roaming user profile is uploaded to the server every six hours while the user is logged on. + +If "Run at specified time of day" is chosen, then a time of day must be specified. Once set, Windows uploads the registry file at the same time every day, as long as the user is logged on. + +For both scheduling options, there is a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the user's registry file is to be uploaded at 6pm, it will actually upload at a random time between 6pm and 7pm. + +> [!NOTE] +> If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise, if "Run at set time of day" is chosen, the "Interval (hours)" option is disregarded. + +If you enable this policy setting, Windows uploads the registry file of the user's roaming user profile in the background according to the schedule set here while the user is logged on. Regular profiles are not affected. + +If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the user is logged on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the schedule for background upload of a roaming user profile's registry file while user is logged on* +- GP name: *UploadHive* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/UserInfoAccessAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. + +If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: + +- "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. + +- "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. + +If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)* +- GP name: *UserInfoAccessAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/WaitForNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a response from the network before logging on a user without a remote home directory and withou synchronizing roaming user profiles. This policy setting is useful for the cases in which a network might take typically longer to initialize, such as with a wireless network. + +> [!NOTE] +> Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is disconnected or the network adapter is not available). + +If you enable this policy setting, Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value to zero causes Windows to proceed without waiting for the network. + +If you disable or do not configure this policy setting, Windows waits for the network for a maximum of 30 seconds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set maximum wait time for the network if a user has a roaming user profile or remote home directory* +- GP name: *WaitForNetwork* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + From 9ee9623a80d2a872729912d4147bd4b646edacf7 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 17 Nov 2020 22:25:09 +0530 Subject: [PATCH 11/44] updated link for november admx link as per the user report #8655, i so i updated the link --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index a6ac91e10f..a8ec2a4ff2 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -178,7 +178,7 @@ Requirements: - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)]( -https://www.microsoft.com/download/confirmation.aspx?id=1005915) +https://www.microsoft.com/download/confirmation.aspx?id=100591) - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) From e871dc083061804f5f65d459e6587c99648c6066 Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:02:55 -0800 Subject: [PATCH 12/44] Updating MDM section Microsoft Intune ends support for Windows Phone 8.1 and Windows 10 Mobile. See: https://docs.microsoft.com/mem/intune/fundamentals/whats-new#microsoft-intune-ends-support-for-windows-phone-81-and-windows-10-mobile to learn more. --- .../mdm/mdm-enrollment-of-windows-devices.md | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 1c9ca9aba5..5693d6c5f1 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -248,33 +248,6 @@ To create a local account and connect the device: After you complete the flow, your device will be connected to your organization’s MDM. - -### Connect to MDM on a phone (enroll in device management) - -1. Launch the Settings app, and then select **Accounts**. - - ![phone settings](images/unifiedenrollment-rs1-38.png) - -2. Select **Access work or school**. - - ![phone settings](images/unifiedenrollment-rs1-39.png) - -3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - - ![access work or school page](images/unifiedenrollment-rs1-40.png) - -4. Enter your work email address. - - ![enter your email address](images/unifiedenrollment-rs1-41.png) - -5. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - -6. After you complete the flow, your device will be connected to your organization’s MDM. - - ![completed mdm enrollment](images/unifiedenrollment-rs1-42.png) - ### Help with connecting personally-owned devices There are a few instances where your device may not be able to connect to work. From 4c2f410aedc4aeca348a8c65baa5a2567897fc97 Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:08:07 -0800 Subject: [PATCH 13/44] Updating MDM section --- .../mdm/images/unifiedenrollment-rs1-38.png | Bin 76784 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/client-management/mdm/images/unifiedenrollment-rs1-38.png diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png deleted file mode 100644 index 7ee23eda5dc58b05b3b283879ecb321103a64679..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 76784 zcmXt91yCGKx5eFp26uOYySux)ySs#-8{FL`B*EQ1$YNn}NFaC!?hbGG{(4ijwKaFg zw)=MXIp>}MsjJGNqY$A$K|!G_$V+QNK|yOkLBaSVApntIB0njCFK91KIZ3G6X_5nA z2hL7HMFI+{Aqn-#0v^~$c9%Esf`Y;re)~XYFk=t{K}2r_6&b`oNci|nXq!7V7XO80 z^t~l~yzSjQp}y8m$^#)ZZy+RX<7MUP;O_0<<_d*_Oi2yIQQqQGZtek|4tDn5P}P`| zf(_|G|36I1&BevW)f?(&GP4he zA-o-??cnWf166ebp@)Kc=~a-H(DpYydPe+6I_k3*S2QlLACKHmu`i81DS?Jv21CoV zYG^c*+GFZge|!8=)bkkDb#u}i(&)V6Gyzd;Y^)Mz;#9Jvli11Ui~!EP`sa62W3j!p zE=2Ht5{lvGhpt)4!<<&1Hr>8T!yM@OmC)0O!tkIhyZ7ooVFj_Ue z1}bqF#Pl9e!{z_sAraG``LQiOM91O$C1-OXww;6Dv<}a}%&L`P$Po{7TQ&9HtyZR? znEo*a>y|IS6*OU!6n^_;34ux(Mx~1|s}DX7VDR6Da_crffF{OA8Mw$-THnJ{Wy8|t z)ea3mFc5I-?tg-rYutR2T*Se_QLO6e>4B`SG7Sw4DORSXr7_t_FztUKf#Uic7pFB? zU0t1?nu@(3Xk}%^laJPuW8_YvKXyNu*GteE{)s1@pjFtE5NJPlET-S;7Xw&K=vZvd z4dO4YB_!YQ zTP0D02x9x&2Ouc;2uC3ncpRr4dWlwfx*RrB;J|JF@VrVl5n&xm{bqarG)(t7 z%yy*W1l4j!R08=wKQ?{BywG-jT?Dw1ruu-OaI@mRTj6=mKf<`xENtp*9Hed!_$kA2 zaN!&dU@|OSL*d^v>}S($K36yf7p=XT(54@OSYmusj#Q|>qeUeNloFglZ;1!3B=q;S@*!qSnGL$koNF^ zAh%$w_pUS43LD_%yOd#M1mc;!WBAa4rwAYuzda2+Ne<-M)%y=z#A;8Y=3(}&Z;QJk zMVr&$WAKVRI-OduoB4-D{654FzfIvoCnk@9Sy^9a8%-i#GP5*RXXg4S-sbw7>2Rq| zPl(|re0EmjnN|V`SFW_xqZ_`ye`7E@=o!Xh$T^VzaMYtp_6EGXZH|OLN~LeieEQr{ z4?IRsy{9Q07>XH(t#^u9o$lvGUXfnrc0Wgc&)4q8%|AUDyl(8yqFxntLoSA!JFqs; zq5N)7?wb^6zfcFMB#KE60-pC2M~P1oCfwQ^;iHYj%;%8N+V*uZ{I?@vJ;NP7^*471 zz)fKOaeJ=L*ITE`R%U<$hM?0ktFu49!Q&yVMq-bLgr8pH4 zHR~UNN2ejy*Uf4OCkKZ+C5Q{Q&+-RK$K|vTEj6_jFBRc(B&)MzGK*BOH7u&*JFpnm zz)p9pKhr>_50uCE;~V2n^gtF3{gj^(4UE( z4T6`wkL&pA#0lg2FZ2bls#Q%54(*a8>b>0Z-P_-H^asOiUKf2w8-O%dR3sp*z`Ccz=%DnOR)V4*_5eohI#i**;LF(mc6^Nzi+$2G%sk9Z8uTJ6VlkxieDngLd}y?aOpj2iRq($01-FZeoJiuJ&p_6*=?9 zI3Qq1qPR~bV#6KNmfe{o2yL)n?TQs`n#2aAv#nB+wZ8-3% zH_SG)8~+(t-+!(diH-ot?ImR_2Il;rjzYVrb#tr{8#K$er%VSq##Uv96Jf z%}SXj$M?%ULNGg4mIVT~t;!wn7_IVhzG2{=~z>Lz~-^-;kd_i&v`_ zG)YNFYE_qeiIJ4Z);XAo?+&995S_F6YRo-=WH}^9VkU^aze7wzMnla1pe@%>{q0-o zzkiMkiapYfS%KJEA?B+Y%zEHNQXy|%vgHb;k7guNw@ao$Dxh?|GAfz+L3Vt}-4KBZ zZvhBO=17KfTU5W~{Jv*}fS%y`+4tv8w1fg24*6L#2>U<0iF@E8bKpm;%hi)ipf_%V!-INLQG& zcAUTnqd<2PO!>t(aM1#+dg1QJUJVWb?-UH!`MLw5!5a^l7#QG#xi8lXYNWlyVI*aK zK1??K3c0NW|8l_( zN$%RcV|!M=ZYgjQwYeN=8BM8-G3H+}x8PN+@(+J0*7XP(4GZ1R&bk+&tQTcOYPe`{bFhw`8Fc4-mmEn|mn+Kc=tKcp-^wKK8@yorpY&rcb3*$x!<>3F$KQY)mKQ5g0 zi%21JSe$zRf)b+iKg7ZNHI7H(Zz^Y)I-zmq9z94IqZJg|s~@ifFw@TmGof?TcafEc z3WK(%;jN`A$k9^DJFt*4PIuWb4-5!U!jJJ32w`ksW_p$=Qx7e6dm6nm9zFZ>$Vbht0u6jLgMohfC7X$Ql3I z9z(l?XyFbIXq{=VU?em`;qdzt`-=^?L@)xU8q7KWiQ$?&0v^ep+DG7R~zb zYJSg#3rw$5)S4aYx5ia>DV0thoHo7MlRAil5v;rUv>KJCl(Xvaw53_%)Dl&az$A^= zp&$8Oiyv!-*su2*L=#%9T-9hqahia`l+^D{#fXYTPr!28&zpx@0%JWShbp2t5qr7 z+V#y5_a=$5ec6H1sT)5skptXFg2DL|(+b=5hkswup?p;*jwtzp**$JmA zb|vq!vu^XP4nMX%rF`NiNUlWscHv-iJ5^6A+#N;E%b-xK`|R|1X|a}~X{q^ZA;{4A!|nSN@yI-FMsq)d`}`@GX; z0?;r@jF@G9;;R-s8g3CO8s#}Aj?_^RtZ}Sr{BX=p^;|1gFhf-1+m_~Ymz6>r!h=7G z)K*h6eQMp~)IGgO*UW-gd${oL0(N^wP2mcI-YG9WtaJlym_jl`P;N8Vv|GPla?$M3 zy^8@4pj#wm>QrvlWORDB2_P{nyfQwJz)WnaIMs3?P}P(0zT^)DF#B`n7)Wd0$E9>E zb4jQAau`o{20r&3tXd7Sx8#>_=-m(P+HJ4Wv!1DPz-$H0^fa1=CA#QWSz-ArxBK9) zdj-W;>#dWmT~+t_;FGNJo<*NK%{8BmTs|O@1|K2m8iItrzTU6LoBV3UZQWU#_z+thIt->V`b ztliU?X)n#TzI`4xjE*262;K6JJ^{{SQcWKp8Ue#--F4fjuM=lz&nN)uPCbgdRffo@ zhun(eRj8La`}moio_ntMmh)`Qv#;BBY0wX6IA7Y;Z!up|){QpB3&U>Ns`o#a{=SmkcHRz?jXrmfJ-z+-2vOItw<% z7Y8p`Bf({}gV$30FNjrz7$~^i$uuhY(4a3tA$)_jszwJ!NWD&4a%(@Tx zeMu1H=jVUF6(5=XUI5Y?jz}Io zFC9*;`gVu2kEC|X-sSD>`ipgDb>!7neECO5&LJygFg9`QqFGOeX0L|R`2uC+PM_g? z^EifnhZaRel?1(}e4VG-J^1s-{TRA7yD%s7;A;n8f(FKiRr)-x8iOWTM<*w{=Re>} zdGFtyK8mGP-!5r2(CU!Kk+F-g!U_eui#b-7yGu(8ZjS!^!6Mo&+vegGr28*?8Ii@^M^{x$QUmj3H3MU~cVGj*< z)CPt6uK-?+NEbNcKlhf3k%FxlEaj}<7tLz<%5l%s<%mQFlFO2v9gxfveZJi(mZEGZvXmSeX0EN zgx%}yVhqV?Swbj>uV$IXc4e^JB_UZyMe^G)Vggy2{YtPP zOcbA7^_7bGgVJZzI6J>DWQ2sXci|2;wzl8OOe8z!xfK*tQvPP!6BfN+5_T2@5`u_@ z(1ZMY)9+t}h+d(D#~XY3y|$0yM&XGBPTbGXPRwyKDW292n!O;~`FaH32 z?!iE_ySob(vpbA$T>M@3Ong#o{6pr)YM6#T0wQ8XZLezBcv*L~Ftpz8U|! zTvh25K#99o2HLVChayO3$i;=$`z)=crCHI~s0l)0)qI{J_tgN)cKpOxTV0!`7VGEq z86bDTsY&~SE9H-rl=E0))Cy+h`%Q(ni>Eju%oFer8xxCzpqoj9oLo@6G_)=6!_AA-V?{%QMyvC0stDK!Fwd1=CbML1 zOcF_ER_J9aiHNT@&qC@JcE`a;-p(CpyYce4KroP$h;x`2I{edpa#a>P+fP3!oA@(J z$)$kYuw=Z*oBj~YF;c%@C2EAxXaj}b`D@^FZKg@)^vQT-fhBiU&{atc86@symAGyk zmA$vvu!8rK*ffi>PR-|{v^;7jy}E^6v%|&ev}>oOiD(~U>xIucig&|iN39<2`V7VQ z6830^2Y&W}B_x-)EfY>UUgc(7*itL<%8L13vCa}=B1l=2-KTAS}N=$JXPWyp24wTqNDJM-n%yVm!6bn%wu!~TTts>6bw*(hes+p%dZ z#zFL3IOHLcx-4dtAtE7~hQ{9_N8E+;Whd)l*6hRF`mD=s#zJm?eeu;k`kKr-*!?Q;^8^0m-oDnmB%shKC}LS9+w%LV6${$@=v$Mv|Q$@pNcEm@-5FEL(GDpwi;7O@J z(FoDj*8b9S=#{urhy(vNuZ7t8VBEveYSrRoEPa~Ava$aQ$~z&BKS4qz~~_O^Ki zkC);s=PU-;uh;8CBiPKSM3qGK4F}w#P`g~#c)yzHGV}28Xlj|1sqI9>V1Sp~^9uah zeI>|kI^Hp>KOjC-eD6|v4C0S@_O$kv=7N0iuCf2UB53mc>w(NN=HCwu9`TUtHR+LRdk zV*5K=DnEM++ufJF%QzqRNN^h38w|!@b0W@Zv@hc0A~>Q)5eibkMFhR<@%0&;ndCE6 z)3OmIZi-~=%tWX8a=^5RBgl2|uoBHbHHCiAdJ!%S5z=;OM;x2w->KvH%vYD@y3uM< z6dZJOk`i75ZI;c5Z?lbnq&y0Y9oT0{g&(L=H^t-) z&lAIkvj@3P_q`2~MHi7~surk$wBsMUdBQH$T$m9ui``SI4s`MDi18)!edt6c(FTxk zm;D2&H!Y<*1G{!s2nsXwHvDxEVh}gbr6zyz4?sNJ+ZX#o+#W|{gmBzydkJwX58*0h z!Wy4{z61`j@MG-tWw#fPWXiMFN)Om`96G;*?|Th^&kq6p*Q>(jGS4U4-{5TG=b)%d z&osac9){t2Hk1VW9V<7H_5;JIl>r(c&M*5$PqGoI=rm5THUI)KFc5Po&;2X8fJ3hQ zjXW^J?8mW8Q_q^iOyj@N7Wd8Ilpg?V{u1)WJ|d&@^gZABjdXF&v_ff#wmv{EfPR(5 zLFZ=V$B6*IdIs#_j~dSaGLWec(HGZG{cRg7CmSauKe~GMf^!ov_SRLvZ@k5m!rgbh z5OG0TN`;P+9D@?CLpXfDGZ|FE)cB zsE<9=v1$8JmA;jXT{jL{W%y0s%hGUukgE46l$!4sam6D_>w?(FKy4C4Lur*E{o`yw z#Yw2gpQ=KFtt~U8W6ld`-3M{8zK_yF@4%ASL-EptT*{n=_O0XeI+b)W8O`)^#5V0g zZD`G+R)dx{<#t(Utxt+{(KGLBe2n>I3UWWERQ+WEfmHYyIh&KJ^XFqu8_x=y4%y^L zS771zOGtO80!$&pu%IQ>7@cLYQj zo)g4UT47%$I@MmwloMK%l+lW~vN?$yqpfv>nF1zW^&7v7-JbjuRsNA7Y!|#UPLFuu zb#dLL6kN1EFX~(-k&Ja(J?IoFutYilvU{NgsFy`(NoeT~Hm=oM<{<5dR3)DBG)Zw= z_v_x>Ncr%Kj*NVfxSMYJohU{Ui!&SZPuVot)N+q#-0*@ClsJ{#UM>kL%t;^EGaIu% z4c(=r%eAyjYjIvyv9n!X3{&3HVv7IHZJoymI+(BtY&08rP#sg&zB?t=hyhsQ^Pg9G z(R1X0*T;=I^1&_UPr)>C?YUVS4u-hHPvWVHl`rGf<&iWQn~%%R%iY2Ep7%rSPbCip zqF#pMx&8#@`!TeC%s1ET-LE}>e&UyYC=rZPC;ujtB>nDBkP;jm^=xOS;Pc?dE{(=w zpzM!wg}@bRY@8xyQn^>dhrBSBA=19gl=U7uVOh-!w~WcpqqIDyx(d@PbeswSw)`6` z+fsJc>6;;IN?bp0GKcAG6)a_I&eyD(heE?-W@fTFXWi{Tzy3>l&G_XpN(z~urvV_; z19aB|pkN&_`NS8VvsNvf_GL#WCM0H%@|`3bx%SHZn^{x}GwTa|I%yasoBPrB+vN8H zrBH9?SX;Bg_pcoam2~w>4`UpwPY0tl&CYZy4n+##H=EnWtuDxI7Qw@D?N2KlKv&&c zNXXBJatYvqOkdRK@*u>YK7T0BHh9Q>_c>#;kk2~!tXetI&q+WN#g%X9Y6g5Y{1L77 zb+xM8Bh}P9W>#Ozruj8iIk)6_ez^EtHKY89N0zuIWwuv}%T-?23tf^QCk^M}>$Y0h z)|}_RdB*$Ex~DSX*TKt1zYS9dC%3t}h&|hV@Xhg>&F=@F2jr#oLeuB$js4J9FVCd{ zKLs_nB+6HYj`L{ZU9F;r^iZ92wRXwK;eFH!yTci#ceO@cs*n$J72m!oF4h=*AwS*L zYKp9&`vQJIKfHciHO}8EwVbL0%JoywdAu&EQ$~DB3Lc=Vn_I_D3jH2Hh@l$YeXzce zN%^}=KD|9r9{|y|SH^~9Dt(^iPEfVwo(j~;bRPfq)JzF>JrKQD4 z@NPjZ&6dLfXat>-o%X;@YWthml){POI~J>5d3D2ThXbMb*;)`BS*_ za=iqv>#wRkc+q=fzfM)M;4=wYm)=3J->DjjSV@upUf@dHUtk$)t{kQ-SE!!lh!G5>-ln#TXURC>-me><-1#_6uNOOP zok#hSkec18{4gDA6gd4NPB$W`LTmL*n2(7Rizp){6%qV=Xr@>5?r}Hl3G-E>)pdpG zfbl@F)^FY8OZO9a;-aN4M5PZa@U`dGDZfC-Pw}}U@E)w!M`iZ9x3rtL@laVPcKhUY z(Q_K2);EO-uwfcTf$?-P-Oq}jX;^twdS9PUCzkroea3-t#PfZLfzS%Y-pwuR^&#t3 zr|@Yu4KS0G7THaM!Kq!RoklGSVRvS)6lPC{>`W^`eN)Fk8|-@Q29;ZQ4*AQ*v83;G zUt^ONxi9Di;0mi$afBmOs9dPXV-0Cf15uToz z4*tjUU8l<$X&S2wP!e29VlYTFr_TP)mI=Po(KDmpCz`&GJ}{)uDexyEBgUpMWW9oDDr-0t$|_@cg~UJG z`@~?9XVyKR){XPM+!Lo}6woSVvFaRq1UnlWt{LuLeVx15{u0U}_Hdq5Ue~7%v?VPj1?#F=rpwWFER5Ne5c1}*$ACOmFVOU&}Yl5cvm;hvL(hz{XU(8m}2<)J#60P};y(+Zo^A+18O*2*7XbOPV+~*O0>y7qy zb{G^a?ZTa*37|jiWN`#_`^}gVl8~euxpv63I?G`{oLc)0-zWR5nG_|OJf}lPj(K`k{(~0S1a*F?1$AoI)$nAV&9pD%_goz zKm8FzRq(w2mw4}9#^))uiMv0HAQgt>Nr)V6#ToC1_`1~eqbV*&Yeb_kC+q@_ZjvX$ z0ry-G1s#Yi@GoVHh~%fb-ivS35UrW+C*hR_tC(NG6H|?r_b38>C;9n;A&NZewh+Rb z58iIh&gq{oPz?H9d#0=B678!ObQT)zX2@u_RfzeSa46M z0ZwfTsUV!+pm*pZFESF2mXMo?>ZgT=a%lGzL`jijd2bKK16vE*XE}ZkH&guW*xOq+dYx{5qgn#plc7B3!<6a9`-xYVgPVG^E3kzxq^gHog4^74Iwc#1v++v9ZZTAV74vnlO85>^>Vr zQ)V;_%yF$YsV&703TkZ+MNg*2 zXLb%J|D&fVyW$MtNe_|zVy9^x_^G8>mX+KsWA;Ugi_3j1c{>*L8JUth9EJ#5vlQO8 z6n*o@L#F7gInhX@Mzw?RAR6JfY6VF2rke2%XtW`kuyl6`yQRdxU4uO!*<8;>v+&)kHXoBRrrq_8h#@4efCaVQNf zhMrb_KRA|}UlGOtl6|yRvDY^KOjF64wf=Cbr1-*$?J_MFh#{{yt()f9JS+XGID(M) z7<0CSG5eG5tHak$esbk_HF-6^B*)@R?>E+i5LXH^RB@aw&NZy2guElP4_ddcl%uV= zV;g7akQ;eO95a6u;+lWyq_L^atp1#ojid$Hc*6O;z?hGIXLc> z)kCfrU@b_0zvz{$MvHhTjv%W26)nXXN{FTrx)KTSwI?DMq{Wfik2lMTzadLcSr6HB z;HWweJ|X(V$R-se3uC&EG(WJpDxr@pV{+a31A3L+ciNQDIY0s!Q+x-)H?)KYp>y_m zR$Ky_^uNEnW}UyXLriW>2>ECxhUZ%u8ACF#; zGLX2WLu`{h0rNCa+ola$kaKj-Zr`W){T(!gCR?=68{a~x_9WzdWC=v%+j)=oL%GdF zQCedv{QUA=;(gBuT`B<7)`McR!|~nt$&rxe)QUs@c2KJUYXCDEuHdLNa0QIZkJK7( zq?H4S7v*-^Vp5@0clke7?Czgs9Fba;6;PM|zuFp@T0I<1n}wQaTB zKb#T3QR}|l{1Dxg6}LaNDUYkptk0CsW={(**b1bk)8F16^*enMTg0 zi-6?2JO5{4q$2q1&?;98d0d!Xr6QSB-HT-D(cNsxsb>M(w=)f@*70Z?IH~5WNV$0Z zWuv>+lXJdmY^b_Xo~={N<~Urs8K*Y#Dvsaur5t@y9GAZkkr>pQ0RHX(BEm_U?Cn3o z{N(jkIzsyZlTOuOjY@h!bkN8{}=32bZ|w;PkIWH?lC zYr8*6!}84jpqOosXKfr#{yR!mo0+u1nwsPIDW3^YE3lB!TAIB4_LG_R5Qh*tf*O z5EX4!v{lFM!AG7GrDVge+G+oed=kF<=ZvlLOQlV4u<;1}NS(cz&LH>Doj4rr?Dv4b zq5?dOQc_Y}KgEh&{r&aLFy0f9rEZpN#yMIa5k7}J=VFZNVc$@4aB)$Ih={yfDIg_T zpC}fKPe@SE^UG>(ZkBga`hMkoTeY!JZXdZIU03-D2C1>FOYi1*g}%%0I8&tSc5Hl` zK0{l`P^dYDJvzAk{TJ2z)HHh4f9IA^)Hip_cPtK<=`ENrPlAAUeYQEo#n0`((9#z% zWC?TJR8}KJilFu&r=^v~&Bx=kobictWKPV(f@k)-3U!pUT(q3EXRxLoPP$&YQm8~P zo5EZw4FWMrJ(ehJ-ndr+$q?NF}|$u`U19R-FgT4qQc z16r8+-F&k)BLmA%gsG{C1zLS9Y^e~W#*Pky>4l=SXfJfnqh(G9XM63za_FBAME{6) zhR<;zkY7|*+g6VINY%u{OY_S#^oa%PDjAf%e`F%sJG(k}ug2#*pO!t|5Rtc^-{aU^ zvZIw%8HrG+vTA`~1p%4YP|lnkcMlG|s(g@L7dHC0Vj~&` z2HR@SiH`9nN=xjPqaYaze>OoT!=dZVgg>{wgaDt)!6J%iDGN?8HFet3Bl3)xYj?raI|3*Pzs`xi$ap{ zEE=PflhgO%A3qe#%!+c+e=72jZ#T0(PYEdf*~=F+FD|F@L9J=Tq}+^rB&9RRJqa(9#OX%*EigC|9zbdz@<;8ZrUJ z98GoYVodb0>=?;F*-nh-EN!+~?v@bz*L9$ij?BHs;shD60pq-AQ-(&NdZ2nPAk}Mo z7@+x&|C+%0SdS_{kAh(Jiy7SrI@WICn@*$eZ$ksk7U`|6?fDJIfLYGj)bwl`5Hd*7 zJtrq8P$PSQoQN>>>dKqeU=Xn2v+K8hv_;u0RVnR|>|Y(%l8#gw2m{c#6N4UFg5i+c*X)&J9Ye+85yG z#=LxZ&2e0IvOL7JwYydcMBC(SPOAg7OSBWWJveUxEw`k3mg|IO=T{r=abYCe#vg!L zpW>6|z4MnIqD^{iBT6I2Czb&yS_-kV81J9UTwGk`B_$GeLtUMn)_~6d1V-KQk#~tj z&!cYDL(=)Wvca3oVaPfZa8&8=)qyC6_@jlquWG9*+6o?&t`e>2&S*J)pMAM~vhOqT zAIjollv7=)!(nnF<^b{KW!WyluG+gsOh6|46l#Zzd#MMgM>{)v_C-IMbq#fy91a}f zc;nm7E)+S8#Y?68O%kNRSeZGU@zrQ8UWVf3STrB}ma!=7Ct1o$hzOgtqc6EdH!~J8 zxCA-Beb_@=AxyLyy)u0tJ#C+C9}ARXh*0BDeE5%D2;}1|5QrF>p6m;a?b#jx3yF@B zHGZLr5rwk&eN$u8d?hj{O)tQpLse9RY!WpfDnPOJ9CYq@TaGcGVxzWVu)-8kleMc3 zlxTogCrYj(CILHzPO zN^6v1@%tMiro)^s7FlC6<+)D|f{VqNrb{M*ugjO~GLe*BV?A_b)w^2Q;}1O44IaJ1 zUxjuze~px=P`Dq-4A+>Le(#zB=%AB%b1YSO2Wp;Oxs)%ijIYPT>BhB7R9kWve~n4k z&8LE6f}+KJ*dY)5EUb81b#Yn;_c8cEMS113@%LdQa1O{gr51k^d_UiO){POiFcr@< z9*duhHxOVChsoe1qHrkL)kL_UXC)#O8~mwEDQ`r^hVZhi-O^oIJ$9xZ-1XTK#1S?`=9j@6BY4ow3t{WC!AbniI^xv>70x- z+6A74&h-p4(=Zt)fFqGLBvbzvMVb=@A4g4z1tjJiP; zsPgF`WclB{Ph4+EhZ5>L$LOyW_KWXrvO8x3 zT9DsoMh9Xc_kB0xV>6*vj4YsNh%^A50-{n*r|Ys(SzqhQcUe-(`9}+Zvr}Mg!x3Xf z=&g&>PN(}QMd+ zya8n92qjt#ZjC$i!r>_*G^|F7{-6^P-?t)IAvC$6>dvk3cV;rIDtI&!kRjl5`{UkY znJLX`QChiGjp9VO^oEoN5GPW=IiY<9{-8M&z>mgnT!&OCZzvYZPNAWcYfAYaBfuNL zRX7|yg{MJ*0sUv~3zXp?8=iSUB%SUWrv(l{BnN6uyE1oNJMLus7v8`V_!A5?LyCt2 zYzsf?7(~dth1%E6@s!x<5oq5y4r0t0hf-;#K~L@%(%UYJp11!S^^q9xGyTt8NHxR) z3RIX|5r4z9!P#+`QmfKELl4Xd7fY-cYy%x3*FYQ}T0-IK-%siL7f7VXcGga%iZKMZ zk$X1g9+wN?FdWEeij&-$#m+KjLMHr9!|ByRBmGyK*Q#QeZs##$Rw<0)j05=>{?E6P z30c_vy1W7F>yGA@&BHx_tU+eihF+SknP-7w2okB(WE1leyAUght0C+L}&R1u6q zSqtc2O)KdFl@0Fbf_5Y03dQfg^ll*9^i-(eDvvy8)zQSlidS4adTCc!*z!Q@0k53(HsP#eHm#X;py23 zXhBS<+rX=RJCivdAZu&H?{cu{c|~Qe58B?%paROv=?RSc8~seU4~q)cit(hJF*bR3f1|Fj}c#SH!f z+h{$G{Xc~1{b1|~BpLVwi+5u+lnCnznWaAu+BYNyh0@@*48ZldxA$s*8 z0qPGQtV!VDXJ=*wp^Mi6KytBMmNZ_LB+5juT991yyk*xI_8LmN)V|FBT;Rg|%JFey zxk_I_MOh~Xe**qn?YGRCmlL}RUxS)d_5-P^@-&hn=Vt5eQTkE`r*Oy)18tKI)}*8$r>r^N9I;h4mIy^2VAAd(Nc>@_1^ZJj(@M~X8NL9 zkh+s@ZP4Hug@%SPc6L?|pxALR9y9F+YAwq$tKCc^x0E%vE)$>(!qCyt0a$vd0o^Sr z_)dyk*GLf{KHfgQUqOG?Z+|lzwYg*fDy)N(OIrIK|4L&(oVJecIQp7fGLO?zRZV4g zxA9!nx7yU3L|;N8UQ8rdBRyaYDvkbdEWHZg=TgThpw&2aFZ`IEp3cmhk9eB;_uU6& zJ{qRpO?UllPdOQS1;bg|)GCnL@5aVPYXBk!PDT<%#%_EOJ!f?3p8KMzBoP|^v~Cxs zM(lh2ZNYO6oo{L+DJdyyWJGqQ*(1$)rBMa}5n*>Mg&LaxhrZ}#@=HZ$ry=$h4!0_R z+v5`x!TYa&E*pKX4QsX+S&eo9_g@BJnjBZ0NhNmc)To$3*ms9PI2YqdVVW@)ZpXn& z7oL~p)z!*`>4ixB>qj=m?d-#$dUE21E?o?axS0NT z^`v0fhpi)nV)H-u*O7Pa{tLpG>K!?D^@MvLjt_{y>G&g_KRrUu8P22mh%e)O>m3{ee57`J+czIzC zWAAzHArj>gsko;W6Xj*IvQkdJXUoNY@(ES}W=7mWM%JsTOKy$BT0IW!N)2AOb(W-% zGtQ2K%)D}6nHt9o`+}O98qd2ii+~N0Q>{{w(4%%58oH|IbWkx+X#>B&KI&L010Kgj!2d~6S~)Q@i!s~ye<;7J5FDezPD&A;CU6R3P%cX(}%}LT1Ei{ z*I%J!!FyUoDQaOCbB!LqWd;2I6q5)AD*u~a92e?Z*U+@(ayUKdxd2R9V>NBRn2Mf; z>365sPUcraxTk?C{K3hAZVkbO$db3J?5Ld2ovJ9>C8g1ui=Kt8J7k(E*Vnpg^sWpZ z4-aqr;rh_WHYaM+Ug^$&wW_AZ#l!URid|BTJ){q}`hE!#@E`~A+4@d*bC=%)`5>DX z|9L!fE8$fITPsUpVqGkKbNzQ^qemqzmA`3rutPc^GK8S>0)mB0CfYz(XBQ16o5V@` zB}Tx}=ID;w%Zb|#;OG73gO7)Qz(F>Zva80b!U~yNE6b%$lZ|X^X**CBbI8<7KWwD8 zeWsLKMKn76^RpPB`~P^%Q$(35?VU37XzA&c)XZj%N<)Ad=6+Mt^l@k5F1aqGGtogD z=ly6S^-+m^O3=+|N^KzUpE%G>?%Sv&CqM=w)u^?@SqYp$|<(im%Btl?vJ5 zN0;22_hG~%T5;YUBu&1VX3Tca0@1@R!o(wWDnmfRfIo%W-(&NuaKlls`DlnrN(nvf zvWGElyxg=^RMhMWYc@&S?e<<{#Fsh@pj#Z$pEnc8M6Ds-KbZ zP9fT>S*BUjIgenDS2y!cnTnOy`Q^zoWHwWvl~?yB*#_n(*ci=O$YFIaNstY$*?5n9 zH=#LxEP&j&H6H_m;Qx4f>#!#O|NUD6M9D!6(0URPx+R z9mvZBd0Bt=Qfjq-eb}hXXC%-l(*iN{Gw4v3>wVRW6mPuiy$}R|Fsv5803(2oUbz8a zpd;rM&rZ*@)?lBssFz9p72r0F0vgHJAyKqrCrY! zENkQ$9E*6vQKJAB*EVR@(4Ih!mp zrZ&a4d@%T$!g`c>oRD&g{*{GOAaatWECDF$EK`)_lNG-?wHQB5O8-Wo2Tx>CRoQI$ zQ2zBoG^@(5VEby#QIL&sqsu{?Q%GNP34f zvAEalMYQR2!Wsh4-{f(~Gn|~NgrhEzg>vK%n@LxsIUF*Pn0fjm7U7!AgS!TnwOs| zL1PoBNO^20PL6Q@0(swvn$g2(71b}G zr0&~JiMyKQ+6npsQi;+1<+pd@dMeKYk0N!K)^JO-?+}|m8u*l(nvjyWE_%9-$u!W< zuU$txI5Ki+R}76QJkQ>Ld-_&gh9HH`+S16^n2P;SgW`mK>T9Kf zMiG3u;29mCkZ46bLm$lTXDiyroki9~MLzdm4FhMDC!gm|U%0nezEAVjXpg30rlXeJ zOCjk_`=4mUGqCX5|1{kgTOeU7xR69-S{W4Du8+%^nBuc)YTW|w`if_gV=hHEV#6qy z2v(0*-wOV49(j)7nW00uM^RBW$O51aF|>o-!?*;v<^c2rG`B6;E16&k%;suOvt!?( zZo9a+ZNcPSG^XOkes%rKJ&OdzvCRLgWO1={lup!OO-L;!v9hyKugYg;Al)C1Az)4s zq(am0TOP}2eNj&??~C8VT6 zHWbNDzMpvnJS(fEUzWN8UW3k(bGsx3qqFu$_4U!NS1k z+nFpe8`|M+!Xt1+W{uB}Gs@Z|76<;Kk_6jj4JTIc(q^jHmek0_W0u9EEr=|CXVSM` z)nryzF|GMS^8r1lA9h~9hZn9fprADo>oc1lgN8Ltx*r$v+9B3%xkVpn)YX1YWYz!e zS>cxK{hg!gBFW|pj9;(0A-?R$<7#cMcC!t`lMrXiRTBeQHp`it8o$-x0u<)h8RpJ< zRT@^%p#~mFR5Knq+HB2xap?|LR0P4fF%mV`Ce-Ex3*WGm#d3+Qh-K7TRNHM1SwJ$j zMJ~qt0`oKb3$>~OjN%3)=`Pp1TRSm$7K&SJBp<(^o6+kj>ts1qG9rqol&JkEMrl18 zM0=Q4r83T@OSP$IQ)a8aT`G8Prn|@E9BoDxa=Ka|w<>cG%j4xFOxSXDM>Y;N)0(Q$ z6rYP_8`$`e>zmt*#XwPOVAr9QrB{(cQ;Z+LDWWp@Sfb>HED1UZ)})bS=z<` zb9(+k$;{EZAF&7gv&rC0J7EOP!_JGAZW+VMo3$%nw(b-lGl^h3UH z#n|SmtgFY)D6WNNMU(YCBrwu-WJ;XOl`WRIw<-%bg3oy`wC%U9`)>t*hG_uJpkWnI z+gusqRKl%^8!@?q{rWwGrPQSbx_*>vRG^lm^arsv! zv?%O3@t%jc*RDZaTN962?q-af;&GYho=)GNY|DZ8dtA68?n4OL1zYeAhJI^Zb!_ar z{WG5z62hhyq0d);Mr@7lm+kM&1mYvANrb=yD(}zQQ_etD}Ga0=_jJ z)L7?Pp3Sh0sX<`%)%*hdt_A+&pJ4DVl)SMN?G`Xsc#FBUaG8wf$@q;F*tgLwCv4GyAUIK9eh|an-7|8k<=}R zE*1oLxMJQ<|0}_U(#W-iG%4EF6$VemU$G!w^u7QNRn}1HM>&$1_eNwTc4IWJ-iiI_ zFY34Mm4nEPt?u|3JR``0-eMv|GO zRr{Gsm8^4jl2Nl{5x1bCJ~uW`o<6ROIyYk9`OE%WUq>=wC%uqm9nGDs^5&_rtIAt~ zEy}HF{l*x7@9Fs}?`3;pV)EnKFsF$?w3j;U*qN?2(+pJNrSZDE2ab#4hm4QMua2M$ z{{%-JvP3RZiLBy^j+Oh1edGol?uz4yHJk1kRm}Car`i*sLx%BCW`AbT{DZ-O!_hT0 zaGL|>?C;oPpjQOUa#c8aZoe!X=}1uz+um)+!(83HUqe^eQi;hahR_ir-^5_bk-b-I z$>);Pa{%*TJKrQO9N?Sd_q!@e5g;@NG|@xDHMUrj7P#Sf0y;Qs>x_~ql~{s z$_9{NDU;&s&~_I@B_7eU=A#a?n~iR$zgHJ>zC^(_F?+6yZ9HO%|7Vm!UT1#M^3oES z8^VPBc_7pc77xwc??ho@=TpX_5G-`o3mo`Qrj}b3EJt`VdYTklm$zqGdZ!}nkU~Z# zroiMWtR}_FGoCHSM9eP!K40|`K8S4SqQOr&NnT0kGoKN%s|mCk?=OX|ECi=0u$jCz zuGtJdOS^80xS+gPCs~m%r!m`6kQ!V0J?1DQ5S5E#K~g)GCw`&s^@mEZ1XMebiu7A6Qz&c)T$4 z@1)2;--*N&XDX@m*fqvywzFv3?7NCY)o1au3R8|FWCEUY;~f|sF==&K!!gX8z*WQd zFqyJ2mT_7uGvis^cxFXp_MQFS$c`1mX= zd*7-v#s4B8E7JVIh5kPcOMYsSH&`8J4bd9|dpzW+`iCJs!D>_1EM#%C?ber^R%^WG zm}@=fr0U)a%?{-^SyWC-Jfj7ksh>JJ=sC{MTDeOxVQz27m}~2aCWU$9MB;u7 zIy%zyq~4WJ;-7P#;d(uNQE6xYa8%$|DvoK3Hf+~4k$%Qo5Yg4yGeCnM)M7Kj()y5^ z(a9YRuY6B&DKFuU($Ub3lHL>3HBm^M$kTTgL6sdk4;EW zMbr3q$E&tRQ`-abO``7~?vyFylL~fgsFc3h-uJ~-&D>~NWVd?T?tFz8oCGs@$l!&1 z`_m}Yh{=^*09yU}igP}<+G3_<^zX70#;Q#!T>p}2RYrPA{ZXWI?< zJZDL0A-ps%$g+}}=cBfwMxRUS$0hfQz6oBMi-PGc4jQ1*SyfTvJ=pn zf6&DH?6CE#zxc(42xk2214$j;hPqb%l>_e(5syQ(C~A$A(w+aoH?5uU5Gn{)jNQ|K zo@^LRf+Uu9hf4{#+*}yOrYnr-cfVvl_NK+s( zR3aS}cqGTxk28)-@G!!>u;6M;Ab{X)A$%tn)?z6?(P8z({Qx$CkGQp^yVCzB6=(>1 z3LHW_KLCn?-a8ExSMdKTQ>X8s5{sjYK%ik{|Nq~`7}xdX)4?9GFwp@AFe9G+e>EsH zpc@0Fx81D)4j0HSoKR0zfEVQH;DMh$jEV@g6o%!!dX@Qcik02Kd{c4!>0zlHU1JI} zk4%FP;k||i7KjP7knw!r$rC)oIM}>1{k&0a!?Cl~V)e0r9x$ z*odT0$smsFU-4Qa8Ek~`>5Q&u+@b?3}f29GeToVxRjZlxle~0aKjWke=45_r7mz$Mdmb#>038awh zetfR#v6m8qWoq?$5Pwd}a*QJfBo)r>yy0N(g>bh;azz!1tGN`LstZ$D{p69}ZF_9T zsA;i8e8Iy|$WGk*@4xU|fW@~=0+yxQdwcOfm4uj#Bz`N|ymF<<%VXP-J_2T+eWHqT_N0=|qk9T!7q}s2~ z`2hGgF?)vX)p(RG?edqOwg0C7Bfn6uWpq31Y(l$5@alW0!A%8n@&O$pSCW{!UU-w@r)|K6Zl0%Bpg#LDaOg=t12eXmU&; ziLH)xs;RlDHA&(fE-o$&0MC<q~4WR0o6=uAf2Jw`Y4s?;fG{vJ z$Nl*6;vAN7@{W^6Pgx_&v#0AO;|K6((!{F6=766Nx@h!?3KSa3%R?YzQRr*9LcF|% z;@24&6qBhNFOH4ZOlmuK8?T#j@^Q?!$dlAQT7fR%xm3-6>yjc+J!N`sF5p*3#FIk3 zH;Mx@e;87@de=~fIQSjsEOR7n$ZZoVm#8`T=04$d_OxGqkBFW~IR&T70sT@Fgk?U_P8#&=>llAUrga!{Ck3uN-n@P0=VF*89Q85t>)2IFx^e4=8HMk^Lt z*37Swc$x7}c@3cZ%xkYVbX%wqe_9_(=(zV-cIBtMo<8f5Gy~F+Cw*lcUR>%_ukeFY zcfUVfA0JeYmh@-O!1kCYFiA!g$}@*F}!EX>TzDtanRl=q`j>nkCYiNK<{Kc(7Y zq6_Cr0?1TD$>^CQ_BK?0+ftfvyomy4Dw@J2^gkyhTGL&e_)GdtdN6cDbTP)xWNlU2 zqF**&$f(&Cugt$8-kB*%T^~di%3;){-jG%)FmZLw(y8K6<61;<+m?=85hgp+rB?Wb zMad>5=e~%0rH(ajebn^$Mm*i~^;h)8#%~1}*jVsXbsN*Qo=E3QeRuc@b;x?{v|-#3 z3=E&EwE?kEDbx<29e9fXc@YisXZbq&rBA@9Po|V~%5F4dJQ$M{S>1lBO-w=rHGEi2 za=schnlxB;KfKK~*N$vC+f735%~m@<-e1B~Yi*EW(Lz~0dlnhKl5TC)sy)3u^4w$r zz$u79%f9O;NEu!;#mrk_)?+TKFmx!}Kg9|;?rDd{-@!majT0E#k7cGT*YQ-*5;-gK z(qcN1`1V)jDpl)@DmBN4xgMv>(#QGj;9f&$w!9%%?_)XNgYN0A8TF~VO5MJVdEcWH z?Y$b_vY>CrJB9`PKZ=626(#^D0ZgrzLD#RY5#!T2B>Z#UU%vc&$^aly8qA*{L8Fr3w~)=Mhg8dh53hn;G7w9fI@#Y@5)4euAzh zD-V&0ooUb_-lB}rKiq=?5|6O34DX^uAol9`b3)Z_1i@$eU1xHVN|69mpgBfQsxa!> ziaO7>`>BWz=JLePwo{z)+LNzbApQE*#&V?lXWZ1cEf{s5={nQP`=u{gh^-&XAZx^H z8A-sI2scyhQ&`F_=3fx|02X%K^E&C%EjCY5V;+Bi`grmRYa51-eBU>xZewc*fAShTZPbX5J(tu z9ofHu3CqhbmQ={(XSPttjCJtc)&2C?ujr?eaW#Vn%}nxNLM8yuaFt3aD+2Hja1nK6 zWRS22HOP7m->G=*WW-ha?Pa$jmTmhgcN?g(FsKttSI1RNg1MFxf3GcrPZWz5xjxZ~ zuC7+gH%gfmo-%LqUz6iq*rgCz=8BQ9GGR=Mx`c&=6~7VFVzT<0?`P>D{Zy>Hx$)9x zg+t2^eJ%w~$_{;G4gB`awzu|_V4Hsf(ad)9%c|Cb$(_%(l(!ELHLIV^QM+l*xeTRp ztElLFd~^K9TGi|$`VS$;qwj*}XR0UZ4*pVYw~L1ZV+Ol7hA^Yw5*s$yzuEBEGf zqDYm$bh*i{WbQMS?(28BU6|O|C9Nk9-iJv+T`#XU>f0Fru7rQhu(?zN5X=;re}~yO zL28Ev2jz-@-c#I{J_mqTe^UkMABUdX?c4G5sq5;N)J=9|i_JD$lq+~REw&H>3n?mR zy`3)HQ;I2Umb7oYhus}+TCXQ7k~KnoeC&J5ovxkzrVRsV%?IM4?SEqq0y%^bbY*A{ zFs{QJY=rM!CMKVSjN5rHNT^mUUwcMa%4SGnXp8Aa*P$H*kn&@aJ&D&(?ghg3voCxu z$e0MlNceC4W+ZT;t(@aYaoQ9+JG4<}m{cAXyGXouUr*L#?s`9q7{(#w;d8LGhgAFS|IA zb`PlVZqO7q#x)I`t{#~Jhst*cePs^3tOU-4O|7l9a5**ll;%mH25#lKNek4U3)&sH z#zG>q`OIElJjV2onX3x9MKo2&;kfD9rsdM)Tath115^Pi$!SVusXZpr!=r-SAoc7> zNdd4BEwu@Cb^okm z7sl)|EAhI!jE_tf13K-iHMx{*V`v1y9Q9gYIyAm^7-!QwEKHF@{5~f*8H0-SgnQ_h z=g_O2(BPTzW$N_L=?H;Q8|Rd%StsdOM}zyc)D-B_gTeOBJ~Znc7<}A4=_u?Or5MFX zEarjp?<%OMAi&qP#-ZYH@#+fZVcD_hyNH;a&eLJlVR{)(X>W@VRFcyJt`)kUn{NNy z-y|UXk{u8>L@Fa#$-%zxq4iv`f1>MqE^?9H>We$6d(z1JC5EC`J@0RZRZs1wT(hb{ z>~ni(6ER(R8xXM#4qxH6{ZU~OyKfTEZw}Bcts2eKn&WV(7t&Y-aiTriCuc8&J3eTZ zWDR$ao#b{nl^W2daqW9nT=AZBQlq2|X^x-VdXEF2*;+n-0;jCnFK*FZy+B8gYa_l; zkjIi9NpaXxYBsy1B)WXHCgk5Xf9i?pAaF%#+F&tayRe<|hWNlkR{mKdT!_x7sQ&w^m~SJ49kizbG*!zs>7I zHKl^`A15}Z=E?fg$&!Jb>O|JwQccm1amPdn3-2@IJ0c$y5ODjrmEY7oj}B(eg~P~q z3#cR*6QsAft^t0UB$~2(z%`51pI3>b*R363W%M|Emo#OjwM`dgb|=Y;JLf^UOKHP3 zRYc3?vg~cFgY;!lrp$amd%_gTBSf+Zo9IpOpIG%tFbkEs6og zhOAFh(;q|dRANEv{@o%F5QJj z%lj)Fn3Nr)ts&jGPwuiWr?zN)x)7$+O>TLD?&`XT`UI`&{?Sx`ypgB`3 zYXjn;)0C8yazTmpK4_6zo0osG!>Q*3KC|f!D2tAnk!V(_PNNLrl!?#>?2C7;*FCWF z`YL?%Kc3p zzL^o4UyU7?;e|k6!~(kSy|0eLPXBHNV^aBqYgcKU2}H|Py|!m$cr{_3c+nz(r>dbK z#%PG~C~@TPij1+4?#dYUv&*JK`WJc$Jnam)NHWkdZl?8Xs%nY$oC)^>O?kdAhBIh0Afw8NvXux9HO#I8$ zpY(j@u`I~$qeO(50g$7rIsc&Nv75>Dv$d}BJ$38vA5f0;0BB4ZV?DO=x)9Vbjnve% zPmQyURaT3%lX9&jnF&85cpMf=b+})S82jyha6nj$XL_?@R?AW46+yD;1=3S3dfirv?DVPpy3Vv zI>R`Di-&wRmdY8~>8Q&+a{}Vu8y*~(cy$)UTBcpBSTS{>Q6#KcE+F`x5Px?!&DQ4f zLf4^$V8Abnbjm^Lc2_`PIo5s2Qwop)6(G9>uDd=v?F0eD5PgxGtLwHo2rZf-KE4JY z#C%dcjb0XC-|eA~&kSY0aoe8-$ur9%geO>mw6lrwnX7n7{+;dL`olj$L$LI`VeYgz z-`fj_p+hE=0UN8vlmb6K^B$jLoD;+hl9xvZGIM9-*1N^x^2$c#uZImhxd^9N?W7PzF}(Q*0+2bE)RwSDD6WbSIX;U;Y1fgip-|FJrh zjS_<0=V16y)>3^-uD&u$FY)(VSA(Vhxcu!Sue_Yh#2b39-#~^-Ohgs~_|dkN5?!ps zgK==a0j;-#gDxc!u^)p(zwxlHMO=JFvG#F=5jAs6y)7leyljQ#5v!Esw+DF>Hf9f^ zww4jeFWIP$!1#5et~OJUN$4keG|c(7m(QGx{fJ1&5zgnA=kPy&zPBM{uB}kONgGBo zQHj`GcJU<8sa_li?rYZtwal4nQG^{(rZKX2);e&Qdp`f6UNd{18ffKzRF_P3&X$L7!vN<=XS0z;+7KkMMzh z1bM=!mU<73O+Pk=@h$)B;Bs%QGt8}0ez18c!AU?edbqp~C%!pjOK>pi;#+JnMtUZt zdHOo-rMQrw3h!*YxyzmRF^%nVWI24|dUgNdkdWB8xz*w0zb}l8bL|ThG7onSR}b%>RA(VY6MVmy`L%dp0;UuP_RB{OXPJmguz_Wq0BD4fe9?%}+axD{`s z?xeQvrC}20S(frhW|VutSgULm3$=`xfv^ia<1#@=d9RCmTMol1jh zZoEEtkEGH@SWs$kY1;P4c}-4EUvn8f-Xs4x<~cFo$qt6FA*uw6(u_L94pvRu1r$G` zSA~z~iJ%MR8D7aTK78+@F(qz)rc$6h43CPV7tby*tyoXu;N&xXyG8BJx~Gad#PNCZ zGPZ4H%&3+DK`W?b=@R-H@rNRmwl^l3NhY96~#m)^PGetL2*U;Djd*ZYv74B(D7om7M zF@KO8rZOFnr&yrLh477f6cNHJM+a(`*4l;?>Cvy9B8d-j0ywj}6g1sXGppt%U*(FY zP`NrZ0&ja77FR;Ly7C~-#?12!Fvm1OSZdAH_m=WGpUemST7EL07MaGOIE$z#xy~!< zWXk0^DQVeE{)dK|*fKnh3C-vPr0;om=Bkz6;~<~&)rbKvRAi8nQXY3}_vqZY3&6PkV?#9a z9((&#y1RR4X@iIdwccm8b>$bK3n`CxPMw{)h7Rc{(SiNnPdfw$@#zJ;{rt|f{mYq- zZc?c4Um19k9(<{&Q1TqQ>3T?^)Lq$Uorc^~i=v^f>MOmuonh_MW?0J(ti z_af)4sHg~AHR-0+K4{5{X2RW;hIX?4Q5Ab9k`@V1Wh)l&k(Y0Gh z3dWv#lyT6Lzg>F)C&cKJCz01*zlMnmk=eGzZrF*!#@xONT>~JI0)Wc)Bayj{qW2V3 zUk_&+8hF?H?(Xiig>S^9ae;xavT#ReMKVpX_~kZ3j@<@Pc8j`mqMt%liI7p$VNCqO zI_)A&3dufadl6KpLPg~SEUj`uAf7KkBb29RPTOnhT%(z9At}!%eQbP^5u3b46c+Vg zB7-XGPC)g8m+iw9=FgurmG-n=m)7U`^143<0#8QdMx=F|Q)znWo>0^Q)p}V` zAF&o1T9Ay2G4yaF{8>B?7_7m;$#G8cuctK>zVff)Yl9jtGd;bM0dgq=q#V>jBlC>r zKiapi4ViG&n+vw@-dMpgJpClAl6+NGBNF*Ov)gkaUJz4SCjK^g{Gd@p9G)@eE<|rF&kpW&jQ$IUNja3nk~- zi-{x!KN&;JJWRFBUaa@e-@K~_kX66S@pi_ieT^J{i&Bb#7f7)^)=*_f7=QYarM0fd;1Xos4|!OMIch+b-Q^;u9?-+&KdGvK-yd1vl33b7B;l=_ z2i{2Z%*P)K?uWk6_^&lfVGIyiNL;V*UBiO!^kVU(C{{zEmH0{f}&O1WiU{C##j?*qZSwmv1N&h_8E7QE=d} zJV(C78ItF7)=8PLH)xx1Kbk`c1+B|+DVj2IVFU9LarNqBy9e;%-z?E>ppOQC7R=}? zmi4La5QQ~j|G7Z^!UzcA_$V;=&aL=0S`c|N9+k>|ewOq~O5axR_fKX*EbZORe-+8E z-A4X~Px%i!EoLv)@CRik2A!=#n^z5GoexO1OZ*`^m-m_}L{_m~dzc&uT{_>$cDD3l z*=&py38`L~(JkM0*=+_@<#R~i98;iObDr5@Cfu=?y}z_U(K+!xN`elbm>DZOtdynF zsS=t5^r>4PskCdo65I^3^MMMearPM75T*ES>JCZc?(b&P+lzf@Mxs3lr%n||H6Sr} zhdaNf@1_lZlG&D4QoFhWi?GHocPYJ^A zGi99*(HNd=BvkaAoT{fLS6Bn^fxOZdxu&KjriB@Zb-$ZCVzr~?V$jHe=XbEBFwMrzAMK6fg}?B}0qu2M;M-c%#3Q4}05X1N-0TSF8wjUKJ** z^_Si>n5r)^i0|L#u5C@5mOhr|5-c)Vf$IB2#vM#6&g*IOAYlmSV+;}1lo(_wpc&H! z1@4y*SWf$K)*Qxn0Zr7jR<#~f5;=YgIV!Pv?B}L$AY%WmtpPTA_Wbn6(ZAv{I4%bV z2llf-=7LX12=AqQY*_GumsNS4Tc;3Z#sE9KF??czqAfrEvYoH9ON<8`a&(L7iyVSn zOizNcg^GJrKDWJOfVv(4IH}^?;MsrFlsBOZ-=;rT8Qr65*SVym6$wxS0{m18onyd8 zEZ-VQYr(Y(T)leUpHG`v4XJn{W2JHd!B=W3?2eng%s7;md&u%TZQ1Z|1yFZQ1lRSD zgFiL-KDo?4J>1abU7y3-19il~&KC5k+)oWeT678-qj!f5`&b~Wz67*h;5s!IVEi@8 zbU>HO-t7xsr)2<_1L}etq{P5b#DE_n5DLi{{**A1j5L0j5BP@1t|(Y2?!@Et6~&|aIyJ&t}SL*owTQCBN@N5w3nB+`JpVp zI(7R1eit%S!r`JY7OY>f#K0$6Qf?`C{@1u*4EKJ^$2Y2hmSKuz;P>x{DFw|!?Yk(u zaT=GGct5k7cI*JYPlHv}h$%ik7V1Sb;M5hv;x99x$2wNY;CFq*j5>Qd4TO46L>Hi% zVqp5Drpusg#Z@z~Q*7No+@BZ_@Z8Q+8k;$;2k2xM0IUB=tt3{?IdiKpTo*tn1*$78 zW%?YF#)kb5n<@$;nm!9Z3BLr~qtpQ4Kw*pku0h+Y-C?E!#}U$Dl}JoX&G%d_cV$~& zX#liCqDi7Y{cYPG- zej2aF4dM7F5Z93oRXipS%0&{rAm&L&@Z0_r=a{QsR>~w!%`Zt~d^I8hqt-%92xI&7?a3LW@8#4JZXzBi zesbymczM#@{*a9Y85~E8+v(RH(z@fALnKCNm@bSqPF=uu%hCNSZF*u(1HkSHHQ2&HM4*i_+?m!19}db zJB*?nlWf--Xd0AB*mtMkB>m7&N~2UOE9mx2RS}Mzd6zY?Gu zhirf`d_q23s&~m7_v_}>P+-Z)N+0|C`^Tt+b^h7aFXx*krX*~0`V%=@Sve@5qIK>9 z+>_^i?X=qXCuYV;qua3@sk~nmA|ZvA@faz@pW0hb?LZ0CQqg^~tgT2=XhFfJ=ljd; zhHh=Gs(|%7A!77s>G994*!jKtf-RW{QsWs1O-7KxRBSA}k5v~S<{56ZgUJ>P7# zMRW~Uec^>(TdtnlLW{V4+q${0^e^U9rEC_<+!--;*-`WQWxwWBG_Bv9R?*{=ThHYNZgy;ICvv@e-{+(0x0h?`Z9SV^cRb&Mz-l%<$dN28q+k zd>{;^~R~XiQs-fri^O3tN9SSo0?0W91qOV={(rxdG9V8pP2{`@D z9<%N_*m!?w{^%z;rBD7$kx4RL^?j^TnV6hh{YMwJSnpC=W>Wba$C#s@fGzAvm#1sr z`o-X8NcMkVU>L#4-NK>2LVtPtNc|alNS)Wl9&!KhK%#(syLcD{W>a>JSnbg_%*_eg z0QuMR70h_sE|)I5fj^zcX=9kp1J`<^;q`6j%-2iUZFD(nIdc@q?k)o78E?f5-XfB1 z&JjWCCqa<^U5J0YezW`bPN@I!tbZ1s&+^p<4`4tf(iwOW=h z)J5KonfGN>cEqS=M_}`$U~w=gvsdP?bpunS$zdXDuw+047|#Sb;;w8yGf?4TKH#Fk zi4h4I#O-7=*P^tOc98A~;l~ItC*F4ngHS67_(&&z%Hb>0u;5~Q9c0Ak1_|D?OqIh; z7jo6HD8b$n{zdXJ?vrJhIEuK8OMFNc@5Oj^!ALPdcdC5wwOj?0c9q0_2!{GtM+LQ5 z)yx;0Pd3Opn1gEb%F(}yhwSIhpFg+{k3DM#xKbH2vpk=xPD+iydff03xiD2dtx~Y! z>u{bV=TqmrqC5yC>cn{d?A$`J*?g00iGsvrdYP)cORv0uns}FnEG(wJhtof8cQm!1 zC5}SeZYO~G`kcogDg7|njotLEm00LMK*f3U55QihL*9@$`ii#-B^$3APv{+Qz#L>; zU2CTpK7nPHJWesMCpp_y_W5}Prr#BIz87axFx?SElFGV#6zO`UZCjr1hrpPI(|B)h z$}LC7PTfBixMW^8o$)-V0aG(hnpA2hND;s&G9o;YkL(Y^u@CtLTs~9WcQbtt2xJ2N zo9$V|x1G$qwLX7NBVniz9+=%nL*DF^@|zHM$_5H(G4upBx;WNyag{#toW4Ol5aEBt8n>R~NVj+yOav ze31X~so_?W?8(={X8U{oNH~*lRm?1)Fm)xm9Tqq&MAgyOFDgOtJBiDb{w78fpq@AUiKsL<78{_UcM=E%G_IO*4+&vz`9;^S(CR`To3q8fYp!4e-d+s zD7e|zE%@#3lSB>SF?&0EsR-SNDZ-1_OI-R1CE$B^Ar!YUb1vGnlEenyYut8>JEVKT zZjPb&Nj7dm^kFY(KORv(?-)yDc_fwf!{sJ1)>scQ^QqAG8uk(IL5qSiUqre6eJoqvof*PH)tm=({=91MH49)pPtdEM1TgD8qCaOpscjLhS=biwe2!BW@v z-Iu1!BrUzKw&x{UTZ_#^4H{6;u=2h3KfM?U|U z4S0gJOSfmi{C+15T(w{ZQQV|Eg*4tQY_vpXWw${}rbn-hYl|9kdQ$k%@Kk!jrh$jT zJY1fMPY+9v1sCKJY(!bzW2wfZxneGfV~1u$R?goBG`i=Wj|Trg%jaKk=jOjudi1?s zjAOglRc3!iYVzCM^M8*ZRXlykIZKi;ZIy-xVTjBDt<~&l0msb4f5+&1B21e`RrCr~ zNj?(JnhzO(^0MhH?IG$736D`6G`UUXKc4&aqUl1e)>Chp-(zDKtgK9UxnlPL`=wXg zU9UaAT!TNXr1e-pu>Sakl_vD!|Iry_Pz6UG`X9}NsC}gfTB|5<780^TaGF|nKD(a# zhL8wU)6HcF&o@Cb+h$;_6aR=??m7$V$)f1<8X~!(DtAEravL^jxLHVK*rda{78KTzATZFRc^D^I5+7;u5?o*E?l+ zzcP*QJ>{hE>_}5eAm#0D=8xe2eql|Jt5kHc?OFgG$Zrwioxyq^XwxEjZqdWG>U`QR z&hm*pu=e@^w&S9!j9hcoulpiQOEy zeTHW6=;+j10l=^Uo8Zske;iqDiH4UjvXGlHJQWlHCw~~%FxO^)|CD|$3$ws$K3+ZM z?-s*{&qXVaczzS3Dqz5oeZM5=2uMFNaY!Uvkil3tiOT3SfRjAt8xB>Q4&&-b_(_A@ zd3Y3aVsenm_$(0?9f>f4?bzgPgns}ZVG7xA&II$s<)lNOfJCn8z%OQZ{se@#YzVXt zP*)>CMa=qH-MrqlhZ)ckd4cVUo{SWP(eFMZ-VCV<<8X4EwarGg3?E~+0(Ka9)n9lQ zgHd}3?XMIP51M(qM#JY1qse_w@`%DQ=g-0W=yXb&C^tOI6qW+wnDCVD@lwS3`Xir) zs#XoRx;WSO(NIQlZA7jKgHv2sc(g0Pj(+}c3#NrxseeTXrqRqL)7}xV>t^HkA<6mC zu1I7SL1~L7H9fWYt9h0rygJP9cBe}F?ioz97=Gdl)`4C;+KX90ASA&0}%0t7Da%>xc6t-;U(tV|U zk2KN~WSSj9-W=tSAuo;se`$Q*$obG~ z)D67X9Vuj{A)o=<{s(K6{Q>#@DW8k?6Yy7vA1^&UKX86lEeB19U0@IP4s5J%Kom5h zaQS7r)|sL^y|Ep?w@UqBar!v=8?W|d(}!INOz8~bv+W{f$iQ5w+t6>5@?Zo|IZL&xE9ATbJOB9GR(hJok=7F>TiUpqu9+q8oESoDb3qRibf{n zrkP1@yjsiPNnzjJXH@-ANO*48Y+V+g5D&4@Epel-^DfcXDRH&9R!|m=Wr^QRca;9s zT&_!)gEHTc+wIj0b7;^m{#5J|$oDqO z<{6)GK7fX@5@2?Aqs((RgOB=y0!9|+S~6`VbmNvxhh?_1{`>;--}yM;BG89&!}6)T z(H$r>n-dS&cs8oL`fr?s)7eIG0gJAKQZArXH_LE*SA7qUjQKMFlXD;EA72+Tv zV8f6&vVPi>FinKn65sqkPwcdM+pVuSxB{KkYq)TCnQ&Rx91}S*sVMTXNO4Qfd3zU* z3}S6!?P5#{AwR7P%BAvMKJCB(9oeZk)H=@N4^I3-F!~a}2(UHdis|b0_synp_M7Uz zui=Gio!m~NB8^mX5Fgocxf4Cbz6?k1vSh*67M|~p%}?1Mk||=ObbFjibN^<(nQq7* z?2BucS3PCZ0bM_n<%$nEn+>H&7Cs@vqg>4?YdIGIe3Mo z$vXfhklN1?WY=02yJEcire@4D0s&Pq83uH56n2unMc5=Z6(@XphX0n7gtg@fYTIED4M7c=o8K(dvG|SuqGuwY@3j83N%~YcY{uDCngt0a}$)%XU z#w=fwJgSTUhy zR+zZ=`hNDniOeLuwnX&o_pFV7e}36hhXi-;M%yaZ`|W!%Fno$F2C1tUsQeB;r4p~v zG(i2TNqezL(^8YGHZHzqtT=)|s4TvE`xteA<;#)dRIb;kvO6-b%k*DCnvT$EZx2XN zDJG}11=6*_0547|avN?Pn;$QkU$xV!7p?WEaU~dxBUqnnGi$b=8C1}i*hex9GI16& zLs`~E+x&kS&Tq7U|4SWfRhuo3-@k2OX?dw+pu+;d$73$nZ=c(B&#UVRcX-|>B)y;~ z?DRP>0sl0*6|PY=7|VNz5c(hk7S*n_{TWjxw|cM<;}!Y`t)0NBF-Rl z=g46=spJfYCnoggYD;ZbFbzD3Wf~1@4lk&?BpnAdg0VWb6+`45itrq>pRhHiU+0k?T*!G>W>BlsAIVdSi;HKvzf-$Y-l-HPNW$vyAc7Uc z{QpsPmO*W`ZQCtStZ1Pv?pEC0rMMJmaV_rdRxG#$_X5G8xLa{|hvLDdxXZV>pZCwl z3^RmD$Yc|__H`b|S{2@6#I5g!(p6j4v{LkoJgRg_yt1#I(-DI#;9QG;G|&zq^KOy~ z8oTpwaBzI)742!Imd)zfpw_N&jPg|rZb)LGt$YxKO5aVq^YAKe=ujUXYT7YbN*~p` zr9?UY(z1kD&nWIHS#Pb;BDyw7a}4lfIAbbr=z2h!Z`ha_u8*nyWJkr&2D(Dp&Cg;P zB}VFM<^!z$bYo%xndEHiovy5cTB0)xxeCoc8~5<@F9K>++$C)}44<|o{nsN+2i@ZN zVth0uJ;!9#MiKK3MoI9<73MV`dYto2KCIY)mhnIzXpH+BQ*Kpc=zZjKe_%(A41+Uj zwBB()zEI|y*IaV9GU(EDn1UV@Op(m82;a{HHs=~nC{HxYMtCm~*jY|4E`$bgi7ihl z%4(Ys( zZ11$FUACAcgZ*t-Qg125TDq$=1+%FSrl8roG;D(#I%c1&Uu*1RGL89JpZ*U6%-NxM zSESHFSXL{U3BLql&sI!xty{gEmv+m^+_;*rf`Y<59UTTP5@Hvh^JT29B&=bz52*K)>h!Ca6x&XRo=7l1 z|L|*u>o-`R1`o642_b{a`;@IkD}yCD?(DM{WsIdrtGL*NUs@;_5r8nWE{Y$vO^C(I z@3zyWVLq$!v}BRIyP?cN62!L_TOauH9U;6mdFVU68i3tl9OI%Uz|RvU;_()_CR(B?JXAci|DbXNVEWr0u7|P$y&wQYil0v8 z0+dkIZPCv~lr}b$EHF7jN?F^v7)JUM44JN>Wrs%gK`OG-{O0;BrZ;g^{1;fK4MM)i zQTPpww4Ann4>F4XNJX&azDu;s*z?$zZnsy}X2@WUIJykY+ofhE!dJK*f)5oZBBPp` zHH?Spwj27X3ua@Nn8I_w&OWcw@9gYG+&*qtQ^Q8K*%-|>A~Ye*;=AZyMHjerk8OS4 zIc$FT6+>o17yj)WyeqSYO^WSaFEeV(>4`BLa6 zI|RNf0-hu;9B+yw?mAB&d>!aVgDtLrm8@o(@j38N!z8 zMe_p8@l1{Q>*_xp#gCvbU*$s3-siIBR^{Gl+90WjMo7dDjf{P>LG^nu+wuzgc=4u% zkx_f&ft1))cqp7OsF&%{Ji$CkzDEQ%t-wK+v;h5483EJ{#Yh!rN%>UP7d$O+$L{d4 zZ@8eBl?{_#T$g&6lpLuT&@(J!Izn^0DpT6NotYKVUQ-;C9HxT^oAF+N$yin!jGzWfuOpz z=XY!cO48$6UbOY4{s2X?p7m8IBWUZzKNsj9stbD^`jH#?NGTlmIiK(U00eR90dt~) zRZ3ZcZffIXilA}xG;B5XB8TfC zqT;NB^w9=)8NktgFt2ttwhn`i?@Fg!1_Y4`g7%IoA(WQT%F}zG%*8DUZ4HVFd&k{-Mw;4@a!{1bw(be3iV^^D;sfg-szeu*o~-asCJ!=|DhYYegui&o-%Rt0Qpq^d@3 z0FbhfjosQZGTg_Z`{ox58vpXw0@P2pnkpN(W+ZfK#Gfs4_XwC18#)kb;opYuxZExn zw#C-s?4PD%Ca)9J6ZnlT_fSO_40iY4ioWw+I4-c^9*pSlRp#eq59ZT0pPF!-bfrdL z!rOJNP=4fT*cQz)nlko?WnyJBI7dKR8agkXpVY@8+=hYX=VW;|B{w!SYTB$0{Ia;H z+!4whOG_eSHAWUEHjv#wDe?XRzu>ruyF;Obhi4nlyj>sw{n&VJSRY+rZN4V}G1osR z+@L1za0NVC+cY*y!7Trf{uCVBA8$IgRzZB`ncWft6bHw|%@drn45uylBGo)+%nSbw z*x%UVk?>HdZmmepq4JYq)HkLBNZV;C2HMHc`svSxY2wS3{u`e%2uh~QPh%T=5A68Z z)(rUoQa8gsjIRvIG2*cbf35KEVumWpDg=n2M_L*sK$rYeOIERf|q?K zxSUz|a&H7aa0npfU?T?P1|rmR8`e`Sw_c7jn_cvTjm!@fWj7_QR*LvZf2^)~d)!-A=1|Y@==oHZ!RN=n z7f17(FFyOKf6;w+5H}=y6c8gspm>G}HC0%qq-*fEjqBQO>M%?c+n9BHm`F{%?EHj` zH%?Pt`f-MKL3{ux5(lj2=xsVHEmBRQlU7nAy*|JNf}K~#LKSCA;+LI8}TKw)nNgJDzJrh_})Lyeyq(K5ZZeN^VXku z2G0H|Z%ONHm^i+fIR58tI1MDwkkFaq5QxUG-Ff-85`$@lT^fTtMMwccdd-Pr-1Ig` zuh61{y}xFA#t%nbPg_`FI{V}@l0pSB#Nbzq20Z)cFobEL3fia{=jZ)>WPsw}W@_8@I?zbL2=XXwU8kp`?;GCOFUJmy{ z4u6%FmNvy9YG|1As!~%?QJHzMECKR`i4rWtk*p`o3k1vnP@Z22;8eQe^I`f*bfKZ6 z52do3K?)1a>T81G9DtfF6?GEBNYkA*>d4pnB4A`b5Wmm^8y2k)ms-q9HD!Rd4ljX6 zg2RmAyDoaSutgGIXEiqjjQ4AG0l!oonmIw~ljgeFat}yV_bSBushZ2rSo|&|vOBPI z3!}-Tz+~v3&-D!ipxkR|X+fVbTJ<@10SZuR8W%LAj5g`U6TSdr@qFd}veuczP;qpi zKp`Ev>h&)XyI)Bfu<9js_En(^|FvEj3_thk0-kxMK(x%lFI8@%^2Sj|Cxea_9v-Cr z_z>ne4(L1sH?;O}Wl`Cyz!^>vAIcx-X&3J~X;)7hz-pI2X}wyJ)5R$`C*!fe#!pLE z;M6SIiuUUg4lb@C3JhU#jP@5%nMkE?V9`T4IT=+CX`q;|wfSR{(vw>2N8S%ARx$@J z)TYQ<)LDGq?2NPoKs9hBCwG;f^VX#6Qq*WHEITXBHp`y1rbl+Ukh;)P;5?U5X8g)bT4nNn5(z&y%#KuKCKIwESicFSm!6Rk@cXOjU4c}S6Xe6viRI}nF1 zR2iL5XFmfDd%il&&-#u(s_T)XjUE|z0gjQSra8`e*BXeIr*;0l3O2BYP6YV1$Ar%7 zIXO9{TG*MaX*hFXGp*?mgR5*A6}3d51S~CPSw{(BPTUx4Ft#k~z9B_AWBC~rj}>nW zjFTY1SkdOfNHx+AEPt`zw^PhkbPy9rtL!-hH>+89w+OG)a z06iN0Ht3jp;9>PfNJdr`?6f{~CoTHrAW&8p< zia?ab*w`3w%Ii{N2;Ww|IxDMv9$bryf5(kwDemu|D8sgI)$>D|hiW^C+$@Oz!#$+5 zP;OakdAW0gt|#9-_p(iHO2URb_E5~Q4^Ea$Jk`?B&xy^M~bC~q}3M88)ci-W=)}|L8Vf){phy(L8$yRn2}(pe&>u21@6a$+63?nI1|mPS$+! zy|t&zweRE--GM>UBuxp>4<4IFN&|p}{2M#K;1O7$g`Y&A<9=W zzZ70Fv-WT3!paKc;e18%D>hX{Z|l}->2GQi`rxJjE0h%U)^phxYZ1J zeST;i67A`}3-<2_OpWGZH{wuZ|FG-E6q2D7#uXy_%K;2_D}`3v-2e-IQX(2Z@|8kA z@~W_6a7vRJHK@h-NA35ER20n5L5^Ed+(RTUXC%Y_UY`FA12gy5i!px3{&Kgy*yrPh z)udO+IZ!-L_=?LW{)xHuGQj)lP(QIS+gD2_sc>!;&TD&D_@xPGm`l+meH(}-;)mWP zXC+toJXxJ5R(OAjCK9A>IBNV-&0gaITUwX@-S>Pedw{#+PGOdK@^ND4=6JbqzvFC< z!14EUhOrre2m58cNPIBm8Nbs(r1uuVS}cy9x9F>ZB~@RLf<`GLVJuql?nNPuh>=)|M?1J6XI(fF|~CE1%|5?Qf6ELx2#JIWz@o16WL z!P~EG`$s!H7jKc_RjtCJB4#%(f#fJ~SbPD3od6|Z*C-ieooRoXTmH^}3^b)-15Xt* z1ai0r0c@+RN{j2U%JJzFiF*e=L@rz|!9C8()@rVntQ-QRq#9~}7J7x*q310xFTYxc zXl?-lIEPYgHxM)Z%8p{J#LL(yBu~Aeq$zE8I9EOeC~d}t9?C2$W0ymO9?2M|0mmIB zkZRaQCLki1eM}V)uQ5r9Ps#XPS64R$Bv{eV(AZcwNPXaZRNU$nw`Q1169Ll{P^JH> z`o+ww@Dk%vPV7g(Ysyf5rsXCEIC$`Xr`52xxycm(t_JL&qLQqRV;r>NzV(C6BRj3u zOMl;!+>0G%!$u5c%K>Xx*f7`GmJ3pL$EFe`8K)Frm0H8xi3f=c18=1rtWZMcOsNhA zxX})-YDuH-{F1lLEHXg|SABPKj-p~mAhd@Yc_G_~!jJymTiR=}9e3wz z1Hau|i+92)m|SI#r~o<5f3DEFAs}B0J?ke??*fv36FF{TIsr?WRpMevmfEam$CUB# zK_CRLX$9`VleU)cR%QI^g|q9hV(UHA5&JK}M|LewT(p3EDEsAncWQPvpE@9f#8V^W zQ0WOu`k z=`*@)t{%)X?FUd&!wMSPUk}N9d_8dI9Kah% zVCJ3eppenzoLaj~yUciMA{#Rw)V=ls$Ldl0TnU5y=hWq?0GFX@O6$&V6v*2}!*MGc zn?#`T8x|d=b}mj4cu8GA{p~P7esgn;ia0b_AF0^XA}S#vanJbg#Az%5B`8uu%2{!l z*DXQ*4P>TlJDyxEtZiqIiH}l%Zhjhqg$nwV7=@yoQv7PW9@T0T0r!DC4jlIF@7UiH(%=jv%+u~YYrd20fQc^+*L}Rz{#12c~r>$cNjJr=$!)UBy zFio7CYF?ShgOQp}*5R0IfZJ*2L^cbPqjLM_$g2+vFbo02QWq=~mCO_l!`j83#-TXw zQux^M@$q@UM>utLI5)gA3ILqv%@0;|o8KAD4t-ZqQz;0t3VGq7jv102cE%L~T%!AP zv-5*M)2wf?)uIN=T|ptLwzhsx96@2xa_Xo4rn2t<;NfdSH#HMusyD+e)CzV$eR{^|5vzHA1j}JXybaPRK~?<00GMt0X{|0fhhHh~2(QdR`BikHe%A?t^Dq6#$S8 zM${)QI`K>?NW)1oI9AR2vE5*bD0$52+pC%J zEEU+^lTh76&eRd>j=P=o^C>yzeN>^Ih=OoJ69#%_)rY+e@emiD_FUKCqzmX^yyN+d zjD@XrQfsRK)h@t>lr~i>m;v6RJ;ZWjHEs2ND~cHw3VQ97f$f2YYf?N90CbTec^Y8mH;REB{vA0>_ zQiKf6H!q+(Av0nYhAn{nO>-SbAtEfs<#4W;bO}BH6F&1zzgFLFwx3=|q4QXiNJdYB zL}r@_Eam4gd`5Fq&k^$kZHW8u+JN)}|CHyRaJr#S1D+Z?+`lMx6Hs(~AC0EUd4t^Z zfpB8ajBG0IK1-TvE7?jLNFq7SJ=b;OxnQ@>!7<5Ct(u+$*p<^yXx}k2e}BOYf&IO0 zJRqNXOd$L2!YCO_RQ^{(gZkQ@q4}^1HFR=4*5q?mdU`3BbZD4M-aG81#8fIxUQNCa zwsuy@8*zqhpBXeaVS;xCg9CpxPM8NUs1J>e&XHYD{E4;90qO|&A&xnN=j(x$gX!C< z5dWRX`b7X>o7bHOPR=geVE9gsHW#ddPTk-x5-Vh3NWDjLlpI!ttUCqYxlHwarX_Es zVJAt3@;v|KFHQ;!3)*Sr`d=WyG#g$O$I6*ES{EMVmGY4Fo-}Wm(`s&S?}M;34`mn| zWlyxJOhV2w3Ug~^CFN4pa_pWTTelMj8AcfS?z~3)g)KOvL`hC%jBTIy0%gD4Pt8&N zF$ZZSklWs3Rf;$e@WI7MV<#aq#i34P-h|#w-Mqgf;O(VQnz{^mc;`ZoBoLB2m*as6JG5 z6a+SPiw~%cB?VqAdOLt3!_1y+cuiySe0Bv;9ptgjA_SgmOxS!0vB%Tf)zSTaW`p9n z$C#xW(NJ7p8})F;;TPo4%#)9`{q?Gh)T9%88tjj{=MH(nw%~Tqn)LE>M?y|g167?t z`iHV7_IK3BQr`GQBOJ)DlUd*wzLmc;$sI4coOSrkU z!!p0m0VoLM(U>#dSQX=W1_ zm*q6&aI`$-a?n5Ja(^gks!>1_0(pQ67a{OD!T9U(714KV{1uyjP&uzOapEDlZUzoI zQ_w;B+=~EK9k+o2M1)OON2iI+&08bwB;A=G#5~s zLvcD=+cwM`hG%z<2^&o+OIwT2Rd`VVGD3+7*3TVO4c8Zd`G%a<19;(YWy|i@zmPW# z3p1V%QuEb-8mHf~3z--L3WG!zQcx;&UDc+9>$xWE!q;mnFI>&CX)x?GXQmYIOaY0}TnfJGE zxqx&g{&H#-tXC~L6&ay43?4jV3RA?~YM6@MSHU~30M@MfiIb}o)X|djG7wFvyE^nZ zH`3+zWMj*A?Yfp$mM(2HRvenm-PO!Vh@-CZqno-@RsF7W=#}!3P%d0opRy>3?n%@X-Y61^1Ti7pc&SM-I<8pVN?_X0x>zpvI zX}5LyVlx}N<@4yy_D#d_zRNAyZeqVhTY-1Q=+5rWAqpI!*D}WLI*b0F7`@Sihj52+ zkBH-A?7vL)4cN$Ka5@vc*8rsqYM+i;+s3#h-fz-qRB_4OVF^0u~}fLwLG?NW(jpm?BcNiB{QeVmC86~91LR{T7L1^=9-?Q*q(Olm{$ zLO`^D^|Q{K`aglFiw(7frBc&ItU^{YWH2oqW@?g2_fDClSyNz@OxoSFN~ZX$G=^~X zE*8I|y`EgpDe)|I!Nm_j$A^wij)~ry=)nkO6%~EGsfe=>rUV*dX3SXbbm^MfJb*n< zLhY%98?cE+H`jmAtQns*JEvLruGL09la_=Tr_wd4RZ~yQThH2HSzxYs3RFwAUnTUZ z(1m@wfUuU)B!A?H?aQ4x1y>3a6WyGvSuyc`%?D;)Ud`n&wu>buX2qc9YxH>%CX=c* zH#4tet4`?zfNXdZl^;w!c?r}QsmY{%L>A!0r{~4inhatv zu6smC@1ZqDzf~5ub&F_N$e50%a`FBdmy(%Vp`F8TVLvM6m*p>LQE2#P(;$WR$B1`{ z93F=uh)bi~D`j>x4n7(a7;&*e^Cqvz2kMo!l^TqI*YZ-h3BB_mww<_WEWtcp$I{1U ziFc!D)y+3qURQh=Xy^b=`fsIjSe$}tqiK(Bop<7i$d{%f<{l{mk>}RHak$`lX|kia zXf+??KiX15gY@~{DDO6*)#CN7l3H~T*}-UanXv9C&%oHdX&$6>LSxpzRBZk-zEZk|+(tdmuZ&|7!-M0FF7s6_6T&lLC+J%e2SK7u|f z0H0oq(<`Ss{o`@ZYEdower_k2*@Z{jO-&z*Oy6g1EmpXq{ydz)E^3mi{ul_?iRUKK zGi}uy#Q+)ge>@n%^DLsnmCO-=?W=i=n9839qUMb8< z9PE6bil3SEJH8{~x_d1y+DJGydP_KIY)hE)Ec?7^OG##z^}-A4C3)h-_RfDQjAL#6 z=N{fBn~vXMc>{EoTW@xQA{#|iE~ph(j4k5}O7C3Q9H<`Aa03JRbP<(9X;o&IeB;&{ zvA*44oqYd9YA41}kTM!!BrqaEO;fX2>%$VBoyIRT)%W$yMz^}^>V?#Z=QKp1Ua#xp zNiuFbbp`;oEg_!)DnOVWI{He)7Ia(WruijxE`H?%d26GyGAr|n>?|M`Rz^ln*~7IU zS1%SHWA3@#w;ZuL1>-0%36WzvIK_jsQdO9n?B6nWHpWqv63l)jEhk&gwju0DTtUB& zbQ`JDP=1<|WphGug4J?O_orRmi3b-0rcLIUk~br=ZLDYwB$qd zfcdyD-oCe7vy%79078$j@n$+li;|x%H%XYWswtmfQ0HOE(Yx{0%!Q-9AoE#g4N&bX zqGhAguvl1|8ED_(W4P&gDGNJA_w~eLiFLUaDX~(26JRr!fy99N)CKMskk3fJA$7K6 zU=033!wPvqB~_}Q6?dZ44_!!*Xjt)j$ZSX?T;$EZg~~L0%SWG!G-5JuOO}FuO<={4 z2>(uxsXRl*_&|(c?ra@#GxpmJx;?L_#+cstQ#ZQ^@oo#TDF|0=ybI8UIT9g-0RS3*`}oO}r$VrcXThh75P>hxVKl|i z$TI4~?`KtjAtowA&lVJ`LJgp3O{F{Z*oOZlKr%Sl{x(TbgUDpL-tq_&z2B1Z<2E@r z!6h7dR#A6l`0;tvEh@#>;?P{x2ICl;pFF6$2jf5x+N+ms9(yZZjjD|ooqH_$`Ae^9 zitSP)&%$1%(~=DOX3hL(d~(VzOq^q^77F~25$1 zV>XTg^nn@+qe`8?;!F#8KScr(kO zke-XI69M(kh{?cw9P+*ZzSazB89j&0-nwiCSpmoIoKmP>9<**9*`=t8wu{d}vP7hc zq{WI){WiwKKkD1WP@I&upvyr*J-tNOaRTGZXE+-W+9&Xif9LP-DJ*Y}PuA^=yFE_S z|JgsoV%7QUVf8YihH2fNBkhEK!cJy#7)&fM>Ko|!+7NleJ+SZx$RqBv+KTicETe|C z)2eQnYFI9Szue$Ju(@6?