From c9fb9f514d1f96b6ef6cd001c1590b8caf7bbbf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 27 Feb 2020 23:48:36 +0100 Subject: [PATCH 01/64] update regarding modules, lint and expand puppet manifest. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../linux-install-with-puppet.md | 89 +++++++++++-------- 1 file changed, 54 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index a27c84b264..8d3546f71d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -1,6 +1,6 @@ --- title: Deploy Microsoft Defender ATP for Linux with Puppet -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -48,7 +48,7 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - + ```bash $ ls -l total 8 
@@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server. +You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* module available from puppetlabs, and assumes that the modules has been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: 
@@ -86,44 +86,63 @@ In order to preview new features and provide early feedback, it is recommended t Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. -In the below commands, replace *[distro]* and *[version]* with the information you've identified: - -> [!NOTE] -> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”. - ```puppet -class install_mdatp { +# Puppet manifest to install Microsoft Defender ATP. +# @param channel The release channel based on your environment, insider-fast or prod. +# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL and CentOS 8, the distro variable should be 'rhel'. +# @param version The Linux distribution release number, e.g. 7.4. - if ($osfamily == 'Debian') { - apt::source { 'microsoftpackages' : - location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS - release => '[channel]', - repos => 'main', - key => { - 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', - 'server' => 'https://packages.microsoft.com/keys/microsoft.asc', - }, +class install_mdatp ( +$channel = 'insiders-fast', +$distro = undef, +$version = undef +){ + case $::osfamily { + 'Debian' : { + apt::source { 'microsoftpackages' : + location => "https://packages.microsoft.com/${distro}/${version}/prod", + release => $channel, + repos => 'main', + key => { + 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', + 'server' => 'keyserver.ubuntu.com', + }, + } } - } - else { - yumrepo { 'microsoftpackages' : - baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS - enabled => 1, - gpgcheck => 1, - gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' + 'RedHat' : { + yumrepo { 'microsoftpackages' : + baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}", + enabled => 1, + gpgcheck => 1, + gpgkey => 
'https://packages.microsoft.com/keys/microsoft.asc' + } } + default : { fail("${::osfamily} is currently not supported.") } } - package { 'mdatp': - ensure => 'installed', - } + case $::osfamily { + /(Debian|RedHat)/: { + file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: + ensure => directory, + owner => root, + group => root, + mode => '0755' + } - file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']: - ensure => directory, - } - file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - mode => "0644", - source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', + file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': + source => 'puppet:///modules/mdatp/mdatp_onboard.json', + owner => root, + group => root, + mode => '0600', + require => File['/etc/opt/microsoft/mdatp'] + } + + package { 'mdatp': + ensure => 'installed', + require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json'] + } + } + default : { fail("${::osfamily} is currently not supported.") } } } ``` From 3cd4b978284ae2426ccc99497616efcd1cd58ee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 2 Mar 2020 14:38:53 +0100 Subject: [PATCH 02/64] ensure yum repo name is set. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../microsoft-defender-atp/linux-install-with-puppet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 8d3546f71d..8df482dee0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
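Review bot: The new `file` resource for `mdatp_onboard.json` reads from `puppet:///modules/mdatp/mdatp_onboard.json`, but the class is still `install_mdatp` and the surrounding text tells the reader to copy the file into *install_mdatp/files*, so the source will not resolve; because `package { 'mdatp' }` now requires that file, the package is never installed either, and the line should stay `source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',`. `$distro` and `$version` default to `undef` and are interpolated straight into the repository URL, so a node that omits them gets a malformed `location`/`baseurl`; declaring them as `String[1] $distro` and `String[1] $version` without defaults would reject that at compile time. The `@param channel` comment names `insider-fast` while the default is `'insiders-fast'`, so one of the two spellings needs correcting. The apt key is now fetched from `keyserver.ubuntu.com` instead of the vendor host; the full fingerprint in `id` still pins which key is accepted, but if the apt module version in use supports it, `'source' => 'https://packages.microsoft.com/keys/microsoft.asc'` would keep the fetch on the vendor's HTTPS endpoint.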
@@ -112,6 +112,7 @@ $version = undef 'RedHat' : { yumrepo { 'microsoftpackages' : baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}", + descr => "packages-microsoft-com-prod-${channel}", enabled => 1, gpgcheck => 1, gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc' @@ -181,7 +182,7 @@ orgId : "[your organization identifier]" You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: ```bash -$ mdatp --health healthy +mdatp --health healthy ``` The above command prints `1` if the product is onboarded and functioning as expected. From d8d429c7a4ab078e8f875e63719b08aaa2c6d3fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 3 Mar 2020 10:16:00 +0100 Subject: [PATCH 03/64] have plural MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 8df482dee0..dc915e32dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -60,7 +60,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* module available from puppetlabs, and assumes that the modules has been installed on your Puppet server. +You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: From 0635b72adb2c0810d098b3b793f7bdededcd3c94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 4 Mar 2020 10:04:53 +0100 Subject: [PATCH 04/64] the missing comma MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .../microsoft-defender-atp/linux-install-with-puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index dc915e32dd..7fc4188c73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -89,7 +89,7 @@ Note your distribution and version and identify the closest entry for it under ` ```puppet # Puppet manifest to install Microsoft Defender ATP. # @param channel The release channel based on your environment, insider-fast or prod. -# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL and CentOS 8, the distro variable should be 'rhel'. +# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'. # @param version The Linux distribution release number, e.g. 7.4. class install_mdatp ( From 59cc4f4cdcd93867ab7e19b595971db58087ce8a Mon Sep 17 00:00:00 2001 From: Todd Lyon <19413953+tmlyon@users.noreply.github.com> Date: Fri, 13 Mar 2020 12:01:20 -0700 Subject: [PATCH 05/64] Update hololens-cortana.md Add information about the online speech recognition setting. --- devices/hololens/hololens-cortana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 369602ca12..287a66f1fd 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md 
@@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with ## Built-in voice commands -Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. +Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. For the best recognition of speech commands, HoloLens 2 will use the Microsoft cloud-bases services, but you can also choose to disable this in Settings under **Online speech recogntion** to only run locally instead. ### General speech commands From b8df317d8039180e29bb5d419b865940e4484144 Mon Sep 17 00:00:00 2001 From: Todd Lyon <19413953+tmlyon@users.noreply.github.com> Date: Fri, 13 Mar 2020 14:24:39 -0700 Subject: [PATCH 06/64] Update devices/hololens/hololens-cortana.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/hololens/hololens-cortana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 287a66f1fd..6f69d8c6b7 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md 
@@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with ## Built-in voice commands -Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. For the best recognition of speech commands, HoloLens 2 will use the Microsoft cloud-bases services, but you can also choose to disable this in Settings under **Online speech recogntion** to only run locally instead. +Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. For the best recognition of speech commands, HoloLens 2 will use the Microsoft cloud-bases services, but you can also choose to disable this in Settings, under **Online speech recogntion**, to only run locally instead. ### General speech commands From 9a8157e61034a70798fb30154ea81339a4f2504e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 25 Mar 2020 21:04:40 +0500 Subject: [PATCH 07/64] Addition of supported data type Add information for a supported data type which is a string. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6224 --- windows/client-management/mdm/reboot-csp.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 70668fa9de..e7cb92b9c4 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit

The supported operations are Get, Add, Replace, and Delete.

+

The supported data type is "String".

+ **Schedule/DailyRecurrent**

This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00

The supported operations are Get, Add, Replace, and Delete.

+

The supported data type is "String".

+ ## Related topics From 0122e4c86950066ba8b1fab7f790fc29d6d43a48 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 30 Mar 2020 15:06:35 -0700 Subject: [PATCH 08/64] trying to br to make a paragraph break --- .../windows-defender-smartscreen-available-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 0dabbdb3b1..5f698f3d30 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen From ad399f5d23bd3bb245fba29b142802c1d6b54131 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 30 Mar 2020 15:18:05 -0700 Subject: [PATCH 09/64] Update windows-defender-smartscreen-available-settings.md --- .../windows-defender-smartscreen-available-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 5f698f3d30..2ca7300134 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected. +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen From c47d346ed95aa2dfcb3e1f30406807e7ab7475ca Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 30 Mar 2020 15:56:36 -0700 Subject: [PATCH 10/64] Update windows-defender-smartscreen-available-settings.md --- .../windows-defender-smartscreen-available-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 2ca7300134..150df52cc5 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

Important: Using a trustworthy browser helps ensure that these protections work as expected.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen From c1c1b30e010d66b1cb98edacfde8829ad186188b Mon Sep 17 00:00:00 2001 From: Todd Lyon <19413953+tmlyon@users.noreply.github.com> Date: Thu, 2 Apr 2020 11:52:35 -0700 Subject: [PATCH 11/64] Update hololens-cortana.md Incorporating feedback to resolve issue. --- devices/hololens/hololens-cortana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 6f69d8c6b7..ebe1505426 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with ## Built-in voice commands -Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. For the best recognition of speech commands, HoloLens 2 will use the Microsoft cloud-bases services, but you can also choose to disable this in Settings, under **Online speech recogntion**, to only run locally instead. +Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off *Online speech recognition*. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation and Cortana will not be available. ### General speech commands 
From 081f39a9d845738b7fd7749bad552253587ef838 Mon Sep 17 00:00:00 2001 From: Todd Lyon <19413953+tmlyon@users.noreply.github.com> Date: Thu, 2 Apr 2020 12:36:11 -0700 Subject: [PATCH 12/64] Update devices/hololens/hololens-cortana.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/hololens/hololens-cortana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index ebe1505426..5456aa55e7 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md 
@@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with ## Built-in voice commands -Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off *Online speech recognition*. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation and Cortana will not be available. +Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available. ### General speech commands From f5979798660ece0e408c0dc216256f28d3546dbc Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Sat, 4 Apr 2020 11:41:11 +0300 Subject: [PATCH 13/64] dependencies clarification https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6049 --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 24172f6859..b51416da63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory. -Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do. +Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/ro-ro/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) do. If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. From bcdda3667786890a4257f30299ecc463c3ec97b1 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 5 Apr 2020 08:18:28 +0500 Subject: [PATCH 14/64] Update bitlocker-how-to-enable-network-unlock.md --- .../bitlocker/bitlocker-how-to-enable-network-unlock.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 56c13ecbbe..b943c6dd9c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -80,7 +80,9 @@ The server side configuration to enable Network Unlock also requires provisionin 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. -3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. +3. The client computer broadcasts a vendor-specific DHCP request that contains: + 1. Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. + 2. AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. 5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. 6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key. From c2699835d5f6818b480233372fdf324358c8b193 Mon Sep 17 00:00:00 2001 
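Review bot: Sub-item 2 of the rewritten step 3, `2. AES-256 session key for the reply.`, no longer says how the session key is protected in the broadcast, whereas the removed sentence stated that both the Network Key and the session key are encrypted with the 2048-bit RSA public key of the Network Unlock certificate. As written, a reader can conclude that the session key travels unprotected in a DHCP broadcast, which would undermine the confidentiality of the reply described in step 6. If the original statement is still accurate, carry it into the sub-item, for example `2. An AES-256 session key for the reply, encrypted with the same RSA public key.`; if it is not, the step should state what does protect the session key.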
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 5 Apr 2020 15:12:36 +0500 Subject: [PATCH 15/64] Update windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-how-to-enable-network-unlock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index b943c6dd9c..9749ee1793 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -81,7 +81,7 @@ The server side configuration to enable Network Unlock also requires provisionin 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains: - 1. Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. + 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. 2. AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. 5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. From a6b2519c6d5179a5df465296104640fec75d77af Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 5 Apr 2020 15:12:43 +0500 Subject: [PATCH 16/64] Update windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-how-to-enable-network-unlock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 9749ee1793..a7a7e7fce7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -82,7 +82,7 @@ The server side configuration to enable Network Unlock also requires provisionin 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains: 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. - 2. AES-256 session key for the reply. + 2. An AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. 5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. 6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key. From 7a71dbb1fab8ed191f848b047471d3814f2d8111 Mon Sep 17 00:00:00 2001 
From: kelleyvice-msft Date: Mon, 6 Apr 2020 13:53:05 -0700 Subject: [PATCH 17/64] Create vpn-office-365-optimization.md --- .../vpn/vpn-office-365-optimization.md | 668 ++++++++++++++++++ 1 file changed, 668 insertions(+) create mode 100644 windows/security/identity-protection/vpn/vpn-office-365-optimization.md diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md new file mode 100644 index 0000000000..54f8217aba --- /dev/null +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -0,0 +1,668 @@ +--- +title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +author: kelleyvice-msft +ms.localizationpriority: medium +ms.date: 04/06/2020 +ms.reviewer: +manager: dansimp +ms.author: jajo +--- + +# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client + +As the COVID-19 pandemic has unfolded, the Office 365 Network team have seen a large influx of questions from customers around how best to optimize their Office 365 connectivity as they work diligently to plan for a large amount of their userbase suddenly working from home. As a result, they wrote the following documentation on how to quickly optimize network traffic for Office 365: [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel). + +Customers have consequently asked how to configure these recommendations for the **native Windows 10 VPN client** such that they can optimise Office 365 usage whilst still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface whilst still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimise categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. 
For cloud-services like Office 365, this makes a huge difference to performance and usability for remote users. + +>[!NOTE] +>The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). + +## Solution Overview + +The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). + +Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). 
+ +To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: + +```xml +ForceTunnel +``` + +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the section as follows: + +```xml + +

[IP addresses or subnet]
+ [IP Prefix] + true + +``` + +Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate section for each required exclusion. + +An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: + +```xml + + + ForceTunnel + + +
203.0.113.0
+ 24 + true +
+ +
198.51.100.0
+ 22 + true +
+
+``` + +Note: The above IP addresses and prefixes are used purely as examples only and should not be used. + +## Solution Deployment + +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimise categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. + +This can be achieved manually by adding the IP addresses defined within the optimise category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. 
+ +<# +.SYNOPSIS + Applies or updates recommended Office 365 optimise IP address exclusions to an existing force tunnel Windows 10 VPN profile +.DESCRIPTION + Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges + Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) + Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name +.PARAMETERS + Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +param ( + [string]$VPNprofilefile +) + +$usage=@" + +This script uses the following parameters: + +VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file + +EXAMPLES + +To check a VPN profile Powershell script file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE] + +To check a VPN profile XML file: + +Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE] + +"@ + +# Check if filename has been provided # +if ($VPNprofilefile -eq "") +{ + Write-Host "`nWARNING: You must specify either a Powershell script or XML filename!" -ForegroundColor Red + + $usage + exit +} + +$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile) + +# Check if XML file exists and is a valid XML file # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + if ( Test-Path $VPNprofilefile ) + { + $xml = New-Object System.Xml.XmlDocument + try + { + $xml.Load((Get-ChildItem -Path $VPNprofilefile).FullName) + + } + catch [System.Xml.XmlException] + { + Write-Verbose "$VPNprofilefile : $($_.toString())" + Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly formatted!" 
-ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red + $usage + exit + } +} + +# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section # +if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + if ( (Test-Path $VPNprofilefile) ) + { + if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") ) + { + Write-Host "`nWARNING: Powershell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red + $usage + exit + } + }else + { + Write-Host "`nWARNING: Powershell script file does not exist or cannot be found!"-ForegroundColor Red + $usage + exit + } +} + +# Define Office 365 endpoints and service URLs # +$ws = "https://endpoints.office.com" +$baseServiceUrl = "https://endpoints.office.com" + +# Path where client ID and latest version number will be stored # +$datapath = $Env:TEMP + "\endpoints_clientid_latestversion.txt" + +# Fetch client ID and version if data file exists; otherwise create new file # +if (Test-Path $datapath) +{ + $content = Get-Content $datapath + $clientRequestId = $content[0] + $lastVersion = $content[1] + +}else +{ + $clientRequestId = [GUID]::NewGuid().Guid + $lastVersion = "0000000000" + @($clientRequestId, $lastVersion) | Out-File $datapath +} + +# Call version method to check the latest version, and pull new data if version number is different # +$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId) + +if ($version[0].latest -gt $lastVersion) +{ + + Write-Host + Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" 
-ForegroundColor Cyan + + # Write the new version number to the data file # + @($clientRequestId, $version[0].latest) | Out-File $datapath +} + +# Invoke endpoints method to get the new data # +$uri = "$baseServiceUrl" + "/endpoints/worldwide?clientRequestId=$clientRequestId" + +# Invoke endpoints method to get the data for the VPN profile comparison # +$endpointSets = Invoke-RestMethod -Uri ($uri) +$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" } +$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique + +# Temporarily include additional IP address until Teams client update is released +$optimizeIpsv4 += "13.107.60.1/32" + +# Process PowerShell script file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") +{ + Write-host "`nStarting PowerShell script exclusion route check...`n" -ForegroundColor Cyan + + # Clear Variables to allow re-run testing # + + $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file # + $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimise list # + $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile Powershell file # + + # Extract the Profile XML from the ps1 file # + + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with the optimise list # + + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNprofilexml=""+$xmlbody+"" + + # Loop through each address found in VPNPROFILE XML section # + foreach ($Route in $VPNprofilexml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + [array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimise address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion 
route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + [int32]$insline=0 + + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match "") + { + $insline += $i # Record the position of the line after the NativeProfile section ends # + } + } + $OFS = "`r`n" + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $InpFile[$insline] += $OFS+" " + $InpFile[$insline] += $OFS+"
"+$IPInfo[0].Trim()+"
" + $InpFile[$insline] += $OFS+" "+$IPInfo[1].Trim()+"" + $InpFile[$insline] += $OFS+" true" + $InpFile[$insline] += $OFS+"
" + } + # Update fileName and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + +if ( $In_VPN_Only.Count -gt 0 ) +{ + Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $Outfile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr="
"+$IPInfo[0].Trim()+"
" + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + [int32]$insline=0 + for ($i=0; $i -lt $Inpfile.count; $i++) + { + if ($Inpfile[$i] -match $matchstr) + { + $insline += $i # Record the position of the line for the string match # + } + } + # Remove entries from XML # + $InpFile[$insline-1]="REMOVETHISLINE" + $InpFile[$insline]="REMOVETHISLINE" + $InpFile[$insline+1]="REMOVETHISLINE" + $InpFile[$insline+2]="REMOVETHISLINE" + $InpFile[$insline+3]="REMOVETHISLINE" + $InpFile=$InpFile | Where-Object {$_ -ne "REMOVETHISLINE"} + + # Update filename and write new PowerShell file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} + +# Process XML file start # +if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") +{ + Write-host "`nStarting XML file exclusion route check...`n" -ForegroundColor Cyan + + # Clear variables to allow re-run testing # + $ARRVPN=$null # Array to hold VPN addresses from the XML file # + $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimise list # + $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # + + # Extract the Profile XML from the XML file # + $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' + + # Create xml format variable to compare with optimise list # + $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' + [xml]$VPNRulesxml="$xmlbody" + + # Loop through each address found in VPNPROFILE file # + foreach ($Route in $VPNRulesxml.VPNProfile.Route) + { + $VPNIP=$Route.Address+"/"+$Route.PrefixSize + 
[array]$ARRVPN=$ARRVPN+$VPNIP + } + + # In optimise address list only # + $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} + + # In VPN list only # + $In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_} + [array]$Inpfile = get-content $VPNprofilefile + + if ($In_Opt_Only.Count -gt 0 ) + { + Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN profile`n" -ForegroundColor Red + + foreach ($NewIP in $In_Opt_Only) + { + # Add the missing IP address(es) # + $IPInfo=$NewIP.Split("/") + $inspoint = $Inpfile[0].IndexOf(""+$IPInfo[0].Trim()+""+""+$IPInfo[1].Trim()+""+"true"+"" + } + $Inpfile = $Inpfile[0].Insert($inspoint,$routes) + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $InpFile | Set-Content $OutFile + Write-Host "Exclusion routes have been added to VPN profile and output to a separate XML file; the original file has not been modified`n`n" -ForegroundColor Green + + }else + { + Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green + $OutFile=$VPNprofilefile + } + + if ( $In_VPN_Only.Count -gt 0 ) + { + Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor Yellow + + foreach ($OldIP in $In_VPN_Only) + { + [array]$Inpfile = get-content $OutFile + $IPInfo=$OldIP.Split("/") + Write-Host "Unknown exclusion route IP address"$IPInfo[0]"has been found in the VPN profile - Do you wish to remove it? (Y/N)`n" -ForegroundColor Yellow + $matchstr=""+"
"+$IPInfo[0].Trim()+"
"+""+$IPInfo[1].Trim()+""+"true"+"
" + $DelAns=Read-host + if ($DelAns.ToUpper() -eq "Y") + { + # Remove unknown IP address(es) # + $inspoint = $Inpfile[0].IndexOf($matchstr) + $Inpfile[0] = $Inpfile[0].Replace($matchstr,"") + + # Update filename and write new XML file # + $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" + $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName + $Inpfile | Set-content $OutFile + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate XML file; the original file has not been modified`n" -ForegroundColor Green + + }else + { + Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n" -ForegroundColor Green + } + } + } +} +``` + +## Version Support + +This solution is supported with the following versions of Windows: + +- Windows 10 1903/1909 and newer: Included, no action needed +- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) +- Windows 10 1709 and lower: Exclusion routes are not supported + +- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) +- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported +- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported + +Microsoft strongly recommends that the latest Windows 10 cumulative update always be applied. + +## Other Considerations + +You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples. 
+ +## Examples + +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: + +```powershell +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +# IF THIS CODE AND INFORMATION IS MODIFIED, THE ENTIRE RISK OF USE OR RESULTS IN +# CONNECTION WITH THE USE OF THIS CODE AND INFORMATION REMAINS WITH THE USER. + +<# +.SYNOPSIS + Configures an AlwaysOn IKEv2 VPN Connection using a basic script +.DESCRIPTION + Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunnelling +.PARAMETERS + Parameters are defined in a ProfileXML object within the script itself +.NOTES + Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later +.VERSION + 1.0 +#> + +<#-- Define Key VPN Profile Parameters --#> +$ProfileName = 'Contoso VPN with Office 365 Exclusions' +$ProfileNameEscaped = $ProfileName -replace ' ', '%20' + +<#-- Define VPN ProfileXML --#> +$ProfileXML = ' + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contsoso.com/proxy.pac + +
' + +<#-- Convert ProfileXML to Escaped Format --#> +$ProfileXML = $ProfileXML -replace '<', '<' +$ProfileXML = $ProfileXML -replace '>', '>' +$ProfileXML = $ProfileXML -replace '"', '"' + +<#-- Define WMI-to-CSP Bridge Properties --#> +$nodeCSPURI = './Vendor/MSFT/VPNv2' +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_VPNv2_01" + +<#-- Define WMI Session --#> +$session = New-CimSession + +<#-- Detect and Delete Previous VPN Profile --#> +try +{ + $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options) + foreach ($deleteInstance in $deleteInstances) + { + $InstanceId = $deleteInstance.InstanceID + if ("$InstanceId" -eq "$ProfileNameEscaped") + { + $session.DeleteInstance($namespaceName, $deleteInstance, $options) + $Message = "Removed $ProfileName profile $InstanceId" + Write-Host "$Message" + } else { + $Message = "Ignoring existing VPN profile $InstanceId" + Write-Host "$Message" + } + } +} +catch [Exception] +{ + $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_" + Write-Host "$Message" + exit +} + +<#-- Create VPN Profile --#> +try +{ + $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key') + $newInstance.CimInstanceProperties.Add($property) + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key') + $newInstance.CimInstanceProperties.Add($property) + $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property') + $newInstance.CimInstanceProperties.Add($property) + + $session.CreateInstance($namespaceName, $newInstance, $options) + $Message = "Created $ProfileName profile." 
+ Write-Host "$Message" + Write-Host "$ProfileName profile summary:" + $session.EnumerateInstances($namespaceName, $className, $options) +} +catch [Exception] +{ + $Message = "Unable to create $ProfileName profile: $_" + Write-Host "$Message" + exit +} + +$Message = "Script Complete" +Write-Host "$Message" + +``` + +An example of an Intune-ready XML file that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: + +```xml +_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ +``` From 42f39c854e6c84add34bdd95caaff2602e602852 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Mon, 6 Apr 2020 15:29:28 -0700 Subject: [PATCH 18/64] Update vpn-office-365-optimization.md Various revisions --- .../vpn/vpn-office-365-optimization.md | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 54f8217aba..4f6cd4a450 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
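Review bot: In the `.ps1` branch of the update script, the removal path names its output with `"-NEW.xml"` (`$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"`), although the comment above that line and the message below it both say a PowerShell script file is written. The add path earlier in the same branch writes `-NEW.ps1`, so after a removal the `-NEW.ps1` file still holds the routes the operator chose to delete, and a stale exclusion route keeps sending that traffic outside the tunnel and past the security gateways. Both paths should write the same file: `$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1"`. Separately, both example profiles set the proxy auto-config URL to `http://webproxy.corp.contsoso.com/proxy.pac`, which misspells the `contoso.com` domain used by the other entries in the same profile and fetches the PAC file over plain HTTP; `https://webproxy.corp.contoso.com/proxy.pac` would be the safer sample value if the proxy host serves HTTPS.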
@@ -15,9 +15,9 @@ ms.author: jajo # Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client -As the COVID-19 pandemic has unfolded, the Office 365 Network team have seen a large influx of questions from customers around how best to optimize their Office 365 connectivity as they work diligently to plan for a large amount of their userbase suddenly working from home. As a result, they wrote the following documentation on how to quickly optimize network traffic for Office 365: [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel). +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -Customers have consequently asked how to configure these recommendations for the **native Windows 10 VPN client** such that they can optimise Office 365 usage whilst still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface whilst still forcing all other traffic via the VPN interface. 
Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimise categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference to performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. >[!NOTE] >The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). @@ -66,13 +66,14 @@ An example of a correctly formatted Profile XML configuration for force tunnel w
``` -Note: The above IP addresses and prefixes are used purely as examples only and should not be used. +>[!NOTE] +>The IP addresses and prefix size values in this example are used purely as examples only and should not be used. ## Solution Deployment -For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimise categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. -This can be achieved manually by adding the IP addresses defined within the optimise category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
@@ -85,7 +86,7 @@ This can be achieved manually by adding the IP addresses defined within the opti <# .SYNOPSIS - Applies or updates recommended Office 365 optimise IP address exclusions to an existing force tunnel Windows 10 VPN profile + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile .DESCRIPTION Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) @@ -110,7 +111,7 @@ VPNprofilefile - The full path and name of the VPN profile PowerShell script or EXAMPLES -To check a VPN profile Powershell script file: +To check a VPN profile PowerShell script file: Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF POWERSHELL SCRIPT FILE] @@ -123,7 +124,7 @@ Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND # Check if filename has been provided # if ($VPNprofilefile -eq "") { - Write-Host "`nWARNING: You must specify either a Powershell script or XML filename!" -ForegroundColor Red + Write-Host "`nWARNING: You must specify either a PowerShell script or XML filename!" -ForegroundColor Red $usage exit 
@@ -164,13 +165,13 @@ if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") { if (-Not $(Select-String -Path $VPNprofilefile -Pattern "") ) { - Write-Host "`nWARNING: Powershell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red + Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section or is incorrectly formatted!" -ForegroundColor Red $usage exit } }else { - Write-Host "`nWARNING: Powershell script file does not exist or cannot be found!"-ForegroundColor Red + Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor Red $usage exit } @@ -229,14 +230,14 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") # Clear Variables to allow re-run testing # $ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file # - $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimise list # - $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile Powershell file # + $In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list # + $In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile PowerShell file # # Extract the Profile XML from the ps1 file # $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' - # Create xml format variable to compare with the optimise list # + # Create xml format variable to compare with the optimize list # $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' [xml]$VPNprofilexml=""+$xmlbody+"" @@ -248,7 +249,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") [array]$ARRVPN=$ARRVPN+$VPNIP } - # In optimise address list only # + # In optimize address list only # $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} # In VPN list only # 
@@ -283,7 +284,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.ps1" $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName $InpFile | Set-Content $OutFile - Write-Host "Exclusion routes have been added to VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + Write-Host "Exclusion routes have been added to VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green }else { Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -ForegroundColor Green @@ -323,7 +324,7 @@ if ( $In_VPN_Only.Count -gt 0 ) $NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml" $OutFile=$(Split-Path $VPNprofilefile -Parent)+"\"+$NewFileName $Inpfile | Set-content $OutFile - Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate Powershell script file; the original file has not been modified`n" -ForegroundColor Green + Write-Host "`nAddress"$IPInfo[0]"exclusion route has been removed from the VPN profile and output to a separate PowerShell script file; the original file has not been modified`n" -ForegroundColor Green }else { 
@@ -340,13 +341,13 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") # Clear variables to allow re-run testing # $ARRVPN=$null # Array to hold VPN addresses from the XML file # - $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimise list # + $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list # $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # # Extract the Profile XML from the XML file # $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' - # Create xml format variable to compare with optimise list # + # Create xml format variable to compare with optimize list # $xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1' [xml]$VPNRulesxml="$xmlbody" @@ -357,7 +358,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") [array]$ARRVPN=$ARRVPN+$VPNIP } - # In optimise address list only # + # In optimize address list only # $In_Opt_Only= $optimizeIpsv4 | Where {$ARRVPN -NotContains $_} # In VPN list only # From c22a1b44aed424739b1995b64868553304905ef5 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Mon, 6 Apr 2020 16:00:28 -0700 Subject: [PATCH 19/64] Update vpn-office-365-optimization.md Updates from jajo --- .../identity-protection/vpn/vpn-office-365-optimization.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 4f6cd4a450..a8f7c610b6 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -26,7 +26,7 @@ This can be achieved for the native/built-in Windows 10 VPN client using a _Forc The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). -Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). +Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: 
@@ -75,6 +75,8 @@ For Office 365, it is therefore necessary to add exclusions for all IP addresses This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the documentation in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial script. + ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. # @@ -662,7 +664,7 @@ Write-Host "$Message" ``` -An example of an Intune-ready XML file that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: ```xml _truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ From df708e9238eb2d996faddcb38a79d53d015188e0 Mon Sep 17 00:00:00 2001 From: "Jason Jones (MSFT)" Date: Tue, 7 Apr 2020 01:07:54 +0100 Subject: [PATCH 20/64] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index a8f7c610b6..4d5d2a8164 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -437,7 +437,7 @@ This solution is supported with the following versions of Windows: - Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported - Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported -Microsoft strongly recommends that the latest Windows 10 cumulative update always be applied. +Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied. ## Other Considerations @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. From d0fa176edf3ac38da54ef1eefc32ccb8e016ee15 Mon Sep 17 00:00:00 2001 
From: Tudor Dobrila Date: Mon, 6 Apr 2020 17:11:08 -0700 Subject: [PATCH 21/64] Remove EDR early preview flag from Mac preferences --- .../microsoft-defender-atp/mac-preferences.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 6c5a04ada0..19065efe0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -310,17 +310,6 @@ Manage the preferences of the endpoint detection and response (EDR) component of | **Data type** | Dictionary (nested preference) | | **Comments** | See the following sections for a description of the dictionary contents. | -#### Enable / disable early preview - -Specify whether to enable EDR early preview features. - -||| -|:---|:---| -| **Domain** | `com.microsoft.wdav` | -| **Key** | earlyPreview | -| **Data type** | Boolean | -| **Possible values** | true (default)
false | - #### Device tags Specify a tag name and its value. From 2421f6eb9762f33c9b95288f85d0e2d0b4f643d9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 08:43:37 -0700 Subject: [PATCH 22/64] Update windows/security/identity-protection/vpn/vpn-office-365-optimization.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index a8f7c610b6..94d87e5d5d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -19,8 +19,8 @@ This article describes how to configure the recommendations in the article [Opti This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. ->[!NOTE] ->The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). +> [!NOTE] +> The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). ## Solution Overview From 7f59fbfca021838f4ed57d5eed29b243bc88de79 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 08:43:46 -0700 Subject: [PATCH 23/64] Update windows/security/identity-protection/vpn/vpn-office-365-optimization.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 94d87e5d5d..5c5d6ccd76 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -66,8 +66,8 @@ An example of a correctly formatted Profile XML configuration for force tunnel w
``` ->[!NOTE] ->The IP addresses and prefix size values in this example are used purely as examples only and should not be used. +> [!NOTE] +> The IP addresses and prefix size values in this example are used purely as examples only and should not be used. ## Solution Deployment From 142072d917445e1e6bf7c1150e47000eb0c9c5a4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 Apr 2020 10:03:08 -0700 Subject: [PATCH 24/64] Added a note --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 959f35a071..8053b57d73 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/24/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp @@ -149,6 +149,8 @@ where: The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured. +> [!Note] +> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example. From eba04329d98aff2a8161143adbe6a63e3c231c78 Mon Sep 17 00:00:00 2001 
From: Tudor Dobrila Date: Tue, 7 Apr 2020 10:22:52 -0700 Subject: [PATCH 25/64] Add note on switching device between rings --- .../microsoft-defender-atp/linux-install-manually.md | 3 +++ .../microsoft-defender-atp/linux-install-with-ansible.md | 3 +++ .../microsoft-defender-atp/linux-install-with-puppet.md | 3 +++ 3 files changed, 9 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 1ea46c138a..2c8ed94c40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -43,6 +43,9 @@ The choice of the channel determines the type and frequency of updates that are In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. +> [!WARNING] +> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + ### RHEL and variants (CentOS and Oracle Linux) - Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 373d409cfd..d097245cf8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md 
@@ -139,6 +139,9 @@ Create subtask or role files that contribute to an actual task. First create the In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. + > [!WARNING] + > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the following commands, replace *[distro]* and *[version]* with the information you've identified. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 89133920ec..443a2babfb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -84,6 +84,9 @@ The choice of the channel determines the type and frequency of updates that are In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. +> [!WARNING] +> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. + Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the below commands, replace *[distro]* and *[version]* with the information you've identified: From 14cf38326b4766666fbc8737b898e1bc3d99361d Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:12:22 -0700 Subject: [PATCH 26/64] Update vpn-office-365-optimization.md Updates per feedback --- .../vpn/vpn-office-365-optimization.md | 133 +++++++++++++++++- 1 file changed, 127 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index cc51ad08ac..e5f40a37e2 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/06/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp ms.author: jajo 
@@ -28,13 +28,13 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: +To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel ``` -In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the section as follows: +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows: ```xml 
@@ -44,7 +44,7 @@ In order to define specific force tunnel exclusions, you then need to add the fo ``` -Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate section for each required exclusion. +Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion. An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
@@ -667,5 +667,126 @@ Write-Host "$Message" An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ + + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contsoso.com/proxy.pac + +
``` From 0aefce7eb4ccc882a25bfe74b7c1ff2ec2f195d5 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:19:46 -0700 Subject: [PATCH 27/64] Update vpn-office-365-optimization.md reverted xml for Intune formatting, added note --- .../vpn/vpn-office-365-optimization.md | 128 +----------------- 1 file changed, 5 insertions(+), 123 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index e5f40a37e2..381f6eb333 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
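Review bot: The proxy auto-config URL near the end of the reformatted profile, `http://webproxy.corp.contsoso.com/proxy.pac`, names `contsoso.com`, while every other host in the sample is under `contoso.com` (`corp.contoso.com`, `edge1.contoso.com`). This looks like a typo, and readers who copy the sample would point clients at a PAC host outside the example namespace. The PAC file decides which proxy carries the client's web traffic, and here it is also fetched over plain HTTP. I would change the line to `https://webproxy.corp.contoso.com/proxy.pac`, assuming the PAC host can serve TLS. The same string appears in the single-line profile this hunk removes and in the one that PATCH 27/64 adds back.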
@@ -664,129 +664,11 @@ Write-Host "$Message" ``` -An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. + +>[!NOTE] +>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml - - true - corp.contoso.com - true - corp.contoso.com - - edge1.contoso.com - ForceTunnel - IKEv2 - - Certificate - - - -
13.107.6.152
- 31 - true -
- -
13.107.18.10
- 31 - true -
- -
13.107.128.0
- 22 - true -
- -
23.103.160.0
- 20 - true -
- -
40.96.0.0
- 13 - true -
- -
40.104.0.0
- 15 - true -
- -
52.96.0.0
- 14 - true -
- -
131.253.33.215
- 32 - true -
- -
132.245.0.0
- 16 - true -
- -
150.171.32.0
- 22 - true -
- -
191.234.140.0
- 22 - true -
- -
204.79.197.215
- 32 - true -
- -
13.107.136.0
- 22 - true -
- -
40.108.128.0
- 17 - true -
- -
52.104.0.0
- 14 - true -
- -
104.146.128.0
- 17 - true -
- -
150.171.40.0
- 22 - true -
- -
13.107.60.1
- 32 - true -
- -
13.107.64.0
- 18 - true -
- -
52.112.0.0
- 14 - true -
- -
52.120.0.0
- 14 - true -
- - http://webproxy.corp.contsoso.com/proxy.pac - -
+_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ ``` From b77781017a9c44d9d022670a8ff8c5abe3eb8810 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 14:52:38 -0700 Subject: [PATCH 28/64] Update test-scenarios-wd-app-guard.md --- .../test-scenarios-wd-app-guard.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 6f9c6ff4ff..63d54a2991 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,6 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/15/2019 ms.reviewer: manager: dansimp ms.custom: asr @@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i You can see how an employee would use standalone mode with Application Guard. -**To test Application Guard in Standalone mode** +### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. 
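Review bot: The note added above the Intune XML covers only formatting and does not say that the exclusion addresses in the profile are a point-in-time copy. Each listed range is routed outside the force tunnel, so a range that later drops out of the Office 365 optimize category would keep bypassing the VPN path until the profile is regenerated. The earlier sample in this article already carries a note that its addresses are examples only, and the deployment section describes refreshing them from the web service. I would add a matching line to this note, for example `> The exclusion ranges below are a snapshot; regenerate them from the Office 365 endpoint web service before deploying.` The Examples section this hunk edits starts outside the hunk.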
@@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window 6. Start Microsoft Edge and type www.microsoft.com. - After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) -7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. +7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. @@ -169,7 +168,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. **Applies to:** - Windows 10 Enterpise edition, version 1803 From b46e44a835c9becc724243fb81df395f1455cc87 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 7 Apr 2020 15:16:38 -0700 Subject: [PATCH 29/64] update arcsight --- windows/security/threat-protection/TOC.md | 2 +- .../configure-arcsight.md | 26 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index cc66e6e688..17bf4fe48e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -583,7 +583,7 @@ ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) -##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) +##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 0b7d271c77..c714e0a848 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md 
@@ -1,7 +1,7 @@ --- -title: Configure HP ArcSight to pull Microsoft Defender ATP detections -description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center -keywords: configure hp arcsight, security information and events management tools, arcsight +title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center +keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure HP ArcSight to pull Microsoft Defender ATP detections +# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections **Applies to:** 
@@ -28,14 +28,14 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections. +You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections. >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. +Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -50,7 +50,7 @@ This section guides you in getting the necessary information to set and use the - WDATP-connector.properties - WDATP-connector.jsonparser.properties - You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization. + You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization. - Make sure you generate the following tokens and have them ready: - Access token 
@@ -58,7 +58,7 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight FlexConnector +## Install and configure Micro Focus ArcSight FlexConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. @@ -117,7 +117,7 @@ The following steps assume that you have completed all the required steps in [Be
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. +7. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. 8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. @@ -137,7 +137,7 @@ The following steps assume that you have completed all the required steps in [Be 16. Finish the installation by selecting **Exit** and **Next**. -## Install and configure the HP ArcSight console +## Install and configure the Micro Focus ArcSight console 1. Follow the installation wizard through the following tasks: - Introduction - License Agreement @@ -158,18 +158,18 @@ The following steps assume that you have completed all the required steps in [Be 7. Click **Done** to quit the installer. -8. Login to the HP ArcSight console. +8. Login to the Micro Focus ArcSight console. 9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**. 10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. -You can now run queries in the HP ArcSight console. +You can now run queries in the Micro Focus ArcSight console. Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. -## Troubleshooting HP ArcSight connection +## Troubleshooting Micro Focus ArcSight connection **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`. **Symptom:** You get the following error message: 
From e1d67beba3519bbd6953214fe8adfcb2b3c4a3df Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 15:22:39 -0700 Subject: [PATCH 30/64] Update vpn-office-365-optimization.md minor edits
---
.../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 381f6eb333..e7df3d7fa3 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -26,7 +26,7 @@ This can be achieved for the native/built-in Windows 10 VPN client using a _Forc The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). -Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). +Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: 
@@ -664,7 +664,7 @@ Write-Host "$Message" ``` -An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. >[!NOTE] >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. From 6bba322b67448e7db0f22364c2662c4dfdeeec93 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 15:47:34 -0700 Subject: [PATCH 31/64] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 11045f435f..dc55264dec 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md 
@@ -28,7 +28,7 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi ## Prepare for Windows Defender Application Guard Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. -**Standalone mode** +### Standalone mode Applies to: - Windows 10 Enterprise edition, version 1709 or higher @@ -36,7 +36,7 @@ Applies to: Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario. -**Enterprise-managed mode** +## Enterprise-managed mode Applies to: - Windows 10 Enterprise edition, version 1709 or higher 
@@ -47,9 +47,11 @@ The following diagram shows the flow between the host PC and the isolated contai ![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) ## Install Application Guard -Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. -**To install by using the Control Panel** +Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +### To install by using the Control Panel + 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) @@ -58,12 +60,11 @@ Application Guard functionality is turned off by default. However, you can quick Application Guard and its underlying dependencies are all installed. -**To install by using PowerShell** +### To install by using PowerShell >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. - 1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. 
@@ -79,3 +80,14 @@ Application Guard functionality is turned off by default. However, you can quick
 Application Guard and its underlying dependencies are all installed.
+### To install by using Intune
+
+> [!IMPORTANT]
+> Make sure your organization's devices are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+
+1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
+
+2. Choose **Devices** > **Configuration profiles** > **+ Create profile**.
+
+3. 
+
From bc9ff07b62bcb038d3a4efc0670be66bc762be9c Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 7 Apr 2020 15:52:58 -0700
Subject: [PATCH 32/64] Update install-wd-app-guard.md
---
 .../install-wd-app-guard.md | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index dc55264dec..2456b17225 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -87,7 +87,17 @@ Application Guard functionality is turned off by default. However, you can quick
 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
-2. Choose **Devices** > **Configuration profiles** > **+ Create profile**.
+2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
-3. 
+ a. In the **Platform** list, select **Windows 10 and later**.
+
+ b. In the **Profile** list, select **Endpoint protection**.
+
+ c. Choose **Create**.
+
+4. Specify the following settings for the profile:
+
+ - **Name** and **Description**
+
+ - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
From fdda31c6ce313682464c63c0f9ee813bb9278f8a Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 7 Apr 2020 15:53:41 -0700
Subject: [PATCH 33/64] Create MDAG-EndpointMgr-newprofile.jpg
---
 .../images/MDAG-EndpointMgr-newprofile.jpg | Bin 0 -> 93564 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg new file mode 100644 index 0000000000000000000000000000000000000000..428f96e9b55e4a71bc9514bf9b27e39bb6e02795 GIT binary patch literal 93564 zcmeFZ2RK}P*Dt&oJw$KO86`v)B5EYc5K*G{=)$Pc%OD~mN{kkrsEHPJ^b)-XK^UDO zy6APBx$paVp7(j)?>*(2xD+ku4*!okJECmPv5}M$jaKr z*3RDHrN=8zFK-`Tzt>@J!rw-`i-gA~Bqk+)OiBHeo0nfuSoHZzWmR=eEuyZz;af*% zS9ecuU;o(nkBP~tpVKo-%PXs>we?>co4*eZkB(1H&(1H%F)U-_;DB)O|6myl+Z*!> zBFDjH6UL)>q=o;&jgnm?gn&vRE~lcMkV8~^pW4!Wl!yi_w#51S53c`Y`aj2W=>IFG z|H1P=SiWfk$O*9eKsq2S4EN+%Aabmm8Gsmsg*gF{19HIOd*oJFU80^LK=A+&27n&G zLt6xK5i2T98-v0D83H2FR?0EkMy?0L*?4Hex8ZS9=58 z0pzNkTh~jnPLZ%^fMrI){BTm^a;LRBm~@As{Ctc1`eb269{-;RgD#b}(0+Y4Kp^7m zJJx?a<-aucUl{w};V%LW=annhYyTq`rMy&HFU+=}ku1jf>4}HKD`CzDQW$=yPB|lR*?7LA*YQ z`-7U5<)i<1oKlApE-cE`ev7t%IG%gNP9TcX1XvRwMHi|NFHf$TnoiE})&WO#O$6;8 z*97e~kra&Hf`=qH(~AL@j)6u8g0c%ka3KYhjY;TmMR{K0ywguwl1@f~FSUgzzg zfDJY=A!%y9&Ic9K_Wmj|!k=%l0F+NQeoa|9%ST2H`Va~TPAn<`LRD@3)<*7OsIHPh zuxm9I$P1gnI#k~Aa4_Qcuz$e>d zRgx6sN#Jy-ndHR}8n>w%;P;{6wI}SFV2pn3jPKdkAI@czIxKZ+5V{BVT6CiC34<5z z(v#DBQ%h=N^@?H5Ko*U4sv-w{wKmB)JN4sx4RdL4iD%YngLNJ`3-r@=fNBo%KJ<55 zb}g#;nmiewGnSgaj=W!2Z7@A;>1(9k;^ozlV*vEQl@z6vj6Psr$r|R0C`uRYFj7R6 zv64v>ic)zs^0TQ7KH;MqP1Sohsrd8`@ICh1L$7ETZ#Uodz6e7O$PQf6k}r@XcbMJb ztKK6nXr5KDba%V8$ydJVGuv(^n9g{V$N+8_Eh)A-NOS~LLd3kLyI>&y@Wf`xR#X<2ksB`B*b$lGxC(#-Em*&LRl(UYZ7Yb-SyTK zB7Xc|ac8XMs?dOxI*q zOaG`IEkdEiGSME&EI(}0(0cJ~sScO>P493UQBo@jM@zjy>8`CkalHH(9hrza$!HA< zr{w7~rTu{<5ZgCbHEaf0__AlTdS}G$WP5rWZsYs+zGVcp$%BK#p@KZ0b@6PGagp*C zXKy=bW~j64jZ?VbhN(O&2VMXL4`=+4twsOV`t~;tKI&Nphujw##H}Ri)oRj}!)^@K zAC$5CTuqs$-6%>L!Liq1(K?R`@>uXy!8fkSCdxuZPtUuV#s*_*DS8Ci`cJ|cP?bNU z#_!G>DOwQBPzl|8CIY~(WI~wv{NKN(B($m_C1!|%55at2!XYg$f?Mr~yMXiC-`^yA 
z2ubqub+EY9CN0g&TQ(TWv%eqI@zRqG9H24h`eB9lRCuZG-1qUr6j{a@Egz}k|!Bs1YBF###l!=Bj@j$`7+Pbqqu}33Vh(Y2E%K1SjI^<&wetw61Qbz z2NMB2!2gyv92uz~895dg^OwM>+OIOCW^|Inatw7;2{~V2s!G&2pO9VBgR7$Cf%)u4 zUu7R$s&VpVO0b(sALzV-PY5EuJsY`MSJ?v9AuY=Puw8rt|5W8SGZ?%3O=ry zP1`xB;09={vkjKwL(qPGn#{k(s|=2AyoDO9KqQBL3FkU&Lb@?rXEzvkr-cT$k+1zA zP9=d; z=k%ccgO|X!?Auu#zrV&fWNVKXD+L#`OS?4;BuB3j7Y*@t(OfxWT~*uo>U_sZP4{RH z_CJO_iz>c*F z8!Rh{r(;r#TI=-}_{b02cwI!z(Gg#Xy%cf~vLj}jtMLxczwVk7FoCW&D(g!&)dg zh3*NxT^%{Okcq;RGB0r;+lH^4EN`q&jJ&x@!xOiIZrX#SJU>1#Wbt&h-lhJl|3sGY0H=D}3-1PMAD`I@^buEMU)$h-uq(yH4 z=Aj$FloTDB*d0^g{_r(v^-%8(U~~gqkmrdMxjtmHd;R){AB)zGJdq8U%wTby!);y0 zV??rT*l*D;AK-g7a++Q%Jn?R0{PPZSyaphV5@O4U@JPaaH><2LEho(MZkPvfcptdV z%?e85W_^Xv{Xy#X>l%Qk&J()yQ$oGH*U8ULvZvM_i+I~t0CH;ebJcs>m-%gGHI}ER zV^}SGP$eKG4`M=@BzUK{_;B58uCfI+Jjo5F;K5E#mnWhNuAh-$6u>Y8lKCBVnhiYb zcV`O0mn8N`w~`z&am%b*$p^$BA;CWxe`lGI2Ccl_d?2j}LVs_wkOKUo*YQCh=@UlM zM?Inpkyyk$?oLmOS3lCJ!(xqX;m(Ey@P{|K%3!o!ZYH)@sHhVC!7vj;y*B z;yOuyyuEE>Ech;-RvY`DIsgrBYgr0BwO8Y%k%4&U@jrTVl1--%w+R|@m z)(}|p<&bib>s59s^*jIdE-6k7{9bSwn|9S}c*nEB$gIuzpQIqUM=MbBiUpZfvlH1RMs_3V0a{i>;7uGXZEdypOXuR{c@K} zuy4Vn+m0^hD3^Zjhly)AOhqnN?X?xV5d9( z#~Kk(YE;Gz+Q*3sxZ^l>6X0_@KTP-BBw#GIz+QbQQ>$|D=>}+ZKvQ+9%cj^lQmTWs z!lKp0Ika76Ds<`UYY2Ad;wa!@Ca6k%Ynave#EiHBd15C_q`Tfr*R?qAkWpx3cDZ=E zzaJu=>Z0fmo@w0qVtuK?wLGIPR^!#^ASG}iM(9w`=wx1*M8D|!Bs!PB=j-YPas1fZ zXAY*_5Qh_U(*{pmZIWqKi5q}oqtz?}GNoGe>d-3kE-g-IM07gL8x)TOwNjHjXuNOR zAVdGjp}4D{u~exn&3e>#i&04^zmmf&n8F8{9!2(Om6>3O&@>O>yx=3zpXSdAt1EP2 z&Un!Gj*XSAa};d-PP8K2$Kt1j5Cm6+mE2f0YUz`z@s;dJ#hmPyDdVy)-Q=Z&-Z3+3 zb7RK$N9RZEMw9LgXgsxnw(**KvCmM!$Ynx)kt#e|%Xyxx(!Ap+wNQ&pmF)5~Hapc* zYq=yfm2F2rjXf&7YjNye#%1(?-tkI@4_Tx=tCJ%4bU)4S^_EjN zhea}dQqk=tu#M(8lpqcbsb{?)WB5UYP}PF+K}yX9n+KqKHif7)g<_icpiO@de?-e< z>y=y_(>DjNv;HjCgBml94&2W0Z*D!Dg*nn=Ds= zLaNbF?6}HrtKeNyQiq1EaEP<14=;{!$Pq`8G)wP=o(Wtnr3;x`g_yT5q&e3~oKh<; z{}4Lxj2kevWAjs-2$#Qz>t$-kZS2-)Wgb?$0M)(J=3U%cVhw9LvjiEDL zR=SqcZ6=HBuiJr%hobLMZr=J0RZwGpB%DSs+x?kXV)#uww2=(VArn?5PA;S 
z_ni8vC>{aUED2GJ?gX2>x{_wRLmpzep4NNLtzyQXsq)4(5+(SgY8;PDUs;oN74+vN zgtLc*L$t*_kx?iOCy}eRxL*1ZYUijG>%{Szbm#F_I~VSP3-UYPy{8h3=hT!+QApjg znK;RD@)==9XDfn1EshtL!_OI4R|BSjDDolg9P#*?vKjq`Gw+Q;s3+T0L0Y7DrTWZ} zKhkrmCDowmp4fp`h%>}87>i!&tuCl+Y1WfE7M#>nHrX=bj1Is0?RS@dr(pq6bTYQX z;TioYigtLmyAJHB=@$KSRZts?Rwz^$*VpcY?>(u{Tv(lk<&xYFDrtwJM-0yKx&oeL&%`|5)-Fr#%CgIK2 zPATtPxSE;at6vv8r$@W8K2G_}&HC!--R6j}J7&wTx2Flf(#p|qBJqZWqua_&)+5Vp z#LD~l&%OL-PHHb-YSa|^dnh|YC#P!mYA^iaTQXiS@QNUdA*Wd6q0<}HFdBa=$s)~o z^`b`pBR{_r{^7fMtMUGPrGZk3t8dlb5Wn3<>fU*V^CUrDjSL@5%$ylss$Db_8C5nD z^SRWl?_~C^Ui$N7F{k*XXc?Lv@1NGf4r5X0Zc5m>6dM$=>6JyZgr?Isj ze3qSc$UF{oxQLovp(}k!9v@WhE>E4ux^}Lc7!PfxQ1g%+damz12TnTm_oCePbDfKG z$`@`TC%YRT%m^bKVLV-qwUgneEt}LZSHC}QE`Rc2YCf{|)KTqp>e+mr-u^~10r-(K zmWC)XJ254&`{Jj?>&%a=>v&&u3i11wPf?>%=9OOT_g`>&aw6`hLGqhtTGC=K1yUv1 zf8IsbL`3j84~u8s0I$|>fD+f{^b;-b$<5)-$vI>7{*w>p4xITJ6B&E8E%LPuj!L%J zvr1*7Nqlsgo2r#?`BgF{sgt4G>El``ZwIkbZ`-oWjC(|Rch=VQ)Qji)H>OMdV#NJk z9$yNflx6kx=rO$xHe;+-?@FrKa3F_3GmHAgD?d5mOBKNy<_vvPeY0X+RMF2;vFWoY zW4P&el8R6xk;g?i*s5{EvdwoJJYs%3J~`Roe}4W>=k<)57h;QPs@L*yfeKp3at=wP zq8k-l+DfePG$1;iGRj?8eJovH^u3ztxKXjG-)7jC_7;OaiGm@gz4C&n#Cu0mGnCss zgG<6FrcOq(mZsl5LA<7t#q%P13(AFMsZ?Jc&5Xq~zN|T#(l!)pd|;@%9POR)C7`Bz zHwV&0RGd1r% zxK}CmvVt1l`KmXiBaxol4fu}pUOeW7!|Y>%D79wJXpY3EKy`L^hnJSp3c{85@m=0W ztfV1F@3M_Up_WQ2tL%@lEAJK8O9Xe`wOJ)jKj8{yx;yqF1DduyZ^hB?%FafPE$l$L z&qqj=BQ5SDBZ39JceEklL^Fgc@}6OrA}d=Qids^=YRe=#5aGd2OxvKXcq|>Ha4Y8{ zTqowPF+9)L85B-Tl-T{4q}d+J+ktZ>h7G4%yT5?*-4ANvQ2LNI?jZ$yJ^WywUeM|t zX&xK9YJyJ+D#Fa{xOv?o&)NtrM3f$CVt;FRx{r*DMD@db9D{9j!!AIci>DQURZ32%fPe zyxy6qMTa$`CuCR=5L3=u6u*?o69s*AtGUfo^{X&k25a%a9^3eq6q71$JtBtd-2kqv zkw?WeAsr5xDm;%_iPR53T)&6j0MeF!4OIY`B@#A5*Sa?YdjqiitX(+l7Q8&k!Z`m4 zKjP~5d-QeTnI_hMHTnOf#z4u6wJZmJGZ?erZ{BHsPaZg@4vWp>H&{vm)Aenj%!l9c z%g+K~%Z3g&fZ12rulzhwWBY8-f8qxhDNoJzHFA1-8CUHX$Y}OB^&_U}^mB1?b(5!A zo+*38>MC{Z5K-X?rCud<*lQen|1T@n`BX#|Y8Ujf+ERF@f1Y zB? 
zyr~ODf*kz3-app#LPyl8C+SNcYMY4G;dUonf<|&!)@aAzv(i;REjNcpW>Z!I2b$hEVdH^mRHDOt$4ss_t4)!m=g@&=+i}`|O;-vKS3uZN< z>W5`e6@RL_A$LoI7;?%hv(!s5&`7FaywMSQU!Aj{uaq{88!^hC?Q3m&NYZ9;S-XDv z@lZ$}2cMNGHv}0hEK+`#r^}&tT(5Qd?A1XFN-4~8b-t;u&_A%)13Hg{wb5Ph_I`nz zNWD>d4_1u7wLKfQz3C;mhsRPzDmD?MH~WIxE5A^pv)ryVZT!VUT8OH<*RzKQR{~SU zzWm;I0^}T{bAFOUrBnaw1CQszn%n!ZV8bRFv z8Z1leep)^O?@|UcP2ARdXS9Ag$IZQ)qob4R?Qr3coNME@i!k|Yv~#83@T`xsI?Lt@ zqM$&H_&lu{eg?IjSVhkBHI6P!sXN^O-z1?G>=X|S=B&G)ukoQQ5Cc)MoUY2Ov>K@xyNrbuXYAf zOvUmldU?8oa8bwl9y@*Nlsx-q#MhOHdM2Uu44Dwn-Jbqm2ld12ifuM%&Qw$?Ut#_zGEC$eoN>=#YfXMa| zzf-qAm*0MGc>10(JU_@q!j)HvfL)LA(jV1B`2Y+zHvZ!0jx^q|qxxoG0GUHHUl^M? zZa9BYXLye6k+x(!AyJ$l##mmtPp*JTs8m;=W#Mdmfu+m>@d;DqM3>Ce;A-%P-FLn4x({94tb?zePT7u7dL?Fnw)-2w0J6JS$e17sHVXfO%mzqV++O; zPdK;l9mPVeiae&WRFaZ($~l*e3KeM%uk4br{ZuxtJwNH5kZSa+W?}hIB!-%=t8ZFt zrDj|!>bc*`BfkJy#jG=BXw35P;20r@B|e_LzpM?48E07ni*9@A=qgTYIK*hc^waX# z!e!C;=IG?k-29~rCwP7);3<3sGDq>4xY5hxd@0R=FUgiINSk5JQfVojxrs=tBq2SY zX{pb~Gmt`ktKhwHU`HZte=ecX_*tvj48)nBTlx~&YctDUG5(*dwvJMZtr+ffgNR>`{nyTY&?{x#$G z4rcW1(9x9v-r$sXnk8XmdUo;}gV}fSC1-(!vnNpO5=TCQL=I&IcANMb+=u!4`ZTzEeN5ipTdeBoveO_gofK$y4EbaPCIj z-P-W2b@%px0-jS%lbw}#dy*#blMG}gNIczcBc8!P6~1L3Z~H^)iPpE?M){etxW$#Y z=GwS!K!l;)wRC_k-@4kSFQVl{z!uVf9#hWVJ(e9;!L>8ENJg{+c*ce<#?UFw4uMCN ziG;Ny>%tUksCWhYi37wzA9}zq6oNIlUze^O&^W%!iy8G&%4z^u^%YroiG`GThXK29 zt4pr(jM6O7j3MbLbGr<5k#COlr`)jXg(0E};T`UKqNn1)Mz1?)l1}!V;1A!b=@OSj z_D)8AqNlu7{eY*;Js(2Hhd^Z$K^A{f?Oi_oGQ12?C7>MiOn4fG8%1zZH*7Uy05^yq z0yqmpckYdbYOp2t%Y6(ec?)4rG-ePA^7-)9;;~1j3M(jg?C7kz*rq0W;0vu(mh-ad zj1srKE{iB5kc|~0e}~>&>-;-b;xS7G@PGS9{NO8Hj!V6J9_Way3-Oo0F^u#E=oJ}9 zH(T5QqiQNPfw0b`OvY%l^;d9JH%4+`td7Mu6b?LLtP;MJ&cpc;H2t?qBrKHvv{2-Lud6RbLjiUr0wh9 z^7yL%&kcHUY*@9AUfAKTD*g97V!r7IMDO-{_1HISr86|4^|iIMR&Eqd)7 ztdz7dKH56k#a!K3A95`|D4{IqpFJ!FlohbDZ_R7NUIi%x-+d{O zx{+HwX826!S3KA$%~i%Z7G}b)M(M*$T!i^>M4;$jwzsmLD{o*rq7J-;spHxDN@=@W zvDw+60S(2gH-N}vV&36PYArS42W^@nkdrp)F{IWxM{LdS+B8on?ytyYDgQoxD+FB4 zRxx>}iViwW$l@7s+ap{hgXxDec2?2|8U%xLL;Yc?=4n!L{8G3pKQ)B|^3cC9#F_t+ 
zlJu@zgB+VYenQq9%ZF@Gzs7ECuO=3X`&4}NrikBT(H^f*3ta(`{oIAo7|@@{SdAm3F^hlBv_~`qbSCA}*Kf^vcOkD0c`y z4%(>|I!G;#19yD@0;56kN^Q0Vn@Op0kL`)S4`I*txJIZqcCQoBm_P-ThpP6R*eYHt zUy*joEu!%XdM}pTrn0kf|A!j?k4%LtwN(ri7nEHgB;%z&K|OctUT0-0B0NuD(hL|> z2$jcH_J)cb81;n1sh@Mv@}`~Z+ID|O1wm70$%@IS6Fv|^SF{;e15dVjuzUW(z->%| z(;dYD^E?l(9lE#xB9U{tsDb!IhGYwFcV`wp;#G3h3y)V5fymf$K~p)3Kn9bFspXjE zHtD3pcBanfbf)aD66!QdHd~t*2z`2qBYO>iZ^bTKEqOP9xmzuT=y$=@yTszkQA=(| zOuw)hQlQ(PeAn+XYUV;X$b^crldQU30q*_$+FYYwQBcZGqoAg^G#5A|+c-a5=V0wp zI%b2aTlA1uRV$J*R9W-3e6caAH4d{)6l^CEBlcjA`5WYpBzqlAGzaoo?J_EqI(YVD z%P{x_JM=kgpQlz5tG1cBV6sb{KNDVYk>RhT_?NW#mWZ0@{KVSTFFfES9U5-X8z4y< zfaHJeD=COMz{wi059lOC^@o5p{U09IymgC@EUo6Gsa28^Wd8PHaER}D^&|y^|Lp*7 z=SgY3c$WCQUZgzMrbNyREW(}VR~GEd<-2qvtOH$;m6Z7&<49fOH9MlZ4UJ!`1` zBm$1&pIDJ)Rd%YhPLjCs+e<-4)R0LO_7a-m%a^l#>LNAS?1>_Z5=k z$lUC8VJX0X`OvG0XVX&X;1MXBLU#kGR7Vn8_rLHmp-+-2{hr>=wJ5ub=Qp~(?(%J^ zHdFtaMB_gK`F|=N{m&a>DWNx+B&p}O7q4g-u{IB*rrmTc&_R^*yX)kn@Z z{bH|&qIhidbe+gldIjnknSJ);?@;=>DvgO)vnR1V_aMV_{gPe9q6ol!Kw?-5OxoQ` zOEGv5BNTDmHbbjdv$YdxoM_m<&cKJ)YsP}+2dZIDjChLfm^R$=Pz&C-3KK{_o)C(tO;TNt| zE{VgUCe=tSXMrg{zDC)y>)4F07p4JEDb}Jm@rT6HAjQ)!x67xE{dXM$7AP7sstNcg6Zzzp)1ubeY?@^SEwKP zs_`dr3AU@d853jENE^=y{(wIA{jP~GU6ocsG4piR(Q7^(zCpHHoRLDmyXi-NVAAux z)nX0#ysdni$<$&ZH77MFxv(}!_0`cb%4&Ed(W(wtrNehYd>fv9X9h3Jqu|?yFP{d7 ztT(N|1I=3kT138KwASaL@g16YI{+1+i6xKwZ*LWWhes@vAETnpJEF^;RcQz&@e}yV zL=wgXc!)LDC4de}xKEAUcN#SKKLJP=F@?;a1&P&#Dk%wT=NX0%^}h(gxATs(ZyjOv zpN%|9>ol@5GLm+i1y4>1oo9bEQZtSy)0Paqn%9XYQ|2YqL7 zlBJJ3E@Iz1R}VzL9G)S#CtwG+r$LobPn4RnyBw2+ceOu9eUR6^{VYg+GGVlCqi1tY&op9SsNpG-^*%^f=qK16J}q!|SwUupD4E-cxWQ#bJx%t*E8zkKN0NKuhAfvSfa zE5~SnrMRb&+nt38`?lL0pynWpa@`F&WiFWU*=;2CRsJ*ihdD-;#T zwCU68A$II61 zT3oRKwey^~2t0jmulXA9i5nntYaFh1^)s_iVByjo1{X&&`EXr!&{Ap?RY9bbEPW?m z`Rw+kA%;j7homKOR0WWld;uf4B;8$ei|#vU{nV7IiR ztU0lLUyUHuXM3?BQZWXtMkt}qnVYk4M;I(lzOVTu^(EsYv*uGq_nhxGS?+cDjol(n?%V2%u1t!v(rXZ%C&^it+p2bmM9;f9?mu-@blFD}>0gaHwg(Y3?O$J) z9&d{u^f%lujhezbeVR-&BEEb}xj`rCE_>|YdGidNsQHHTSG?5`Nsn+;mrGKc 
z+|_Hvq{4bOq;fm>sS1wu^CPERno`%7Y_`SqPLjSFsXmKm%G}^iBni(Awf&L9E+Nvt zZN>ScOBTAU>l%ZEHk&pU%YNpXYw>PPn>D2!-fG@C4>G3lG!MUc-RB3jMBH`zj9jSK zkCbSMFeCtndctSy6LT9#d_L)<(lhn3v8wfQ`2$VY)bTFU~4$*orNOHaPQ(;#mb zS0h6-i#X;+=~64~@uh-N+%TGA>JmBIai>zw5H8QijU7)cH`kaxib`b|QI>GODBg#> z$gM`V$s1s4d_46Ac(3m5{}zruX=$pxN)0lmJD$ii zIp~M9q>db)?Ckb!BIkBb8(agBsKWQRZ?#Hx3>e4{pG3#sbB2h3*ucF}K{kTP3WnZv zC%k|Y@|DZ!Oz=HT{7AL^O?05DW5#|DwCE)z!zyuC;rOA88<8t;D1F9E^SlkwkhaE+ z4Ik^#w>Y5JZ~ ziIMi}v7{A=(*gCA19Neh-75IT20lxBW7!Ftcd~t7X!u*f?;<`Cu;Cv^ZR^$_3^tr<3sNa{NkwB|LU@LA*6~ z-SSOO$DI0#2-4WdSkyeQV5V~r{I&AA3o+^1w@DN?rI`CuJ=~B*ZxZ6P86~l5N6glZ zhr_h*uk8y7=qO^t-9~-DLE88f%cJ%(~UDcX#Oj-rTw}97M1>eu8+62sNu5S$&b^%6Z)z9z~m__k76CcnV}K5 zwF4I42$Kmq3EAB#I5{uoy!LuJQFrFyci%tlW9W6p#8AAlm>Yi+%tHK~_5O8YzW5fK z9U*o9qr-Pk&D;Zelp0!GGEOdA{P{?~_;b1>A}((LJD{2VUv+sTBlxX_Hojxz^MbTi^Um?kkI_1J!$sRU7lwM4M*2P*O{Uo#~}VGhjQhGp8u-+w>E zKIM|?NfMhU?|e>?OAoG_kwJVS9I>uQX_jkK{)Hx34w-y13r&4*$;^ zFB<}$tM2zgcgh2{-mM-4D>WRFv%GSmd(1LJKk$_X%?I;)Hb=4ga>1`Y6^Wt_DxX&> zI)fIMuu&Noys$CQv%BleV*FOi*x+aPEk)cfbctWHzY-KxtWZ=t4oqL2+i=|gc<`gU z$F*53=%;Y=Na#hX%VMb>gX6%fn##=Owcq(k7ZB>T<{J3^$ZF*fl=m^1+$lzwH4|4D z>kiOiWz0D0IJRoB5lD5pr$H8pSv0VXufm)j?{nfa==IoYNjy>(P(AvD!3Mjn$LO*5|o5Kp5$B^u(p!PZ7bS z{g=!h*ZEMrp9-(qX_I4lzVe|FeZs;CJ?qCVW{#fg=Z79f=w$P=+hL{rm|pX$)Dby3 zviD*wUAwk zxNbhHarrS)x&JmotPd)NbfA!t9llszD%0M4B0-ZZIv|~NDjxL6keh^Sl;`7JptXN^ z;5qc(h0?-n$oVU$;?0@Oy_uPUYrj0pnKRl>P2(O=m+gYhSjkayfs2?4fAeymSg^X& zXy>@`XQA_o!HQlt_OENDjaRd;Fe$Ccn^OaWm~N)8m8SIxI!NJX0RNAsIHnFos>utl z&n|X6iFx7(TK%yBJ9cOc+vR(2qOyo^j>LCVR`kd{RODrS`DsDoDbvJN*<7gzt~8-V~he{WCz{IWEXq0+FsxFthE6vlx?s@p~ny3L0a2yhVkQm2&prwIL5jePvX zJGM=U<#P)jKX_ID!vY?W8b?T(9*4`-I3ukuB~B4k zaC+VFxfK8!P#prX<(BMj6Ty-u6K7f590;!H_HCb)Z`%uH+@)*Bd1L8qqf9SXzIE}7 zW$O6a^PW&E9EXGOVdE~yUeC0QEbh?4?nN7PKJS1B8xN{Vmuo=jPZRH*s##emYhYP| z<@|^f!f0_k1knA+R3d$&8)>86C~qhADS-& zvR-WMV3I|wU}Z2~xBSnA>cggNXRq_H^fz>%_+UxNwjRlKWIkZ{AJ%Zm@L)G1lrTl_ zMc7?{2bYYlEi{iVL<-BMk7(Lt1^@It8_76}o%!A$8d<|gbWXHW?EH+D$XzuID@1Ad 
zQM^=Q#LrgG2;2;NtZt}@-Km=e@Ce5`y-exW5`?CO?`s>n*IfvXp*}DSO+vNj$hvZiu`OJ5wu=$ zv%TE*S6z*)C2%Tc{pm{4s3nON7J*xf-ld7#rO0FHJ26Cg^*cj5UJ2=e3pR)2X;29P zdxV>*iR$DMH8ELjr~8s&R9L7AT~J8EZ6V2gPU~jF(KqmfwMBR=m?x|AI=g{5-2!D{pE*$936j7hahMT@RVqCo-CE-=1-eBGUM^3Iu* zVfo-&UPL4@dDWM9@>aD9{p&dvKF<>YCZ>PUJjs*6Fw|R64ruDl+uh*`6F!^dImOY6z zIZSN<&kf+)DvZV~#w%YAoyTG-4Ep~@l==T487u?E%WY?u`b`<-8o==XVmabDmpiv^ zsntS6DFg)I6FB$zli-ON~WHa+l7T`7)l?}dn?DeDX@Dm=F`1{Bibr|kC7XIbH@dBesOLu zI30o61%n4UZe{JFSu}=YTz1QQY8tPul`*w+ndWc(PtN^(H@T-ZG{nt^0)?*^dbZBB z23wQlV*O9g{ccS+*JF~E;U|cLtLuPj+U*{+ALP8e4AyuSDECkjBO>$U-r+F|2iiA? zX%C6oSTD-5;fVbQDP<9~0a|8n0rgAJ_GCS4fq4>bo>iU{dX0hm2t@Aw@yIERG@o%{ z&OFw|JgexO<#1qsH_IhCH}DVf(0&8wKrz1azB$E$%e(!Dln|#|-2j>eDf{%g* zm9MHXy3&L-?!@MZdB8k_)1=s z7NY^!Tie#;Vf1I;*~`0_Q;ec^&?AUV7%1(s`1j%A;T73+8b&x~^SOg7^TgOctcNl3 z4X}NQe*IgrwUMP~U}WI8<%!Gr`WeQ8-Xr^F-m?8L%=fXRUc#z&F0!2dlrAePYw_*& z0!F+8^j`AvRY_n1MgxX&_fKyCyM-g>^FMTnfs0_*+bYpBL^{ge-^@3p6xxwH0-b0VH{*pQPLjkg8LFVsS{vtH+?>S2Slk1U@ zk$nv6FkE|KL~AV$(vuy8t>Uc_H71Ox)Pf5?Auh%W2-3nyNezQ|F*)W6t<-9G|d zwoG5d|7G9nAhXba0Wjj%|2l%NivIM4=F6*Q-0k_JA)K`lnNPOLCr%>%xgnv$Elk`0e> z3{3oI58XI9K>T+gd;`cO51I|_jL2OjSD6p2!*rT)FNOa?-XOior|r zzu=`Z$nj6S$Wf+UR$K)%UA5Bu%^fh5ZUEeMkL^6z00y5Y7^9ZayniLEU#Ib$qu~aKq1Dud?~Smx!{!?JPR?QZv*MpXe`4_NMn0@}hRD z3D&c?9rp5J^pTgoxF)-z6v(|woSCPWV|B)LT{X3jX-xlr-GT2jzNA4Jf7 zK>F}eej50V2ID<(CwRua?PVhmkY_e8An)E_>tg-x=@}^(d?Pa zDhz`k3F8N1^rSxNu$eSH;iZ*|U+WzKNMpP9r51RiBR48iZgGItcpP#qu!yu0mpmo= zS2E6q0nz&`3^lpFWL?DZ5wGJL%`|Bj@d$_uJvZN}6MS zoI*x{os|%5h*>kpSg&+M+Uq#gArLRb(x}AXT~v!-_1Z&L?fbfk;}9=;LC`C6#_uL3 zA0v$I^<1eZ`jj20^`2Th<`Ir(7iPaN$=`tslzXo{vZ)i}V~ciu@;sN4Eo@jE`->4t z?u+yt?5Aaed_q9JT$BL+?j4BL!GB}#y~CRN)@|XHP=!bbX-a_5iv*A&2%&{gqzOn< zdXo+sKv6>P5JE3f1Ox$*UIghKq$<)o*yt#N6z}@&ea?6GzGt8BKKK54@A)TB$g|2^ zFUg$mJKizI+1JB)Gezk*@g6M;LekZ8wDr-*ZZ?#wpqqusZIt1a^ zNj2JoIm$MVOctCTS`3BIBZ=egi7aT~7ikD1;)Jkt9tDq*k=vAz^%V*3pR<2rQcc%7TPr`|%MyPq#sF*C|@9bJAUKy|JafVtX7IV{kNdsx)GU6jP(dQ0k}yn^dP`uFiX( 
zASRC^nU)!1vcTzmJTrP?eQUd1i}v9|Cc82kTF!9uHaVEMjj8lYshvYwSwRh8Jf^4U zpsE{TPmrmcD0Cl{T;&mBHsuKWNUMW0SXP%Pi;CxTZ>KWaOyf ztDb-mqA~S-3v2)qZ_Zq>`{ngWRVhSLqjLypoSQ?A%uK2j?Z8{bCG}qgY}h91M!@A; z4rgZX5f6gW%aP|p3`g?DpikYs^|Wj2sFXyr7`q@HY`!Fkn9c@BI*k)i zYVCf?R@s9Z;Ri!B<`dEWO@W*RG~uqqPKAg4JpCFk^n8i%mvfJ`4`Sd!n)1(_6rFSv z%}nxRwGLLLMEE73m@vjD2X1G;@r?HiGuoPB7*L+%k6RiQlQo4h(r|XMn7fGC&Ct6q zL$50KNT)UIm&7A#8~s-GCeFUyuC1wop;f~&urE1W&_pF9@qp0i>dcR?cB$&|o5)+k z=-C_Hm4%`M>_uG-J43D-T6rCbrV2Y#fZ~c|Q@HoU95P;sLIqm6$X-~jInv`rpdr5t zm+9~j-kF8)EX8N?=ej}#C@_1qNnH7cr^3<@puk#9O&e9`k^; zTeHSuHTq;N530Ks%%qA*ynh2;`JCOunKz7;vE6yxOk{$##%5=fUk$kJu|`vJ@!+Mk z^3KSrJYkzv7*o0p7Y&v0+6cGULEs=d*RR%ucud1LRztuwUI zC%hM9Z%FlmomO~4GUx*)BZH#b<{&!Usv8MB`joJ}JzwbMKR?eu!*zaqf5p%)uGyYx zrz1pa9yhdzyKZ`%s`XCobv>6F!xim8#9jP=ha{4{1n6yYoXI|kHrgu&8KX3Qd%7H% zBF8jY;X*fWmOtUNXT$YnWPHH12y4P(H!%G~_WQ$lIrj#%nxWB*)WPJ9Zv68?^$>Sx zusxBdH#c&J8(`9n*}(UXwMWN!!V?{y8`z(B6B>5f1^yXc9Z@YHd>{}bhb>QMvFD5=_1a&jg-&$S$~UB#k0?u(`}EVP;JBZ+ zgp+b_(H3OvVKY+pi1+0^3 z@y)wSII$#wyaR2#p3PwVc_=JRmT!lEjQ6#J74Qk@h)%_5I8A-M7GXgkRfPLK#=@xYdFu)=nv2z-*J$}*4ta?x*7*ODe=C>$L?~hg9Mdk?~6FCucq%-DS zHovNTRn2sJz%Fi(30@-n4*Qun=o{)MI}L_p_McdztOP-f3Jn#RWp8>ML_ToQas&r& zOd$uv_`LUXkHUa^d9e2eKg$V7c4gm8qd3D#rN;25J<;{Z%0!%wSAy9Tt--qm!rjM~ z)pI(V_~?|KEkf(3iw1rc50mv7lnMPnqebxa=vn2rX_lYur5nX(yC5y(53n7*5pk$^ zMs`7-`=Hs|_Vj9#jI3qtD>)2>w|smkP%KXa6r|=Jww;mv0qUtt0zvzm_Q2(Y(?>tZ z700bqne{J{8P%=Gc2Gxv{*dm;(go2UV2(^!G2;)gthlG~Z01$qXkp+n{U2b~=|657 zlFBjs2iW5{<~(|@b@7xNylC#lq`HXW=fGnSh<0VKyl@05bbo*j>iP$khhI4^i2ndb znX+K_5@dF?2cBB}`>3DRfb9BQ40tiVKS1sHe;$I$c4peyZ}mSwkmC8vc(cHfzwUc6 zEo*%Sq7h&Kf;n72w0)jXJi7!2L(+Tl!uM}CKI#~v-UJ78Msw-_5(pH)Dqvan58(VS zf)O!yu1W?!4w{s2AI!}3&eb-zt_-kAv)rGZomwbb_$4hwL{|ygDg6Ne z#bG^?Odu{F?Zs&%3Qnq*hjJQkp`Wb12Goyap#JyGTrYNd=05pq+wS^IzPaTDS#pf= zdK%M+@7`wNK{F)9u2Vt2kwJ0nl`rT9ON&ly0Fs1PKhKdbb_xFv80+w)l&Z`YF%C?6xLJf6P$@j6okg!S9ebLvX$+{uNp-X_jj>BbWCG8vRTt`vdHMpRdvTw!6~Yp><|fIS7IoAvExTct`u zqn=diX^-D>&ibQW6h-|w--0SL0OMyS%KJKIw~XCJF*uCBb{A#(W+b{F%&4JYBFtji 
z()QM*tPv6NE2`H&?=m9Jh8e}+)ebxasB&z?XMY%8s7K^F!=-QHe7@{5sd}h z01dFT5_YAF-!%OEJXM=E10uw`zb`VG@0?;U{ITaZe}A7}EPp@ZZb|P<)Bk0XlfcK> zS z)bV@e-r^P(b#0^c`37NArU{t~5{5}~n0$*vgqTjabEiIZ>NI!oH!ZN6Hhh~w^~1na+nZZ#NQj%;I*0*6WGC z93*Z)5zHO;`H6BOjK}N3m4^@l?sR?y0>TfLyRP>0-q4fI>mnbq2o+{5*u-6b6Zx>? z^1{!;XI3>h?VTzHQ##edRt*Z=N#DrLaAxa7)Ro-s$A;FFgC*>5E50l|bBdx9fQ7j5 zcBQyVeO!nukc6b26`x3~#I(5F>|B#zZ%DuF<+k*8>ZUaI z7E{;b7>*NE(Rkr12`S5mcl^f13@ zn$gIY_Cs7x(ypBz(Vgy0hf_ZhsX@m?8@)(W!nrfsL6EIIQi0p%4IXp97Wn=&@OD$i z#JwsVMCQ`3$Y)-ZZ^h^sX9ux6_AsowQGf&hx>>#YYCMR*MvHOBB`42CZqSL_ZuA=; ztjlcI?m%&@Z%5Mj6T3>2!qWJ^tob9u@Zx2!c*r3*IPmPN0g5|Bf1-8{BVWzkK#=b` zZIX>7Aw{!E3;XfkHwEq+HV3rhiCGupPvIoww(I-{7RBNxN)j7eM*jF0>!H5N3{@&P z^1jH2{yMa4j?ctwtOpf(=;%3i_IVlQ-?t(4nuNt64708HAvT>}M9qN%WwlWltaMR} zK!g4wHXJv|2~Pe3z!=fmK53d@mHl+{bc&PZus@wffdftCP(6&Q6Gc5(NPuPo52n9M zNl(XUe=FfX??x{jFveWG1M?d6DC*klf5gw6VKuzZ zVdW!>4i>>)!lmNCeP|PRVzRC|da8Lx<8rc|kf3{4 ztkhS8yO=u3O!S`aLdO}Zj79YetAF1PHyf=jo05K&3JI|Quq*-ei3I!SU2^~NMC&W; z6YVY@N92KL>>|B(f9jg)d>$c73-o9OWWGv8I3op+{gVPbQFP+WGY2}}dY~6!t2E#Q zrQV{Xk&3Lx8R1NM^vcUB#c^x43@7)}NYz$`?8ZpGyYRcQs)u1~w^-4_!zMvt12z~6 z86##Rc7PxH@t-=2{~r~A0doKIPQtIWKY%g=!~uuAkch+W493x zUD>Z;ZqRLN&DWjYqCaTUHCIIQJqzdQHc1;lF&P(|`~F*&^FVfX-9@n+PkAZ7aR$LA4U&<^SDf1SevN0r`Xy2EVtsN*s0|j7zxWso!*~HRlzx|l~Ido%JO~wBvbW$9|My)JbLTS*H3Dx%4ru_9P6-H~XEq z+B)y_!KtpXOp0*XO&fDn^Abr9Cb`058lJZahJ7=92-hR&o)E4O>DI`AAM#{)aayrj ziYZKy?OYt8uEwCVg96a@f$J6r1N-t4vbdQiNz^|DQAcYT` z|AybnJ&C^6Ae5 z-+n1?%%eQYy!tx%#R?G%69=5G4=S!A*4{oO2GhB@ULh@olA!PUZCK)Jn2HpW3)mEW zDMR3qug74HuFKvJs`kN?R8Kt2w}<0$t45)PVTGRIVqqaW-eTI`0TWR1JiD_NK>LDm z^1ctYU#rR&BrhhxQ%q7u6t*S+GG_M-BRKS3aYStfv4?wMdFs9^XD&6nwS0rH|Mj>g zn~vo7&oj{`4LMgh?Tr(slYixxg54iEtT+pm^nctSx10H4y z_XdcW44tf4WZ}T2lXw)%^@xX!MGd0O_9R>p!rhh8T&e-v13+OCUP&ZT$F)@a=3un1qbY>CF-Y|Zir)@PoyrUt?-j-1-*479ifT_d7?XL|wn^_&uy2i0$Pj_m zO^x$!w?j3@#?*$WHA?pQOQ8($CWV5}?1W3Ix!KoYzw#*Vw$g=fVnW?E%+ZE}K}8Gv z8u#s$Rr95y5Z;%R2U&s>@rFj*mXYjzei(E15dv=gM- zPeLbyRX~0-E(_Zwna=U{0K>jc#6-`sf|`r31@3>Dy_b0C;0$;09^x7jtiF;sBq*MX 
zmzeLD`i=4GjLTyxca@x8k8&MAn+%Va$^~s`jwkhc>c?sv(>*f=a zgholaq<#^-uP3o~B?U-`gY(=xR!MQ(Nu6&4!g=|9&BH*GZ-gKV)uKkff^GPyMf|ry zz}eIp``iEh+Y}xq#TMQE1n!dcoH(KEpX*dOE9meiqV={o zgP=GR|NohM_H#qilE=fJM61w6N{F>otC*7-$ng}uSg?BiW!B>_ElD1G+JlccHRXS@ zMjL-TsZCoQf`?4z7Ap?cOn(|Hd|Q+i`?{OhzE^cTF@1j%w(~73&F@=Q_!gMD&gs>m z4`!W=+I?yVgQ~6tbk){-U86dT<)zxP8Y31dH{mK{E3>M$wU+26+UaMbI+Mb{ZDrv> zV`IdX-=xxDuV8!qqs>klwl;GzPxDPur~Ou@21?pP36Dr!F4kx;X=;riRnq;GT8g(IxlQ#+hYca zY=ND(?9XQc_qae*F@Aj85j5Mu^__tRbRhE)l5hepdsCJRVCn-ERXpClHucQ%7#7%n z>%Y(bzcgxeb6>Ej6XjoCZ>m2pDoQy@CDDK^gliHcVwZExbP6-Q+)Q`v(sETpziCw5 zt=S@+CB8PvV2t>^dknd-!3mF%+V3uL?EC@lV4Mzx(r>KDm7`V2=B};i{3II?9v69| z*Lk(soeX~10FO0b@s^7Vw9;oSk7g76QbewWb;6~Mh`yKXFgCV=*`=^>wB(V-ECkrn z>=?Wmh`xb`aIGvV%I7ByU9Tp_liC|>5rJCuniz9w=SQCR3^YV0Fdw-EIcY6C+c)Ab@GFc5b@0QgCn%0+snOlVsoQ|5<)^a-_i<L|DbU3M6v-0}}jFi6NylWc^2sb?5c^PY)5cx8lTG(IZ zp~DV5y3^{Q*NfJ{nuX3yC~*+?;N50(vT6kE6RZNOzR^eZ(@1d9*!oS8=Ov<&bYbL%ASR8+BLF{gFuQ?A*BrQ?}U+s|K4*1FqsCmVA^ z4VL$wWPQwN>b&Qtxw?w>sO25!mPd7WzdTKA;_1K_7HNkuno2POcs3FgykU<&#w*oB zCP{YaBo~>&!Z=35I>V|~ApmP(1S%gWL-FsKSO&6lxd`Y1@_pV;XO z87vSbOZSAtUJ(1+5?J`q8hS#ck@ZKXh}60H8Up&Bg<7r%HXz7!0ARbB7J+EX5tvd9 z849!UEWvPED10EPVqJfPVoyjMdI`nZT*oQ1U%E16Vi(1&gupas+K|&?+5&E8M4%Ii zmiI~_#U;m>Z(?&jLfxYt?nk?vK}z=6pr}}G{)BXB3WsQ)bsqyH!+%+-*}+l)Njel7 z&rPK)ye%iJN(OlmSA?ceCxz2n^#YQ0OBC;4-)0Yf6vQ3&VmdJ~c>gwinEfL;w)c1H zY8nRFJWVQrkPDi~_mjg1WMP{c#A-TABAU6JNuKC9Y|yp48wPioMH-3jcXch<0?I_bPp$klHBa6yD>)Rb81(P(mYq3^%$RaTzbuJ4SK$8PQ?KC587pqg=Q_9ubkDP31R@ z)gtY*m9oZBnD$u)$ieZ|>Ltf)^G%IHHg0%L%S+6n1xC8X#you}a7c+u!m95OxJ?}# z>Lb(=Ij%0c*J`>T7@nB4P25B$Z{CTXLy;HS;%Ok9dk^u>USA#Tvb*FZF7ZY-WNk3W z@j;c^CAdNFGK1W_f}^PtE!T56fZsiTo_0}c1D?xPwz=5~FZkZlLe z&LLON)JR#2tgY5!Q)il?Eous1S@LvcQN)f%0Cceux#?m=d3!$QUk#jt^(Hj96f;k! 
z-F1b@kZFP@TU1|s*yDB6UpGYoW&X>KO`?n59?2ox%!3)wQ6K)e3`+%LQ9q^57Nq!| z6z;M~01`oSZ>~?O%UgftY56Ea)pB9Q&ZdTLdPxtUD?UB?=ae zZW|0jRrZ-C^ZLo#T0IcX$m?Z?))MIT+1sHH_iQAlijWyERi8RTlna zF$T00$#3LjPeHAA9O4b^sP>08w%F`r+ZK{}?J3%sc;eTdx3f?#KZ$~kOLj7}n|xMN z@S(0DAGSIvwy$)sUQcWcwahKhBWc)Uc8W%9vY29{XpnYy7`}`bT?V3@Lz4 z1|W5`!_C>tLoqYVZNaWX-O=EMm2KFp?n39LTaOf;Vj0Fr4p{=#1pg^TwxmutPW?Bw zn=`C<)sk}d_$5O_^I*BVg*XY_(+R1vO1ZlT34m%l&ui)(j92s}sZNoQ)W`DOp|`%y zW;?T@pIi_3O*H+cdl?_&yC);47so%tUs!8w_NaRHG@Ij0$XsHB$jj51IE7JX zBFvrjjwiWQw|^PG9&O^CK{SPq3%6d<%DdXC6I~x6kJwAug$^2ymu{ZtwTg$$ZmOs9 zoFH6brD-sTukPN}itM{~72ny%w1dXM-llr$rjfBvs`vK8m35EoFaz(NDBvDt2l9*f z+-=6LhUpbQF>cV}J%-UV>&cGE%upT#+p5W++>eqA(1S#Ss&P_&pa)>iBVqt-a4w99d@)W?=f)&&e$6$J-`?D{gP9X3H=UqjGbiH9pj+us0r1w%#^J|F2pxh$BUS;)MvO?63$-7K5fnmd_z{%GGHfSbq zt;J0y#B~t5jDy&p>Avh0pDaC#{4BT}mJ+Pq=r&jzJ4nk$HA7+;?*y&!>(Y+WNVSSD z<36z!p3@tewBq(5x8u)P)T|C_!T{6}J(;fgrbQ;*N><{-uCXHGrCXLxSmgEt~b>ouPxfxv@!|#NX&0o6=Xw=5{eJTQYCu7&50lQev zd%FiEaJ$bS_ktq|{!9`=J-b3f`TG01)VxM6e#fdTWOCDn;W2>(&_vwf#L;fP2)Da{ zmzxODe$lKX`>0z4DEtE~N+hH|Id{iC*x*IK^+v2?z(_d@ZGvhThU!%3gjvvDPil|q z?fm8qzJHO<1n#fr8vp$H>mu7|sQCD<$K=lsy&NuQ9&O)$J5Mi`NXg9k)kW_7a&)U~ zRBVP`eNF!!dvAJec%FW1SZvT+M}=+~xJm!|y;nfoX=Fgnk(7r3E?FK&bC(bw%xBFN zT$G_gcPS4x;P&XW&Zp_M*(#asMmkX+x0*mSg!A&ns~MVpvf)7!smV;>$>krZT8gJk?&@TwA}N(+B9r$DS6bED_6 zGG-@lAAgB_pS7!LC_|%nI_%A$S_`9`b>R{QQ&xKy!s^hqfvQYYm$Hg?2tRaYEo>GzIb{nf4{DeJN3muBQUm7>_wCy$lXofS|!>`i*W zjavJusTFg5D_eWdFE8Mcs@M${%>=Pj{5|bg^tbiZqY4(fY;ZK|^5iQ@B7>$9 zLcy0x>_MICT|7LLi(H5RuE_$q%E8|-b~g*v_*&)hB6uIp_TbQ@qp$%s;X^@Sh zi|k#y$foNIz6z#})Ts-}st4}@!MX1ZBCZYhU0#fO2ng2i<6e21>3bbA30H+8PnfBs z-3@$D^e#-Z3zPGGWa%_l#5BXn7a$GE#4&P_9@18a_gdXfv1rD0oaipCaQtTM{O zxXYdb?#rd}CdQ>pmUNljoZke;>^l(G;P!Of-<~+%3obV@#fg&rF?ps`?eb8(hj?{A z$O8^KKIzsB+q+fC-ho8+QoLGt=hF^+h#s=2Qn{MS$l2M&Mh?Zm2m<0MddtH1%>%+@ zxBSh3aG6KngP`|L%H_ZNQ+=#QLGN)7H*g?rm~Jdw3Sm1i>VUfg*X=$&^xqX-TdZGo z$QDY6`S3?iBan|W9CB1aIv|BKlyo%|=ej6WM_UED+3mzGG#&&m4=|@tJTD}PDzbAL 
zkX0iwNklO|Qd%V@I99v%jtoYsDk8YIy5;>LvBlDIsFlGZ4&_xmFI*ptah=%P;LQWJv()ey!=_6i*e+Yr)52@C z7*Y#;zi2Z5H4W{WTlI&Wb$vUZ=;3Ns#E9A~c3OUlwm>1=Y-3e(Ts`lFtV zHX>}z%&N?&eEp16&+b&iaP2As62SLwE6IOKP5vhxu07=_^OxUGyJqGs%6+=JUJmF? z)=E(d+xygp;JOdvTZ~FHzBAXiBuV&$-YeoSo~dnSE>tlk z$P7gox*G;li9L0eY5a(9A}13MVvwK7MiV z2l%4=7ka@LNjIToDf(MITq>0-fyHXo&`bD@3w_&wy_-WD0 zFdIf|!iv7O=$&(Tfd)}wV*lVBwvMO1TD`|)Mhp1+8B#YZqT zW1_6Tng&tXT*+A4I2mzg@0)bIin&+(PeH0-p?j8^bHseHck{Ca*;=o zu?YHiHQG*(R-dk2SZ@{2?OSfTIDdMqkgU<*4?(I^4<|JY&};U~CX`4h=my08V0glE zWEl`Rd@K3%nb6sL%VW%z;^%_ErB`jo3)lYsMAY^QOVNLTzuI>3T^Em~&wpqA0piBD z9A}>HgC8H=**<=ANd4a@{vQQL+~p~D@S9Pv0CoDwY!Tx2G)W{$iV~-i%!ucuZHRudL7ThSK=lZ7x?C`tOwezKK&X?KU7Ndmjz5Cff;25sW(C;wv zZMZ^l;lfn~l7)>rn_yr;RY>9=aLcpOq{B_Tz?2h>-{~6;(khgJzr||{+o@bBE4xYK zKBYFIbxVGuK9F8||I2 zEybXYP1D(eU(Tq_b5V1{6E%xcLB+;#qgs9G-A-k~pEy8`b6s-`&E0v#2AgL#5GjbB zddo#&0?>=P{8|^)*3$N5+996Nq(2n8d=j(XqTpS+@{u<#=J~p$0VC+LEDS3H)6JgW z7Ui!zgC*l=@DrC1U2}uIx@k$9>axa%Ffoe zs2}{3Lu%Tov-#dS8tp`gUwp4_jY`6v{sV7-^nKg!y5B~0xBus^t;>ac+WF>>pGOxh zQ-o8+6|i^xrdfp|(0yrCbgB6J8=uED((<40?5A`_ZNIh>@VaDAWiIem06Q$J6NIRP zujSV6Nzl$iupEs2pP-AF30`r3ZM!sA!SMlkkE*l0kqLjhqQ zbE`uY?oci@GUp$_)1~N*kgdD?(OfOH{=-zK7OkgxRoz&6#B@rh`T^N3%r}6yX5VMQ zR5!rwtSD%lLB1^Ed8dO-ekL`d{_8J+>AcE?5EM-=v&QBLZ5PAqCT=!9MgL5aLlb{> zw;KPYx5;*`;|Fnn0De;6GoFSjox|a1kl$M)MQPeaN4u#0)APFCN#5Y7It?}f2$h?t^2Y<10WuPn6XNkC&NdYF5JWZl?G12c$YKg**{V0w>OatJ10$0m0- zrN2_H_?i_)i;Nto8IHR9><41q77si1U|JBWJrq2-Qyod0jqohviMlMGqi^4J59t6K z!ZSedD3Zt)Ki;5w@H_G$Le$UCc=;DBebaJvKpEwKby z>^ivz)dvy<(}3@{OA+@fDjLZ=B_VDB))H^K7|3^pgL&>CsX=&+>3a$-2SQ<2oTmA# zze7<3Fn{;S-9vKD<-LTBu9rw9vTfwbvrm5Pv5dmS4rkD;&@8_WV7P8S`xCo5YmIz- zNi|dSovf&QLyR&qX>0q+Z~ghAE5g!Vc*;eNeZ$`^Ll5@yJZk!c1__t57MY7qXsb9Q zGXg4?*)`b8s3cI#^%r7oG<7|l=>BoFi~NM0moEM;aa_nu!UX2)YS@H%&$ zfe#_w2lG#xSczCFSlS$e_j|uF>#BIjE%vCWaChJ#+N7O75X}+5HHtL#z(53k(DvBt#f7XNR;GMpy`R z^pmdoW&OHxN8?J`5gk`RmC)x@ZU^P3?XO`u4#;}_=lRTIq^kFCiYskqd9nFB^S$RA zs5drwank8_zTOGC>=@aI4iixTd5dzXh$oXQ2QB!ol=vp^SEBM`>CDQ5&5goHf~hg? 
zS}U^Y7K6gfhD{azkletS5?193l}@CHH1}bVk_B1J&I7A*Lkl_VW>S??W*k{- zyqVWhE5yQ?qL;( z&GMHYP@<&+^;n2l?Gjs`$fE*r!5tgO94C(w{1u#zO8gRgNHAJyc{wpBG#YsH53A2# zexCn@a@EF#m+D0a@%}zHgGvG`*uD^>F)&nBz-Qp_jyL59&KFCxtp4%T1_yX zBK6oN!gqKCau$rEpDwmTZFYk694hM#Yanc+km;y+wbt@lA_cE5UL;jeAr zsdH&qbSxZT@{m;)5}QR`G2e&n-PCZAr{%1c)-R~ot!=WuL`N7OI1FaQik^=YJ1cSm z1zu}W>rf}R^>A|Dw2^tk{{4>29}-x3C+iKSj^TT>;WI=`(-4mf`U2Jy!t70SbWwkz zY4zqhUurY@r$-H)X{;R?naAJ<2=O)9L|#ApQ0;(E9l=HqF$5XvA>NO4mCh`=q5Pns zW@-DCx;6$26Vusw723mM=qe@!(J17`8pXSLgBWRynNn^w>tD_e>L+$vOJ1m#DX@1o z<6qk5zd|Y3(P~?J!g&-C8L+9w2Z-ZQLS}v+*WHFg=*4J-W2?AG;};^bMA-lq4i^%+ zgXpqU2H<-FdlGk#2P;F=jG4-H68WsYJIwqNd>KwdReR;+f}dseCD#V}QYa7fH9P2xsQ-;zp`8L7RLuk(q#bAzHGr z^jWwa!u$;dy?=Z$J1FgS?N^kYEk`=hvmMj%(wQxk_ zfOu&wp~6hDK_s6)>zS`@OY-H@I({uCt7OO*1_^NfeRulv!Gu237Nw41h8lwIoPz(PQ!J7T(c*X>mJSX2)Ay`eOg=+N%6Qv<(Y za!N`{nz@hqv-d||Kix42knp(8*tW<2{IW)dNg&9o!*Oi>CBU|NP@kE75MD)?lIg^$ z?!D)B9~dB&U4?kXUM~DBe*maV4_}OYYWrOO96aTd;#r0oPO+wL_hh>`aQOzPi{aI` zqTbqma`D7@>G-k_NHt70Av%@24~pk!eJ_YW`;P;ACgA_hD|{0sIOVH0@=pXEGJi|~ zfpdG)=eQ$b-FHZ)5~6-l#VN(pZP4zD75Kq%8I+h2&doo4TKesES2TC!UYqWxJIqht z><|3~be|2kY8_N+V9GK`Ze4^C7#Ow^A&ZaVBh^Y9H?>U z#85Jnv&`5$ikCWQCn)nqhUzzOj*zlB5o0gJst96-yCFOu!sC@0A|4rGr=gf{VQ2MS zB;Rhj15IR655E>^`5~4N75(}8zk5gGl4=2l-UVHu2o^L9#qy-$*6XfWktTnJxk!yf zBYTOHc>)ph6p}cDN8=WwKMU~MYc(BS7rnvla7C=J<1vjrfw=%ZTdpOUB=|hP(HM@T zCuy?{m2-C(u#B7`HSk1DiC;%k>XZp?vgFZpcLizn| zeZdSS7SP-E664(`0eLIzuA+I3-%!HNX0KD;WjL)p@ykczW3O&_)P^R?oD@3S`(vvK zBlaU2%Xo4(dHZ4u#(3ichr|r|dgK1?H>?pS=*|x9Fq6wMgn1aAGG;Y~$$@Qz-V1?< zaCM5@mCS|Hb`!0mS}N;x}yxzIU;H#kO+dVx2G5> zNQyIsKio!j0~vpYuiD^5A+}U0Du1r^UFVi`OD4E zi$Sb0+7!PO9|pFx{ieyIl!Qc;pPwrJKGi*Eyy2ni3=)Aayrjax<&*Mkyt@DOFPuDW z|JLJ#{PzA`6XuB2cbB7bB)rSs`TDEcC#Pu>$G(SNE)%Sj z1-sxr!9I!eINb`eBH%L2eQ>MPRN*_#C5xZ4k7G~u08rx9VaOy4?tLNCtFhzN`&1?m z0*{9?G8$e7V{a?dP845!s89=xyHSKeXoyc6^$*sq*5buw)Mg8u->i@%0bTIo&>r+NIS|8w41L=nI@v-)}c zzRub~y!nUyfnVQI6r5^2!6i0Id_;&KoW^cY`;V*qfFC!W%MG&-pZ- z*-sDRGKgb12*tzG2TTuT(DsH_2jZf)0pptew7Ki4i!z8)`2+@j(2UKRyU$A~jZ}w8 
z5&n_^DNHF~KZhs1y=GLE(X;-b(!ZvMO?6{Kg!mN`BJxETT{ABBYKn%Dw=@yz5_SBt zv&30c3w@txxww5u7510GX{x2+9${Tsk>YWx?%VfpDy zDxBeBp)KcL8^}IqQ}_ak=Z1av&O?*fQp2=+S43m%Yd-f~!4qs{273h||Uf;Z$&q+at*#sn(2k6wmS32q@Zr{Momm38pay)`uI>kGz0eO;LrN)z8Lnp4w2d7P-a$W@!`XPy$vr%q- zN1GiZ)4@Ef%?J&@ZCv}Z6~t!myio65Jxc+;*B?9Iicz8(fY1?fq!zJZ_uA{XGJz=Y zDZ8&4vkOJ1=afIM|6Pf2pA!`Dx z&{&Fqyfv%_V7T`)*@27p(49Oo<0X&uBY4K80S*E8A_eX3Rh(4GznTpHmS20xy(ObANs(yNEVZkyr0IT;MHu6}ed`=Z8H7y|do@vDe7I~1Y!a=use@evmN;bLOaq#1ngi?~<< z>#di6fMd!>e}G=+Cjx<>zJw?Ol&@SHxo>&Q5IC&Zu&wyD?E<Ik@@%w9omJ1-S7u07BkkzE6U661bQg5H?{`LS9-v-Mw zhXniUAQ5xf6I8o|%nX5aUTDHe#L;>2xiol|`I`#~_3E@=fqOE62TEHT;DZIJpLLx+ zo4f#l{AH0(e*l((8LiW{V|K+8_>njG)oU-fus&}C7sA`1#D(emA0T#otLS{`jEdt7 z|3ub5a9JM&{{Q(AosJAHb}z`NFEF>VLB26Kx26Yr%mz*do{_x$1FT8@cLe_TBVdqv zA$K~Y1RV@$vcrlH@0Y%r*|bO{+_-O=49O<=F+QN8&Am~lA*6YITWu>#K&?~!U7f~t zf5qBd^uv#XJ}Ljf)rFuK&3YH&we<=9h!>wzMV|!vftoVEq)(ZE&DZ+Gsz>2G4&PLr zE}dY#Q3EFmy1$;?&(TbonY%2ewFLs zHicICL{u`IfSx)h>OPpOSx;?Bv>d-a`7vS@ts2ToC35{{ zq9N^o4J|LQEo>z6%}8Saii5l~gPJIjJIJM_B`#|5@wjbQ6YauIb z#|M^WkAI&A{kD7Z@h{%U&+`X=`5wvoo*SHrHcLFto8DVu3@~Vnxywo#b>y^QM>FJ$ z#Y7=4cmNt`{)y?FY(VK77DdO9K{yD4-S2&Z&h{_RA^ggItnl{Tgz=>D@9Wv!4s>xI zW!5M3@3J?~Km7h}?$Z2y@?8S-OfSvkgSpDbR9bIV)$rB%TwaF+IUI3rOR1Ukox1j3 zNUzVZc>2nhatFrInORZ2%wNkzF1P4rnl)}b{Qb_&Py0#P{~+%z!{XT1ZqdSBgS#~D zO@ah>3&9BlcL?s9&=4TFH0}@}I0V<=(s+O*xLZPSk`RLARMuL1eQU4%?Qfs^?}XMF!<2!snOjzefP@s|dll-q4aceL98^lQ z#ThBXf(O1v^P!BFQBxG`1}Np(1B-f{T2nkL?F!=0oF2}wKS~JFI@X`WzD$K`v+@4jK$Gy;YF zxuh86eJ8k;t85H&*r_igo8h=GYKEIlj;&dSN0Or<_@^LSjCIHw zx6G$}#1gP1SIzn2+K$7d@9HTtbM(%n;u8t+L!e?jY zGiz+f^N2RI(19?a-93Oh>HBAuEHXdVc*n@Y!Lh~Rd);|;DbaGdv)l}v>ePan@)m|h z&t|Xyn-}riU$Lqf1NNwx~W~hlmR%fmRpo4GeWHl8p=si{76XnA|Yf}|K^>Bn{^r^jT1$bWz??U z%K6SvujcdJ`@na729QFpGt@57VwB0d9z{usaL`P_v@%2?wKZF5tgB2^4edE%crJ|_ zGyIsQUY)QroN95y*(}hB&Qq}-P0&R$;Vmw_-MX@ zfw@GNOm8YNbsA!k2mO#FN}}R;LoK6GxIFiCuV7sKdXv||{pJkDm z`0UW6$Zq=tHF`Sdd>1)mWe|{a-BP2D!`8UNIr5F2xh(@mf*5&nR+NJDE%#REZmZ*m#Mq(E6ZXO}KJqyi&u-pvfj7+9O@D{fGW*q8%6e!heHlI&M% z4z+ssXZ> 
z(+a!GRG@)fL(G5V-l5ib#m2_N97go=)wzd97pqfKg_|G793JKDt9m~4Y1glBYMw>R zzYSt`-1y{T8@`jWhDOX?q6+J1)vORqW5QriSSdb08{&A0lFI~#=UdmN6(oi_UIKqzCDUrY12Otn*XAQqL69Ai6X=a+Kc0F1_h|bq)Ctd z!j1jkiZcExO9`s72)w)J?06_VhWBQZBg6{EDLq1H$fn;WYfEQc(_vyI9LD@`^&Kv&INux05nW$~o>snT zv?L*`X3yZ@ydDWER9de@UYFC4+E_yP?jY*$DjrN9P@nX{I8-*(RgUzhtLIT@Tp0~^ zHF(CG$ALuA)h^xf>azl<0>fphF@WoTtx!?YzR2`|mS@X1voL$ykW9^oja>yU9IvF0 zMAW6E$L45`d~geSzriD}8HEzL^~fugr!R`Hd1_}Hk>?kW%Iv<>M$KIn0+YB;W~<-; zJmSOwJWz-bs4!&=m@?%T5+s(t-PXTtU~0h)%tiL>+N?J|VFwpP(f|+=6B?E2LE8>0VR`&^N8TvtSarl(MY%zHMDdDADn&Dn)AS zSP8D+vsDs*QKrLt>_a2PO$|-6rrAXs6`FoQmZ^GIZMwT1rk}xF>JKnd;<^(gesZul z6*XDp)H-``^eTH&D-yAMtLvTvEY+9d^c6t1U{-hfKFBJBiC&CJl|@)Y7P6=O67VZ|gF(Stug#W7b`0lxJ=nYAtGkn(|Kb{;)Y@k1i5{iVZ zY^2_@zKunuJ}O5F7Aw8zpJ3K$Yf{jAU?9(L5%ZLg*AJ#m3sM-XV3Df2UUaa14283(d4K z<7ie!-f*tvMxbEeGQY{8^K*Og-A!8X<#)3ZnS4&Q)}@Jf&FQI~RQto-rb}7QGN_Dr zId^u@-e@xKwrm06LJ-fi*8-Dw;B$y4q|DSJ9WGjZq$sU`cfP1-06+`R-z6e-yKdm% z;F+2cxn>_im6%#Gc`fA=WpMxPU> zM09nYRpKty17}6Jp@3g_Gogw&%%tVJP02z{<U%P* z+MyU#+@T!X0_B8!H%Pk(Ub0BohRAtY+or16>N5;XgD}q8Np++BJg0xzQfy?Geb3-^ zKs>ON8{-x!Fv-++C%GLanynF@^)TDY!MSqffoq;fl|tXtPA2)m%)kdtbQ&3mx+u~5 zD45g7Erg*rUG!_B3AJL_282& z>6T{iR;bZZcScy0K8ud0tD{BuVgVzUD@GassHy-FOVZTsQ=!~V3rt!2Y6(IV;;>Kb zislV+?lf`X!`Y;RojOJAnzU}C2vtpVP`dh9wR_fT#s$)5Kx|lIduL-e?c=DeLzH&C zc>RMTNttF@TqAxkxtx#pWiD14(ypw%85mh)7%{K@&X;I;m`*dF)7?|R+j2k6qI4W`NSRcKMfqt-U}*Up4`bX$XZ#PC{kHWS zNRzpo@rufo;!>(kmU>uFX&RqQUs^Xyv%VK6efjxE@kJbSb0x+Cy~kv4bx`%83#$2{ z!OqR8`Tmd$WJ!4npvkT6{rG^4f5eyTk}x~)l312b*NCqU$B){DvE=~*o6s8j05`kG z9I2bHe~n>|OHjY02_)1gN|TEeQseSUmOl7so`HeM969}(lZOCt#p?2GY6o+`)P0`*V8qr1 z0N;-Ec+OM<6S>(Q@)jdcfVH+0p?r6z4{do+*OGVI_S;K$g>}T^kMCF^X=F1wd3)Kf zB)t#0i!@c*$3w=Vycvjqi}X3iufN(QT2W+W(IsM68|ks;EaD2kQ~-n@e1E!e)*_Uq zGk!L73YnnUw+{8IrPhw>(#4@EcW29N1ebTcWLH!aGu4w<>FzHlUOhIR@P4({dzYp2 zYoetgn_#C08mNDErq259GD1%geKrxh_M}^-HFnTzjvOfrdufH-V=1PNDhbz}o!ZqF zuSvHB;n}9bKutv->UD@U{(0AA`7-axvI%qyD!j1SBx!VD0_#P!mkmi2{VYxU3nKnc 
zEDpE!ivg?R{Zf^PWns8dCUYAQ8q%Yn)w_pUC#Cu$h*!6cgpAdjYS;9@vbn)g|6<9; zRcH5?ZbQ8_37#$O%K1}-TIq2me>?S_nj!+ff-~ZG@@?}T*yL+ zqBT|py6+B6R$0;{rb+e3*iEK#D=2cv)~caqPU4C__`%St8yOy+3ZXtm6mdl)339y$xkYR%i`BAyZ!R*=+R|#px${j?lS? zyn1sgjoHFqe{9IiakIYv=vBb;_?)kwrc{9l9>qn&XOr;4bn0do>gXezRdf&CR40Cf z2*iB?Fh=D^Q)W2B+$P$`+-FC!|6`+tWO=psQL0*iO6{NbVJNw$>Vxl_;y=@F+U6|^ z>|6$Z8*wKV(cx@-qAD0PS@P(ZF0%k%QtHl=cCi@8FIVdQ8m@ONR0|%(&x`LZd1puqH41A?X-^Cn|1L ze#yGQo$5w$>2bFZv}&+Ucfn_3AmiB{9$uw1$Jd4lOU_m7r)gK0COZV;jmaDKcRomJ zWl86(J}(4l%!S%cT4IYM=f)U&k-B5>ya+1cIxQKVID8fXM3i34jf3vv+IKL~uT4WRr8puo@okY5m1vv&LR>z^&8Hn>_qna`(kpasB1 z@U<-{JfsR{;rG@wL5a|(Al6F>N(~Wr1YcgflR7c;1##owl#Tws(FsaHQ>#&Hn$08W zEk= z+;GsP%V>&tXjJ!pxV9QIV0|t(%$K9GNEoh(UqgVpCP!E6!W%tU&VEIHYzJ4fQ*ev5 zvBhQ9*>MgRY~)H1cn%(?{dvQuCD8dUIaPkndDPsV-~o=OomYLi`T!~Ug)_JL^X64{ zD|#p{;5Fliy{|5D_qZ|4?9eFt(*upWrq*|wW+Q#&5gQ>{&^3N-%_~g|=o;>|{3qTU zOC`9nvnD-Mvv#|>EQ^vHHFBF@Ro}){@Pd zA|t$!^zQ&$wUb%Bz{0?9h@G_6Z${ZxZga%-+#iyc>g)*UHtWT;hcTri>l#fhl&GaS zOZ(zfk4E>Wbh_?D9k?78m_c`nB8;MNic)z)pz3Z(_tHkvD){mwqkxh)xuRCE=qW`_v+!36ufNxn>yHyisu*4zG zUK;es?f~4wC;0{j7M^9hx72}4!HtdS_|rG9#LVkuMoGC(lx>yx5*iVo7?X%$ce!t= zp1j=`B2O27xk-)1m~LHftUP_`=v9l0!f^-8j@rxCtC8n~GE%U}t|Mi2_p96f1T@>b zUuYU+S-3GJHua_qN(|bo~OKg9L)hq%Sr)8OW%aEF2z@9{Ls<_`#CeTFI|=7 z!H^2ULhMK9*gOjhLg>cHC{khRwcxwPvF~;*Z_cVVy4ySKE#cMl8h73#uZkP;}maUpDP0`@^-fhupe>3_ZSu*V#M_Rlz^00gTItiztnqp5y zK>^+beQ!Y1^CzzUWollFVcJSKSj7nzPp^!SG~g!@M8n+jxzSac{KzoT@1Qw$9GQrY zo`J4n_IAS5Idhtr%95$&H9Ans2f!S@sI8sg>{Nb=4mKT!gSo7P4SjG_n*v7q5yT%=EV zMAMLy-Bk2!uBrr#%rt4)+_Mpe9`O?zlp}VOqTlH=DE~nsax2K>u3zu#pWkUQgYA7SBX=~RCzw}*?u^61>LASYARhdP$<)?^b9`4rg$eb zsyjeBjO?7nBz`!)^Yc|rSB5Pi^sG!?icDv|M~)Rl?jb#=-kV1!7x|oZ!os26HqpXX z>8iix6Id5(p2Cn~*{EUh;sOc6)PWH67!4LzFNleFN6O_q4(grj1^ zqifg4@1vzYu%Qyg3T2S>=fXxajZic`O38@;!WVrs(MnI8@T(&9mzw3xlAy#g{7j0U z1)mENF`KWOhng(F?m2t0R~|CJvPudFIR46?K~MY*PAT- z=&BNcX(Q|>2n#lla8q8dF2S(CXrC@ z>|-9-Bd`1uWcN3P$lq&?Zi97hBvXsKrofD2{ms({4maJWV?S2@Ke}zvkB{E!g)bK(-~Cu