{L$jMM7j;TcK6Qm_y&9I!JrV1(~yyr5ndn~k1j`sC|#Ie z{^d9u6Df_{7n1?{XX29$##g5EpOp6ANWTlmF*imM3W6CcN*mP9&mQ=2hlhk5ztedPd>)duZ2gj*1a6-Yva_ z6;ySTLA;Jlc(QHs^?e}gj3>^BxZLa5gvq$S@ zEwzinyLgZTmmvSqJP$RKLdE`>lukV2u6bDsqx*!2s}{mVf5)OgXh_FPvNM^e!P6OF zIUrbgl;>Gb>Cp5bvb=@T#&dq#P+H<5K}3v@TkH*snpr#^1AnIU?$qs#GNte!s^mV+ z6}#ZjnrNKNm0UJ|}#;U&>p* zfe+%6|LK3VTO6VmI`{UprlX|%Zflc)EHk-4SeOd=r3tOuBgc1Ve3h{N@rVn)Ru5(y z;X1|sd~;z)M57sLl|=o5lvr8NBFC`AqD$%5&+0eJSqb9Xg4?35^%+pJ^IavAfxhhQ zdD^On%%Np2_T#YZFrjoVfZm)8ds1qTCoP&GE=wxcUCRuO}Kp{cj*~+=zF_9|scjJW``2IKjCMau~Ce}B=zC!Ta0NuX+3TG2Gy@*Ol zD(&^cu2aso6tj{ZOGd+?1kryG6dfMAn}EtnY`G2c|Ay;tQ#H;@O3m{gwSYlAaPQBU zFR)l>gncbJuWr>qj3kt{aFc-z?_UT9p|8X3PDJ-f#~;#Ib@)XTO8RJ6rnX zoLO3O5DqI@WhPEj^YME*AJ4tMp%Zt{#xu+%ob3!p$weL%wDZDTKOI5PF7Z70|Jhj%nq6j;` zTVr$Lua6}3P&38-U1F97c1~n;ypt|x1?kHlUR2UtpQ>t)?u;yiZ>a$9r#9G0U3&6f zIKC`AM*5q464}&U911juo}NA)?T|}aOsorD!m@70;H_16Di$AI_}Nb+y}+%F4Fbx3XV6S>y1>EPyNw4}J&e4Z+3dy|pEISN z)ex4~z@NqM{`p4D?AChs*_oPlnHSnn>s3Q=?2-oKL;>2Ou`%`2c^n*A7QjFw61$6R zwF4dNS73Tz2!^bmU&ovUfCfLW>KCSdr8`(_bcil3EkO!fq<~rF_Nv!OVvH{|&vEOT zpiWmQQ-BHxjC_ASY5A8#VArVp4&~jp&I)f>L{vO5d;h5=r)m@rJ`?=cB1PRtL&+qh zDD=`aJ`98`i~*uR8k5B0>Jn4KU+)Nk$J1^V6&-TmJauY$h5lyEuS4L{Kg1ZoBfmn* zfhw`=YHcd;LbN=MK(ia~-eJZK(dB=ph*isg2vKm2^D~E80hm#&lkGwx@ z(s+@8>T=BK%u6uTDpj-cghG~g_a#m1C|YSE^64AL_OCko9<;+>rpFGBj&UqXcf(10C1eZU#>T zTeh=1p2n-KZkPrKhvQ!H5u00E+W;`bU*P5MMYYNBC#tqrit+E?Nv#XH8>TK1Ziny!sWvA8w%AA4i7kgPm2)|GLbNaOT4eQt?InFm>|!~)x6<7q3M(! zGBh^*I*#ViLoN4BKKHD-5fR21L~AtM#|X~MEbso;PwXWRl$cG9m+HXD$%U3aa#j(} zt}a8hcLdpl$&EogRJxnB^$oHB!Er=>bO3q_u}oOtc|f=~wsw?9KtO~5UTJ9l`DPxfz4nykefO`uOl$wZrPRdP`x{*;UB0VFIixVZl*rlghio*V zAUVLPtaj{`omHDwnW6-cv`fI?+t^(KFy=AA^TGo=0c6V!w(}cpnGiZ!TIF;OEi02R z`Tt;YufkOLIXh%4S)UQpJ9tUG&qWUZcKCI8-?XeH0_hfy+s+Uwp!P-6@_Qz<3&_3w z$uMgB^6#g)q4G2!`LLF@R{=ZK%jh`%rbWaz-K#d|jglKGN$Qbj|4VEOF0K-a&nhN| zV8cjL(2~i}INsksKvT`K;{X-d;3S3A_PT%I)WXE)Lp5N>^;+@OY^UVA8E<*`c-t?` z1pfv8JVO6j%ok`=7x`Sc3174v`1NPHNsIdgwq7q;S<*l4NeR;dN@WLHTE@7BH4kkd zJ>#t5dz0xlEG2aL{_c+t$ya__=sTEP9{>h+i}G1^4)r1=B;+-)U+r?CmI>8TtC1JF z?Zl8h4%bR$!^mlNask}Szk^C4hd>OGG{wm^i{2Vgzhj}ynU4uf{Q)kXrE#eSHLWhr~@T#nQ-apDt@ z#9yQ5DMv>a5uFcgP*?`a%PCFcJ>>OAmk?p)niP%od;?Hmz-(_g&PeJ%!xeT)VkVUl zh0%GbnO}a*GaLmR5I-oWxil~6S0YT#Y;im2nE<|C=2yLbF1qO6v{@}>u0Ei$1g;{q z1-?O!{iPuhPX0wENm^6Qn#L6?nX-QChHC5q%Cp^8xcfPbs1*7o+U8@aMlNNI^an3? zWK7b~)x*oxhmqwDmw)X%PWJ!)^24DHjXYy;o$$7l>5i?w)VK;ReWz&$^&v2J1GpJp zzq3}$1^~p~d=xHIzLR8nJaj<_Yy>ck3%+F3*471uAOcxU>K}YH7u(z0^CM$heCRUk z11TiL4hCFlw&gZKK$znEBKt*$fE#7d$lu-~)k2nXi7^v43_-~fKluo(t5U!5lCa@V zZ1H#+li%?KN6`z_Xt_}ry~!4raisf~4CZ{%0<|1Mp4Ul+zOLP^2hDuglx!WlBp?qF z*;gy&yeZIu9V|ex-4vITM}g3GP9;hncE{jfBqx3%oX$Ut;lK0$j2!rP)nAWM{kT3R z`tU6_`^Bvkm(N?D_o>7wn+c{G1L6<$^HuLiB+p01mHV#wpTEz?Nnhrq<~WYu<7 z@#>4=5mtNvb7s~vu}cj*bV1zp6-T~ILiyE4^bBzk9bH;UKc{d?w1mvewZb08ZgU^AP%PZiWowGvXmLz7QHlN>jGyC^R%E*;XKzyx#ChG=h?|e z%O;VgdKU!Qo|U#-eJ3-jYj`v-_nbRU0Q*!3PSK$x!f9vrVSI>uD=r}v#i=Lajw}44 z#a0{C_cfSvwW~L~u3d+qzVPNq*AEIHi zKgYHW5s@ND-e~vSw-6wu2s{R{%uBm&3-%pxnJO(9fB#ES%qwS7v>R~A`Hy?aoSzqC z5MYnnr|?QpDf1(k`PsFbinsRgG6k-v8&^IxPBvpjQa7uHt9y%vt3Riu<(eqTnJPy` z#-I(0JUn#bc}xqUgWMWb*DLJM(cRwVf{T(l?BM;+7h{5g?> z+rg+?H=h2GO#q9Qw%V6$Qh5QPq!e!^pvrS^Ae$hYZtF1jeGq5%=h@;m>Cwp31HD7d zJ&Tqb`*cb;NU@Fma?w;p>Z@4!!vkmj)wIj>(vua~9VOW+m%;G*t)!w(Gb>@|ONEYQ zuHyI`%6v;jt91vDM|_ZQkMYcG!FOLcwR{g76;TJlKGzRt2im7fX=cf7Fln+px0q_?&XAi7k#ZC`> zO8hanLtB)^e`{jLQWc5$uEbsynNjqFT+nfX*F>e}j9Gv-|}c12SBT{p%x z7t<{Ds4zXEdxZ>KbsX|yY@y9^{XPh0#TQ>|IGk*hD}!WVD_YpD{mpe6H5?-|cD9d| zk#vVbLsVW}`FA(lxa*7~LPmZ1@c=LAqI;bg=J^kkEmKZQ->~FvV~!3o@yD{OItxep zly}ydRUI=;%Z2A+$XKNJt59%~s$BDXp4SF%N)Thlk(CrRB5Q?qi{j1D zE-K-#ZQcrrf$thlW}MHvTfl_bcXo3ruxcys&UhO?+P?7=|VUQk5a0)VWqhd*z^Iu z+)fk=B<`w44u>)E;BMB_z!}J--)|B6!+%F{PN&-zU$ocYbP$0MWfCm~@50O6gg-hp zqL^4^7e^(p=+zUFntc*>x^M#(j^&NNw*lM30k$eK0nS;y~`fmuja6#kSoy@5ip8xP16RQSm;P zvD=&Q5iSjw#vi1S2d0AM63fijfzABM!1xERhb#X@$Kba-sl^oyN(A136)5XhhtII< zO54oTR4zv9^woTYuF}}$TN>gt;&L-2)Z9Q+G9hWdjjmvonp{Z|mUA)!Bz!h1BJ;^X z+CjP)oVS#Nuzq961EYh9oSat94#E)VT5k?Bj`%qQE;r~8?=9XBF+D@QoY%?IxR{9) zK{ctxxq;H9lAO#m4qQ-QjYgAoJ~0?}f0Q}90>4R!LcgvX9ULU0&Y+#cj7+6}vAK(P ziid+f30m+VKAbOC&xM*uFV2^hO^W~EG5g8NIDq|Q8-8n@<>SKj;WoJFD2Rr@pwDpg zo$qXoM78X{WHQye76N@Pw0X-IRTvA!gt#2)ecRinCPlC{1v@Qoe-HM92G21y{>CUeg{pEuVpHOy-$2XG$1 zs!#QY*cOOE^Qgmk5KE9eHc(|@e%zn&>guYK9X^^QnW8^>?|Ll=`c^QQWK&T=E^!n5 zgUW6w%-K`ado^6vlUAMlI-!T`b!7CD6n~bxojRpR`h|Kz2=!;tExhz?DwrA=Ms$EyqSHYoOuz_DfqD z&BDaQte9jfzeEC<>6yuL5+e87>Ymsg$wz6XfRG-)G^IG>@ zoz6R=lAZHh95=svnYDcTt}bKgS(1b&P9NEs`*fa57U`3-nEZC>e&I9)y^W={Glip) z*&g^PHavv%La^no#a$Z5k9x3HN`4xDvYW3FX*tx7&&j%=gJWkjr;ev=Gf0GNt4aGE zisBu#SYtURPEf<`f7ycdRB5vaGIuiYC1@BkSajBcOvi{kkVLHo98h3jEW+aa@$0u<&j`O=x;2x7V|8`#4hLppuuzf z#ZMWZgLSBz_O9dAy1<_fFr|>imZ0f47!sZvL-4a7CX3=kJsgVO(UZG-kYQkE;lLT? z4ivPyr=D)VY0nyRXO+SMsE$JeQ`L4hcC*arU)$9!D~bd_1& zhZ0xY)*@cNuJ@GP<*iS1I0ZI;N|`#H$y14M-7b#%a*0cA#6?KRj25$+R*|*(@OA&* z%9*BC?t80%e?BK|IY+*4=d~8Q*ZXTkX4>(ixeqkZmfr*xZz9oj3W3~ElGqEsU3c)0 zcuuKJ_d1A3!Z2@}>Pss7C)p+uF>}}3ZemUIsMf}bM^Zu4N|+@QT}PqJNTL+DnE`?L*9U~U5aCl`z|7{@X~(tGi$Nm8G0w*k|~EK4zjkd1zk%K{fTu&4H}Ga zn|Zu)y(zIySJze(a66&JK}tCh_AoRLx+N1){6${zlWp@$FxRLto>{4*ZAo*wAFz=M zPE9OkOFg3SL*@Tlb4dL3d-g28Kk#a-N3?07krje*oWdqPZR!}21?v9$rB!NU(KBYV z#;_Yf@ZC6F`V6b3UC)KYr0mmf*cf40fWa0=F>5g~+Wq{qTbcdjPliN%a9H2_>KIjO zqcHcvv;8(&90emJ=z9$>ukku6qUK#KP&*H2el=weoL%|9ex|B zZMv!7{cW%CyqF|Vw+d+`>otX;B)fb|3oZm$a=-;gVq$I5_ zy%Zp0&mlF_O@I3K$cCq01AS}mJacyjFa zi&39#fX~z{$CCZ0g+*YU`1}J&YWruxw%mn@E&{tkEgI(ZM4Pa^OF5s{u%~MuvGs2-M(7QcK;9zrW6xhW2YIt>| z16fzy2#xC2(0TMCpNzY!p-^X=e-va%UK~BxOld9L3`Tz#IE}2?iBn1S{Ls0T3T9mMI3K*X^Z7j;vx6;oxDho#g2x-)VXjR{6CJ) zI;_dQ4Z|t|BBg+I!{|-{X#_?~H!t0dba%(-uF>7n64E&u3F!tIoqiABpB!-PSg}37 z`#!Jp`s1({Nad!Dw&d*rRa_$^QeOL!9l@oK)%52}0<%u@iV!uw5!&AVqnUD>4I8yg zs_$l~2(Xh9K#8{qvmE^A3^llpLzjh6O=r$zPjb+V|KMW=*!2nI5v5eivBLb_Q|U_@ zViBw?&9*0CvO`R~`8sN{q}COVYgBGr;EUCSE&J_4=4a+>vvcL>e8xY~oD(YtyA$M7 z2S2+N)|^acAMX)f7G`5#`!{>R+~3{^yzIErMr#R6y4~zr9h;K#lb z1kkr|h@Q-&_IRT8+0!_pW9DTv#^~by(AyvqyI3XQwXj2$o06cAtMKp~zAWzTFEO$7 z#a4lXKvl}hu)Q$3B5EY~ITqacB95t!H8nH9eX}+F;H6FsSEk?tjn`^to}tkhP%XN^ z`KEEQ&Jc`&BjdW{quh4C4&Irsk^Qw>Q@YXSGEOF|aEAbaXjl5iSP{PW-ujuNIf49_ z@Or4A%GermlI4ZlNb5{VJWJ};+H-6 z?%t1a>5~BUbU)vshb~fEEV%bJ+$7bG$Ig%LSH*KO)U1ZhFq+3RD1u8+P!G7{FHKWU z4Nh15v;tBPWe7Dd>q{qbjmNZcsJlexJ%l2Y+_|fav*d z^Zmh!xM&|Otge;CWB-ZOqj_Anf`^B#nFBEm(sS)gdri=hDLA1Km zU}zB--?Nhw0tWI@yt6Ynv`Ox|z4lh&=Yv8lFM4Zcot7a$;r%jehE1d zDkadGZpE#lj>osVO*4%IngZ69ogqy+Z6;-3&Tp~*Z}@+_yC|wF`^GOI0HQdzn)Gjk zkLBDKl|b3Lm2%Ow8UK#9^dEDt{h(?^c(8u*T&-=mneT@X&rQbI+Ot?c_~Pix*`K{!c|TTg%(_WpK^mYA2Q^^3 zUn~dqzwM7%s5A#c1?2Jm)xYInh?#Gb5A{4Utvy16^==E3P}96!XSw=*<#fEyUS?me z5$L`vH96#U)=7Ipaso-oDK`IbeSJ9s`6UYlS{9mSf%XLkl#fEf!Um_mopYIVn&tTU z1(N*hO1#gy9_*HW4Bv8F*jmovy|Wz1b~0W3vnF^m@-o98N}#HDpEjEFf1$sOb1e#A zbps*t`itsp*!(gL5JpJ}?0xehKDJr;@r|Q_L#->HU#re2M0LCZ=3=*6uXduHp`$A4 zs@|NF@Wc24gPxux0bcI}mgV#y#*hCMg~#aO=H@2rq+HLW-6+j4!q^yld39~M=61Hm zOvGaoKPysR9F+QQA^zW~m#eJD*VgTwJ+Quhj*E-SK5E!y`~)H@uC$wC3!#JH3X*1|W2ABXO+=mwG4DP9G^P1@FEeoP93cz{chTRXhrz zn5cu@R-;0hSP34ezY`H1K+dN{fl;CLDFSSvZF0pe(>m$sfLGF_Fy;#LS{6v*jOFqg ztO@_^a&dK&@ziefKAw&n29R55ewV1wQ<gE#)*$1$-l{`-+BFfnnuAG7o!_;S5( z%B}lhRSSy7=)#P{;)VgC&`u&yvRl5VHVQ;1lcXoJ1gZ4&^fvIC zgZjorI;gESK;Lu}n@$dsU-KsXcVZ58BASj4DK=4)HXCLkI6X=UsKy>J+_v(j@y*sW zMACl3B;s{89Q*HvPrOnd@~u(yjn#XF3)s`PeLvd%Wzaz#FK4$V#wf0EP&JSd78mI^G>9OTfSqvbusVrr?VFSK9@J}QHzhWn=M4By9T+Yrq&-6j* zfEo*gmkCr#Okd+;>S=Z=b^UuftJs~Cm=C=o+8(COnf;6A^QvM=M>%A1%8tzU)^MrW zC-a(`+&mN&e@oEsv_rScTMOOs6V9i7=qJH=@i5E-rE%cj{X5p^Zk)k8#oYG0uuvf^ z?Y=1WE?~2Hw+|GeRQ+y|ku(cko~+5KS$)2_?xqDY&$CXSeGVI~GFtCi>pe!zPA2@e zsmP`cQS~W-g9X3u@gE0T%5oaQ7*%uJXv#|BvItG3b=Xli08xUvsA&PcQ*muin4Q4j{v*3Gs23REct4Fp+4rWSeA`b&d*Lx=1$$f-y*Eq@K_C!E~8zNk(WM_{kJc+#dXtF6s$LO{=20UeNce7g;#Gp=F+!}e(1U|(XQHO8vcsFWgUB*EQ7`b zeYj9fzssU=l`(baRL{-&N6~2NNCAk3S<=}S$Od8xKPt_v&rU&?S+VV*J@cHv-sV#y z=V2G#td90Jo}f7_-;1l@02|>Ng0>Q&`3PLCs_RF`n%=w4`WV+`g!Qly;wrU#%_ai}K zmSq8o-KQ(OV6tXW&gVf*(hTf|IVO4|bXsjH*E!Vkty z{k^&FENM9TfUdXrQrPgcBb)l&DB@CNe(aW)m-`6qzPjCYcz3)9oMq7Qh?<=?JTeAD zf%YVbzE{wAKU-Oza3AV9_eEo&QoVqY9{pqOL5{f72Qtn_Aj&$mSLbnL20C|J^OOQV zPB3q-W7@I~}3B#WVpZ^Zk?v?>fCooKFbd5EgSI($M?5tiBZCYV^`_8A7$3G9kQ>nV+hlG0dFHPs?5E}hbrW>PD!}H!> zgk-KiczJjaSs2Y$(`S4CnG0WNSz1{^SpT)KGFldbIA4G5{BI?d;&p|Vz~>bv-AT8- zjaPZL(~qIxq$T4sw>?Yh6bXvZbnsLxw<-Ki~6dXgQ&!5D%!NqjIQR^sLDze~QtyOdFQZ@~l z)=uvcc7&*5A<;xJ^g&Z^!)dd~E@&2RZ&9xl$c-CS-jTwkwpKc=TOP00ADcR^cddIG z(`95o%Qv)2^?@*u!!iNy2VJN9A*UeQA@6rm7N}YX-ftb|sDa*2w`@AXe)O{m#y}Qh zs#Ok-MV5fdWJ&8|&gE^dP>`Is?1;J+Q%ImH`CxP)H$<%s+;+GQxpwxWM>s)-cKdXr zG)z8rkv-aS-c+4|6}K3R8Oh>j0sOVx3mh5~`aXb?6W3;~bHHA4N&W}Vs+0BJO@*r_ zQ4pD|mA>3xbN63Za+*lkq7PXyp`ZoSEro1!B)=YVYPc^YMFGNx?LW=T=|L7ru_CB(4pylwjvK|hb#`_ND; zuGzIvjqeevp66zke9z`E^LIQH6d@@!(-Ys>(0ZUalOFCCnhTu;B$AZ3?uMrDp+U)k z7tm0HJ})15*Rq6bU>Dhnq%{kiElBh+yvm^oIvE+qk9MWoqT)B>n{}SBfT}_4+fKfY z3en%GDN4&|gXv<5zwvZaG$H?saanlIuKpC_B87esi`FzUB+@{QR8QUR9RPL;r} zuGqkXIqb)o);>V7zB386kaubBI2Af@Zk-SOTC`AcPOQeXJ+hd=TT?|z8o>e6Y~>w~ z5E2r+x61j(Hsc{BWa;9Nh5`&v2t~EMMh7_GhtKvW0!5?;Ap$OCFo%EPZ=F(PJbP%i zDE=G!K{3h$oY2kQ-K524&!7GiEc5zjAbU~A3Y;!DIhGA*#aH)=uKEqYzn8j`o@4t4 z&KwEYC5Xl*x0z&w2&AAJ?6`b0=<&Ce>0k@uM~}@wHjfIU{Sdh(Yug>o)}O2@VJ?(7 z9-jqw?Thm)-$%3@I0KvEj;n#u#Cd%kG~N`tO4{SfR*!cB$v8s^mn+{nU<*vPv|V;> z*PXz}H39K4i=W^0>e(Jp* ziN*4 zhkp02_x>UjG2z&MVdCCUWBvs)nD&FR0b@o=<)`$Ybna=DA9Vt=+0!oB5hequEbm55 zYA+gH<~k|FeX1lmS6PP3ie-gUn9@OBMcx;FsgcYEsUyq=$sRi0lo!p9c=Vd^I8c1M z$PY1jNvgYY=##~x2x3gqHx3dI20oMZ# z(niLCD^*TzOK6sj){;{L60-3u<@jxl>vACo5KY#8_CapK~-Q4Oq8eL6sZ&x&7zYdf-9JomGZ41<6HM+Qew(Xhi zjnw}dRn@r~uzqsy)AFhwW}SRv{B-VJDSU+u8O)!vww|}*^V<3RdF7p4)frD8oBZU5 zrh_+TNwP-DftO7kpeH>%muA5wuKA>BtgWc?wzpszw$*-#w%lPW$bM+X06WGs`gcMy zs?ghLGAh=6T2N_S#*Ij$#%uKGr5!a!jf2z7pfHS)9!!kGH|{C-B3Sr(T_(>qg+=*q z8aakiB+Jnkxg6dl?8tQZlj9#5G<`1g*$`&G98^t1k2{u*S%pwK#Sfo_d(ba_4p-db z3H=M5gP{8^?HOnolms0>k(Dt9Eqkr*|60S#EHQQ{l(m_Lcx6-KEe&usZUyV{S&&Rzc%bez{pFzp9}w* z*+nGcWu>MwXcc(@3#X=OF@vOl>WgCQZV`^Cg%Oblc4t3HEEO2~aPg3XK{ncrK38|D z{6hEIVv&rKWEYw%adN=CxRw2QID3#@NnoPvRv(S%LYMFm@16PHM|2k;g4Pz7P4M~M zEBR0-dM2h>>=@0l*Z{QYzwh6_ZzLu_-cF+0{uT<9qw!O}s@relP+432hy*i(g*fx4 z#~TI+pQE8Ss9iD8zXBnux&T;xl}=Q`{*L>>85ItIcf{1z&hh1r$li-H0@@~!> zdmwJNe2Bi$<`3wnY98t~eaZXwXxIDd=xc-d$>7DSye!c2f~)Qu%cX%cv4f6F6-$8& zLE{?*i&Z+`>(T!v9Sc#=C8(7|x~8K)r=`LFtNT3aj1-EL^zJiil34IxTs2l$uf4T( zB5YGxa5@~$$V@+HYnZkFcD_ch=3$y33fj{!gKYE%n`$V)Uu(b1qK6WM+{>!_L#aj7 z^}A~s+6YXDO*-(`(Jh6qtK5r$ATH6^9BZ;UXVmtDDPr3vYdRfJB*Q^j0T{aLRz7X@d+3hp5qXd==-$PQ{QYBv7D%V)#;d_yw zb84T;s&tHg%Z?qkL-D6qo+YqLj9&%MW?K zK}mjjLx*rgTH@)dBVN04iko->ySW{u#DKtjBA-7~uR#I>5`0+*G3etc1+wxAFGM%k z)~AX|r(P~13eb{>$Np+}cn;j&+m;<4Aq4S;`!gpJ3%#)vkpZeMVTq~NWGk#dN%<`D zuq-N^&*?JUD#6-neqWSg4G(uR6u?;Ctr}ggO;)6pB+?vPn)7`$(dMgBzS+a3^$37c zxJzR&r{KLckF59m_gHjMf0pM#aCKwtNnsg|8EB#?@F@ll3H1VuN_h7+*p81c*GXhX zd_E;cNA+Ucg|-Vrr0td~^68dz=Vxo>2i}8#&jkDdm8s0=DU8U{4YuF^`CechAI#uk z`cjN@?oIBqTAG~+Nkq7g(5l^gJ(&K2eBwvz^LS0{Er#IGf8Zb(uI@)!VS@CwcGt|m zIW0b(;lP84nx0w8Gc&IAz*>MxFeVJzo!nG-0b(v0xJARCJT7J*=8X|x_6x#cx=n+o zu9(_!euR$D=zRT7jAJYv%a+))o6H?s({)~+_1Q-(g+-6S&9p@c@qH+&9dbFlxKQouk74;txC8X+eqR@oD5eFa z3vW{dHNs(^z3wYd^M&1>vzBL^{bwo26|^a97Ps)QigZYQr!&Zo@dFo|Z8Pcj-mabm z3$!QSN}wz=Jx?(ugh;;I$fvL8NybBdcvQ?0D%-1dIxSukgu4;Xh2S+Pa$WB&~``c$KvtH z3yGChE~g0WW#-_YqL(LoMlSO?Gmtsy@-rOkhU^v^aGYaScq!LY$Xq+k@Q-(I&x#GF z-{idoCR^PVqM;9jF>>NUGZt)I99%qY?Zgb;yDJ1F7sj~hkK$RD0bIkO$0}h!r!UsIEesP-R z+TGE3Vasz~?{HLz1ks$hBtJj*Y2jeph}Ri%H{w?SrJHUfRK8NIj79@6rng>?B0rm> z-q7hhaXP+wmpzAoU)}e;C)^}D89^(YRe)CKgxoz;oKCpWa40^p@N-#Yx|2SG#$mOE zJ{=~SW$ji^664@|4qg9iO!`1TwR+NA*vcWfKC@8RN4*`w(QmOVN2tm7YPi_E*ji}# z-`JdC*ixh>>sl$b6=UWnw!-Aea7jo>!6+VtXrcqVyAKcX?_NA{J1qS5pr0TX>3 zuyyA2uL4aK_E;tvZ->cJyXM`X=R%o>f!J&DVHX)q7(Fdq0WTf1=UgiaGuAsVCe=qLhMt1xWw+}=kyN(?X!tH^pq-J7mJ9=V#h%C4hH zOb`>!oyhfb1mDWz5y_`-yq3odi%9F9-uO1hPk{R>p3`_BUYHf<=PjsT@+mN$0GA@W z1LvhmB@K-;W7|AqK^h*|o)Z&DU zRD);jKmzHIH;9tr+!8{BS*;jtMDBwa+$)zKn3Dc@%D1Z`7Z^v30chw>9~GGu!a_Bd zgwZCYpNrH9YEWoo52;cyaX^@#wDg71wm9AGR*^*3ys)JRDfSl&KuLU{S?qyfp*>V@ zYULM!@YlwD(ZVktJ%fAwOJL)=`vdxk*-?Zn4Z|jgcrwyqMJEuYWblznpC*tTG@wq9 zLmtyisnxwbI*%u-o*~sJQK-g&?NLV z?FmU9S6?N4dL}YXyP?K|?+&$Thp(wSrl?3l+#Y5bW-uf}wM|MN8l&UVPA$?z0xWq# zrv^fok^iH0JQvuK@)_a=l*uI*jWb+})& z&#(wu{0HM~3n>}pfmjDF-$w@aG+~f9)ga-@!99$*`E5DJcrJ+LIH`ZUGlt0H17^h= zp32{O*7{lqo`+*|eOchdQ0@crs$g*dj)@jr;1R@OUr4Rih1pZEKU5vO`v|$`^}7wq z0#_8L?tSIU_)JfvPFShgCf4L3v@kXmkV58&|3_nV=y7@L+#%>ypQ-sVTYngd>Dx*) zW<2MZeBB|UbK^4rJn1hNo)rQ>o{9)%!zbF`oJYg?W1Phi401+b2UW_()1gSIwHQP_ zahj+COJQEZ>kWBYmbRajbgx{dDVW(-UA!1!E+!&YE(;zuF5^|j0IE^JmYsN_71I0o z`aQC3U~0#_kzHlo4+3gOX1T0yC^(uoIte_}C^&QVcFId1CSA4yOK-2SjFY1S;5Ie1 zt31pz$)c_73Zt5Ja||TJr(EuQSPp*j^4DH(7Jk1nM?Hmd_(SnS|14zapts#Z`{qDl zOK%S0!6_kMq3>g}sbB(85+@CfyRJV^l5hbcj$JFeQxf|ZC4}bv2b}S7AQEj@O=(6p z`Tw}K_y={yE2|Qj0?oxbhNFFuqSp!fK9H+s!}}0{+8JIN;VHGBelri4Jss3Q?a z6>fjIb1SoUyndl(cHea9TJTLdQPY&u9D-D$0YW3FPwh=pIA7g%$cs-Lz&z5hBHB(n zUQmt?&4Z+g5>--vxV{0uXvGkw)fX>l?vAS?eYq{-z}iO(NAw6uN(G{y3FW{I=?10V zbZlGJtoB1*ZkPHmoHW=f=2w#ROR(Fpx~C>W+n61Mb@d*IuR5fm{ei{{yG!b#?UIj zN8tXf(N&0$u#aQ^7JEXJQ0FN0`wORp%xg!kJnokJ9Z|yDeur5X{3D%gN#wAl_rhmO zIc?k@!AVFFbvaCSdg39Vfj~(JHK=MfO(u~D;%7V~K}x~YMLT}BKU5kWgXK2VCy(^j zDksncY8u@A{RDZvhm3%m6?ba^cvNPFchecx(zA+LEjXcEgK9*?>=7h9-9ZqXq10Yb zH`Oo3e=*cWIQZ>EB?%0o>6NKCsYB(-6(--utzPn=fRkF*$*JB~;K}R_TtOC`=ylp9 zCG?O!IZ|IVI;%fZhSzg+d~5@3PiMJ8SAi$p?5%Gs@XS~SPZMsAQ)>)4uUKfJK#UqE zoWSE+6vLLEB=6)B8?%xj>a_!OMX$evis=eZZNnfl+vjn@EPj{v&(gjZyuK>FPYb?! zq(A<>9v&N0Jy9L6omP$swHl2uIIU~3OIb+Z`|_m{X`Bbk#=St#euWc(B^SHzsIv71fHzJ! zeN4m}lLdl;bn@)+4y5G|r*hZxzZ8$(&vI})Zv`xDPIUWNe8qv$7`qlpeJgUc6c+vR z{_{SvXQk)eOh2lc&hw1RYrx`b1Tir;lNI$1Fex@KFSbC5d+2=>qi3Q^svKiF3Eav_ zi>G@@FQ)0x4M#|3UZJDYm)X-^0Vs=C7!Y z+IU>O+m$TcCFdJbtrpkpmChr(;gO;D?bsSJP9tiq^c^l^-Rx8Xeb5CcH!q{cOgM=z zD*QdQFs*Qwubeiy{Dpdw0X3f%-yxY-rWqX1wiI|K22t6guR#qo;1qks0=Yz(k7E4W#iZQ^)nE>--r|tcZT1uTF3fV$Mh6J8;OiW2( zq@L13&x?a|ihwP@v9WOo{%Le)crZ8V;bx6>G=({FG?g{8#j@bI)82lOb+Q5ozXOJJ zZap%e+roP1J%w~20|Ue!Wo3*ay-m)fwiBet5&(;?jEYJk7Y}baaZV=yo?+mCJijfc zY>JS7h#wh|p{J)uX%;oFEMV0jXA5`|fxXkP^AFLCjkaE;N)9z$FTi1MGNDCq(&n6zF) z`V3njp@orC3Up^74T+DbiuPYB7x8Ti%<1r7;&bzjY3aYn1F`E2F8nhUaA<7$zP54jqd;M zhY>#C?d59JZ=w%5E1@?-rPZr->4DHcY-x@j2w}V==;uT<0P{k-+gZw<-*d;~j=@ur z_nv)sp+tBw>YXnDOu&A0-E^J}0}Xms>8q=&PWQ)_bMAZNnY2LfeM?d*AhyUA^itRN zKL6_R)U;4kQ6W3RI0|B>lD~LdwyqhzyV&cq1jgo7dA?pppBFxYXFV^G)7bGhWu&E3 zDkH<7-hJJPmw_>`nai9@?ry5BLcQX4QZ{t1xkmu!*hFSU7+{JSnIN|!Chv|PX#e-O z`f)h-F~a+N-S68V6(yPtm7 zUz}zyqlbp?s*NRfdR>nQ0(twjQ+-hO$3)V$&WNoD8F#={;IsjmhA(SF^UFl9Pu6L( zSF`y~!>@-}S3RT`isMc%mou8$oL$(oBd^Cosvm-Z?oqrIH8Td9%XC%HSs zAz~L|tpIs@E4P!XljSGr!IKf>! zJ{iMq14<(XV|!k4sSZ>e*optB>9~&ccGyR_JCF0LTs_efa2p1M!IxK8U`ueB0uOsx zfB#3|iabg-62wQZMO%YkXlrMia)a5yy8e9KvhyO=_de+M24B4N)87sJdk+0_F=OsR zj1MzmYHF|0pT6x1xe2NwBQafs@cKPk3N69j~HNeeB;wgxoJ1F983q8*8WEYji8>QV1=ifh6^*~I*6=TK?% zgYp&Y8RK=94-$@!btZfGVqB{y`S}zcK#c^ny+nt{p39PLRg1=1A&0*#xZd~4bE(!a zh)KUubM%aC?FrfAtn;Q(AS)+;;|0>KI>oxkk9J*PwJGa z<28^(TE!7XKe&qJk8#{fj^cP^OI3glojdjk80n9lrs zQGNFfL_W7uUH24sjt?x%obrQzrg|wMrB>16kd$_9h8AC~0m*@#5wCv|p`NU11NdyD zTpmV?QdnryyR7$8%C(Cwcbto@iA+=od(aD56wLLS2x~}}4pad|v*9DjE^0j43;kl* zJ7feMOyg4BR*%n35!lSU(x(eQB~nvzXwogy2Nac1$p}f63n-fQZ=fSEo=4jT)C zIKr}CsQ>KQpLhthA)QI1$N&w>D4Kva{m&YZ?ND;{7ibJg!^03r&dRFXwJ*JBuT?Wp z%(&RSw#26DOAg2~pK)?qL%}R|1jMAh`{z&I{Wu`CcU*Z6@ReuHe5)xSqn!|B5X!{? z_eFdK2&NE1W?brO*M5A&v=rm;mA<)5Ms(xWvo zDdpbh$`{32E}a;#%{!`WRZI>z9fi3bGIC7a<)a8Qi3{#QOEydo%Dlix{1~zZN1^~1 zz8a6PRc;J(IvxeSnwt{@topSAyKwtuJ^rIZMO)DKI>H@ZBRr-G>6wVLHo+Hb_+`3t z+qc9veO#rZSv<&+(b;J>#tT_BF%8Im`3ycfm{2);t?O=W{t8WNMokf%OA90cl-{R2 zs(|H&+2@(S@SU*_24Y5$(U%5E^Voh?ZM*;UkpwWUw~C%(G2Mpt|0}erYgNl-*ZXI{ ze(eLBxka_)hl36*eFxtWa5-&`Iw_qtz1{6@3Ey6z%;+Rb49R`}_)In2m{Fs8~kB`Eo<8_298Y}2Y3YGL>S zVbv}B%3)=HlNSfGYlV6pLQ9?z!D!UdR;Mz?cx)(`cjtYgN|52U*HGg0n@{BQu9Z_IRP4{C&zlqHE$f5_RP zkdyN`!o7A$u+fr;L>8b~(!B8OJP1eTrR?Sv3++2WJ^Y*0cEPDkfc7yq?rKD2@FBEZ z64U}Ogh13kMlx!9vlXV|P_(n7KsEL^sQZGR0LrL7I_?_ZUh?5G{=|e_;ax)qR9C%5 zm)TmQO0Dm^hh^)%;pPAq^>e3bZxc^Oog;~OqpQBAusTu&<)RXcHzLbpK* z-Vgb|L<|BoBm>J@US22Naog*VoQ1Xf2G^ff3;F{8?bLn@;C!2QXD%1XftZBInfrms zkX|a;xam7~=jl|rekry|5+0ngXP{<7EZoF=#wDgR;&<1Vi1pj|59eX$p%=@B?(F-h zd;@5;eJ4@FIN-ycBxx6#MrDb5)za>#v`cO>$k^r_M5}S`2X%U+)K;Y0om>ddGZvOI zsKF%_x~B$K?9<^`bd)g-TNZs}d)E40c0}%W{EnrKm42>B=9qYHz?kq8`nvwbs37P3 z%HGc2aC6mf7f}Ip6t}!*@f$1iXHiNf^ZJ`*O>vGp^oPMUs!>#;0m%DjO`aVfd?yC& zZ<6o6BJ0Au0}*q8$-05`d%e{igO+NOblhcMcg!TK_!h4rmn|t=sTIj))1OU?Ml8Mj zpOX7#1BcY0I9yKOflB_)Mf6Vxs&ci*E>9YTI8gY}c55jj3*$Q~Q`x?~o=aqL<;~N-C1W$sthlt}Qy|dU#*D zg}OLN+Th_E!GU>7j*R63v;gIN)UWx?*2FS+hFfkdwXrf}z)F>W;$IBfjUI>Vxplrj z7gbAPgSZ>=^pqCM<+XtQ(MOk0pFZ&m3|3R8AUP^y2?T3e4-?8VH)MU$>TsybagyMx ztJMR;9;f5!w#q%!JTd5G%Pz_HrvI>%0y+VppoFIASJ85nsUAI0h+b--ssuGLN~K=H zBRtq4yeSYfj*LvYOwNiic!xTUE@rMrCtEvpsTmwcqGvo`aJY8YD<*Gl=UPqb5%y)f zR>$)9u5G>JiR9HFgnmAyel()-U|u=#23Spv8*5pn-;Yj?FVu^MGV7q7i;Z-+3>kQO zdb(4+-bj#7%?)|{Wco>a4Vti{-T!M?W0nyf`Nck6#1)!~-SWBJzsaYwv$O3wwNX7u zeP3I%S1AV?LSlBw^_er7Ysp#rtbI>t9Qi81@GUIbZzzES$}9QCBu+p48ok zVDP983l+i%2mgw7R!peT^DOPQCG6*-CAm*Pj$lSg_q;_tD!2* zziGnbX36W||lc1#*ai0&yMreR3} zo>gkTZlf*;A~kx1zq=UbRH^`cGBh5LfY}B4zPtCe)CPLQ0K?S;5$yE6ndAi@!|~k32?YY zDfz}+u1`IR%R1w5e6{yW#j8mD<}pz}=OZh3cw=?G!f@PxNRB#-0ll?GjhYxK0h-l4 z8kva0EJZAzi8F$UykgJ>&Ldp5>qN||xxr|CYB4XkV=qV0Q_&;d{#`O2N(PODY}aRl zpB?XC6kjv3Xd;3ZXKc1o2KR}Lh+&zbM_QZPpy{%PF|+`!n_%|BWON?FQ_i<)ZQ_wu zzIr3`zTe*CdTZB5x&e$_#IStt7X=QEcsN#gRe7U z?M6DZgI7h+;?jUDR=rjzAsuzhZb|!)96|OMM`g?`NpaICdP6>k^xLKN$2)4BNx^0jA+bp*4e}jVBEMGfq z?}%yr6$=aIgPi^83G$rcqJ6rcq*;fa^!1UI`)E0)cbV9vW{{XxXjIMHw%T+H0&3zm zjTH66p1Fscvjy8~i`?Vwf=3-4Z8g$KRNKb#0vX9rNv>St^M#e!O7!qh=k42%f*J7* z1{7ZUI3M_SL|48TPiP7{J_gS&%pV!frCQ4`rCz>*sV;yL;^6>>J={l_cwXHKSa2rwDc5sR1i%=euNiDQGJ^Y6v%1zFFIQUH6+r!b0;_ zoUvL`sY4`c}=fU$GO27O9sS%>OP)u6w z7e@J@yRSze4A`I&+IAcnY!mSYf9Umi19^)GckObhHi!j?T!@mMi+eb@zRIA|X0~$~ z1xJyrgV01~jJ>B&Glle(w^yec^b+ptO!S^IuxWkAS88fUtLwl7YBleGTZb17Ipcn%q;um?77X zOS08rercgLC~vhsyk51#`0MXK%~23t6Wh{jtRha(`7EYnZT1jIT zpi3x3UA+BPbSf=|_h^B~E>rQ80)0~j3*}=tRyLTbe&32Sr!XNl#K_LDP5U{pt4H@D364IazCh1gp;s2zA;O5?tzn8>Q zBlJ=Ox?n~-G|p0W`(AC2ZIzjyxzl0?zKOokDdIz{-~IQ7ShwXICbH(N6LDZQ)>`9a zj{6i`e61UJQGMCyI_AtY*_xa9Ja7KQ;&M_+ZF~(xA<|v9WH^=1rBIxSu@$fYO2&>7 z09OXbl&c6*d+QlbGB$d=-D6A{bQ{2)Mxk}*$@1_q8^J`B=zx4jQz%mVQi(zi4Bnt; zhCvnZ`SWVTDfg<42?wcGL%k$zTKr(ZpvA0(ic4lXTmHvoXI+8^k|X5r_~szBugi;m>+GR;i~=?GZz3i!@i*F zNMmc|M2{2pl^+=wZhHvrKM{1Yhay?!5r!q8gB{ROAY?<>Z~Xu6kDPm84tz=1^>?5% z8R)_vq+(jN9C+M^Bq9@X#XvX=(J%<2_om-XJ56U)4h*3vMDeMRxbfhvN!}r`r zrt1$6mpLvQ>sGSyJka+&f8YGK5;sXMo&wEuAI1)rYXb|*HidVW)JXL~Bth8XDbd!H ziJqeTN?fVlZ9e-B=VDbt^fb(Lc7PUdBIyLxd1a6zcSKOQMk0C+Q>Y z$psdrPdtfs9m^`mZWFJ83VH&Un9Z1fqA&~vO!0en-0CQ)5cDmSAw1Pv9Ns@nTZl56 z#<(%WOT7xn>;;kGl^MrB^ROs)q(0{`vy!Qk{!t*5W_%vThK^Zk4&_B_M);H1j&5B4 zjNyOJ%7XRvUBf^Y?fZyjmft2n*r`3O4H-L_C8Ax2#Z2u^0@~8OezF?gT`g-7_#2E2 z>3j7p!r{wWe(|q@(F0)q6dL}*y$2T@ei^P1LWq0@_e8wk5nibQ!s$6eK4p+~O=q&{ zjPcf=oJfmRn+$@(|ID&Jy>V&iy!++8r9m)&5l9&)xANDiCwAv+hr>0=e>PuATQ7)J zV`CO()Fg9~Cu^9INBnC&ZT~aHajAi6s>#9OHBn6Xn*W6W0HO97LRK4G+?7;`F=4RO}5w`)i;WKB{78 zHP)no>l;%w0LJgc99H7PXux$8)~h0RMr-cTT$J2sx_Q3;UrXm5Pu2g&aUmmQ6(M_X zZn%|Q_KcE!5wgn8c4d?7z4uHu8TV#Jm&&*#vaTy5>zdcN_?_GL=fC@K#y#(IKKFb+ z@AvEdd~K&sKEg6Mv!~dgs7iMV+ymI1V}8ze`lCL5n#P&=C(kMKfI}2Q;n-PDSwrZS ze0Tdf3hNeXHCUsU|B$yHcKHs5`#a*f6izfNnwU|c(W7A4$yG50Di2)FxvqQD{kZZ{ic+&f~mnuk=kMO`Rc*eXAVfX&J zu}Gy#NuBI2AcZh4j@V!^3!_K>{c)a+H&yTDjA@rP_~*UuMcYRDLtI#ufVuk5Ko*a) zZ%BI`pmpfCh%gR)KY1_lgRC2hdJ8Y8$fVIMey>@wK%mF+9~vX4Dw6_TVB%@^&){99 zC(c7(1W)Avlnq2|hh8>wwk7{<8iz@#C?xfWGyez2$coF-@gMm9pDp~Yr74}tve>hs zYj^?0DzgZ6Kr6Cc(;Jlj6R&z`>-(V87Y-5gp7+N~F$4)79bt!UQ>r!x@z+UATdfZ0 zF)YD=RlSW^|43+Z+OTY`Y@(375c=-BWy#g@oP42)s7=ay$74U+}!H( z9(bt%)Z+e1S$&fKz!%v9-{7aYLWA*VPF3bj?|d{6If`j5dHxe`PF0;`FQ_)!fzl=N zB#hEK59D!+88pu)$YcbhNOaUlf9v8_FKEzI%cQ4#-9R!u!_s#*<+kv14NcA1arYs- z^L*d6DH>t> zPNFC1mrr!lGgH$Cq5K<>deyQaUM!7>>~VqAr|)zbFEe>~KPZ{$hnSlsTtps9!GyRk z7y)u=9_Q3r*&gPK+p^WIDk|scUX`Z9%dDgd!mmQ|(w1x&>!tgX4uvUG(m?k&(0Xol zxzn8n&XHudmroE>`Ug9XVo{U$lADP~t!lH2ZGz zA1wg!PyffrLZXiD;31WCB6?nUk=g{sw1)nL!bUshF%wfwW&}?uD?cC0N69a^ca+Bf zLZo>Sz-ag&gn&M!CZY7VR7BNP?KUueeqL<=bZ;RSV(|HNdNFM`XiYYyFjE{4WKRQ1 z3P1}^S!a#e&suZt(8;$j>}86T0qn-Murg} z6=gS+z-kCFbp3_I-HXVPDBv(U_+YnYDQka_@m(lzZ~03Kvxd%BGJQpXPOyeps+7gkx8Z9Ng8lI|?h&dkat zHGjdIV$^6x(j}JbdZ~$ir7?_M&7wrxqEiYo#C&&Q=B<615PwY)Qc`<>a9_ief?YiQ zxS0Gg_tS6_??_okxoO+0IW9a5-fKvYx36geBwCqVOxpnz;r|qL?Iw42KAZvC3FY>` za%-h&XNsi9Wr}I(8z;V+?=`n42S{d8v_IHb2NE52Om98$ zcy^G~u6?c6U^jqAk{9_)dEsfC@qxziH+=y6SZmb{Y1{oJ29(M?mruxp1=BLpwE*6Q z+(D{CS#`ChG;-_PD<@!ycU#-|tL5+Al%{=9@HORH$DH~6dC$L-f~SL4(8o|rIQ!SI z>lAj|IjuFJ3a7FB_}cjAoXI+6})lOdYge$4~4LE&;tH2%+EH z^15zJAKw)2NlWXd1yz=pBh+`UVp1#|)GLW6h_u4+$mufsG6WG;k)!_eWlbKCJ!t)j zuiFCB3-9G^R5V-0?@`1-yTgFzwMhqer9Ky!6X=_$~kXB^bz|sL;`lgW8z{Yyhxuo&d z8Hr+*sd}qL{F!aqt;1foa4uh=>Nenp5*$- zv*LZ?VU8Rnv1nz{1MX-k2m6S|RiHgJFAX|+H6gAmx z*}15w=rob-@IKZ+9Faz5G2NizwH>BxCasL%;NaQFrR*j3ew|NpzzC}2noM{>Tg3>W z)78`a+2D~Z5YK#%^`8MtI}$aelHG3tbbe;>kK5TM#Ma2*J!K@+QB%(^f?~|)=(T|d z^`;jsbh*sIHTL$WES|siHoJgX3H}vZNLo3W?`s)|f46ZkzF7YILv|a9e?5}{lY9zr z;|g#n8h#OWkl2lOU)vJ=kv#fFL+83A4Web)d_2GK6cy^ZBl(sQ|_G7$|u*{l|Mi^C7<^V}ptE`#LbiW(Z+XU*TU)?K$p6oZYX zi~^zt07q&2y^=40fka8yn^ih4!Ni|>v1yA49}$!q!6#cmvf*&_&bxPUD}ARFonMgW z6`olNRSrpI#+xVsC7;M!w{BIDmtD650I30V3Rpfo3n!qYsVa3$$fR%T4h|PHS9u*W; z9}IN3Aq#QOM(+R*mw^6{o{N>#!e=Rdo7+pM`**L$?)N0eUyr=LkMkNGLG?!;S;Wpz z)(>v*8{8)l%QFm_)XwqBR@zvFU7l?M0x??8H|-F2zmd{J1)=Vv(Gcx|%Q@sf$%ewk zhW-dJwyQ`X4)zX$h!^!Wh^}1yVvA)rO*LrizXq} z>80uk!_A`#ANbScPsYLnR?x2il;_$DkNGsMo+c0mGU{VO7<__?=H&;gLk~;YH%^PZ z{7ukm;cQO;-+?sawCKRcW}!pxnOLWZy!*?XI-e|zRt-EIXMI7mUDMuT(!GKi9;qkp z+9C=^HI;91P8wSU8d;f)7>i7^^;(eF-`k%4YEj(+p-K~5O@um<9hPyAWfQ#7iXEqO z{3@|NKuRzkz{Pa#(X+wUut`HaKLuEhZ)Uz``W*Lc$lqUDMryd2`lhD8seik%1WWN7 zAv?bQw5|iQ>NPTsCkmt(K+CYcW>|1>?hsyhDUp-ZPZd@D+!3rKT*s?+z9~tskv7^N zvBg?P{a*UVe^ zQ{&p`vDOD-=g!PT`Qt2T0lL-L3OO2zSuL-9!KBwv`N6g;|7L3Vz8bQ!AYV36??=G{ zVIcF8iAT{yvqJ?e^DSrHJxbX?y|Kk3v5VoP)Fg`L+Yomo$?JS^VNCHLdMI(TIfnSF z*U{|ML)p=WpFK+J1c#-iWI}oQXt0^4V)w=byK!)e3PXxbyd4j>PeJ=38cSMb$Ic^44QNq2Pmn` z{ZGp?=O2!5sz9Ni0exiQSlbnv{mSIGtcupWI=wCQZT(N@>=3Nmn+mp1Gi2HY4DNl$ z+rQIQ;M#c=DkWY{jq+~x8OW{A4xeg&H|Q~X9(X)tej}G21q#1k{Wfj-)kjD0jieQ~ z%R#qcB5HXWFA*R#SoOn}Wbu~NvXE$UY>zcp*=IuVD$u1Te zn&Im5*f!i}(}2)~S2@t+6Ey$u2#fFvxyp0CYBoKnWHTFsmO7QxJV!BwtFw$<{+Jrn zzt-B?is;&fe~?Y}*_o?G54Dz}Ketr3iG~D0%i<(-?ZlEyHA)*+Fa_~eg zN1EyuF(l8{Wm@#MWZwUNeazk5%*=a;gt*gt!|>vWv84Yf+{5k?RzxWLVBdw(ju~O1 znDDrgda!K#(TwouU4pLUgu?rEBiZZ0#oMKK8eoZ%mmO_?yg&l6vs%ve=w1s>I-wC1 zHTB5(`9h{H3wUGA@E!rsZg$*U7ldDq(AO_IY%e!CPl_BFcvn4gbLfPh8a#VC=1>lG>QzhB7n1n-_`#+sH zVUk2r?^@V8Y}WQqDl?UYD(nr=gJk6R6i+Uxy~&wugB^=Rzl(N8Y^@+tABy)i@y`xe zC`lz8cyg;v#~Lb|PW0Q+P5ZrT(`$jlEh#+2jLe2hySuHZSrA{p;Z?ehM3u#(ksigl z*E9|%{%G$5?n!?;h-=Sbo*VCEELsZd>gpsy4f&Z|UbcT(XbuRgTYaTSgH{V;q$NH> z=m$?YQgDS}`@4~`wjucym+IVUGnCpX3~AFa|ARg`@~Uup4M2%21&fhli2WfQ5!+I2 zI)R)h4^VDRpz7e229s=su6KX7#;XVOt}|V}<;FX3WkLMsarhr87WE=9H^q9%U?J){R zXV(dvw}9wLz33^yI~rTuC~lo;+vXu*KHH%^Tc=MJmqj={SV`3A2heOG$wX=v*bXY;dq=8WJ1&u(i=W`U3eDUUX*46M<22Z$ zq1Ze7*X1A@Q)baA3G`0@9MgsfCT$x)yni9WLiOLj+v!o;P3Ne5ljn4;1)>Lo;U-)7 zacq_Zr$#g-yHR z-{3cpt~d1Jet=H&7A-d4WJKIw5P(B1*e;FMb+owJWJ?r2x+_0ZxwK3+xq zkr|0TUhphqr>~kyagx$m1w>9u5-c?FYg~KWWe+#9s@RiF@JSdOF% zAdlmoMb#j;{zs|%< zF#9#F-|Gtj(o#TBtUJDs20}sCf2r~qu>2b7!=Kda8sx{p0XsGoaAR*+*>HIAFFp~7 z`(v}}JO;a4u<84c@cF0htoLi~;q0RPVdOmTNV^Ht^YD8cql^Xkld9~EcL!4J%@woF z{>`mt$VQ@}J&`}(#?1TIlT!TW)u=3Xs3&HL%*Xa?S0!iw-+c8UPHRt*EtXdDOJ6=Ks!jE~bC;w_qM&tl+B z33N1>@O&GlviTBj)#ziwF#x3aqF@vCMwy8Wi1@CiF)kC}hCC+A`I8{I|`; zO;W#k9Hwg~5ST{6u?iW%BJ}$ADZ1zFc2cve&)}>}`l(ojoQ`}N!QiLTzBjnaFJ9h> z({N2?a=Sy(9Sj@n3slU8W7$sTLkmsdd1QQl%N0(zG5t519`WCUhK%os!d#QL@K25y zADW~djs>UWUmSG-7s9Dil1ym5CjUo)u6U4zwgFT^d+!+P5A9Bk#5+c^V7!#1F88_U zGW|l7c^)*Ltma4>5T5LYPXCBAq4nzzq}^acr?0`=E-z5Ph+36-;SrW8Te3%HK_5E; zvk}2T`)x}eKYk1Xfl4wsQk2ABbf|~v((n~v7ATh%AwaOdy;fN!RIF54&eHIKn6|6$ zqocv^Q`Xnls}8Z)5e%lm41|ct_Z43txDq*9(srV=*lr9BC|}FsY&qo$BV+`a0RYEkG^r?c)=*s|@6ZCMPGWicH9{ zT|>DBxsBDs_?s8lVD}Qm`$?l`fmwVjme!jzW}eiZcf+7EFO@$eeK9KKKv zBLW*w{hqY6Tky&c)V-k6-P?BrZ7#_~U%hyJ=L#MvnuJ&eu+3Sr4MEnYTny|czAS?j zEDQT_i{j`a$09tN)&F4C68*z1OQl136TlrmC*shINe_Iv>Y@Iz)iR*-JW13>5_qX^U4c4J)X=xEb*B#0@ z#(=J(kq)o5!^~oW5AZV^?q(IBSk&FKyVKp);ImLn0(e|exy=(FFIcg|8!q_|(2>Rp zG2l6i>vQN3lH}pJ&7s{8&@a=IzP?AiKY-Q`Z7B4TmgiphB7DaK-v&}{teq6d6Y z6^mv9cA;<9+<(DE9JfKbu-|OMhdkp(#NYZkoUfC?zTkcBO1@$5WE<{80L7Zb+)^;J z0Diq-Svm!g;2<8XMhrtG7zR&R1vBG7BFpK2uxM)VZ6+C32r&5V)w>cHW!_T_iLcDe z&wuoK(e<}}k}uT}LdfYMoPK46Z<+E-$R4Bid-6`|6E{jEzPOsWz` zWCE_Yl*2?fZ!}{U?pF%Qvi&;2#iS)@Oe2*=viH7XyXXhw98rylE7LBF!aEz*ouJpV zbzqpP$OGurIE`)sIHezgS0$>xB@9##c{73NPLz(ua)O8fZ}Hw4rX~x)u1r$$dK#oD7+ZA&g;cd$QGf z-6whH;`nJOxK3lK*AMxq;|oisl}}lFZ9dkw6BBh*!E|E(`$Vb5k9+0|k=y8II+LD3aMCC8jV7?V`2$#&wZam)_`BOjK6^Zm7==>YgjIQ@t{N*0>UT zJcC5i7pSObY%g1Nc&h3ZDzN6OTr1!l2J-4oV78`~`M^2@Cnm)n_xRq+mv5zh^~I9z z-6~>i6pDD0_(z!27t0Q5Xj`sHRxMMI8 z60z%TbKrnRF9dE!e!{_^FdJNhE5vksB{0;yZ2!|fZkiz#aoBejm$u_)e}c+H$PYM? zPqGaU$T!Rl%F!?jka+SQmI)SFkI89ky(@3>ELh3ek-u|~HX(sa&cu(0*jBhhwWN`o zF#c=Ap4!WKk*_1aOjbx=_4D)WzYX@`yedPObL`0oF$lho*XNO0(vP-c*fB;A5zp7p z>cR>rAtBG}*puySGPA7rHv~0V7IqhhTYQq|F82AutroryJVP>*gCD8!SR~Gw6yxk& z3m^KLT^$YL+;qY^u$@GGwv2+ozf4b$86(j9Gal?2E|fkt=TGhg_eRVCh3BQ30h4y- z)IWE$U5)1}qMp#{284H8&tcv&mdOeZxb;Up0oJ}NeUTIs3kz%z{=}@TQzZg3!A(_8 zBn}pY818(?$1G++>`bx^my{{L5%TQwH!l|rDaY5B+_m6nJ~^k}zcuvPV+5-=;+CYz z&ZwfWo$jxzA={5Hld64C5(T1`sFOOv-Jds@j&Ft>GqAjQ%D*W=+dHiKH+)Z32h0WQ z{oWcp2Ydf&c{1cHa!PKGy==HO9rfMI?&>E*c`3<)B3F&Y>JBYVsANW;DCfD@vjXvt z43f(SYgcNV0=@wt+sGRkCn_N_*o8B8-2^J?Fq^u*h4XE0&K&l7O6!XOZZE@#>lUKs z=2wTDXOX{&2Z*e=TII7@UPrIicZVp=%Fd?W&&@S|Mi19o8gzK6T&;LkwM0eWQE?|V zy}!*v$&OgEsxs-$AY;<*JhD|V`M}AJkBdJ#yMjo!6 zSJza+%ZEJ5xu}Y-!iy|v*qDt@gq?KKgQ z`m;pEsC{$ivf+6RybV>q%Dql!=_BzvdEQkHXYcd6vxQAnLr>~FmtrEM6)x~frXtkc zry@n1J~JbS{BakHH1UJ6MRD%_{t3nV0;1cNp!<%U$EBqeSXMc!fw&0PZk)P@`cVIb zRg0?EN9Vc?$i1iOIXMhG2DyNXK@~=s!9cKAC2&sei7$G3GrL#Pp0g7B znm6Y{^le+_SZm*3X?mqc{9GmAI2X8j^zBD?kUJdX1q(nkKliW|04-Gu)iDg2R`5-} ZVmDn@5}d9H!Vv&}nyPv#b&ssW{s%X*Ad&z8 From bd5b22a0bed797a940e968c5ef5aad18f435c465 Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:08:12 -0800 Subject: [PATCH 14/44] Updating MDM section --- .../mdm/images/unifiedenrollment-rs1-39.png | Bin 46188 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/client-management/mdm/images/unifiedenrollment-rs1-39.png diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png deleted file mode 100644 index a1ca65c3f4f503528f2378a3e28965da39ffa164..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 46188 zcmXtgbv)hQF(*8?#}6P#dJ4g!}QeEOy`)3YkInS7+2rvVY>Mp@6Yf1 z2Ojs_*L~e{&g;apj&L;W$DLDPhPxWXBJ5PtNLG&w4U1=cQUH?(q`K|xT8{a>jI)a>q3N;eyODB9~& zod2qD_l~BcrJJXj3lz=B>GtmOXaC*Y#?{=;3|#7hR`;_e78F0ZE7mo0ajDc0N9L~ItXzM5+G9bNHG1hdON-Cj+W z^;Bu}+`XRLJI``$k$wB!H0a|qNKczH#11JFPjhg1$jHhnJ;5VPj#F(pB%w|~Bj2xw z{lOktWj-c6wwD`N#H1LXuf9loleu|z9)aSQAEDoGC>Wri)fU+AK@CI)5Ses)r9^Q( zNRTb{eJ^}IkwiEdYte(cjlG3bKL2uYqXOd-jb$0A8X5Dz#KDA&Cf^M zq*Wcw7~((e-HKsjWHeiD4@pc+RMXP>RA|Gf`V$NP`uPa$OwH?=p;g|%!lTVjHcg@2 zAJ0)6&nAWhECsVI+za0u(9xy!DBpAv$*%0hmF&7r&nY+e%|3?;pQ@K0;F%=OWW}a0 zQX+}0=r}!mu}iXY&Ug^^_)i{e?Cllh<$dh#?k;y9to=NkEtZ|ctgE4;6WW6c*Du(2 zjO^rVw|FA+u0HQ&c2{gldASAEdSQ$mdA=Pvab13cK71%yFO)_;?-O_CSsxstNP3Ix zYTZd#Rc2ZD^A1wsCF-wleBNZS$<>^q@zkWjSH#GuWL$PaW^euGCO{=ybSNC3{>h_{ zHX|ZB*d$UsVq)3RqPGJg zRp>QpNX$4#@pwfMdQLM%B$CB;UH|vM%0)ZhXQr^a93@|~p*i1L(xNz(Wu2O8T)gQc z8NO=eTUoIE916$gUZyi@;BknCZ>(?JM&zQ6B9V$lMr7ZFbXe zN#5#lb=8DMru&stgs1y$&Y|}?@bXPHA`vmC4HjGb7QXX6zHH&g^@Qqt_TlV&RatKC z1qx!5n{fZ<4Ye;4R-F%(Vq~RIvCI(?{E)S?eH2943wHpnfnYB9Je>8bG8KwZP1sFeau%x<@l4%9UMczY7k!Ch$ipl- z0etT^sOGSj$x664eOdENVdR45{_Tg9M`U6F8TTJ!n-a^6U&%|?z~S+}d(Fw9YHmic z+5}|H3U+$DM&5jm^mXX#g^`JU3cW{aMYffsk#0>>%I_Ama4HN2oZ#iGbv@OrR>C&b zBJ_O034cQ}?FAg7L(h)JM#9hIMTAm!D?2Y2l;``#=^AhGCW>sW;3xTld*KMN`C}Cw zT|XphLaN8x4jDtHNf1IU8{@R}Gbn$xEc|hkF+1O!)BU8Rq`U__&OcuKn@vNx1bre7g~r_TmAyJ^9PUzIwA$KQH+Og1 zD3ch30vCz@|c z`2rgd1x(bF(frSuIgCi>E_m=Ktl-}@3*=A4>-|4ZB;j}Q3~@R{YW;XVrnQMTL3ep+ z_+__6@fc73q&3|S-zG2p(oV3#M0nGUs>LWGcWK{?frTYMH#fMwU4lS5d{g(=Mbs7y zs?QM7zBO4!LQHJx<>jR{lP6VEQr# zI}?TlRjx#})1)-?QJX%T;hPi3Qt`D9sYL!REExOv`fhG*y&Fna`AG`~)zXf> zwny^1t`8T0j%{me)2ruve(ck%rK^jN`KZdCR9gLAOHgt4PdLlT-r`7EWs3p>fx_&l zmQwOVzRBYT_xl#?sUeY44>-@gqw$ z+tJ78AKR9SW#rG95prWPAh7bb+6`<>4ihIJzH`^B=jG>sxl zsElUDw(pn7TG8j(@2~G7h~kEe{&rVpl;0@zXiSP3Na+4c4wSuW!#X2!(UcC)-V?NwjEpRASXw<%U1IC-JU+4* z#a~sTpiUd}78lOK&A}mVWo4zKW6|VeWy@*N;Z+`zs;0`sOnK87j<6Bl=?~pc6nQ@2 z51;5+Pv3CljPohNsDl>4d#k_EPu^}GKn)h9D)iyx>Q}d+W}{Hid5@c8S@@h(37bNx$B%EWR1Tp^^YxvG0vGom zwYVBdB7{ago#qaW&6`(teOuvmdZ^oBDFkd(3nL}{0xr@T{wt~6n9pXSK=En_zH?1m zeN?pKsglgT-vR;s$q|*Gw#q+D{5%?q<^1|aJvuhFWSt+o&D3eo;=+#NU_Za_XbI|~ zQPeM{Z?vz)j==}bDBC@i8c>=Zmf{@JQYl>Ijtlp=p08oNxplLlt8VEu*Q8xTxhF$? zhi85WbsJ1seEEA5+4?wF z1IlFlz9g&Y>@bQCeFe$UPcN97@B5^%KNdDz^g8Qc<&eHnzZ>P4CYPqQ$&D2tzO_jn zZnH8FNv?R}GBlN|G_|W_F>xKsE;e5)cRU(K6EW1$HbON;Y&% zg80u-eLlS7A_Mr>M%=5aw&5~js$Iy=osU9U4k)iKORf>_mifN&pM3`;J=_cF0!Bi4 z+4z}zo8%34jpHTb4K~wWTO%h~D!L06`rrE+`X(kPQhQyK|5hXY9E?01J}(sEa|(0S z-^(rDC*krRhPjD#dIeC{-SG1T)VSTetrN4PTSR(YhnA#R>z9-tZCI?F&116;yd>P> zXu$jpX93F{neJpSt3{fn-QG9rH0z~D+S=v=Yq{A$>h7hbFVl7KM99C1UFgT>>ow+P z=V|UMO-N1fK*kzzv#svcj2V1 z2U6vuO5G9-2V75oTl|RY-hLE*%a(v!7ETh+N&dZam+Wij-jj7nHT)Rq}3kD7)x)f_%3bZSh0yseL1EuJix;>v&VLu3C{Bsn zB%d3}Jt?mFR#EHjYMpqj8@hl{79EzSirSR8hQ(1eaC-3Z2gNA+$4n!0Y-0G^2CKfHc_=SWIb=x33%+wIc5>jBkQQ$ z#@)49<>`a2O24@Kk8z@&kDZ~ls|VVb{wNvy*ofG^|G4Rpa5fpgo8sxSzUF-HUKM} zu5X+caF4MZ=Dx@E_bWVl^ysWBp|w}=PXUd*SM!3iO)yk{BQ%Ce7BjDt%gv|<&g%4; zM75#9T!!%isKLT1v9LxB-bQltxqOZhmxpGO(SY9wQ0!)RbU6D)g(7Wb^hx{YeL zew#etuyN4|zE4wnU|CHl{R$WJ-)~f`8S$gKIk#ue*4V$^n2I3G^O%?vZId;Ojbm)m zj*gGVrWg5`1bq_K7&?{t7CMLc=9LT#3+|gO+u1tXak85nwC|+PX4w?D}u?4Pb^{U0q%x#svCp?~WdsBkVQR)!Tk9 zp|$#LB@>5oTACznxEB`}FSR|U$S?kGZAcx6-d5j@uy?r*l~jv^Hc8rSrLN zv(}BfBO=q%((=2d37&?l@qe;MvgkK_k_|j#u(!9bV3j~3_AjsI{7^%KS={Nuf#gWz z`R=J519O840wSWrrTaJB-ke<0Okq0g_$`HxUkE8SoM&7yZ|QqZU{!sLYs3Wf>h`60 zn~wSw?PkA+tNLBx-?eDAmg~8Eyq<6%XL7}l#H0Zo`1={ADPuT{dD^gVZmT}8FyQHf z_51NOuln#>&-WJ5{FHbXta zCKK&kT3X7F*pMPNk0^i(jue;@hrZcad8@->^5#0n$4@{s>ta%~=~QHI^}@Dty{{-s zX{*c$@;J6fQrR6#HkP6Qfq>PuUhnvAH!e~^Fb+pdZmm3aXZ!ZDFGc3(=NVbYiW4p^ zQ1YSoJM>^7Hfc4UHK^a%%B;$qRzJj@L~|J8+R}6pEfSupeCH3(h5!A$|7UIO9kEQm zvGG-nxPIIw5UpBT$n*a;{A#GsZ2SR3E_w)s#X#O|BfiN+NZI-_$J696V2A}=^(_6Q zEn{2mCUyK%plkfj$@&Xa5vH!C*V%Ia((;#h#dg=udjCuJjNZ4?S66$c zk0!)6$s$dW4?5n+1XF)%e-$bd`uk?qXv;z-Or&p`%*s_W=8*9RJUR%sT(_vag&-^3%n($?Hp7&KsUsm`gyq88M3qBI8u-UjU@%%><9J*tKBe$?i&}!xb|I#xoAA1V|t@ zVG^Oubt!tAl9W1uppa0NeYz9BlBy~Wb}CkWaU56Ud*0~i=%Z6BtLID+5@1+dp6ul{ zG`y5nfAT1phlghrxv0oM++L#;5fNEjT)t#?s*h+zkRieLeNjZJs#?#^gCtDDTk3@m zc1M$@ium$|ntf%!0K!Sn`e7H{&)tRQbX{Zb5OK<-Qd4cs>WCE!ByW9v{V%o(S|FC@ ziDc56p`DR<=Mfbmh`uq zYEH&Ef@t{Qz=hXw0WucPcMu}+s(sn1yr{wV)FCZBJ%|Tp4X4f4v1%2y4G*ilefyS5 zj0ziOGdA~Ya4kChJlpCf>}2>vow-n$Joawp$u{A*G>sg49h8&`c0Y-yVMItg|6IR? zH;^s=CPd@EI&S_u?t@2-Y?HbxX-}5>vF``JxaM3r^le^9^v<(&!QU40zM$!eq3A&E ze@SM3myf~5GJIT}Rnn5mHT;E*!}V&tW{aTJ`UKe;Xpdf}y zKf((#e&M-Or>y(9EjY74=-K##%~AX%d9!yk!D4ypGh{L|o6+_ySx-A}*cVzt{gYsG z{HG_3c?ce73-9b!pBpkyB^^GPSCm$P}=pY%H0J+hx77) zLeqPb&)EW}Ub`;dz(a)Gk(M@6>_s?!!@rJS<+pqoWqas7QhNEI0=fBHHdZe)J;}_6 zl~bEj? zE)mk+QS=>?tfz`3_QNcKYzBP_PS@2R1EUAel$~w`p=2AL^~|K$KJ4FWrYU$FukJojB#qc!ptM^26(@%&t62xz1(ij{2%jkvLaY}A?T9HS>f7PR!{nK39_ zj1a1HcW+_N{Q-h2ffLJ;77Ia=`p!Z};-Y--7{S2=Sk)K>w)q>_E}gfCEsOClCHzG+CF1e*8#2MSartG-p5flfrVI5e&xv-du$wQ}w;{`5w~3eXC%-gxg#c&?!EVkRl`Yei*W5cuaEx z$HGKhlZXGJdWju&2cK8R_Qd+DLe1^w5lI5BYfh65WnRl6M4$olqtxh(@_+vP>EvC# zxLOw-nfhkny}6p~1PL>6XbBmZHXg2PIb?-Eupz=fXDX^WbEe$MlqZ05gZAglRgI9a z$C(53qZ-2}8pYy>h@IbOO`-(SZ>HTPa&U2HIvD3+bYQ@_q{Q!D{aRW2P3K)Oo#SH} zlpkFFHEe`Ro(T?9J&#~tVV{=*O*Ib{Oszem)~Yzi-nkT2@j82eAn!)Bd(}ul42r%V z*kgJM$D;J)#($H&$y@Ol7^?e{o<6V`xUyGLSw>$+ncQEhpruVqfKg?7gRWC)tW1e( z+A~b{0R3J?^V-{%f4BZYCN~Gkz#;^^4@cw-H=WmhWhv+5-}$;^fA`B#t>~-;^0krd zk@9$b0QcdRLodM=3+_-gk8L%S)|I4d7;Z)ksXBfI;o(Hm@WMB4W*M`qU z)QuvxucMCsipLX3h=A#S9H_y+PCiWT{a}VWGWUEh&#UbtF}2l(%@yMkrF_ZbR15vJ z!Bp-)Ykv-gFBkj%{o`Q$#tJHn{(ZR=%MTS8_%Wg%!$Nv((<*CizlUNy=P?DaUUwU| z*$xg5o<6ug=Y~@Lv%0#!6L`amBYcLo=fCG$Qc|&Ozvo5Dx9G;5?SEEncRuiRSz-^-p~B`kdYD?xbw zkpArVVn7tp?GY8l%~F^;K}ftlt>5yYi7CLN+l~!cs(~jHbB8g$#i^Pd$*mVq;BB1u zsRp!nWc#O#Tu-cfZB45>AN-PEIR7am;Bw6~cNo|OTPa>(qkD#K! zTb|Q-UkU&Yny&2~*Vob=*K%+~I!)#;ba^tYzcv)UM8fs`H{Uxn?aSOOj46rp~YHOcg#$Jom0n{F9#^HMqZv#RI|H}fL*a1v1=AMZ_@V->#9sl)P z%F2p9$n=AxEH=<-f`NCysFGGXHa9*v5^%#E!v`sLs}*$ z_wAm};`qgjF9y(b^*HTeTd>9+5SoY|4#~tf6R@9AKCE8sSDS|QUig@QKKW>3`s0#4 zk?mHtALfVmWg&$x?WMN%)36TV>qS-9k?Yg%JGJ&rs2EQ*L&GS0WKC`D*y!lb7&0NR zKY?QHwnD}od#BXQj>c^Ak$SbbnX7^?kX7mg5C8NY(M#*}_Vu-8ulH1C{+3{V`V<0Q zn(ehT&-vaq-}UE+|C+1cb(x85JPqfq7G;VA-3rryf)qWH9s>_CgA*?mh-&3>@!*RQ zh3Q{Be#)sF?P7HMDC_JVY~iDM^b-H0 zlC({J?1l>0(@am-X)@0$yH&2Ka$`w-eUguoA9-HCcHa8KxHgp8!;Cau9$~*qMV#<9 zG&WLGAEkxO($=z+8+|Smmjb-s zX#_hWOjTWYPsGcWXoaNw@6QX9H*J5B zqa9Xpgkljoz2eA;xHxZN#_bxGXR$pUV*WST3`{KT9(G$Nll$yqH$-;>C7I%!Yw>KB z@Au7t2j;}mYO={1&^V4xjt|loZ$eL7_pZT`7KU>@6y|lFly-zn^-Jo=D+m5GAM(|_B+QJj)@8kq)r_W9dg9obv z=Uw=%lmN{GH<!nR1*?{A1z<_eCZfgp4T!-o>y&>j&BZX9EO}nAn&uOH22H+bC_P%L~9fClm5i zQ`7n|vW+?mM``J3X&CDaSD|{IY@59=wPj#rTL%39;_`wqRl9vlQDs?Oac=jOpFWBaDT5_UL82g$T{r&wv*3xVln3y8! z$ABWZ?8N`#rQ_-DJP#k=eYRwO6(d~@37G$b3y-me^;c0&LJ>Oc8D+QllVYUEDRp65 zf{~W{U7GD`J%<}XGHTbwHv$#B#p3>Zv!}C#|Xd_<_GXvg$*6genau70F zKOCDHlhJh5q{%ED`!y$p+LS??D%bD0KAlt5^&|os$JMca;Lw19N#VD=Xj6vX>Oj92 zJszVxSe4Vvg}gxfN!i$<L9%oj?E(w^Re)~b?M34;$6B0ppdHoF;YHzsW?Ic<>geX>}8?FYwU&`)V|j{AixK^ zO43Pk?q8NmE-Tm5()7v26G0wpGj~@76O8!smDYWV@1lTyJ+FJ<>!DF~g5021wic*X z*Ak2PE3I=S2k$?}do;3ls#(_>W3U)tJ2*mu5%QgtbSS~6z7*IMg5%%xT$(*ZHJ8`X z<@a$R#YK5H)dVAfII9CD581_Rff%I@^&dibc|t9c5kJ3mO*V zm}|sGLf*vJ9BN3>%HuuHdJs$!MQUQ5n5cT-Hl&zHLy`z_vO~Xik281a6tnq+9Q&v& z2Val=k@M~+fa*%3`!W`ATyNAY`JW8@k?7zq^$JqS3D*&5ptZ z2*5$&PMq-ym)*7MnZ&6?pcYJhN34Qfj5EK#l=Yp2yXKFFjDX_cXGuy%{<=B;3XO$B z8Ucm07^vsm;u=cutQG0~^=kR|D+n@W#Rm|nkkIl!AM&~8W%P7j#nI_%kwFaT>sBnU zpy?d$z|WDY1Hm#Ibqf-GII;B&;l;nc-nB$cIlB4usUI#eWOS_uFPPY`IqJzr6E_2j z?)o9>!6!`OmqFrt4(%Vq3bmx>qn<$t#!7a^6^TPtT5v@F@#-03Szcr+gQiJGJm|%1 zGJLFhJ=2C@r7PRsvUDua%GoazX|F*+tCMjD*<{Z<{_b;(=Ax|x}r%Z1tEA6~PfDXd=e#aWDDI8J1-D}85 zji${P9T!_NLF6eT0Rcuqv=hhR7_}@&^!(gAbwymVJU*c?wXm>gNQXIJB&2Ock`PTU z1l=qI^fUJ}R^uTOX*@TGP13>%4C7jb_6{D}tS zwBGor>1}Csf_$0;_s18H`CZpAmz`4d3##>gSTCoz0pxy>It>U-8*2Z%+qs6HF@>b0 zB-knNFhWucxRXm~w0ZbmyPox$5$M0N`^3o1jOq->-)K+?FcXb@!S>F}D1QQkYOywHnhvH)GzytzA}~vI^;+%P^V%Q@piI`b_U1h&WS=CL zT@Ofs3mn4IXMWTTQn6NR>}G>Z5fe2Lr3BBvUVJ>}$%^^B1_nWXQxil#;Lzx6FGl1G z_S~jiNbH)~-fr_JNi&r!{%|U0!}=Qq8hI*u`Y;#_##u&ABmZvmpnx+FD(m~WNF_7Z za$#dt%l?}^VDV~=`Me%>V9y4!_S82MFpV&AFkL~-cpVnxOjIc%%D=zs!a!3{R0Oyh zNVUQ+F&}b}8Umv0fG!J=H;w)Fr7s>|jPXP-WEu0?&E84(LE;~l%HG)dt}R-lzhR=0 zZ{I$2Svw+uv75w{_x?sGqe^5jA~8n#emV-;59Iq!Krlu`Vo(6J*|Hf)LfvT*<_X!! zu{PbT?k+!3$6vjv3j>V<$iXI^0+R@Oet^t5b3tOe&gH>XuK)zrjI z0x5tkX+B%+v-2LCLU`~n&@ZcC0H(oR8EQ%?2hvBEC%gBb9(_@n{9CGbi84ZuK`nJM zd(G|TGrmmHPD1OAh$^)Cbj(p`rlGG*VjH`-S5#9@(32(5njrp#)kn|D%Q_`4E-s~v zl>p<_09PatYnHmm3PZ*8Fuj8s-?!YY4>XDd$po=@wWdx-#Z8}h`WvFM%1eu@Hq~+W z3$_|W*B-xju(7;tyS7_sN`=F@lsaf|pG4WHfVoS!N(jViwZQLLO~Jwz(uE)e=)OG- z9 zZcTJD{bJq|GX_>4eSyjVnIN>!Pd3`_KL$%-xn3>0e)x|nor<^K!w=nrgJg3v_~yMo z0HdVIc(2$T&Y}sj*}(G`CTA*RGN<-7j!lM-b6MyYTB>0AH~assTvT;7<2*kA}hG zf2qQtV2xk6G9Y8th$xLxz*j9TNH>lps_aQWa?}o}W({8_xfUYE)G#qomG*uJ2#){d ziTc~O3U315j9&m)5>Z;3n3SaK$t}Z4JAa;v@VI#gA}0!#Nu!Hks|pTzriXAVcW1+W z0yn1;ahMiW=Ol8z0FQCDt2PxM<3VtF?-YF+PnLDzU^^br`GcRx7x6>!`br?C@n}0u z2gBf!O{%`p-Wo2MhWK-F)F~v@&O)Ec;%AKH=mPign>D|Z9jC#NVahH}x5)w?Yl*Cch94&Hb;Q4) z&sio?2FcU_dU_baA}<%O?DdZ!p37b6O@4Z6qPFl@iBvpKuz%xIH^+}O&LVf%k}!Tt zHlByh{QgCFC%*DbrWhZ;9Gpo0#8L(1jvkn&WZc*?%|{YVYe@)MMrblUE=ySfYY7`& zZd$VZrHrz(0&PAw^tuV4NTr9HJZuxCLp2=+RNsM(1z;@g7YCoEyoST@wKBaeM)0vm zR%iL>9?ks!S~E0PW@^D6PX^>M11Y>*WATM7*DqN^pp&BLC}WBJ!hDx6dZ-CBzsA-j@t4W4akyT zJb8HjFr`p{E*h$D&Z3P(RI%6&J~e=aKx0LAzg)Hdjv=!RgBs+uWQ%!w*15v3VgGC5{Q2ffakyP%@D;ian@Qi_{+V*a7MDc5w8C(x0WjlN_I=*9Lx~@i zmd2;2lUAFu4zwfez~U2-9hmq}A^wxpT%Y1W@dyG6_~Jir|0=;|a`w8`V-GfcZ+Rsi ztd5`C`zxoHU0>71o$jH!GfTSZRg%q^y1-5DzHam%E_>4v`W;kT-_883(#gb=bR{O{j3B9suYj4&8Mbi*ts8yx;ifq1IFRZcZd6mFqV5u|CT$N8V&SfY%>NTir_N&DA*p z;fowOjLMyWXhj|4_Ss3>{q>6(;N@fgq7YY4WNZ`#F2NRwVUD|C>;s0!Ma`G>-6-OTS!xHtHp|l;LTc-}v4PVGtlnzO>v|g|q56YQ-0`4_$ zIa1s)kR6F|%=7Vh?b&jzBG@Rnxw}h;`($(;scaxi3V?{+!uQmRj$?opDc(~Eus_hV!QSWwc!Zd^y>A8Tn#!=OCc9jL?631o)};x>f2@<%*WF}ceAl2;`|@KwVh zdYiYBpDLHZ4k=-xK$h#+>sou#z?kgX-tauu;+8s7Dqi%cdCP^njq#6II*zN z5F^&3DzDy`!kSCFK%A5yizBWN3o#c;DeOBTL!P(A2K*GiMf03@CL)iO9dsmoGHgzl z>zT(g=DITh0w#(&Cc*Z|zrSlg0*lCkmP=t_adG4|Y2~t2>)D-(I~O=|-BhzmYpFX@ zSpO|mx9Fg&&|iZk;mTIP=wN{3rK1;=GQp_;_1UpP>erY)FH+5>%Ma75eMbm#bU^p@ zx%3VBfboEcWdCgmnhA_1JT2`d*q;Gw(T6cIG6F8wIXDL*f5RC9AI*p>nBoXYVn-5q zqfz`IPBlJ{917Q@SJNhxR{ug1elqLS- zC4Ou;OSS8|igCa>6g}ueS!h|Bg0Y!#x7(O^Mp|LC$nI}o$3kV-0%T;{K&A(iu9@>( z#OGe_ij}@jzR*p#dnAVIk&r&j*~#f|?;x6d{3sTgwz~N{>ohtzRZqhK!oH`!iiH^w z5&?)11rzR|8l=ap*pZ=Z;T^!C(-z-WV1>tPNEO*O;({+uQGt^^c6lwx z{wVoQ0aN0=_n9&h?7b2w!0_8bB$)gaiDuXo-ae1Uc}Dv`6tZGDaHbWU<`$s|k7F_m z2WanElG_EW@3RsKhT|Yx%737c=$=Evzjrer-i_PI2>^Ko%s)6~?G8&Bj_;Ht%3pRy zfFVXndCXI&1S{FzZTk1W8-;JAm+dxvm$?)BqMnFTfi6o>%5@j4=sOvU%4NQ5gvFfQ zuhjmpZiK2whCnSq*i*~n0XjGL1O|kpXg#rUnP*djHbD}FQ0{V6qiPnws@z35^42O z9(#?EH}N!D+Cv*RU{-^?FarY`B{8PTd!YyDZ%&jf>QFXB>JvPSOe`xXic5a5-GK$I zRqTAP>1-u(&I=Vi7r1!65sHmX8PtPXE-?}5nzA?O+h3(&op6SLBwN=3Aux}}k<*c- zrFyWg(xkE{Ard^V`IOTLi7~?TTsL2m-*k5P9dDbg0=)-Bvh#P~ERjNcKN5U*>%$hs z4t)c_dqZ*qZvohII=m`SNO0NlODuutMR+Vy`22f?fq~)mr!4lnGfL)WEvGdnulXae z+N~WN0;;hz^6l^6zb`M%)M7XQ_xcy~m=h~u#P5dtLGV4;6x-^p-}UW3RQ6R0iaw^t z@DYecS$>n5e+-V5K9740maPe{xG$iuVL0M23qWbYVj*law?QpZ?ujqFF@z@})#vQsOFz zs!`%DO}C!E);08gm|WQm5y?M{K`y=l!L~r38&v>ER&Cj>4hx5X{r(&y1Q;&>3Ie_8 z-Tr-r2t|fWZEysdfQSG!vVSMW)JEExPlMCbX$EQDfA@Pfz<#`Unvk3xR`|Z$q%Lc9 zAQ@yF0nr0V2cFpOe@h%`rDhwC@bJpmjfM)b(tAe+=popueaGPRL!Ue^-k#2Be422$ z`c6^*OKpOX>@!w{pgg-~dQ|%rx0>-#Ol)W}OS@X@&d9#cPfZsqIoo=n%gF*T6|FQrjDO0QoSRJOD@dbCO{k3rVtfkYD>#T=|FaEXR z_NlF;YrPr))7c!i=k@5sLSFumOc5}0f) z_DFE{1LQ*|weF6MR*#4%PHfV7{GDr)6}@_{V3p+Z^#%>d&%Y>2i$G$rb#X+M;+E0f z-QBcfVnldoB=ExZE~T?8(m3|3FY_+dMVD+t+6H9t4i2w9-vvdW^xq|wi%a{rl`He! zGg0_#NJ7M%GYS-8F)>u%O6`2zNo8Znqp|+xOTeh_i(>V>w6?b?SoXR<0AtB3Z^9HQ z&+{Sx=#|eMgoNF*SqCC8Rc3VTOd0!od!MA07VNwqh*ttx>L63Jt}>}{!Oll1x$dj$ zt9fDWg0n*ZyhMJ-fPX;%ew7yUf1Z4Y-sZMKCzVyknoty6{8jie%<8;vBp|p4)wX@C zp{Lio;O~3Bd)gXlMhp(Zm-ouSKb7~!jp)}X$5RJrf#|}(07|ce(_?40OUNPcF&OhO zo2r}sV_?g=p8Yce=dsJCD*y<`IKW8Z^E57J(T8cOfFuJWZ!S(;Tj2&l=>~c*Lqs{{ z0N3^XYwNV`OL8v?^4Q0keEN+Ztj+$-HMMn5nL+BoQe(#_!`b&sC#GgdF2mosde>in zJmurTsBLHv1i_;qbv^Gm0Z{Zvy3djlP#eg@?<;~c?6>ri=n#F_%y+Z< z+S=MFh2gmjAPW7Y_3pnwfavdVrVu!g@hnLEr*@u}GHoS?5^3G?oe7vT9A;Ek}g3)LFq;s zL_$EiJETDrghO{ocQ<_N+;{xHcii!gdzCn6pS_=Ft+{@4J_;#vx$XrT1Meg zeWFMdC9^1eoBfabm{Zn=|JMI3;G#GL`UN%y)Ifm%LzPy zz41uz5qV2#ewVH~IvpL9%Wpq)FYJbJY$_t?$gyRz^yFTXzR6cWaHD^g_y;Z_REekc zl(ugZ%=yW~Dx_2%)KeD0So1YrJSOg4@GwK$+otPS=enI$Q$r$)NJ;JbO3M|vg7^32 zv5JcK+tTKTa#5j^ub%{kM4OjiCO4KsdODKcQo!VpUA{S=dwUY?;g0l6mHc% zaLW7@YD9L*c_LydEmnHcm_i@UP9nNnT(J2Df0m3?(5*H?Z*QKXorS zMnPp;>ZLQ3m;KSbuN4SG=<-6>0HK|I))~6asbRwS5DDl;_(}FFI62?LMe0K$V^=}*LKBDyV){3aiDwM13z?-n2|!B3{KP|EfRy*E+7}1W3h@f}%=#j zZrtI1S(b<;KXyg@PJ5sm^hP58U8gqehlS_9yxwsf-+F_PeME|>cUv_xi2Lb%f(Lh{ zm|qrArxVrD_)w>h9{R`R=}R_L=B1C`mC8J}#1jmpyE!oNX2POLY*;Tk;?p-D{rFBC zsQZ5_2QtQf2m+ z{s5?Uad9EBW}L_Xu*b>CJCMNqOlR%*ul^o}^R-}K);7w2oHbVyiCOh-!2_`XiV_yS znU?C3g_FG=wz23MRP88x!4!=!5Emg8z#k#R{;umag9v}1cf%Fi{QSHn^8~lzqzzw& zbQsM;j++SXWZzKP{y`|e`-mBBQ893{_)Kv!iGgI>`$q8#{D6BMf+ zt?U88!3*R4BLgMIGEm!|%(mim^>$xLjEGGG&LX8*{C2&lFi89bTW;`%q4yt|iRaFO z$@zL!giyOPu`cA-g5`3{3 z^V!EkvSFA^1fmBL#1K-eNir?rdg`3R36}JZ0Nso~j z(`bTMDI4Fv^`k{1SnXszTRhXr1l?a0sfIE4faDTNVQ;nKzCxUhAju_5+vdEF`RxZO zYg{l4%22RK+g2ZE?~juer3vt;OSNww!$+Q*OLcwCk>-I#`O~%aBD>mTUBL_0-VHB?y5o&EOVM1bBUMzpSo4wpYS#fd z0S_LP*U3lQ#w(PuhYNOs<^wtCkF&F0sA@hd`r6Rd)3?x5)Rd{#sf0<&9{}FPvbXJ= z052oBd)HklDTJKpSXe?A^I{>%0d7n1u`>6xl>d(S{)$A%>5_8FJt8KiUCY2jYPmOs z#9=EUfL&AILQBS_sqvD(tTW-FbeqUa_ktEIv2>|X3IpA8pxE>Z?lXh5^0NFL?&tQ; zbSYmXe_1>R^3>tYG1pBP#Xr1z_pV01-b86&aBzlq(^dJ~u_$`^*kZT!H{AZxKdGo! z|IzhQIf(As?=qiR;Qp}q!OxA_@ct;vtmrFwm%z{T_TVn2t_%xRHIx*t00zZGWJU_F z^%xWs<>u43w4=u28en)NCnxu?gQ7JywdyZ(4T<}U<;-a1`He<1SFTn5;t@xFY63hP_fBpThfRIc)zo(P7G*Q8j-}B2Hwb?jdy4h?N8*_bH%Fds$Kr+dBM5wN~Sc)5G|0bNP=KABg0DNk~!iR<~8>1hKT4W|Ft&z7=)s#J1 zcB+@)cKs?Q??C>&eFHe{}3zyrY6$v!`i``g2T z!NBwU!RAEe@@^+3BZDAHPkGmLs-mU)6W3{bMqgB{tjy{=f6^iwX;Z4J`M_8*KVx*EHqmZ=y+ehD(=>j3qrf}?R z*VltxDj})tU)5fv{`z_Ic3@!WT$cBwq_!Igk%1FOD;uQ}{OeVvCKs}UwBPI z+AoRFMv)MAkU*9L6ZLtR&5)i#@V4vAt8r zQ=z#(La6w@vYI*FM2EU2AUrsmm1TrG6y7x{-`n3`P_uV_W}?Plk9kPz^7_QGyy86G ztP#)I27_wfw8*5;uD*%Xo6*m$)w35Ec6F1IH5umP<&UeBs$*jEG##X~x!!H9E?4hd zU_AA!KH;B!w~y6$cE+SrY2LkFX0YtD&-Qw2!m*zlOFI^D*uKV-5CPjiV3B{*B%CxC zhq;{nU5vwYkKo8;V-DQ6sOV7K!iTdIWf;e9@rw=#QA})htRL=;(uUguqM4C@M-hfvw#fO3Gu@l7bH+=i(~k*QGt&I4fVmFe$7(Nu{Fh%807&6tt+!#!sGcc*uajEzgIU!mp9vSqXO9Nd>bC<++#_jJh3 zO@HzPf>!`~xb=`j^_Mx?rA4D54A2Ib2xRq z=$Ph?h0k^t)&Z`Q$!6vYuZM6QIw&?FfF*z*R1sAK9V>;`<3G_!_(W7h&x51r-cGzR z7#4NeoR*>{re+brQtV&x)U=H)(2;g?6R?;V0Pl;5$(z^2C{u#2#$h6i{}_tt0W4Ka z;$6&Iw`o~)h;(wmn{auXq0ysxAecu~HSNU&SV&u2+wAeVMeJlqh1E!@%cjo%Ja?JV z(dO`HBiEOLF!6wC&cJv11P*Hyk-m+5zg#K7D#KNZ&wf|UL>`m zf)ghGmB7dHa_*%oGuF-V%8cu=OPuxKyI_6<7`nu8A7#l~Fx9jtj>B`@X*%(o(Db{h zF#qCHWSB^~?2X0BS2nb>I6HfJYzXcjk28uWDR5!QrcEb3qK%7F<;jj}zZ&z>?M#2qhU zQ}e)88txDF!Kg%rIft5OqVwMZP080fG2?zby60yhS!k@2CZ062y_|6U-tRDJ*zvMr zWd9&qnaiu?9T38j(!R4fs;PI*$HRVbC?CAk&H%aH5P{TcXc_H6INo76Gan`aVZ3yer~#Ott3A++3YbA zzrNX4ZTxcQ@)m(c;LB3jPbKRzv|*!b{16UXd$E8s7qX=Iv&Mr-#hVNt<_&m4$7&oI ztHSDHRJ1~jrh#%E%V0#srhMHK%YwAk0EQNqd?|q3I4_dVxR^8xzvgYie#p4z!o~`T2kUszp9}{P-c8Sa{St zo@Rl5yXWy_C$eRZs|YXM<0Mc_%gp>VIjQ@0V(InPQ-~wWJxD+-{>!s%q@kz(OoG$* z?c28xpFZ8$YPi-HbY5vYDOqs4SnZTpe0&d}kM>|9F82fE=N>}ClxZuE^Zo7^FHDeh z-!*?eSe@{PC4O(WK76dq3MZv+1@q@OM-+SaI)nwH7Av*)8ZfEhxxdfkEVHi=6vp39>QYk{{rn@z{+&iqz+0~HepB2wp_fdmsAv4?io%iEb|)B6E5tA$ z0tIlzmswGCDxk_VkNSdE5?k=9dTyL79@ZHH?_-`;e;l*H92Gil+1UkUQ3fU^`Il)v z#!7m%t^u>RDw%r@RuTT0nRHHiG8!66B8TdeHm)Y`s@xAPVblx+W`Pzxh!G5;S^6;| zs%fH=AwB?9ad6;PO@uOcM^ZVuX$xSHa(~M#|0K>XUM@shHK7Q#nmI8QJ_Id5I7UX! zJ(k3Z8|X06eW89gbwtL=i90tJ!X>3WbcM4lRJR@%m6}^o-=`K7OnlS*2f%sAra0P| zk}!HkqnOA&_j;@O#np0AtEqOB1zZ-WEg%vGB)U_#Q>3$NlJ|=DisOhXl6+)i<8A!| zeQ7<>ps}LfHz%g8$bn+zTTbup5X^H38IXc?4qh5y?EqSplsrEEg1>_*t00?cfyk0A zmE3C91$*{Szc+spafzt>I~N}E@eu*-ub_b0-Q5k!T(d7~cTZ32q63H-=;-L&ik3m0 z3u)!$1b=YXWL(S1-qIW^!58PItLkV5nQB8N_&3Lp7E(p+Ym?zW?qi~KcXb6|Uf=bZ z@wJ}#LKJ7L?X0|%v$6da%F5-h?^)r8Ms6g*ItR{+Qs#_D_tu9CjAt4>#aUv_tBZ}B zBb7>WZ4svAPKikWpzFZ5^ zuMWyFE|4-Hb@npW6dF{}4uek=%F4=UmqA1zXIjg1^T%TT%+lHKPMJ0+6l_aD=!qdP6JSoo{>Sj zC_teEcUG%BThpiPNeL$frV1j@>t#E~25Q$sgIO??7#gJ-3NM=M6pwMo=qI?) z_+*SG^E~w9_iN{yBKiRiQYBuO?wSQUpAoD1H0;nCmLG6aChyJK4*w9RK2bv_BXAB} ze<;6nMv z?st9-={sLQ5c>9{LVCHCN_~b2$%5UfST~fEv?>++Ob?Qd(j80uu3s2*LzT69DXnh* z4I=SBj$?L=-%^U15i;TTu8s!%W>)fFfZx6$zUE7$N@e%R8GCtsJOVfT#w%_T3GcQg^-o8bn9uBSm9qC;^;%1r6%cKe*4&EV{{An@cGjitdhqDv((CQp zbX^s1%bLSxb}Y=+pNmcu`&JltuGa@+L)BBi)#{%9G`8MctySuy6d`e+exdKZ;GE3L z2xX`#kka)#0~qzE!%4`7P)T5sz)4SRe(!ekjabwES`Dl5ufx0t`qbhhg?c3R-2q}l z%T|dDxBE!C+^?f8ENK#F5_<7RxUo8;npZSM!K+wWGd z_2=jODc_uxuZA>OFvDVf<$3Nn#WV5{R)+{vZNgYn3L`gv1Anoi3KqZS&k}6^pqn*( zbW45O&ATlvhdE)&E1xnO7Qu%JM{(%M+( zO@Z|TG$lGq&hp&#G#vzL=P#NVdJ-r!ppARP%KGNOIb+woK~hFW#_JzFJ$>@{lKR`c ztJB=t!sz&jF5hTMll8t=ZcC?Tf5}NpI7+IgY?d0i;*P~UsCr5xOag&~$g;QrgCUSt zG=>8B{q%0mZQN8uU?mm6Rqs3;xvKNP3e0>SmdXUDuP7e%wlr3g9|ZcW&Z6owLaE*WPj^T?@C&OE-zaH}|IXy+FP!exvzUdJo~ z0s=6F$;}1*DmRx~(dO59g%$eRQ{BR|({tt?nqL%BJxeU7JFPf!*8&tg&)d@kZV>ao zrbhNO3vN`#qzs;YYdt(8x)N?u0(n|R(kcXv7iaQ`3_RcEmsw%s`@8QS6`9bSS7z|N zJfEAUR@_9^6YhgFpxqh`e$IaM-F+ugZZ#3+<#|?O*Z&MAT~v6(2A{d#qGOA?vJ-vv zehB@WcBu)vf!8HHC>pvB{q)?Hg8{I0_+gSFU7~EgUJ!m%ecbz=MED)MeThBuiQ&zp zs<&BEWrX>uk-J*qDL+-(O9xqPml7 z93MSlrC|{CLn?^+BJU#;61scJ46*>D*C^n^SE4>i&8~Eou*9g<%Ib*OWa`rw)QJtC zlY=)(WZ?C*s&Hz>?Ts=#t+j=K64HwP)yUJbAJ#VOPxC~DDMiCCO^uiqpJ$DyM`RtL z6rC(p)6bsy-cdl%5o0>^OA&F*rNXj(%V~Q&1?q~qU3cUx>}#S^ zxrjwmOt}7SGVr!ZwG%33hGFrKoSdI(bIqVC5~F0WQne3h>0$kBZ)II-Mx~^K;wXKd zX6s@(#c6F6-TNoi>Z_^0B%X)nTXn~xQ0$IYSP_B!=U;4+Z8Nu`9~N1MnzFD|xQ&SH z%-3Fv?34~)d@4Gq+UVeZl~Ri^O#l&Q7W9JGD<}=UYwcXh!oG+(lb&G~On$Q)$Psv~ zb$_MxD@xCQDrZNlJzIKpBrbF8TXpB6FjOlP+M4%CBPurSAq4!cl*VO{FgbpZ=Ti}f za=BnkhWg>|@})kY8dHAGzpvklMl&eQXM~FxK{fLz_u2K;rOJaCv#;JL+OY`&#taCm z1f}uH@>c1g|1$2_FH2T+1=gMyHZ8d$TX(KEy{{MdV#FW8B;Y}Nby8=E!{PHRg%lqW zcDLD&sMWh2WZq1S_h&1-o218wx$gzttKKd=kLPm5hOODfdICHWV`F3Bbs$MHxb5_b z@;*$?mVcO~LWT6zV?$2Rb?x`~p%tw%Z+2@pNL2C1tHS#3tMu%11CeoiqamFqI}13G zCV|#MmAfnW;i`7UAE?}~e%9GG^>prwF3pkP;BSU4b!VrVfcB>AIW!cxy*V%!R|*2+ zR*DmwyLh%$Rbl<*(gd=pVn(Ew*MG@QeV;h^=f}xyFFym$weLp=)cuNG`e1&*!Hvcl4&OcRc+tDO(WXVt+z@a8;YHNF8hq zB{761?VKf#Xg3-OAhH#+J?oCt-!WmosswaBE{^NGVocX{!FdBhgqBm?zVc>Q1ilR8 z;NUpen2yfRhaF1N`3E`wyAM7sK7ZdnMlUTZg>{o!f_*2csT?@YWXB@`Oj7oMBkKuZ zhq6fSb$y}|g*h9F&|qpieS2GHC#`%F*5ZQE!XwrvOP%dv^Fa=2QWoUDMFP?vahv}I z1^&?^=AR3@vjHwIH1&}>3q0VsRJm%7>E_SdzQdLnXnVhJ??I1*g)WB;RDe)q_2-&0 zVIqJVy2S3A{67}JkJ%Fos(Cs-F(SQ@1W{u_=+vh@&-FUO$jJ865@iVg;-g&={YXx6 zsL=XxyglVgKhstb#6>ZcTuej7#AOmp)ks`de5 zyRZKNS{Q0>@S6s|{Z3Nt*ubD5@IsY>I!{MOAZ7TwnnNL#Gv$?S%>yZocV5H$zdcMC zh;ZuSm*0qJD;N8uU+TIvp#$uA78=& zVd7^XOg{A&YW=vL&uL`Hk_$)dfL#ivg?c4ltP1P>2FukOU!72Bh1LeGtgLkTs;Cf< zC;H~(Jn9G|>FL!I0uuClbq=uwZO-Z&5f%#n_#G<#9Kl_(kTh#Av^F3?H$pt!l zAWM-9R%!W~>|~_w4$MlWwdm;qKFR@=IH*`cu3ILXXBGU(*n}QUA68b(ks7_VvTg9l z`r?>&-~91ucW?I+qEEDa{c!#-IdUm@z@&wgGbeL6MBX3W!EZddz=&miMOvZ@bds%l z;OuRrZUC8Vpc`PeimMR7!(mr91v!4{kC6H9pr-g=_#T4hZZvOvWoLSMQ*5_nSNQyQ z8D#As3s%wVdBbH);Sqq zk=TT_{4lCcXJSot?vAr|ENx?dz>wwGXcWb6pdSYdeouKoP|&j|dJlaAbEA(~+n38C zM(M`Y8$msG0(#I-JaNmNOICuCswQ>LDk+Pk#1CGOpAC#?u`MJH4~<$oPcE-yuhH&Y z=YeMIW`AnP7_RQJ*0PmD{?(9X0Aj9< zYKLooHvxM5Pks&Oj@V>raS=3LeZ@HHj^?-+!i+|r_J%0 zZZ$@z6li=@zfaCgP~q|D^a1c9|L~#z%qJ0DGf2Wvz<|U(xfYxe36(Eh_Az&bHn#I8 zU0}9pM%L2I-X!+L=fRN%#vR66JbzM(x`}kuLUKAx&YRSp%U3@TrT@_j8vr-`wY5DTA}Oc!}QECMOv5R&M8EMZR~R- zs%84gpR+7AK9v>jukCB=S>tJD&q^-J5*ZbGT+GlEt5ZFBrRq(Xm=&1hvZwr#7~6%ZW=uC{7aRc$ zMDwnsULOCDGxH#IdIkL`1_lHxllKks3H@;QlTQ&~X*q+Q4=&Glw&A0*;#hOjPlw<% zQsTDcq73i)k91(fi@7bs6KJZZnH$gxXb1k+)<4qu!L2&!Lqs{yMEfj+is2~~aR?e* z9+v3iDZ`7nvdm@MP$N6s3%mye67u)SELaL<>31I)@dJ+$W`?b8m`R@;vf=2TEJ3oU+5^BG5!a!=L!m=RB-Ykr49k@5s0K z-jZZPml|?M-sAe)@B?=kRgx$vqvq8o0z02~fzUVNjAqb_Z5@}Nd(BlRgnZip5?_AQ zYQHbP%!u(U22#gC=N=L#-Fn0q#f(%Iy{FG{z)%>D_M_{S$d^`urf_DI(oA=Mi21!u9{`A}?c|+YSeu zDO%aXRGF^anS0JA%9Tf)6%ZF{+wh0%iu=k;%G5c*iFe9)eM|L?|7Fl;!sJLLE6PAKA=VFSi}@Ia%e7WI%CJrMmh zGP$PI!-Itc20KviN`d};YBJ5}oxnCx$_y3lmeBSav2m3E&rRrl2dzm#lVH%d2LjSU{4}i~O=7c}Wo83SLz#{TZ1-F3JiXb~K4uQlADpI{soY_dJ6K z9cQqV*-1j?*)tfeq(Vz)s;$veYzO|>5nwVZ4w!R(m&-}^|X|- zs4rGo(SBs^epv~d;b^7aVq%u54}~D_eN2$#pKX`9b8REsUdBEsy<_@VHSQNYsQ^%v zhUDf(R+40Wl*|z=rJ-`LS={GV46diD#It^zjLjIQ>wyjN$Uw|J}2n!TBfJo zpL*>ce<6(V^Lak^%7WDfYMSa1BpS))OB=MkJgS4K(`ZLK*%Jdd=LW?}!d zm^oN2@vG0$->%+Xz_RD<_yZiI)5ru9b8)Gt!VA|yw4pwjl~quX1UcX{RR`4${z6!q z+y0XJyC+?Lda(2iR06_+7~qP>$IG(cZ(HA&?!`j!1zkah+ZI^%H0YfNykX$V{rs(@ zq5VUs;J~c=tEVRrUc7)n0#eo{MoG+qh!7CLHCbN4??ygy0dCayVT;w_wGA}YHd!{2 zxfOEtA@w!;3FD;mt>*28;{Ma7TXIqGRx`7*9eO`F61$zs#xmTp6rc#)YFhSkKUjInPHZw9Tz2xNnGdthju`M3i3RCUZJBM5nAn=4 z0E7}f*+#uMFYtC83+Smn3(Aud6bQ5>^6J@V6Q(M?&k`L?mi$|hZ?bLDb*U8WFNL*x zPtKBu{Qark1MooXwkoTtrZ!gTNam_g?d#Yp;BT(Q-J`|295Yt50||C^Qxzlq6^>d_ z(a}g#PwNs^d~6_GW>_O8-))BeP7v}}6titf6ZjBu-+AM2i$a zkVzGrt(tvGAglChUFO>33{0+;_wDPZ()=X{9xK$l(ohJx%+5CZA|KKwlgpNfrxMks z8!X()Hodi2>+yod$T_!Y!`V(-hVtJA8COt++cDUhel}0~BEKfZby_Y?Ne?u6!U9!4Piemf-+4mgF$$A z5FfB@m&rw|*FI-1~ev*04Xur8)rQKu*5#Ww&TvVxY5QhNfFFHm>$L*=( zy(`r1GPnIV1pYpB^0Jkmn7cuBwLe?UMu5WMvNb9Pgb^{113_QYi7*URGi1V-u28p@ zmpJ$kRmui$8rU%;_=x#j$dSxOw;BVoqAnzMzRQ)G*qx=AWIj?z0cahoUhPhsvGUGl z)y$sbcpom&)0b$eZWkoOwz_>*w)N5=6eh5H-Kue`$;`^)G-^Y0*&J20(U#py?9>&;18Qm**8vY=Zm(u}?nsAJ+maQN)q)wS|iUuPZg=*(p?WXPZ$5-zsJv*nkt%gH7Q{9uHu13luLGr=K zEJ`o31W=nltZ6?Vx~&i+byy5bqTew{65`Z9VF+5{{>Ks-yfM=#l4Y~EwxQ)V7efT& z&E`sLKwlevVUC>78xlopMfhj8NQ@tG7m|2lnH}**!wj%<%q;Z}-;8G~2wh+)k>FcF zWa9vQwD9$O>md&dv~k7ONv<lv_2I}>PgGQNe&X;y0^)DMD?S}Ii_o4`8Wxezo0q5&Wn%s?VS~}s zRISSbya-b`qVBaXWP5cpre;cXVuMr*?MhLv*8?u|fu%uSC-a$)ompZX@OC-Q562!- z73E8}S--yi2-8qX&kGf(s9)|O@WxZ8zn1WYEq;8A0~0dsauZyt`s17ZyZwOq%1YMf z=ZC;!^>7T&!0V7cDBZ60kS`)8x*cw1iog!gb{CukwE;p)_1b$}Xint${*WFR2^+oI ze!#x?LhAy{2f2%>IUYu0`0L9WK7BY<=WGU$%V@bh{>#^QunL=w+(oZW7Mc{7KF*#j z+o2dcs}#7#pP8fo_^+Hb)v4BHg*2ap(?NwRw`H-K!=qPjyF)}st!~l5knEvhzOs|v zh_gI#B{J5U1_QlmqKkVC@u1`3$|c zyvS9s$!$;{G~NTCG$1@2P)OAmFF*7wwye4UjAN}+m1bR6iNrn)KC>BpzD3>qxI6pB z)?+|OaLLFp?!i_SmBf%?K?)Rp>WDw#_cRNg%p&Wz49ZErbBFTYt?g#VA8s&{w((K( zvc`f>D1w@S0VS^IK}`*F&n+Hqm2_BnAn(V)fwS-t5v&}NQZf%M@IXMK~d zVj0auyW^8OirQ~5(5vJa>Js{VYF&g8*z{K=;yh9u`iqtF z7?Jh2K%Vcb=aTlgtGV)UBXh0ms*;mBHzc&1yE^^Tk2Dq7s{#m@92+DUWvCV)B!1z1 zy9wegYMr)PmInVYYd3zv@YDbK!&=D{UKo63ugJ14a)f$y`@CO$GiTEG)>G%)V3WnW z>sA9Tq*CP$4`pC-DTfD>pQ>rM;8+$N&Csq9``+Qf0%QPD)r8)L(x4^ogD_lkr-Ab50trKP%EgGMv$jic1Gy z5FE_Dib;IC^YUzaE!Pb{5z3-}f)<&O40LcDYu2P%Z-tg#Pw9gm^Raq*c$ScOPttZ% z0?Vtazl{*gw>b{@SAbJvZY}``2MgB}NWi}!(Hz!}a z$*XyehXxdzHm5+dN&TIxVb~GVB*RlKWRN zzj|J2^IA{0rPBvjFBiTyM`U5aR+WsnCP)4as7%=Y8P5~Hh}-4oe0^u2hx6cdEu9>4 z>lz&$m2EU>^~0jANsOX{US1LG8|M1&MIs)M_~+SNe`oF{ctBKQ)OAH6bd2NVsO>t;o}7chtu-$#ewPsTY%j2=jl(4Zo9mlX@>U>iOAnp zA1hiosNy>uEwe8d2*CM*=|6P-^+3H|e<3_DfIyPy|H+}nsRgg9O5xK~mof$R0j5E6 z(b0*sc7iX9U*DWzxxkiE1HT&3J&asj_}a11E}NK|MgkK3YlsPby5Y_ zU%HM}ThPK|ld9&O1xGYO@%>td;o5Cm3}jD~Y=qqBDjz^~qvGORClzDwlk53h&Ek^y z^!N88yCpd8BjD;TGOy9Q4ew8PcUpcv=E=}iv}wY0!+XcQZpQztmjGuyb8>QOW2>|r zdg67lD^ovx_B{!BHU*F0+ZOw&kQV^JH?)Alm@RiMZqf;S`Ada{LK8Ss$}F=dbNi$C z3OPFTg}J%&I42UFzwq!L%8yrW%3?p_1&|-8+~s2_W-FMG;(E&6t6^+8jWdkoQsgo+ zov4IQF(A_zj)pDif|uCkeldhYg6Zd=0L@se>D>Ogoq3qVxDBy%jEB62n!S0L;5o*# zn(R6EM?pS_)jQ8@qV4{I-3bQZUa4XZz_Y--wChgL&LOR4Zmu)~ZhY41tEOvr3K*BJ zCfSkPdg=*v&EEW8SHml^m;&UP3Xaom%YXwAqsPa_!~hOJN^1J}|Kl|jqW#y-*U@xx z8f`h8N^$#DO%zJW*k&<(rrL#j1oz@p5G6PIw^k&k9c60PleO`cN^yd%_|co($t)9j zwJ%5Qv}4w(3K0*L>@=h_h9uTBwY+auD9vELI*IAQ=%d4k!zUD-s8k{N-jVQT&fnQO zRb!hB&;r#Nk(IRA6%SLfmB9L6msFk+7b#Sd-Y!#Dy)fAh`_#JlS(8uPa?=6}(k zX@6Gsc`!Kip}IOXf37TE8#OwI$S-x={&APFi!#3>-q$zym{bm8c`jNg;kVwyraKyA zU?bMQ`1EE7ZH=LR+Sb}#D~WR0GLSOV(4)HTV~}rTX|w~_n3`3ZKey>m{KG={k5s<+ zB%))BUA1rT9A;74pdc%|eJ^%DUj5_CI2mew!AIhe)+zy^40jH49Da}BYkb6eyJuY@ znkjC_t%8QNe%F85?)6Ud!|4SqdC>jS~Vnjh~W# zQoWBhu>@&u@|npI#S$fN$5C6DJl#S6PdZZ-Ncq9wZC-#8q0VRUAJLMD^UVtSq3jx0=zF6=}E6dPjxZ7@wr?!neNg#@-F2{1cM|g7NIOto5ow%x!s@FY|Pt zK;%o79gL;biN@9>Qk%m^Uhe1WRg$fPZ(a^RN*}61!xaS{#!gsGk2>6hTR)FpM?l^H z6Z}xkfzPbhpNvSSz9Et6lmgz z+17B;O!%9S8hcD+F8%sQQ8vsrPvM1Zx{PR78WIC$r^`wdMK^bR4(2At%opl2<@+O@VUVcgrmwwoI$b}(RIcG3kU3| zfuW&`0NrE(gbE;iX=&NX+bc5&YM|4GPYSd38-x$3DlIk^K+gi2l+Oo^!p&WBhcKiP zt&MMW7&v@**7r<9!(rdi&9is?i`y?d!4!XTd`gE{f|z0p1Ow7D`YVPh&_QNMr_dsi zj-H;wY2^iF%IPE9hEu{^dHQh*Mc}B-bEOSc9tNdJtcJGfi znoF5$T~?n56S5#jf-qr}QKiEprTfdC_HayK?9RarbS%7p;80p%v0-_KF`QCdG*q3X zaEKN7@L=O=s|DQ)i6$Rxu5L_J;pmMBtY${9^f#cw5qJ4|O@whhQmOi$)n~u*9y75R zw`O6L+s=GV>YP@vm*ap0Ef5mRX3y_J5rj)d5e&Wxc1$EV4w)E9RW>NkXh`t!TR&Xg z2AUpJhk2JeNa&;i4e-ksNw5?>dh*x^_IcQ@@CTe}_)Bu)ln=}=@2hK=B9;_EuFA6H zv5|Yy!|7+Zv*o{Sq)k|94J{V7zwda63WPzNdcZx;`ET+evhNT;b;#M#{0kJy+2LlV zv9d7oa^F6~nk}5zHu^=YMht)k^2!{QSC(5$`O){pu{)os!~G|1z>~OM*oY0LH$zfk zFoopnHsJX$iEF4+Rv+JNG&m5kZP+Kw&E?!1h=eYT6Poo&@9oQj?GYfM?98znPxdgr zdRAYo#=mI77{J=bYum?F3}Xn$DXDT`fm zJI*A^Lzk(>sQleAyB9t_$ZM5_C`KHSi~DBBLP^LoLO!9Oe|i5a;q*kI@}mBG2Wp1+ zj%$XfpON*)@9w9tjs8_QI~40FUpvqMtv$=4tCZYQl0rjOBL$VcyXy)&A zUTrmA+K8TCa1}OQSzftyijCD+F)GP)9lp@f{Iyn*C$K%a5BGG2VXL1m=LViCLQTMS z$L(Mf5qHiw)i*Sv_a{Hjj014>TGw@@FHAuQB@rwQwGzc7lwBEmamqiB35?BNQX%eYDo()5H-D&AzW1ru{tv^`{P9FS6x7Bp+1r~&s6)Wle$^7N& z^`koTh`%3xge#b~2R#rz*pU!E9&r5aW`+%d^zztp>f-)sDrk)oI#m{-OMhQbJkb+$ zH3WZ`1#rv%$fx7K6ehQ_INq)bqZ0^Ogq(ZZcPrF|T89XzBrrH69;+Yg;KSE~tL`B)Z1aH^G? z_xnhrheAS$+2XI5$=yDolhy3hmmr4TkdI@PO3La7y%L7cZHz$#dl_p_MfM^_&-OKk z^Iu7T0~AVhS=BD*2q5SntfqR^FKOr0lljVm1F5-y-NHOk8g5sxzVhoS0j&oO79bUH z;F-LV3-<2rE_B9TW5*b#^ro-<8!;v-`_)53lX&+weQdko_3TEqJ8g_cf}V*_hTp?T z<=q0=V3BlzuG8NByL{n*^dmDEz+y+@h#(eycYPasiGuEzMqQ5-^+}yWrjO3@6D1iK z#q+=5dOOO_pp-1@@l4py;)8nG;yM5T)A<5gdTtLA-A~ZoS0h8V^xY00Y$Z8SY3bQN z029w*XR22w9JY=LoFA<9sj*j*Uxb3h*&#PW$~iaE5GMIBW$Ii2gC1=A+EICf{i{x; zjw4D)mIUl?HM2e#qvdY+HK>mLJ89LZ3_;03-eq0)a?`K8-@8&W zN_j40U8rdpAbw+Fw*JYv&B^W%Dx-@j{bEq~Yha(T0yo2X{qP|Jsj(AJVzHZ(RvCjy z^r4DyDW#Ru0xpk3&Ih9DXLp2K9)4qoAMl%9rtd&S<6K5f%2`pv+4=Y<`&8=jx@n8T z$nN^rEn9DI*V-}*G3{7j<49e3=QE2^KdCK$4SHuwZY&-C)Y-XWteG~5X7Ec8k-q!Q zeWfJ-Zs+Kd`NIbvP&UjbKVq=e-{;Ee6SvJL>f|B!w_^`!vOXb$V;}}no(|FC2Hdf0 zL1%=b<5q6gv-@|Tnie%MlFrr!wsfoU+(!89B;(|4qv*CE@<5&j>-YBC4af6yV!|Of z)7LjrC{pfA-lUZd5rxOGwpUxF}Z^vyU&VYyp>!-l7SL{ZT6WixR63#nlRU5{ArK$ z1MTM8iuIi(GTV6{4A!3_O|_`u!dGa#*5jXEx?*K_%witj{{fZq-Hr9(A_)j~*KDY`XO`;53v%_{mDS~mq?JF! zSp@5WfS%RwZwZ}DH8iz`iZ$Xg_KA|fb#BhMK72$otGa)XLy)6^eFg?A!vZ3 z^=@1=i@3s*CrwiLyEB4H-*5WG5>XD(pQLZ^5ZzI6{5MR1Q)}* z>3%^$!OF&38=Lp8JhQtUZfrv>rfvN$N@2|&Y5A6gR6e8M)=NGoMgQC%D~jaRMOhZB zzqRl0WSd=o67qIq+`2q|Ut-*e4bPIu`(tr6p5*sOH7DaEjehW--+t7fv$1#urab31 z=igkhSgzCyxFJp?gPUp;OCm(z1L zH|R`}{wTe&k`ONPM>;ukTiecYXDi(BPWT5oBQqYzl&d~9na1$o~9g9RUXZmw)> zd}8j2=QpH*l{YwRiQ&f260A<6wgB9fjg_|SRPP{&sw~qh7a9(o(`enDQNG|K6sbm2 z7P%z&<^P2?QkGhWP)b7LHcccNsg55T3B{^s>uL?`i8@m91mv5Lqo$aZOi5Ul>%><2sxRy*ynY}C(b{Isx;&N$$+ z;pIrHhaRga?M3Lw3? zI^{aEc}#te+}x2HrFMiu&%dlskgWNIyZch(k>|VJ??fda&4FKEOPEr*ijPK*MT6jO zv-o{PmQpL5&G}uzE3b#3Ci<9j>-9>~+>}$&T6flyv9&D{c=D5&y~u*}j*9prVn_x0 zn)(l5AC27}YhQU1MVN7K-VR8>Pm zIYXhzV6H7pGL59`{tZVo-MvHo?G8u?zn>llO43}C-tm>C!-IcTT@>XwvpY%4l0ug7 zjQ=)03gUM=>i&T3adw(bEacAY>WGo#p+&6oA|95U(OqKvL9?a6n8r9}wCaW{o4-*_#5PY4ebwf?!;C@UyK`>w}cP=50{@M(o zbm7t52PMqSZ#yw5bSlrDE6&ZyP)ZBq%9xp%rHb>8qWgS!O&y>W+vEeO-ALUL&Tw8? zQE2kBY5r0^urDLzL%|-@iq?kw5Ci$6frXm6X#U5lA5~ss6-4ky?*0cb_y(SyEjg z|09BBNjv(v!7B!?cX%p4y6Be{%S%OWKgNx@b)NoPAA{?BEyb)84>yKXOv639QzUO6 zGfPta-i1@NygN1&`{n&1XA0Oa;tX5_l!SLBAz1Ml!O`|1^F8F+0^Rph&X`X(ZYCBQ9^~|o zf~xNL)VKRy!g|8;cT@l?KVSVbgz6hiha$~<=EP)g|}A*;-cjO@LNbIc-pc6_sv z8On^ZS0V?;K1Rsi`*)vTfAzt6&+|U-^E~f;-S>507pmTIF{x5aW=iIiuq~ZZqJBo< zVxr3?U(NQutsc#`R}?3dzkgAo2nz7viE3_Ex5HOZgCNNrYvK2A+Ka1QWh)%U zqn0A^A6h9viM6-C|8-SWRq6`BX44WDU`!y`mv`nS1>R|L^`?9WIs~0?_%rB)q9Z*O zhGj36phGRE#@w#d`>VjHl*pQQr2}{~u*0wdK()AoB~?SwJvtF3(s@vtt?8lR;si=Kn}5{4H;)-D5Kgquh2GyiYICE&}-d@;mb{?)OZV; z77Q5DsWk*d8j75^C6YS#hQUT}ci`K2BggsW@6{{y;lzzrSSSXG@y8->9*dCOWXiOi zub@#wfmUry8{eZmCL{^~5m41jd3ZBP;gT_J|Lr{$4g-o%r*|{KiCt;!#o=uFc;>e} zR;{CXVR$4FtV(CY3P?`B)#U$>{dfZ;%DTkEVbO5NXF}3{-|u_iJ1X!Ur=uVV*kh*x zO&zRI@=Tu;btzBI$~|PAek@B7=C*H8E^agXI9rvRG!tIF+Bx^t5KJNYc@$)-EXqEJ z1%W>wu%)L<-`g{$JybaL?hc=CI&E_HhbxalfI>AHt#u49x2XTWboat$;Auf412Lwn zlCO5$x6T2_UkL3#|bcw(DuaOf+eZcjZM2HD7-%uIFmgROjih|XkcS$D&K zRT{g~eOkrl^9)}qE6w0tndsIj^VB{g8gWoicHOBF2@>7iyXLIgi#fNBR77B9|E^t?e+Zs$w7UKj z_y728bqX?^)67c=3Sp)G3LSt>?f|h8IPm zV?U|g@RxI?S9p^&r&@WVkPzAUd2ML*_Voorvr&XZB&QtPdH-5EEZ0=WlF3x{_?}oc zha`37h}-!n#q~Q^4!3Uk><{I&({wEVypjKYQ2=Y!*SA z%~BOeNO;Wr(WS#6!Tl1b(0*P7t+feNTC9^*)(}0IPd>_fto~;x5*4R(^rdfYZ8&;u z*4BZCor*BvU-kb$X(*(J?rJ!;yqvjyf2(M9%|xXcOvIKJFi@e)tR!JsC@B(d@tgrebC8vR@ic9W9r zad-GuBOQFs&;^JV)}HR_>Pj?}W!*VmhMIO)S#gosWs%S)Q#&UoJ9^ve5}K*k=;7cf z_GmLzTwOhrC}BbAw-;_=dTWW4-L)T;2)jk4`p9aq_v;yzs@dCL7uG+mc6+a6+ITPz z_?L3(cGXihJiC_VgPiUX4yfYi4sE*8f#eB<9q^Oj1P4BBwN9DdF^~P7ZxtAu zot-vV>~!YzT@vr%?TPTKCYfFy(obqCPQ#w?Sgj*>YI7G4M0Yw|)zQ9g(=YV+y)IYM zUCZ~v3{k|8)%fWl1Dm@P4?7J3K6>LllITeSQZY_eymiCJI`X0k=3tIFnH8-J0p4J_ z_eD4bnQ%SrQM1BGsQy}-e+`bXD<``w*u2Yd_Uo;q{1 zaS=KnpXTc3`A@AOYIr+@!OFf&DBx4~Z}Xp-x(jx_nM zV9YsW2Nsb(D^!-H&eY^0_)r4Fts0VP=|c^*mn!MS)t!^o9fb2(($~El*({j!<=Pcv zShGN71~(d)9T&5O{ye?I-=;s~5TrM+72)fOIDX`ZoI2gvS(TGR4$T*@g~EWS6~mXr zTFFIW$*lU0nF1T|J{ewrdK)mjZ+!k_xqq~aDAoU)8k;Y(rNt64(O5QIx#~t|BozMm9P-AOTYg7c_XZy zJrUt)HIen_^5ntzfwG&_@^?_Vy1tc|m&ecgK(MF^_B-A zKb~tUdhsx{A&qf=q^MOzLrwMmTvI$4Df^ZAy!9>jLtYUXyODsLbU#W)8$n>rXMz-~ zV44dTp+ z^S=O3rPK|+ZsGK&`tY#Trwiok;%jP1p(Qk|qv*!bv=@N1*QdFOeTBrd;j)Q~O1H|2 zPpZch22eaPL~g!lQ2+hw8lf0GnPDSB8Vur@9_16N(GvSRkE*CW;jAT2|H7Y7Yaq!t zHML?CA(zv6Q~y7zaL%W%0f#*s-FF?VGgC01FV3~2qh=eDe|A7>KvE?XmMCp|K|PX< z`2N?AN9pQ@f;^pb@w~!HO>ms3F3*MVJrQ(4EBXmiDO!V%A<=zUu~XSvh5_?h&P4;o zBvmOzz^Et(dMKtlyN)HAvSN_G@O>%i{`Dtn*Yn#+iYF?_5)n>3V%6&sRIC!DMn*<2 z#&JcRw)gYH^i;-CnyvJPOW}(1>9~e|8KYykk9Ub)zp`EXaf+GlO ze8?;mL~;-!Ef?D7R@u-vQ@&CCyRdKzyhP14WLokdAlZm!r67H)DbQtyV^K)H^IyF= zw6B7X)a&$gPC%_BcgSCvbqb^Mpkv_wkd#qn3e9`Xec2Ek0ibLJmj}mGVr3_Y3j!&h z-O141g-=B!yQw8E#rdxrp3xPF`7?t`&C;bkGA?$?xj&pD6sI9Lh2tUP;|4^GB5}7s z@fvyr_4Sije=_Oc1ip2REREU|x=3~UMa%~?6LKcCz$+c|dHHJya3((WAO3z?vk6;6 z(Wg)6)6&vrSNJr7`0oB9V zPqmIg_JS9l69c>gjTGMV|&@|FT zI!kHh=2-RbUy6j=Wl%gK%-@#xg@*92ID{dyl>wCyjAopL*XxhDP6g zW57I?uSMr-bH?HVfUrikGe@0c{}_>y7w%XBD&rS2n2U+CavghV;=+S9oe~`IjAHDP ziNKtCj}A-Hjwqwuals#b?fIgWbKbc?2#{B0;+*`0ey@P*?&*QC=(~Zw71`QbW9V@G zP=p24NYQsAi?|;c>$shL$RlE*{%U?$V8NA#9wqEVnW!&`S`2u!IJUBVDu*~?>wsGN zOU`V9?fk3g-1mEt{^_cziGcw8oKnPl;0Ce50iO``^h49XQ|INEVu^q;{}sm5GUY{~ zAb`M_f=hpfN+`9E)5@cLZ%bNYe1qkAu#X6px?>Zz!iwn%m>B#{>^R%-Lk)gg`b4w=zJXpbk0_&sH}UCt`@e;|9sMeu%|Or0Tg2vJ%yEw@ z6ZtqS)oU&-=u?sAdvtF9bd5#nB}**w@xRmyhNUOnFGmzZ|Nk6f6fM(AkjTe(Bj(eN zo}>u^<|kWG0O)S>Pcr_Mz9ipb1V7A8%wqf<_9-ON{COAh$oxN8`n-V4wf;77HCG09AZjSi^$b&Ekz+dN1&r}_z zF_YsNQEdu;VTB_<7Gzpy6tpvFC@Ad&{-V$zl!2aF z{Xt+%wJ!txRp3pe*2~6Mp5#& zl_-A8T*wTiPNf;xxfFC?dN;VTzKcW#>vL=H$ma9%lsd8{z3&_Gto(4F3jUBXm7z5? zzR_7Bk+@sP$Y`BTC%Q7AtlRhMWzf6k#t6%F zT1LKYCxTx^ke;4dG-ogYhH~}+?0@5wKYNA5=PFwHarKZdu23=_CJOt=iuAE9c`V!( z56?nMn#p*dDdsf}xx7K!@#_j;Do6z;)K zkOBocVL%vOrb?Gk?VuZp;)VH_MXhw?FSO{qFWEcw3~@YYD^>otglghNRfnovU_RY77^zLpYKt zwI14&P06_{|ip5&9F<_7=U1nNc-rJEsBUmL@8^|wvaPELW zZYG3}i~^bnB)`JuVSnA{77LCkB)MjqJTuYGGG0tS?Bl%z8W*RqC_WAFd;!#8siOq` zDJ)dCVh)roA%23N^6T<0XaO|9W@ii7=Af=z2o?&<LQ?cVU^0rrC zLH2F@t(M>K+q4}=U2&5$2`0@OJt``{nuPCOt$s?>AcoL&<41uIW!>TWJ;*MZg7FN5 z_FH?IfQ!IoiZ2EeDCCBM3)>M+DUU?JIu(qeRqaMT^#ZSdLWj= zqdzgSf!0#R0QzSxZ9g&baf-M|<0q zbwtrvFf~;*Y*cMYXPT`l3;pL3Q2wc&>5MgG?VYtHLuf9ADZTXmHPm}fzgt=SCLJl1 zmVm8(t8b_~p^G>p;P#OT$vPX6w3latPWeC|m&d%g_~hlH-P@1fU-syvqc~d(nYEGK z*h{_8$4sXtPWkD{=f;}8*-3?qzT`d18+IA=v^i;RY_pw7!Efq~D2zmF5fi$`FR@LW zdLUpG?tkom5|J^o%lNa(OwZ*68z}Y&6=T6VGcyBJ=GGUCS4BmGu|mF_lF-uu526Bd zA@{lE8ORuQrb%9eMe@C!S+sX_lv+RL`r?23iJ%3N?zJv_=-OpMUX@F3#CO^#L?Rp?EQ{wc+tbANoNUY4 zSIrARjrAeo^%|i$>%)gr00)Vvbj*W5t*KzirXI~o{r@DitTz|kwKCmxATRYa?TGDj za(e%}e#M{y&VA>>)s3cq%#1@N(|v_T)sDFOu{W1bc3Tn^+{Hj;Qt_7>+a@Hhp>o=l zA?q+4fiqSp7Hi1K@Cm~(3Yd=UIsqvlIs3U!mq+S)r1r1g0aVP&4e@@#n3%(lo{W}Q2aM|=6{bdpOAR#*vQnhByD<(e2YUm*Jvfd6!oSh>; zDi%q5D&mJrcEu0ZD>wQstazg=yYqJsiU^&W!F5t+G7{7`xcQ#vm2W1WyBJ+pX@#mZqj1i8(3 zkxf6fF6H8@vg*A5A7rrXy`*)$LmAjIRl(v>o|Ch~Jn+i#Vb_ z-wT#+YN#1TCdDzJN?PL;pAxXzZVTS2LT3aaP_6_gaFeYur%J7y;IdJOk@fT|?`-dL zd}oD-t+3$Us!nek{>|EVAWwU06vim$D()ML>BU2x0?`Gf-C^rdu)b%$0 zIyp%%5)A z4%7`JhrG1_Sy+FoHrxfU1tES|B#th}a5JylHn}+pYG$l{Qw9T0*nx#Ad_yM$BYGC$ z4*EN3l_mvm&%;Fpz6qe~hzKAq%y2uYvO^SIY6DmNDV)7$Jxl5n1@XMdlW#Iwv*k(@ zk`U|3*x#G9NV%7>qwWeJ`G56pi>++Pq&G0JWe%DN;mSArtuvKErRY&5Yr|-&4Q@oIaTChj5#uM&hjOvQsnQ zD5?66fGUmz*JcLqIY39#c*Xh0l5>DUL^Qr_H(o03)>|+06_V8EVe5P~M8k)FkXhG^ z8RnISpNL%WBP8{HnNP&9U3?y*f&BQLjp`^W-2Hq70{Y6M6^Uu>G693$36CAn6T_$Pb;>3 zdXLX5EZPYa(Zi2|bqY01AJlIA(}Vc4FT*y_+(@h6i+Axi>cJl$u!rL;yKGyZzQr!O z=vosc>E|F0<_0|*A{n~hD23-HH$PgOD408ceP64RoI#T?H)X+}x*u#@Oi zhgG4e7T%W%bI=dvz@}rja=5v~K5n+lQ-Zm|;&cWA88S2ie7!7q_YBwyD*TO+9%P zwlj~Nw>G>FuKRUNej~y3Y3x0|SQ@FYC3*V0@P@^~75X91CTd&t1tzO~vxpkG!7*Vr zJYHrrD8t}XL=YaYy)-g>acRymkr`#(QIVIbG_V_~?{{Eec#*5ul>^uX27A8D&EeYk ze0+G!=P+2H;u%qTIc%S#GiRS>bq!dGUZQn#aWNl3_DOAwLlO)1J{4O&o_@V(n{u%{ z!vErL5=~@qXoj0+PTfUIZIopYnKrWBqP`D7oXTdHAFHn7T=!uX>`U#y( zw2GF8W?z4U;vh8P|m?qt-?V^WV|$H+O)KI=@p zUYDL(ehQ~N(q>$27{W`3vUa@GW)>}Ke?PQ&B{iAj^PEUn5IEJFHAk@0sr7Cp!@UC6 zn-%wt-j<}+Z4B}!Q{Kvo*c zk0iu;EASbKyfMHe^&j%`&Ouh4q*PpFLPoJ6{OFPpXSC!!evwz;KTELkwp;u0nfGqI z1;kbT{r%5?4#gsE!^EW4#u8`F7Zn8d!1Ev=**i3phw^eq@y6pnZwMgW-Oi~*&p$2e0?srs0g5o zoYi&~s|J1Ta}J41skhQU^~w1uxYyBgegv}AE*b88#Y z1QvJP{ET^v>>3wqjvxNL_+N(E(V>{Z-a2(n^HD^v)SFg*^uEU3b?V0Lo{I92nSPDw z?Y+v&i<@QH)-Y)>FeFreAps8CN{S7L1})Is0X&LnJ+~Gv8^f=4b)2_3T$xA`1A*8D z``Z*S`E0A7ZBG^M(%eH`+K2WC?T^BIzp82{YsS9X?`(Q) z>|YJlWj#FZ8mVL25H|5QFW)=%eU%qEy+89p1-BHgkbqOnAUI!5;l>@XoHG@PlejI& z+V#3wss{=MJLCRDc{#V*bXz*I->mas;)yaaAd-R~i&$iTS68^n$8b}K3HpNyHx>`H z#l{B*2$9Ysb#i4#4M%59E63;9ibuzGjb{+=rGst-Wo;eW{W%HlrP9t-^;D^srmy_h z?qHd+r1XC2{P5EGo_S8c4#MVv&tQ=i=>w>*MYp^of@~2NqfntR@J9jw28$k;9BSU) z)pJ`)!MV@>{`!DeZ{@viKZ4kZHiImR*UQT@v>xtsa!NPr#a|y?CnVd?*JapNlZob( zdh1N?6XZNO2yW@M?Sv-+m39NshEYonM@}opV*cE?j*koJpRKtPGGp&W@*6zr&5+Kt zvse<}?xApe)=Q6KB9`2{Qe@3wiQf^39qORCe6#&I{rqsj@d# zFq%G^33=-jw6*fWx0m!l+zuxrHZrG5asww_)`=}XDaZR4WG~KY7hh=dF(TzY@>(QM z_uXfk7rgSXKE3WlzN+qI?WiSO?4}e!TDIN6voN{PD%DnHeE;y7@V#bRGyfyIRL-(^ z{L^OTx&7VJ`}Ixx@xqsr3snQ|(TPq}+0)ecEf+OpTKPY%YB3`lnf@N8IbWAnQTy`6 zXkS>GLQ1J+Mv`tjH=3=zk-NV?;x>Xkq(BHAA9s_9A8k5Yz^kHTT1H{XBpH;8mo>4R zf1|9`AgsE$aY;{kwn8=wU!JPWuz!pY9`ut*&)OO@UWwQwBnDV2YO`MR_Q%$dJxz8?>z&{PO2gt%(&w~C3 D>I7Vz From 30551a7b11cf67f16bfc068ebb8b29d8392e995e Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:08:26 -0800 Subject: [PATCH 15/44] Updating MDM section --- .../mdm/images/unifiedenrollment-rs1-40.png | Bin 73763 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/client-management/mdm/images/unifiedenrollment-rs1-40.png diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png deleted file mode 100644 index 87f685d460e3d96c14e561f578c97c134b81ba14..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 73763 zcmX_o1z1&0xHXCbigZbfw3Kv%9=bugySp1iy1P3Bq`SL2M7pFKq?>bx@Ba5c&m+j3 zeTLbyXWm)wTI(fPR$2tM{9goYY{r-6W)ctoH3_LWe06j%v9^QxRW>3Dn%+5pCP71c zeLGVd2UBY+7>qY0q@exnbGv}GjjNrhv55mr3Cai;Xhr_7)y`1&`O*&#rj~{R@3AQ+WKF5(ef2jF{k8 z1(&qLbmufop}U66)%F8@2i-L$fU7aK8TgZMMo97(*p#SA=atWvp6O?XmM zsF19pPfca|OvyPj_~@v$4gxpR&X0pA!5()6G4A0V7uO!d!e)|d{p%7JoZlrp;Kx2V)%K26>2{jX9>N3 z2&X4`)l@b$G4Va$l!E{nnTSVJQ4y=CC_s`D6^%wtHDPdc^r!pv@#glnUaeX***Nz zyEd*^pR{vGG>G8E*%i{?I>=NUL=Rxnhs$2S`UG1#`QqrY4YoD_OQ>_t!R~Lz3#Y@m zuZD((E}U<&1+j!k`1vy#_4`n9a6~jU37wh=6Nmj#Ukb^|V!l>QX!VZv;Ds34)x7$o zVkuV0pj}w;v=ec8+ohPVAG~;7PZ_Qs&i&gVQqc>cROe%GJKeBs1rzG12ujy5(NNX- zBVqW+8sF90`nzcblz6KOn^H@p+diD&7i-0m{-^_0VL4O;yl!!&>h<4bWl`0Te^ANA z4)!D)XABm~pDqPFP^09UBD?X4prNiakTw;2-rtFd`9oKm^ zSJ=TdZ~EWHK>;>zb84^aDJ*Jc)#b}Ricv1uwCVazE00^th$QUP7c{o(_an1eE?~Cg zhQf#|$YD}Qrw!~*=AuDZ4m!`MIJC)ejzdvPeh0c0$|jgMIOHgzKAj52NV9}|SYUbS zAHF?IL?ub}lQ{emUFt5|AULkh%?tW@atOT?{Y^Z4XIQZ4RA`<@y|8Uyad&jybb@0U zYY6wmt;tXrD*xrl4W50o)6se$u@^$2sFcq~A})u**_YESrOE9b+GuWL{!FRr`i_3N zwG5vY-eQUw25o1^p4|*%4*WRFI&c$oJ+^LqU4+^%9~>Z&TWS!@c37F>FBWNIf;r|+uJE+FYx#Saz&t*hx4&bOic|{R>uhhIO?dZtr)V$2i^I<^}Nl7KAR=68&Ff_DI z4DXknmE}2wZ0ve^SmB~(o(|VU`E54Dd&OPY>yD^%R@2Ggscv)S+Me3gr+O?IeqvD(zx;{yi-typ_u>%|N2JD7 z1TWItBiirWkB){$|9pG&&+IIF>Zg6&{Y_PNGEUCqo12@=GIwMqCZ;IES#}?t=o( z0)_8hAY=EnzpL$YKJX?GeIb~GO6pnAW=lj9?a=}Gxu@>s+e+;1(GA~>EuB#JDKfeb zqf`SPg~(vF&2#ju-&wSv?4YN&H##O}y|sRR#G_y;c-g9;vJy=!riD4mKs7%*do9T$ zt4+JI?nyjQp6F=p#;Ujr^%H+i?Vkwaa~kxIm9M(dOjTsmO6j!QY+rHBCb%wQ+X~Uh zH&jqUC`?-UOpds(WX9W{cALh0VBt+nO#Xe62KzcUn&(Nbdj7DrJQ;nO1u1cOOLKoL zHi%5@&!0cC^70!}v`fA>saMf#wu`=X3NCA9BE=sb&PmmNz86cUnSB2ETl3?0BPPZE1L+*p*!-f?>?E*7ehsHo>l@<|-Fe>=r3MYZ3B7SS?}U zht4JIL{rYwL5$nDJF*As!Fcdh)w>Ag^EH>h>RF2)+dqz`ZcOt;CTLGJTgrHi-eUfm z#Mrx(C3YxBzpRIN(iqev6OP0n7?TswbhiD-PT7uT`x?0wx=18Wk#>0ydBW^h{rh9B z&f?JTH^Szc^x2zl4Gjq;jD-r#J0BvmOV&*^1i=XJzg{FVBt7_~thQaYwH`F_ubnZe zA#!R+uw6aQIp>Q@rZ%88=L=ju&W@9h& zoq}}Esoe9qpq6(WKZ735Jy<{HZ_akVf?>(!Q&!vOxQ@@3q+ZJE*vi^OnTGgr;ch>( z{K>K7n!|=PGXZxgL#ocEX6B=nC6}d8)=RGv@F1CgmL7+0=b{!t{6Z z_k;DCv@$LyenW+uj!J@Ii4x6U zqNi<6Yo_GSsiO#MMBfkhvMvbR*FS?u{W&BD=2%nTGm^J8Gedv8warc}#{Ddi(ob+|zXW9E7CM8=D`D20ZQTgv?aw%P>L`f<1f00TsZJ*$Mm?=BI7&C68|Hc27adG?hK&3+wa%z;gExch4sY{ zY8Y$5F6Ov(+JT>HdHw_?%@dqqhiRtIOT72sRYPXb|6limVb-BMbFc8{*=@2A-hr1i z8_(mHHuE63)a5@T=twM{OcRyQ<0wah?rpX~1Alv?vF{)i{{d&O0qF$Gc^08WX8etB?YFCNz2 z>3ObNsnQ4qbCE>vp3RRn|IeR4M=j*@Q|?Fn#F!2y^Scj4+hv&htq&32EF>viJX=#b04`%LE7h%POOo%USm?{Ini?7i*j z;ZX=J@?oZ?e$RXB@Mn75y^)@tmyC8(;?!<6VlAF6%Qx3jK7-$>b{#g7q`*ii)2*Hx zIEWK5GNMoljfZoGZFV~8+Or@6htx-A=2#zCIK6L@T0%q!Z{8$s>zyZz#>L0i${xeP z@jJ6fnb$oEvAC!Olu}=(vxT+A!pcfQV;B1JuMNk0 z4xJCN3>hO;hQl_$$~xK<2}{^$3c~rppg3IqePCo{JW3aWgR}fW?|`YgR`n|}IzCy* z($Z4!z{pL_Q>i%q=Efy~UVW(P@}R|$6`e(jl$6(3%vk0lCu_2yL}I1my^^)&AIJ13 z&wFOuE9KD
ADMX_CredentialProviders/AllowDomainDelayLock
-
- ADMX_CredentialProviders/AllowSecurityKeySignIn -
ADMX_CredentialProviders/DefaultCredentialProvider
-
- ADMX_CredentialProviders/DefaultLogonDomain -
ADMX_CredentialProviders/ExcludedCredentialProviders
@@ -2546,81 +2540,30 @@ The following diagram shows the Policy configuration service provider in tree fo ### ADMX_UserProfiles policies
-
- ADMX_UserProfiles/AddAdminGroupToRUP -
ADMX_UserProfiles/CleanupProfiles
-
- ADMX_UserProfiles/CompatibleRUPSecurity -
-
- ADMX_UserProfiles/Connect_HomeDir_ToRoot -
-
- ADMX_UserProfiles/CscSuspendDirectories -
-
- ADMX_UserProfiles/DeleteRoamingCachedProfiles -
ADMX_UserProfiles/DontForceUnloadHive
-
- ADMX_UserProfiles/EnableSlowLinkDetect -
-
- ADMX_UserProfiles/EnableSlowLinkUI -
-
- ADMX_UserProfiles/ExcludeDirectories -
ADMX_UserProfiles/LeaveAppMgmtData
ADMX_UserProfiles/LimitSize
-
- ADMX_UserProfiles/LocalProfile -
-
- ADMX_UserProfiles/MachineProfilePath -
-
- ADMX_UserProfiles/PrimaryComputer_RUP -
-
- ADMX_UserProfiles/ProfileDlgTimeOut -
ADMX_UserProfiles/ProfileErrorAction
-
- ADMX_UserProfiles/ProfileUnloadTimeout -
-
- ADMX_UserProfiles/Readonlyuserprofile -
-
- ADMX_UserProfiles/SlowLinkDefault -
ADMX_UserProfiles/SlowLinkTimeOut
ADMX_UserProfiles/USER_HOME
-
- ADMX_UserProfiles/UploadHive -
ADMX_UserProfiles/UserInfoAccessAction
-
- ADMX_UserProfiles/WaitForNetwork -
### ADMX_W32Time policies diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index f01336f9ad..1dcc21ec35 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -25,15 +25,9 @@ manager: dansimp
ADMX_CredentialProviders/AllowDomainDelayLock
-
- ADMX_CredentialProviders/AllowSecurityKeySignIn -
ADMX_CredentialProviders/DefaultCredentialProvider
-
- ADMX_CredentialProviders/DefaultLogonDomain -
ADMX_CredentialProviders/ExcludedCredentialProviders
@@ -115,75 +109,6 @@ ADMX Info:
- -**ADMX_CredentialProviders/AllowSecurityKeySignIn** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether users can sign in using external security keys. - -If you enable this policy setting, users can sign in with external security keys. - -If you disable or don't configure this policy setting, users can't sign in with external security keys. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn on security key sign-in* -- GP name: *AllowSecurityKeySignIn* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* - - - -
- **ADMX_CredentialProviders/DefaultCredentialProvider** @@ -256,74 +181,6 @@ ADMX Info:
- -**ADMX_CredentialProviders/DefaultLogonDomain** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. - -If you enable this policy setting, the default logon domain is set to the specified domain, which might be different than the domain to which the computer is joined. - -If you disable or do not configure this policy setting, the default logon domain is always set to the domain to which the computer is joined. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Assign a default domain for logon* -- GP name: *DefaultLogonDomain* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* - - - -
**ADMX_CredentialProviders/ExcludedCredentialProviders** diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 66677dde93..f435439049 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -22,170 +22,35 @@ manager: dansimp ## ADMX_UserProfiles policies
-
- ADMX_UserProfiles/AddAdminGroupToRUP -
ADMX_UserProfiles/CleanupProfiles
-
- ADMX_UserProfiles/CompatibleRUPSecurity -
-
- ADMX_UserProfiles/Connect_HomeDir_ToRoot -
-
- ADMX_UserProfiles/CscSuspendDirectories -
-
- ADMX_UserProfiles/DeleteRoamingCachedProfiles -
ADMX_UserProfiles/DontForceUnloadHive
-
- ADMX_UserProfiles/EnableSlowLinkDetect -
-
- ADMX_UserProfiles/EnableSlowLinkUI -
-
- ADMX_UserProfiles/ExcludeDirectories -
ADMX_UserProfiles/LeaveAppMgmtData
ADMX_UserProfiles/LimitSize
-
- ADMX_UserProfiles/LocalProfile -
-
- ADMX_UserProfiles/MachineProfilePath -
-
- ADMX_UserProfiles/PrimaryComputer_RUP -
-
- ADMX_UserProfiles/ProfileDlgTimeOut -
ADMX_UserProfiles/ProfileErrorAction
-
- ADMX_UserProfiles/ProfileUnloadTimeout -
-
- ADMX_UserProfiles/Readonlyuserprofile -
-
- ADMX_UserProfiles/SlowLinkDefault -
ADMX_UserProfiles/SlowLinkTimeOut
ADMX_UserProfiles/USER_HOME
-
- ADMX_UserProfiles/UploadHive -
ADMX_UserProfiles/UserInfoAccessAction
-
- ADMX_UserProfiles/WaitForNetwork -
- -**ADMX_UserProfiles/AddAdminGroupToRUP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting adds the Administrator security group to the roaming user profile share. - -Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. - -For the Windows XP Professional and Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the administrators group. - -By configuring this policy setting, you can alter this behavior. - -If you enable this policy setting, the administrator group is also given full control to the user's profile folder. - -If you disable or do not configure this policy setting, only the user is given full control of their user profile, and the administrators group has no file system access to this folder. - -> [!NOTE] -> If the policy setting is enabled after the profile is created, the policy setting has no effect. -> -> The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. -> -> In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions. -> -> The behavior when this policy setting is enabled is exactly the same behavior as in Windows NT 4.0. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Add the Administrators security group to roaming user profiles* -- GP name: *AddAdminGroupToRUP* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/CleanupProfiles** @@ -255,301 +120,6 @@ ADMX Info:
- -**ADMX_UserProfiles/CompatibleRUPSecurity** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the more secure default setting for the user's roaming user profile folder. - -After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. - -For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions if the profile folder already exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct. - -By configuring this policy setting, you can alter this behavior. - -If you enable this policy setting Windows will not check the permissions for the folder in the case where the folder exists. - -If you disable or do not configure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user's cached profile will be used, or a temporary profile issued if no cached profile exists. - -> [!NOTE] -> The policy setting must be configured on the client computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile at creation time. -> -> The behavior when this policy setting is enabled is exactly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not check for user ownership of Roaming Profile Folders* -- GP name: *CompatibleRUPSecurity* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/Connect_HomeDir_ToRoot** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote directory. - -If you enable this policy setting, the system uses the Windows NT 4.0 definitions. %HOMESHARE% stores only the network share (such as \\\server\share). %HOMEPATH% stores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result, users can access any directory on the home share by using the home directory drive letter. - -If you disable or do not configure this policy setting, the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully qualified path to the home directory (such as \\\\server\share\dir1\dir2\homedir). Users can access the home directory and any of its subdirectories from the home drive letter, but they cannot see or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Connect home directory to root of the share* -- GP name: *Connect_HomeDir_ToRoot* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/CscSuspendDirectories** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection, to help resolve issues with applications that do not work well with Offline Files while the user is online. - -If you enable this policy setting, the network paths specified in this policy setting will be synchronized only by Offline Files during user logon and logoff, and will be taken offline while the user is logged on. - -If you disable or do not configure this policy setting, the paths specified in this policy setting will behave like any other cached data via Offline Files and continue to remain online while the user is logged on, if the network paths are accessible. - -> [!NOTE] -> You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming, Start Menu, and Documents. You should suspend only the subfolders of these parent folders. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Specify network directories to sync at logon/logoff time only* -- GP name: *CscSuspendDirectories* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/DeleteRoamingCachedProfiles** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. - -Roaming profiles reside on a network server. By default, when users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load. - -If you enable this policy setting, any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile still remains on the network server that stores it. - -If you disable or do not configure this policy setting, Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. - -> [!IMPORTANT] -> Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link, the system requires a local copy of the user's roaming profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Delete cached copies of roaming profiles* -- GP name: *DeleteRoamingCachedProfiles* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/DontForceUnloadHive** @@ -621,233 +191,6 @@ ADMX Info:
- -**ADMX_UserProfiles/EnableSlowLinkDetect** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the detection of slow network connections. - -Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related policy settings in this folder tell the computer how to respond. - -If you enable this policy setting, the system does not detect slow connections or recognize any connections as being slow. As a result, the system does not respond to slow connections to user profiles, and it ignores the policy settings that tell the system how to respond to a slow connection. - -If you disable this policy setting or do not configure it, slow link detection is enabled. The system measures the speed of the connection between the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout for user profiles" policy setting), the system applies the other policy settings set in this folder to determine how to proceed. By default, when the connection is slow, the system loads the local copy of the user profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Disable detection of slow network connections* -- GP name: *EnableSlowLinkDetect* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/EnableSlowLinkUI** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting provides users with the ability to download their roaming profile, even when a slow network connection with their roaming profile server is detected. - -If you enable this policy setting, users will be allowed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is detected. - -In operating systems earlier than Microsoft Windows Vista, a dialog box will be shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote copy of the user profile. In Microsoft Windows Vista, a check box appears on the logon screen and the user must choose whether to download the remote user profile before Windows detects the network connection speed. - -If you disable or do not configure this policy setting, the system does not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" policy setting, the system downloads the remote copy of the user profile without consulting the user. In Microsoft Windows Vista, the system will ignore the user choice made on the logon screen. - -> [!NOTE] -> This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier than Microsoft Windows Vista, use the "Timeout for dialog boxes" policy setting. - -> [!IMPORTANT] -> If the "Do not detect slow network connections" setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prompt user when a slow network connection is detected* -- GP name: *EnableSlowLinkUI* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/ExcludeDirectories** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers. - -> [!NOTE] -> When excluding content from the profile you should try to exclude the narrowest set of data that will address your needs. For example, if there is one application with data that should not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\Roaming folder to the exclusion list. - -By default, the Appdata\Local and Appdata\LocalLow folders and all their subfolders such as the History, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile. - -In operating systems earlier than Microsoft Windows Vista, only the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile by default. - -If you enable this policy setting, you can exclude additional folders. - -If you disable this policy setting or do not configure it, only the default folders are excluded. - -> [!NOTE] -> You cannot use this policy setting to include the default folders in a roaming user profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Exclude directories in roaming profile* -- GP name: *ExcludeDirectories* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/LeaveAppMgmtData** @@ -1000,307 +343,6 @@ ADMX Info:
- -**ADMX_UserProfiles/LocalProfile** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. - -Using the setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. - -If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. - -If you disable this setting or do not configure it, the default behavior occurs, as indicated above. - -If you enable both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting, roaming profiles are disabled. - -> [!NOTE] -> This setting only affects roaming profile users. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Only allow local user profiles* -- GP name: *LocalProfile* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/MachineProfilePath** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all users logging onto this computer. - -To use this policy setting, type the path to the network share in the form \\\\Computername\Sharename\. It is recommended to use a path such as \\\\Computername\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile. - -If you enable this policy setting, all users logging on this computer will use the roaming profile path specified in this policy. - -If you disable or do not configure this policy setting, users logging on this computer will use their local profile or standard roaming user profile. - -> [!NOTE] -> There are four ways to configure a roaming profile for a user. Windows reads profile configuration in the following order and uses the first configured policy setting it reads. - -1. Terminal Services roaming profile path specified by Terminal Services policy -2. Terminal Services roaming profile path specified by the user object -3. A per-computer roaming profile path specified in this policy -4. A per-user roaming profile path specified in the user object - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set roaming profile path for all users logging onto this computer* -- GP name: *MachineProfilePath* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/PrimaryComputer_RUP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. - -To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. - -If you enable this policy setting and the user has a roaming profile, the roaming profile is downloaded on the user's primary computer only. - -If you disable or do not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Download roaming profiles on primary computers only* -- GP name: *PrimaryComputer_RUP* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/ProfileDlgTimeOut** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user profiles. - -The default user profile is applied when the user does not respond to messages explaining that any of the following events has occurred: - -- The system detects a slow connection between the user's computer and the server that stores users' roaming user profiles. -- The system cannot access users' server-based profiles when users log on or off. -- Users' local profiles are newer than their server-based profiles. - -If you enable this policy setting, you can override the amount of time Windows waits for user input before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the number of seconds Windows should wait for user input. The minumum value is 0 seconds, and the maximum is 600 seconds. - -If you disable or do not configure this policy setting, Windows waits 30 seconds for user input before applying the default user profile . - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Establish timeout value for dialog boxes* -- GP name: *ProfileDlgTimeOut* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/ProfileErrorAction** @@ -1374,241 +416,6 @@ ADMX Info:
- -**ADMX_UserProfiles/ProfileUnloadTimeout** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. When the number of trials specified by this policy setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match. - -When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute). - -If you enable this policy setting, you can adjust the number of times the system tries to unload and update the user's registry settings. (You cannot adjust the retry rate.) - -If you disable this policy setting or do not configure it, the system repeats its attempt 60 times. - -If you set the number of retries to 0, the system tries just once to unload and update the user's registry settings. It does not try again. - -> [!NOTE] -> This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users' registry settings when they log off, the system's first few attempts to unload the user settings are more likely to fail. - -This policy setting does not affect the system's attempts to update the files in the user profile. - -> [!TIP] -> Consider increasing the number of retries specified in this policy setting if there are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile. - -Also, check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update the files in a user profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Maximum retries to unload and update user profile* -- GP name: *ProfileUnloadTimeout* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/Readonlyuserprofile** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. - -By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. - -Using this policy setting, you can prevent changes made to a roaming profile on a particular computer from being persisted. - -If you enable this policy setting, changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off. - -If you disable or not configure this policy setting, the default behavior occurs, as indicated above. - -> [!NOTE] -> This policy setting only affects roaming profile users. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prevent Roaming Profile changes from propagating to the server* -- GP name: *Readonlyuserprofile* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/SlowLinkDefault** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed. - -This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. - -If you enable this policy setting, the system waits for the remote copy of the roaming user profile to load, even when loading is slow. - -If you disable this policy setting or do not configure it, when a remote profile is slow to load, the system loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when slow link is detected" policy setting), but does not respond in the time allowed (as set in the "Timeout for dialog boxes" policy setting). - -Waiting for the remote profile is appropriate when users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logging on is a priority. - -> [!IMPORTANT] -> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Wait for remote user profile* -- GP name: *SlowLinkDefault* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/SlowLinkTimeOut** @@ -1760,84 +567,6 @@ ADMX Info:
- -**ADMX_UserProfiles/UploadHive** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles are not be uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming user profile's registry file from being uploaded at user logoff. - -If "Run at set interval" is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows uploads the profile's registry file at the specified interval after the user logs on. For example, with a value of 6 hours, the registry file of the roaming user profile is uploaded to the server every six hours while the user is logged on. - -If "Run at specified time of day" is chosen, then a time of day must be specified. Once set, Windows uploads the registry file at the same time every day, as long as the user is logged on. - -For both scheduling options, there is a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the user's registry file is to be uploaded at 6pm, it will actually upload at a random time between 6pm and 7pm. - -> [!NOTE] -> If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise, if "Run at set time of day" is chosen, the "Interval (hours)" option is disregarded. - -If you enable this policy setting, Windows uploads the registry file of the user's roaming user profile in the background according to the schedule set here while the user is logged on. Regular profiles are not affected. - -If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the user is logged on. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set the schedule for background upload of a roaming user profile's registry file while user is logged on* -- GP name: *UploadHive* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/UserInfoAccessAction** @@ -1909,78 +638,7 @@ ADMX Info: -
- -**ADMX_UserProfiles/WaitForNetwork** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a response from the network before logging on a user without a remote home directory and withou synchronizing roaming user profiles. This policy setting is useful for the cases in which a network might take typically longer to initialize, such as with a wireless network. - -> [!NOTE] -> Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is disconnected or the network adapter is not available). - -If you enable this policy setting, Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value to zero causes Windows to proceed without waiting for the network. - -If you disable or do not configure this policy setting, Windows waits for the network for a maximum of 30 seconds. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set maximum wait time for the network if a user has a roaming user profile or remote home directory* -- GP name: *WaitForNetwork* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - -
Footnotes: From 2015a7ce2829bbc4b29f754f7d34411494ddc263 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:28:16 +0800 Subject: [PATCH 20/44] New updates --- .../linux-support-perf.md | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index d0a4e97401..86995376ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -78,32 +78,48 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json ``` > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. -3. You can then run a script to parse the output. - - To do this, in your Windows system, create a folder in ```C:\temp\High_CPU_util_parser_for_Linux```. +3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. + ```bash + wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py + ``` + The output of this command should be something similar to: - Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. + ```Output + --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.196.133 + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.196.133| :443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1020 [text/plain] + Saving to: 'high_cpu_parser.py' - You can then use this sample PowerShell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. - The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + 100%[===========================================>] 1,020 --.-K/s in 0s + ``` +4. Next, type the following commands: + ```bash + chmod +x high_cpu_parser.py + ``` + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` - Run the PowerShell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + The output of the above command displays all the processes and their associated scan activity. + + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + + > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). +5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. -5. Re-enable real-time protection. + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). - -4. Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). From 8d26222842313aa52ee93cccace65e370ac416f3 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:30:46 +0800 Subject: [PATCH 21/44] added link to parser --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 86995376ac..808117dc1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. +3. On your Linux system, download the sample Python parser [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From d99b6ae0b04b5d9d45c0262d567917403fc5b6e9 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:35:05 +0800 Subject: [PATCH 22/44] add link --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 808117dc1e..da1c943252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). +3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. You can also download it from this link: [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From 00d43db17b9cb9e18d07cb202469d4b22423d064 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:36:03 +0800 Subject: [PATCH 23/44] removed link --- .../microsoft-defender-atp/linux-support-perf.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index da1c943252..17e0183fc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,8 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. You can also download it from this link: [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the following command: + ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From 88dfd49ccae54e3fe2e2fd28204e3abfda98555d Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:37:46 +0800 Subject: [PATCH 24/44] removed pii --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 17e0183fc5..b8eacdcd6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -94,8 +94,8 @@ The following steps can be used to troubleshoot and mitigate these issues: ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py - Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.196.133 - Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.196.133| :443... connected. + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. HTTP request sent, awaiting response... 200 OK Length: 1020 [text/plain] Saving to: 'high_cpu_parser.py' From 1432a9f501442e76608446f05e082c66aff6c028 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:56:25 +0800 Subject: [PATCH 25/44] minor edits --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index b8eacdcd6e..9f58beceba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,12 +85,12 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the following command: +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` - The output of this command should be something similar to: + The output of this command should be similar to the following: ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py From 91345fac6f052b0894d5c4ba9827658b9397eb44 Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Wed, 25 Nov 2020 17:18:01 +1100 Subject: [PATCH 26/44] Removing Intune/MEM specific details (not within scope of CSP docs) Adding clarification on examples regarding Azure AD. Removing Intune specific reporting issues as CSP documentation should be generic. --- windows/client-management/mdm/policy-csp-userrights.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index b6f2c4f536..b1a0a67245 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -75,9 +75,6 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. -> [!NOTE] -> There is currently a reporting issue in the Microsoft Endpoint Manager (MEM) console which results in the setting reporting back a 'Remediation failed' (0x87d1fde8) error, even when the setting is successfully applied. To verify whether the setting has applied successfully, check the local Windows 10 device: Event Viewer>Applications and Services LogsWindows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin>Event ID 814. This issue is the result of the use of the CDATA tags, which are neccesary when more than a single entry is required. If there is only a single entry, the CDATA tags can be omitted - which will resolve the reporting false positive. - > [!NOTE] > `` is the entity encoding of 0xF000. @@ -87,7 +84,7 @@ For example, the following syntax grants user rights to Authenticated Users and ``` -For example, the following syntax grants user rights to two specific users from Contoso, user1 and user2: +For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2: ```xml From 8a7931d2561dad5f7ffa2ec61008a9b7377e9f20 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 26 Nov 2020 22:08:59 +0100 Subject: [PATCH 27/44] Client Management/MDM: URL & text correction As outlined in issue ticket #8682 (3rd bullet point in Requirements section is confusing, and linked page is unrelated to the link's text), "The linked page contains basically no information about registering your "enterprise AD" with Azure AD. Instead, that page is a somewhat convoluted set of sections that are sort of unrelated to anything specific." Thanks to Jeremy T. Bradshaw (JeremyTBradshaw) for identifying and reporting this issue. Changes proposed: - change the MDM page link URL to a more precise Azure AD page link - change the 3rd bullet point text to refer to the new page link Whitespace changes: - remove end-of-line redundant whitespace (blanks) Closes #8682 --- ...device-automatically-using-group-policy.md | 78 +++++++++---------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index cb162899d3..0d225aa26a 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,20 +7,20 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: -ms.reviewer: +ms.reviewer: manager: dansimp --- # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - AD-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The enterprise has configured a mobile device management (MDM) service +- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. @@ -33,7 +33,7 @@ Requirements: The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. > [!NOTE] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. @@ -42,13 +42,13 @@ In Windows 10, version 1709 or later, when the same policy is configured in GP a For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. ## Verify auto-enrollment requirements and settings -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. ![Intune license verification](images/auto-enrollment-intune-license-verification.png) -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) @@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service: ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). @@ -95,12 +95,12 @@ This procedure is only for illustration purposes to show how the new auto-enroll Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured +- Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD 1. Run GPEdit.msc - Click Start, then in the text box type gpedit. + Click Start, then in the text box type gpedit. ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) @@ -110,7 +110,7 @@ Requirements: ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. > [!NOTE] > **Device Credential** Credential Type will also work, however, it is not yet supported for MDM solutions (including Intune). We don't recommend using this option until support is announced. @@ -120,11 +120,11 @@ Requirements: 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. - > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -153,11 +153,11 @@ Requirements: 2. Under **Best match**, click **Task Scheduler** to launch it. -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. @@ -172,39 +172,39 @@ Requirements: > [!IMPORTANT] > If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. -1. Download: - +1. Download: + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)]( https://www.microsoft.com/download/confirmation.aspx?id=1005915) - + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - + 2. Install the package on the Domain Controller. - + 3. Navigate, depending on the version to the folder: - + - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - + - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - + - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** - + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - - - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. - -5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. - + +5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. + If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. - + 6. Restart the Domain Controller for the policy to be available. This procedure will work for any future version as well. @@ -218,7 +218,7 @@ This procedure will work for any future version as well. 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. +Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -254,12 +254,12 @@ To collect Event Viewer logs: Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) From 9bff12a18bed12a9274e378d8111ef966888bbd1 Mon Sep 17 00:00:00 2001 From: schmurky Date: Fri, 27 Nov 2020 15:31:10 +0800 Subject: [PATCH 28/44] Update with sample --- .../linux-support-perf.md | 26 ++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 9f58beceba..c2520ac1b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -113,11 +113,29 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of the above command displays all the processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - - - > [!NOTE] - > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + The output is list of the top contributors to the performance issues. The 1st column is the process identifier (PID), the 2nd column is te process name, and the last column is the number of scanned files, sorted by impact. + + For example, the output of the command will be something like the below: + + ```Output + mavel@mavel-mac:/Users/mavel > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool     1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1    launchd    407 + 73468 ibtool     344 + 549  telemetryd_v1   325 + 4764 None 228 + 125  CrashPlanService 164 + ``` +  + + +>[!NOTE] +> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. From b5d0b41e62fbbcbead877dbcd5385a7ae8533cdd Mon Sep 17 00:00:00 2001 From: Ben M Schorr <43045782+Beschorr@users.noreply.github.com> Date: Mon, 30 Nov 2020 16:37:54 -0800 Subject: [PATCH 29/44] Update respond-file-alerts.md Text says "Cloud-based protection..." but the in-product UI and other docs refer to it as "Cloud-delivered protection...". Updating text to standardize. --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 336099ffa7..691d1f29c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -139,7 +139,7 @@ You can prevent further propagation of an attack in your organization by banning >[!IMPORTANT] > ->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). +>- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). > >- The Antimalware client version must be 4.18.1901.x or later. >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. From d04f96611266cc8384051c6ae179a42754d0cdb1 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 30 Nov 2020 19:19:09 -0800 Subject: [PATCH 30/44] Applied `> [NOTE]`, fixed "Migitation", corrected ref link --- .../block-untrusted-fonts-in-enterprise.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 70362c9d1c..c53dbda7a1 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -1,6 +1,6 @@ --- title: Block untrusted fonts in an enterprise (Windows 10) -description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. +description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 ms.reviewer: manager: dansimp @@ -31,11 +31,14 @@ Blocking untrusted fonts helps improve your network and employee protection agai ## How does this feature work? There are 3 ways to use this feature: -- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. +- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. -- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.

**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. +- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log. -- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). + > [!NOTE] + > If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. + +- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). ## Potential reductions in functionality After you turn this feature on, your employees might experience reduced functionality when: @@ -56,7 +59,7 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through Group Policy** 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. -2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: +2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**: - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. @@ -139,7 +142,7 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa 1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic. +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. ## Related content From e38d45ee986b79719dfc20fb4c76a49f136611fb Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 30 Nov 2020 19:20:17 -0800 Subject: [PATCH 31/44] Hyphenated compound adjective --- .../threat-protection/block-untrusted-fonts-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index c53dbda7a1..df9fb54db4 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -23,7 +23,7 @@ ms.localizationpriority: medium >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. +To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. ## What does this mean for me? Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on. From f56a7dd035017370ef5ff97c8ad8a265ebe7fa65 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 1 Dec 2020 12:41:16 +0530 Subject: [PATCH 32/44] Add DISM command to 2 more migration articles as per PR #8700 Added DISM command in these two articles as per: https://github.com/MicrosoftDocs/windows-itpro-docs/pull/8700#pullrequestreview-541269350 (The two articles are this one: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup and this one: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup) --- .../mcafee-to-microsoft-defender-setup.md | 6 ++++++ .../switch-to-microsoft-defender-setup.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 858c7f0d06..6e55918615 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -91,6 +91,12 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+> [!NOTE] +> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. +> Example:
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+ 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
`Get-Service -Name windefend` diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index b8c66898af..28403de16e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -87,6 +87,12 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+> [!NOTE] +> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. +> Example:
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+ 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
`Get-Service -Name windefend` From d41fb45e8593df1da4da6bef8a7391b66253c5ab Mon Sep 17 00:00:00 2001 From: Ben Date: Tue, 1 Dec 2020 12:13:34 +0200 Subject: [PATCH 33/44] Update get-started-partner-integration.md --- .../get-started-partner-integration.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 3ab82897fa..fd7da12f88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -50,14 +50,14 @@ To have your company listed as a partner in the in-product partner page, you wil 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done. 5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application. 6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). - Follow these steps: - 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP-integrated product with the version of the product that includes this integration. - - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}` - - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` - 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` + - Set the User-Agent field in each HTTP request header to the name based on the Following nomenclature. + - `MsdePartner-{CompanyName}-{ProductName}/{Version}` + + - For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` + + - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. From a86bdcca8dda061766281db5f04efe271a66dc6b Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 1 Dec 2020 19:58:59 +0800 Subject: [PATCH 34/44] remove alias --- .../microsoft-defender-atp/linux-support-perf.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index c2520ac1b7..2281e692f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -110,16 +110,12 @@ The following steps can be used to troubleshoot and mitigate these issues: cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log ``` - The output of the above command displays all the processes and their associated scan activity. - - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - - The output is list of the top contributors to the performance issues. The 1st column is the process identifier (PID), the 2nd column is te process name, and the last column is the number of scanned files, sorted by impact. + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: ```Output - mavel@mavel-mac:/Users/mavel > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703 73467 actool     1249 73914 xcodebuild 1081 @@ -131,11 +127,11 @@ The following steps can be used to troubleshoot and mitigate these issues: 4764 None 228 125  CrashPlanService 164 ``` -  - +   + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). ->[!NOTE] -> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + >[!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. From e15a00e7e5a328e635cc204396a9373abfbc0d93 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 1 Dec 2020 20:02:54 +0800 Subject: [PATCH 35/44] removed indent --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 2281e692f9..e6585fc97f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -128,7 +128,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 125  CrashPlanService 164 ```   - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). >[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. From d9cbe353e85a8f0e1679c1e9d1a2334ffa0d0132 Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Tue, 1 Dec 2020 09:10:44 -0800 Subject: [PATCH 36/44] Updated new ownership to robsize Updated new ownership to robsize --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c72bdf03e9..1e031a8873 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -14,7 +14,7 @@ ms.author: obezeajo manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 7/7/2020 +ms.date: 12/1/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services From 98fa7e0b1080189875ad55c5cc872a4a5a32c04f Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Tue, 1 Dec 2020 10:08:34 -0800 Subject: [PATCH 37/44] Updated msauthor to robsize Updated msauthor to robsize ; obezeajo moving to another project --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1e031a8873..8cb3b4d424 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -10,11 +10,11 @@ ms.sitesec: library ms.localizationpriority: high audience: ITPro author: linque1 -ms.author: obezeajo +ms.author: robsize manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/1/2020 +ms.date: 12/1/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services From 9f0769a350cde5972f9eb280d0c27e58a35f7a94 Mon Sep 17 00:00:00 2001 From: Obi Eze Ajoku <62227226+linque1@users.noreply.github.com> Date: Tue, 1 Dec 2020 10:43:33 -0800 Subject: [PATCH 38/44] Removing space after date Removing space after date --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8cb3b4d424..4c6e0b8880 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -14,7 +14,7 @@ ms.author: robsize manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/1/2020 +ms.date: 12/1/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services From 05868908dfc5a42def9104331b4ad36498eeae25 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 1 Dec 2020 14:01:32 -0800 Subject: [PATCH 39/44] Various minor fixes, mostly Acrolinx --- .../microsoft-defender-atp/indicator-certificates.md | 2 +- .../microsoft-defender-atp/ios-configure-features.md | 2 +- .../microsoft-defender-atp/mac-install-with-intune.md | 2 +- .../password-must-meet-complexity-requirements.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index 6948f7a392..f0439ebf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -42,7 +42,7 @@ It's important to understand the following requirements prior to creating indica - This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. -- The virus and threat protection definitions must be up-to-date. +- The virus and threat protection definitions must be up to date. - This feature currently supports entering .CER or .PEM (Base64 ASCII) encoding based certificates. >[!IMPORTANT] diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 68c6dfd43f..733c2fdbd1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -37,7 +37,7 @@ ms.topic: conceptual ## Configure compliance policy against jailbroken devices -To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you setup the following compliance policy on Intune. +To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. > [!NOTE] > Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index cb1c7d7be7..319d2756e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -56,7 +56,7 @@ The following table summarizes the steps you would need to take to deploy and ma | [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | | [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | -| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | +| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | | [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index d9e0d8d50b..c1ccd042f6 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password. From 13803f2d5c754fbfaf0722e7b69295cb3abdec53 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 1 Dec 2020 15:10:56 -0700 Subject: [PATCH 40/44] safety commit --- .../update/feature-update-mission-critical.md | 4 +- .../update/how-windows-update-works.md | 63 +++++++++---------- .../update/waas-manage-updates-wufb.md | 22 +++---- windows/deployment/update/waas-restart.md | 25 ++++---- .../update/windows-update-errors.md | 19 +++--- .../update/windows-update-troubleshooting.md | 16 ++--- 6 files changed, 74 insertions(+), 75 deletions(-) diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index a36563477b..c44569853e 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -31,10 +31,10 @@ Devices and shared workstations that are online and available 24 hours a day, 7 You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. +- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. - **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. -If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates. +If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates. Use the following information: diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 6bab8477a5..44bbae9ebf 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -28,7 +28,7 @@ The Windows Update workflow has four core areas of functionality: ### Download -1. Orchestrator initiates downloads. +1. Orchestrator starts downloads. 2. Windows Update downloads manifest files and provides them to the arbiter. 3. The arbiter evaluates the manifest and tells the Windows Update client to download files. 4. Windows Update client downloads files in a temporary folder. @@ -36,54 +36,54 @@ The Windows Update workflow has four core areas of functionality: ### Install -1. Orchestrator initiates the installation. +1. Orchestrator starts the installation. 2. The arbiter calls the installer to install the package. ### Commit -1. Orchestrator initiates a restart. +1. Orchestrator starts a restart. 2. The arbiter finalizes before the restart. ## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn't disrupt your computer usage. +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. ## Scanning updates ![Windows Update scanning step](images/update-scan-step.png) The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. Make sure you're familiar with the following terminology related to Windows Update scan: |Term|Definition| |----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.| |Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| |Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. | |Full scan|Scan with empty datastore.| |Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | +|Online scan|Scan that uses the network and to check an update server. | +|Offline scan|Scan that doesn't use the network and instead checks the local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.| +|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.| +|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).| +|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.| +|ProductSync|A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud. | ### How Windows Update scanning works -Windows Update takes the following sets of actions when it runs a scan. +Windows Update does the following actions when it runs a scan. #### Starts the scan for updates When users start scanning in Windows Update through the Settings panel, the following occurs: -- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the WU engine to scan for updates. +- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. - "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. - Windows Update uses the thread ID filtering to concentrate on one particular task. ![Windows Update scan log 1](images/update-scan-log-1.png) @@ -91,20 +91,19 @@ When users start scanning in Windows Update through the Settings panel, the foll #### Identifies service IDs - Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. ![Windows Update scan log 2](images/update-scan-log-2.png) - Common service IDs > [!IMPORTANT] - > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service. |Service|ServiceId| |-------|---------| -|Unspecified / Default|WU, MU or WSUS
00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Unspecified / Default|WU, MU, or WSUS
00000000-0000-0000-0000-000000000000 | +|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| +|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| |OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| |WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | @@ -115,33 +114,33 @@ Common update failure is caused due to network issues. To find the root of the i - Look for "ProtocolTalker" messages to see client-server sync network traffic. - "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. +- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting. > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager. + > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. -- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured. +- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured. ![Windows Update scan log 3](images/update-scan-log-3.png) ## Downloading updates ![Windows Update download step](images/update-download-step.png) -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device. -To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization technology which downloads updates and reduces bandwidth consumption. +To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption. -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). +For more information, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). ## Installing updates ![Windows Update install step](images/update-install-step.png) When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. +The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. ## Committing Updates ![Windows Update commit step](images/update-commit-step.png) -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. -For more information see [Manage device restarts after updates](waas-restart.md). +For more information, see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index d1f41bc2bd..00fb15eb81 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -27,7 +27,7 @@ Windows Update for Business is a free service that is available for all premium Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. -Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization. +Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. ## What can I do with Windows Update for Business? @@ -47,9 +47,9 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: - **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. -- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. -- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. -- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. +- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. +- **Microsoft product updates**: Updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. ## Offering @@ -71,7 +71,7 @@ Prior to Windows 10, version 1903, there are two channels for released updates: #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. |Category |Maximum deferral period | @@ -88,10 +88,10 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). -Built in benefits: -When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. +Built-in benefits: +When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. ### Recommendations @@ -104,13 +104,13 @@ For the best experience with Windows Update, follow these guidelines: ### Manage the end-user experience when receiving Windows Updates -Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience. +Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience. #### Recommended experience settings Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install and restart (default if no restart policies are set up or enabled) +1. Automatically download, install, and restart (default if no restart policies are set up or enabled) 2. Use the default notifications 3. Set update deadlines @@ -118,7 +118,7 @@ Features like the smart busy check (which ensure updates don't happen when a use A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates. -This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. +This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 4f59f66eec..cf357be8c6 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -1,6 +1,6 @@ --- title: Manage device restarts after updates (Windows 10) -description: Use Group Policy settings, mobile device management (MDM) or Registry to configure when devices will restart after a Windows 10 update is installed. +description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed. ms.prod: w10 ms.mktglfcycl: deploy author: jaimeo @@ -23,7 +23,7 @@ ms.custom: > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. +You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation @@ -77,11 +77,12 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.mi ### Configuring active hours through Registry -This method is not recommended, and should only be used when neither Group Policy or MDM are available. +This method is not recommended, and should only be used when you can't use Group Policy or MDM. Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. -You should set a combination of the following registry values, in order to configure active hours. -Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. +Configure active hours by setting a combination of the following registry values: + +Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart** and **ActiveHoursEnd** to specify the range of active hours. For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). @@ -100,7 +101,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan ## Limit restart delays -After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. +After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14. ## Control restart notifications @@ -137,7 +138,7 @@ In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarnin ### Engaged restart -Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts. +Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts. The following settings can be adjusted for engaged restart: * Period of time before auto-restart transitions to engaged restart. @@ -183,19 +184,19 @@ The following tables list registry values that correspond to the Group Policy se | Registry key | Key type | Value | | --- | --- | --- | -| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | +| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at a scheduled time | | AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | | AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates
3: automatically download and notify for installation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | -| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -There are 3 different registry combinations for controlling restart behavior: +There are three different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. -- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. +- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. - To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. -## Related topics +## Related articles - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 11dff0bce0..d2cb1994d5 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -7,7 +7,6 @@ audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article @@ -23,18 +22,18 @@ The following table provides information about common errors you might run into | Error Code | Message | Description | Mitigation | |------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


Additionally , you can take a network trace and see what is timing out. \ | +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | | 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | | 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the to restart. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | | 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user orservice. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | | 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | | 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | | 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 32a55ed102..92db02e305 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -53,7 +53,7 @@ The update that is offered to a device depends on several factors. The following If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a deployment group, that your admin is intentionally slowing the rollout of updates. Since the deployment is slow and measured to begin with, all devices will not receive the update on the same day. ## My device is frozen at scan. Why? -The Settings UI communicates with the Update Orchestrator service which in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps: +The Settings UI communicates with the Update Orchestrator service that in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps: 1. Close the Settings app and reopen it. @@ -151,7 +151,7 @@ Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping ## Issues arising from configuration of conflicting policies Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors. -See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. +For more information, see [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. ## Device cannot access update files @@ -183,7 +183,7 @@ Windows 10 devices can receive updates from a variety of sources, including Wind Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. -|Output|Interpretation| +|Output|Meaning| |-|-| |- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | |- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. | @@ -213,9 +213,9 @@ From Windows Update logs: 2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] ``` -In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. +In the above log snippet, we see that the `Criteria = "IsHidden = 0 AND DeploymentAction=*"`. "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration. +As shown in the following logs, automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration. ```console 2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] @@ -231,15 +231,15 @@ Now if you look at the below logs, the Automatic update runs the scan and finds ``` ## High bandwidth usage on Windows 10 by Windows Update -Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. +Users might see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components. -The following group policies can help mitigate this: +The following group policies can help mitigate this situation: - Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](https://gpsearch.azurewebsites.net/#4728) (Set to enabled) - Driver search: [Policy Specify search order for device driver source locations](https://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") - Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](https://gpsearch.azurewebsites.net/#10876) (Set to enabled) -Other components that reach out to the internet: +Other components that connect to the internet: - Windows Spotlight: [Policy Configure Windows spotlight on lock screen](https://gpsearch.azurewebsites.net/#13362) (Set to disabled) - Consumer experiences: [Policy Turn off Microsoft consumer experiences](https://gpsearch.azurewebsites.net/#13329) (Set to enabled) From 07054d11a1db8f179694a651efd228f6cf8e0630 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 1 Dec 2020 15:31:20 -0700 Subject: [PATCH 41/44] safety commit --- .../update-compliance-configuration-manual.md | 18 +++++----- .../update/windows-update-errors.md | 2 +- .../deployment/update/windows-update-logs.md | 33 +++++++++---------- 3 files changed, 26 insertions(+), 27 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 8911262e12..c03db874bb 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -22,7 +22,7 @@ There are a number of requirements to consider when manually configuring devices The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. -2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. +2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. 4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. @@ -34,7 +34,7 @@ The requirements are separated into different categories: Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: - **Policy** corresponds to the location and name of the policy. -- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional). +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnosttic data, but can function off Enhanced or Full (or Optional). - **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. ### Mobile Device Management policies @@ -44,8 +44,8 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e | Policy | Value | Function | |---------------------------|-|------------------------------------------------------------| |**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | > [!NOTE] @@ -58,8 +58,8 @@ All Group Policies that need to be configured for Update Compliance are under ** | Policy | Value | Function | |---------------------------|-|-----------------------------------------------------------| |**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. | -|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines. See the following policy for more information. | -|**Configure telemetry opt-in setting user interface** | 1 - Disable telemetry opt-in Settings |(in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | +|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. | +|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | ## Required endpoints @@ -72,9 +72,9 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | | `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | | `http://adl.windows.com` | Required for Windows Update functionality. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | -| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). | +| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | ## Required services @@ -83,7 +83,7 @@ Many Windows and Microsoft services are required to ensure that not only the dev ## Run a full Census sync -Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. +Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this behavior, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script will do a full sync. A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index d2cb1994d5..2747e7d1f7 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -29,7 +29,7 @@ The following table provides information about common errors you might run into | 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | | 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | | 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | | 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the to restart. | | 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | | 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 1e40aac62e..983298729f 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,13 +1,12 @@ --- title: Windows Update log files -description: Learn about the Windows Update log files and how to merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file. +description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file. ms.prod: w10 ms.mktglfcycl: audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article @@ -21,21 +20,21 @@ ms.custom: seo-marvel-apr2020 The following table describes the log files created by Windows Update. -|Log file|Location|Description|When to Use | +|Log file|Location|Description|When to use | |-|-|-|-| -|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| -|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. | -|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | -|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by NotificationUxBroker.exe. |When you want to check whether the notification was triggered or not. | +|CBS.log|%systemroot%\Logs\CBS|This log provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to Windows Update installation.| ## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru). +To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru). >[!NOTE] >When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. ### Windows Update log components -The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: +The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: - AGENT- Windows Update agent - AU - Automatic Updates is performing this task @@ -93,12 +92,12 @@ The time stamp indicates the time at which the logging occurs. The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. - The first four hex digits are the process ID. - The next four hex digits are the thread ID. -- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. +- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID. ![Windows Update process and thread IDs](images/update-process-id.png) #### Component name -Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: +Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows: - ProtocolTalker - Client-server sync - DownloadManager - Creates and monitors payload downloads @@ -122,15 +121,15 @@ There are different identifiers for the same update in different contexts. It's ##### Revision ID -- A Revision ID (do no confuse this with "revision number") is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- A Revision ID (don't confuse this value with "revision number") is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that is not related to the previous ID. - Revision IDs are unique on a given update source, but not across multiple sources. -- The same update revision may have completely different revision IDs on WU and WSUS. -- The same revision ID may represent different updates on WU and WSUS. +- The same update revision might have different revision IDs on Windows Update and WSUS. +- The same revision ID might represent different updates on Windows Update and WSUS. ##### Local ID -- Local ID is a serial number issued when an update is received from a service by a given WU client -- Usually seen in debug logs, especially involving the local cache for update info (Datastore) +- Local ID is a serial number issued when an update is received from a service by a given Windows Update client +- Typically seen in debug logs, especially involving the local cache for update info (Datastore) - Different client PCs will assign different Local IDs to the same update - You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file From 79ba6f31271c1528d32e1330f2d4b73ba1050f14 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 1 Dec 2020 15:52:48 -0700 Subject: [PATCH 42/44] typos --- .../update/update-compliance-configuration-manual.md | 2 +- windows/deployment/update/waas-manage-updates-wufb.md | 8 ++++---- windows/deployment/update/windows-update-errors.md | 4 ++-- windows/deployment/update/windows-update-logs.md | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index c03db874bb..b96d2edfd6 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -34,7 +34,7 @@ The requirements are separated into different categories: Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: - **Policy** corresponds to the location and name of the policy. -- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnosttic data, but can function off Enhanced or Full (or Optional). +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional). - **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. ### Mobile Device Management policies diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 00fb15eb81..1a27cda457 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -65,9 +65,9 @@ The branch readiness level enables administrators to specify which channel of fe - Windows Insider Fast - Windows Insider Slow - Windows Insider Release Preview -- Semi-annual Channel +- Semi-Annual Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update @@ -186,9 +186,9 @@ The branch readiness level enables administrators to specify which channel of fe - Windows Insider Fast - Windows Insider Slow - Windows Insider Release Preview -- Semi-annual Channel for released updates + - Semi-Annual Channel for released updates -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release's Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days will be calculated against a release's Semi-Annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. ### Recommendations diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 2747e7d1f7..0cad11e031 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -30,10 +30,10 @@ The following table provides information about common errors you might run into | 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | | 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | | 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the to restart. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | | 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | | 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user orservice. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | | 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | | 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | | 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 983298729f..ed776f86d0 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -113,7 +113,7 @@ Search for and identify the components that are associated with the IDs. Differe ##### Update ID and revision number There are different identifiers for the same update in different contexts. It's important to know the identifier schemes. -- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time +- Update ID: A GUID (indicated in the previous screenshot) that's assigned to a given update at publication time - Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service - Revision numbers are reused from one update to another (not a unique identifier). - The update ID and revision number are often shown together as "{GUID}.revision." From 084cb840b0d326f585e0610562b33564d534f28b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 2 Dec 2020 22:08:18 +0500 Subject: [PATCH 43/44] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 4530161e10..7b1c044a64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -226,7 +226,7 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that |Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | -||Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +|Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | |Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | |Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | |Validate handle usage | App-level only | StrictHandle | Audit not available | From 132bc8e0fed87e9c1f0cc44af7d1f23422110396 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 2 Dec 2020 14:36:56 -0800 Subject: [PATCH 44/44] Fixed typo --- windows/client-management/mdm/policy-csp-admx-userprofiles.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index f435439049..3f00b44db1 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -389,7 +389,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. -If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. @@ -462,7 +462,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. -To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined. +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load.

zeTzAH`eoKpLD6!?V%9Oes|%9gSsO+}-~3~1mA;^)q(lg%C5MVCq^s^|G0NcDq0~yV zd6K#w13m;rwxK+Vul4@3*OJSK5p!rFeg2INqfu<5Do+({we>3BwigeM)RdY^9y)rF z1bH8}K*3mg6uCax_f7^xlBLvBLnDJK^J{u8r$bQ>4Uajc0sw&%6RQp8(fcylGRD%m zs?A0}l?dhw`lC`+L1tUZ;^GtKzNvM^Cu$D{p7R+zULUkNx~V*UcDvpm9h#EdR?}>_q!JHcfTcb3>9kWRWRJ*^s&p`JSvzsNN+JUoWz91>%UL+23fv=Tj zlkIKX@FXi??0iqck@{Stx$yu_!2y?TrR~MZawcK3a~7B4@xAwTwglHWAC%Vd((!pM z$8v^^%LC{xNm4C9QFLCwXoMZ=Uo`ZIEHCOB|NX-f;6fIu@dksi#>dLAt6!@|Wq^5SKi*eXjJV=Fvgi6%gkyWD^ zsVTq|OZG<)CSR_UWQLc$UEn^sg$kB16q(|QiHT`&-F_2}AQ%jVxC>Y|pxRvey`lvEM&nSuf?wD-rC4-!m(>+;4V{zTD- z?OISYwU?(HsU_L!@M*R5DZ)^j;rx?;qI~5irK{uR;j-ms*;Iun5^#5Pi*-@)(L&=y zytlhkkrVza+n43F!ut1)=Cv=y>`+`M6w^UcCuxL{%5I%sR24FqDA{MhDzB(IZJ}+W z?T1Q6L6&3oNotIuFPyMHWST})Tyi~4Z0GYvJZ=~PV~lxOTYzz5A zwYpz_laqV#opw+`QF(H14&nPpn!c3{xONk8Ak@~@dO*9c!EIP=-=p|Vn;C*dqXpZ? zY)k$P1VToVXbJijza#FtYQ3$u=<66Zru6IU>!LDJ1vj#cV!>hrrMw~3D}q)|^gqde zHYngMH#>_Y7>Gy2`B{7=LV-x%`*oyF6QdMM%sMjtX5L*b=P$~yG9D+gYQ0s$rq>7> zG{~{eY~wjUWG*bilfB(*l2%j0LkNnDED%tG=S#aLDR{@@-}>5}(_t4CC*2th_73H5 zy6Q=V@kz$^DT4EfhnpH#YtwZO2uK2&u!`}DadC+gob}9_+|B@9=|0m1Qq0?X_z&w* zHZq^YL`6S%i}LyV`ybLQ;G90rK3w6sUF{AoIGX3$nVO~uo0)w|Z+3vgwHj)AQ#?8p zf<+^1;2%2H9)zRq6>Y2EH%XEUiyixV^k=2>i57^-APyTX<9+({sX}G3On@5IC!qsT zxVrPohpqTLvZhrQ)Bo}QnmG#!lP{SJ5i@;r-kvmGC@;dO+x5!K%bA0{T| zI`YI~!Py%+4e^lV!DqKJnE3mZWe#6f5lcv^uzprvP0ftzo3A!z743#yW77Sk##qaXe7iTlR0M^dzW#irJ$wwUE)y|74Ga2)+)F<)u`ojJ1Q3bqf5>72t|BNn z_$z`B?XbmMg-?0=Q%XQUKoB}$R(dG=MaV0R_X`U8D}McYqd8kSZ())WFtrzEmH;XI z`3R9RjyIgAgFV(7wjbjPq+w`|x!!K+PYi8y82+~rMy|=6ask&a2`LprdqWXRy^kxA zammOd@CJ>4l*g`70|ZBF;#cTNQby&`>wEK&6jEX_6|;+`Rq$Fe-TWn#Parq|rk%LF z&8AU)wGlwt{MKD#=_q}J zR;K=UZUAgQ+#%$jzf4ClO%R$A0MJ(FpE(J7`pz2++2D-BgaUxAU-)S$|2gMA9JGcwXw@hGsBEbl%lN6(&qGqf46SXAqWy>9TQD zeKSO2^r@DwFzJ=)erZ~hkvy`Xb7_5r#MMYiSTFR)|sP!k!^ z5{rqJ6(cRGUc8NQc$gJ=AV0NVK*wJYAsW|f?~^WpvlOEue1E#0bfk3a7m?Sa7dkB9 z7)SaFAzN4C&_^%Eq)0>J_KIJ>DqmjviWLD#!h%w=4%uYP417(}=O)z%2X`Hvx2v=; z<49Pr-($ff(kgz<0QL@8rz*7Am_nRur1WXhln{iHnF;PPVc#8GEY(g6M!rJ0$;kyS zv~R(6&9C3?x?!A}>JQ-Eyo1C{I#PyEW7q2P$5?#bmHI<)H*mxdKYDDR0$Zy~{EPSa z!_VPMs(g<9VQl%TTeL6m)Ky>MK|%!dqJ^I{TU%Q!ENl-Yw6%2*d(*tU{AYZsRH`Z@ zCN}s+T|*7Qr))2b%MtU9?HiBgGtlt&s66-U6iZBO3@*1DEfyA5iB|nWGxHChuVj9B zW4MI`LM(G_%a7R*kr>RFW-S@{Wv3zMr|^L8Ou5QSMl%VVA7r^n@}gsWkr(u{`VzZH zF=113((^O@zxY3g?&s7O(z^IJgfUl=qkNe?j3$5F&|<*Rc44euO&tXy8_mWHtTyZo8MWW&b)>Mp4nu&d%j3*|_nz=>UWi%B2Oi8$-0R zmRG5r4iM!!90)nRBUxQf8^Qd;hg$e{LB>HVa||E4JTrl6v9zb*Q z>-w6>gQoTbXB|)ad-N)^4(?>|Eq&@;4;9i)=ttel=MSAwIMStAGzFd}x$0DCk9pHr z60g&Yxm8e7@?Gl5uBLqf7 zs|6Pot((|oC9_CU#Ii?vp0Ch!M^!)Vft z`tpIs79l(K_mPpqC6$y&{Rcn9Sk~AQ5{7l2ruZsC@4l@P3dVZ^raS)N1%;u>N9b3j z_0Q_eqQ`D@2@Uinj_%Q9h)p(V(kI*m$YZyooOuO5&(CNW>}PtaZ$|T0|BW@DWc5&I zbq}nOHeM#E4~`5O9PQV({2RxyDMT)7e&C`{_n;R2w=TiJ1P#5tIGRd?UN=KU>dTf@ znw{vNZX4PF8Gd$|(6MT~#pW_{HUK#S&-twJb0+KT{1D*?`|aQ1bA^S{Hv}abwFzok63%LPBjIQ}Fv2|J z$`<~6&waClhTFbWu^^d_6$8p#0l3w&2ke5WJxea=nzQ!@Zkkl@ksEj*cz{#ygu=5s z;N8X;_wh4?2I%MX_edhhODHiYB@KS7#;R0%fzDkRGsmH6GSKT^*WFPuFx3pXP5QbQ@QFW#|@9jaOq4zAt7&x9;b5W@Q*+eHpYMA;pIMUO-)C))!5E2 z@>TZ*1R(&0cx>5uNeW=L#X3vwzr6ZZM)cDi!arYS@v}^iGjL`(?5DytKCmO7c&HF zi6M}J?G6I75aZa1H3x(FfV?>n!!U!BjpZB9ImMlM!cpn-KJ&?G&Y~gEb3k9F6~z`n z&sYEwOk-W61&Fng|L9_O()Xaendm>Ydn+5BXuZXLynAv}XQJb)hWll0Pj8xTtb*>rIYxcg{a*!1Hhr)54-U{8Qdf~KktEw}nA)Ms zC)8ZBfbMY z$uw7(rMR!2i4eK?rCK!w13V9sJAZnICa1lj#q##iUK|ZcLq&4w0u0p{Q#%$$gMX-F z$qvY@BIZeUdzi6TjMPbLTy;03 zDGrFg6MZYn6tR%rLyr7KN$)G0zQmz#s~)Qe%9zlulYu;BPC-$Tyxg8BS0sG9*ibvW zkwvLQrBhK^Q^+mQ;nk1T)kk-{LnICN?%Kn}dK8eBo9fGKT&Y{{)Us=D$jCgrQB9cC zz`I_tXXqArw-eEPqH~l|>u@j=KGm1j=YG;IA}x)a`FO&t<#8(%f`Sax2t=^#2|-TP~0sc6-DT|(Ac)-#njhb zzf@%gKb?UNl8eL1Sl#Xb#`B-aX@(7#fm8um3<9J$7vp=+ydr zula-Yz9n7Fu_$O7t|cP6t~KHe97YApJE}WkSNpS?&)U>%Q|)Bf(;H{FQVh3g3ESB* z$cPyGkp@)YSeG!Di8NBX5IP5?-*S##7{-ZD(6`$-+CZV9LbUu1! zU6DkmMf{UY3{V~AEmv>B4I6bnyl%NWE50~fj%}FZ5EqwFY1idte8V`WXCYd(=-li+ zZsl~i;KMp5J}OtwnjRl7lt`~RSLcZjLP(PSNXcSDL{$|Nz+z%jj_L*Oh*x?MtkvZv z#3JGm@0&lruc4j{)8(raS8ztpWJ`;qSC&`(_x5KhQIA|Zj#%B_!bRz$HJJgt3j)*D zCs9a$=pgPbv1EdQ8S>Z*)vvRJ3Mbx)0tY8w>d2yIjsyT*7v zG27`F_eq7t9+Q^q7FM0r;*fRu9bJkX!?9p{`q$M>Sq3;)%reu+4iM(yR?8lEVEWhXWltwrODvOr;}hPskaSZrso+h zj!avUG4zVIe#rrGR@=R`en&0A5G?)FdMgSV($Ks-vNp|Ix>Ppn9PM_mIOVu%*F~c% ztRn$MMd3^?yjr>5JqISe8w6w`E>R(&*CB(;!DJFu_1!{KtVV5YvHAHF86JmXOw3HS z97|Fl#hskka0!`~o~XkfJKm|u6!r>3Y$2)V zF&5cvdgOyrB2hLdRrNiaA8IHRY6C*jy#?$Q&@=hqR5>w31Q@p#Gjo1z!();o$CAHJ zEXH0d5@PI?Q#^Z}Qj9#0iNhi_{gcUIK(;Rue|)&SWn?6oxw1#iW+DCJXf|js|Lcx-dayKTe=_82+*8hX!1>~%qMz2eTG+3X}Vt+4IM5=kzRU^9ipZoBGv zUFkBfx30G_*X+#Th`8TyaMfI~Q1VO?Hp}xZAB+Xi%Cf#8EzSV@cKpz zA}z7U&5P=lj9!#fFP-H8$Go5Ur;|&OH=D6Cb5)LrAvym}DT(dD)S?j+NA{YnjWCaI zKI4_O3<&sT&l~DBxdam+YM%qQ`D~ftm3y`8#hQrgIy9qW%|VALxv-?j03ex`i!O-~ z7h5>MLvD7RGZ<|2g?l^<_G>uJ8_vpqbShO^B#1y%0s=yKc(@10wSbn((`&8t+fU8TN834w z40^)}bRM-2G$Em(jcWn;F6XuEstqP21({x4j*gBVkE63HbV{^Fh!k6|+<(3E!V=_? z)_RcSc>p>Q6KJ!tvc3mn zP}mJo7gU&SeQMLVAUB^W>(r~VS>fCP4|T9eu~_A4)D8f{@d*+EPRk`zl@V;dr%nAK znxV$KqGHa2l4^k6b}IXc^)H*IB^zDd;%L~s0POX{qksGP)8Tb0(kNO}$IqtSq^W3Y zWsl($NAsY_P)e}9Ux#8>0Kv--wM4D`eup7KDSiM*C<+4YaqjDm$ez)!=+{gFIuK%>gtvi=~d|HQirEnC9A-9QK~?2N0i5 zd!}S$fh3dN4MyvRRgh-)cB3ys|0JW8=VrjSM722pgfestjQJW@419J=!Dy`RPrQSG z#Y&v=AKnU~qHSH1)Y77~p)1gXLbv59y2C5{%Ap!K0 z%ZP6Eb}wFS&r2*MBqX#qKyeR}i9o@Zo+VV#Z;k~aT|&M{b{%~$L5NjE!}br38_;8GV%u&h)ljqUx?d3p5`2?DN`xnT+yj)C>0o25g&IM{UR^Ts|_i) zySzWT&2lvW09E&!Dt~|s>r3_N~*^E0ULWVz}au7<__nJCI1_D?eI=vooZd}Lr zy)#%ShV1atDdkWK&HwUGc{HiW?|N%(>*fDP96AaEGy#r&_>UH2^*bXds&zSRgn0&w z&mhNM5_vG)J9KzDD8I2{E@tqM9ZAB&`P0={*3|^%vA>7|q5CD=C+GGsz2L7gC1}*L zS;^2z9N@qtG~TUzrip%pLB)9kXF4ZQcS| zZI8F~<&9}T#EA{nc*D0y+Ldi?7h}ln>Phr0^M_S$vpm{iKo6BK5edDgLe}OP-*Vvk znlo>IyAz&6wbHdmlL=O{SRD>kRD^ z5_P6RyGIS~l3o6iN0CKI?v}yf(I`c&+((i*@DQ8pX@9DN`rpO)JK*sq9+E%>87X~_ z^M1KuR2^1A-VJwmbYxw=`j+71bpH?4uA=qibM(fZc8mdYL;xhh!tMK9jU3sQmZ1LN zw|#N!tj36MwL6)4POTBS@GAvv4sVKD--{tHyFOE_s7TpyrXRZ0a{ArL3BVw6VD)0kc;0@)qf!2Ar$jnPA>ac@+8WNM^w?6fG2%!^K>-r6w=vX2egS3N zDRea@rr{+0&zHQfAAmC7SZ(*OOxX82OAxOw13?D%l=%|(am*?t zz}0v5=Z+fDN1|BVc8~y(3qc(tUeHS`oaDBCo{%)1sWsTEF_GV-&+}u$v{sIx&a#tB zSo-{~4r(8zTaL0l6X=6OPO#{{%ZV0u)a{vQjuySt8o-s%QF->AP{OZir08-dJQKyz zMlT)lZi(*ehr)mUdv1vE34&Y1Z++6%bIDb6R-GaGzsvk&n@IvK$ME_7^Tho1 zTVk3w8N&xp;y$;JdJ(wgS>|3_9^t5)#JCvtKN1Y-hJnK7JCWo}M0?UM%Gb`&nrv&-#78fqxR6 z%zIRGCpr&@Dd({8$Oa2Frkk6aHaGut$y7hGu_d&$@H{;|thyeQ)<-l;_QR?sfPgPG z_3^EB^}Gqtm5hHy5G!lBl8ZzT+&WUriLHZ_F{`TRtcO}o{hfTiq;BVr*8%9^F``Iy zzyrkmcZE51&&6iNb?5Ytyo@dIS6H`SvOP0JcL8oq&L?Ake#ryJwlvH+0qx1aHBl_-Oy}unkOCIN=E&sX@ zb-Ulb0z+O44Cg0+AB-SwpZV3tAGpIcxd;6gRC9YQBb!-xGHh+R8I6vE(;pkjF9we5 zah`KYh3oCDEk?Z_gmsK{)p{#JZs$XbtLb>MU~pjW@9zW0aHlUkGl%!*`_QXuyI%1$ z=>ql=+Tou5etC6u2?*pRkd!|F#-Vt&#OS{6=mj{JqzwNQ$^qkXh1D`woz*hlXAKVz zp2xdO{lC<()O6H_(?yB^%wrJa$N(J?ctn<#G+3l^D=VX$nwqd}$;il}lH-GOsCp=S zV$;*Zff+SFzYo99sCu%%n)vMeoYU=s%3P^*?Qga($+>KTA+Y%tmX})_u~LUXz<7XE zJKFb-CIkXHkB^UEIS2I`?{@h+9zC{xmZ(=p{QmvhXfH{ULQhYxu(&u^-%3Q9a|@I0 zu_CxT5CuMN*r+->DM?gSRaNx%#j`;M2&g zm@IBSI~^|#mT5Ns=rdK8b;t^0HJ_1{*PNma>($GaS>=0&&lZ-;Dsp?= zd;%QG2rr$}0e>tOvpZFf0=SlfO`A6W>=Oc$INk49!(`AOlShwD2{z5aO!Kfq1><5m zm!lq-S76nxwA~P{vs}C?uG#gDaJkSE%`6POdWu1M&+&ayU)X-yx;*42BQ6dz|CdpynW@Lc>804TovU81%Zr}MHaPGAH9 z5IL6I4oXW@s{{Ipz0-iD*{wUB?TIBH>d3Vf53B+TQAtq)boEPJ=H;z@t~+V{NtODd zl9HPY;}8CKcWx`tlY5Xd74$O8G&;PU)pDi-ihRDvHPOY%VkUGHN(@ri7accK{me&` zrY23os-^%F#Rn35B!Oh<-;VJUfh;5Jroqm?!Gg?xV1u6S6=b@Nqu{Xw)vvgP;#)QN zoU}uUU{qro&&Rm;CUfDhmz{~5%9z0ed>$f5nSf%WVyX0Wb-3zsKFaR;bi31fiZn(% z0(;Hhkszi1p3&}AQPEksGPD<@4eD`~V25aVKRVV~uJ*;s@Vy}k`HPD&_BT6_2!f9O z)9_~!oe`1Ot}Zr%7J$S&8;VM?Ud+MvMi#m^Mx%f8g;=uZ1_ zei5M4$797yj-^OGPP&yf9^>KR~DiMI|WTT*Gbtj5oRr~=^x<4cLnEz2Gi~w0`Ydix z59;%nW4+pjwt7CMei8(Gj}jEh(53=XJQA^(_dF&QN$l1cDpd}_14BdT-$CI5#_QLw zb8NJ;T^@q_g|xIXV0!$RDT01q=Q?EewF*j*9exf{sMDJhXmb3S&}1GHsJ)jf2}U?-?j zzdz)sL}JM7(`Cv4aSQ{O<1rZwqshdF=i&}V^BLO7Vr7OG2$0aLjFt;5 zBqXoH*hxsfdYty+=xvWALlO*6ZuuYgWFQD6M6NezCygZ|w3U_zY_{D<> zd^*yS-d0W5x4=!(v+TS|hm1{(>AdP$f4x$<(H{~MgI;Me`H|6Ti6c5LX_HPq6o&!( zr0u>8M$iM&@;t3Ke|=E|jf{*2>^?ip$;zq7QmuF$SWf1Opq$uidp};T4@8r$pYrn_ zBLUH(9DT9Q8Y8q#gDhV<{S!JmhG1fu=F2{FrsSRyXX9WLzK0HVqcg6ZVBn}Ms{m4& zG4baw77t#zH`l39Y_MIizl%ysW9#=vV6ml2!K_a!Yh!^;wcd-PjS0%Ln`mAoY4~BpSz8;QU9k-xQA_MbMhv^}cqC&B;)V(6x(rYjy+78aN& zyf?CQE*R+Og0{Am4ItdYY9$(~wlJMzfz_H5b>cMBT-^i67$Jxrr1~5@-^{rRUEhJx zQLOI`0L%1dw7U0zJ6G>vG&+1Qr>RKSmw8;)u+blh1NbeyF26T)UC6jhf&^S1qLS%M zir>|L;fu30@oSU2O-Zo_|M#5jM_K9O3YGWP1Fg#+PQm_%)0`sBDCP&j0vJ+mZH@!! z%HreVDm?F5J$++x(G>lfJ<(1(3Zt5O3KxUaL`6Z~~!xyg|R$o~!} zD}>)csCjvOn)?0v!F4C2|LSOQzQPMuY*6fCe>wE>UnbV|S5m@$X7x9F46GWru!qD2?jhVxhXa2}d|l7O*=;!p=*qkSRmZY`&#B*q z`+YG{-6Jb$+FU6x3?~bqv3MF~yZfVh`~3lVb%&O#lhw@XF}_fsyu7=!;uV--D_Q-b zX=$%K^ur%9C_I?FUY{POe$|OvB7qjj5lD3F^KFjY`0c9$9rAE5Kd+6v@c^9xbO6?s zR4Uu^svs1Qb)mg z)^Q}mYj+bgo4G5YuTT2S!zD^L#__M5_hY9+dV|Y9s+|g@D zulohhao@yX0Hw9M1MTYtk-S#zp0+MevL4EbR(Iz*Ym_C#<51dR62s@LMRD3lUjz2j zig(|k%uLwmaxYR#WT#()Fszo-4gD2u~~u2%DyE<*i4slyaAwMuu# zvqY<~-;pkB+{UBGV2uVrAUaXYEtrVc?cX}Tmf#c%8JZhxb!Lo3a+a~3zcuc=t0!Pg zd=vZzI2Ax?Z;^bjQSED~aRVk@>#F8q?<|NFYSb6fxF4G5 zX2Pf*00a~h7yrmg&ieQA1uUGbx-w!-ujY0$gCj^Mypq${HyZ1nT)}~jVb=zYAiEp4zb*(}~a&mGQ z5pT-R&_qzdb9;AC&gs6s_p%P*|GWV6Ac3euNR5i>z%@<-nKa_kDUGhP5c^HE>^1rf55~Q{ zJ&)Q8nk>(_-DBQn)n+TY>xWY!ko~1-N&v$u`|Qz9QDNb;-n-zc0}V^wN|XY zyd+RZ?jFl)u~1Z`$CfN6Eq#^2t>zxbfa5v1DM2|^uHA05W+=1`4)_h=csZP#`HizD zVQb6SG;urH*sj~_Ow+PKd3`wVJG`Yg5JfTqwQF;}Q35+05r@uTD31CaAyoq8pHFJ`Z!=!J2 zu)D%Ow4Amf1{^v_V5{vx(SNT26DY`peEs_3+2!)^1bxgHDM=W5_fkFU$)#jGnPJ@E zZeADPrnQDs*BS2c4Lp0?UXjeI*^f}tAUL)z;I5%Qq_=1t% zG;EtznM5y-u3TF%_kaJCaNS%Jak+>Vd3Mm_&sb&ww=z%}^`%AJE_OS+gb<%S|5Tqo zt)DPFq=OQLxVS%8YO!I%4DgQ&%qtN}{Vm*WEyz0YwCe%S){{F40iHQyX^Z;~{_V)JDYBsUx@ck+h zH&vyMrIaz!UgPt+S%XjTu1*7LW_p|F-Pv}k^;z!&!yF*~34e2cwp|yjva4!1C~G#c z^UE;z28zPAH)Ey* z>n_e%g0*G8a=W8jsp4|nxYIIfCo{z#<&TSxe=xclj?Zp4&U^iQN1*W9Wj&a(u(TA3 z>O3sbXrfibdByAA^4i{dUeHOH4Pz|ri&`Mdal;XE`F#hdb;8HTpXqw-JnynSJ}#@Q z-QQGuASx!kRzLfY&>M;)?~yf^eierMZj^W^jnn>SGgoF#y&}=;@m`lHHR-8-4|q?2 z_x}6L&;Oz6E5oYHy1xxX1XMz4LAtvH38ke=Is^&nlnzH)N<_L_TBSicl$P%9?vi@f z{ao*VJ~1?pZi!X@Kp8S}PK5BrkY`4Ex)bhL0ac|-VeVu`TG3e*VVs`>1T2@ zxQGn}z#?XoY^d6b{C*c=mqq=&WzVLyokF0CplR+p9Z4VB!dLVb>zX&(+3SG2q!@y zixj3x5v)1c{q27B2Oh#N1L&JUC--)(Ka2URVX(oH)cd3@Y0UvHv;WIvmR5H^f zPdr!M{Xb;!z0uv;F1w9)Yj?`4tK(q@{>?XKm4Cj)h2WSUZr&cPHRWZje=jVlr$-77 ztJ3dnZ!OsuojQ!iei}~`YUZmKX9HlhlH^W0~@W()HsxjL-4Hq+Di^;9K|fzqPJdFR1d7wz*pJX34y?Q7GWUm5uf z!`GLI@sW#}0iQ|Hu(Uq-qKMp+qwmi`{}lM>rP8NASw7Mc>8e@u;xF?)*uMNsB#rhN zMFcG~LgJQL=7`G4PWZu+loZ{+65AcYUMR-q$7t%g)M?HKB+ z%5jh274_8Lo5yNUNHB0G4wzpF&D{$U`zXe6rn2xjxHYhK9v|l~mQ2eZBaTD<%M`V- z;8w#-4*HLJE+(-YahSQPpR@|ERI(qpcNsnXAaQxI@;RX$n>^1hJ|<`;T!V>*jxG?M zIMG&^T7Fh#B|(yWfGPtuD{DA>8Mj%#%^xZ}MZ2YS6zmzus{Hp#T5s^pJMM8)z5J2- zQ=Ku>*8Gt*rHy1E)}vyP9Cs(`eaTZn*L3*1wJROb^pOpv{N$7v?{ck3iKBUgTB(1s z0x70rHKuZx9(fL{dkL}*-LkQ4d-Xj7sJZ!85BD>{z-i56(BvC*jh9?eBPn-#XSc;V zMIo|{mrx0pM)soOpwucNg{L)lT;e_V9Yc;}8sz`COs<;9X{R-Z$qu(STg&+>oGF;| zf4{{fd3Y#b<=eBkklcH?G*{}U8G_s9LQ0YPgYcs?dHdh&G$VfwaK28|^G`yTi)AyI z-bnlymS0yNgtMMq)ZUDPpKtM|?6r^*DtUhGev9LOp8_?xV&?*bej-6D>3_c=iza6I z;5a>CWi<$SftG7@Ze}Joj}Mns6Fvfjf&Y6CtV)sQmkVtNW(yL%NB{rFa1<=w3sn)X zVmxHJOmeAoXEXYPWzv(_{>NEDIY&OpoBtKf6>7EPnn>|rg8%Y2|9X~n@_*VVKHl!p3+9DQ5v>@VkK>0V|RD=4MZ!Aj*eao zwEvS?8~lL_FEA7~F*eaxqhRw0{mza1#5|dBGzE&YhMJvCT};=m=zpTU|KNd1TL_^? z#nN-+P-4mmsk~*$1RfU`H-hk2R5(n`%-BKVZP!)>R-dJ_ z0>up%?fGzWech&yLd>GujZjcg`YY|;wtSh{pZfj#uCQ>uxtUFW>AkC~tG4hhJ1(O8 zP`5rHUZ`ft2e(u6RMV7mFOwc6Jn=6!R-|v)*ubch{=04lRo++l#HL z;-iQ_!&i@Ckf>H#kbo=_)hd08h}oSL1<>z={+^#-7=>xaEs69c79BnP%ice zyoJ4qxXq0OXriP-&-%V8QO5I_nG4WH2P(x9_qe*dkHqE(2?><~Xe=YsY1(#wc46{Uz^vtN{QJKhX(ure*uscO2obHL8aYuYhLk5YkwitWL%g=;M~^`>FtHi3X6 z8z~E^PH<%#erH|kx9@?x0rjuIbYSb`WO9BoadvgSL&)_G3pPfE^;GrdR7p(nh1o5}=4R|+AC*VK83!Oy>m+&26*HbP5WwSllH_dn{yjCTaJa6!lihAZqxl&Zkcc{y zI;(?qxDgQ%1$s5{L1gk&m7Z)IK_P6yDYb7h6Z7t3##3%7Z7* z-y4Cj+QrRHSyQPU!Hgo9}T8# zXnZ`N+l8mZ4t+8auX%`k&fB&9EZ;;71CaCpmqg-#;Sfe9+=C3Y`9r@Bwx0t#Lx$mi zQKxnG7;vZjV@v+p2Oq>S@Uij9;NPEPq1;Rww!Nr5nQk5)j*iM#GqkbkJyghEfQ1Q7 zdyUs*>s89JI!1}y1dj*k%POm@zW`07o?k~H#F9MM?7y(S{;4)YaBIA5VYfFRC_H>6 zG|gsqZK)mh67rz;_V*D)u=L&ZEei{aI=yRdcc-1Smp-WABu;_XBMQAPv30UD>Byu% zJwJP!Rywn<31w#K z%Mfv!A#Ih$(GUZ)1V9nyz(h4VKJn9i#2TE|7lWrYN2_g>>GY^tY8VqGRW|ky*A=Ms@-rn7?xWfDwcF}bBnTljDE-F*B&bD zoePV9^|9Au9vvMWwgpRnO2c#dej3X#F)?e@dGJAv7omwH)Zw~~nl`e*=Xi>xU180w z_LcRy!ar%UGpT%nzIdLT>wL*gV-7-lPQHqCo11S;Oe7L`tiJ#JIS-J9n1n<>a1)54 zw%+6-xYXSYp+tdQ{^8bbE}tmyp9ak3}|_gAhfkS1Jc`r$Wetlf{Ga?M}9J>$LVB zJD7AEbXRkSknnwheThX(9IQ&y+SK$BK+6)axl&M2!*=I@h!k%RXuVGf|_B{6aVU8tz%PjbN=K^+S|KCgEkH6;=z?MPT}p5v*sJTMl9hM;nfGc=wrLJt(tJ_Fv9z*m@9HvI|E&`D+=eA% z`blf9N)7>^J(X^?5;s7g1SI&JmS;-#uAPk@@ocEOIxvJ6-2vL^mz~S(2 z@;kdt{UwilSrVIi?Ay0*MIqB`>|)DAK1Imt7Y`I=LAOJsnF09%L3oA5L>O{t!BEA( z!1zt2;z6{uj4H!p&?6kKj`_qsXP=a*3(#Sa%ozS#qizGoZKcDxeAMB$A@d@g+9sd# zhiJ7V&^V!!DV!1HYIMMucoR~qknJE8>XAp-*U=%(;;S=zadvP6r5s(1A)3Sb@Y$k? zy@#jg-pL8A5ILzjzPg*^PGb+5Gkh%I-N^d-`YdPao_v7y&{t-mK27is6?EMquX8!- zY+y!_&Jrmep^R*o`jzk}jLi9S^cRVk9$h+m=DB>~ zsHyx5jY(6HZ$v_Z46NZXXb)j7?`3+x5QQEp@%FS(tq-7bEt3kPv3+AGJcg#GlJL-8 z^-7t-?5`24{kO>KIX{Z?H$$<@%L}{rc3E*YoX}8)E8HgIci!&$S3IJkqti9Ss2&s? zOv%C$_W3iG{FU36mYN_VW7D~bNqlH>K-2l7tZb=}ccv*V`nG(S{4;+3FEKGEgB__f zAmI!T4#u#-bie)l`SZ!iN!$1D#S4`kpe79$YD)q=;*7h4<3|4oK9jY?6ygXg+Ze{d zC%fAK876xL3+-c{OTIpe`3qaNXr@x$+tMJ)ci*(cw5AD_5Irrk zO}CM_jfGA6UtuV7<3tT}>+>2p$2H-M(l6TdVl zddkckYBf=j*7xqzzBLAuSO^o|DIBi;8cZgzn53w1bf$F8ChE3i-iqm$HlAh*dKjdv z>KjXy5iv(cM{`*k?XDp-7Fe^FyHf(x@>{#QFbgGQz(jHEbnN2lV#jyLA-u_UDg#H1 zvgVPle2XFbfT^tMKiUC$CWb|~#rF&yjBq$K_4E{dN<*==b!=#B%hs|`dy$%1iE`Kd zuE3OFmBaaifCo<~7&(L6RcI)mBBWVcI2jDmCOwmU0$tvJ;4F^gc2_GK*G^M>8X@($ z9kcE=bP8Nra#0pgO+!}5a+F^K?iw~HO&k)je8;!y36kEfna%==3Zss14my2*u%Z z^HMldnSOeDny%~7V9{%0)`zS(3%Ef+L38^{ogt*0@ypEdNDd6_2c@m5WO0CAzyB`Rlyr0#p+eP?d`KGNM?95V>Y)+HxVHxCnpuotEl1cdc~3q z>>iN-j(&}bHZU;z?=7<=mEk>>GTmLrlSQ|d_tuk@d*_^o)N@K+0x+YV?$zgMv!dOC zPGSid^!dg1NZ6~l{PET@{(Dp_ub^ayts<2CQL9jb3Wq$3=nG4fbSUel9gHo69PiK& z2{aUxrK79jw^mkifL8-I8RFqiWnf?c#mtC<(C(fc2)PDIU#Vp5NK)Y_X=zFKG?Qe@ zCrG=x^6hFj0*PWcK4^xhqk8c?+Mpo-K+(9Z-h^#2l-#3cPy2Xhs&^{0=5>E|sWMT` zzY6P_bkp!;4Gj%NJ-x7m1mfHJWPkdNW%30hHJEsWDv&xhfa~zw{|sZ9_&_9QfIPC} z^lT;NzIT9^$^2d1u{zJ^oTgow(3nI2^2W?8s4SFQ`1*nqo+;#8A`=VPG{eeB*i|l; zKYf;>Y7+odj)&~m^-b8;(1oy7WdEz!^l%Eup2ulod+}MP>BmmmPc^I0O z$mgE@iFMCTA9+t#(Va`1lU0$@uc?8zH{4%r2PwNER5p;104yE3S53tRV5#_iiL4PmqHYz84Km?Y>%V=ive^ zANk_u@$qugpWBVl&`9_l1B;5CkecJG`=A*LiChBj51Sn! zq4PsdB3`o)Rf?s>+(>{N_s}`=-5#OQ1lcnwB%V z(K?2Dgvahcn#6w|(^+&C{wtRL2Z4rJxKbR48Pa$rmkIG0au(7aSK$aWqzjW~fybuplsnaM?)4K4xh{FtWED_%Znh9w5K#Q z{z#~;VJkW)f5Z#5%3wWlhxO!SW-F>`wL$enh)K7ky78K?uZ;cw>nfbktg@$ueF+qP zJg-Ghe3?b^M%Zc1SuKykEe{5qpxwj6mW~c|Xu&j?+Io5(ROwh3m_h3T;@EY4H3ywK zk2oN?85r+R`3DAq>_oTO=kCLA1qF-H{Qb$~=<4o%Rh`gMW-+3et194e`WaNu9i1Jo z zanT4=uKuBA_dh7*4DV4^&8+9ZIvXV&CU4(wp9CKf1jF?5<0);RAnP0DiA06 zO8P=M1e8su)-4Js3}}quU;ZrFi-?Ny+0MQwTVY_LqXK3InhIqVa$@9%s&aJfFy9JuV*n|X!>nqPD zmH;IkWm#Bw71mS8_>J}vS%q*!!hD?yVLrx}$4L_sBhr7WupW@{$vQf6o!vQuhfE)q**aBK@vPxwLpOldB6&%Sh#K4ekH{Wv4aKX^d&M7U|My2k2`?;l+ z6@)jv*{Ux48vT_hd$0`MsB@S(HZCqADhd&7wRd)k<`1N^sl2ha?m5~RK~6)V`<}Z; zN5&_~Q*DIzZ&X!PA-%elu^hPLg*Q(dPdDL9*12DA?ucz{Vq(A2^JIVj0IeQR{*~Q5 zXhD4g0vzDD0k-j#le|-uY5uowPr11t=gKz3livA1Er7I^IZ-=(`(&k;4;YYPduR0R z&Nkk*CtLpF#2UJq(D$c%vCaMwF781;6R)>w8bHZ_!$Ly-sa4`^gkS;uPG;tATfzUM zYoLt%kFNPxQNfFchu4+>cmSXCcH*2U&<0}M2o=_ffgdWd=2~hqk_^Kz$3^$tBRo7c zzLlMo-k(dIi0rTL$sW^%_P>SY^)}E$UMr5vT?`*YOHrZRxr3aso1tc0L~ngW8KPjG zFeRDwTwlGQtZz8*KtVVQ+u5A;!c9}CzasNfEkyW1kO>$O`}uV8)kSz<9btFq#&wks z7b_+ATJTkoYdWh8?gWq`YTJ`l&7e88*qoxKre=S;9AaJ~p4=AcWrFK1q(DsRw%pLa z5F3(r57(PTD=8YJ>O{S3j@3EIoO>tAkz&&e^>PzFz;ZN+-4~$my5Q17zlj5cMXXDl zYkVD@Ky#pwwcj;<%|4tA><9Xs`cmX8cBFFQyH?9G84{s-T0vYg7&6t)8}b0BU9V-v zx}d@VxX}DixMgzkB1Im(xb~O`e&4t3nK+H>2>MW7V@O|qXIsg>2YE`m8Z9F_4NB6 z6`bFW2a9wQK#eoIx_bIBr=z6==|%u-cBc<{2fKp+#^)6ChqrFsg0ZLhf3L~SO=2-_ zv4+jfa_&LoZ6TwIGKd91K1Cc;831@7lB~Uj-^8@FSEMaCKa|poXt;<%?c!Dr`ceI( zr}Com=@{q@L3c9wsmf1KK zt>C_XAi!EsPZXhHq(iq?(Q?8oG_fF{S(GA{Kcq&S=B=i6z3KoM{h`Q_qkvvHpzrWC zvQmLt-X+;ZFI3{7rbXw9CAn<#V9z4CX7gZ&f{qT&Lfb;eyasEKCJ=nIKfGtWAoVn& z-3ZaQ00R--RUiunf>$7bx{dmvp(2hIS11;lKh63p?~#*}!{InPKi`zEtG_hb_x91F zM}KQ4lz9%TACbt89|H71ZwnxF1sJ@KE!MyTwY#A7~68I@$?}J zJ~I1cAlK9J4-dB{@FO&Q0}}3r5^>LiNt1-n9!2ag$cPKRs+GPQz7?SLU~{Twq>`#M zT7`L%(pmw&mIN4H2Alfs!CVTvdh9^HGb_?&iJ4qD z`+Wpm-kj=05SjM{cCB77bO?QGj+PVUp*2CMPyT~BpA#(EkCxG)pJ{_Y#ha^;)8F{y ztupL|a`q{ur=r9?zPfZ^TM% zTve5of9piuc$1V-(m{bCZ?5Yu+t6o+ii-OI0)l3=iqJDsx5imXNA<#E zVfUfpz;Ju-eD2g4E%UbiSk}%+4q1MkmY)>UJPfGW^2yQ=DsnUSxSgx|{YG1mzQTta zDmk*^0GII6#sI?llhjBFm<`Y=gyhY^yEEus=LSX&pzgLqvw=O^gH+Mq54z&HgMCj? zM0))G0+$%gs{MdKEwDhh7LS;b7%~?BuDyT9tyNG^c)H)oYBrJ0Ebb?+;OWo46Gl!$ z)AsHKnIuCLhgm-r>V1-yAq({?*8`f!99fgaKM_(bI3SPj_*HcPie+kYq5r6ZW3UJa z&~ABD&#JW5^Cpj0YA7o!pI#jFnn8_&9mS;a{RZH1VWiKc-)y`Py4+NO;oqk2jK*Q5 z3;6|%2I_ymaXosB7m*U902z_S)W*;F_}Pv7A5H2^DKbPAXxD^!d7j%{{(H}*bzh(9 z>K0H7Bu_{*f4yUeK~$YZA6a{rz#jMW~{p-7=bu@#o2o6v_+Z99>`m|+ZKU@7LiAX%EXR~KhU%1P!T z6$dBh7-(gV)`v1caW8xIj$?$fm^fxZC`>umX!$U%?PuRFSBK^9xB!tf@Ei!wf^UeH zf#DNONr>QRg7W@3+I=wNqz=Dqv!(Ioieu0CePeg~oAVhwC)d+m@`oH`7kF_uJl#*I z*`8v3XuN&5#BIoY;YtR(8vt8}BB+vCkBoqngs1 z!ZQ!ayM~HDt_4l*Nq z;RUa#bBPdwMo5XQw7t63SCQVg_I`AH{HN`lNcZ zC=CfVwe2lIxK)JjBlFdZIAH8YsGS=ClyiDHd^dTlE0jsYn#k7X*5I&g2s8w-oh{j5$`jnmKVku>T`E3RMMjy58aBlH&d z6do#|J|OrL62}=*C`Btt>yJs;1QS?@UhxVra0oMVhq97yd2b&r zN$od0yfG-%VHf9Uu=bZ?GU{zNW8O}NR0HQwhY-w-KB$rUZ?N#eI4|(WqXD#s_xSLe z0K2xcb$nW>%f=BGvfLey`{YTeT0SD~zc?IFkfK%|udoQOsd>)-GN7!G`<^o{bh>)X za&UkxDX&uhJ6sbLb3uWrZ@%q_7@4-z3blT`+oR}76uSKa*d>f**4b0m-=I}4?yns( zFKe?d(92oT`NQXRTDN}8O`Syz(2#%m*7*L8_cig3+jQc6KBP7K)7eY8?1YKWs*41z zkvwxmhUXi$SM#nsR+D12|Bn8emmzjp*8{lWTL!AeSv5( zL@h}yr{c305OMwu?o*C^sA~Us|DCD;Q5#@9T3u$a__5sGle)TVT z#y>CMr$Eu(IzIj{j-@OnVx>sK?MuDGoq-H%R)Vjl0210c+P3rzhlM5a_rq}wM<$Fl zU5h5DPn2>WF=jp1G(wt$*_S@|tjR*;EmnI<&EAe`)3fqE{Gkz2pCSzFgtHA7hC|rT z25&70UJB#ehkcS3JrT_rP@2f%(bZdPn%MbuDSI2;_Poccv>GB|@uKlEv$Jp2eSOOyxj-NkE&}vB3n4h5g-NL}YShx1*kfI0!fo$m%CJBLmc5@>_Hz6?-0WF?qkCkScExW5U^V1=PI;T=K1Y#g!bhSo%`UR-;(W9|^ki{)F@5;k-tn=-Uku;Ghvcln zy{84h?t;kq>njzS*PN+0uQ5yEh{UlWjd(PiHzXUU}9pT z1_bNF$PU7ClsFxU(Wvj{c58P8!44)NYzFcUP|;;Y;SduiFvQ;ko*GD`U==G`IFIwt zS^$%X1QaxjsSfj3V9MD;E7cQcIXkz*9|HfF@qz*Rr-43TC|`}!zC}u+&T3Te4QQ=3 zw6!U5f(-SRQ z4DF(FiB0S|Vc^$1IpT+lwF2ww>-Tiz3J(D2!ong@G!`w9R8>=(*BwcaxbHoYSzwh= zJ~}p87R;%n#g|?CVKNn4|)+RR_!aptlFzy0DP$E=C%usdad` zyrawSxA;$S3Z>BWu{Vm8GT_(%+p(CWBtq1;D6_-*p;$CT1A+lEg$yhXCajCgk}N1i z5bgS7W_h-+%^(sN(mo}`ZBzJW$FB$_B5o|Mt?kAK5ZnMp)Ax-#kb0iMc-;;_u3n&h z5$)E^tDBgF9KKK-U?LxRMmf7Ty_PWpiv^0Ff$`;pN$8c=)ieHQUm}x4#a+c8i)R8! zHb1wvH`sA%Jilk^`DKQi|61L7<1xB;lv<(=%kQS9r`E(|_`QH4MRYC!AhWQz*aEWz zW?6-F_h)j^(OP$2xcJV<*cdUH0huk~r6-h3n#^@*_Gg|tn4X!@_{hAu%^GNV=s2g{ zHkb`}TGEv)6zLwl7SiDKBZM7id1j4a7!iAagO_dY@*bD@AX@#hS68B7Ne5>l2A`yD zz#A|Yb%4 zF!`TqQ{fl@JpuTb@DFbY6h|HHTw4@3$LAYgD^8dCpW{W~ta?UqS{tB+>| z*Cv7=pRz%8-h)ly7r-0EJ>($dccg>HKLdbO$JNosO4rn?sxy_)FHoHzv=NZ=p9amS zaFrN*1*d1{KWzI%00`7Bw=(Ehq<{1XPf=AvtXQZP;mMh~?}Ji~p=~2#az2dA2|;H2 zS)=#C5l+;Gb`=hX;WO8NR1hPz5b#78IG}cD3V(Xl&Q&onGexvp@cb*T`^NwZK~PF5 z>Z!>iF^;S{i$F5ZcRtqN@7&V|CKyt&fe{1FGTP0 zd2b6KmK6v!3`t>2hBP^88R@laH}9rmKNTI-kg6)zvf4jaW>;K-O78CG3}id{xwLsh z?;wYX&AJcJ!9QJHivXGfYPqnvDSLp|4f?Pp_zT#IDyphtz(>l(bFt^eN{UNH08ShA zoe=`sBF~;iLfZ$gkuk6VQAOezeNe+bB;*s1*yxx7{SK@gd{cmCzV5f(nHFTxtCj-t z8l(eI9$wxklhC!&zWoyG8JRt4gp^oP_50o3!v;9O0i3m#AWqzZRnKM9M?yovM} z8yJ=s!0Bmfz7jL?{V`EAWd2G1-~GY(C-GK z08$2ph0zF7CV{LyRXKn6;Gns+)ejaLO!&D>#hFFUx}T&!0nwBBwElxOdj%aMV@73V z?4Lj>&_rON{FmND0W9WAfK0&m%e80qv9OT&qJU8=>rXSWBJ@Zk`=+qIgJsrk)2&+fTAJFZ7*6eOAm6OMwNj^}O`=#6-e(MgyeP z1*phjq3!I6^bpP10D=$Z3UUgHTOf;n@#01gOOMVo z@Bhf02=+OkRfXDIYCeRn&Z}-cUD@ueT_>79ls>S5=~lMJ9Zq|ZBv4oL5&CH0C3uco zuD>ULgZ5xA8xXL#L$T|-5mMBz#k|~))>~_K>N;b8yww}0XW-szYmEc3lb+z z5LSNt_%W9Kt$+K6cozl*?QgpR>dOwE>Am&^@uxdEncsY6@LBq3z9Hb9<+ayyPzqc- z{?sF=)l&eR`nmU{nU27lrj`R2Z1CCg1u|_~wj*I#ZlhDuNB~9coJVMm4#|!Fdl|iSP-(pU6uv^(xUl@)pgzA_B1j zz&5N?zKiiN+*ejs4r-V{SFWU0TZuE=DF)aqNLmV=bf|C$otrNyfo0g;-~T82#U6?| zu{QC-VOh*QQ_~gve?r%|-*O-STTDD#VVI~7nK}g>2B+yU$>!EpimPskN%u2|O6gAE zy-rX*UO~=3`0w{ER`uGZ_t zd$w=f*1Hyc=?np|FqaR#OHBy?ZFMjni`yC%W|lHN;`ME4xOwfUe8r_#N`6K*gwx&G zx$vhxTv1c=tZM@_X7cj#+}r7^v$GA*YwR8s)}^oXwgKtvhk@V!%`Rg_{{jW*A+PtWXz-zaw~=RSr_bRX;) zizb8J!jHmbSu&zk3W<*HCQGWB;N5*dl3H-M6mL!kCsawrd2c>bO4E*J?wK+s6Mfg? zrvyelMBG*_fQEq%Ck@adP_^4##4NnyB7&^9_V)JN`C_Y?B0*Tb%UxBRUt^*&)basX z1ajHZ(sFe$4VQzHFh?N;H5EulB!li7vH!h|AudsNf^qqz=Y)PVq`AD@7SkagqHl_U z+xW5ZXYEKSD!NDL|C8O7if0Vjt`E|~VF7cV5#;z#(a`MAUfl+8Eu!5R1o3}=X*z%^ zl8%X~rL!~GX=?(>;se1zNTeG#kzA-&BuW)TTDROZ`S^J{DEz)P}xx8MMYPmv56A34Pnw<+1Aj`k~>5q4jTqeTm}V!#&Z~#ZHurzn}IT2*7x^I+{k= z{;FN4)@i8H@+9KxREBX)I1yVo%`mU!=x0D+K7UCRF&3vb42lKk`2fh`<&y<8#c}5m z4SNcz5a^B_HjbG=AV%Cfbdsx(Fl>d$w4r{p{xUw)Z;$NMNm`sYTYR}oNMw!d^O9xffEtb?>X!>Xnn28BMju>`qB2-v*PK5cDn2%gya z3!o%KigZI4n5vc!z{LabiMCDmkV2=9+~`v<^F8?`C=(`yV(C?~XIEB!?^gJ$s49v@ zO2`p#I$>hqvn)29VU(Ip_(L{`?|#2M>9U~Fn#dQ_NM^Zwk(7GkfFs3sT!$~`LlB6H;JS7*tQi-8jI z6ZU*&%G}kX)J<02{LaA;Y6Z#K-MEME`U>uV$D>R-bW*kla+UUScYIRukx2Ff{H`20 zhhyoxMt`-ZdT>E*4H4J72Iwpaxooi*)e6Asp6ADp0f@PSskQ38J_87-A2f^@55gXN3=R&4h*L_$ zR{9ZImA_zJB4-hje>adF`WJSz!NzgnM=1szx8rsC3mCpX)&$gms>$!>?Yn4wycu`k zFoc=p94#lYcwFrL z{@5f-4)ZC7J!jQl80qK0f-VAk0_6o7CgvmgB!22rOiTK~e07CCy}kGVRFgxqmIi>N zNY@rY8XP|#V`5@#fyP8a#y&#XhI5u?vff*tK)~pGsv@0l^cAyT;4WI4eu~#eIB-aw zJn<_r?Ll`i?R|{=8C11%5Y$unMFJF?a}&%n2n#%J^IIIPGnxgLr)Y)_B#AF!DZP~l z#|F4H5auO%5Acp6GG!D6R)t2eqat@M+fr|S0;3gmWla?ZTq})zadC+PVDQ|0Rxn`^ z(c1rM0Yt#kiUL-RIoP3j|00z4zkbd5&(qYli z(n5dkw2igglf-zVsZEa954Ld&R=oz56xA07*Z#csjO0vAvMx(e>L@=nm@2EP?$LS+ z{_pdB%*e>Vdh&#s>D2K*pq6M*P*KrWdQ`KnQadWOaW?CMPy3M&|ZI3iEB?s8k( z0I0r?wY9YXurqFsR*53va-vhqD z2BX8#{}HZ4V~UDKRvR33^gy@Dfk+X{d?=4vY$^~3+Dvt3c~CMpj*V&B<}FcmosM7{ z0J41RDUv}1&cyN?XrNsL^^JE>t?PJ-6ctC?RGp{0!Nuub6Ub$K?H1bZAvspaPELd9 z@ur6VZu`MrAlz}MS50(udtwmN{Kq|35`Y8e$ZZ@VB56%c!n3n8q)}64xIc9${g@*+ zMB+ZN9Xu+8?b|paxja#7qQu-tYNcQ|FB|_R>I#}oxXch97z}%V&EBK>CD1zFfX^WA zq{gFNVVMPzWvIgDQSm?}5D#`lez_4C7&t4x`2=AlG$?35X$0mBkOsgV=t2D=LH*LN zU??Xl^oIla?a01b7c=Oako;SgA{H?*F@&E0K@=kMY#*TA%UgJzA&mdxbuPt{H9DAe zO~J)9=u{L6HkFLF(9v2OUMNHG^A9dP0#T2M{{9e^gcy6NN(+tWx_Wx@U4;ZJy47N@ zUfm-+;RNU|E6ntXz@*^r{-GfNHwZ~i$Z7JoPS-sVG8FePKE43V6+mhb5WsK@@&hVr zT5KYsPeAHyR+T(@M5OhJsH|=D7EW+0@}Ry%Mk?jL1~w%Kj_EW-klOZ~Ow>yjs;NMR zV7TzrJ4^bu=`e&S>`LUrWmPCPuTyvCb%q%dWH=Hlur!*bh^Q&hT% zE&k~#9iC#*o!0!Pa#_KSEe`@eHQc$w^r-l7n*6IGjtKv~HP3$@-d#z}vK;ig_fUS$ ztjv)+^u#$Fn^_!BTNKW$v(S4d1qn2#Hu`|X36bEvHYcqWAl5K@obx>N_2b`puiu@F z8I>jw!xG3+b%gHL*4epYqK6^XkS8JQu1K2V*Du5+5I>T}IXdFO{x;gWw6x2pTtL92 z^EPdaW=OIQO9g@Hf!rF;1m9%(M~Y6>#_Mu%iQF?m&ShoR46Ad5Vy!w@ArNq3gIp|A zNOxF0%Ieaed9Ln6P}+@jKib_j$bsfBpKExlv)Xh9jTC*A1GFGf24r z2~nwPd9&M-!t73+q$g(O>_AmFJ;jc%VUEh=j!QhP7d7*fB*PAzxS^-~ck%YeS?1%prmo;170Jf@> z_civ14ri3|>%3a~DiWXR28a(40RbN%U*I(1I8x{~;UxANdjSFoSc{AKaG`M-dvV&x z+Sa(vev%!Pm=PCY)(#AWj&8cSWWQ!VzmbWHm0@Snsl+1FCnI&AXNTe{6T`Fwk{t+b zO9Zg?VBDe@_VCj8sn6_yea6 z=)O3+V5JtLx@qOhc zNG`KZ7Haw2Ht9?v$F@ld;5b#vFu8wqy6|w>gFgUNMe`sOi^z~9;J2i!^Q!w}Y@h74 zYzBp_1)6p{XNL;7hU&F+4S{5omLKQ{K=1sF?>Wd&8o;am8%XG`ndet5OC)fevWvT` zN{y3M!+z7Z*Sse=igecNfec@rP`ifd=pUi0ng<_%CeR1KjN5=!0yRN!HZNs10q*7R z-~=)0O_mG&Or)IqkP&Ee$9FUT-Mq~-#|=bs*87R!P2unQZpoI^XM^Tt&B=8V889a6 z^A|~H{d8w36mA&yjPEvq1^Df;7DTX(94sgZ_ZOIP)_7W!X~79B7gMAQdrEREGh6$_ z8szX$;YK0#1h8PsQ{&r6$SWu>qNgh$1q~{&bR>`lD{Q0RXgH7hti(FOYQe^~Rf{PiXApsa@1qgx%7z$DW z*!ou1E)*6hFGt#`ngArYRgq0$9(iA^~rXJok0zra_xw3>pnVb&^t%ET0sRO9s1@C+S%pgv8C zQ$QcPfJ~-f3k7hi1gzRn-%Ll~-Q1-)JzWTo6ZRHzJ#z(MT!yt?A|qmP`KN;o!vQ`X z-Z-Bxq?=~By`1sB79{gL#16(|6;UZ5XQx-nqhW(_6V|m-{?O)hjrRV9HZmv=n98p# z#pq{)E(g@OC16axD%lnW8EeGXL@GfH_|^{(9RuW}F;-YL)>Y(^njoAEz;&h}JqsH? za`OKG0aB^=@|?b&^@OMQO*4ar*n8^T$N+ajHv$NPylEGHy*>9a1Auve0pI*kTz7>C zdyt!a0ECAu0_4(-mey7~@P#T5D8t#JQ{^FET@Hb&(Q}u{f{q*0p~(0QAOX})&2mdZ zBwl-MMaGPv538hI7Ni9SLJ7Yi6;{g9l1Va*G-5nQl>r(UO#3(zV2=m0=#VrrAhzz^ zyVsQ<9F7nNaFy`+DNHVqanO6=dJv=#_uE8t@TeWSd73eES$;ei6; zNCr*<6jf5PQY~-TknoIn9;;8_3IS6GT!&RWC|Eu6jNu_P*1sTYvIJ)2=M;V`OG|!Z zmNcxa594J0Q&Lj0FvShXK@s5X?G4U0Hlk2~WIjhG_>37zxfjSi#4Uno0 z4<4{+K*?U@41i1%Salj&+PglDA0i`hp>{z1&G@>4^^}e7^K9yy5D7|pdU_=4NG<;! z21avxJEBB?wWE}!41#1C@GH92l9p+OrlgPoe*>){oQ+2t+7xKO76L;2rKeRI$XQ@h zKpcUbsPOyHvu+9N3&VQaYO(|55hAI9TfYk{7c#kwo+3r;bqOANmIzKRs*FSg$f}`- zQQm2HtG)TFwifWtFO3f{Fe0-hz-F1XWqEJ+;nSyVAK*j5w+MxkoRJZuWGqBFt7&Q~ z36%YllT)^Kfe?r&zWy=nL6iifF zEn@QvolHZJU-ATbN%JzGx3r5gME*;uPZ1CN=k4G&yqoqV%k43`Ush#W32xB6p#DSO z_v_7htNI!mQjjhIdV2y)R3I`K1@R&4+gNA;P+O#q0(7jStK0tPPs2N|`9-53esD;D zb2K8>Rz-UNkO&wL32F1C9Kb9I15lK-xP}G+2ptxemLopLzM;3meMGfpke!*SsG;#E z$3fV*b^kE{XFWw$+!li^BfVc5aLCA5r)==m@tfBD4R{iQg2P2wB4u{!wF;xXM&Y4@ z0lj77H*u1LOsrNba5rr{GU;g-H&i4E%!VC&ZIfe|>&ZYdwAYKM>Pw@s}>l{^#R7^=yh&BlMd{S}K5| zUy|uGLcWz9sPqS_1sMk{y)CwSJQUI3C9f(*WP|?HNiNoIQ#hv^`ceG>!3I16XZ1f{%Zr-GaDvoSL8fa z(=FNE3ES^ENj37)@!Bq5yjob3ip}iseRdD!*2~uoJUr7pOC<%dXZAi@etVD5P=-Q3 zPn zxDNlTjtQGz&RS1h^8Ar^C^jT-4w(!soC-0+Hivshb6M(o=}uGQ#$NSMn?qbZyOJ!^ zMNx&Ge+I?j%+bPh@h`UdJCFn7TAVP41uNL?WV;*EZwMgJ1JI*F#gSvZgUtrhwIdDI zH3um3XY-w`8kM%>z^&$&l4RybWfY8R>Z^A#ouLO)jNFV^HcOaejD6ZXKpT!&SB7P=c5Ndn zu#pfcNm05bq(eX&X=wzJPAO>+0TGezmTu{i5|J(e>5xXcrQuuie8;>0>_hY(X6Bx` zuC>lum`}qfg#m}cmXBj=Gv@}vOSxc2_s@(z$bV$I>q;!)Fku$Mx%QA{2b2hu(_r68 zEh;MVn5pE17pk*2)};n;B2S)UF64U{Wz~i16{gu~x*I?e>faDT=_a9x9oc(P_^1Dp z?0{N4v#Dt;*t_meX^v`jOVIl;p}uzof+n35N!OOXzUS_)&^gJ=hWSb=Jj)ym2e;p# zc{J+K<;5i=oVFXY=;p$ph;V3v>n|K)6F zB%h$5@O!}nO%-)z9SLIFb;9V2S5V7d zG@PxfPSw|b`=Xk^*=+_DFjyX6<=Vg>caIKenYlKaFvKdixOJ*14wwMq?5A~&e!c&o|m3(^8v&sM{x$AlUhm0O-qN)7fhXR_J7N+45WpL z=Np3R&w9qFOKclL@S$dCo9Id~dd>kUcsVePYS(?fH=f@Qgx8Pax{$h0g?O_K8)^=c z^L{Oen;EolV$o^%2$kGHXJ*)A>%WhU9Y|oogVJi~i`dPV_xDg?F@-cGkVHxVXM0zAa?x8W!kn9yb`dRr`u(dqoXf<>{M+z^v@-K|ps?*RKgIV@Qh?d)}Yk z`4}2%3NfDCHbVr^^Fg5i+7+|2$~B0eK<;IG6BiM$CNJm^cmEx({F;|2(yO}%7d`8B ztPeX*x-!%MV)`_TSZZ3oj9A#2+Fjal1*o>5@Ay0gnBv!ZrQwG(@3SDlO@G1Rdbm^y ziJ*yNd0DP?_6kHapYLB>AdQ{mC^{*amjV=Ov=P)y)5HR2{iUeKhH zrg?xp{YNpELwNsCF+9eIk!!oUd438>W7!893#dxQIFbrO%@CQfIz?JrBh0 zZBEn&vd4LK!O-3N+^%<_=!R;x?A0Y2@-+g#3T?Fgv6C4v`^#1s)(qX&dV+aol>i@F1Vb`>Bz%F727}nw1 z40_byGYD<5R~4LJUT#}rj6ymK&=?pw3({Oh6*$m-Ra^MCl_Y|MC|xnoTA@MC3y;r zn{pn3km!Qj+nvci5Sny`HoJ_^dvhtIJ6|2Ea3Jjp~9?uJ@5t8 z(BVl*Jurq2Nu)+Hha>{A0mBaXpDzdI-=+x;|e+aebpDdx}0t1FWo_b=g$bd z0wAxO2S+_5K~3!TpaBRk|LobVFyX8FC=il~WDW!Vj7LE56Ig$gzZ04C1K8f7BcfkT z`#1TyEyq8?@VSNc^=@f3Q84mzfU?1RV)qV+!qeqf+47>9;1r|`4XMDFu@d;eXAXLS zY%s{1h~&b01YTLtVtfZM8QHnPFRA&`D`0!(TZPk_s%c-mq?`jL2q!^#i4fu^xa|O$ zw06H>&i?(p6szQq$BwY~^_B~rQc5rQmRJ*XAxXBAI&8P&fzM;dQ3a^1VPN#LY*mi! zKa1w~2gAX1zdKX&XYa=y_FrGU1O*^wUGVjvR~u=%$P!96YKP4E1Nh?}C1wBVoz;oD z*Yv9csb;4xJ*O)@cD1QaptRaR-32Wl(s2VVkN}T>nPOU*pbJ2l_>HMhfuK?O<(>&k zK5NBjI$LKRy=eFV(m~}4jpv9z9+F2-55hzznrsA91Y8#KuawHpR!5MP9NNefV0nL0 zWr!t=)fK4DMz09(1igfXtl_0V_)!ld8eQy^G^fJcrG{9I4)C766;1 z+-<8mv2xm)je*-&0gpd~vbt4{Wr9ZXkT}#Lt((ZG9tss#mC; zG6Tqca$IGt>#FA8f#L+5FN%@>CLsYegp_9i))E>6CDYmWZdre1=)s9?z;k63Vb7HS z>YxnWFYIymGy^vt8LYPDS4*a&VhoCCBG z_zvuMc1`CW;QM%C*^DcEco!nkmpanCZ-wvoLG~6IukF&bc8^B z`C!9s;cv%ZH2QS(f~(Al0gErSIG|HZ75ML|k@zFloWV%sZ z9P6$;JBuWvEJ}wBuLgDkTwGj(5!r~L3#Kb9zufQ;Gs$JOWBj>hyVtSfqg-gpiVWfgJnD3# zq}lakKG5xNdf-Qa2hgCmn?E-CrMrTe@>>zW+Rt>s>6I(TV+Gp52nIm<0RaP|jn^vV zvK{gm>kL~^LAj@RoqJwkyCneJ7{_{u`KKq5wFpvF=%d40)%x!}69J|yW(kdHRKi6= z(t#}i5dg5lUFNl&E={sx9VO6R$0KWRwiLj#nGpn+LCt@P$e>N`0(gGNCK27c82sR4Rn zBLCe)lO0oxT;x5hUED8uwLdQkKQkF<)EV=sY46Bpizjar!3voRJU8;_LqJOu#9*Ka zalQNIyzT(LcVGzQVpQEvTO2BiaQ&-LCiA&+|4vlUV^fo&@*Xi4CuV6ZIn=c#{(QS+A6XI$Fdo9cc{fbwukH+o0v(%!n5tAO;Bt^x_^<&Ruu>> zZqIQ}(PN_rFFr7jdrSEe8tV4_O9WcUEUS!50n zD(cOw+3FTU!`_Y8Sz3+oaimKHn5MIpJnDeZCDs$GX{;AW&rSUy zY;N_5XocZCYJaM*6~`uL5C7!4bnNe-Du?Y&{?yHL8c@Lxz5V+2D^c;ly>D6YR0A2U zN}YuUiV)M5jN9M)h*k0{$E2!6nE5C8f8QyTh6+5(V=B*{8ipOft_@w)o23&xk%X)N zqH+`$hTYO2KVKa7P(XJXM@$QG@(X+V9+YJ)JPJ+alS`_$$udE9YcTyjI&v?dQQyJ{ z5O0A@Ht?XMlKD(^0(j{k7e_46*sqBA15%e(mccC_sG7gzaA+cu_zw>`v7z6x<4RegRNnVkk=&p4)cXt!?7fp;I;S&ElY9wC{b{>9Y!#{CU3OcDRwPPoC!Fa31nGu3*_x+LDX9CyUlx$O1Tb z?Y?LbuRy0!q}5WrHT8G4STKrC(P)CWr?achq6ief`eCqrYDJEL#_Jx`9+kaY0{pLd zw4+a8$0%vMB5j&&`dw%c#;RK*lNef!xcH9S8#|yj%t~D(Ht=e>7+9%r>QV)=a_v|8 zO;BMz5)ny-+?u`d*I~#QsB*{he9dM`dZkpBsy~2Ws%fcrUIZKj2~h;e6&rzf4iP)0 z4`658x3*XAjHmv16ilO6mNU+l(Za*@BNh~%9MH}YvFUUM7V9?pqQ&BIa zQTGiNIV9c`N=O+l@QK$2gYa=>DR=9L?8G*e4yv6EJq%3%s$%U zwYw6UbvvdI5*Fe}WXXQqbh<(Y+AX;r4OWsTmeDDi)8^c&>RQGnsdkS!z0RDP&K8*e zm!PS`1aN^73=~u)kmxGN(73p~bc3O6j7%&U0E1aiS4Mz88p<$4BnDbH=;0A(Hl0!e z1kmF_-MpMqwllY|WW?B`qSpyh*YR&A%t}WdpJ1fXo1^s?uzElTOAnj>*ACk$=HF{h z@Xc|zk$V5R5CruYoe&E-w4m@z{3$t`y?44NiiwGtRO%T#!5Zxt|?$G_hAN&IYqN0){KyCu~C{)ks!)x%_Y?H#+Ter}{Vh~)wUuvm|ej*!yZ)!h}L381=&8wJ8L3|L2H zEp-{A3`vxU0#VCgSSmp2_I+$1j?99W#e~lISJ`W6h=B|Gb|2_IDq8;Ab`R`8(wXJ( z2!L1!uod`ieRQ;!?H0TOsgU7sg+o9nvADkQY4%IpR~1;5P-J9fLBI1E47oCiDZnrR zx&wVQFhHs=WTsZ7zJ?>Tmgl8cP}99Wm)11SbBm@M{Y;D;{L!^eTEi4j z1DU2h$9a#WD!(ltPLh?ry0?9*HT5qFH4u|L#Ep+Lh6_T985CfxYL}@Q=Mpm{Fpy2+ z#`5|{aG)_TbS`i+Gv(M1xA!JI31n2ueFIIa$Ba-Q?C(fl3w>C;sLxfStzuQ?BWg=R zlj_jOVyVjM`34#v1IZ!L2hX7B0pnvPnAkeQVOj+sP&Yf2$V+zXU%q^)kjkAfH)j~j zrpttthYfogOkew$doCKHN7uo^bpQp5!-Z?x*wIUX*!eyF6}95|&TTKs{OiX%7W$e0 z4XJ;Cr!&7hh=S{a3uQBf=?ouOKi=(VdMWAXOkN98uZgu9mZ~=h!IBMk83=|ys)>t@ z-+=>yZI4NCy4Y5oXG!+{Ak#aTMv56XgX!Mbq`sLqM<1fWP;K;x8w-h( zkHJUInw?*%(7cnx=)Bl#kAY@&DBF=({5{1+FcipY-9QT4zk);p=&JI5zlBR{xEShz z{^9zy4Krj_&4qB-$vh%Ac~u-manFc9m&a!EvD=U_us+*bQ@7ru$9x(}msh1766q1A zi}EFLnjEU@sF4TpWiT--T|?^Y#j#>tUQn^#n(plyBa^eDnuQ<=2r)~_l-}0sO@Gp$ zz{Y&d1H)1{d}cknzUU4gSRW+aMipCT$fwuY--*1|{BOt8)s=4m*MoA2N}?U~WY9IX z00IM6goDDvxpJ&THtX-oAP~fbA9v3@;+lh)7LU z1Ra<|Lh_Z;amUynVt6bCZ|B1k{ro(1YjER8ui;GucC$4VxOb7!WI&whRGI^gZUl*f zV6IAr%>h8{@7;vV0moXq-&GyX%FAPfv)B|Rzg`Fig_Yo1@D81rw6X)Sd;q!^)L74D zoGpR7bHv|)h1uKRH3G#vl^;maxx6Nw%DE~gs!hlM$%BE0SU^1i@VRAqRB1l=9+%$p zqXOIF(6T&~Z4UE4ZbL1&If)0R$&vU%BqIwdI;6D(8&4zURvVZlJ~k5}j!h)ccH4IQ z^R=N6BAI|1-IH%#0%9wBt{TrN{^=D1tAzwJLotOQ9RoO?vHkjj`1kL2(m(JLhsHzq zdR$J$K0?w0J=jpHRSNsm@CW)|>@(H%Ibao`V|%l=Aj#OqS^1X1*>ddFasSLS?vI9} zz1py6!nBS70Co64V*)dT=89|nWB`u?-3yn=KEY(QRnNcX>fsE@JHSl`1?Hk(Uv4xb z4aAsq^A+xlz3-QGm7)F^b!#Roub96Bpm-$KF3& zd2AQ2R29Au^^v17#k^M5~MpD(Fg2vp(9Ivr6 zVB`oJw<=5Kb3=v16#x+d3;k)#xd#JZ?EmgQ#Gw#*1|W|3dx?+1VHLkq1~>Nh4q8U~ zVqgw32H^*p#5oCjq(AKTi?b9R0l~z4wbxV- zfzVkI@w>zz4T4gj&TI$KtgM2JG03tJ=jW5cF^H*D_#MCig2(;q#t~GpnA{@%!ARj@ z)z;HbLaHv2Af(!d;j)fPGBOxQqHUPyH5GX2c1x4`AHt!rOmCv&l7p1;7bKy|CJlibxbBBT0l45};=}Vm)JJp)lOMDlakmmF)*QQ+h@MLq79bL_ ze1`PvJaxmz_hl61mOxmGbh3!U09o2W%D)H+d-Rjcnp%hS*>7;_ihl1(QMrcK&Y0=A zQ}4V`$eS=$Dc%7e!R*Uf2(y;pWJ2@v1zQgyA5ksI9jZ|>VAF5<38|D&xgaTB2>bK% z=d*84TjJ{K1R%!#0{t+z#iYN|s&_YZ8VwfxRG^7o?NY-=_z0dHxC@}I4vNbqMnD2|916qv_W=O30gCYP^XDuWTzR-T z7zN)Km&>*u@VW4o|J;o}HVIRL%ZIi22968d)w__l00@vNL2 zBt8=~Pl#$2ibcI92kjw!78Vv7NZE!~1Q|66&Oy4UpcVnx*yDhZ8OO55_%`m8$nZRX+1ArM7J#Qd5 zY3@36d;WRmb2TqWX7E9r2@^I(k~&Q-*R|G{GWYlBtd(5h_g%Nt)SQq`uFVP}-QD2&yA6awEx=Aa>G0&rk3>q7QhU1X{`LRG3{en?5pOG-*Q z%!WMC85LobjnWzx>aFc<+uTH3NxCSAxm$UYqEp;%%o$U#h!Z>S)8)=X+q{v-qloNH z5D~=CSyTCXx_%M78fK@TmT_uaoSkES57_MO?&g)EeXG*^o7ZPrQKu^EWLZU;Ehnpz zzDT-6sG>o3>-{;QtnxFqTwwWeBonaF{AjuxfEVjEt$4k2Q7pB2jjw*VAjlbMXkn$j z(arVVB*rGM*M;I0C|z%20)%e!YF`Em02v6<&cN z9Oz9{334=?@ZL(S3$mc(2 z-lZ?pFZv~DFcc40CFcBv(|NUrqCZaWRejmxoc~=G>~!Uu28bRdmTe z@WnXI_bfYD{O<f>`&{Cutzsoh4>MN5Q>r}0XxdU z;@*bu*Ky#`u?!q-H|L%mT;vn~8XgrDCE?^$8D9?fjlU)-+alL`hhbvYm~%$uCYS53 zp$H5@QpY63%w7nk$fYr@An|MY{&l9_6?6fx*STzsqe2<ZAa4)|Ro<^{`ccW+F889k{2~4gDY!usV)RX%>h3g8B%U*kj}Py{Gtf7~QpWGN z^5$@SQ1ESXButgk;kNRPsuf;eRtW!K|sBloj-_a zf7Na%*X04if4K`!21B?WNY2b>8%`T-V}DZPii$7Nh3q(UL2rYqE3x+1PM4`jklj5? zxln`Ev^TK@Au*xTdYr^ECXrrC^8AZ3)8FYbF2FzV>6Mh#)o;Cn`UnaqP?6x_;k8V3 zRv4R_peloc8S@V2e-KkhMfDCA2AI8)?S+PpjzA0jDWYJ@_@ti%Jk!U*BxZmL5ox(}3(bNG{X7{*j2?5SxaE>60NgMWbhKgfP-xZXM5J3P$N((L`b#>MA4M+Hz4vcJQ~;S6=AQ;R+&(1ZMfeHv;Z z^O17G2cEk(U}rd9clhrXE_ZdoF)UCEspihobWwXCRdrlBB;h7~o__@2qCzrv1TY}b zH>(4n42hYGt^YmXv^-=0pu*yJ9v(7(3A#s9$c^K+8vP8Z5js`YlF-RP@%ikjAqtcu zt3aTE+A{3;>XH(Y23E#Gn)feuSKYvY#b>{HYbV4bjP&6X*VBn{?j7yX z((!!gBjb%qOmxTn8vS(FP*sI~zlkRUuyCQh6Z~ZGJb>zNd)%JDK{A23+*V7U((MEf z4ToF?++`?;l$O2W1XZr;UZdE+nZc+d;KL|ywT1wz>8|3#X|5nJ2#l(C~6jjmUTfQ_W zV87tJBc5M*5en+{{X6>{_px9?7z%<_BDDfg1%O0S7AppKSwDhk6Lmp#rV)Kv^}869 z>f{rG(zKCGzwue?{0f8~Fhz9%P+RS|JN@6)`IwKzY!N^7mDCXbh{Dd!4mela(eDjV zqwFb%1!iqYHwt0$n(<=k+{6qJ=ZrSwh#j>mP-dWMrH|?Yxg;MyKOPB5SIl4L%@YrF z*qTfRGbEG2DI6V50AjYkg&<`lw|J@7e;fENgFkm@}gi^FD;n@%yYvzLSmy8JfKhJ}+pR7epZEX|6aTv;Z= zLIax_ia<)gZ3;{^$X9oOFAXee1IZJP;~s|W&XyzdPdh>^KYf~L408#R`Bet!yUzCD^2)fgyyQJxl# za5}atKyJVdEf~KG!^Bz#{)DM@DA|ML3I#g4)3JD;!6G*tW-~a&w zXoGh8CGjvQsmQy01>~MGsbLP_y=X-9g6;{*%3=)<&Cs~SM4g<~^X_G4&{Svt-ak2U ztsl@>#s3aw=B(!DbWz54i^&B%JLk(578a3?Qda}O1JED#*fhf`>}4%aKcV^+ub8P3 zz;P*%I>SO1X~Y#GMJ*;K2GHXm3}=P&07?0~?4ls>gLOtwL%zjqPY!HfkQj%PbIzt% zDHTErB$q6SFq+>D5O)EQ0+agSC-Y0jD#npL%b-S%7-PGOai!8tNX2O7SMc~VZ&IK2 zY(w2|2arm`i`WTcf7jkL!gf5(7W!d3G>4BFi=~K3!d)63GKd$?e${~d9b@;9CL8Z~ zQ-N9xHvFKrnQ=hP?z~Qwk?jTl&wQqu=kRYt)s49+M)cpykq#Dowm}R3-!Ta%BFekF zHM>7*j1*-<5!-bBPmoQo_DxCBBX}rDUgS)!UL!brEQ`KFNzz03*^L+nmY9Hem;b3v z%LSqd`-5T$ncYQ?l#z-^gK?mJf{A~EX-b0je+b_ffjI{Me9r%5mPu6x&*4L;9yfJ4 z!>*ce?eAgSdhhdoUm&FVLq(Qfel%XAW}}i-(0sil@S{?hDhk^0ujfW{*_m0pJv&n5 zIOTCJKH^cEk9;F!idpZc*zma@A~iiT{oftjis57Ae2Arus0oi0Ddgr~ymdHA%b;pT zfnD6Hr1`B9X0fD{)TcTFsGyjr^UL4vq{g97R9fI`zW%CXiG5ijutKrw(*a>4Q0L2u z4>Z$>Sw@(UbM=rkk;)3SWSJSOLyELrC6!V0`bX!QIWDs*#!YZL)p_L< z&1S0!QXgj_wNOrj-swKMq6yPf@I&NV;(J>(<^5Ip-A_w}05L+SxHy+dV7!JZ1IkK|lePc{M z&B-$4lHc#=SE2;%b|V)cvsl4I0L#Aok$=Mf%IbzUxpFZIZ)tqlk>d}2iF$x3$2KJsew(Rfv?zs5c04 z|JYe6s`Eu7zi~<9hj7o63=J{UR|?1_X0p(p%dG`X+On+3{_oF1&zB>4%GA@peR|6P z7Y#-KkYI6-yz2a$m&i#l$CUZT?Dq%%|C6v*FYJBO1RXb2K3Z7SSOlE60YrrpB(MtBE;sIKw3TB7>|pIz*-az@zsd9TC9gD9tz90x-(UF7Y8TLrkrxF8i{|dLj}upno)U!N~_j##MEb0TJjD zAC^4cc`#$<#t;)bW%c;J94qLSVfnPse&>S%wbKf$zYTlsWG=-aAdJt-QjH>%ej&Rh>oTJ z(21ua`u@kl57iBT?=8l@rp#~$!t4(4thrPKp|;!~ z$)7NW76SvTRQDyQB>)q@p@r2x;b;bsWYI1kkR?=EQW#R1c<6=0OGO*1$r!yYyWI@s?*gHP^N8mTOnH!x1NpxwR5UcVV6TK_R{@kZ`6`)cC;+yA zHM?BBK8A^Q=G)uW;bHuDAh!uk<5O(?fDMz6XoZFKC#!+({avg^4EnAK>lL_hP_DgL zKf}1?^1k~-(RQLtUA5~}aq%x7;?gJ?i;9V%WhH~`4oF<2YNkqCqz^kVACTsFWdy;E z$-*9^^G*7CdafINHOQPi5P2ns2@K#X35fyAY}b6m13@%cuBIqRxa(9$lDqT9V3nih z)$AVcgU{C}UcRaH?xHP42^F2dDvJNU4O6tl^u);#xe|c&LuD^L=OsZP-+ffMK`!9% z5#$(|BNqP^Qkaenzx7Y5CkrNK%dyhzDVq_VSsTi~1DCl7cM65udOE!A4l!al_4PtG zpD3XHy8Tt*;>{z7AIbusA%xqeefdsxC?yORIS2Oufm_>~MN{E{1}9Yl%*gz$XnA#c z)eJ2bqHG1<)B!|E-`xF)uY~kX$QVQoR$Tz}WVBKq1K<1DWSszLGwLcq8XA8RF0)?{ zO^z_&&^1At;U;7c11)}Vq-jubTGNMeao*^2(4D8r=e@}XDqW$`4Gxj}*Ef8wPR*7n z34G^p<{0Wa6RRxhpLe+pIfR&NM-{pRqhXUizKmMCSQWjVKiOMEfrPYAZSq71!?>ax zb}b0S4;I|=&u)58G+Ox_rUJEKO0wTiw65cCGupPti0;1+~ir`yLn7B!&l-i5r zaFrx^FCUns;kyY$g4jT@EGHh+EQod4%u)39a(7ITPSq#)32+K0F!DW~!wU`El;VXW zL+M`VBIlc28s5#3AQFp=i0}nT415PjvNyyGf0=gNzE<~fKiq7A*pl%oD`Mc#5a(cG zBIZ+s2_#~91Ozz}3k8h*?%_T%^d1?7+i$=(Fi#!0HdD`wOw-cRMS4w!Q39C#G!XQf zKK@{h9HtHT0UmA0nUs}U39}B_nn{jKxk=Z4HQfXg7eMZ@C;qMwSrE_vnl4S@+#ggu z@}jn&naO|_0paSvdHI@~)MBIn@j+)pKrM@YIYH^+KLhg9M}Isov610pKo^6jcl=TY z^VV_VzQd{=S)hM_?yaJpJe z4*bHD+buBUqZhh!xx(0D*Sro1&%-@wnBf4+BMi3EDmA~6#(t^i9t$h>p!t)Fqho`i zLn)Ba14#J8CfjQk8}hx;GLc!Rz42>D=IqE|P+(vg7#L7k()l4-kRHMnK{Q1H=Ctqo z`yOr{^NSl2z@1T$sxZHteR=3!NsPGiz?x1(DWz<9SLCG#1Py~6;WIEFKm1UT970ga zegq&{*RIioSb*T(J@MjSI<9UWH)894!Dr>ret(*WKYlxI~^r{ksVt9sc!r&0w`2pc268k`9Xmm3!_-7CnF#j z8B7pL*?7<|?mMTb`bw#?A#OA6CwNZ*MZkK%LH-WWJVX4^OZQXSSg$69NyW@TWU)a; zXPf;6T{Q#|n^#S8hV88vmT>-0E{Gc5vji+O%JT@ciY`6dk|}VUb4G(hhS?-OBQq0n z-+`hB!cjuZ+qd;{X?6KE_x+wm95d-liXmXQv%6osu%bC<)a_AB6m9D0$OvIY*Jlm2vq`Jqs=uF{ zhmQLCyH`L%^%y)wuxPddi<$7mjEFuos1v27G5e8A+-phxIxoH; zRv+7l&wjbN^hh!wNJCV2+TlxMBP6pF4ushG$J>qey~$6aQhauv6%IzmrAar_pARRL^W!=Y~4{(D((&i23S6%`6$c1!vv zOjX^sGizMAB)gj^;4A9uVQ=g`bKXF33hPtH9?>CF-?_J?Rc_0TqA{^Q>WT9sX~}9p zP!HVnZhKNJ7AaV0VfO??Y-x2hDj~t*ctBum^&^PuXkl!%v(+df0(jX(tM|9=)xiAr zHd_FTcG)F4K7K3IGj4h3NP=XnfGyxO1O_`o8;{!_Fxl+f9KkjT`#YjswD;+ZAc8i$~;yZsg=IS&dX?#J!~OliyMhw+&+KHn`?t>dvM#9lPq;=WCiTSpkDuh-*;q?1lp5D5+frgHz5|g06+vWLhIBhvvO>zD#O<(Cz#M~!b z12L+*bECSpw+&m*urD^vL>KG-oU`SoxeK^VJELE{OAGT}%B-xa*~@14vUpUCWM)J# zi~M+@Y0w6wVeQU?KyVxboC|mGsg`!7Smkh4tslC8(b+t`&KzBS0tKzj80)@xaHa)$79we3p`kc%SRSbl$0eBS8(Wz*C2=dUrrgh8!{Op{xiIYE>P&4F10p@(9i&@t%FOiJ+L|)6Hj0$XL9V{BvF(Ksz~n|#qc*qv z#Na&@b1uBt@b$4D(|6fR9BcXjj;%qhzfFMaPN+n8Pjm9yuz1_jW_s!gLT!V@@qJbR26+@9>bhr@1# z!=vN#L!sKm^>pFL{q$_CssH;NipTLLZH(OD@83TqcWOU^z|66YP_w~U7e#=N+$z+y zZRoJ=7zby#%d}#1ZM>DZc~=r5B=%gBV^@eKYibVCalJaVW0rP5t@vw~E$!~NRoi$U zZ2Z|h_P7omSY>9Le}W|?Ep70teH@-!zcuFA_EkT{wCuz8Z|xo4@R5HA3=FHmz`)=!?t$eqvWCJft>eoD^LE0i>OFP2=MVWOx}O+G|^@; zf_hfT>1@^w2mUK@YWG-(a{lA=dcXABK@?#=9Ne!JkL}!vMHzyq124%3g;a9McHkG3 zrcHc1d2|1!yrSkTkW%TL)@Q%|vs{F~`F@A@KCVD1_o)x^5lzlv`k@Ch#}vQl*PW)2 ztN7GQMCx{-6`3=ciZ317wuYQ-%mm$(Qpa8poEIOtzeK=iA8jU;3ALcj;)KiOdh#}1 zX^!yx);)2I{~mUs*F6=NSr6`gCjJqhOCf%fNdmj_-EgbN1gE|mrA$JqvRZOOw!FE( zRjNt+NE}ffv1A>_>&os0${iUaoD*sxEBLbFX;I@5LW^E>HL5>0Y%F z$4FZY>*l>YoX6kSj;m?%8?73nmQ7t`{nV;rRDE>#Cf;`)hey?!J3s!MGEwoWdC6$& z*}sc_@5bCNLTZIyRHQndTJFZO-Pf&lFQRegBhbl7a~<%~GPNB&Sc}M2;Sy$N3iI@& zmtw>E7etKSyIe@E+=TU0tjInPKhdvEE3pU{H~$%KmRA^0c_Eg;1gF&Tv~1}a%OejT z-sR;tw-fD8$p#%?S%2rO3UVx{A#y1ttO$R4kIj1V>AahX=dygbo>-B1qFxcj6c1kH zr!2GxV_Y^n?9<;Oz2Zi4XR#3yM*SB0N>S0nx!(^rS->^pbGrIe1-P2BI6qieIabcS^>->bdAzOO^j z)48zEJHO9sM8fY-#$!DduOc_1894RlW5~0I!@;Q(@opixq&?l4?gc6hBlqiG?Y}N( z+;*^@5o|PLIHVwb~*)*rtW^j#kbGn++6KiQr$H zjapJTcIFSub5VPKcS=r`vf8lt;LZ+3-7QZNe~Tfn^m<*^x=>jm)9JtRdMshVcd_fq zdkPexBEx=TegBT}0u)4Iqo2Hdmz}#dacHA6(3J4>C?Ttr3RoUlU2qGTk!$6vipc5jrHO!9-5u z@?T%BC+;g*EvXN?U(=$JvYwG?cw;M>i_|UI8Z{oj))jb8?}OjkN#*Z9#T(d<{h;HQ zl!eG8x|S5Bu;{bWGll&<;doP`ho6@3Pr9>~%{DKx>nhH4mt-uXiw(>dYV|3fhjr!( zBsiXht$D9knCB}_x776tpA$O?@9lJcy?eymq(JxWw%vs6(qjGEloO$$Vkc9V$a<_7 z-Y>k!J0oh(kGTw_2L37KhkaX4Ytj9dtYFL~e(zR+qM3O|$j@&(S)Q{d{-piV^3G8> zcHbFj@^t_4PhUyx=Qo}(kA+jXg*LJNG3(DC3;)}kHZNR*@~d{`+&D9dqY{rP@lSgb zc3OtfRd#e=UAVO|S3!wyi_O@*B9WMoyjw(XkPpu?rB1ieZp&fq~WaRkAG=egbwM${D9nr<3QVA4E!x_TC- z)_JJvIMj?^#81XL;#*?$>1`*o}8Neb>2Uu!=Low`s^` z{eV6J8MZF*BTcA|n^B+(+{6Y2+pRP@=r7_)z5h$z9H-aub;X4=Kv! zK0A6XXF88DpU>i!4`$1kd-Xl2_pW>*WjAS*%OVGbuX}#=la&_dkEX1%Ny{+#>6Wna z{LM~luf}puJrhDHHk*-=9VR20IY)s?{9Xh4kjYpZy&9+M^0!>Dg z^mg8P9G)_}*5=nsA23FnL)&8vURNHx_0O7PwMbvh_mKH8rq;YJw;t=0sx>f!(G^fc zNTW{$-_#J7u5MSo6Qxa+BJd zj(^?PhY3{m)!8o?jtZMT+mN}+$0<)b-4Ir~G;rveQD<#-z5MC|Vm4~>1yy&Vq}lpdLg z;2J-aHvJFmd|^x9Gu!;Fqx7sdioEm6M}rxS(HXM--GCLEn#7xYLNhE}eW;A*k+4rI z=fUu|&NexD93chRm}t)PEE{i)XiE3VrhR$aMISLk3#T7JD0+IL7KY|=>oH>91&Gv3(3)|DWb9_pNueP z+1FmjnZyf{*~Su<<`e{x_oOXR~HFrDaO_u#VBn^Jb>LPkSf!jc`g& za_v23)q0{Srf`xOSd_8fc^V0pGk*-%mz1|Fx+-N=9qjw7lcjYW!8#u6OV1bg^vL3; z$F+*JsA+8PE}Au$V8uhsAic_z-@n{Z4yRGvzowO+9hCJ7$$bgr5hHSLm|XqQNxkLWIl_`XCcYL_} zp+DC6yYHO)TCbaOC+??xrS|uyabqxcmkkqwmr^D~C@^-LHT2${G6Nx5G^I=`M@c_Z~w{W3eThVbU<4xIB>%ylGMP=N2+SJ(~?_=s3 zU3Wlv)&Z~j{vVgI#I|2|$4x1<{}Jd*?`7cD*`BWMp6HTHo^tI6=|>NEJP?0NT`zIp z-C@C2@?Qpnx3%@Hdmo5sDJDMBYHn#_7;Xwh3Eaq;z@NX$voG zpl@|r=|)TN`001u@uTlkGKW`wAF|Whehp(xWn`^kGi*Ct5YppY)}lNlz+(LrOYtRZ z-cwzPHZ?K;UVdx~B6;qiQ!^o7DY=5NjM^TkgCt8=p4?xfqv)lKHL6a$|?=v9+%n+pcpXdl=FcT=DNc_8IyOMJ0xWBg*FZF5j@4?S=%Ad=Hv}9J)#8wiK)90*Z9O6gt zSkq>G7=1;eJ$=5)%%+Xghl0ycFPvNM{d4u$j6kWC{*(eC-7e)^^mfqadXhGkI)y} z&-coDl*C|FcWXo~sKn{NmdUYR0oLy7=R)ZLw+fXc?BnnYe1x|nPe1>gmMDG8iW+tJ zYY}R?HnkuckFK`k1y*gD<%Z*oZ_IB_Nk7@5wJANs&pAFV%-8*A!9?sufD%^{VQnNh zF~~}l-*!VqxYc}h>z36(3tZ%gnq=Nuh^suYk*>h07Fj_(sdbXV690Zan?si{{>_&- z9jRRv(K%!>9bP%*q{&J~OWGOwHA<&mZ&tB?mwdZt%zLSO75t6RAjfpp#5i+maH!FE zvA*;()=gcXr;A;GG8(SDIm@>G25`e~=OXZFIJe82wM-nSMbrL&RlNmNmCqY3jG!R! z1L>4*1f-F!LxXfT91xK16p-%jMmnTHTIrII<`7cS-F=7u`o6o?WwBhx!-<)BXWn_9 z{p{IWg<*pVa=9o;+k)GxD#Ox2Je=yo_mQ^4^pEBWZQB{G-ebA;?Z3O43#Ml4H|@lo zqAWET)+WB|;GAo7&*Q|km~Ee39f7jW*Vyl1-7?=eb*w(oxnujq)hXtOF9fbtn3-Jv!IMid(BI zn3Cg+OCIRJz8W9i$CIFVARf20VV>b>7LdG~n}30op6pAg>&jOBz*m3$v5Vif=%Qjz z>&xo8MJefNn4m?PLA^5)f^Jow)vrxXmYcUX^1^r7kDSdt27lsyQ{O&?*_fATUwXuM zU47E}|G5ANF>!A_Gj9uXzSZ7j^@PmE5xC&RNo#G_P6jYU!7C{D0vzEa##x!)X?Mz0hfi&j*Q1Gz42gl#!1i_tW9 z+c)EM4Oy0WR4QJO8j-AfD#1@=z`**Q@Qlw}MIQcajMumoi#-k{tKNY&*ks->i(FKL zun69*e@TP7(U@IqeJgC0k;=}VPRjGNdOcG?Lue4AER9E2%jL2#yIAKd$RcpO+euv};_lAL>9s&2xDT7hZt3r=^Iur!ru)88PEHgvb?=-ap*r^`UeLTeZoF^nvGm3D&k<)htWS~ID4~xHfi)$U=}Ml zQ$%V*5*Z5#b6sJRDNDm?g&EYV@#t8k+x;FI^Hij5NgJ7i8~jiEqI7Jc5oHc1C(f)O z)OCgT;C`gJtu(IKcw@)17N_V|gt`3#tNKX&b&U3|RlLjLJKbo0RwU+W8SP1!l8?f< zpzn0#J@Dt4h70DF<>Yos*Q1z}2P0DT$Ek+>YNibYNWY(e!{11e%+0B_K7<2ZJl%X zh?977J(?-zr?<8HG${wBxd&2EseMMi) za@NTP=L)t4g7z_Q%xO*3BL7Rulpemfymf?8NGJ*3bE=sJWn5?I?*;!A>~K~gp6j{y zv5)P{X}nP7Kjv&QjWUBym=nHq{_sWK)rQn!ek;<0GL7VMUwMWt z4ba|xU(UcZwQM{%CfS<;NTac9CV|{DSQ+vwBD`jUUh5fTrd#TB-TJ^1;6;;@zVz5N;7lt(XvWO?L2gP*SGIKE#p zyLU(VHA=u=%ERW9-8;4q+x`cF%A@Os@#%a157DfvoDmqm8Ke(s`746_3|Y4QNvpU+ z-&hu?Fv}V3_}_;)NB7)jM%LkGgLfl@kjnFIY~TNq%IT*~4i)rjK;Wsjue$?Lzy=2aX zIjI7x1H?;iNI(=*+pS2_z!{`entCNPl)fCij}ixfh{vs}F2kDOp_`OHots_+Hv`JU zW2-$|ucAg{R@`$xQ1-`*Y!ao<=tX7kNJ+EAuhL1Q3vgpPUTINKzsXyullf0D+=eiu zU{}2( za9E52Y1c#X=^@sC*8oL=anQg--z~Zq9$zaNJvo@VwPxhuq#KjnD8L5yNY(o_h3PJb z=`4OL^s-`$dLGU1-JGoU9u0I2#&+6$hg*vAI&b8)=DR=vObXQjTk81;vyE!H-VaE> zrlgP7`%Rxvk!3E82+auc0Y8c;w*`UgKy((YK@MuGq5Y_V-!+AM;Q~#NL{! zl;~)q{c%54hj<;*a9v{*Mu9l8Bl9>q1E9@cpj>`yD0x5Rs+lr=RnF#a-72?VOjX^Z zG$u(UKWyK;MzEPR*^y!VrymT{45&y}9k^TtM!41gOu{BuO&lkMG$O7$_wXs!3)0OW>6)c z3$@WF^3}^H3N0r@t_UGX+8QL)2+U=N2b@B+hV7@n3~3>i#SX8wVxz4Q%l+u;F`7EV zCPtrV7F_7Qi=a+N2uD+kIB3R_&JP@a&u|FAQ{_E+n3E)$2ko65IL=;)e|wEz))}^t z@JK@O62K99&cv%(JOG|dLKT8ob`uZK@heS{Xa9ZcnbR3QvW+K8ye#6eN3*SilTw@x z#ziuM zTC3>eLG9SrG$|E2%%;u|^UZUwMEf>p zARLJT%BtYWV;H3!ns-Z7qJK&To|_zJZ6IiN=dW4zx@zLp!MvgVw#cK@5*ncKt})fCGECyOtYQGCR~a|>eDT33%% z*fJ*EA!m>`JPD@$HkL1~MvH83@JkJExMVZl_e@O|Nb#sNY@15-*8CO6iNC8p$H@!k z!6@@3q4Kgbt3KdsD~u@7IadxW_~X6n76(oG)kwxR^@YTLR}~aGJmBte%js?0QBRhA zG4|SHKtK;5Q^NTN;?tT+>{G4eU^BB){o9<-8vmg9;4`*Us%yrNd9H)LSbHrIzifml zaSaqF88lbXN5vhJFe-%5C`#d^zmxweQ^geP#Z48L*z=mGGnV9k!iS|>DFp3~(WrT$ zQ+e5%IUkW(3f&MVa<^sYfsY~l5)LLIMPMW~j!HnxMAHro(t4B+aLwby5vc*8A>EZI zOFV+bODe}2*D`zqgGBKXkRUNGPkJC-40nQA_F8e!r0kz>sKu7yGm<6d>UWy#2C%o- zrNSwe8ywKR@y;C>NGwWp?0H`k`d%=+{5->6dp8^Dx+MBgR;8ligePt@8yD3u;eMJl zV1?|zFsn4-$+mjHgX2Y5n^DV)?~efzQbMlrk@3sDFaVzc93y0{oNmU4r*xGL!~zl( zR~@B-aSw{G{eqJWK|aVncZrSI^zc&C;zfh$Sj)cx#lOg-rqu^@kjuy9)8vR_&C2YB zL-{DJtEG)~m<+m*tozpQ$o&Tr7DN4$`_w|qG$Q}9$&$<~p)QymSe;EZHVJ=pW54eF}^CSqD9T0SC5ttidR`okYE)v&KMkth;gIB@Pw=wiMxkD3+*|C$v z5hN%Rhho9r`vOUBrGfKU#Y2hN{EdXx>LQm{rh-?L(D#Q%@4zpMBHFjCCe``dj}>Bp z04yU|pa&P3M(CP#`H#e0aA@z43|FcP)@bLv8Z&#!95b;XjyASw* z@&Gcc-iMEGLYdc%(3ZyDxkdo^aoTF}V6-juveSFdFRAC_o=hAO`z+teF4_lb!}*mI zWe#)zI?)Pcsa-3MB{71IF@sy}$@1MmZ{s>zy^#eb$_=Yd3$`k8mi>}^U!y#=CPR2< zvVWy;LF}QZoEz5s9X}(O#7)k~0NnR){5<|=X=4pWXmQ78PQfckaW4O+1y5@D{F|BQ zAWfs`?wuE;(S{;0xAx*0=N;CRtG={87sJuC5K2x0br}ZBA8^`e@gz&9CM$>`>pj*Q z+pF6@yLB#kc_&Q$F;H~8`3Gh6ndx;(Zmw;2Q+%@hZDynOD~z;X)$jl8aY@eZZIp-3 zN7%r$61@E-X(P=FL|<1k|7Y_A=O3#U7)w|2dl1xbBISj_ULZBQM%}$P;Ur#?U6w!Q zdfJdi8n`bWNen33C6~8qAk_qu;*le3Fh42*Y6Sn?vf}EH|%Z z$N$P!X!h;LXQjo>9|6op8Lwq1W<0zmc;5Bk2v;jhAH1*278$z)sNJw?)Edh>ouT;f zq?lOJFNh!|YD6~GD8l$Nrw4V}*AnXCq$QR)F~zMVxQTlZ&hP;J-mUE8KC>wG!7e`c zewk9`DkY~50w zYh!q;&{Yy1xY(!$Rqibk`a|~rn1k0?irZGY z8D7Y4wFOLk@5Gw-BF_FRR)%NrLX3iVMFJpKvADuTaSScgixeWUVK(A&E?DzU#GYT= znPhm3Ct&#w?j5;Q z5}*qxFxm)KYM*|&XCT#fhYshB`%WfGK%Au!&1FIgRMN&QJ}Kv^zyFcxZF045DT`tf z{|C>+SDSi1C`th!JoC6FB@e+eSGZ>KQ35hn8!}cYUxNSqYvPwZ#|=%j$lwsCCz<&9 zr>2XZ`b0CUFLN?trpOEmvO0z7{1|W*rG7l{>3n=*D^#!}by|QW^0X8BTD+(&2L%Ad zr!!4si*M()w|LKSjpdSumO0{};h6oM3tXxv-sGI{P~}#z@)Y~OY#$DBep^bCWmbvr z0OYdzcuQT@ny7Xy1J~91C5V5n>wfm0NDvmHBu5WL9EcW*DJ`zHiMXk{;cDK-Q}Rg- zqHeS?A@Tr|5B)fg9hG4u3=`UFu{3Y0QD|dI#LGk_XLXFpsPq1pF8iB#b^kn?>PV)> zQd0}$%T_G;NHG*p_lRjy=Dm7IRLh1B$JdWB*5!+9?<}rAbQuxe;zk+t`5_(=7f4J2 z#R_S}4Ir;aLrBFp}%CwaNd_YaHk^E=6w)D#=6 zqetQfxyPu};4_SP{6XCOqZ_+#TT%cPmt3kHQ<^#UtY2is!zzMeqR@+31 zwOkj+NsYyPMeA<0rB$j4m#FH*rsDUbc?W4dq$K|Q&A2y3DKK0KVZ+3xj>j=1g{Ds7 zF4NZf|8l$jL#$y!m5DE@sOZ^b)RBy*o|v7Ll9EDd`Ep)thjU7`fkk4G_5~o2r-MEg zI|j8US=4uj2rz1r`M~5DqjX+bD?@STm7MAtOp&MLqXd%AZ8tq1Yfnh7hf|aX&N;>} zscI)|;5JkQ!JT5xTv>ZQ`6I4}8q`!Qq0jM1&tFrpCkE-ILarT9=9je}yqlqP&2z5SR8cmt4J$mJIc34za>8hDX3@tEE@PKLZ z=}Cc6Hv1?2pHSpl>Ceqd^ZGs4Ki!HZy9|rjM2o*PD6@Qx>(AcLjZ(&?(5wd+l$CMv z@TjV*bDgvr6F}>|ej{m6Q!_Z_~#JUJ^9gkS#;+us{Fyb|~=j##l=w zrv`9);6l(--_J&}c1m1&xOn;QvZs(vZ?g%;F*Mfdi;(wTuTU^51T$I^go11=wdQ*6 z9tSP@kD{Bj(CJvE*l9U$76@g}jXp~%hU#ZpN7>&gvegFkv%bktyGC~Wc2Ll@7p*VU zPY9bLuzo`BI8_IbH+$O))d*6%nrM`o!&X|v9I$Snlw%}zac@7`_eJ#u9OMXi_*rIl zFZe+PCa}9G8<qdTyw)qEQSwz#*Ndm{#^Pc0&iZK6DYfHp(wM{fvclt!}r@-xqSgPm@S1^XYp$ zqbwYg{Xu;$Ymo$U(Y4M1vq>HD?+Z85aeFjca`|L52;P=7l6Su1|D7M2+Y+#}55S{i zt5uO(yBYsN1ntadn*Y(@lC+bytw&Y=$3#P@Q!q_$i{Hupb~b4mI>NpBKVT?nVB^;X zf`S|0hQNgQ4dj`jW)StZLQ2Rq99urh%1vNx{F!gpHuaWi^nRo8X!7E31#ztW;pmuo z$Nz`@{C@8_H!Sp~-~)*n_|jw9EhCLBQKV#am(}Z|=iXL9(HnBMjqOC(VTgtQYuK^X zziOZSb^L&DAHWwHWW7Da8KX+KK62iA{%`5Xzo*Pm%p*F!FO$~3WC{TE03m4hxR^j; zgz`faIXc6F@j6SIV(;P=C_Ep=zq&3T{a|G|e25~O!2;2cL*Mh1L0fxg7*z1mz&=~7 zBye}d@7;%^S4&4|%zY%*9=~q*KeS=-jz8v2;!}`Z{`|8+9OIHAq~t@3I@TEwwDpiJ zQFUiXr0M;N!Yjt$HtBO}-EGDIUN$N8{*QwR$Acr3rR^J z>HP;qnG>b`%lfN)AN#>?*XHM@ozSw$hql+|s__YKRs6A}nbUNh zxx_K*ZUz@>@iDe^ZD;0zv49mbXa2ZtMlK^=iwZ|E_w{5||(Bl6KbZ*rU$=+p@HoIOi?0oJ_F@Cjb;>MM3$$o;RiAqCAM zq%3RUha=Mva{Lv5Vb?HpdJZSAGU!G#K^JK%Q*{!-!tI?>eOWdJaY$K5uFo%Q4ZT>7 zXu5|ErN4(05i@~~9gVXu8Nucnc@4;`E42%ie9+WJeTBv7U(buz?^SK&!<5=x)EYZN zyjzIfEJ(x41Kp2=!5;An+`5DJ8H=q}_oUBP6e%W=L;%Au4*GuLJB;o$b_xT~ZbGkw z{f1YhCH816(nJ^iX`x&q^?T@`8o~iROB^X~yIAr=F7nSutf_>D11LHuE<1RX{|a6e z?0g|Z0jM=vSAu>~`zXq6M=EQASGk^_+3H{Gl%YQ3J8LXyNMe-4^N@-yQjqc^1CCj& z9*&A&r1L$gwNJSGV|aqYO@_mbmGZ*{$gD-jr08>;Fr^t!I_?Jl6ZVhQOKfOEwHp+` zV4vUSHd%6`EG>Nb*$`C&-M4q}b+35E))9c0DFVfA7TwkvwBhD9OkiQI4-MCu_fb#bh=tz}qAa2inB;s`yG<*kV~ zomj*ilH!Rxze1jb`*%HGm{lH0zV=s_X05&A9ubTGQ`BUVK?K%4$} zu1$7(K@NQbpo5r=^xb#r0-Jyc^HxUX6N{MaOlI6J8!EGEIn07TmIF_)MkR_)A5f4fsGlFSIWvfBduh>avA1jBk*Da+f_TqF4NSpXS(8@ z-T5L&V^f+xE&a???G)#3A@r9&V_1>U2mlN|TVHHY=@{&HQ|a8`0K7bj0n%N~FF`{d zWaNOB=r6WjRz(Hn0esbzrtI_Mgbi#j3q2ni8ka4~K(Vv*qrWJPu_(g+AY0jtBvVqU zYt+J*dqgnowTcgjp}nc|i%G=8%7rz9Qh;X~i6Pb1XoOLZ8d>wX9KU<8o)zpps$4!-^C@nAOy!X`N{NIss9e%5W4U@p?jsb3Gz#K2@N%L#N=NkEgSggdUEL5@ltNAL^G+q_) z7}eY4kdo{tiu@%v6AL!U%llwwcflJqI_6LJuX|OaZFB+1ZKbS&5TnHQq|$XTi&-M@ zDy1_Hvf`u4QClf<`WofNn9|FZ0(<_Y$R44vsA~{w)JPArS(Kfa%EP(9qurc&w4OB* z&2KyS@ENDvTP8$qUvLhFpUUft_?hL3RQw`XynUKA@nCe+I6DKT#@BJ!+sUb!#Kkql zL8-pzsM#(Sr7CBj>a;-7n22{x-?x{Y3uFn{6~Zw9DG79lAg#7ZP;(aqEXQycEhp}@ zIc^idt9TUQFqmP;+IJB-H_YWPg7Iq-X!U=Qe^Y^1%=a9PpBV?cE=!wVGyI_%8+ZKY z@&mroA}s4an@&>g3w&l_O|VW#{L|}>lbMbCg_r%brDF*_(#vMtOm&H}{|d-vEX&V2 z8Peg~_0#uQ=$w%xieS$no;-$xx~yn3t+&Yy_Ai89ElJTfCZ$V|^=+1S8+rf=1%e>p z{0&QE9&}`!{%gwpAq$pioWC$8nO70upj{6qbF>`A0OX21FP3!K-d$mNHL$m~f@;^F zOkwLUs-!dvfEwAWPckM)=b&p|)s-eZe;UtTn{__1r7WUFMjaw;akQNkJv8Y6cIazG zd(sx}|K7H#s3~%RmQ{~DbcmJ5ie0F^fM-G-$$#r<9xGo#Leb|PFGkKlny>Gsv~bTY zuvvbrnI&p-_{m{CRw?P|1Om!kM)0QuX zQdHTF1l8(05GYy!#ao{FW80QNS&DZ&z-HZL6-_L*#)=1WuZaeG7K-VW{QjhKoFr#K zx`(RBsb2xA2}=hOMd=)HinStye$%CmZjh%NjH7$Oit11=|EAG~vh|$>-%Z9q85t9? z3>przJB9HM;kmP24Ur8tj6Ih6O*|2F)KXYP17WVnpBjlZ>c8x9cxsvDqsayvR!0Ek z(S0BTxBMxldyJxNv3SAl8~c+RWMo0%50`D!_0DgC_UCF!0Wte$qk?x{0$@Joec4RG z@GH0;%zXvJgo7iEmVt<>74wCgH7TH&vS7f$2J-1UYN+*J8-&IztU`<%50233E*C|8 z@+VtQ`bUHrd-lJ`Qiy0o$o4j-?)qT7R>oOjKLeOyo0%NIGY~{nWUJ4a0F*he+Gw~+ z(f6p(OW#9ZDjWk)6Zw1E)_3DwiqT<|2b#9=kr<5FLrT)*P81?7G-bC4sSk6b0$kTgeiJ%5CT?; zB$#*kG*@fL%#sEUnv!YZJkW5t1N;b`uU!Z zL>fLx-|2)S%*^Sa`0bDR~$w-LHV|zBg=jU%?>G_-M{Yo}D>LPvrG__Fk$_O`h$xN-j4K<~T zR5KTyqO`~BsM!33&ceWntMu5@JE?e`AuZ-P_%R1;#);~+a!{Xu#4qI{0wA5kNWtq+ z)eK)uGF~4Lk;G&UK3nKqps~k&id{6bn5O_N(%+}#SH;GA+C#eU0T@jQI3J~SpA3%d z#W;L8AMLjWhX0=fYXH9ipLefLbQq&i8s9t= zX@25&sw5HfQbhJn7G*#j8HHdird=N&Gh`+k!2q$+D~gfdNXvIIfu(v9 z2`)vLK^Zo>z)6?qvXI3ystZEffnM|IS{OK9K_(%0(9O=}xU*d2TsPO~pG-oVGsnhe z^vXz=C~e~R%Q8h8wYub_rUR$kas9X4>?=w$s4y66V z%f>^oCjND5gaxYQmnpxaNkl~M>_KN_uqu!g4gcB3Nm2Us4`-z*4I^?QZRHw)1Y(8} zIo>rh0m|Di{C9`@XE&EVZbiPCpKM(ZJP3>YMzeC4EM>cka3x5eQpYi?-U9zqvN==S!SiKW z7|%qF5i{PK$5*xZF@M(v-n06wk`Fc4(Qm%b|8PNST@LqCvh+hx*X9a^?+JYio^4+| z*A+Sc1v;%{cK`Wx2EExBImZbeAKpr2N1<B{Q@6Q3bELG@%5i4?Hj7IYAe@uM<={VW`>eJ4Ko)Vwp}0 z1UrHrAHVRFBoCX(D=Kz3+7JZ$TXRRm#l@vPz|Ex>tpYp1{#vtPC6*Lp0z_`x#n4x% zcz~V-UZ!d2gX?v5D8Zd!GtI>~aZY^>nazCf&5Q-qhDH_1D@fD}%AZ^-+BQF5|4q6x z57y+0E21&~uE5^M8K?7A)&Z-r%i^UlRRe|wuO^p}<|MySsy;nF?Jmn16Pje%n*}y`?lPB@) z;hYwp(rC0a*RP`=sg)|^i!r(NCfH6|Ex?n1A}Ja0NvZQouq&}C_wueDNm9cQ zU2b@~i&ZS|wLjsXx;X#EP=4U!L_fEer_9?K@QNlzz~o z>R6ZldnNsLwuRYwsL{Rxr{lwG%n9$>?=#WrR;zh(tC*O*{yeA`{T;bP9%r^t2xO|S zElVaJHwy}X#IFd!krI8!%dm8yiYG#-6-HlnpS6RwL>kDE6iRPOqz#*RRf zUs8UB-oLL!Nhx-Ww!6Elg(YF6u@^=k{nf-!q5Z6423vV?n(JdCAw6cV%w$TJDWWVy zxj3DPF$%kK(+>hsE=U)cnc^S&37+1}DV!QN@;Z9);ERnp!KASj7Wy(>C+m|4P5uu{ zD;J?{Hp=`G%OMr_5uq^pQKIjo5$Hdk->3O`zuYnuyZj7-qt4hAf?w%5=8zA8#9krX zgm~RHp|-(_hh#!S^U1flPh4D>JlvqqjnK4<*P4W<{;vpvbA}S^6WeloRzQo6kN<4mB!M zhDYSOZz(V)d2SI3gwgNb*Nnk3ccz9UYLuEy!~7FN^GAHe`Hr5Dm{Ey7^bC5f)4Bp> zsmwr{=+QG-o-$KBS%?ExB4_Zjn?WPh);P9u=Jk3OQ>j{d%}aYeaFsH)JI+O-P-9tR zu`s7=;E>BtAUOD0Fe%)t+pj#H*gf*rA@ii* zv&r|O+#WB{+pbg$`~pMihahPdbKG#V*ff;zjR^2xODuYX%FiJ5Vww(r zTm-A5{6gu`?>{qyxH7#m27};$lPKc&Jjj8<|EBA4vaQB&FqIQu_VOxIrYX&{ZNq`7 zqa?Ss?IS?3_;uSqu@ccWZN>SJzN{E8+{Jl<6OCJX}KQnVf?Mf&SxyA9yPz**) zO47KP>Y55UcqU#n{x@>rH!otn~Of6Smpml=sLHTroHk0N(D=hj)N`~ zk$LFtmd7~|lI=^b)II(q_kMNj>ETQRpAIYey)IAycl|rF(urHDhLT=H5hrbA;th|4 zP71d_Kc?TT=PK+5sG{IB`>E5MJg5QuxN^E$1M;-)0Dm{uPQF_l2%&NZ(Eo8EQb*w3 zQ74(~)?{=cdumEDn zXG`p;NhD8qcLG?WO*c?B2+g^_rmJN6STNTZrBaGhJ{l2|(0bHCT&$RbzMq+qnc4HM zs_m-+G0$()!G9@F*{AvZq)5u7Ya2&t;o{`_onHh=-T%J0-_`8wLVdar13Ln5OA%F) zY;*e|T&y(p;^nBC)P)mzH>(i=qI1^X7N^PPPuaG+<<>mdrX%lv6$GgvSPjV~SArIp zSfB37xRtf>zr01OB<>o`;;(tyd~gSTvql8Lr=Lw=+;#6>r4+NQr+E2>0d2FL!qs47m`g!LTqg8N_tmloA+NcCfyb$=T_X=s-LY#AxJP+ z^|2nxPxOg4uxZh$PBEGB_LOhd#w%h1r*C46e*Yx`ibRW^dzC|izlto^j_uy8hX~(O zI5sbGu~>Qy|EqOhkK!3$nm%Y8v`i0HDGdbj^M9jw%5$77(h-Mi&4bsKmJIHGe}1m& z)Yw{(EDJKA$2ToHqCQI@2;4?VZ8bZe_45l&b^ZwT+;5I;ow<9@u2;|D1opsM5tu=cs;a7v=jL%N0WAoB zAc;|+!mu5TuAlSp-d6bE?|R@p?d@@wa&oC_w+@tsCG(U@Jih>UG}jku4GbL4hi!Gr zZxPH=^@Kv~zMN&u)i@!M-VTXB3##??_37wWH1co@1xu0n;K*=BZALJY+j}^A{ z=Rg>Yx$k93#y&|{q2G#U{>S;Vc#$PMT-^*2+M73~dzY0TPG>Nm4a%MP_Sa<1m@Hyj zX0W47bAN+A-PiO#PqpjwV&SNzR=1`WX`8V|8+iqV<|k4?p75q+&*6uwuywlQ2z+1v z>CYP7oC+X5J!jtS*7xu2RQ$htUsy7)r(2u*{E77$b-p{+D`{U`VS4OJ9h9+F({X1-L~Y7&qIr0E<2tUO zGz)^~AZ-Z3kqTXxC`34zd){*Ys!a#1W%%Zq+j&o!DGq#;gy7KR@2kuRZ~T@f8Cr*! z#b9DKv{t{8hL9+rTV_}&%?w6@aD%dBhkd(4Zq$@ZLCE|$+C|nef^bp}=0qWWrz3J! zq0Fa`>lOAbPH?0h;s)VMKsE7n7++S~`fhVF0Vd{Gd~)Q44y!&DrG6|;5G<9Tq*vlJ z#vJ$psw)1pAA{1SpA zAPpLm97MtKOJ2)2x_D$;^;$wI(7bsxTQ}rX4-A( zMLxkKk)b6dgC^-i_KG|8iePM<_@ciaUY3fbh6OJ<1%{R^4SFt1_)mMtXJt6wXN4h-)rsd;&Y&D}Ppg<3vEhy#W* z45M&Ypzb4OctUO}-LOzQ>|GVzZVtQz1jnq*fu){r%t`>WH_mE*J(7kpydjq&lkpvI z(5O~?C9^DKYE;cM!vekiYUK~;E*)jQEB+KJ8Ev(x%oK4i?jcA9z7{!qHl3i1KqQb% zK4F8)f<2~oWWP^_MWZ*LZ7T5`l-lH9xMq(vD`%C^g}+D&&8M|Mo2af(1JOKJR_NOI znGXaXK5|+xf}jp(+GoW>N~vMF6Ae?j^%PM~+pA=Vc_TNh`27Do&kvM4GjG-sU0_qEl2|2Xu7sVs=LaAp6 zW%Wtnq}XQP9`iIR{$TftGyA+BH68sTO7;3{I)jUTh%v#qOFJWadJ(ezY@9T;5kcSn zW&T%KV-&CrzRd#_TOcyEO}xWMOsTmjN5sfJq;Zm4W>=uOk!_O=Lc<5Y*6bs+%( z=l0IdudlCAjna!++nqyI!KO0A4IDB9fjW}By!=$AS=qT~*wA0!$X|){fXuJ%TV3%< zES6pf$cr)Q{itSKopd4DaVBcCp^B5v)naOawWe7#>jj%>k8`3W$-V+x8rYw~<7BhE z)>dM0s6?7J;jq{JN!8}~qJ!YEv;EtP`}YKx%FGEuYW+E$F#xSWL`1AM`t`N!A(OGg zG9A1=75w;&-k5rOzn!<9K{Ek+^1!B}Ee24Y|8es#!=W3Er$paIL{uW?4kj3INs)hD zTBx}sGXSOXhm5`W2^9KkJkHEhix_O)|Aw*?5EEzkjNDLV{9gN0C`Z8^-}|3#D3vM~Ek%U$n>i&=-ueQh^iG(Tcn7yW*lrlsJ` z;S^w0oTpN1G#F1qKtv?Qm?Q>eePV}F)!IVb$qnFkI^Pzy|6;u|7l%Ql6rw5*Q(dxIw*yqR#> zMWW$l^QqOP7bBm++%@E>@$AANti$)WK-2ae6<^g5TjsKTH)|lWDsw+Jng{!T2w>U) zy*e>BHy*!TKTGXom{g)Pb*yY*?C_@j_3>&M9LhDjaz7f+qTlZf9)#4L1|+{ixfGL& z-D&CK$wOqYjEXD|pT_z_ei7EucD!WQi;AE-P?o6z8;#67o9MeDQ`29M( zc1*ppO7z=N#6Aa=SI6=?w`r$mK*2tjieNNHi&T9McB&dJEcEevlYFfyZ)T&SU6LS} zQ^3p)`1yf63@kM8FB1COpLyaT|K5rdK)4jTfhQ~5hY#D?1GP-&mzO3+MsNTsUO{ZsBpI=p#->>`*ri}Gr&4v$?! z2DzU_FGZ8pSBM#OwYc@(Co#dEC{)`2n1pT=9xhMiFmjc;I6CAVLNYcyhy0_S(UzDp4Cw#`%=} z2<5$$U%qXgQ|S#ePTz0JhC(b0tTvYnajpZFKTY>bY+*lOOy8}KTN`hpdS;#-)xdkg|#8DK!{`8WVsO79{op*jo1hb9saqG6D$6^U$<= za%p_m+d=nrgfBazv`W|DVptLM7t2WA&3LP^c|pp*9i{fbS_jRjNt{MKh)zWACjx zUGVS#eH2*x^aHWn#hO!pvp_KnmkK>zzh{nM3(aiaw{P9;BEz*HyF;|OG|K1s`Cy2a zzQtx^-klb4Zcu-gdDdh{2fH-*xj!>{0@u2`n<>2HWWj+{^XaK#!OE5Y%JJX$U$1Xj zj+TdHe)Qt6j9|%EOzNvIs%=RTVp85MO;%cG2YGv`^pOCPZZ86jICQg#3yWW<|#leAZnmX_19~#4L z&zN#Y18IYRM#^vzQL^wN{qKnSXU^dW16xi%>>uI#==vNkN3;`h`+v^jKuC5*aWpFR zf}C5h0ayfN`7~3a%d%YxlIMTpEEk_hcouFsEUKx1;k(B)3{%rTKe#DMq(9}H`edBEO8ebK zqh3q|ugDDZ&73}MnYkn7JYD`Rb)zGhywu=;VdFVrL!2~ZjnUxXqEl@9V=%4k3F){6 Wm&IK_Xd4dv$VhyId>1qN`hNiQQ47%k From 90d6b4006c0614c5fd8db71f582c5e9da7306a4c Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:08:31 -0800 Subject: [PATCH 16/44] Updating MDM section --- .../mdm/images/unifiedenrollment-rs1-41.png | Bin 73781 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/client-management/mdm/images/unifiedenrollment-rs1-41.png diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png deleted file mode 100644 index 1832454fbc14380b0b06e3127ae0eba4dcefdf89..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 73781 zcmYg%byQT}7cVN(A<``(Ac)dAgmg$ZNJw{gj?z8S-QA5e!q5#v_b_w}&Coo){@z>b z{c+b__jC5y`}8?`pU(|bQjo&NAj3dHLc*4j7FR(+dZCPj^wJ&;M2M z5=E*Uqu6`?KsFbV7ePX*0b$-7zJC5jcaYY0Mnb~r`R{p=@Ck?f8ANrFk(WSSMSSz+bomr;@c+cb>}_pL z?Oc$qMiM)pF_izr)GS?WOp%J=Qw&H*j~z1NB5EG`hwZPk>H1yi?*+}wf(<2QXw4FB zzL|Y@JN%#zz)G`mi#zOGz~*;*3y3xj{XA%t7@U%_gZ(UPcH3EXdzI$r4);EnOeGzh zdf2{PhVPfE7Aa)#yOy@JEbdf2?pO7(iA91y#x^!sd3kv!2!zzvuSh;VK5wX~qN}S} zo&D%SgMHCd3sRyJtE#FFM*J&ny{-iHmY}(&Pm73Uuuaq2Il)d|aLQS+N4J{e%AQB= zLB8SIA22e)n!!c~jwr%FZ1nxD>_0$9w770FrWqYX`5jq5v=lk-K%&jT4?4do9Tw4g zNvWtL&CMBtgM;OK^bR_*va*_wGsj&{WMpMiW46OBe*Adn@9!UZ8V`*O4P{MPG;Dm4 zhGR5M6zh8w{b|y%umRI13t$+s^s@fksn5BvZv4pLZdt(`O!_2SZP{d8dXn;2uwu+M zvl0a|S#!(>YwAY??rn^GXeZ{OauYOAl+!$hBhs(BR^GLomskTj^l%>d$7dchc5V}B z=hxOiF)?_?(o0KAQ8Y7`>+9LgRURC_cvHCx*^^@8yG8~ESVP8oBU>G74Glh3U_)`72}1-@=sxc#I7wWX2V;!#Jz{)t;UqL$BVMk0o!0Si5a^v;bdj0O%bv=gnwF-lu5Rjg zcY7;0pO8&aG$NsI=HkM+J(3cjU1vsm3>j1EyfWmdbY@t_bmZ#mM`xfk*LQ2Wt726r zV<^Nx1g1RLT5!7)mn#J z2uCG012&+29qSL2vAu{_wM!6J(QySf?=U_`YG2CPec8lAxD46VNsf*#;=F3$Xa{`0 z^J3zK@j)=J1iK)mU=3a>WH9BamRA2!bcXWu_MkO)f|hu)lLcRp7<>>;ioIdnEaZ2>4ur> z`NxAw`-^bqbVT}|*-J&vWkX2YTSd)owY`-+0Bn?Cte!eBI@^U?U~=ksCVs8GT(xVg zKbYZGK`6b6%rBku(8Vn|qmyF<-CO|S&Aoi=$@HXV`MTG=Td=caEaQ356*WK^M-*Tb zP&C!a+VP@X(~yOot14fMF|}Z|%o3Zd3=lwki@joU*<3?|2;OmLmtRywPR|KsWo7-b zjje`;eQGM6@wzs}$y~pa+r^gSfH|FG%*6rZPRBoHjo?)+sIlCyhM~bv)05$u_+uU% z1-4*SouIvHPq$!2R78{8ZOM8h%Lr%GdgKlke&IJ^LbKRyt6lxi?Ij*_mul=OGE}OD zE%ll3(R}?wcC;2Z+;ik2DBhvK;l0Z|PAJC+zFrWfn}A|9IKxq}i`$O7qGV&ifh8o{ z1;f2iQ`_X2>C>l}tSnGvWhJ_Py3(Oc4twOn!a~z=$6e%$ggM5I+nM~bAHrR=hFJj2 zGG_)c1rH2FPdebx1^&EF@Ku?M&XLYVA2Vj{{n+7)<2(+j^o0j%bF%fkI8M!SHl)}R1N8G z7LsK;xCMF}_T(k{A0Fj~t;qEl(t~FjJ^gJm4l`|~TU%RMhQ&(gMNK^8Vq;HEz_@8N zZD_XT&sgd z!sL$c8;A3TPFTLq{FXBO!bSw`oYu=p> zXLP)KUK?F~E{MYJhV>g+PMeNHV|pcl?@6z=S>TEFhp`WHFo;e?SW~;Zplr6RAK4&5baFc zZVHFFl7WFRR2L(*Rwf5k=6q+o9|jV(%j_Qh7@mxFFwu50bZfull6V`sS^UesqcMv(hK%c}%1_o4+ zz!_R@Zmyh>>ARO#%~-{mV_8DJixiZUl=ywBh;|QP^%g)?*Vc!n?Zn7x{z!)Qw5f@g zS-)-GqtO2-X2`+n;`6}o#Z?PMMG#@(llVI}wn^mO;5K<}ZPR!2L|SpBo}Qk4uM%FU zZ&SMkG$p%-x_>~xXj(d12IefKD37VQ=~s!r zW-6WRsb233u;M3C8UNmul$VVj2b}Pz>Xr#qCY-H?vKxFBICT*uKWO;frN&uV;8R6d z0eYo)tVvy&M72i>vdN&LC}F-bB$opiwEyND#3$VJ9QwNdCVoKSUEbpCteIa`u&1J< zAo@)J+Gaq0JCVcolb;Ff3+O;Olbj|mWgA-ZXdZr`hclVQ1hP)~1E@IAuG|}PsW9Ae z=DJz9b;$E*d%MXx6f<347{|bn#eYb7h-@r=MAK@w7+3PVt_<)GvoGPsnqdH7p9~96 zh4!0>wyxiCE)!06Ji5kIF+8q-D;Yi%;fiUvWzLnA9~a4~p0ZPd+=Px9gb|!PwW}*M zfTEDy#?J)ySB3`G7}FhB30yNDN|seccudr6HPzoJ?*tU4tm~jdWnB*aeY89}Zw#zE z1P2ENK?fztbGZU=PM0IBRwBJW#w^_KkRrErEJ(BMar%v1 zLQzdTdp?Bi(vNHnl`$WGE<76lxJclbc#f9EJ=M+BKt^LuEKy&Vlw;07XYXcCt!KFH zOekAmd9xi=1X_`-9kN!IfAE&S=F6#QA})W;!n)-&)Tm}BV)?$T=0j&R1k0GTqN%LTnE z5I1%<3?a6ov*p|V?r{|tG^bJ%-`UP2=Dfl0;#=TM>BYY1SIG-M6_|7=bPWcKUmjq& z3m3}f8BG3x0AS7Mhi%7^JP_v{8d3$#tT|EY4A)~ncv~h0N0@UvDxwyZl8*;8|nV`@o z@kzi1o}cHCf$8Sc#VrlrX|eC0teV=-j4M3X4dL)%@;h{3z~%M@bWp;_K)#g*1;jQT zW-li@i5%vdLH=KWN*|A{>9Y158a#EQKP;2>3uWym%TSm$^WF3#H%W{Ngnl0pA?RGfgoB-*?J z2R-9gT4PoBCh;4fc1rCh-Iy$G$u_t}T)7G!g38Zp=tkVjqVwIsD@&dJzUS=7S5QA& z;e?C-NCA6y4!y?;c@ENjq3QpTtE`xRi^I& z?Pb7rdS|=DlkmqXve;L(b1Zbs+Pvvm4%*vK$(}i8E~3g8tLl|Ih79j%`>!-Ya0mYA z+F#FTAG;U(Z`tfXH=`JQ>!EUu4h7vyE5fGT@n@2=NajoSfInGQj zE{5y1y5;2O_q2WTqO&j#9vF}g3=EtgYkm2zqIRsik15As%O}ttR<7V#VqI~&7!iwp zjrSf0}#u63@Fw3VKL;<^tRfziMkQL`GVe znbAL9dOwA?9=CfNnSXq4?d}M2bke@YEAIOp;3Gq(@0IrX0-}U911|yUf)JND=n2D5 zinMTYIy04=-U}Prhc7ofZ%cC0;;%ieB2MRxL0xO(Yk+*jbHmwvG{NGkm|t87KL$SC z^@Un}8ZU8Z$SkH9j$=?HqqRc0=YGMk3>N53!AK2JGP~shnsj@6;2uK-?WPTvGQ!qy ze|{?HJgjMpEQrQUt@+nQRe((_FMmi$x`}uZdwQec<$uHA#E6}qRC(#urB}{#HwF=N zfK9=k|J4PP#S91JoC`nkD*D&+cwTRT1tlZHk;M=#uN{%+K8R3cH`@^Kx)47C2j4aP zXCjE0s4yM>5(oOPhbkjUg|*Je)c&>1Fw{{&Erebz;{<2tU+S0s`u}IBu>S+?K4&`r zpLWG1!2egOJH|HOd56xc|H^sYWL)TGFRM5mJm=x{Y$!{-3G}z9HYmw6SC(^TjP9TH zEHyc<0=}&Px~`S~J4a$2X26~dZGDjcROJ6)^5($@@D|`Dyl%w(S1b_6@=-d(W8a70 znE%M(`Bd}YoWUX0LL`CGn+~HHjv)t8|IBfE)COg)Pqz78OF{tDcQG%^z*Au$gLaGL zD`khbJz%-*wYDaXgGv33+2D$yA zeRuyz)ZGC07Ud3ldvc~OVtPWhW{o^MJn)0Xs_fIm@mF(7tZv47T}|zmiyuR+xbpE=AI$;>+2U= zrV`h8z-g>BQ2+>T5SsdD2Ji+g4!@=>kBBr7ZH2?)eG$UsWZ zJ>*O!?EnrJwUx(42}X&u=v`ugcbOO5w1V7>*xO7*nNalMLoBn4h-0)v3JMaQtGhta1lN^1?;36{U%$G2HSkC->H%8$1=*JDE@|i<73vh(+bHWOyJOrftTUSgt5W7i>COeO)&ai zGRHFMIL>(>>EyQKf-ip1jwBC-;jLqzb3ojA@hzUHR7_ zM>VxlmO+9QT>k;|sGyqt@F^wS{ys%e^ zx@>u%V_G-NLrJgw4G@FFP>FgzBr2KTo`-+X2$ygWr+~LQV-t<1gp+ zB*$|rzjLH{fs1vO+g^rkn_;`Vf6&(?o5O2tynC=G>aK{pzrQ~*vl4Z6<#us_-6T*v zxb+s_*f?*OnvC;aZdrquv|z40JJvAm00(q%AvgS%UGT%HYqp~@t)8LCWO+F6!c)oV%h3~U^O zSWR-EH|nkYqe2X}a^u6MVPxCI?@DNbzK(GF+nHYgxlqO>x<$$rN)j@1sNm{W)^6H8 zrK8+qKtQ5GGOy4HY{JpR11&?&ez#hGjMef|Syv&21>;{&aWm*tA^-x5y@x zrvhxGb9L%(!1UC1jrJ10YP2Ggx~TCvj$CeG<}N8;khXA~Y7W@$UBW-v82U35Qna zagJxgdNJ7|`gH9btW=(HR-7`9r$J<Z~p5lLfLRYewis4mBUTr%k zlrH3q!7!E{0{rnYHg<#U@6i1H?68M9%xo19fI~JByWzw+jcYuc?h=TM+7f82o(MW7 zVH(D$-dSht>7k=xdOy94FqHIF8?yymWtZn*Ym*M1nD%B0w%`(%?c=TU1cSZZjdtL^ zyq+7#3YkI?*%J;u{rxSOKfIA{l5$EbnY#+Hj}7NKUhz8LVntH}e&JD{X8rsMG{}43 z=(TT>exonoN^pluEhXnf_8#0F$=uhEqU?4`f|K=0)W(SYy??;q9~Ljhamuu{f^Gy2 z-RA_?{gB&5S(~Mn*GrAZJwfN@j@Kv3)3ZD^BaY0@O>FF7=HoreB_*xz{gRWQ%j1ry zl{*|-R%Vo(9I%`-8e5$mc*s*5t*~qN(57oOw8Z%lQZ>KFO_}nN&l%InGvYeT9pmAQSvf*m)ehr(28uFd7 z%-$R^DWxUu$n+5cmqspQ#Hz1WvlUm%VrsSLxdsJoR9-o;@Y6fDjlqlV2j=!4eV;3$ zc)flQ&)P1Bx7F=9-tXe+ek}d!VS+r2Z@UpHLt6Z0X!oK<%wwnhl7cV;JP7M|yz+Sg zlYGzpC6!xD(haM(x0l!P>;t^@*e}0ktgi$SXQ+pJ)c~D#obq-TRLBsD!tamH&acIB zL=Ou!d}Ju~D zlNbAGf+U}wp;q;jZJZH@Vm{>ZfV+BiOj#3@Q{99$=~&J)n=!+Oy)p6lz$>peHk4zh zgxgceUr<=cZ?jg5_e;buR57yX1!Z?;JE}uRHL@}7tNBJx{Bt4E75>P=M1>FZ3^ebj zsYeq$J$5qOt8K?$OgA)6NnUJh1VzMaGryfzC{OKVS3_lohu~0llP(7Q`t@QiW7u$i z^z}klPmlPA4P^6ahpyv{UNgK@g2lIU$7Vj_rVwz3znbd^{3 zhdSVbTLHcj&NJ68GOkV7mXsOJ;{VdO+I~&pe(mXQj<-)Tch&7ZIcmOI#wC}>L$kq; zheXOlZPYhZZ+~+1HZE5~W`m6Of+Ew2>*Za){ zVkKog>v-FrTY_h+0FS*OgZ17dpu{ULw4ef03k$0Pp7&fe>ZTNeg0}PRzOPn2>}lIC zmC4A52XxKE2V420sGruePM5#gXP0(hvrSI!?%DJNBlN+zz{hK3Omy4*W->5lF^#p{Yqa=y7 zb&$`WctO;Dh~ty)GG?GP;Qf2CNiBn@IL{y(v;fX}zulcs(}UXvkH>*h_H3<5^$;!!wPnQ{yZg$M|yg@2Nr*CoXsaD7X4=%-5`|; zI~k4Xy!@Jpde^&u*DkGpd^bk)IS59UovDDx$%ukbh0i_X=Vs~*+ke#&W1I$!`{8^e z9u@JCi??K*8ll1oaVz)6H&vIv-nV~bvuicQ>-K+eJl|Kp{`2hEX>62T4?jJIT+cpT zla~v4qO9Hh0fOg%FmkOrGi*T^FWG?-Y$cViuxE_uzwUgz{XA=Lz%kdj{6^b!-RyL5^AZ-BwA zeEtW9cbpTrpERrb+@Ijo)kzs$XA*U9hJ*Qrnt};qPcAV<Zkr=!X!f;IBT9l`#!{60qqYki;pl;`4MO996N zc!6hVeiw(IJY0{=?xFUA#+#q2nwz6gAUp(52P{t*ju&qC53ej)-{WnJ=ak9Oy;WgfC@1D-DdBNK*+X_y2^ zvb@e9`CB19P15z#Kf&`<>06;&ijNoLAN#k^uyOv@ZVjJwKHWZTT=J~-#onZZ;+*%# z2$DPeT%8vL`Qj)Fc@W3q!&up;LEc|}@+v*Lu#;Ec^7o^0KZ(RoW zUGA&^o+R30$DvA4Z8U3MrC{qH;|F-2$3_VY6ux9HBI-jy86y&X7=8i<-f7-%?2NyE zsCq&z?(R#YDoo-V3^1dNs_kxR@g5O-kKe=Eg1l>ED<-fs0RgRnOwN`)j%_`*l7xF2 zZNEDpR@{Gd#onFV0aF8iLV+T__AHN^&%U3DsVR*Rf9Ccoe56WnwJIYmHt)cYS5V|8 z-+X(+{c&CKWMoG;Ahj0r8ZP`ueSb|no|D}cdleTI!8NlyA$@%OF>%#}oM_}5EsXY% z6!o{bY0J}WuSEr;$j;w4Zz1e4@#)=$5^q*c#YZv|BBt|8LKX_4X{)Lg=WhurInUm? z+Esc|y(NeSXsm??J%<B&t%)YTRhb1G7qBC8K0FCX z-h*pgdNC++iI-MqY=Z?+qcbGFenm5*gIv!fIC*$ud^^77)L3)DoZ{ug#zmKMl10%d zZ$ba$q{=G}2rRt%0%^X3D7{7v;ecmoHT|HeotnavfAkpyVHLNe!=!LF+D8G^x0R@; zd;Qdgw4n^0aa%>-BSa8ox#^(zXEbTpQX?ZzGIgikkFRk%G3Vm$+?BXn*1doSkoRN`X(GqT6 zC>!9t%bUoYwsL}yu>@$%xNv~?aR)Z(;9%&FqKw$|=#dMxp}{rIi-`e?<*NZm(@`Ur z^wyg%{Ol;s=Hp$t%bZw$5{%-{>}WvtQ|k-`=CHkfc)$NLg?Ny}!~_G>%x!w@v5#2U zAQ99Zi!seJZM?Gh=S^JvuW=xpLyHsmCHMV%JbBvcSf{5A&5mHR=+f|raP1_pMoeLV zI1K-1{f)H);sNoV%)}x&gljHomXp30C@My_8n^HlPxT;M`c?XuSRlJhBI;H=raZ3p}5E5%VqEJmE^Rz z2dqYoSmJ1r=^I!qBh#q#r1jP?Ve&9Q}bIX z(ynnnkX2rlCYuxw!oj_{f zInNXIW9QR3@MQeytZKev2dQ+w<+p)wWQXBsQ8Y=FRUlWnzS9UB!3Ek%hbV!3H0Zb4 zayi|=puE((?+x*yA=_fk#LJ@Uq*9vRuVDMo$kzK}S1Lor`@QKUs z?A&0($MQ4EuHZg2UKL**wRCyn}FOy5(vmAgIU>2_wg>1NFP^tG4f;Dws6^f09rXRJ55=RPS( zS8g-s`wNS$jPC-GG`!3dq$#8%xqk%y2GbpTTX+OwGa#R{<9{?Tm|NyOa4R8-~6~u!QaAHUZBY(GzE%Y^udZmFxnir7m|naRE_*8I?;hq_vtC_(h%O$zt;gE+@M- z$6vjrc<%EcH6Ak+6c`X=Lv`&drKj)akglE|Hv$RD&aQ4SbqNd^bi7ckv!c`WhKROA zq%NMHNs+_hi1@N%wM0TF>eH>@{d!TSxT7{oaII@^lossh0-O#G-?>$FB`46 zGX8h0NMVepoZMfXt#Jj(&qmql=>us}!P<;XjO@6hw$V5)d7Q`Z$Ze8Nu{JEesxzsY z;VK1?=N0k7@q1##2Tadqh9cj2`D0L-P`xd}!Jd1WlBNA<3Km<5tTXKIDT1c0-54*s z_mA?n*aJe=fI&M3o@rtWL|E8Y#@X!{Fev&7I;fiIFGUhWh4FrGbgx6tOeA>PW8v*o zb)@sVdoh(_;&SW0c5#KLnmp)JY6RuhXwK=I>(}CE9ReQTIwP^Ji*RIx)TvdAI7c!dkggu>O^ba6 zQFZ_uf8hMI?ra3rOYI=8`_rr`Hv}YEr6a}B5N*om5ByUs->K9aK|~Cj!Srl{iv36O zh#u27f}e6;dGX7^>^z(cARtLA{{n_+aW~FK9trL_WQ`68SZ>er=Z+Gpndp7MS9(RU z7tUiC6y#JzDj$q5E8I6Gxz3ecd|0r}h!c1y98b}&Xa95rbUw8Ldk~!nU!P;|HIB|F zQTq$~r!$1(!7{Q&%V<>rL1wdNacLl;gn*Vd;Bc=#d##e5`_t6``%AY`ZKrI1*DGah z21KaJP*)|tHp&@km$#LNhA1h$pujHN4!l$)5aCRGc1pf>Pt+a?{44zMAiREHaLZi# zb^)zeyfMd3G~tK*ZNDqjWc`3ze4BA8M?Y~iq4QGcsS-}3 z>u_lQXX91?O2`yiHiB<41e)nI+n@bu`S#h>&42Ira#y_u_eTl}EBn0V{!BE3Rq2LE zLdFhf4d-f-DS))CN})WG7POP;{UXIV3EKGt>Rb;!YP~M&yysZ<9H(>EeN`_A{v|{!BTIYjKgpBrH zmp@s7mmGEHJ7m&;{Jta5`hl8PvY4WtV9k2LT($GvpFyn+s-__!gNgJy>FOrtG@|sD{=8?S$I_O8N{5F1rR4c6s;&K^(RLwFf{(F{*e;Rc zvo0sFDha_Z{}-jpn=ke7*7 zjm-)B!_xGXxF~mCO3E(3aP*Mg@|IsB(k^Te?5qi%x%%qr5ehg@)WBn&C@gj=jZvEDtWwEw@{xNQQ}&LE8Aj>m8sWgiuKU^2(ed`q%@*9jVcK+)c=tQzcXmx! zLf9*j7cZovqa>`Y$*rucCKhM?H*!U7bX)Q08f;05P>luV8Q%~Qg_*`nST7+Bd*js+ zRd63Tih*g_yiaA*JC(v;6_LmAnUji&iD^THq=(X@mh7~HRK0l&?-D7CODnh{Cd;0K zq24=R2xi=&UHzHjDn87F>gR4`eR@KaG*$K<7NM?OfxW|tFyOb8kTVgWZLT+dJlu$Rb@d10xwxz31%J@C;3d>v?p}#(n6w zG|zRH!fXm(X3%IO)>*#K;BOC7JYlS8P(*)H$B8!C2vJ+RCGpv}q3k50)U>b|B2@}GLEYA-+P%IkCTZgt5O3sZ9?y1vJwZtS}8yXGW-y02xlRY_Od za&e;9|7BZ)AMGMP|7ThzY~#s`w(b#og)fCr0|}l^0d%Z0DHT~>uUmd)`F2}NYxeVI zjZt9z-!plAn<`Nc9UB7;$%33*1=FaE!&x3`^Q#3eym)7Q-s#)K2c01^eg|+Q;VC2oQ6|F z4Y;|J(KiWWh{CfiKj=^QY$JZ#a~1|H6P*bO3=Dbq!v_f!=deF0mtAebd;X6#pnb?A z5=C<2XVFGwS|ZyR>ln3gX!L~EwQ358a$f3{ev}w0?hnK-<76?GBXWZqW);id=@_|^ zvYnA)m0x>;QEQ2XC3-)L>tRP7|9Vwi6vE5EL1q}X(DYE45Sp!7=*j4AdJ6rmV&6%S zK5w`^=?AkOf5-7T2zvws731}G;UQ!}Uc0|diV@Arr}0pdCQ*S*O={@{KZM|ry=EyG zxvKS%Qp^IUdQ*c{6$QfQ2c)qsuiiiH8eU9(T=VPC2%X>;-yUWXRrGGx)+80)F)L5a z3ObA=7#UOO&GGeCR$K88!X&2s5`KE*AK{w$>8bwWnMyv#I-W7W@=?-M0{sfU9R8|* ze7$f9-UU$<>Z^|-p`hq#ZWD01bb&!bsB?ITxpJ(NTsPV-E-A%a2l?*r6#ahX6^-S! z<&${39esRXy_>ImrHP6-Eu`9N(kAl4 zm9+hPvlCZsU0n%Y;utQ@747k~<2K<}&*i9r0TQp260{T2?n+94!`X=T^sE|m;?Z}$ z-k4=-o4NZ>$0=5=N~|;(*D-8b`-yFT3WuVIihFuyV;35r^~aLj2;%%49DKyyG|4CR zEjMb9cbs-+*vd>VFHlM%7_fK=xT~&Ky7)8qgIbC(fpCTw2nqgxMxBt5*U3S6X-nT^OfP(`Fw?ZUZo)-N+Jhi< zztkaKvc0W^NFwNl*WsGPOY#+zgWG>;cG+rsvLSb!t70u?dZM)jzg=*lTni8?_CE$!FT#vcBHr8+WN`{{eCR()dTCKuf<^ z5_!sTiGDHS$d|-Y7sX|3C}BIS(rZo2OHM{c4Fx9Z+%!bxvon@K;b+P5^ApS9z`(#? zM8}<=z+(>#ZQ?^4q*Ts76A3pjw|oGr*=kSE&3XRQF_YluII()V`+^(?K6IyPGIDJw zgJKF->|*k}Xev>&F&i8`Vw%METxv{SIABatT^4GYbI(e+Ltn047br$bMj@}vckq)q zwMxKwANdOrk)g#jY6@wJRJgw zN~m7ORq|e{Y67NV}^>DKLM`63t zuT9lraD0f24(mWPWlXjP6_FyAK0iuZA>q+&`8lQH{sI`jvWcI;wzZHIC?g*%5ZqKeCNt zp4g@}G&g#};)*v0#J{D!jg4gk?pZNsq>0(rkiQOkJuo!J71dYCKN^#iNTAXPO9t3? zcs3QKwF^=LK3JFWk=9~n8IStXsV1CHT zuYo|U%@2}k1*T_LrA$L3-^Iy%BkSJA#ZFbb+&GP7Wmsc@C%*EWSyGHY$Fxf;R?2B+ zAYSdw35g{A_db&glm4P!@x{398L^VUjYEAG0#9k)$HO5seg84s&anLPY;lJlvT6`|rJPpXG&@ z!~Qk;rrv;*v^W90^G<&;KrIhn6FJX z9Ahr&{~OL+nSinV;yn%oWZL3lA}J(3;+H2Anrt@mSElf z%}%f)$*F9@PmO?sS*74iQT27ZZ#xMUDVM&@&-!nK+p|;>I-F8cAtSo6+mCXqFGM~V zUGy-&+OxH1mAqJX`1p7RdO}9$6!P5^u?*O2MvXPkyXUTgE76c>3i_`uE1|v_@aYy4 z?foKY@>4fzC}8v*v+?^pGa^_V13(x3V!}Coj}Xo&aEk|`WiojB`Me{1wHFKo>j`h$ zcyK$W1lQj@iNjcPa_KsJFWyO=VrxSjIHd|G8_Oqy3D@war7zr)_vMDi?o)uQ2R&Ig zi>}sACIWF;-$@IRk3o^xq_|?kb@`Y%u?!Hh7A7)Ft3}Dhrzmjjy)+E@(u|9PT@!t;+tS-q zSSg|BDtkjhl^k-Gn!9XMJ_1>k5?QsBb||)1n3?j9P~5Vtu$(O$)=25%{_EpeY^Tl? zhk6qyRiMe!5Gn8a)?`Rz)nlngS({YqlKHWK=hyxZLaD>n>-I{w;1gkN<3Slg?(26E-du{< zpTg}0(q3hgF_UOqeSdXSd1>?tV`60o-!FKVPPz80#t`Ihu@4EqkL0{;#3auny&AT5 zWh~5QC3PL7=VYDliOOeqn~hR@pV8JLmJ+d@jN2{RjeSh>OXT89#brvPiu`A{GCUAR zd&+6Xo5@Ke=ea@5^J_T==D}{n_z+=lQhcXh{2`V5FPkqEE5qB3%xJK z_|0Dw%HG@BO)8rxyYi(ZQl&2GpZB2*&XugM!_0@?$7g0+NCaxPSY3=KR8h`d{4KBg z!R^<})gtXHaCsdNOmU;fx(qs zY}zv2ZEDC(Y$1N(2v*VyLIe6QxO-7l%-`(0E#t9O)OX^jLojk(a5 zoHf4$abqb82qd`ckVX3(wVBI_*&JjZs3;A6J7s`4hP3)r@jo&CPyy^QmGoa=IrnfR zReHGb2|P2{gUwMtr)5g9R?3V~?Z`Ts>)J`J^8dMUSG3)2?#)Q=Pw-4@DVID;0^`jU zZs~skmwivhMmQku?LWl-!77epaQAI+Ouwp;2pPI=I_r;%T z`?XuLn-4OT>$gO<^9V{ONmmAUM3rqF=yZ)Czysf#^lua=T=f)#tWyx;nHeb2U+Mn!hZP+#*#_87s0jUh`FU;SN zzO@RzY}*UpdL~2P^NTf(t!S$)xd$&eH^8r@v37*_f3se?=mM6-gRI1G!bh#Ywx4Vm zzbcDTw1X(T+V>j|duHO=#@Ob|H`5MC5$SDRQ#jrUh^6;k@Kvut_DldS}~-fzxcbc z3w8ODF}7{$oU5O=_Y8QjEtJ$BoIK>O_nx*iU zCZH`DBU3<0@#-X8^5WL3FtZctB9HawdOPdJtcCDv%WM^~KH3z=d4>CdmFV$>x4g>< z8F+9`Dxu#xj9gn%G0&k0T7Pq5@*e|#4)T+%u%K!4EA_yilxdLAqHx@?pf@slXy(l_ zV;?K$@_5@th7C1V6xR71;W62|r20w2&!LBdp5v&$yYpx$lEEHkuGKK1X&EZ9JTa2| zN+s*^P-?>8{cO|`Ws|4MSl_C8>s%4WuM?bSocHEHsL zh7w}=L$Ek}-_k6ZKQpeNWS8%TDzB@&oLS6IM92%(OG!y95=Q)Omn1SpQh-tlGWhVY zoc1LOu&TKle=~9N4(CwV|43>q7etv_r7@HeYWV`1x^Nk?3iz!+URFB{v*D~-&@!D z2qP;Ir|Q9i+^eK2joTia2EeI{BWJbj0Y`NsXMLIX1b}U-3F4rc^QyVH7|IkdB_?Kp zm(Ii^{b70D%DUR$Sh6Ymua3WdpF`Rn&4~J){nhK$t2R5S@8-`MuVu?o00R7>P&S-# znQwD>0@ReS{{zB6J--l#o@irZ6FU0(F+y*nzpoP`G{$3$*xx^h5uQ*T3?BwO_3<4? zZ(ldsI@-|F-)n|=iqFEE`+faACjZXf9uqb`Hi(LXrDRz2er6R`m4s7++RdshsVmobBkRhd$1ZYixX&4Y|Wr_CAwd7@~*N zsko%yKiF?Nxe=DXlO2e{B&RVlVd`CJd`3}TRDhrS{5hO2u0S6fo~Ag4M+QlU^qHo! zr`z(YU3u70{SQ*6J1d~d_h6KX^bags54}3W!$6<$o)kQwv@U*o zdTE$k#$|-%8)0fmK>voR6T@U$=|)Becs)S5^ixjV*6^C)gM)qOpo~n}DKpi+EQsPL ztebKllSSb%#(L_atc^?=*W|)m*1_T8z#zKGk6&O2<}JG&58Qnx!b3yR*Vo6R->L)F zZ7;9Q*B;2T@>hLyP!>bvXI#a$L}g&=$j7Q<#p`j_8_UUUkb95HqABx@@-QMJA`I^XLza5Z>6+xOwk^3^ z(-_@7uDaqq%?<1RDE|#I|L$IwJXyb{zUX*py2N*(EDo{~Mo zS&#jcq1s!!^qP7io(y=>H_(e#jv(9HJJ8$9dSE%F%O5suJLpN?ejHZ+O#~|?B_##^ z{{BWVAt50M4-Yp(ZYAz#qbx5kM;nLTQwh$AsHiAB^x#97J9jSpeEeLYm&4C55TTLb zC^&x_b?t))@%O{#^;@v|t_QH@mQ^%>UD&aG2lnpWi?e6Xps>6ek#PwK3G~6)Bl}U` z*o>sq6pXXNE}q(lmbM;5$HY?M0x)YsBsw0Wtmrpi ze+hdI9>b`A1VR(ikr)%nva(mA%z9}Yw`|{zLkABaFE0?4&gM1&lmFx5fvMY z(9l2>Ud%&tTNmOI;*GI7Mf%lkLx>6i3Xbl;IhOB2{zViPm0-*-2!3q*2X=15p8W@K z_WT8mv3!Y%acHb9r%bov_=yv^SX_g!*d#=R`lH~?VQk&82d7WxVZ_IuI-Z08m-jPF zV|MoR8I(14;GuhN!!UKcuB8ouf&Msj_$Yk*L$Kzi<+yPEJWeuwW=5JR_r5(lu#ZFi z3l|H}hY%zu#UYR~R?{*Mso1%fo;`|fJ1B=!XHZ>Ji}>VZ_yzdl(9zQzVO_-OV~26- z^eGxE4$(^ru$%RncP<~1v2iqzp(wt15t}z{U|1gY{yaN{ASA?wp{3-!8C6Ba#-p^N z8eL<4xOwqhgarngjzQ%z&@T;nQT{o4)!V2)r%_s3ftdJs1O*4-H1+A&@iRDc@;Hv4 zJc0azLQ@B!VIj!RFTe@P<<#*LtjD7`f8iox;$mqJLU4g?aPy`uOn(}!^xiYGvJe~; zJlU`?Z#|2+!1~#=X%qR+BaH(11xFx)^v@nUM)@8>aX~(guq_m^Q%_1sMMOjx8k=gd zQSI>faTHUpj-5P@h}3L6eESMSkZ2Lx&ErU7W$dfI3~zaMG0>OiWBf zLPCONBY4Q}Y1FA-J#&#w)HLDn@bJ{0sFUdRf<&K`oQ8)Vd;s}*$MD|TbwETs?z&?Q z0%+V0?%arX-&=>ss94O(Ovl9&2l3o1Z=;F^<>2;pROp@b68kXF--%;;*Wx%U-7ml& z_uP9Y7Gx$OfDO|}73`>EL6`DIWnh{c8}QFx=aQw`d^GR@R`Yxe0H* z_A1U-G$SWx7J6E$@Y-ANqMb%6H7Nn{u`#A$Mu!GdkeBjNPd^qAj9IhiB514+YhV2( zYS@@+s><=J7hgaVJ?&Yu<{>pT8Dk@T*tcUn-dVdIk&)4uo0EmOh+s6=RpC|U-8UA9 zoa}6zJ9ZH3x9&#Sg*>c%=>=9)0Orq`hopo!w9p%V?x#OTdq+R!%$|+-s0i|74}Zqt zN8=a~8H1ppFeD_Wu#<~K(Sg4=MvmL*D z{#oofmdC~vPp7sQYu|Yp=Su33o0E;+)=CbE-$qGUDK>7~gfjAwJ9`clFdoBH;QhO{ z7~>rgpM+T~Tgk-}c9jB*F&;KHa%DWFAG@h3~8;KtqQa%m%ORv04FS?taX&1I_dI#GM zpG8_`4nlqV@a8+Op|GOXc;*`Qa}N33a`Wt8;_D4=uHZC4NfOj@*Lk0Ee)mLA` zy3IQgpO}R1)*5{8yZ?ZLr;FGIQgDGzz{{`v3XL>QEu9?kgoI-@9f7WhzJSb$gd5f#yP+Kw&-f$?u}kn6^h^<>AHdW1hB_nxO6p=Lw#`a_+i|2-#y5n z2h-l#icK50V9w%|c=*vraNh$D;lA+hu)P&tfFCvHvEyJT;_srov=?_tXaJh z0~|`N-?|5jSKmn4o}H9_&6%mQoIv?hx`YLoCZ35*mf#Gbh;*oTRriXvmGwXqA-} z;(RSfL~+S9@-Z|5LD;=*7dksSs7H~QzwB1rcITb=)Mr0~*pvh;UUN6@zUy{;`mXsH zZ?EDgU=#}%&cQ9KmYb14N8d2=OB>KLI7Hqkm*EkY&R>F&p;ajUTIKSQ=be^?xwA4c zHq?)ifo?Q4)|d`skoB9Gy$JU{zAMo2ZlJx z8b)|TEN;K;R@`yxEm)M|k4BDQYUyO`JA9J-Jd6j((_Q!9iv?^4?^Kv}{U2LeQvG%>S zIGbO>-ZL7sL8fx00gG1O6po~BA1-MbxY>7my*wIVY)ft|`? zJoDeafy%N1{NyJ;#^IBvk&uyv@BGehqQ9%2`Ti7p4jjPX$Pi^imW(J2W9G-tKLDe= z*H&MKM0$5|F*FF|BQ_x!K4I~w=wu@sp~+AZm+Kaho{P+ROAtxf3=EH=t$zfCh3Bw# z-FvuDT#j@a`lQ56Jn{JFFxJt8=YRQMcxTIAdR46$>TX7MY6A0#=8!EKajEpKMnh58 zLj`qte1=aR{(e4}rV@BBk-VkS@=H{MOzf1HO*z)DUyB1rjw2;L(eNleU_$EhFh+WsSa)?eb#N!;vlb2Q z9US4L(ddRElJ%Q4cfQdv4HeU~GU%-)Qoo~+keZ2b8fSH?`?qh#ubzJ%+xHx#0rF=p z1jsCMgy3(<%lx~Q+JXlM}S>`PuEkh^fP z87)LaM6sjJ!mwW`hG{@UsoV=zEksfh@3G^KN#?zPPy{8U;x~T(PZ1LxhUcDr7V9}8 z=w>IW&RWA;!5CD^udlZoJ2tGtubz9(OnD9ag~3--OXSg)Z9FWRZH%L(h{!Our(m{) z0W%WmqOne;tfQl&IC6+W7~6u;->KU3b%t#`#rJe}agq^rCc0r@R?04rl^etg2!12tDk%+q-%$Jy@a=cG1h)yz3xpdjjz3r$3MT?!3dyH{G=o}@#$j`7ZX)p&sb$}E9i=-u}` zjIV#=xA1#^_(%BTKl@{3XQv`(b}s(gx4(`1Z(WWZYu}_yn-HCpf#S+KQ|7j|Ce)T* zKtj+Ea-;k(GUkiQIu2i3+d1-RMst0IsUzhoZ**j2#4K5pf`ms$(11pwsi^jXJy@HDBX80H* zB;9a%ygZ~7y4HiqQC<(T6PYu29u{TAW9yC`C@3i>A7h9NiolYkx8Vz4`5M0SyT6CO z{OiBK-FMt#j5&K`vPs>y)|$7-G_ND0SAOvgIL zdNFzP5O1w*G=3bur)ST>7e4niZe6j6ZG*fr-MHb;@)r6D_? zSA@FyCgZtYIJyh|y{(9ooYQjg%rjrZ!}r{Z0|$1Yvc3WB9jez>!=E}6e-1C2>+7*$ z+fK})PJaHgPh-WxSu}>^m;8@Wwkm^BNtQzoeMczs;E+Isu+3M|BW-PMGc=pqn=mYS znHu|OKs>wSGEelwf_k&y$Vl^qa(r|gvFx><{L~YuD9FQm@2$gz_3N?izzHn5^dsO42Lv0#H~}{NfZ!PRjxGa018wyWszK)I8;G1)Ihdaj ziuc}rjUL7Z?A*Q;)paebXdoso0juXE;q=jcI7b71=Hw|_y(iLNs-8s2&=F#MBI|Sb010PaVa(Yd287>#=V89?Z_2i&T1)DJj_~$~%cIn>Jz3 z&YdV>M`q?DX_Nx!{pbOqc@cwk8beQc&4Z8O%!wm-n>=saupWh_C78Ql4pz;J!=b|m zaqb-XIe7xjU7hIdZo-j6`%qL;f$mXyJFKq|HdK51K#oEn%cIecpS)1!;V=Dg$txvm zE*^aBQ|PNLz^kvnX$;VVt8-CXco=8%@^JRd859=e%KY7TFm6nb%tX1q50T z3;ijhK+31Br5Vq^_!5p@CU&k>PBARQx)&xh?cGRbT6OpWx`{Hu!SHxN*Z;oIaI@_VzY2jpRSl zkBzVW3fp(>=ZH=(Em-+$m>)v@tE?zR3CnPr^&(?$Mvnmj9BBm@`Rnjy+mr#0k7dVv z%W`brNAhR6Opw z^HzEZ%gj?XDWqf~Ws8lE!)y+rVmL&IiH^qX%nXDF2T5xD8$)gvZF{z zj^_}un|v(7;<>XicUCTkcUn@^W9Ex8GIMC8(hwRJ1Aoe9m`azJmW2cwPE~b)e<0FR z6A>2VOWp>Nm6d}#ZodP$IkSWgmyBm?Q$+(}!CNnM7 z424vmGKE?Nk(`!H54xX2?%}Rnk@|l)B7f(L+2-1@iU9xd0m1Gzjg9W+i zhzkv5xxi=G9&3bRayv{lALc6zN%4XCPbL_kP{nNM4_bUsp3(-0dKYF>62qc?!#ZVvew8X6=WdD;F9o6X^3Bu5mr^t9U$MFae)CmzGR+zi+BhB^d4 zgs?0*Ogn%6EEFR15q|!*|GEOwpW~HYhaHP|8Ah)eqgY={X zQ+FCgY5E{FA&Nt54!HwEv1ZLJSas7a#yL61&Nd(>8M(Y#wekw|3AmiNu}vK4hj@Hg4ICxhrmA9b_6OLeq1h z93^JwWU&l=rbAk`>L%Q@Y6az=MUR~Ak#d|fdzN{|5E>SZtl5h&XZ}L-u+^6pBzqIj zHgL-=x8mmIi!nPR*-V*PlNd9{)jXXS>=C%?Q+CAI64rqryQin~Y8Q&pOpfTUIWm0o6KDHd+abW-^2d@6X;- zX|(`aQwYJqp){!Ka75Ii+dt4pdc*WU15MBCJMQXCv?i5GGD2SDX@vv^i(!^?h-n5* zlpvNffIMqSl-7r8xTE28XmFUi2eX#WgfV@1NVpji_R-jyFs2Km7h+Z=On~R)X>6Rb zWaS6aO9&u6HMc$v?Z!BS4q#ZAc~BtHO-?IbRX!s(^6Ep+pr82}nJ^%P>HK(KPlE?o zAM(^gLnsq)&d(np*1V=`p_wlS6sp#0k@uCwZc}DI%fl#k5XTgmql6b)q(;B=)?U z(I=ybR-x1Yf>e<_bZ$q`kA}{=XN(jZljux9ad@p^kGW)gdstw{GnLleg5BHKV>5>& zT2FZ9Vi|ki+i~CRw;-H~CB;x>>On@3D%QoLYDq>=4N1d6cLdN-1d}%zaCydpWUF%O zo*w3if14ZesrVX(>s(Cg~R-QotG|)UOUX+S)*p>`m;?)&js|4oGnTsfT(zYxtdX|1mR#tsj?L#kWl$Mnv zG&%ummT_bg7VhE$G>{{xtgc1?hxMx#@?L1Tr7LU$B5CQgOUB}nGS8)_9?Q|9$=3xH z$2ekozm6vHQQNB8S&~>6S^+c^0F4%F5OnqGPDlM35Reo-V;5--X>j`_KJSOSGrMMqeOfJ0x zA2sG(BKCl(?_3%54B6wQWzE7Jcie^h@4W{rmM%hkWP}7TiSk4xUxxR`nP+;QQ+SH& zF>Kl#ZM@%fm*Z-AnCjltvYi^9Qp{9N9~3i{*Y(KT2}7NF>b~k^GA8pN&nhD|66E9^$KN_&{eLke^)%dH}a^yrv1pEA?V!NemUnxE0q80**nn)3ER zaH-C$4nk`L6*R-*d2xeboCUQk8A)AFQ%~M1ygE!doL9q`X@mbjV8b(Si}28MpT53M zT)21+J$>5Ug#kCHRhp;5%I_L>uVP)pr{Vr?oIAP?<>i&i$aQyWNZ}@|xg7SNTyIh1%LWG4AG39ZpQX zrvRY4yA6#k4dyKn_cZpkrF71FHjPV%#gJ?GuFk>V7d_og*#748IC1Q>*}hESm*QRy z-bGhOGj?uSi@*Q7|A!y^`w#GMKlmQL`;%u;-q5N?+7mP`9yJ^J3L1^b1=w~=j3q1mKRgciMlJHeSNLqqK=l9M!fpY zTI@Yti1zLtn029j`W-a;5NeI+h)Z|K1`pmJ=tYm#1+sTlm^*9Qp;CKO_G`g&e=pC6 z+1Oo?XnY3f;dL{Q{-FV0`e2yX=gu9+roB7S+|f!ys(niJDyP!$OuI7ipR`Ger%gq4 zE>BFa9_kfN?TcvE7cw8JIL3Hi{AsVo!GU3Px3`*oD)n?zpQRWcRUU4P>ze7bE7i93 zZ{xMKTaml)CVbr{cE`UmQ@H3w3aoEu}oSUsl4@`ym>sUsSqCGcVMW`$jH9O zyVe>#-!b&*9{JUW7Zg5G7L!Kw1`Rp!Bl&9mr}mHRrQEeUenWEuo`2&l96VQ!uKr;p zre@>*d+tG2QVdzp>xe4ffZ?xyNU!M{VkRHm6JL_o5M`j@rByYTWFZ-k`>HJ3SY^o2 zF?#{9L)F?`rC0bwLuP#K$0}J!Uz|GIH`r&wRo6;y3dBQl8gS9lJMjv(JnM1l4bxB# z1MDm&ASD|c$H*|fZABJT9-|GcNy(lPm5dC3d;=GM&6{WeR3toLGrA%t=(*2t!->u zOy{e0rsUCH9diVOLL=;|9nd_p{e0=3S}DzMhUoj!9OXD{TVRwr8J;EZQ(A(OKciw#y$Ij*>G%N}uJ#A=hZbEEgqFFn4^vDsjMm8=! z8hvebC@v~MM07M7YHP4>?;i4a0R;s`l+yqbwFTVpFwR^k!ui576kRNa?@$jaE*wPs ztkpgt=#n^FP(KrzEgD=Lx4 z@H1!fXk3PooSX=4cv4edf&=^Z;_P|SYiKfiNNPcK2RoI62lnCQsnaMguP|H|ojrrs z*ztAu4W#QKVv?*5fK@U=*UP6(Ku;=^5G*#QA%26 zr8Q`5>OoRc9P7|pr>gef+uMnY7cZiU-mYGKJbCJr*-B3DTo;@>WA^E6YHBt06C4zT z)|O`MKX3qN$X7{88G^`nR7?a~Xzcgy-EUsm)jpgd5s?TB3qegy4bD+c7tWqT-kHVds)Zd36tr zAtYc7`FW>t;K(uL=jR(4Ml-Fp6+CnH0vcL7kr*F~aT=iWr;ebxr5oW<;gnM;@{3B@ ziC?7N_)>pjS&x3`VyAohn6`EdrH+Q6zP1vl^2^MNFk>`|CypPZ=~bsNhNFj%;3VZ* zP*jN8rVePo*5Dw2)Rh;Zu(%WjJO+k+P*z-qhNfY*%~j}VYs4{*jN-IcXjqtO_r_SW zwN;lDVb8vUICuV>sdK%K9TgFZcFOJa$>S)iC`L_P6A}`W5JdT#iu(vc9nS|{Cu)aJ zw@&mjBdW++Y%e8IWEndpxRyp#(EOv6p}aUB`%j%mcuYJN%*sS06=vPWt!V8XL3pqq z@=hMYxzZ{uUpya;l?8a=)mJba7y%!8nFkK+M?h2xGSZUG8y%wA+SZI8{`0?J`>w-C zNlrj}Yc<~8x*MspmLb${7;nAyGR_uOBQ`1wr>Te+Dm%<;hJ^*^(cGmyDQ97@yT!cY zt?j=0yF2i=fBz3CuByY5`Ezh`_cmQ)-@YB0v*sCP z{O%9`gM9OzWE&NT%KT%9O<#(hwpzTqX){tXbC8>zHOYv|U(~B|d$ghR(LDUtH@}9t zjHCCNrKeh)KSFPD@7DM5#`-M?jEJKG4`cVvE$EOzVgTy!h--QPbRRUW3&;@J&5~NKS~u zuFdPQe)CrIT4pdip@^s$v^B8-=AEMvOT)bEO!y6VVD08DlwCF|PMyTR{_Lmdhd;uC z1F(PZ4iwb1W5L{P6rDegpFjT!J2SmK#JYIp4IDmRi+k_C32`yuW*wt8u&Ajm#6SGY z4^UCxMvs$T7dzXXo7Q3f!J}rQ3cc0x-aG3N6q&+wp;-Uk+t`2nEcuP4kv)Z@C(mQy z;sx{yJCRpVM%@_4(S6%dLLJVXm5YPyM1TI=iwF*9$2`zJ#~l+koXOZo&}j_2)0Xj--riloy<0eXm1wY#hd^ zJ3DvoLQB6NbvhDU4t)Y+{P+Jgy~_gC@HDLc@`}{ASEwybQP9{UBDXTFC}Rmnk?5t8c#tpZ?5K z`0^LO$ew-}we4*<%HFoHWgPS8Ex_#g3(&yc{?)fOpsl0RHH6`CV`LOPy?sc^nTrP= zdmQ&a@+tImwBg*zqbR;`7Q6NxKyGdhY0O4uv=8!+ZbVR6Anv&5POQA?CfsrR8q8a? zoE}vJJ-T8vSC+t+WAnD=4)e-fMQb;b<}5=OmAsWaeep|QG`r+{_6wg!dPV|vpD937 zdncOP+A(+Dd_4NteaOhoSHX5#bAAS^TZeGpCZS8M40rEdWxwLlbb<%Kz z1qQKWaMgk0jr*Xpr<23zi^yGZH=cg#DSVE{L-*Z}eMj=xKsqqcKS<*mkNY2b2oFE< zI1)kvaBSZZvzfyXz3QBKOYz`CkKprP{5+Bq!|9ncp{}9`c_mfIS+D~0Dc87!WNbQ4 zkG8NF#}4kn-48x#%J;;lp2YIyOR)5oTiC%Y!R_}wjO8mAv7?mt*lTv^F|UITjWGX* z@%Uqp;r3_l#6CKfH2hh+=W&{BII zot>y!XpnqfX6=dX=JnG+_C2z8XMctSYL;b z=mevaw=Q3VNE&U`$;j|1jZrLe=gq;XlZVmRP)m>eEPDG#5y{T}?JWlon6eO0Q5QbP zLpQcYn5gZYX z`1EX?DXc_ub1N$9+Bh`#LuE}Z8fyv>9}|X93}DB)^;mJ!9nAN$_{>wE!9#22q2lab z^mMkF*K#9LvT)yhcVphHGQbi%3R5ZV+WJJwbf!L%J#Kf{^_Z`DXufE&TMZ??5Vay@CMQ`m~ zc{Ng#V@JUu+ z(-=1-nC$Zb#5q zFDh!P&G31_q7{gaibn5f02Z#kogHb0*@kb<>>T*^cVmd<*6vGssl$LeqgNXxKdlIf z;D~SevPB#<(bK2?sjgM&VPWA|IyVPB)fZ7&bO8Yo>9}>_e4IRd!hG5zDLt2Z?TgyB z9%Rm*Z+6F*Tvy(*9MREw9d!)Bfq_`La2C=yYSJFP0e<83rZ1qfu7;i51DHE!Hq2|o zroHQd;V9eLFmhI`MixgEvC(m6lbQ^lK6ExW81|z`Gb1s9iQoC%-@~8(ufM?`{`vnl zpKFk3(9<_a&tixTFpNX31=zQH7fzhX$KsW@A&Wzo9fwY#X($94=}Cy@(6OH$hCI%J z;X!n<=O5^-$E?%{gmU<2-Xjmv)_gR4^1A)Pux9m52tXe;?>~v^)((b`&|_*h^R5=} z+Wa5{D^@N?LSh*99yyB2+FJ9FY-nTv?b^+1G=#=A0OyM;=?Qny1MH#a+ltWGD0)pC z?vvIit&+;F>KtcUeL&7or;H{%2j0^|1;zCbVkeN6P0#-`MlOHx=l>ml|LxCW)!Y=y zB9I<#6MA~IF~op**rA7GgG0l{>y_6ezOB~*tvvW2%Vx4Li@MbjXv5{`FnV6?_2^+a z#CLmFtGVygEK^rv+|2k<7fh(aEV?#SLV0yEJlf#+kw+fGx4!)y{NW${Iez!|{*0Y+ z5MJH92ca1Y@s+Q96}K)~2yH_sJ<%f|WAk0Qq0x&vncz^?(S48O_kZvAuqZto@4Uic zZA~3~1FQ~WoLZTXmV@+!C~V%c6NUA?Sh;F7jcXXj26|9g$WE4{6>U^eFAp>%j2%u8 zLPrPC&pMK~-qqcUrcTwT=vn2|cb_znGR1ZwfS&lAWvk)O4tUe26`HPkyIxd!V9*oweMs)XdqpPC>r58)k*QJl_S#@G|Ng!>NdvJJ+9&9d_&Q8UF z!v|4PQDGi{>Or0!sA*~`nAbJ=7wEAzm91OKq z;bLJahg}UQFDayUjIhDj^R70p{B<=rYZH$UkSx-&voL>lg85KaU2PpI%PUY%g&wD> z1^We};PgctI>sT|&=_(SF2HbqA6h%Qk<3OjpPo=_V;w!!ctpj-BWv-^2=e!%N4pmL z_8-8mom){}--bJuEkI;wh%p4(T}drtY*Zd(ES9gj3txNUb`&1jf{okvqp+Y5FTd~t zic8BW2utpYn?7q19((Lb9N4uT&prP#4(vaOUE8?N&TSh;i&Vxl5w=tfL~v0-&2RyE7xv!rT4jY2VF(`F-rGCY3jJnHKkQA!W1y{;N5 zSvgp?YBAQm^E!6y*n$0fcA=u8OjZX$BYil&cc*z+F*>R@zGT)^pP<)cWhvDeXQpFg z{)nen`ss)6K-t-&*u85HjvhHoSsz7@IuI9s28KN)RKw?CXjq5!pCFpP7^K$}lbC|# zOXjmq&!CP5ucopR7fV|)G&G7p4AN*fptYq1$MY_ttxKyTEHdV)w2PVySTM`q+c$v2 zr!JzQrHfevAdF#tsuw#A8PfN@Rxe$Nio7F;jETgooFt^g$Kc^x7ozO=E^Obr1AAB} zo3`%6;+t+mdU_geT9|>}h9Z{v7>=-GtZ(n7Vb*q!5)%Jd&WWNCI@J*o9);u(U+QX& z*$6zAW$o)~Mt%1PQt9byba49}H(}5Ab=1FI*t2^#JNh%!&07%`VL2A2oXUg$X~(MA zq(x5}b zPTqVOz{&8(7`9EE&JIrbV99}8doFNa?X*%Rkxq#`D89F2A~@_D_YcNW?VXsLVZP^+N)M=!L!%1v(mxE`b>E|A|HBYk675bjKQ|kRk@QAs z=rw7dHGdiA&*yNK>Og5pVe5k*JU8m()A=h%rqb^DQaqN;ZQvW zOBXM}Yz`FzXducf*$Ff?BQtw0o_gX@^JG^IQy;cl#G#;`cx%caGj|^5&Yxp;G|J@A zKiRAbkgR->o|=WMv{a;Vh+kV>LAh45Mc&RT%^Mjo@! z&`^sC%A={J6)BY6{8{Npj|pY{RH3=G)9B*r)i-0#yan{GgDI;-%*{+Azs6TH!|*wC zQp^`f^9wFwXxtwUJ^m@9GuAeM(pewo?Tdkqb{fOuxaY~wV(Ef;2xfhy(pZKE`kD{9 zX`VSFdk&ud^pi+WOG6xo+QUOVsA0!H;uC}gb8~SMJ=j^Zv&}9`=^0r_q5M@PmIhn@ z>G?n$M;KvoSy-`r6-QiQhzSco_PiBXv3MRLDI0B$Jk(Dwn4O14Me~=g#-k5EVD{lv z-N&b78bhwP-qd5Jq@?1myH;a1hwI&}&y>tu4%?$7bmpneuM=3miKwowG#{=D3=YQ^ zzwl)`FxjlTafERgzhKES^J(dcQO!pb*XqHNbWg`s?I)_aEQN`Hw#RE>Pp&7=GNej$ zC0xyZqVfmK_tm?5jPcN(mfBa*+J4Lo+MsWa2eDwf9?=?47C=3$;zWkg*pp8aSA`|b zL9P4aa5~5s&~dXy(4UP(yvUe!n!Q6u%)FGoBV#^b#&|uwogA*v0|<>Ug3>xho>+UB zN^q=@02&EvC4hJvLswTPje+*|)Si`*W@sj58`55)OlK;GMnP*)_0>(K8`C1@wz!Qw64{FgAuO1DVhJ^Krgf*wV*k^2&2@@mpn@bfo8iq zdLN{rL9w@z=rY4K&2NT1NN(A)^^Evh|SH*Q#m;PgfK zy{~^B@vKK{7%wkTpS>71Tg_>RX$>B=K2dvry7q=09>6$xR~*Sh-`qD(N*P~swn40K zedAwxCEFaTePCJ7eoSwzrKODI35qg#A7((Hzc2c09ZNZ6J+fL}(a8C0lDxTCLU89V1>=;5OX7UhHP zC#u8V9#nR*yPGoMuXN10pXiiERO=EIS;zG>qAIN^fDT4eT+1NRnz;&Q86v5sRmpaN zO_&GL69Q4|;i*$VR$k`Pg7P%+NY~a2UW=|8r@7>{&g^TuJfbC@F41@8p+j-`Yo)Z} z3KKk7S0-PR|7Ec5>7UK7$ydB7l)O4=D!NHx^XQ`K_NSN-sp$Fra)C*~-He#5mS}=Gu;@YyPu&wZrVZgbDs9=vem!b#fi` zmDu?1YdBF z3O6y8l`EZL#c^%Job%64#{i3zsSMpRR|d|s_PH)iI*(9>yibL_L|?(KM(#>G5iU4+ zR2=6u;XD_tYx{h1UM8Msn46dKxA3aw zyYNSU^ru*|XaRiem&0th(z#A8*mPYXhOVy7C4Z?qHjj#H#hEN4o90AX!RC>NMaoIX z#4u2FUwYFiIdkyjXTOXG?_7h>02)wR2~}R6dP-}vXx-EKrTi!H;sKZLlZrd9f=(uA zyYe-%cXdK0t->bfWuLq5PJ*J?^rRCLG+b#6{f`+YIu#dmZ68;{6|JQ$?3obzATSJH zQjKXbQ9#%A)nXz&4<|f@%>?f^op7aeHf>MwrV4+*xZ1o-nCtvXkn<87mx#OWxd)&A z^iz1`;Rmr`-W)Sr_SllI8lHLg6gE9P)6ohGtslMh-bZlzZEFx6uA%zn24%YZtb4AD zYmDjgeLt}2T}zrDWlVGwF4%U@wtdsd;W8ttM9zmtHUalcJ`7x`Fz*K+l%_40nMlWy zqwC_=5FbQVCKbybsCn;@F!MW3PiJDv;F{xF>xv%J_#h}S1OYzwhv}{h%U-h zQo3nfUKKtHcHvs!gUEHlh+e6IT#w4TYN(>GF&}1Q5|Vts3Z$tI&6jDqX-XQ(f_!U3 z4L#U$x1_@l0n68#4iKZ|G&JFjVZNz19DnlrXHopH~`p6kDAsE$cY#|>!@hH+Ou zI#>R#GP&b@mx(ZCvHq?Kl7p@PH$ogARZNn)tspk+YiHPp1rrO@>|t zq&Oo(Lnt_Z5vApo^oTBb-!p|2NAJ2fHaDAB9jDYIDt>EYEzX}kZ`LAO6aH2iBwJl; zqYC?B%JqUMo0SZ%b%9p{$)~=q8dbG*u)aO@{&CF>kYq;L>5VQULyV!Jwi4&_E}AcO zO5BQK4wj=sUw7^7nwZc1NWzp!hEcN8F^=~75|kF4HxGB65|qw#c3Q6`PqkzHR8U>? z^mL=JtP;J`>97YVtv>19*hu{!yz&F*Uq`5nS89`&8BuqL$V>=*5ZHNGhZUymCc>yl z+H!8+!Gl=4{}{Rl^(q}B+K~+|&0W~X1W0UBxc*49v#TAiKKm@zZ`x|MhBMxaqnOS# zCY@WDK51NESB&>IZbEfahaTZhx^Ev^(o}Hb5T5(5=h4{GX`d< z->(KgsY+a!Oi$Kul6)q@UCg_Mn|lgo!v5}dbhI{33`Zx$Q>4r2Dw?(r?8DKc`?2%j zG4xXYmcdto%XtwIbI%cG!d>wNXSliN7Uqsg_w0-fEE#Hxy1MF0^BG|+gFAU}2cG}M zOK5NJG;1VfjP$g2Xo%%Fv=cjyoJOCPL>WEuoVR>*4IyX>S-!YVz72>rw)}yweooVHfUY=IAV^Ww$ zhCWjGuL%FwoA+A~rw0g7E!u-O-riZnE;HG(5(>u5)F zN0(V=sI{Q-PA4iwzuJG&MQ7aAIM|#`h3gTpUY*olnMQdSUp;z#O*NWYT1a1S7b%>X zGl`Zq=$-zNF}ZEXn#u=^;%DBb8bfbq zJM*f=@KCQ=Zz{T?;YTH|EXu=AfA}*hWIbbE4tbBGW5Y%k+8b4#t>KeKT>0p=(@}+~ z@hF&O*M`=TpYD$-nDK`Pdr^2|2lnjTgpO_+eTK;?)uDYNjhcuqX-&|jY|VPlu~GAi zYHLTQSwE;~f<$lL>Bp!^W7gIZlCKu@o4qH=x5{gIRg5noseU2;SdYBan?c$aQ?fH} zZ}GnBPCTjnTGJ}}Bje25&@tSae6%FCp*kP0KmTLY)Yh0az+Ln<>#FL_+ElF*HtCp5 z-@TtbcL|ox$wG+sW+iRqZPBORXu5^*tbC<|R=I}xt5=VWCr?5$HsaNiksi5Uf}QqK zoB@_qubNu*qkDe-z8IrU4)VU%tx6O(*LMb}wi`owPR$Uo!xrh_$zoovWZYZDO!67uYwvt!I zC6A)1y0Ghp&4OiTLM0M0{;6&yhor<5+;zuINQjFvI-xSEeOS6`z0Pd(*QJXi{8jxc z?nenKizk@6b{$U0sM>~g(i=-^)Ox67zp-Qr%fwm>b*;C;Gaz4sL;Wbo&o_HdR&b~u z5EzEY$WU~3HskcE(`H}C`uZmG=1N6nCF(l+5$-dLijrb9G`1loCI-PFL1uff{0rxC zhC^n3BVRknNAsRGX&CJ5K*7bc=AOQ}-Pb>a=-6oV_w{1$_8o|zBCNUPCWNwqSr|8K zW6Npu3JUX4SX5*btiP`lr%#?FjS3paK(nERj=i3UK0No|z)h=F;80 zeFzN>L|s`CPMj-5T1E=$Xt-6@kcdcTHH>YW-^06`H^nuh=__tpuZ1V8mj1BG@zI=x^$w7~Xf!p{ zV$-{?;N*oe#HVH>iuttDldfesOIRkopy0>!+Q(IUj%qK^CVI|ctWRHdP(=k7&_5Q0 z z&4g8z7bCx*5Y6q~?9c{r;rv+?6cn4czw|A0ty|Xm()LzuFmjx6i_yX%YeZBe^nHFQ zkQ%Lql)JZVzv zyn-EA5%S4XA7vF48)p{8ceJj@DVp255E>a}UN7xvsx@!BNKY@E&o{3YM^bF?!t4&`eoJ(TE1n1Es+W2t^cS+|=BF6UVi` zXc5}Xc6>3`ey#jxi~)70ma;#=_ElL`gKCzmyr~^)ZeEG_upl(nmh;{z@?VOsp)u-X zC@L$f%xkkz;i2Sk49#`axz;YT8z!J?FfW zC#b&#Y|E;LFtc%uF#y*Q>a1q^#*$zgO6MC(c9?1BSK3ch@8MeB70hlw3bT!<5?pg5 zO5XHl#Id7C@xz}yZwy*rZ$I;mL!jR$w5kN7>?~;kLO?4&Q61akdFAM5FFdJ7B9WM5gmQQ^iC?U zedjhrC8i;Q#`n;!JqSxo#;v!kHXDWr>M^%%--#bT|B}hSjE3}`weO&;ycFG?U2Iq< za9A6YES!f{dIm4B@y?x>gN}wW{QRf?iNfj@4A9^n=8$slp%YlSbTN7wYq5FfZg9ZP z2GWV`JGP>txeqxR$vAWTAeHt!5?Kdx=gdM}e4LTHChVJO5MTP`k8t2j0ln`LbdCfd zF*O`Z!a zVBb#EwsaveEf&mh2%@=W) z9h2S$I&p9pI@z#i(enyoM<&D7+t-H!tZ!}B9G9Gm+4JV1t-cI9_V0sFpdUvtZCJNq zBU-wBkeL>Xqx&|aw5|map@De$C*Q@(?`$-kK}AIgJF{I#%AAL&P(Qr$_Ul-;X)E<~ z6lc$!#hY)uNv}5!(cymh>3{qiYU`WLn`1%#G6C)9?X zj#lj5yBCf9KyGRb^7g%ppFH;hdIm>OQ&Wj88`qotM6PYz*ycKM^7IL`vFCd5j+-&qUXPbwegXOAO=xef!J*^F zjPXByU@HzB&%@HCi!d_OgO{G=$f-_Wpctn9Z^yy~v(V1A@Si^+-J&wnDGqcGAUP=- z+txOQOYX!oUwwwh zS1>Cz6|cXsmOXZ>F;p79UK;GkxR23;?8TUWBp!e4QGDr(Pa)F32csbgc;eGf;R}!7 zhnDj5^h{cz&ntJ*u=aL#va(L1X(Za@|J5&j0kp<3FfZ2 z1GnCOyV(eM)2>6PrDvyyajL7R$S~Y{*G*WlI1`_K@)4vZ#+vuZ!|9bh{N!iwxu-vi z<=O144sNA!(q~$F%-)$p9Ok#THzG1736Fj1X?%ut>&GE;!I@*ID$U1{eTVU>PkkQW z_>JGh=bwHGgEV^DPO-nE39Z^McHwe7@bF`}<@S5%4F;PArYWB`j$+H7B-g7^m zc=%StLen0-MpQ;}IzwrX|F0EfwnBnK zaqCU1uwq_3D|REjzg=iHD^eCL!HVSzkdlx<&nzARK^$t*`&qE&7G&jSA&DMG zct|ulOB*rBA=r3q3hui94)(g4$jMB{n%PMht}CLa(1{Rwb`RcnD`sbAAe+b1Sy^b} zP;+R2%1k3FgFXo?s@@M?wtNXPGt!aHGz*u^!|J8;k*>`;lH-sP&N2Kb-7YGE-Y=Gt z_6!eUu{JE8JqwxXnOL@TIZ~37%#f39o!&q!a>8ykK^lD@L z`r$|U$k3Uci|EDrv!l#R(SDwamyCHaAqXAoLnHa@=o!Jng_L7Pn%TG`G9ntp9f7+7D$!nmv6(I9u6`tOcu#=bc7fxQWIvE1I=4q-_xcFgw@! z`mSEgU3oKRanzHZo`v}fZ=yaV(AyeE zQ+o@Yi#qJyz7-ocZb4mh3r0qIkdT_gan2adoz-VmE+9BE0ofS|%#%7ST^$-hZPx(i z-h4Od&P4)sH8wg7gH45Kt}4QrqlfYC+wb7OF?!OYe(cETSg5EH+OIjL^hDip%?rzV z)yzP~yoLDAAO9Jie)MjfJ+cuyIpiJp2|#OeJH4b%GwD7|#U0hoAVfg0wc&(}uzGBL zIzw7F#9p+iQM-AMuty(4W9KNw=sEiM>YGIUsA139KQhAM=MXx2hY%E=z{W)5H^O*k zio(?*3DaTl2=KEz79HBifv&u{uMquH8vEr0a>QP_wORW~_M44Gn(AxN+tY1^Eb=ZD zYi!JVS}LO|#TN9?Mh{u^Yu(h39yZY6(PL>RJ-ufxuS;76Y6I&)dJf(6eg_8!F~lKD zLqj9ID-Ji55A)NWtTyD>8t0ZYW$Z;`gaMl0Q#2o1Bb75KRGWzeF)wYFLApa6(l^#) zjGm(}(`tREEgM1Se!hXY>GnJE=YRg^ShFY#Yu|jHL*IPz9f|s;4s@`=>H$L+JtY6& zK(k$+WT|lRFg7X!#JjxKq3GfVK0{`c4h`e_>AjAQ z43q8%hu$%G{Hd?tTlCa5h4bpGFQC1%o&0OF6dF>0A4G(Vp}&XvNZE~!45F>61s&bi zL$`5eYV84FK@U@PIAK_3Jk7W2L7o{aF^w7in!DPX#7bwyl}twv77>X@p8690=nuYw zn1F6P_tPJsx~kSZXf#?Y88hoPO*8cLVX(i~Onqp+Up)Ew1tBGK4jz5tDSYj#U&r74 z&Huw6|H1FlF_^>A;u0L;aQx7TGgz{MBN=w+;?3y4*ynG1i}s$iKFBzrWl!wXVv>?@ z=iT>lME7O<<~M#DfBmPwi=}jOMzm=)9S>8sk0_?HdkVMjU1mg0Bk_Q#!rwPcU5=x? zvKHkvEr^JYM|7~SS-Y8x|cy zkesCj12kj-$j+IEg1i&hzH2{DojQf>Teq6+*_O^qA&p@K_*iQaEm_I{+F!aG~hON|@la$3_8p>8PLg{CRt%oE5WMWpj zyfJowGK#do>eyqWBk;%_E0BNk5Dp(cijz#gVe1}5q%TBRWH_CIA(oGMiWlaoG)A{f zVF>=pAp3+wqOoTf2lEOzWbS1!%QT_?;$7*idN%b!z3J;8#D$^?QwOPuDOw=n(C=}C zaip_sRyrE<58=?kqd3F5*|v2%np;{C7#M_w*;xo4=s-&wWz0^M<8dU$MI$yY4l7o! zMB&A=IA2_arP>}coW7~#Nd6WO+rE+3WGCPd{cp zBG%X2haB=bZ{BR{J#JMd5AAdx86Aze+3EC3^aQvcscCFj97>JTNNL&C+=a^!78XVy z(gzC`E#%NB9bN^xrLm5NH{X28G9_y^ zKJ%$hBQYV4vM1W7bH@tBhlVnw6eG!xxIe;u3WB4kI%y4Z;2+NXc1@j4T?f z&~PNCXzr_qbPHG~RftN-!Dl}GDWr<-;1FVB6U|pg&Gv!haCl@0=g;L~@4nrrtf|M` z1xxYB!}pV3CW3qh&6DjC)?x1eNaxd7I5)?5cKV9tDtb0yVL@ieP7H^Ci|1u?_)2~$ z>og8CweP7`5X6QDv-}sS3#BNhSEW@9nVHr@7#Tz}R1FM88@=B0s%oTX=O88`obr#s z(v{1p&q2oH3XY98ALi50Hzq!ropmyY*F#9lozME4#WMM_f%hPF_FP^sMp{xb`Ol{( zSA~I59~6`~VgBOPn3o-ky?b}kU>9O|JP3C`@EC{ZxinZBWpD%&7>uOUOfw3RKC10R z$0p-*U-$xt;;d_yH!L~@v**q;`AIrByw|So4U}0$(+P!96hujCr_P3Yga$+yze2bSia0`ohRP> z{ezI0lnCE}cJsWTuAvEu8M&Cl@-AJvggTspP~QPuV7(O;7o$-Rf#`+C#Kgj%n~UT7YC`MJEhYl$26VCh5M3Qzs8+fT+7r#&F4jFiy;jb3oDHVg*(hX>7a znL!%$mR5Rr!}MnQx^VvRR^*j8<4^zmFOd`{Uwnsk1R1EW_jt zN>TNMTnG*dG5j$a8+o7gfR1&hZwzS}m<)})u>OI;iM>&^_ExhsA*_GNT8qd1C2P&| z@mh<`_2gdlp}Asxe<*}rlc`%1L;qkN7>RDA_B{2YqO&73@+Pk%S|dC>Vm3iGT+>LY zyqXH}@eO3S@*bmsqdfcr&77o`ZZ$Ty8kttr*5Vg0uf-Rh`EPjaw)w2zPUD&Tv0U1q zTOS=XOt>J9ddW|ptKsTHHGRZ-mt0K>IT>SSIzgi) z?QI(9KW@&0f-bEE)yD?|`~!?PH#Y8zAkx#rCABMgvvP*Cib1@Iwv4SV`l+A2Im+_%$~qyG^(-Bfz369Nst;WcxawR8U|1wO zW-ZEZ@8~dXS@|ivmQK^wJ^S#5&wUP=v_IGU?J<(m$n{$6Cn{)K<*N1*)wit`rpP+3 z=YFC_X;^WBiKpR#s#=B8J^eCV!v-r%23GVmXK42lQVr3WEDR0b%oT6A-y5gW>YoHH z$hcfm-%D|=%5~+%Q7UZs z*E(^P%Z5AMOLgL;V?p7P&1HO8LYk-}L&ufRrMNDBZMu`{m2`ATnCPlQ{fa)rojeE= zeCS+sTzOda%1c*0>z_p^~rKE5gqkm>6{(M(s6TYFi|E2vK+RCx~FrN!<5g?m)R+6NxM0OqH7f=Um+PLZ_!HL?;imF*_wsv6r2F=@=s98X z;-OGGFNFyTvy7hwDT=(8`1DM~r6$n>>Ol~_j;Fu)bv*gdy$GXcIYw8@Hkc-j=t~ie zyd7nAg-w9x%GSD1Z-a-8i8QXmqRsfOYrFi`gA}VQ6S5F5;(_OOxop_qa!=`aEm-j;mq~}}z{tP>PrRA9Mh3j8e4ODfIQhAZ2a}dzj&ycf6K5jKn$wMp ziAV0N+1JN_UL)8#aV1=4L?sZrVr&8u!c2&LP`KwYaqS3qM$vs|nyJo(>EgM^wc!k% zj-DXJh|ijh2cLKvU;o$vnpVy~Nsmq=Yo>yFFlPGEAL!c&2ZgCvv&hSg;mwq+p|4}udg6y6SC)}@v%Z#WeNC2J^f0W=}u{RnL zkCY-bBplI^F^CM)w}^b%A?b!Czbnb`!zjZ{`1<5Q4cy1Pfu#Asn8;}JnyKbwt-Bvx z*!B7AP^Z6+dZ#w(-cF}9qV9(C!!}aWf~;BdIM$ruhXu*V%#~_Lsi6#6F>>TR&Cl5L zukO%&ZBJ+B%5JEb$EW4%6AxC*#ITg-QY}3cl)OHQtwBvxZNNTEfEVu@raeoJ4tTOJ z)3zR`;ruA~8d?NhUtNxt)@E18hkzf)--@-cn2+2#V zsQv~9y3yL+f@Zb@9ePS{9xQpQ_I<%_6VA5mJhw4nL`~!Vkfd!Z>Lq10p_3|K_nh3B zxJu(6V0MYw{OXUff8TBljJUSCbH(!n_xuFqE*iYthluz3%pQY<%|}oH%<{?V}z6f1L$5R*~(!%6>9%vE@wc_xXvgsM<#rmzA zv3CDS^bQSMdd8d1)Hcn_!gWmCv%+jR)99bw4lm_z9TUtupdfk1LxbJewf-gi%lG~f z|N3wLhJX3jf5WCt+s(2*OP?;$n!pq?`Xs`W?XzX#e$V~-GEdZ*P=|eey@V{fS`VmC zXIP)luv}=r01ZhjKFsjM|I!dj?>_6*80}%H_xeU?!0O8i(9+aomSE`<3i=MbC!VEn zT5l?&q0%cqlLr+|*9zAfM+wG~ff7;4cwdH5ex&i{{I$QRrF>fSt)&kQ4Na(QYBAgJ z>2*~f@+<_0gdl779K^=Nnss-2|3J>5xENQt_1*opYSdJgK%27Acd+skPmZQ2UL*^p z7oSXN)@llpiSksKc^9A8S~vOLyBqN0#slaY(CeYyIK1UmY~TD2x@b&8LV~P?)NzTd z1APzO-z+p%J!oG|?RhBb@AmxeiUwG z$F!#YBxA`>a?qPxrp_2w;gqu(HtSrpco-dEIGamQF|>FdNC#)YPM3t?;h(8%wG)Ef}t; zu0ml^p?NzZFd&qS52LoW$-H70z)J4nP`IJK5y4@hW>@&8raBZB6hM0%YEuh;4CBI) z9q@}vMRaT&s;X)+%%N&{WVmVQHng;)xvmDqB_-xHw6?Ym1hcF`fdOX2;iBR~R8&-& zE%UTsJ222P#KQxvZ$b7$yAxHEl`yYTbaZqfDmvQGZ*HzPGO4bqH7^`!56D*X@Ux#jixM{aRSU8) zHqeE4U-&5stC}%u{xU>I$C17-Vxq|x^J#5uB|ohwEiOS#T`k6Z1IU{eRr{c|sTKvI zUt4Poy`}&Hf`dSfL2XSX3JQzNwr_gnv6PgQG|{2S?rEP2+o+0`bk@9m=Waw5$u^><2V(*mQ7yE; z*87R7XFi*E8bA8!b2Nw*XklZEj*drNO(}l-lQ%JI_5#F41>)qkt$6~gEiSvhd;;i;Z92mi|W5=*({{ebga}ggOC+lg-p*KjjZ`+6? z$4}7MRAJZ7?dTd0LtIQa-g)~iY}m2~t!>R{=ov+JMh1;uh-pk6Z8doP#s5M#!V#Yk zjU)Ru3%b(%Y*>k9@D96D)dytS2kKT?3yz|~B=G%wN zq!JkaZLh6@lkpdKUYRokDeGCHC*$fwQHxSh8dx z2D+Q^;?IAGy(cfAxv2r?P9HK;7xT4GYD+DC@!~7UFVe=)-H1xfL1J{c94GUp)xllc z@Wy)^DXYaaVu3hya5pyW*oD;Oc!_Mv7@WRWlqp_)x{M92ZDG_5mE!ehe z2l7kGaP-JQoXRi9!g;gNQD1={{^V!KFR!8j&&Q7czrFVkvLw0hJHPF{_jbJZcE_y4 zF1RFs#bOD7@E}Bjca$jIDJa8>3&lk+^v5wMP&(-pCxR3lA(8^X1+dEn*8AP@-p}+* zk8d;6-uv$ReY0Nnem9Da~zV*wjs;pOEM*l<#mM&Q+7Zi%K zv`snYT^-H%ezm~^}$D|U%X1JzYJ-2 zyYRuD{kXt6Twi<3Je;4EorWL(?f<}wvY$6wnsDUc2iSMy7*?)ci{!~6y!6u_;a6{e zgqtG%r%oQmt8c!Ag-cc-J8cSY|LUiB^TU1Sb>M^h_h2MB8};=yQqJ&m%CkhfaNzw{ zk(6D5B`a1ST`q80SveS!^X1i_|5)nzeKgAj?a;w}QqTLaXxR!mmxl1~|HEJ4t@n2s zL#3{+*1Txr3iQLworov})c@M2E20m~e4>1Z`1s+&Xl%HOEsyNL^UrfW%^EWstA2}jIe;wE4O4QYH6W2Qjkk5%Fh6cg; z-k*K;)A+)dziQq9duR7i^8vA&QvR-h}4!-pH&q;6K3NFjZefq>v9KYI+&wT!?_~zHYjtwgoqV?Kk4E6Sk zb<>D*&Fy$(=MFsgnNMSJMKO}3!LjSkS5X%&suwG&6=yCt$wjXVAMQPffuvlt%LV71 z!)LMSiBIEqfA^o@Yv1^~SYm_t$9IpQt#<$|Z8y;;SNU-^V%dG3@J*6NZ$DpY_1Yt^ z&(}n-Ui#TDv2oKQ_$UA5_wbEx{x0S(SZF5Xe)^eDZN*o=@?|`>buCVwJ&xYN0kJ69^AZbsd1rw-^MpS_i2>o z<(OA@GcvO9nP;EF7r*p1a}vFGX&8TyW|4ZYUUJpYkvbC{f+1GyWjjKo_u5z`r2-YWj%^!u?%1Q;27#w zZN(E$Jb{X$9Q@=LFPj^e9Imm1>~UH{vNDEUa*_Jp_x?Nn^1I*1q2rCXcJ&J0I&cQ- zcYaFh`Sar@$HIjRy~J#y35@OO#G-o}zfacqd)Dvpn(AYImbyL#}}8}Fl7ER=-{ z7NDZ60)+)d=4!!rm{)KP&DvUN4D&=VY9$@M>n)bE5h3O|D&5lS_~^ZN@$#=<#kq^k z=x*vlepV))+PVULmk;0rDMzz(aZKJO4n(ALuztk?^jtqDCt?eRFJ&A^6 zyHF~^kt5wR>7!!d#%-vRlb8*YlT0+VHks!G&W$Z?V`cB<_2$_?94FYT|gwq7n&CAfT}1ATqHxNznqUY8!k z>#x3!p;68{Hg4K)fgIzFk8H<+1&dH!yF`vlF|N0Do7W!mY8GSj`c+sc`@dw>dMsJG z0DMb|y^Cwtu3_H?@8FeR{R&4HcWy>2~f>*}RDFD3vRoHC7H z_qgsC)>%dLZd;(!@R&=dZ29`F_&5LO|AlR97U0!i{0-iE`vY@QC#TT#_GV2P76CD{ z4zegxV&23V8=o}eP#lw#K;Zkh6dJ-ZCz~#CXux0m_(8av7f<7bzx^vrrDotaKlL28 zY}hC#=@fGE3h?}wzKQ?s559$o-X{F#zxa>1DBV4K#ZS-3!LkjHNcSiSAH4S#@(OG5 zI!L}b3~0&tqOTL(f8fC$5+6li>WObW)+!FZc6 zyw$<-P&KC5wX}jEc>9rp4PtTq+kf@Hqbx5KfAv>?iQT8JBQ-q-H8pkEwta`3JWt|V zVsZTLbDu_G9;aQSH6NPlO%h?=#2)Aftk zvu`i5^UATPuGAbOj%N=KkDAPB@h2ro_~IOM6Qplo7+t;nBFaOi%$z=t!#^&}!?aJa zz$RIr+!1koeVusijeo?E^Vg(K9>u4g`UFY~VyzmOLOXlHozx@SlT)9*(QY;&9Bqf>2 zw!L;CdGa~p&@o{8qf&O>j2aplG`%y4#L}RU;=6G(9((i&eCaFS#2^2Qe}Vd%ax;Ws z;xm5Ln&{N?3mn+s=ZT80=ioYS|>utR#uB^kR_3JS{Hh|u~KGQH6pZ^!+m!L8?6MOa? z#F7WOtIs%FZA z44X zXvJEj^fu$2mw$;>D_5EEriz*c80+i8uiyLtryCk@=JW|%Yi`DGKD`+w1=;9tx`vNl ze@F6q8>dd4!hr)HVPvpf1j}p4BuxZh$?}D$DVxBXuf1kIl-D5EV9(8F^hh^4C8q#o zWhEHov#_#T=8nACPpMn^dHNFkE# z@u$1%;D>S1Rp%u%!X-eYn?@ec$`< zqT%8-Io4??F0DXOZn~-4dg*2_UN8@f7StgnbyB+QAL8t#>*jdcCjgi>XEb9QIX`sEz^)$8v|J)e`hJdUf<7M^)*1B#@llQhbUEZdpgeESwV4MDbx9ZIq#1V{604-H zY91c_#3xZbZxK4%_!Y*3=1wRdh5euS(Th%HMQP&5r+q) z8_PSTrzBqMjhoWhPnEouVcog~(lFl_w;NZkwP5x7O>!mQf!xrCv4Hc)76@9W7| zkz7Eop{jlXp8xby=5r`~Lg4U`!?`Sh{Kr>gwyH8{LZq3m2ojsL*^yw@FUE<;$ha^QzF_dKJe`oxtVG zS4DhB&BNx8J@y2K`)=SDzkJ!uSd}donlC>09F{McFUQ@p!U(OOQ-_b>s-*X=Z+#QB zRn=m-XQ3c{%FIQ|FS?#Ne+lyzuf%7bc^nnR`ACrq+2!-6aHZk2Sa~bKd9wU!p;;pB0DPs zeM4hdwtR(|ptxTymi=;Z+puy43S}FU<)>PTN{Wy=-h(5@T{u7kOxpxHxG+zE97E6 zVV)LPuwWrpN*bwSz2-UH%a<>k=@ogyV*SQ#m{(tetO+^Zl7GYb3pjO_^;?X55x(8K zKfpvr5$4rYf?r?YWtOw&x3^wLdF?VRU$MeW>_J`3mWz8)Iz*(8kA!*=);y z%*@O-&k6D~x#Mzjb#!zZ%crcYT;ffl?Pfd8G8Bsd@v|2h5}uFm42wXdr)Qa`0nC>o z<=AkpNjXDtL%ORYw7R56aN*F0c;&qV_*eh#-%IzhOt#&WE~)n+K0XVZYPzxfC;!O> z?ds)=_`zTP6()+R@W+4jZRuJUnl>>$K7`KB9`K8$d~}Il8Yq;yWZkiA+tba@pLp|P zX5~tETrS9*tCXJ>W^I_`BNflb8wB`4ZXcZ2Qa&FTsbKzqfVY%7vhll#)IC0L_F*6=rT3jIQp94!N$dcp8aD7ro z{LDw=l$rE9>dVcm{_10-si!YPj8P{_*v3!v!t|a8?3SkbIv5CWSBW! zy_28y@6Dyk$N5;#DN@h;JTpJ7%unO=_79jx!uZ&jsnd8tcAY(sxlDy;b;?eKw`R>6 zqc?=T4^D;0U;5dp@TeIxM3jLjqIObdMzA8vyNP#8L<#+whk1xN6oiUz{Kb!ALT}To zWq|_EbyF^J3`c*)@zU_RPOK1y;dXB0x@9_DMhsad<;$S$|uWAmqP@Shk4*RR0K0-DREg&Z>lgaFS9OjEe!5GaBj{T z<+e7)-dSV)$KkJ<1$lku5J1$+#{rizuR&2hDvroE{ z#f!G$pZ@+=&4=@tAJbqQb|<-P5RXfZ=kfZ>|A-S}&3)sa{V}#~SdA1BdJ|sKH+95i z3G0=a(q!w}yNH|pFnjN%FaJz)#at;IMAYJ?%W?98>Yc?(i|soCczNq!F>sB{HKxqH~Z+XXNHmT zOImiF^%OTqrLo@cWIj=fD6LZZQ5Sp7B=O#SqD;$*=yc0tKo>Vr>+Uwpg9ndSL>A77 zQ79iaYK|kB?*)an6PAiX!=2)38GZ=O7orCqn_`mtp-k3EIj zs42U|VW~{HOrBDP(4Q@X2^&h^ASd|*Z}>=F9FL+zU98@L@kxB)tKY!-l}nHk+9h*bBtITsdrbIiwz2L)<>W=%x!Q3Bz@9EQ6^7*$-PE zHXl=~qIO0Pq#SUy*J=HewRT)hR~{^r+FQCed1oHS`kI#PdjABfo( zNzY#qYYv%(wL}AFwzonTBzW`-@_$$eE4wTkD?;2{_h~NS zZ{-p4xJ_)H_pAPSqO;NDN|BqHWvoW!{u9*JB5B67h?2N!q#?ND6am>e<2WA1=k}(=%ZydU zD0Eg#nBHt+z+toGROZ3_#N#&WmB)j5a$JVLclG#4T9MMDzum_D<<*$Krd!IB+-#En zShrG#tddBW?xKwoC0sDJeBPMeY;|DD9a<)4a*dEB@gQQVLki6Lv2_%A@05=dws-3+ z?m6MYQ+!tZi9I}UKzIcGL;c{Wm-Lv-`}3zy9LMp~d}E^r14BdHV!}p(b;qu2-#{Pu zh0gF()raIUGBSjQlP7WH$Z5$>y1-_@f9_B;Mn{Ly+}U?U1^RFe}@C;b@a_oE^xw!OpZ*{G?B!qM!w=ub>u>Edj~Y?1rsF#KF)IoV zKNb7RE3aVR!DHt0v~C!d+>}YYCML&lVE0G(vp@R}_|f0Lh#MV!W=cGkXS%#$`xg$= zvSpz5UcY<+fBoP7vw0@gyx|lQ35#17{PWj_U32rKsPNGoPT9vdXl}tq!|!X$wvj=T z7a#rln;-l)y!ZawQh(lCFN8Oo2D+N1Zr{MM^UdZhEZ&;-${|GAM~mH0KgM6uN={7^ zYf|#*X*JXLU2SSMcl0GdVEUZ!gk!fXK!0Bke)e}iz^{Jwk~wz%db2fS^LOjVE_vI$ zOJ=09D)Ehb%-vG<}_@a672Y~ec1Nclla&Bq&Ha*Y zsaN7@Og)75(<=wX0_g4S!;zC`(AC{*ENMO-NRO`L5>~k)qBk^ z%~+2=eeq@N5=(hZMAJjcBf>bw$v57A9q+&Ss))~^v4D>pI)p2iub8g6&BKUNaw;-2 z(vh1f=}KJYXUlJNePuut-}m=dQIrzt2Bo_@MOeC)?hffr1q39PrMqM4Zl#fKkd~J2 z?j?L?{XK90?{;QqZk&5+&ga~7S>>=6BYspl%r{kiXGwAMdZ5Oj<>H)-M%z)&Yx$8J zP#AsZ2CwB85D4dbCE9hs*7j%l1qoSKjalfgUru97=negliN>lg>VxEH_wruoMbRY; zBy&y5%m)=ta_d;KNLKb(mGBi`dcXL_c@Lx=i3_spYfK_2?9mcuVL{Jn&m}Ka=t9b> z=*7**?!=lXSEz-=#!G!$``)k`bPKvI$!71Mi{Pwy`<;m?zKEe_LA#ZD@+Oy$ZoE9E z`9&BPwq;-~wNMMDIpd=~yzTd&bd8V5_!I?*S)B~!#xnP}`lUbIhOg~kkyIN`JfDg@ zI(Fb%V>4>{)(1`g#bC-ODi9S#GUrrx$5_f(rlO`75HW(g)Vgk=aXSQx9dG<$=tvRT7q_#+}!BY{%of} zlwSzDH?fNMyF9^?@H;l^Q;}0m(J!o;mctEFt<;pwH-EtOo*vcf3WQOs9h4`3`r*N^{NwK&$77sM4oB@MM&Sa8hwZ0zLoI^gQp z+*G8+mzH(jw6C%l-G66K3AePGNAXbK(=V{QyE|H}=Fe9PbmKLB z7dxlRCx73DzM<&qWl|g%X6sGhUO##2|NFIjXZ+7)lk4qio2T>cA&6PGl`!>-=WT`2 zdU91Ogi1O(^;LqJtGtR~M)XDK&3eE8g)b?;A97@J)%%8OVurRzAT-XWqOKW?x#ExM z*nU+R_M2L+bbC#|+dIR0uj^qSo7>3tC+5?(V~y3SUxt7$@?$2FcC{BdXV2vN;Nrw` z@X6yN8+#J?TVMpZ^;GN$wdIDQ?@W#EY&+fY&*T-!_SKZ{XOGm>gywr`6+^A)vs}N2 z-B)5iS03+y^8y)K-{0N5p)omw`Ir-*751huKA#Dv_!~{JaXQh>?`F(*O)dhZkxw=; zEgm0P=Mv@)V{)kl&Qo0EcPZphC&0P=Gn2hu#MTxVZ$(o5`6hJo$nkBi(Ko-E1;5+j zITaP1=*ceT3=v=A)yK1O6`i!u;i8+h0<9JHXsZN*EwiVGyQ%0OnS#!wY^|qi`VKbn zf@R{~I#?bZH?+E-FdsPlG$8EYeaUKpd{WBUq*2E`Yj|1N#N0~w$>XkL&B;&E5~!s) zu4Ybct4x&tt}$8ynQk$XZ-v)mh1Tg<=x1O9xFM;qGqF5A+sFO}rrTrB4rn)B)LLsj znp8vl+iXE^ba^d%N##Y2hwv+$b9@HtLR%SGHGwwH=^(>%(HV_ zN64;WpLEMge|yj?=cgqdh8=QXYc|uTBXW*9eP?W|V`aOdR2MO0$32HJx}pB7L#_sn zQ97F@t7We{lDOmbtmPJ`O(!Ie<1g4oPm?<}Uz{sjVz@h8BH(}klnbw8#nscJwJ6jQ^sb-T!nA+2^;tlph#omQ+q3Vvs1>u+&JEbsO3~Ek{ zUQh41XZf<$wBvMqDA3xr!_SX(QPMZOi>eqn!Q}39+=GIyV4mZ5rKHZR9dM*98pN{r z9h#WwaQvnYt<9U#GN4^BEEIMU9$4?Krn>kJQLJK6oUaMb+jBmPloL2T1YrBp4~A9l+DYjsipfd}0lD+g50mw0A>H>bv_1E0!kJuV8X4&s zt5~eoE}y3v)-?9hL}n!yj<~+2)wi?n78qk^rR$l$n44fWb>4Wux~w)8`dFTT@d8> z4SsB*^p5ARUZ97UkP>WQV3st*#hGHIN{_rCOaJaD>8to&s+V&Z2d$l5OzXT@GOnBg zCqTR1JXqU7zSl<|((iZSy@^Ng$L5Az>Z7$QeSicOk_g%Fx&x%vjuZAYAE{qULQx!8 zC}T*?_7|31f4915hE*~$p?R;a!?!%}Ei`y;H_g&(5-z~3MgiyH#9!QY8}GCYeLgX# z^v48>yl)H4-*hv-;G#**D9S+(4hB)GTuJ+*XXmVjP`LI??zc;YUpSERs zTd5t?a(&zPDz%w09HoIAoXml$e+Q5Df@_F8xI!%*wjOl;rTOVn;1|1iH z!cq5XWR_DxSoSO}EpzC_Fz=e0=o#?QQeMeEBr~T)0|!SjXK6tcdCX*p4nAHKAal7+ z&oD(Iiqno6HAk#5oGfZSv_HUk%0?avGcIYRv2}Q>Rz{|D>Wq1i1%>jHCr=t6M0{ll zUhm_Kk@wbo>m*U=3|Fe{Up;La{gqeWQd;X5yY)ZY4sGFJeQKS&phZO+W$2KK3CVZ! z`y1@~emj+~6mU|`Zq+&h93P+fz?5`PyMOY5vPmVK(>e~$wc{%e!?j^tE#+>w&hR>= z5pp>{BFgeF(P`}CDw3~ox|zWWbv?~nY+_8EDE6teWzgukUlY$sDXc^pXmKt=q8~Oy zQxnXEDwbkn#ar*ol27?o|2|XYI~{Y0jgB`|mM}Tq;#5d*g(JV1BZ47NOSBI6O;DQF8=cvhS1)5TEysSOW^kgE(CXY^ zo83;x8sDY4-_H48h87QG{Ji-K?^w5D>wt*viAG*L7sp9B+xiQEn2-uKl8E_k+2>p0 znch?Badf1`n?#td)M5aKYCPen#OyOm#Zobgeo>pz`szvtqW{aCvg_s0MQ_o}kh545#y z{PrxJcdX>Vl-2vLywmH;^<-Ih{&pjis`K}Ta$wgeBdjnsWXV99*n9jZy~|K(0ZA(! zo=#q)+gikHOKf;(NX_40@3{>dzoKF6{1OxnbYJ|Q!(a7$-V~guG2R~{P2PD;rdQ+J zEvL@1`fYlW@c~|OGg5DN_|X&7H4A)_X^D!@^flf$1xGQ7fjZCSV*&JZ6a8jmj_rXI zfM5C&%jTTVmfRyCz2;-I0nZ0LXNi*OaOgC)KMyEa$xUtwPTh1xlJrMcRxHzXOE^qWa1BlEh9jietM?D-uD<^O#9A93%# zAWcWNuYsi}eHfA1R$*L0`ovglL9j*AiMI7-*1~_}N!B+iQdUF> zigGYn77g3?v0G^;3nnt-_k8$IS2wL%xqSWj38>m)Cz0{BanBMhB)+a1Fs=!BxUh!g zWTYD2`&Y49YF{g&?eI-T`UK)cMqLSKy^!p>soUV3kH##^C4m&_YXxczh6zONuPCrNXl4XtQQT4 zDaFtiW~O{Mi+aT-h0{3s`zzpTc0`4iK)|_ zI$W>iNuP3Iv8}|CXDam40SI?^uZ#E2l@>d@fSqXUPuBIW0(rn13kQWynnt+k^YF2I z{kZIb;A|TJn}ky1V}p@eRyt(`fUpdGOFr^T>y1w*hrOj3i}`w}+>j4rdbLtR+F?nv z=`y2({j-VCn#R)C{Ys>L6B~3+Kuv)8IcjDDQRQZc=`(pUbVzZwi2opoF8y#{3pQDS8VjiLsLt=^IEUzSJ6m-c3vOw zd!N6U?1dTBe+t-x*Hu)L22D1sxSrC7(5b2D889rbN&&~SpaXkZacPLVX8P2Mb(&Eu zw(z#2ZiX!6e>p#5`@!o7oTXlTRv3C3;mYpP_9t0cuERW-tK^N>R7>Ii#yL3$%~P$k zolA3WyKB}ySNmPp5R)e#H4*?I05FqBgOxL>+iTs9B*MrPhxL z`H5+~6<#nfGQe%m8$9(ic#%gq2{GryQJ7iC&J_B`J z?Aai2x`eaV4i3%b$r@ka=4NV)l(shYoo2$udX~X$N5=)(m$m4p*Ycn++CI9-fn;0) zSI3Ffser<5{F)`H{QIon{ZboTe0-TktfiRvinf+lgC#_&QFjBQGEyCGe{WM!j{Zm;_+^Z#o6p+Z z8!j(9p1`RE(+4o|MWA$(!3%Z4wK&TX(qZ+46mKcDR(otVY32?=f!XWlLm_;^!tVlo zHE=cdRnCcH1m(v^I0-cU3iE!HDVDc?v}PmPJ=(F#6-bz5!+*fzs-nLbiiZwLfF3tMo4Mv)B-6muvBU_6a!}aHvQg4O*=EiDVJePp=A7^w0 zXV;h4GQPMe8-3D!$f5lzOp5}Q4u_vgBt)Njlrf{j-SxHfLMMJbR6mq+S8TOcrpw5U za)^A(oe<|Xu*F6)`Ss;*X>Icx(BzxjJrimxN;Wp5g(<>?Em)to-re1X3Dyiy+8LJs zPp0Llr#b_T6#GwO^ZD2Jiji%l+H~*U<4S)A3q6BmqDFTOW)be-6g-{jJJY>us-lz| z`P2FuLn2>JTOne-r{(0&_|u}%y8olt6WMo1LpE!#K(qe6ks0w;`c_%e*td=zZQ3aH z`3g7k->ErTUu;I=cpRC77?WH%hCJq_%EEqI4>j7mglC7x2yc#SFB>KW-o*Uii_Y`> z+FH`z%E6_{JZE9GC5d;i_$^P4HvLQM8P^~e1c!XlD>wh;Y>*-s=&8}6&w<9DTqcUi z<=iAG$TQEIZ#iL#G*86<2<-cDpO~cE#|4y-vl&4cy8dj9dfqFxL91P}nb8ks*s9u9 zrDUU{jVC5ez3oJP`|_va1BDrwzyZm_@zRl7X=dB^LjT~Sfu=lxNR`9HK zo(6Bt_m$j`>7=o@#Gag&A-@7y$dGkZ?(OF-6J|;a3j-N`a{uqixZml{ZlcI#O zhXz;;eJ??7vpO02c7Z*%JvWuHDkHaJ#&P_-*9=&JADf!}O?Td?;}e8e51}yAeZxaG zb@-w%AlvPULDP=+EGeEYEZMO55PLSuu2y_KxKEOXQQ1^*y?1MHC$V>v;QQjr;4TWc zqmuWYmqxE}tGm=1q!(w>oHMhsJk<^KrDwdv6zL$~EJbX1xJD>Gi=X`G8CW)mV%|zM zx7iq*Rz#2B+*ax7Ejk^s$@&>G&J@RUs*k;b+>80lthl;tS#&wu+k`iZB@$fy1@mIE zx(|14ly&5#Ehr4OK2rF+_NyTlR~m24e2A%1YL!=#aU!zf~4!DMCzMBuxz`A25$M z=8spsBJ}S=aikuSK#%r+>nGwiCz})247sCPLQBbZo|KvYFigPGnd}EdQs3cMWL)*F zYLKxi^*ayAbv@GLKrFkxtR+{9{&2Ho@om7T&Z@>EPLhU0&bi2F>m4Q&x%UW4>_%J# zv*x$+kL{=)8Z0*d9`h3LDdGq+M?m&iLUN+hvmkWVP8sf&yQi0X3SlZuU5{;UMSn4a z-+O%KS87sJ@lVk^;2Jh|PLeQT=2g^-IQ5c)VbjBI2=;~w3aNhN&`(EBhrp{%nfrg$ z!i0Al3HF-aYDhZrO$Y^fPr?&e6V6p!{THHPBbnL}Jm0MrgPb9Zu$ytz>3C&uLTHeV zBQsV5JuV1hbu77I*;XUzrmqT4@S=_D>!qyZh=i2Vl+w#ln)c4v7{~k;%`t<8!{{j} z>WISqINX7TfGY_4s!|#T9vB2p&61my>8pHH(1}eTd<2 z_VbvxfiV@=dFaXt8%j zjP=!?NlsX)6EJ}hZt4o2eSp-wG2taJdO7}C$_6<9K_pGbK4N;rWV#SbS=ZEhC)vNPThG%kEk zluuJMI*@Q6J19#?Ox|_ZcR@%>%B@9cmb$XT6bYlp#FygVq5zdQml8M3G}NJzcheP7 z=hYSAtlmLS{)CD>yl-x9{zziAj%sdcNjqDv6VzZk_wjP#R_(^;GXN?)3JM81pZ*a? zM@N?=0Mja9**iLRlu^p1I7n-~TJgHaP~*qXC=LV27a{|I_WV+PQq>-#x_0yRG_Xnq zS47!f?1rfRUL8M1SgrYDZ z(q6a=0YqcRj{j+4OJ_Xv)z&vl2D{F-u23T)hr89Ts~?L??&)3i1$Ztd{7)<2RhYB= zfAij9tm2;+(j+HDT&MFn-~JLO74X9*U^D2v3qdAb>HunCWL=V{#=K@$b80Hr*k!@N zSz!)7$-Z)XjJRmEDvz&rnuQcB&CExMghuDq`Ts75dTOW0G@2-=ogc-Y-2{%ECj0jV z+h1tnZB=5Ijm=+7(x^zzYg15bn`xWWkW3ryWyNeq0K~rXf+84l%w#F~l z+)<>0jQ4c+?>~b0I5-?8iIRLT-wY=txT`nRjgs|`3KOmZiZOVJ2Gk+o7?iaCr=E+R;};(zD2F(Q2(U;cwS+~CCu1vsNbUO1`sl<+Qg-lV_SrG$c+0NM7A*Al-YzFDJjze15XQlOl()h zs>wW08|2i>4I+kTZ*OhoHa9N_|LwsL5D>`876|C6sktBmi(26^fRh6Qp9^1*j2rJw z7RbcLzk8i!Ea8G})cOUhsi~>Bq9oIgcDO@A|KQ-LD>a_ZX@6RWTmDCFPBo!Us&(VU zWJI2HG%R;5@b<@hHZckT9irWXM#QF@Un{c#TvlT_4R!s8s|6Q3&g(tEPU5JX;>H(y z)+L08C!MKk{WSI{o*T61sOPcinf5Qv_qXI}AJHNSfHRWKt|Oh(SdHGIos$YKE;_+4 ziS+F)Qc+_wQv*=2%7CO5=i32i{ia#whKvwc*Yk)s7=H$y+6dF-dWW{;e*vJMR+XW& z^k*SpUzZA4hrwFT7dH{s$WB3p-7Y@lx8B3R-B3@-MTc2J*xjT?#~#SNxn-I6;{cg> zjE|CukD`r?&*?I3y7vxk7dw`fp7EpZ`HM;;;m}$9!Gj^Z3L*kH$XdIi7FZj1o0eWt|rotZ*J&f1{>DGt-aWUo9SaVER_ z5ZVY0gHfIK-dw?$@{sc}R+*yfL9ruIe}h5AMTPMSle}xNkM{EVX02z<*Cn=*5~ddT z6qWw_V$ET%-DB4^yx&>(GgQHq_4(jSq}aB`$ls@1*}x{+JZ1r ztCEC+VOY7pVH^L#_@pUb+IfHJCDs*X1je=TYNY|C)8nV)`fCdQh{6L!exK8KmAnlQ zr)XG3lLoO;2-cr?Y|oB_+#ik~t~YQ!PK2m6%{lvC-Jk7O8TNm^S9(t)f@Z*{ce?Vq zg}TG>0y`^hrmMQVH71E$mkTweq^9EzXMH4H9~kLJm6{30)L< zk2S;2x0EPc74kYw0ek>h3FvCswI}00Jc`CdHA^NJ746dh7a<7n}QGK{lb)W zBf(BZwd^Gzpa&9`qE%DTHH^ACm<@Nb_>-RzAu-Uo%@S>Vv90K3w?jpEY=;lFPK+|+ zbU8<>F&)({*J(k%7;@p5b;T)5X6svUKZr?2)yG3C$;%__A2W~ygCezc8j7nbK74ki za`?X7qf_$*b?BhR`vBh#`(~ify^&VaKw7J+i5L&+RFzoIXQv;^!gRnPu*5*Q5DBC- zzZYR5K*JxAXmgwI-$eD;))j&y_ZKWR4JauSpuv%Cc33{NX?tuX&J19iC?`TClq&V# z^@W0pTbws{Wr37q`KJA9CqFV|Nl72%{^~EIKKV+Q!`I!rUQk+!`witBm%xz)$o45&cBmL)zOn~v%O|ZJmDJ;c3n62#F=DFaQU#4F^7T?>J zca<6Jg3%0D`#lQUt=1qBnO^Whw%FPnrnC#CLY>8#m%q1jFl#pwHe6lABqn{E>W@xm z-dmN~Prwo=F`evU*EK8s-Q;dE*fiF#=WBv1 zD#HM4aZl|QQ?>UZFM}D1%S9bng~y0h_@Ksh2iZJ7(pZJHbmiSw*b+%`K&5NLggf;J zc0=Rv4Nlc*`~bfEN$luBOd@v#W-q7R+cIZ!H_|-WJ^IuRbP%N_k&X^M1M5c%6J*-n zZ#(4X@;}-e-w}A5vLq&N=Tc`cYw9E)Tbo={tM(&HnoCWrhy>2gl1yfbLAJlMVrBT$ z7;>?v#YLUJgo5dp*X^)6!eP&Gm9Ndds-HyTqg?hn_FUneUjJn0|RdX3s*n z+Z0e|rL^`CEG5f?naYrA*&3a+kl=>Wmyec_mJu>|#(~wJE`v2eLPmxIwUcWu16khL z*uGkDtY5EBI9Q+2+{BY7Z)z&k(`UVR-~GcujW;f>qw}&)@`Zq1&F67ZuGU|R%VvER zTc0Qmn&}$wf(wTYwG-F~!m+0lck({W%0pej3CWak+}8Uo`pg^Q=h$kVFN4qZR6??H z!Caa{4jOR}QHo9q9?v5QNSrmBw;8O7iYv`A#VZx!`tsf8>5zqLWO_Qv>v4&Qhz5q_ zq>Yp@n-_dk!1@t^Uy?xI{MWEAAq8T>0>R8B|5pp4so38BmFSjM-6h!$7dHC$}3?X7wdGvRBjU*<;lsM<+1C$x9u zjYiBXDJrCp5c&q;$S5f$Yq#EUp}bimE(_MgH+b#n*?WyuC5%;Q!K6tH^|+7fuf8}d z+RSH3U_E~a7hD`|TI#tD{%aWyx5SY}cs4$|(-)X?lq3Z=>N4aG41rRDdYIeJ7nV4S=WtvN4r~kg%x?p2oQ~>+% z!e?#W;&-Dr+IPoQNPm_WX#=HZJ@I{kt-c;O&>8EX{g}1hKpU%Ac?WE#A! zT+SN1TqJVA-SSscuSX~j0>=!*VM0 z8;BQsbbZhFtg7vI@+^;oCnmrs$$=%)3iUUaxklw`QB;vbAT}y0HC7KImxz3Fi%h;u zpJu_BM8RNm*=&N5P4n?S^h9-3x_%kb*wORsZ(O$FE+=OPFgzs!*KH>x5+CaK1^z0V z(a^IqXZ>~;jphlFJ|9`xE#nj1Z7n>LOGA=&vD6;rtTU{*1Ql?JvMp-OPCh~^@ z9*Z@DwHoK~p$ewa&fbfa(d5}#%ca9zUQG=HooAJNq}?S`biM0>Pyicx-{MiC{pn>2 zA$GAIWwxV z{aN{PBZ>wdXqVu?Z6=M!lng&tyLo3Ae|CL;Yq(JVh|e(x)I1aP_{jem&JCyII=zio zes5h&(yyGwHSVaScvk6|t(}{>dw3Yb8TWCZW)xU7DQQC&Yz=Yj+AcdopEgaB? zM&Pvj)6aFIsIXN=QauW(d+=p`YdL99CQGBs9rnWF!UQux&;&%biT`rr_AGvPk3wAM z>N&Ro0DehFA+ld;;@I9(RlPt<9_x3mDOb)EuwvdZla4kC&?l_rn%d$I9ooiI3-5CY zznGrl2MSs(RsESQrFW%^y9P~)g#2)JNVUX#xActakIVWcaLU9$ClbH+6Q@m5rL=)P z%Ql-%$Y}a(Zp9ww_2FXl6Gs?L6PX3&M{AwC;^I;sgZa%(+)aWcSZ(RTlDE99V!VSb z24hd0nO5ekdf#-hx8_CT>#aWnDMaMjZGJdOY&u`jtdur>cIL%dKJ#!`45zG7y?~|| zMuyp^C2;8UG^#YuTTC{L_b*_OR2Ns`0_6n~y+S8gG-+839rPL;kdW`2o%hc15|Wei zRGC#pi8VAegGWi`%)|{6vC0){qWJ8WqvA4fNkzW=7rOae9L+(dyu1C_f!U}X{epn? zXUG*(EH}s3hjSZdy*5+~%Ijn{qwdyyUFPB{P~oApi8IalIcfw?YFtLtdM)wA3*_t@ zh2as9#g(ubNVQ0ANWP$5+IjQz{be}b-7QXZZn@+>mk5T2>TE>4!iZ5l;UaGpK|n`X z+vgkLsK(Lh&fQb`N^Yoyuy7RI8?DCuk+@#JDGbTQZehWJQjhrn*#0RIsb3#OAwuu& ztJ%CSU!7$(UE9&?vc$g`M~N51NFb*)s0}s@ARRmIt%bVl=^8>57?=up8@-u^+5&uV zsY~m|=;W++aN6F@4z{JBR@K&GFMfC6GP4?4ZDaIuF4}xS#%mzq0djS@7>OiwNY5bb z|Eg_8WwtReG=}9oU`ajoXsI*BRVSH$OS=2IuNTf8FE)G~8*3uVGgy9M`I=&lD8YgG zWzt?zQSdfaLZ#>5pI>YAT{k7i$HuT@Q`sF!Cv1j{;i~$&xf`n2mu`Ed#7=#mfeKBlQol3Sm7v;p%Ew$TGe5t8icM_1Oj-7``hJT2xBLFbqk|)!`wW^{ z;hWf`zd5f(4!$X?oc_MNx;9aGaHU4?t|4um?-j(;NkEg2O5hmP9?dgdmWL*wW#1H& zWgl&^-OwdQr^)z6M?{6^$P-bM(QwGbeg}?4F)!@eD8HuYSNF<59v930q^ul$S3ohf zuI}{+6ER_#P#g$80Hb}uG)eumrNaHGDKR-w360)19HynMA9x;)>Kfm_h*WZ0k8ZxR z33=BD=qEqze6wJs-(3`k!(087cEGvv<7@wsTU0`Zp|GWOB(09lFF=@|rppHQ=9OEG3 z!{_I6o6p}bYuByTI&Qg`43E4$dkba%k@MjV^^H8WAdNwf$m(mxm#yXH=)tujLdq|U zB*k>z@V`u2R1hx^<=iywMyYO_aT}x>&)=CT(bvu=*SQYtdeFN{jbr?nVo@%6js9sO z`Il-!?UuZ#!m#!OW%C|o&XNgv`npOAscd`zVe%|Tw1rNS_IDtL{JU0rRdp`4*8kg8 z8ck%XdosDrz;>gBMcG%z8$8!BA%!1O$_lN0hnSb|KA_DA>avge)-s{5vb6rE+Bj?4qIEkFEMNaTC+M_>A<#JDRG_Q73KO_t5fhxW=BQ`}Z=i($h2 z3ee)uwYN2qaKH6!iW>T3WTSWfcaO4-2PTVM=NN{(1I-6`Jmo*(9-zKy{|}9)+(-Uz z#(cE1a)CpD|9;my$of5jhlgi!*Y$EhPM(7x?zgk+MU}T?Ddu07Up^{6;VxBYKct}o zT4Y^t5bsBoo@nTO>doUTckC8!NC^QTTVZM-FJ?v zjI19a%No==n%Mn+y|xzuOYd(pJ%wA5%aoRp*62|+eLgB)8amOz@u!yWKHudw&#n5A z33v-=H`pZ(uCAD?;DR{17%JQH$bhP=J+M3I@#3=gm{q6MYzZVFTVbWq*(@c@MU##R z_N8a7L`sHG@;3tncIE{iOgP14W4`x%P?{@p=Qjc6=mr#1xEOy%*rCd3MryJv?Lp>1B<&LAZ zTB$?XWQEYPfZ^bqrO+d!4k1TmX9*NvQiUBlq2X{a5H4(<*H?J%Lx3^~`s?%C73RjP zsdG=E^9@oQ`BUhel`#hhgL8?0logvR-ejZeIXf^((QOW> z$U&y51VYjDw++8KMDv7BK61Ff)Bu9@6V-w;4{dJP8j=-G3omeiuzIXE4=cTXN*Ja z7W~;WE4E&~iay*$p1*>&8BXY3uMUh*{8TSlle$6$J0v$R+kn=Da$h;@7Dp9;H~0W} zqf1i#r5YG_D{00WWB5}uKMPD80T;+on)SxR31wxh+;$!VDiDN%VaL-9eE@dLBYqpZ z{}OHB-YGc^!_#Vz0tSrx&}`Mq9rghWW4}vUUJ~dRE9}<$EmN9@S$*;m0&c+QVAmC? z@5^hD3yP4AWHz}cN=av7iZc25f6e6XdJk3zzjhHirbFa$S!C|6u8(QIZkt_;vXY<1dh zKXLl;b@g%Um0RyLMmYjXcwuewC#9Gq#?K}fSexrOC@86xXec_0)Ur~)EJlduY#cqnLi*eK{n zf=_?$=iCoVryn*OA=1S>&GIdPyIy_!1~JIz$)+}BsS}x=RB$8&NJCY5+@$T_fjqhD zfJTbbfVK1$fjG%=v!LUEZQVJm4QLq)fyacziLH2IoaWoF_x8sL6d^mzcYc!$f}orYL+Uvx_~kQo&0D-0Vqw4>UZQiN9E_aV#Ac^0&9YK{T~0OZS^qn_dR{Wv6Oraf}>mi?CWt?)JYY(n}>ugV6ck& zA;u&XgFm)A_Nt^Bfk@GlYtmJ)hCmP^0mG@-Av0I$qlPU2bVKmhj-O-J2!Q7~Qz4gB z0Z#~jY`d^E*b5tPKW}E>CkMF0>395i+9|0G1RKYYKwI_(5Omc0HLqynOyYfcABr0ZjiKphx&;*72x5Sk?!wpW25Ji3?qVpG^DM6?aQ=Z2T%abE3peuTqaQkJ(A;=sO zWXs2`z$hu-PG1yKV8|R$aOa~dQeWH|1R&-*3q|2rtcTx0@T))v3S**v*{3ewv2a;qXE7CnTAG$>4vcE2CP z+#k_)>N^&6TrkNm-5i8i#nG!A1g^x=iKh|L!yNuYjF)bpD?fWx%u;?DJ0T1h7!2E7 z9{{Lf_y|=wmbt61j@5ut1_BmK7^kd#zU8`-cFYEXjW8k*t3d83Kk+BO&P>3Zu9pIf z6(`d;TiCnO;Q5jl7Pj!817Onu9s=r=;PJ~uBG?(P%zO5$8xOk-n$^)57uJ1gJkY1` zdU#&PjXl7@TH1M~c_hC^5e6x?TKALtFT9x)MFp*3;9cBkb}aYAB<-~b?mP(Mt+(dX z@QQJSD_{$Yo2NwRS|k9Fu7diR?vDW=H_%<`CrVj;=rmg+cxFPwxIqpuJJiL#mCyE2 zE0{_F)9T=qyJ{y_K_7lzy>63j^s0h`Xj3L7teFHs^_N=rOBNlC$hkq80BNzDUM4mU z4SB0KO#4f7Ue1iD#TGj#WJRGqNsB9HqDz z!N`)>iej3t3??E0MLwa9O9OVg8bdYb#&84iDM;p(I5RW;8;O}ayXGkL6QsFV10f^W z`Tms!#9+ypbKsQ;NH1mNAU42x;J^ulfKdyJ&lWCP{CE+pCJzWKs5($UWR?gnTr2y`l=xCn#J>{Fa(!`;VG1PSANw!m=@fydWwF=_a4CtlxeX8_8y;A z_{ng9_M4EpB&Rj>0lN1d1TSVaKDsw>meTAa>^MYgX-!V+-LeIsbW9@YVd4RZr6tq4 zIIO~(d?$jAGa(ae{~RHIa?~sl)(X>At%wULYBC_30%2+-RaI3#%6E#mCF`_YApUyM zzy?6y_4s2MhWFH(>N9{e(`21tT8x1%U{R0-cRW>~10q}YF{u%XQZ&jWbYTALsqf4< zEwK=!u*9Z?O(^IdjWGc%4rCulq~VuESNczLAk?K~u~)CuwSaP0Iy-=*-A=Hb^B2m`zavb>I!0M&rFL8~PRuP5j+Q#`2sX+-p!h4Kbp1KiG|3)dz{XI0unt@icljkV~l=n^nv1KZ>TO{SbMl8xT6-!(I{!LFq)|f0Mk(Q zdxftdnpO9Qr~=vYS50@Se;y6NvE&Z0x;#1+IZ|9^i18(A2fNSuHRGuv2o?}x_KPV? zTmkwiM*Dxnaca@!V}bc~)(<0m`CjKal1b zAW~Q0OxOA=9&8=Os8aua_IH!9m=^HaF@XH zU`U$EQvOnj6OcLY7!=NTkF)eBob*MYX{8VQp?+>PevSwwMqa(JW9rD<1QW^=qImHb z^gVCrYbJ&t(9^l;sY*WE%inEUM*y0>({A6a!`fHwXi( z(**(HbW0+1LzBDmfTK6^p84;TV%^O-fa3{th{+UJBYaIn3$t-YIDNN{ z_0k^^(wFf1h5ObcB5ekC8wL_)`In{jOyvVZ;VkGQ2$)OntCtB5V|+<~C?%YxA8M*l zag>FP6?P#w;C1kHn*>FPJcWiNL(W9sbA-4B2u(DxV_AH3FhzVZQgb>e3#(QMD@YQ_ zw44Cf#5KEFs{{4_-yq}J0)>~|lMR4eGK9zS=>^1s8u;+)KwPbxeBQ3R8UrMG)=dML zCCx<2aJ41y`6zM`1|Gmrhy&V^vMYD`)w2d8PeB{ZBAwWvmh!PPs5i82mU9|JC<2TUa|Y^aXG){c%dqW*H5RQn*GBwX(MFqugx)9ism?;l!JfNZr8JU=B z9F_(13kpn3O`q#$^EqaHxIFRw@4t6MvXbKJsWT8n?p0MgoRL+(@oP;@jmq@E^vukf zkpC0em+krScPs+-A#YtX@%wjo>2)2xr>uUqzhcD11d=p>D$>FAqcK2IA69I}W`eof zwcEOo{~6iCX(#{@YiWJjP$+*=Nw2M|17J@4a)TE9l9H0XXyTcbm8jTQtSMHZ|K(j> z-rPtNfRPJZoHzQG3BXu8xw-H4KeZbB#m8w#;$*3CF)%WI^feHfoSGUHr0bi2mUGf= z)5E^mkKloAD6brOu`=EN3rD#HomRfzd5Na<>?#^sA}?&U@SKb!1okCDvRP)4mnbqt z>dcyFh3Qb%46Tf{CUcIyl>&6vcuEp(2dyEFu3OPYe4u+4vi*6ZDPuL&SxiZsfLNkd zEb4^IJY-!0hz`qyc7irU$?3>ClW{009PgKQ$_#cS2$DEZy%Lv+Hc=6TbDsi*(cdJ= z!11BSAYAaxaQ5+!ZuMC4MAj%Ts;=%G>H!oH+*KxJ)K0JYQcCLJ|@_nDxFU>5u3zr}LxGu`Gu>d+BVq zzjU;8J*r0%j{Y53Gk&Z$SK)6lA-~^{02Q_m2uu>uGN{*ufDqP5?7OxWdwKOHJq7VY zMQR#4DzPe+k#Q6((B3Tc4^cqk2A2Rwlp&TfJOLMvN{kNe(bPIBQu!Sh4_-G?kQDQ) z5b2n#tbmL|J7=AN!9j6xhc~Kfo2MLYzoQy}#rO|zB0AtQLSYlSi-B=%=4IZazjn(f zDj5ELZ{M{&&}8p8I!f_t9v#l4@;G*`g1q8KE3H?ms$8*52YZy|Zq_B%mRU$#%U@B8 zVM`oO$HL=a|71~YFlajCFt;b63A@s1Ucg&MSzcPX%B{O!V%e!i!#b_7u#hl0DJdZE zfzmv`hy;xnq<=n5ts2(@%XGmkCC3CcrN3}r4tfX-8^n&};phzz?3eEDDa}8nDaxl5 z6T^((=q4m4W>24zWai3;W+lW?QlS*Z=vjGV#F6e_QI=z5-zfSbA_p=c0p6cuLa?%qH|g{SNqUtHfvD4?Sw z#qC<_8j}>~(0q004It~;$y#4qm+ay{Sr&d{W0X{qYL=bbE}$Pea-|C~mBgC)k#LMY zYoMFvHpj&&Axe(htAI6J|0`m?wKE|#)}$xld0K3e<+j$=vX=)9A?=K8=tjN{HY*dC zL{eljz^pRV5)(GY+!CDo)&pU)46Z@$eMrXNCQHP^3s+ak>0O5Z&UV%QU z(9W&rsQ;&SW`V(`;Dp3PoZjaX6d)5l6QPlT0rpiGpR$kjl*)E^efs~QnvH88Ev&4} z4rVK)aMUEmT`%Nur^TPbEz|axFv*3(o}QlWnP8VcP6`>r(b%eEnV*4D6I+;Jd3kw_ z-WQfRVSQiB_6)f{6@uta?B&={WCW*T^crrcRMmS@hS|7l_R9C4Vezm}UBHsGft zT$#6nKm{IKAmE|;zZi3a;8E>?G-Y_PSPtTEEJdU|T^MhiEo5wlGO@hv)zw`o%HLqr zJS8AhebYS}VzjYzH9whh)`z`{TT)#7^Wp9y^6lj4Rb&CY+2`Rd`%%C{^!rr4fEE_8 zl1*lkH@8WXH|;kf54+N0X;UQfK!Ly1SxNYrV!`#b$Hg{w_sYeb=*7kP|10Ubj_auJtqTrP62k#X&nkr_gDjhky^d~RK&%(ybTMy{{b zMRD!8pL5=4pXYd;4Xm_IlwlGmKR;BaA6UdirH^d+w|{*E*ktsPYFvE0 zzEkw8F$c~C-x45_Eg(8itU8_EXJER>nB*;Cy7k@8wR@kw1bpV_uf4r`VPUOj5ZIKR zOfe5}lJG^bO!xO7Jy-0<@G$2jSBKyO0D0m@RNQ-j=En6D|Pwd@*6g4cG+oEb!Jw z@gvP1)SR7{GOjQvXS(s*7gznL-D@;{?V*mkg5lC{sIVxX|95yjm-<@ zswsZIp>D};;QmAHChhl^HAJVep0YV-8qs!S-g1l9<`u+uNRIn+JJ{I$%nC4jvan_8y#!OXX&x+>+qZk)aKRiSS7(W$`uh5>@-||9p$CT9@WI6DLtrMF4vpyY;l)Lw*Y}66 zLLi{Jj-8kJT&A?e!JlTXLt48+C;P;`r9Bde80l3K!CP{?>a{U?-y*;GQdPGL}Ug)x2zgXy- zGsw|H&CF`wK+#Z|M}1gy29bN>-H&>=7zh83VF6TK3`qXs!mys_@5m+HGVamE2L=p3 zO&nca1LQ1Izjy3WlVA!qj{3dRhL2PTJbFK>eX4gLfAct=-1q0$d4Jc`^d5)oOGAsK zpeNp!CLJah+l^JcLpR;2)PUS;PYqA+ySzZ%{A$ZJuIA!icf`QJaK`{;l*s(K;rvJS z>YAGFC7shyy6Qmq?|;26WKX{MIy98_i-m=y|7LKd>2-4~8^z{v*!5N*&ieY4+PwD) z{cF5OPilVCogVxLa+P^FW$2cfMy;sUQ=WVG?u8-R*ijd~9>MsoY6UK`0X_wNC(;dG z+5tNszu>2QvKMu8k&8xJtE9uMfyeWttaqzpH0$__x4%tI`F&mrpm9oLDmM&VTttdb zr|5gfv!@XRLetMpK*J-p|0c@2-rU}<-FJ5+Ns(XIc(mt}dsLdj26Ot`-s^QviWr=J z6Y-s0-OJkY(5`D*(`>I=cxBrT2zrXp)<**G$LLdTP&yu8_iS5M6>-EE96{*QyuMgG zPOt^E2w2646;sqZbvJ1La+rD^LX*=9+;x1oQ;_9UGyH`I1e&M09;z2V`(@H#zF}r=@_AyJ z&n0X{GO*LgUJON&g!?dICE@K$e?ig>AKAN=(PV66P>8aQ&3JMEp3};FTg% z?;pCM3`AfHAN*&@0)4QoEt|pBZpWg`V@(0nqW83dlae8t4U)>MD13_pJ%X;VtpeXt7Z*Rlm}L? zmnEs^-Jsu-lD4+Cl=H3O~zTqtO2x4~ngH6}!(w^BeeMl$31-~$V zk8oSfk93gg6-^iv$Y{7BUxt;*%XkR2^f=T~9JU7AaFld+^*bV-a~Qjkq3+nW(>E1$MM`6idS% z%t79TddN$vb+`8otV{m>(LgJo(kA!=7dIqB+klsLXL_PynEJCW33*ZX0=?|2-h^Mw zm;m?SEsFo}j1WdugtUT3HG|7N${IRZzm0f~#GdxrnN8EzG!i|_9P<^>S`8j$JKCIc zf4Gq8+ueWG^Qvd;6VJ(32z5HOcwbe3{`&|gwXox+;nDH5FyG_bGnHhq-daiNPd`1( zd(uQ9A-DHG_kUtwO8F_G8T9SBm$)`!i&4R)Jz@ApN2y`V(yiZwK(_4d6Vi~25^pt2 zwUGqpLW-n74({gIiwN`V?XOLJUfI{m+|pF@y*4G3#<_ukWLz(Tiq8Y_6?YNPTs0Th znQ$Rs$MC4;o+$F%#s*ib!OGJa1#^AmWr>Dmj)6-a+Zk6Yct2Wa=1?K5LUEE(lM4%@*XwsRt zt#@JMf0azLp#W=;Z6L<`N+N?4`=-)0LtGv}8zsa5qN#H$*)Zb_s69X4Quv)qvUcQc zDS(A8w@mM;IhE;hoDJ9oE+qCpd}rgfoca>T zDn!fAZ1fb^w>`w1;p-cBREmc! zjrB}$3U|n@KAb7p#<(+%mV?`tPn=nDT->LKCOTHstaO{e5jola08jy7L#hMOHG$_L zmIlzHU#tJ0N+(-vmH?z+Fg6AIV_bXfy`V#lIZ*E}y!F)INeVn?c?%?|fnUzMYyrW! zS_1rgYD{Y?XN+=UW$#&T;==~Fq)b(Qq)3#J-kkAP6^P+vlfLBjc8uKFnL*@(lR9Xu zs4CL2J0(X~#pbL+CK4)qM!T+bjd3CUo!rCMjx4=|hp&1v5` zB9O^TT)&qj12HIg-gWOw2>|W(cHT`d{-F2OQ(dBOH1@dbNGji4nj3rBcQKaTo>pZbMqs8Md zzw^O+7qD|nv;Z`4<~DzqGwJMUIZKLjL{cRZh+)h^vs?Ti0Z;>*_4DJpZL8yV04+qb z82>eQ0wYlQA{TIj({HQ*76hoFmsdQ#)xn1e3iTQRZU(eyOW>S%mWS&wqw+rhR};Jh zEqk-&d=ucILcb+EVjIzU$>{^o2Vew7D&y!ZwL8(zGtr}}#KHZ}IP9{sAp#uxU%TPm z`QH`qBbChz;9|PHG}tBI|7wCY@Rpc-)O4t9W=7WtEVwNnDEyR#^IBr1hb=>SY(9W= zOInL<0d_=B>MRU@GF+%rh=~B7G7Stg7IOTpyU^<7-?ZgL5gC{^aVCa;W4=z0Sv~UH zshh2BSg}7kSr3zNE+39t7}uIYIm1-P1L6`|8z_`We@2iLtfd7 z8nd|QILH)L`gB?z;&jjePg`7+Fsbg$V2F)N#nEy4%E+Q+~0>+(_m` zR5Kz(MgadDI0nwex6bR##sraS+fD$>GH871t;aB_EtH=Vsl_*pd`_8G3hYh^*I1b{ znE@tKh0%*dzJqZSm6W+AZ%S7F&*kN6e%8h)C@7_r)WQf)@Oa@@)^xTj@Y`%SNW@a?tn&oF^lr;7`Cw^H%Kv%=7PZyR{Cv*3R zyMnvxI}2&SSe=I_=TGXh$B*Cczb@&RG$(Ft1wDH7D9^K?c4hEpI{O!6z)eifx#m{U z-mWQLso;OkS&Uh@^KiZeoebiEWDs|0qn4JI8}tYWi-mLP5IBGS{GC_jSc)HMX;#|_1&l#T_hoZC-zm?ySE|-a zISSCnxPdF5JcR`EAptXNAgk0UYlG0-nV0n)9UW3ibLwrIJj2_xaf^c1ehC?IQh#() z&-J{Fku%Qcj>^4Fk521ZnbJ|n$pQX?Bzbvx`L>f2g^;jmK3w96pO3sIoLf^mf_u&1 zXW;!S=f#VBU7ME;I~TGCZUcSEEh^ereqPlJK!(8qGs!?$vwO6nZWj6NbW$i4FetVK z!w;}hcN>^LCA@g?!oC5PV&!?E)O)Z*XEr(3u`iQ(Sg!*xJpo>D#P%Z@J9gjk#%rDPxzzp7 zf&qM{L9HU)_j1$c|4ITWg0aefarX@j+~QZd>9k^&-WL-S1LKRFuM#pkR+Y0}{Iuja zKXBmL@!tH{9uxjC0W%F&p#?xIP)Cx%PU%FUgh%>vVU*5DMCHxZ*MwSl;7&sXcKKN?v9AF~QYPHs4;Ho2eCuEsGoGm|Up z5_e_#*yt$VRnKU!IL+8{4z3z9x!thWY1mmgCoKb|?s6mwUK{Y9_yevT=u{ZG)nU9x z4y5B5vCGp}WQvRrVf5y{u3D#~4YAjr2r_=PFv~}8OJE1aq=bJoA zANaj&-1*DlNW(q%Si`G%5~;vc(>9ng4@|Uu>xxAw9>;##UE9rvot`wg6J)OOTv=>M zAGq17jk4Oh9oX4&Xza&FRcPBgh6|juoDk&Ys@VHnF=4u0TyZTccMe`RAb(OhJP^mz zv&JnO9@u&RBpwB8sPeN4IGS&)#I9lwT&Qz#qs~a&+P=V_u%?hf;w(rFH(P6kHnq%6 zd6GOSU?_%!RA+5WOA8K0BKcnt!i-Mi0JFIc`dM5gSEXus6Msg|@_Wy|{vy=%TilP_ zWN=fq&dz@QZgGw0=j)v8cX#JM4)o-FJ?M742ob`-)w^8qxOz^=GhAr@1#+o}c5uCs$Kr0C6W|+8D3IXzA_U|o z1ks^+ksJGVa?xlE2vVHHF36LM4%V`M#wE|5lp;zPuplT6Z`QYjIv8bCd^e$G>1R7j z@6=ROR!S9Wgea`yEkKI`dE(s}3^hr-^2%jj<9ZpFTg-0eirww$U&fW*pt98F4tbpg7KqOy2$~q81KtsbPBrcpQzkk?ISW2h8M*cfWfl|Lcs`Xkp0aGun_D3Pu6FY2 zzbo@w$#39^AU56By1M;jZ5@p|yd*U1{>xmsurOIf!P?Q~8E+?rmj?(b_MNj+&7JR{ z(PjW{^3@sCQ(~zVUo|gZfQr^}#n@Bhu)MPe4o5336Dnn~SN&Uz-4=VN&14gdS11vZ z4GW@hV!oN>meWeOAphr-fcbk&bjS2&KF6k&FgH@)6WIt+^Rnj6Oe9Tov%$?heuFPQ zv_U?6!Q+P}W;suEJ7p-^r5!aKw6?}xX*}^joMaGs6AQ_`e*L-`L>mHOdQ&#$vSp(7 zA$o4qI&JLvHdAIx8G7MOPXplM%}o@Q4o{0m zEk)?&rdX9;%14z|DTeMBL~w`Y-il@mp9_XeR!!KWV7?Q7B9+eA$CAp^QS5b z_9+&-^@KFF1A~-M#(7s=GXRl6ZKFh!CbwYXW1DIdq>}H!)J%prxQ%-3&!7Cp!p~QXqw;oD$ lDN3ptJ`PZavHf+bb8hP*Q>z#D;$Ohe#L(QJR_|f-{{h9#tnvT= From 0bb832736f57ba56a874f30a76207a2d692134ca Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:08:44 -0800 Subject: [PATCH 17/44] Updating MDM section --- .../mdm/images/unifiedenrollment-rs1-42.png | Bin 42711 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/client-management/mdm/images/unifiedenrollment-rs1-42.png diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png deleted file mode 100644 index c85e74d141af4ba50b148aed25f81276e0effb03..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 42711 zcmXt?!n!qxE2D%wdj}UUF-XimCT-F zYbNK+eXe~^q^hzEDiRSA6ciMyoGd^c3hI*@6cn@_0vsd)@JXnKe0_3Nmyv*~ogo23 z4qz?CmBgW-8sd>(O+Q195uIf9T%n-QhW`6}N@YSLh6Lf=Ye1h8;5cd>SIvvzcV!bYT|hQyKni%U8>dAnF!TDd`0 zqfZGyqG%V0SCqod+TH@{>mxcMg0L&6CEg>_6_9IPEIq56scghOKg8=8iryNkI6)cr^B+5Z=lbhNj(aBzcq zm`dw|#Nhs`s%hV}7p77?~<49a#m1=o|z#Ha0IWum0tI`tww?>I0hzGlDm66d~O9UUCfTxI6|)l6tvfJZSx&$0lnQDu#{x3_90CTzF4f}XWTy)zOeo{XMi zVo)xwu9&#Ev~)H!Uw;DBE^%b|uw-@Gle#Nm1f%ofTW9H4a`$X*4GJCcS+bW4PqnR= ze@UI31HH81LeIeTh9;gN&IZ=G?5)!oajMpc%V;gtbBh>00$edidMLt>?b#-+)$quP$X%p6v`%zw1 zmAscbV1cP5E8D-;V7^g3J2E28&CNXqR~0tjC@{VhmLU!{5+=m;@orW;IU+uYovc(A zRxSkHb%5-Q!uLsXaTwWHG>C+AqjdaDnFk3j8Ep)VLQmNp(k0@#9Ln@W%!&MS|Jdl+ zXHQ&~qY9+Nv6s4k{fLFS7q@)0_FNaCw#l!u=c#3?1|bS7-{)ruN*=XSkctoQW#p3UzOx60hwLr+?^7KQtYCeHijko7OP z(q}%R`h^qow`Zm{wG-;5Hks@W(M3M@LO=Y?w0pTUdzl8*LwfeG2v2j#fm!(^3!?AJ7(nt%B)h2Cf*QG2HGtyF1_ZC$|Qz3u; zM4NS(`T2RT{YW|tJiM@^BrLs8s6$D_Dyeg8^jgZ;rmdeUe=(vK63Lg3oL$3)f=Md{ zW|4Zxnr^1%&gKeztkm6!7Qsi0hAoq7JwJ{r?igp(0z&hok2EGL4MVGrDmoE+>_BP( zsp0IUTxkk?>(auxXeG-VX4M+Qn3aZAjS);08@hF;=D0s%c!B9fPAPe+7DO)zPB>*w zw6SqEMf$x-0`4&u?F-t}&%N#;+YVKYZZSudLO8W5ILbsaK9AR<Z%CNTs}9s>FD=?^a9M=wR{B^(NeWpG%}HdVY$`0i9g;DqDbID}RDM?xen9*wtT4X}28WD9`wc^X} zY%)Q(r*IunbkQlGZQn~_O&y&Ljh1j1&$Xg>p&JA^6atFnbfQWmO)B}bkhZoqw=;$r zujKIvt@b#M*mXXn)ibS(lGVYf8-hZfDj$R%<dX z762QH_Qm{4-+wLS+=PaNjO|Uui#*Hz;gB%cxUk9)aA$PrI_EL$_EM|W7?97^GB5x1 z{d8q%X&16ejZID_Po^lBsG(Bb#X7;3Xq3mQ-!F7#o$cuabM)D?Q7`deRtnqb6_%-; zSl8id=IQk?Dh@AhR?pr&5Zsm@oqb-GJJ%RpPc3MjZ?9H$SIu$Wn0g*1{Bd6VT4|>< zp?=6+fJU3L~f;;TH<2Tqip(;mb#D|W6*VsEV$7Rql?04=c8PpKyq zjQ`adbsd_kN?ReX>nnqvHeF}s&XNF$1)y?@b=|D0(NE?5H3n_Kf&#HpbAm9i!(31P zFBo{B=jHYdbZxczg5ZJ(mX1E%7WKCOqY>EsEJ5i7W`l~|`{w)M;bB2{clUW^$xA{%61McWc6w1CW0rWn(a?&lmQ91mJUIsPB^s=BE%lOu96COVTo z0!?=#ZqMKG98kDw4MO>|YiVYem615{RB{DqLlg5t=^8Xw==7@PH5p>6brwXQLzB@` zSAImY8g=3{G&D4dG5!om;lytKdwCh}ezsyd9EHmnGe5x+ z^oHVnL&e8?a(v@n#dkO=5(;NF2)DuLBK61h^E|RiX=z_rlsYp3cwe?6)g6Syo#~Ww z`m?^;9tt=Md*<{u@FJ~NDqRFX8^)iXO&lCZ3q80wq#PVeU(i*F0G)7U4s!3JX%_@Y zaaC%Cg*#G`lBia3?Wu@xaANAZ_s^>6LLnPM$fs6kJD?EX2=n8$>qVMou}b7R+1NE;KBvq zRd$+RGNwFA_X-%fB(8f<=h?-@E!Y0-BL0`rfmQq6*P&RXU}tKPEk*X@u23;3 z&R{{hQ=@KC8L$i>mLgmpQ2x9i`FLuop`!vVe=NUV1qPUJv$=%3c^K4L8W?R^>LA%G z=s2k8q|~H?PaAx`X51%MHdVFF64n;G(@v+}6>`Kk`E&y7aEb$IfX~+jfD{T_ZYnBJ z?~fvuG(UgZf|SfD?awt;91FGmYmovo0#g~QYI?lTJ}j%b1Tk#S|VJW5%0z;>CrTVb_UO;vu0?w)v-Z>OiN zZe{i!ODn{tf+XkIO%H^FZjVMXp`Nmi`PrSPM$42&zvqo8=Zt=DpM@^-s0LPuxVq~( zmrQbd(#A@lyW*%2q~G5?H-Z=y(cAQUiE4R1T864wc-3D7q64ZIJs_7`(}y<8CxCH7 z*El;uKwvzAOJeL+;q(-FGN~rBU zm4?_-?O2vK!W`q&T%GPtOK=N5B5sIsO_3SZ6KJw;UpVKKaQAF|t93|cn)5ImZ!PC( zPij*F)DQ)<#J1~~=dd-tGaW^j_i?=yugmBdq{ja_Jyme6vPjjbQyIpdNwdCSjE)C{+l zZIO+i9<}8BFK174SQ_|oR5PtI`43}kucB*e+!vd04wlr41$~x9fIDP$F6WsyEGe|e zvJ%u1u4P^<&MRx(*C(;ne%V|$FKil}N+mP@@sEB=&HKlj`LgBA1m|F?(2sjHvh~%F zCjT{YK&T4bSI1yf#uNDD`CvWB}qdJX7xxY?Jk-u!IYPvpa5wR>5vn>{{ zmj~!nFU&P&-LW4u=EZ?xy<@S5t9-0;(`qJkz{`zMtE;hljKb6RoYu9DbSxU}S@eoW z8kae4LoIwOIm`389B28q^Oia==a#3gS%%gM8wNQiZMSzcBBUg+!Z!dNYsQG$_PYte z=W`*g{&swM5-XD`3-fj?^p)iI^CH^#iVFarxVyvg`V1s{E(Jj zk+vI#n)!Z}npK!-#zh!WD`gC{ZE3hYRVC+Xq?H~n5Pygr<)F5_>ju`E!n&w7&}PbT zK26_Z3HjUJcY={E=R^B!>w?-uz{^+Uax58K4wOMR9TLLm+LJs5stIb9rWfAuzts*h*z3V6E+>#Msd~y_7qfBXdp+q4uH`gBBf*`EJ zXDW=}eceoseVl0d?Sl;jUGjLJsT7BBhdxA&E*fkOZ)bqH_R5MN~8Aid&i{ByX!eKUqpsB45 zY;Rx7YZMOX4ImJ5Vn-tp`WZEWL?Y;+=nxKC9K;Uz6>wuwMd;6oflC@1braQ!uX;9j zOm=d#bSD@2vj7Sf4tB!AA9w}z0hQTWSU8ZEY}$$Mmgng~1rzc|$NZaK?AKFOQt2sB z?dK7f`aiozeAh zERlfQN;R8OdP7%Djq(6&V7L^9%cMQV2UG&kDP_^Hw49#W=+PtMN7DB^M2eia3j^Fv z?<%ey??+|G{lBAkOjYwYvHSk96S`m0c)&Og2@40Bd<0zGT!C7rH-^GmsaSc?@&$ZXI^LsSC($#wsG$X;u-h!##U?SzM@NP3ANNmYGg z#!xjqL+yl!L_EVzH#wxKf3C;Z3kqz7rKKZzps#;s^Vw>;pF+G+(o*-?0^gBO&+H`R zrg8=Gi=^WvG|aJ)kdd!f``)!|X3XP7zl46JrTy&KeGjJ{(7KR!aLR!_KM)MB@Jr`y zUly>@ar<2_(N~@@_Tu$-lcn?P(>1I6aRsVdiGbHhf$&i4ue*C`m%caX*Wy%bzx;ec z&6$KkNvGOfl84K!c;|!BJ*JOqT*VB&PaGT^d_H&dHnz6s74~xvNuMvyj-#gycqW5s zEx(~9B`1|wslQk$3#NwQhoO;1Ny?y)!$g^OV!M%Ct~J2Cy*!Ry6%Hn*R210K6}_HsRU2JE99B-Kn4xlh7S3B$-=kI|i;PE21%b>3l!dF&G4c3Q+D%Y#~f zKgH6@T=<0(E4U5MtA*01Uf7K3YbI>4zoh;4x&hO1xIQQ{e|+yyFi)U)_HTNT_dL+t zW)OOs3-&q%mtDR4ULJrg^G0^^Kf1cJGN^b=?#1i2d)TdZDefjO!vDVi9-A4Lp7}{a zLqjv>tbI!SY@TreN7|LBmU#0%STGQL$evXsM}z~KMngkPdqf;7y1jj9O8-MtO!>Vd zi9Vj_E0WZ4)S-7qQdUsI!H8LZ|EIN{Kwjm%Mt@j`^Ys=4Bvc7Abt;kfCv!rN*EQ$E z<6~-pFZ#76Om6;X)hjIwr4FX*@KyY{^ur)Bj~)t2-;=%Yt7*%=NF`$4@dibgBkQpN zLN~1v%7|n-<^7AU%aQWLqN_2<_-`*O=U%V#qu0s#@33HN@WT?RTJBnxr=vI2{Bl<5 z=0JxFFjxMd4rMX7&^51`zmrhmg3((?8+&;1Eomi9TT@GCFO9!Vmb$3v?qZo(Md%-F z?_CIoheC;HM=dXMMr&^|%~3Z`*NDF-6PVxR$%V8JYX}3C8Jc z)8M+sF%TKDzkk{geGhvM^Lf2y3k1A_{e012%#yW^Nd>$RHd-A9^MrkieLvccKf?N6 zkJ#24y`!6x7;+u>xfDIc5kGgFxXsJ~Cbg5J$_{cbQmdc+Qt$2rkWmre|5}O;>hwKp z-H}toB1~aQy$(3Si(@%rHuxu3-aEK$FF^lwy&@-_lKhju{ zaC1Msg~|8~PcTo; zrhljU!U5u=uoJnl_Yp1%p%5%(A*I*-PMz8BMvL~xcVCOlW>+^WU)Sg3vFo(^v(I2x&hv2osCc!8f05fKP6BqHi)Zux?q%3&Oep1&@{;Njs8)*{W<`W!_)&bMiW zSr_HJe!5{t32`lin+}GJXLmQ(ipHPE6!cRt>vzlQH}g)n%h{l8?Ue~$B$p|Ubh@7% zdNFK;Q&7gn#ipsi;+imyJVhRa27ThPoJq0Y>a?%wS*jYP&sc)PvMq5h{&hNn)w1Pf zUJ)EoNzCi!nFk0Ki2d`u)AN4t;m)nUcsw~FG4I#flWw(cFSM&eW^mzP*n~&*)A!FS zj=GL2TbP}lUueF_KK=w`Ogvo$qnB)md19#?=Z|D?m>){M&;Z?1mkVF-`ae$Qi;mDr zgDr;2F(cw*)2$sLfB}VE#Bke?NW_lM%*?#rd-2DAuuFQ@Njt-8l7s51n&e}Y zEo+2(|<>iv^AFfHOI=a>NIrnx&SMUEaoV%Q{?)WXs3*o1gEoW83C_ zNo**4)4zc>@PInfY}NWrNcpu-n#P*+acDnpk7qrt^C1$kg&tE2ANIb!$7eHn#{E90 z+;3BzIa|c84v-QO#z{opN{9J&n5^Pc{B7=lggPv~zcD`Tw8Qs?wsrZnjurO>?p217@UlOp)KFGp*xgS_W6Rj zRlGM&KhwD3=Ya(M&E>Xo`__pSwtKf_73EUmWykah!c02}u;$WM@c!LRx8=R1X|{d5 z4g{{7*UU?$Y?~<7ooP_X6UmDDyXyhK_bMqFfRv%+3)T59fjR)-0LzYz=RY}`my(jQ zn^~5ZI6LsZf819eo+T+EM~_)zIRGxXs?`UQjsT2E70*#L;Z%gKhZgTMaGq~c3vL9N zMsG0bBp7a&dBRKyO1s2FpXa~MTImus_zgw=k>-Fj4Mt4((^2W07S9LPF0Y+{C~e_S zjk1WA&z20ps2O_BL3TyY!E(oud*w)aS{|mKEc0w(5BTi885~ph{a$(ef|mjj_K5UrBBetXF!HWo53^Q$Xo0+H`O`Mjq?A8ZP4 zPBbW;5fKT#Izan{{Pa&0)uKh_78WKI{TQF+uw1b-?9_x+iT7eQz9Q-UAU6q$r!&&* zZ1rEFyQ45roXrpA`|OAnzI}g>Yp}bT*UMhxpk8 z{8@i&rLS7$tIC_5>-xp_7vZb#Z+L$cN#iHvk9XX_cCK>tM4|N4Sxr#0AA4;OEh^pf zcK*If%y0q}rW~Lo5Vqk~S6823px_y!hU!^x<#7APBlJD1c7yH)^asq)XD7B&-yHHe z7S$agPIf@2_d)peuV6gYmnGt_?yt7oBf{-Oxn~qWnmnIhMi!x1hplPpIirsGA55jp z-7s9zDAH2i9o5OzgWBjSo45VyfM&csmDvx;?^lW55qJy%vFZ`afb-Hn>sgM(wzO)T z59lS-k48u#PHJyKz=Wi%XmjFiDZOziQ|Et^d*DFj(Yh#}{ph z|NFiXs%4*+-kRH5)m)A9wS{N0yQPJ2`RfsVT{(`w*@iUJ*imcCPdhC0^T7>^K3;yJBl?dRmiH~#5CB6v^J@b)yY?5pi7cFkqyOlkxjWz6IoF=%~(pU6tl0dH(Oh5y#i^-{QbPws%fM_^h{*3fx@R7LCZe5;tumE~}R3SspzDS{sM zumJK+wkC4*P+G-}y3L2QKhl(qwB@*DFh&RfWDCAQH_Ih&&l0yMRnpw=u>NJa%A8mz z&!wv3;^Jk!4`2q^px#Y6@J8e>xX?wWTX{BI-~csryl@MSflhC%@aPO^k&VFQ?INCo zeH}(2-v>!)`E-Do(HS;62R^I&UhJt{x4Ff=@ehdDzUx-Yx0nHuG_jyU@#%i@<}v9LLOSM2_7^r4@v)Ji((VvWS) zM5VMdcDLB^6J-hQ7Ws!8;IO`Q$VFI4OPg$RTJnS)qG4K~i{}>uG}CaRq9tQ-ocexJ z#E^;-@~Y&=4Frc#c+QE1z&`IER`@mKzp*>)!%pQ2%QV|V`T4zJe0ebap%0COJX?hK zDT6bB9;83BTa=ous((!VJaHp1#co1y$0I<5RdnmHIHL5RYU>sYL|>kt%owXz-HQ{^ zJYFFDMjNyWjcz*r8TNU1TIW43*^>BbipwNS74eRc8ybC!AHMJHNF^b#5NqJqyA>An zDfl4XGXI4&?_-hN=`yzsxgmZuBa(M-RP_CGz)f;KH7h4psunIN_I@BHn|x@t_rARz zFZ6y{OuM-LIV2%OdSu`7<3%*Xa}ltlqkXX10qyrv);F}r6^d|on~0zE`4)fQvhRuX zqQjA)_xA6q^N#SN8R*1N6A@of*cCS5&ZG~tn&$(p=ikI`15$bd2Y#UJ82a=jWPVv% zX9Eb(e9JT5Znxgfefm8c`0M4eos@yWI>Tkr@Kw87)aQ|EBiFIvKp@&}Z+MuJ$&$JE z@gpFLj;xnl&wqi#`UXWPAYWHGLP|;t*Y6F+X;v70ced{h6>l~-GGqKsB%Vzx#^fp~zgodQU3QB9m{}P$@AXn*md>L&2RP3l@ z9xH%5UyGwkOm>Bhr{aB$__(foC+xBW7at?2sBSm@*Vn*acyuDHg4rIP;w5 zr`6#7pzG!_UwC8vR=l>YH`?N1sVJXe+`43=ZF<1;EH6~sY<}=SkGXRj{p~zm-Vlt0 z;$^@y)0#^o)F%lsI+ZTmcws+sk$`j04DU%2A=YQ-NZGD~D+a$?(cZ9-2nxRg(YyiR z@a>U8`;On+R}?~FEOe27BymS304G(bQ(}EJlXHd;O}<;Z5Kafs@=4C(;;zjovf&`| zI|%yq`|q8G$E(k;*D7q^u7?JmmS=n8k<)EL6d3+?jlhM3$?Qdr=J(S%c86Go4r|dd zuS8s_dU5maA9$LKJbvtWI&UNivKIvM*iN84nY5b8lBWe1mR0Tq`N# zbnK5l?vf?-Pr!Iv#HzM#_@%Drr|A2AK7C!S3;+Oo8tPTI*=nLYYfO-(xbvwkR>=cy zUF!S%3le%?LkHY4ux=L|Sy}0Fm@5(rOi~{jrQ1vU-Q@h|(DZdxC6JAkXc{3JMRI%o z?ddW5vWS%(Q?jW^m2UIB$#Pa9y+qy+WhS3L90WA8ru6mli9pt1A_|>pOB(Py8YLZU zM`hIm8nF~>hWGW6&*aVwnta@&qmT$7(aL!2va$6<*PqaL3Q_?oaK(Qi5+q?pYZ>rP z`psh|?hoNXlMqDg{)8g=-6v~fTXY6L*#$-FSJpW0eUB71)-is8YEM^jI z_0M`b=iQN(`y3K_y3v}*^4?&Du~KwpXnzK>(MY)RhKK#ti<5g|*#sT>1F`(AwQCWH zNV0hE6BB94d5IFMz12vj0A+bfUkC0sunj8|!~11~%JamHIY$&9vMmJFxDLJk;is>w z292QF?op@6UUFssRc;r_+8JH=M!kEChEyDG^a0L=3JKXaOS?5dSo@ zy&h*EZx(0uSgqIOd{%SI z?)Qz6)p#@dwNc?Ji8l)17|Em2wM-K{#IwB2Thys*rxFZL*oCrq&{3!ia|7%#kb^Q% zTcc2W1Sx<$}$`dst!7Zc;lP_jM$(Axwnt8}N zC>fDM7ujS!52Qo!8v=MUxJEl=vZb!>kF}<@JHC6Frp65}WtV=Nh+)VOvgiCWlN~Jj z3P!)#(Bv^~qLgZ`Ae0P?1@Y#;5#6BKj~aQhfQGC!oL(f+_Z%JlBYd7FOcab5L`1f) z?#glT^8?NH_BXCZ1G{4=i|7v0ML#}EqY?hhTG#)_x7_8}8>3bfZVpa%A2 zv-4uneKmmQ{EMPW&mvgK&4;h(Etb0F{OP$(!{E5#Y6c170B2hWh4>5h|3 zT~;V$k~wQdyM-@u*hF&LI|o8$_c{hcs=$X; z>2!X&Ua+N8hC!qGet327FD85euk^3M(5g=F%-ul?&a<1pBM?x3w#AFW#b!jjT=t^= z3aGKNYry!VR@at}K|^lh`?EZsd7;#YWb=t54&Qgbp{zH)Ft`bmh$QGLLiP}aB+9x8 zpOTSPt^H4{JXQGlk}|qauwMdLlWzo0c#%B%v~+#>B%4T2P?fH&csFN;30nbb(RlYP$Zb(-&h5 z9>3|>ZGZZ%n8o*5!67#&r5(e$u)Z%uYKat=Ffyc_01y%$*(sI%3d8XOM59RXm8f^y zQ8*DY7qV)Sy)_PcfY~;yVV7Mw(2M*tBVze zP8i;P#o7IGE$Lxj!{8{IsgTR?uEe za;%&maS?W$TxeqSkdHfPsaqJX7npH29SrM!qsh8cP=C+G?y8E9{UV|AT;FdI_Mi3gmGl8 zp7cPYw`f{Yd2{S+yqqb)$a6u@g3eNX-FTj}=zUqflRsmp%lUhU9cEt0rl`o#61GOP zD>Z)Tq96BcYKCgmA$*#}j{q$xL>|ZOsAvl<1OybRggSVhnl}`-*E2`HfKn)UG%`$} z8f9A@>b#~(Vp}&5#rNSt8iFI6QI?n17a|5E~z~b7k#Y8T5)fx2T2}L8yN7^4DXn{;w$Hf zFg-Jnd|k#}>#;??xj_yoA*Ns@D+I;Xf!3Fqu5XCRckeZBbcN4rY=fKhZV&hh0yIE~d!;0F29Pr22Ij81 zoY6P}K*(RWxP*=3ZPmYvZdUr4g6F8vGeRsZ#y(HBz#{uG6?3;Ei;}~G!JSo=C^dgq zWRS!l1_iU~x)rGPx}}`HE-b&V4x>?dk3 zgQt|$_25R+)6-&@EaesW%DY_D*{W|SHY6pP;z;6}+RRf_*{T1x&!?deI;3FX@`MsDGihG2fL>(*^2c;f5Jg%IhRvJ^K3h1h%0 zkxvA@IJjbfTkojFKF7y8JknwX?b*IVNq1agIoeG#oXgI>d5il7fGWBP#9>e zqW*=YtU)-}KEFn()xPBvn=$^OigAN6moa+5&;cg&_k^l5iYvAFsD-7JCh06}B>mfA zW^)24H?q9s#xIdBe4RkXzCO4A(9D+~Qx)_Dhnq0EJL|l-yYhV|MIz{op<2+OYvY)^ zwXEs9sb##iMq719O-L^zZlR)ay=||tz@yb3Wzk5L2*4*eLmE{+QH?(aNpa64T!6!J zxZav@)F#TmSjta9SgjGqY4(B;Z2>nws4xPHxd3Ibol81V6I9VWn+d0n9zpmGLK#cx z3YurMBo_)JPBUX|rvEb#Bs?%oFV?7YkwnoW(?Osk?)~=(Ed$^T(tp;38C`1wH@O4?IuWm~6IjGpq|MXc>u3 z!#Vk%wW4W(tUhX-N5`V?2cqv?tbr1aZd;fOHuyBQQz7#R)D)kLK@1LTN$})8s=W)h$D&<6m?fUD8r=$P z6!S{j`r6q4q17PnDO^J(88e%(ql|Lr|G6Ld76#C$_NN? zV7^8%T(m9kVO-&ThzVm+N$t6;+eJpYMB#Kyn*m~xh)R|1Gz-O2mP&!t%*cZS=dl*V z4W+!fK@1Yy($UGVDPioXpTJWIZgPN{y!iimyC9HCg4M!TmC>f37YE!!aANc+^c=IXlCvEFm(22F|9c5Sdh z3WBSgx8S^cy8SUQNs-CP$$iHxAYMRBLQ)t}QBmIr*AwFB0r6i5$TuzF>=(hj>WeQF zw6szrm)j5Q)OiRt;p+Km)0p7QwLQsHUrC*qL~~coDnj zw!}+T?6!ZC^Q!&gU)v?J-IWc8!K=NFhlDr?+ubd#Sj613^`|gWFw^kad#CG*+wS4| zOPL<2pg6Kn_6`FBhgKiXN5@XD+Z@P^r!?Li&MvSm;V0m#)|p5kVoKC|U32;EVzUDQ z4Xrht=qkGZF#DL2QiN>4RLyI*fsNAhM9lkdS5)A4tRJ&EVM|Z4z7h01d^j3qDv~aK z+VM{ z{Z&!)ye=t_lqZa&B6|DPYwx++f{~AtNP+AXYe7T(oH89TI-+0rQ8c7iPY+@|czSv= zeJwZK6M2FQJzzp-lW6w*3dz;SPE^|X#(e5?ipdqihFBvd z0D}!r7hQ>qeRX_~f3I2RPWNKN^Pk}^jD+9^-g(fiPyc#*-Bie6Vq;tQ8WAsA*UAFw z(sAYg8va9rhIwN@PSbPQV&g;72+4SQ`AosfZx~jBN`UACvlE5BlYTbea6LxK2@3;% zNWr-2VR4zB8)^R12CVP?l+J~6UV>ZZ#dLH9 zy{&ktsI7eDCMI{&GXn+UF!M|-|6DczqGctP-+q?U3A5mmO~;nk;1d^M;t>4`DV~&2 z8iXI0i;Re>zgOz6_p$bMadE+5Q^pB8Rlu>PDzdYF1#Dm?C1a9cF*{<7NQXvw3{f{Z zngFDv#<-(?_KV$N?yFe*xCe()d`u1^Q<^54y}*y1%VN?A+J}cbiE5}X+WBYY#$GuY z^=wW+%|6DC9XMFbPv<1;R>Zw|D` zYHto`f4r{Si}NMJILBjc=wS}c52Wz9A5XDANluJ`5+(02a^}F~;nlu#?dJOeEV4hs zbdHoG;Im3NdC6(z(ct%go@+&y7IpT6gbx>YkHxipYv#W#KP~(Q!wA z*f#MQpUy8VFz1I=RMm(}M#BTmurUsgH$0|7WQHUB^JrLHsqdxet}dcTGemB+i|K|V zFdR2~zM(xh8pWH_-CAUY9BLk-5d0hf#ztPJj7S?Aq6EQcW||3NnJa~-fvC-fMWQ8s z{7B=Ifr~Z=H!d^ze75f49QNi{{rmXI{`iNTA~R6J?(NUs5z~4;Rrof-=}SxqB=y}j z?=;L*R&)*DoRF6nmym$LfRqxsJt!j>-7=Qf3*{_MrrYX= z%jrsI{wD#D!^SM(ri+kPw-F^s?gb0esD8a8`ocvuBz}L#Wis6Vu6IJG{8NqErQUu+ zc}dd{wDPrT4>v2y(f@6d&)z3+1W=~wO*qC&q;zBf|ExEuk$4L263 zyWyUm2wUS4judcyV>ms%hkj6@V+m3|NduJOl;CnFxL-?CQrxi z+e>^krw3*{<_>Jn&0Yd$;LaD7JQ`RUV)E`6yf{+9u*|lp!K7h@gtVj(!~>av+Dd|d zpF;^aeX#Pp>=-!JlM|BW(al}BoWXa>-F@30{n&4Cu^=PQ&Dj0qm!StuV<&%SrB-D|ozb)DG8 zBz2*Oek$fHLEHvwe>F92h>p8`SpO-KnW^iw;pa?+GBP$_G#q&p3=lnp?7!Ayoe0>N94ju5w$5Q|s3FgvGH!e8TllbKDcsc=%$Ob7M_*#j>~?#?%43{e&jImk1Y zkUcjW2wm3`JrSi2CC>u!S3Wq4za^s|v<`@NMeV9Wp5X z{eY5NCvSAzwZzJrYpA>a>Y|Lp6(nnFMPoh@lS#numT9M?_TW-*-*wi!&>7l)IO)n)y~Jg3B5okqGc3g!%1y8N2Mo5>xC#o^U?bH zgk%_6;-y3>{)C_;{zP#x4b7J?6Y1<4e0sn;2equljIS(<90g8Zj#EN5N2i^b2?=lJhi|~I(1!W?9y4WI%7f*778Z*&)*=kNznSN z4yB4+xUz*5VQaNXv}d}1#L5-Ul(7qMP_P7t=_yMFhc``Y?F+19&poRL8HF?6#=})G z0_xR}ZC!7aiilApXhDCf+nel1{N(VAJJZz!v18FX7XdOp3n0H8)-<)a$n#R2KKemWb8}e^zhmjDueXlXWIG9lt)75R5wO-eBr%2oH z29X)hn<0n`u91q0!=#VGA;n_| zeoq&IPv3rz@;Tpde^Krs^knNmO`kc6wD%^pU2z0NJ2hOkzlhMtJnt2G8jmKvMrUx@ z#?kx2lIi(~K9@=#1bc4x-^^+kDK=Y!snN}fF=}upw}mN`2;df?>phvgdZ zn6LJl6Y$$XNuw#kplzO&##qn~mo}})Qq%Fqtm}DWb?CiSczRxp|Mt7(Py8gIM z>=+q6F3a3u!I-&Bz#*h#*ey{^kkS)1? zToL@k?pELjvg!MDyY~czsjya2W2b%&H;{7=q^+f;aF$w*@%D0U$<*Mth~{_qN8ayw z@6!|S3-D>*n?%?j?FEfwkUXQ zzl<^(2&^WNl1fhybR&R6IiZIAkgVQmM1_Ai$9QQc7!2L;_Zx+Kz5RIq)${UTe!f19 z5T!JlpjH%OwMs=nqf3IXW#s@1N#!~3N7OqR2q$a_qH5vC7c~}R$b`BZ>1o9)IyW$4 zubg*icuN30fme5!^Ss&4Uqn^zRQM}HKg(^X7?Yl-+swn?7}{zuKM%*?`wi!Ly-lyq z6JZ3kKk3F~uoLD03EAzFa+TlP_%#cdz(;dRUjwX2PTJ4^9sV){P+!c2TRB7axW z4SA{eeZlL#Uh&QNTF90ZN~y;9TqdoX3~<$;mY-l$HQ1qFrw#t=1+48(D- zvghI2R1Ii48VM0J`4NDc2oi{Xum)J^){kuvi=b*f-Ohes)6M3z9OGm$)xL9uWWOJf z`;kV1K-RcG4MTNkHWd|`Vp`@Rj*%@BVCwed;mhhVIvYmW&v=L>~SRxx8r`D^jF)*2&<=8J9mzxd6+ zJNb3)yE-R%4{9LD_V78;f|{%FFU(`>LEYUwyWn#sWlaOqnrWpg-0LN6PIwyymBLP| z{Fp_^PHRN+aWjsNyhHL%hu~DcO4Zmfc9%U65QSY++WWS*&wx`>@k&Aziooz16f}o} z!OW_k9-qB3BK;H*^#%hYHaIsx2Hg4U%u*wALs4@7gQG5iS`mj5wy_*(e@gmiJHfx` z=+ysX=_&)F`kwYrq>=9K?h+&gmd>TSTM&>&LSkX*?(RlPNc$Q8 z^IkaL{y)rB?4MuZIPrP$p`|_rVeJeP7|Vg+;eu(`Nr~9u^>v4h(REK385i382>tI8 zO|}kW=S&BxJ-1q&{3z4y%5P>l10o4m4Fg@KKlTSaorLY=&Ki&jTcX^fDgJ)jsj#(o zf_E=th@}5#f*7U5v8z$}D)@&u7xH$@QFl7;Hn&fo+(_D6^zR-YrMe-JJgX4{d!Jka z7h*ht_<|lknI~!>leDkZP{-37Ij^`}hUnGmX8YNfuCGA%4`B#9+crhP3VEG(F+G35 z$|t0|@H6|r{Zw2$IFN7EWjKSTq_bL|$lBI_%FIMm4v6-=9)_az9S2-EhRDinC@LQJ z9%UQEF>=HSkhm$eRrno_qXrHgDEWP*ua4$lXtohQx|!0!Uh%>ptmv2E>^lj*7Vq}M z6pb?a?U7g3rblK%aid1oqGi5arC$f<)N#(ybf6zL9esH0^^aUMYV@QO7Ey_HJq~a4?#=W?W-u2&_K>?j73GI@1AycDJ zYX{v{#Q4B`q7`v8lwZtgeBLy7jIvPNMigOz;~iX+ZM8`<|u38|2v;u5gi&p5`5TBVH?lnnSIG{WL z!NIK3ZI#GsR3_qez#2e53hR6wYId@ok9=`W_-*?7!vofi>~IL?LqEdLLDdC|9-fNI zuhK<=r#Kdcf0UUJjMg(MhE7&1pL2$6L()ML?b zlmVw3{oxwLKZ&{EJ9wu4He}KvTVltMh+<6l`xn z!=k#38W~JnSd7i(e8XgxeHlu*LWgr7+PNn6TV`DO{vHW=)7Bjy&TY}F|ZL!$D)dTwll;0oESklomS{xL~-`GB)*md0B z%9`DzEt-GF<@VTnV|lTMetgy09`aEgF~ZL&@(k}1DWVB+^GAy3q+%B4bbnng5oN4f zosplb>{fKM0E(zxci0C^i?JRj-LPngC=WpmL4hKo1KOo8UTc{m5TV5a1O27J+tb4x5L$=yX`0kw)*Y+H7&o>20 z?Pq@`TQ;iV~6EW!*75Ti&_>c>u$v_X4s@;NajJ!KuwP3lo>oy)k(zf zKvf{sQD@(QwYtuvl)?3ic-Kx&UI|oYgMW3f8g==ZV}ZmnZ0U%UILy0wq;K2l5jXRS zoRGtroh7rK%YRw$&B$(KwS~1(n&WTC;>4ldq3>g={|F3_0%)HDQ!l;~117Ap( z!OB|eH!eZNhmAWB)t#5+FSnZOe@@z|mVN)1K6 z>PB%Ps~}Z;wYiYR?TDDdrWeBJva!_cPO9x&4@an2Im!5e3h`oGrfEUPjn{cN6x}?x zJ+?wfHHut-VrvjJUs16a(opJha${E%=_hEugGGH1Y)N^z+V)B-IXO+p5mhFZJb0rw zjE0$;075us7J(HBiTp@7D96I_5AFK-{4Ws?9bxmDyFfk9ecsL=aFzZo^AMysWtx>3 z36rwB`+-LD?Onn1di+jma`-{k6Ex<{V8wWf#dfC!a95-|oc6Pto)J*LsjvI6Pe3N@ z1BYOP>T(@?-CKA-XYBRYJxObBeGU@I?QLn|y`_X6wo_zzDfL+FD(L?QnWPV)xwwYx zRSz!FJD+;r9`g{vuRX!9PnrqWe)RW9-az_HduB4@6H;OV{id-Q+M8mA;wQ|E@LvKcN!BF!#4*5bwu@9nw1U7VEY*aZEMsAKE zmpuA;Rc%n`x%P@0C)6XH)hIU#-jGQ!kY&SPE`*f-(=y0q3R4;^A=dO!KepF9b;Y|! zb>^M<0qD(fY6v=M)8@~*Y1=B+#8?Vx5dCI~ffIqYO=4AZV+l(CHX3N<5(-u68%dwW z{<94^GkB#sboK1n~3TK}z& zSzTVQF5Qc5agKD=?K$hnr?GZkS7E!8i+D)tMg$V^euP8Zwj8S4bKe&zs4WAD5%B3D zf7FztYI0l&$^L%*i)W`T`<*El1M;iyOz_t?8-9{_70%`D+AZVUC$@Hyb|~nWUbJj{ z3Nf!zv{TR`2PvmZRgs7%Dz&R+>{>^I^Qa@1HwrKZq9k`AaMU-s8(Fn8Q0iV8lnu&| zo`%x6R1+$WMhFu}Q*t)18$3h!Tg@aR9P?(>?J*OOt>&8&mF$R_8z!=)?~1w)zyBs8 zw$cumF7Lz_#46Ug?^~0-^TE-37t94lmbTF1ep_u4{d#b`Ky~d2b}tFILHI5HP8Qj< zGF2d9lLky5vpdC-$tr3-0{@0QE1H)vcKxDNGE4L`MR9R56fft!yL5PMyFq+bMhMU3 z9O|b*prQ79J0MoH(zy4z<4&xCRKHK!m5C-;w9aqapSq3wcq(kL?^Vz5{JM35QFih) zVL05uSZS?W`YPiN#9JHG18#~mp)KoM=;|2z2kDj6Ke#;jd&_mWq^VJDdpw%jTJjsv za79UFt#T{{oKLDzIfB?*G8lt;bxz`s4)hUC}` zwy8nyHsdA|_P`++$@&s;E_*Uc`8-L{djX%2;Imb8e>4!XZ0URa{3vim*7|Tmx|LRg z1-_dl^9x?RNc=VAFbm$V!1?F172enAuqI&G{^hzr2y8D9)dy?<@pSDxG22s9Oj$Pno)VW@hm<9S{er-Ru z`!4%EjT4a<{lFP0*bMPl)lmMWC#-efC&=PF@;d+G5)ebS8ry*sn}194oDtUQA&3Wt z;HY}+1ILj|(-NR$G*wrA<~9Y;V{q@EQP$A95P!DyUFPEuV|F7qqVM=-8~K}Ad;y5F zIy#e?-)?@g`hO8{kql_=|>p;Gb-|CBf6^Fg3E6YuTMt5 zJ$Cxlg(9C%_}loTRZ?E34s>GTjz4$FSUB-t0;Obrg*~s}xODs2?!G1x_aO3B@~5BE zsKrsY@Iq453@_nGGosIVE5fyxBFpvhK=VWNKgm+W5$f|ToQOlsU2okkYBoKptt{K7t1X(rV3yUQ!DGw#%n z%=6Tps{FpWWwB0M#qU$@=pacJ6dd%2w>qS>d*sIaX9kzF#0_io}|40nT_1KXOj z`||WsR_3d*oV*H1&KYZnb*SHCY18-dVY1moysy9io2ag09|K*X=U2B||H*%CpJw=* zXt;nQyu-+yGC97tGx=jr923woB1BO!ujAt>~^^7E|dXCQ)qb`VjuKuKPckbqkk1cLq<)pv$uD^%$ar?w(GjR zz5msiKjW$AXG!$8RHrmvi-3M(IR&w>xmpnCiNa*nP8I9y?Fj$YCvi4}25w~s-CWwh-f4}eQ?GSbL#0fHdn9R@I_)tjb&(tzLpr=Xw>Fys9N76jC!XIT- zc}b90S{WzYlYf(AzNh2VcR7nf+DStbR+GH=8DUaI$^gW0?v0<~ovKemY{xe!S;C(O zuE_Fg)e_a!A@56RMCg$DwUWme5F$-ScnimiodUy86%(b|i%uvq)`Msi--Zm2ny+WwNcM zD`Fl@Z;;b-kh%E|M*7JP`nzh}Td=&-`XjFtQW`5j;k)zkV66j<^zGsML|YBdKlTB2 zpz*$GEF8PMLKC)c;blI#OjZES)24iv?%vdOIBMv4CuQ%HRA7n^ki(JlmMGzoc1lq2 zxuz~h@8ZhRGFKCp#E`~HeQ&0+SvI^y{W?Bhh1)6`@_`>amMuN-+kTVj`hvID&g!ik z9-!Dg@LBi;n(E$q$UFV0?`Q|sbLb=g#G(zvq<@inW*`&vK@Hse(s})asqoH-12;7O+ zgo*}z;k9^xMd5WKQAAH~dcEogRUPjO`kYELGmc9*p4%(x z$=-JuxsAH<6OXW1ziy3Fe3_gg^9w{VWI;6>y1FUJZ{Fw3ru8mF=BFYaT5X*&(lkpwiJrWgZJkum!Iz{07ITM++*U!O9bYS%2Qy|XYdszblrlvLO*%iYoT=cO|JoFeBeo&E z={)behfodl>KL{LoE$QOU7nc4j8BQx?=XG@_}vqy%Sim5T3U+o`|M%bUs{PplKkb^ zcT4`(BR_MSy~po*H86UA-gIS&UogWH75lW@YqOj&4re!7Rs8WyX7eG)v68c7+#twc zd#tAdpVI7iO>i35wZ{lH<8<6I^-Y5FWmA(kDERS#|m9*2vJA--feK6}H51139g zsl2wxAHQD`w5|%<#9;;1ot!%W$3V-G<+!ru-vqIn4woTMJ;jd+z>P{Xh)RYCzQsUP zf_INO4wwHw5#Vky)tbGy&6UG#I?fWIO$Zk=(0BIkxJg>qd0&ZasTnP|+7N;qe;qHI zN<%M-Py86RHK*4QSYdu34*o(t{VxL71>+3!cyQ016q`6R3W7#R#ZLc9x#vv8bFam> ze6V;(W?3izBlJR5%G}3^O}Cz?E}r_#rZ^D0uI2IRb9@F_u<K{jD3ApJ3VlYs>l@9BnHq0*;(mu@3V(c{0pPc4J+)-wqe! zO8qDOIM{Aah>vexEJ?m;dF@s1><6(}W?lnQdmg%0l}LdgvT%!gMk(i)sm5Uolr<{Yoh zCxg5N+XG?+Da2)6P&%IT9&ZGHWoG^SW{=t9#4l>6p1 zK-3^eufZwE#H+Do({lam^R>uk0+P9;2U85$JDRWW=?PUVrm8aY0{-R|x1yBBkPWs* zrea|eGlcZw)|LDH*+2N0DU9xYKet)!xjHz}KNifV~L7I;&}<-65-Y&!j~TKAg= zl1J8A_loCOaF>oK2VOGt>NP}*9jZ8rb7W3EX2g`zg;vAT_QmM?6`D>1!8Y13HU)W@ z0yW784-@}WBzN!C(?m(Nx8~bpD+MttXR~(AO2hqovBm^*SBSpAv7Xn{AwQJFgLSij zBS4>)^H@;KumK<2FO*t{hRm+R)%om(`9R#C!nM@WY<~MWiBsWe=h5@@>8<`2#B!jr8oC)ORysd-#AV@ymV`2p5t=vq_A@Rt*a)OJE#w0Z-$R9NWj=q}p$U4ZbK1r*#2ZXj(NMGe4){i)cEr*g4z45FQq35HG{X$(iRLcZBON` z`fsO>1`=||yo(B7FkZB(ah9k#!Rx}cHOJD<$&#>7>&C|L~fJ|^L4c=2XSodsV z-g*0BQ4Sg@boemh()SB5Xi?)WX9&ep^PC<$MO_POV;&c9o<27dY}%0Pc( zxzQbVcs9KK)c^!m$ZWG7S;+JG;Iq{8F3e?w+xXjJyFIH`rK_Wt6$cTs*lL?QyIz4;-PG-(;&m1%qYZ!aV^Fm#pCY2o9(E&pI~ghH*Xul(@O^`^ z>HZN@XGrK{jyrGXUGgB8^&iul&p!DjjfPM|+V5bv>D?W zN)IXWY3H}x&^)x0Zcy$7D+2WkL)~xi?%%(be#Lt)ZRbMmf78{~6WUQ)yK^Lal5CSB zqo5unIybOv@Uc5Jbv4#37!evNgT_)h^k*K|R<~Tm(7BS8gHoruNBPYK-Wg}j&@AD2 zVg1S3XZ_3&CK&_-^L~TpA5PCFjC9tPn+9u793`l+J&Mz*|Msa}#{qpTl|Qe&?N$0|{#muM)(o?Uen>L|x?%M}4z$LPuE5$* zj21y=w!`=a0fDyfiCM2gKu}OgpNaW(=&!`B!+GOwn@a6M`94V4k{DU@?ldNLHa~@l z_k~%N_u$oT96_vkBRo9y@lT2N=cCVF*N>_vJ!{6P!Iu%H8``U%2D1gfeHLCdxxz-} z&>D)(;75M7;FgEi;aW;7`VPaz1qB)r-kZL4k4;G&B5V_rxR#(A9xIb3_)GgxFtlLG z{$Qbz;21cjnyc|5?ca`tN=?5Op7V`LUGqi5e$8NdR3L2GVKDC(nrh;MJ-NH6>w8Sg zqa=~i^;MM>(Xx;F?FiCEeQq|w>QC|j)=dkV_;^v|2F5E{%Uk251(VGx!Q22c*$}NJ zugPpV3_Bcxd7&f}Ghub?@TaZg_n&;`f?vjF(~`Tp>(lb_oJJG?2>~*}lu- z*zdQ<@pz0LdCt3!N;#NpoL~DE_XsYC-y%xg6;lhneI@0J)YEL7S|$1X^^O_c)?F#X!Zh< z8MXOmUk5)4M^vo8yM){UlQx(1HvOl!G;fcF2g|}6;&bMnaF=iyW29S5c(to_L)nEf z)GPnoOYg2qS=u{oNdJxKL>??-cEwJa!u)_apI23d;o{d2FYJrFNz=>ie4+f4h>zq$ z?Cdb1H044Eao5x1`KCTjZ24B`FP$ak9a@)2Yn7fH^52llXE7EQ#lQFZyB(Dhn`DJg z7YP;n;c*kDW?3N-PfM|i?qX?N9!2f)LJl)@7xMe89RF6`4)Nqia7(W~78vXhFd9tFm^@D6~`#%=YPd z=Fis(5={%M#(oWPqF!-WUDIB>e|21L+}$y!$YkW@+{-Nj6GH}02v>uV@ z@?YG^B?#^*{9X5?Mh!HdusSWjp%4LO{V?kZ5=LKJ*Yv%ula1r0BE8h2*ZuzRI!km7 zI!N&uYfI)Is^V9iT>nmO=-|iCk+$1>XxHL!&7+yr(mwO6!GdunF)oP==5i_~Z%D=9 z;-5x!Pls~r?m_pN$d^5%m*>%aBkx>morZbZuWvmxwPy1gCoy|vqPlAX^@!en;-h)U zsD1brV7gUPxG9MnRVRgLs@A1cWQp;<5-W5xmlMe8G=7fA^|!j()LEF^>m<$2&lWV! z;dX#>V@P@51c$}QsJqdLJ?}VH8FnGq`F&cSRSzRKf1bFpbn)iD3-8S4`-nHCuEFiU zOcWA&vss8K-UBJHx4as~4odv;sv{xfuWnfKep6oCB4r&nctIj}N>JlVT9Pp`%Eh2R zxTIN-p(8}vy*!_omv9-t>+5XM)P@{9Jz}$k)GD-`bDx&)%rc@8|6=axaqPQtGypsA z(M_6FUabJ^6`sye(;p}4H#nx5v7>a z?=X9mc}og+d?}2*w~Q>&Nn+>~Q>aQ!Qm`%<99G*gkYaN{g^%H1O4@vG`E~ESjIDF| z{#ci8{Cs-6ahS&V6GH(>M8bqdj&tzweWOt%>*|;F+;ZL6ydNks|M!RcEW7#Q;{r1E zT(18a_tk{6K4I4Rd~oHhnvtZWN%O2>@o)`qM)0SnD&)1WKgNC`A3DjMI!+n19T#YqAMN97^g7x7rz`LU?VnZD zl(q1i9F~H#bKh?)Aq^kjlL`4EYb{v_Me`>Mb~-V((^`alHwcMc3sBT8Vs(~C0#k#W zkGl(}3eIe6dIKN7|4kL~JY1$<+mN%G(qY*}lnmU7?HyF5<`YrJW9hRPG(LFeg@aDv z4^>ov*l37~`R!ZzUM&jUAXCe!$S1@a`aP@~=r$cl8CWdYO6z%ZkLmCs3;ZU%_jDXE zn;g)v;iOT@lKU%-;B`DYUuQoIbcJ5UEm&SE4u1anjK+w@fim5MViQZ*_v>N$jJvEt zk+Ak4ySdh9Ut(jgx!@$JwgB?q?G4iUdX4f~^!@$SfrOPb38YLhZo%Xv5y8S8J$?&-?u;v`s?vsJH zxRs?07a@i0%u-E^lakI?ci&U`h4y+wTD&%BFphpl0yuvKot+W~v1o#I0fb|OS@F4c z@4SyhhWcM+r3NVY7i<+cdseaxyKMA$J1o~rb>@rySi}4d!N1x-qNF+2?DYNRm2WH1 zT8sa;c%kDn=GD<6bC)M5_9wZB7uGjPZYfDP=@sFVyZx_QBa3LZWnX*c>yB0N@lhlk z6Jk*g#oh2^&&L`?hvsIMQP<++K>Y(72ftq5tgi?-(>z!CarF$GYLtTY!K_u zmi%N7^WTQXkOb$hG-HY1%~GDUo(!b1ZrQIgDkR=f;1kCb_mJkl>&VN=AvXbVTBB%} z5WSK%NwoB2wR)C`K=dVMPn-SFYo~rz&Q9N6WF~C3_KaPD(E-=BJB*yCv)(f1jxU79 zKG6s>D&BhUFtSA0*@k0;tJ^AY!a`)#oVsoY-Pp4y`5PL^m%Tp)Ad}$EuG|7Ae2Shq zkc)vp4lk|Z)RSAAT=V(-#H$I?;JrP4JQTwA+MR+2-+@f0j^JrXYFF^=biN4{`8#h^ z#<47^?8hvPnb|qy)UN*+$4ru>P)3qn_$>-#JaY`aG7=d`20`q{W0_|7W4_#)hHYQ? zS;hNT3ri2E1u#ZOl?B~QIgLMGuIWB4W;7k6alaiJ9^Kq0VK~99Z?wxprYI9%Wz&CuTjdQ)Lmiy5a5D;tiLbRk>BVtzm*UHm=mD#JGtU7ay?*aqTd% zy?kgpbSSZNAZca8c0dR@M60hs0fq^6(ULo{br;L6Bo3U1ztzt3MoTgEvZkvDN&qfcP#vt);Zp-0Avf`yWO<>bx|=LfTJDKP*uHmTf@qEB+d`@|x&0Tm5AD{Z&H_Xo4<@rf97m5$_jvy~{Cjf0> z?Y*HnD#hnN5?-_T=Cj-T0Nw$O$gVojsu??|^qTX&+oLL^o|R3lKBr5mh8Z z#N)C=N%H+Ky}TFoy`WtgL!as-I$O3ni*-*Yk-Xd&Q5|%#Sc|9VvOZk-2TKgf@-jX=lC|6Xb3xC_ZnUbc}6xwX{%m)=k-kiI; z=GtRJ1PcE;Au|3nYc%!rIWlSt7Ydi8$(F2_Rm!uBDX<>1B|IMUkNd`Z9RwH>j zb)WJ|x7^3v0(YB8wEb>g*=K(FFM!f61_>UCsxW}lLA0!cR>J|U19kL!lVlN^w1NW8 z7@7E&wZ}UFK~DzEuG_<7=W=Rf6Yr}`ue}Z7^}!UT-U}wT(P@aLiFRWHh&eDP{hyD7 z5q(jr%2B^lz%8%CIA?$G+7ok-FR9v+VbB*Wao>w81Fz#p%+q1dUz3W1$&hfjf-C6(=kjSP2ADYi^v6O&*qBGUQzaQE6~!|l)UhK^U;lwEgDeGJ80 zi`$*irMW(EegHuDYRBi3v>iq!tQyfm~McLgU`v< zu`2l4lF|6~-sBIOA10+B)KwZE&|{E=5k3$fL<7j1`33C&>iFT{X?uejJJ5{(1Hdq- z^&UkvWNTQFX6^9O?o4dh*+j_V6pVi0wE;SM6`iX4frcsRn|HubGbVeEKQuC2CeV2c zlj2>(=8!^PA0v(EI}{|3n=x6>|l^F*gfM-h+lA)XnDosGsdev**#k z5Eh8Gi%-Uf==3i*qssFt?@=1A1xOH*OkY{0}$=Fp*xwi>n^`$<{Xk1nl76li_+S}Db|9a^CbVmFckX`R^Un?7&z+DQg8_A2l~4`!}<~!3Rm?|>;R92yF)y} z!vnO?zpfz)i{YEN7)Z#N5$e`v0vhB|j0DMdb9bZZlO=NZdjKT;EtNF8%yj3yyE0o` zu&6q_Mz_66Efn~6V<|AnAw<1;pJo`=X}=>=#HzchOA}S_3jpAc65f>C&q4u)CV+!@ zb_kd@Dp+^{+w56&p)xN60bU;@od|TDmq26`wMw(0EDf`I3@{fupzu7>qrBp+V4IRw ztpQL0rwxPUk=MTPZ!~?OX+}5;j95}j+dqW`$Z?C`$Y8r`0-iET*sR#odI=b-pk=M~ zrPE;qfDG6gBjO)d(p4S=p)~Zp;Ehg+Td4{4PG##%)a%=r!QcW+8S>gV_R{nV21eL& z0D7>>xM+qJ@-WTTPe~L~=(n8<4Jg1Uk8i|2gprotG<+5OM0B}@Iw2qq=w#o_O*I)q-{F0QidJ+5z zxCS`b%frV=qEe39>!=9Sfc?UaHI5OjNdVT10{}AsFl7PR_<82m&+^S}8@~n*7y&S? z!DU}i4%P1tf|1$$ujBVkh%g@5W9y}Ne_A4p#=cQRPZRjdE)GLzN-UKP%x~kF1GL)% zMKl?Szp#l2K72a+W(~sQfWH~Q-->HgE#@r|zz0`K>cOTNFvnpe{9|5em=f2(=4bGb zE{8Sd)5b(eO^NZh(iJGMG1m?K*GTd2Sfbkb}Nk_YPrJz|kBy26X3JYy27&%NCqK2Su2&J!cG_fK98Un}yHOwx> ztvFghI0(|zG1Y?hw2T3)j1ioAZ;@6`uMqCmuazE^4y**gd}Vgu8$8J zs-Pk`C1jCR3}xX>0iw22vl+4CFzXCJoS5U)_4x&cVW<=}X?8iu?)LWK^j#lL5KyS2|Ammu?mXK%BNsRagK1`8x_n7*BJQ2QVb58U?S&TVztt~6)xe(JhM72Y)<<4mj_jCl7G0SB%TG)&*cD_T z^O6JPGkQO2+;bpj3e#m)?IoGJQih(rzZZ@)_6%u08v{`=vPRW-H#%Haw|X44E7&sR z;90*I(wMX-o?n|E{le5_2^e2U@rswck%x{vf{A^9zeY@;A23QrRMET#myl%sB^3}ew(NrnQt zEST-)BImX*R6$Zq!eKp~fh50(EG;lj20ke#SiPqlJ~PbLbMKjELRnaoCLoDws1C(2CwCN*-d*;gNF|eH4^AFo zqU~s4x?T&GWv<{Cn(npPMA0%CmuB19MQN4=E#LrlXN7BzqMDVOKFfR4G2haP1Z^6P zTf-72aZ=vPL!_Sn0)_e5lgsMAzZu&_ToxV0&(|BYa~@=UHv%LsmL!h+2Zm175Hn z>MnC?n^(S@UtVVGwcU%G6FbgpA990XhVL?MXv!3;WJ33bDy7o()Buq#XF}K1)h`GE z%U$-p$gC)WtSZAd4dn*etc!3Mdz__zSBbb6u!q9Wuu<#f!JvXJ+-62SXdNr$;p`hh zT8OeRl1^v4Se2<0Ctyg=3@y1Oy=dNhp|Us1h1x>+U>wy#$cvwd`!{J>5^ik`43Ho%aEQg>aON1ho(p zV7N9usMaz?V7K4lOw#HM$#VFnZ_{A!=h(R`aT`aq@I~@mMaEarE^7#S(a*L{W(oQg z4JLBFUcf5%EW%ht&P@WfMl1xYxo1T%e<@%< z*i>;eGe$%{h0zRghyeC;^jm3olzgH45<`J@&@ag$z`zfrE3PpVSa0RD?bW9NQh`f- zsBzRz?3i!gp2!18XL?fFi&LG>o{R?Z4r{cYTQ_P*)2CEm8R-IhTgEQz+zq8OW2g{v z1mK5ef0Pr$!lf40wxh}VBlpCscV|7qx&_v#4psv&<;2U13C96eE?L3T0Q)(Ox_Y_a zl1zc0wzVXAD`Ch*+0I(OnX=QV7h$G=B|f>|&T0&%O}q+(ziMZq6$_N{nFGP`b}MOt zFE(kPhMm;CUKzw36r!nD!~%Gv62^izav6yn`rey|lJb1+!_&6eQ$Sd*r21ZfiG0I3 zE)jK7diI5n%jo=w6)DwGa$yx^1_f=vihw01u{v3SGTP4DOaadii>~0b^|uq~?Nj7X zSiheEPrxT#SM!a>v#K^~$gn0R!vL2&`{PrUgY0LdE$%S(%2;dEUzDz2VSA)X6-UFu zCyarCnL{~7Ne`wXeLI2ELU#F5ib*ul#3)UG-!^j)Yy>6usMGM5yT3ePt0&Z(Pp^>H zdc+d7;sc|zPRNYHv(ViU9E+N=B_yNu1|}R|j@((R+MP-TQkY($F#s-u*y=qAwWFJl zML5n51FKcRn}dNDORb-wK$wgn^bO?Bglna?;ZO`S08}d)iNr7xjpDE(0PY#MAFaYJ zFXG;itR|3(OaO#~%j8qSg~KYkyC%R5<$Tmhv_>8q7}pVOt^>(db=Bi^D?)q_VKcK_ zJb&8q@e*mJO)Bu?gLxy9Och~hQtxfv40u$?(UhYVgI!?XBtPpEw%}?~l;8WHX`xB^|fIb zVq0TOqsJRG-sL^En&#@M?I~AI$r=@dvV1ca$ z>Suoeg79O~$ZLh=8xI?MvbvR<<|{xqzDs1tCgLa;B9hDl35!(|%tme0gK7{(e7y*}F_( zI+Dtr?8d-FN<|qkcy{yG5n!T35mq)e3ChyfJ%$=BUnD39N2&NTkULvcM6~T?SeXM{ zCamI%xlpyELMd0UQF3A_U}>22gQY}3THF}RwMQOaIweCM_S6b?iGIl~@c#}ZVz5Z? z+tUDOW%5i~lAN4hJ$hd9+V5t?ALz1*Aao@$jbDSIEU$`N!S0K|a66bQ&FWDC;yN}U z<+RxFeR+TH(9le;`_>dx$}?vI%^X-Dk!SA^4t z>unO)t|S_R9b5<$J^;eXz@EtuBX*wzECVjAS|EzT+o2(3ORznG!*5d-F=XEJLW$ zwS-2YEQkyi{R7!3AC0>xpM60w6qY4TCsJ={ZkCVF)&rn@B)BhYDsr`!DO^NL9hpi8 zq@e8IOGwU_)KWpJWDTd#7+#k1g=fFV4o?dvq&*{QeADk=ayNVW6j;y)=s;UZPZGaE z;?vJWATkgFj!Ry0o0WWSFnwN8fc?im^`C?!bj)Gjmm!Yfi$98g(wmgPPu>(7f<@^^ zOqJ6^a9S;v`t^B$!qxyo$00myvqeCuB^sp+jvt8rFZiPFY-S`i6g5>Xi#q{wh@!Ac zP0@QATUk@XVkYViUi)l)0bKQAQbqVkm=#5La&pqB!s1V|aESt2ng3U6_rXF?uXI05(EiMRfIGTytT^k!l%Yw%7 zkuorU|}ba zRl&O#d5ucPNH_wwB+E3pZjUBuR~z8}fCV~bu~W<&bV-PNWPg-EZg}~k}EK{wKVJn>p$X~fTzs-w<_%bDw zQTdA=`&&>yP=xZ7nHT(4)u)l4GTPUu471vT>K3qk0}2QLp$g2QFJl)wYLk@qkozA_ zvoxg3zZAUU2rA^OzyBHAPe{xg22iKQp9mF&UkAopvxXZW+0p^DV=5jq#Q^#bvhgx+<+noy?P3u zw@Rvm@f1x!{SBL)6o6?w20Vy>;Uqs$rLY5nr2&vbG|cxHMh7mafU;4T(16_cC=@6& zF4-p609861!)QquyI&W@YU?j_XERpeG{A)aKZ(bHnGfdaOz{-_ zR)Fy{H1gr2JX|l455*o}ongV5OgA6H+hLf9V(bLTCw>G?8O92jGrw&2l@ZaXn;N0^ zw;EvoERw2uHb8-77ezO`I2pEWR(u9sC1B4wZX0~|6r=7yK`_5q_$whGS<@O+qZ*P5 zJHytE;Y?;Jb-XaHy9u~SO%A2GfrPR739Rvybx>ii`v}m-c5kc_F8cpVlu}EwiIdQo z)M%jv;Mya1qC(X_A6V22Y(vIoUkIqEN)X%fL@@j>=Usuil>{FS0HF&|+G*=APr2mc zRT_Nx6IEt-sths@0%_5+H3D?zZOhYVC*^kEuI7QIYFkHfPwoRG{2g^gy*u)t~=NF#1zBVYK?c*${RCr9<06oB2^xN#R- z>F|Bk5J-8+G(3~yGW1HVfpo|^XxIM5Y?JFm%V=QJ1C~hXB@jhb0A=syOv6fkM4qxJ z45QHmWxSCy0Ebu(ssNv!2BiF+H9o5VmL~+J3WG`_c1IC$^+09tO=12USsipaz`Kl8 z{AU!t$O1Ec6YitQRRAN=zm^TfNOZ!{t~qe{I{EvzM2j>O@kFyC<^Q35-W3>0a0S=wggOKNvVr6-~j*A z0Rp_xU6q{ynq4yG8j^$(8vEq%7t1FV&XE5hSKp)Lb4p5C5NzoKBtWfF!wR-f>1H82 zJpqdB-8?{nIlsWlZ=QW4TOPA$0G9KB+O!|M_b$X-qNiiS4965ymvOjisl|3Y{Z+xbfpHfafa=tOUxE(%^U|QcW2UhZ6;=B zLcV>P)<%xSw)3p_adC8 zj?Ql>;*xViPHdn8ot<8*6CC!a$`Ltm-j|r+fP{ca&TS&%_NIwE5d&5$RFl~I(y5K~ zHhFq#$vm^U@uW}VcM+u%fUUhQr$jEcY1xObb;PF0pej-xZq{i#Bb^l^tMB1q2-MMr zlq@u1%!o*r+gpv}9WM)(+PDLe`!&>+ghv3i1MOUx@KgMfHgFt_x4C;W@q#3 z>QF{UA9@i&TfucWa`gY#(RBwx`Ty~6WRHIKZjep(4B6unXPzxx_KpjOl(rK#HS*NZzS_ptW=+OjmSdH&Gj!?Gr|ZXU z)hae%1DT^&e(lD~6Ic;VKcsDOiCWF6!JWafIyROqJw2U)V>jMH6n1|md#}32bFe-n z=mGvB@qb$j3G4sE!Pz(FSM~M59m5!w z-kBizcc7#yhm9mEi-Vp0=}7Zkt3N-MlpU);#wL-)8%m%Z%a>uhM>oz6I-g(p=0A=6y(%Q;J4oONkSc{S zZm&%S?%_b`;$BY}w^#~ri{~7-c6AZwD}BNit}FAX6<8un?B}8)6LE3$w0%kL8UJHi zPQG)o-Wa@|1^fQ)s5NeaJNnYat7xvTPmhim#T-x79DdIwT6K7kuJFOrveRRnW_&ar zy8TCgO*P>N%UDr`hA+N+hUN5b>i+W-T<&2x1`|y-qc(ke^+2{Iv~OjBI$d&~X}z9i zAmt;hrhiQb1IOVFH=#SpC^ELFXzNtIAsWB$<~+Q8ebe)^aj!OM{I|A*&0!X$-+o+` z#bsU>S0$qge-t&`##`qYK^QfBU-O$!(b1gT@dnl_L3%7JpmnfJiviaF9b_3MIr$&S zeA0YA=j_KhR8a4;_R#6DAFO-*`&xR?`Q6mFFW9vyg3CMGE=i?58-^TddE3+3sCF-} zuZuUp938I(hmw9#Yp8B)P#+i|$z&<&Pe@gJzthsJM-ny1} z5O%fzLS7}7|Ge?hnL(3&3i^JXZ=t(-;t zkdfb4rMebzXZLG6xkML1q>DFQ%Imv&X5pRZy%!fHiV=s5`M1`bCeLwh%u9QG@7uTf z$h;N;D6`~FJ~i#jgmpe*YCgX*__ojsxj{vTK>YS0jluKUvA`hwEZAN2*t>V{j>>$I z#s1^@a&!A2V>^^jL>iL4cgr$!PjiO)nv)VaRbu-4hMJ~JXf(f@n^#OpNr@lM+ey67 zJ2gIDC$9GjL_5sDy~A%Id|jqg?TdpZx92o(!ZGV;kJ^``yeXs!`M}W7!1U8g5C~+g z|Cf2?ZR_$DaSNPyR=n7sEwsC*+<*=3JSAe zPQRwURJZD=)_%*#HfP$rR)Tu~T=nS4=-WdO5m1USeHcP5cbvO&yTZdN zVCoqPONa;T8~OKLlD3?PD(cIkI3R^P5g)UiZk5S<+Ov>kqF(9mS{SkbG_ycM0Jyd23IT-O%d>tvRnNjl&up!ohdw+jDAa zYGLJ)l`XQbOS6l!yq70yC1FOc#Z3H}SML=mv-HPa$&t_zbTgWa#}>BKm6wy0gdN2v z@rmhVUX@4dxp!(3Az&vbOlOudUI<@;Rc16kKcpDPJL7d3_9O*7oOwE><%vjjX*yPh z%5~lql&sJP99E zD*uC_Ea(Uz69S_^JRu4KP3{BWBLMYaR!Wo`pPxt1d9B-1u-t`Y+d~Ur3!j@?)`36i znmwb4a(2E=xrcP$1Hj=1Ef1IReQNd02_NSawMY4(==0Iug5^k()_S%F0`=e_tiWsg z+Gk*1&U4T6qZOVrx*)z%svE$%7z;(@)Vt=;v6#bC9Us)Et;rw0qEsdxVTsEtVL`wzta>h8a=yG%ho zN@Hdgz;uhnp^wYA=NT4j8Y*(86OUq?1PCqf3B0DPOyg?K`uh4_PtzKI<+UkI8=HJ) z3Wz>2*;}C$sv$c$IXRTZr#D{{Xp902H+Un@buGRiC&%@QGlu;9#iwuYo=e?-`yXL@ ziH4MdF7tts-#2w)-gCP%*i~iSK^h^)^TkEGwY9alzC1t1eQFAz7#SUrQVfzDOud#0n&3WMdDS7KOOr8iTv1Wc7Q1b5 zTz$o@=nJjR&>|Rm?ab{2$|{2frcR~0p)=-ccnR`cn336p&k=3UIj(W#gJ4N!BnKB;V$a1n@9o>Roq2=-YvqkC^-8$Oc%G>1yWeC- zkp!aMw>#)-KS-8O3z7x_iw*t0PkwQknJBuQDn86I6I!V zs%c3{v??dFW{O!s)Dah>jwTl4x7Ki)LuQRh4(w8oE;BMQq1l)j8F@F?`Z8#AU}5>3 z+gxi^Z`{lMj#6xF2AYOBkpojY!a;7gKqulQd9TH%^PCHkS2Z@n4E(A79BuaMCyE96 z`K0nh$ZwZ%@E~=K>+4>kG#5FPr%QrYsFX4fe;-exDk}%C_S?~Im)E~<#$b$$S`3}G z-{QoL!ZCkxMd6D-{F@ukcE8MgY}D1)H@F{qwx9g;?SG-wp=Gj0bIReLSwL=ucu<>q z5U;8@51836YgD8h9r1hhnpo)^JEtQxJ+-ctmDK_>C#Q(7(9fSg4MtnURm57BR3xuM zQ}9x-!6_##=WAH9QHGx(Kac*zm86!azQ1q}YLf4G%P!Yc6t~TRYz}5z8&v5cIPHFZ zL(%*9;$YpPpyTmWlckka+|rvM_|PfOrw+L5LS}@>wav+*9Lsd6l*&EZ*P|H=dH+d% z1pViXI2_K+Tk5qY3*n}=0ho7Lz`1v0KQ<3)%1-ArRoDW(=K`%3(*QowdhyNyW7bQ_ zcWU$s)qZ><#XHpWjfn(NY>oVS4w4JHe-W}5?olvU>rQ+pyhJF6r++)11oe!xrM9jP z?+vv}#P&(W42s$+iiE_(^&hT=fwW!SpxJ}Z!tV3~iTEv%!OzF8p}UF~IL%GvrLkXU zy?>LtLr>?mZXeB*Trlr^Z0r}j7S4MX|3+gdixGl$J?ArGHe%ZWX=}rKg7*T?<1#us z>+}k@uJgZ6w3|oir9Q5n;-N~V90F0&kk^M(%UZ-i9*2bgHRIMc4=DcrCv|qx4?4H! zRY~3jMq!Rny2*Vj{E6%KNMxA%*7q`YwJ^mlmG1xX@FaJP?Coxe-0gX7X65Y{%_@O;cF}Wmc+ko(4_qpT6 zIn3%6GP#TN?_$8@GF$I&vJHts3Gtb)zc&;S6PQp7f%I;puGB?kzW)B6Iw^r*a{r-P`o=oP<$icA7?iOyqIU76V16&CCxs`*5D# zr)!+*ks6ia$4@%xyp;OVJkQ%j%WP-dLSWWhOv%>=6-8?=dkTN#O05^nAsmgYb6 z0I>WBBg|4EvhRL7a?yzMsjrvM`7bbO`v?{n_2 zu9pxgjApBg3GzUpK|XLE*?w6%@At8Wn5lF?fp%i**$RAL9U5h_>9#bj^mT#}A&~x0 z0~*oL zI3{p9xVIYY>MJ!{51_Od+b1OaOIqrt8{!xyCb!JZH3klM{bk z3txx{(v{*D8e{iS5~!W(KS{8%1JG<=C|qXd4%(kEL8~{vX|6pkP2}SFT$J^lEYI~@ zxR~VntuOsM4Rq*Wi0eyc0CAU+_%m~xfg@*?o*l6Z32f+3=I3FB01(WubTo_DuN5P`nf%mZ&DP%jW=a?hpxfg*4gA?m4v%mKMRmYl-pU!llykT7ALP>mYHR0HQ4ILK(I zm%lOQ)gsEM)&4TJ)u zA0-ggWAuC3!(UoNIxtDM)E^iX^zZqK<*~TEXNe|aTAvqfc=8GvRdCAYPjRox#0tSh zBGnZSAc{6EHE0t>o_OKqgw}r;A3iH>BY0t!p$V*-zGeoiKLq&$Wd%IYBSg5atb1eD z1hAun)#1RYlH}L6U(G-~E)AI+3rte+W5HauaM~!cO%O`F2^K|)$r&ZePei;z(nj6` z1(J)yl+Zkukx81@V8A)F3D~2)u#543W>UZ4joAu zMq$Hy$`#LD@Cyrd0@X=_n&Z@PBE}c$pRV?|%%6K#G&fCSN+wDGd~WW393Kx~svVnA z*2ml-AY}H{Qa718{W}9bZy9PZLkEzDrVmCc{uzj$w~SlxHO=tWer;0dBT6UxeK_`b za8bep5~dEY#7ac8NQyeyeIauu7?>XNm%L10f<-rDZ=zYff!WT>6KIpUQ=@LdK8|ZP z2?1}bQ>JqQFVrxj8emUz;;eI<0j+QEo=i0LEOMYjEFIdxUoe^UrTJ~M3foqJ*T0Qn z2eu;fjx!81F+a;5s#_`ppJIVGJ&#N0sB^7whEW5(7w==m5$9qoYVDM78ehprlS#BY zcZx!KK}7^CO&som<>uE}_7kXIA&4d0&8f&L9`>;Cl5WaO?F>U#&oNlPU2s#bBlMH1UQz%1QCqin^B$@eXM+2(bP-82l^Y z6(NI;VoK$pBxjoG#Mz6W+H1Rz94^ZuW78GbnhyWZib@G@=J7V!OL@&c%wzM9#Ra0R z3-b#H3hu$uhrG7wb6bDu7AJYjV;u1nBPQ&txHU?&YgBP|_K70uEh8|yvaReIsj}1x zv|=P_U`{ClSw`c@qk|tz7I8*%&ASts2-N+LZJtuXV=J?3Vqd&E(^Xu|g5K6IDI7iY zdgXrs5wu9@V{a6Q_AioTvW6?8qjme6i!^Pli)u-_)u{szrdvD6F45&Eq6~bdU9`Df zs9-zSKfBoO)rK*SGJ#T2^G#P6;LEerz%t}ZoT*Q*(~$cTXVK08n~|cO3HM)Dfw>b} z2E$sO@N?>h=qo1Ae{xz<3!;L_kI;_HeWsh9;oRx|SUv&vgy_#oPx#N_Vnet`Sq^yr z7DEybG1NV6E-tRUyYfkS_U=gx5LA`fy4AW|C75Vv3D%GQwWQ5n7R>fDhhotXA-Z*` zwtg|+f;d(dmUjyawztgsHa1*345vB)ZL}U^EjRLsvMvU1m4)srS_c*_S53~cKuvM3 zlh{&8Rq?W+v{wB3I)DFgQI(QADmC>=Sa`T|A<)4&MLj({nj1e;Ub&JJEkq!kH_H%W zL|P6|C#OR z(Caav?JLp%%EZX{KUP+Oxsw)4_EA3b{^Xw)s?0u?ZA2DeKN(BgmquPK8`V=UImk6? zy7N#-S4XGSx^#PxG2Zk3{p+B2SD8H*crbmwnvvVw0&(m#d~<4witNNj#+}O+-`r4? zEWT|fNC(v-Ya70aZBVa=!YfHJZqHdNI6y-I5~<9~$A^a2zWHu05ii<7co@&h$~xi) z)ZAj#P*zZNc(0b{+_Km7_HM9)t)iF&4AmbzD7O=s)kRp&3YC1hQ6#Q6IVzd-D*zpn zQ9Nk~Xg>h~0dfHAv*E=fPtB*4qvvL4zY*{=r%*0$UK>Y8i3Vd+yL^51#KgpfK@DNG zTes+GSjApg3TtH9dUMOA3#cYr*hHIf7omwC&iz?(z`LX|*cXtHkoX;sD~vjgc6KUr z=n7313UJbN2OsiMQ&aCY$#2QeT=7bLv0D0YLZqa(tIMudCYj=e9OUq3MK|&!oy@}0 zawL#=PiOu35j<9M$I;^&N8-(TNMM!@WJg0o!|IhwGGQJuA1~B#JUu;qbc>`w4ARd?kCMl-05?%vfhGD@KZHw^W#GWyW8*>bYvPHI8| zweZUkm3@f*u6w%%-ERk9w@uDQ%UM>{BL zqQy02pFFOU=UC9)iLzkNDm$ebw|LUs%Um1Ahy1LYbW(TJFf|JE?!=xd*53W7>HiEiDG|m% zsDezmb7vOQq4f$K!cQ!S!?a^|poz+}hWqDn415(4(v?-2ji!_aBA@h4r$`UxA>;?%G&50J6gyz9>b7@^WA2ODHfBI~ zs9B!0T4kYL4^St}Ev(mz!I7HL9LJrecbpz~b)*{)nIK^cP6JsR77Oq!$FDx{62{EQ zT*m`G8vz2s0<@QoScFh!r9#)Y50Sn2^{w^vo~)UxWWyQ(rIUK5rV$jFGpC zuVujbc~ti_4LWNYqxzUdz;=OOrtW@4x!P%A9reW_+B%$B7baoyh?I~;oSyqY6h&f1%T47R}=v?qZy-oD4Ke=%=lG$Zb{Y6=2(2)8KOg3uOt)RXw zbsN?0`OJZ>Y_6(pl-AW-wmfGYf)uSEnO@Lh-;o>?LqH6o= zc?N^wTyFM=YDm?=^~jG@Sw@Z@`^|s4?D>&(JBaA{7WiZ45ORp^t&}cntMzWh{P!irQy0y-Lbf8xF z=oAB4t$vdARcs;-C7ZGh-SW?L*t>IblQCW}diu|egM7OmfCz?z#_LnN4d^(%t+B!j za$5H5IawAER`z5VC|Yt!gykFRzGiVMXgBN>dABtUKELbOizS_8m?iJNhbdJqDV4`B z=q}5`Mr+4m3y<~oWE0JtWaoA)of14h-|AlE;^-cK&-QuW)8w^(XdvMT*Q0Qi)UsMO z(}AZSX^*sWh5npvwqCH{WO22KEp|kk47FHyP|I-}1Yl($jYlskr-Oy@pD^}s{JwwF z2)*T5El}01&TF8M?N*;D0#higUK!=ux*_5dk+BLXlP*L=MPhRi%_3S~rw3bFw($6Q z4d-YNlr;~MYxWdcs2n%{dVm!Z%OO=M^-(8xKsX71(uVgob!I?vm*v#tEYrd}khhbn zTh8s4!H4g4I2(cCvBi9=pTIZ;+FSfr){9E;W|a}YI%+o=kCgr z1)Z<;DsYa=>k2dnv@p|{?u*I=mo=M~X%=ms%3rHUTm&6H#j;eTw`du{`OHFOn}MYY z8T--Q^ugUdHwLqsmx={Z7B+lh6B(Nj?Xj$7|Kqto9=NM!!%x7dT-^ZAS1Q-LyS!G* zTkfc;L`4f07;vc<+`oO_dt7k3d7Nr>zsl}hHz)~ae?Jk$PmO;ng;LL|nxqQ1E^FrM zZ;;G(YBS2kq56_S3Z1fhUOC%I__RDW360}wYE*uX=ygyVx&>!_d|?v)HRc2PCqu4H zN{U9h@X^_92TL07l0>o*Jx(0}2CezETMQ~#A{-q0&}WS9w_C7OZ~s!9t#$~m7kowk P2fhq+jI=SD_apxg@N04< From ec65ac251b5d9d8ed9e0202257951baa44a44d74 Mon Sep 17 00:00:00 2001 From: Max Stein Date: Thu, 19 Nov 2020 17:16:27 -0800 Subject: [PATCH 18/44] Updating MDM section --- .../client-management/mdm/mdm-enrollment-of-windows-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 5693d6c5f1..f74caeda09 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -12,7 +12,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 11/15/2017 +ms.date: 11/19/2020 --- # MDM enrollment of Windows 10-based devices From 9a60e56f3611913ea93c87acb3b6023c8d38d885 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 20 Nov 2020 11:36:43 -0800 Subject: [PATCH 19/44] Removed deprecated policies --- .../mdm/policies-in-policy-csp-admx-backed.md | 19 - .../policy-configuration-service-provider.md | 57 - .../policy-csp-admx-credentialproviders.md | 143 -- .../mdm/policy-csp-admx-userprofiles.md | 1342 ----------------- 4 files changed, 1561 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index d9c44122bd..1f50c812bc 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -101,9 +101,7 @@ ms.date: 10/08/2020 - [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) -- [ADMX_CredentialProviders/AllowSecurityKeySignIn](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowsecuritykeysignin) - [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) -- [ADMX_CredentialProviders/DefaultLogonDomain](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultlogondomain) - [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) - [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) - [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) @@ -723,31 +721,14 @@ ms.date: 10/08/2020 - [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) - [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) - [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) -- [ADMX_UserProfiles/AddAdminGroupToRUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-addadmingrouptorup) - [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) -- [ADMX_UserProfiles/CompatibleRUPSecurity](./policy-csp-admx-userprofiles.md#admx-userprofiles-compatiblerupsecurity) -- [ADMX_UserProfiles/Connect_HomeDir_ToRoot](./policy-csp-admx-userprofiles.md#admx-userprofiles-connect-homedir-toroot) -- [ADMX_UserProfiles/CscSuspendDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-cscsuspenddirectories) -- [ADMX_UserProfiles/DeleteRoamingCachedProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-deleteroamingcachedprofiles) - [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) -- [ADMX_UserProfiles/EnableSlowLinkDetect](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkdetect) -- [ADMX_UserProfiles/EnableSlowLinkUI](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkui) -- [ADMX_UserProfiles/ExcludeDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-excludedirectories) - [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) - [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) -- [ADMX_UserProfiles/LocalProfile](./policy-csp-admx-userprofiles.md#admx-userprofiles-localprofile) -- [ADMX_UserProfiles/MachineProfilePath](./policy-csp-admx-userprofiles.md#admx-userprofiles-machineprofilepath) -- [ADMX_UserProfiles/PrimaryComputer_RUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-primarycomputer-rup) -- [ADMX_UserProfiles/ProfileDlgTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-profiledlgtimeout) - [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) -- [ADMX_UserProfiles/ProfileUnloadTimeout](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileunloadtimeout) -- [ADMX_UserProfiles/Readonlyuserprofile](./policy-csp-admx-userprofiles.md#admx-userprofiles-readonlyuserprofile) -- [ADMX_UserProfiles/SlowLinkDefault](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinkdefault) - [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) - [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) -- [ADMX_UserProfiles/UploadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-uploadhive) - [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) -- [ADMX_UserProfiles/WaitForNetwork](./policy-csp-admx-userprofiles.md#admx-userprofiles-waitfornetwork) - [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c4ea4193bf..99fad505b6 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -485,15 +485,9 @@ The following diagram shows the Policy configuration service provider in tree fo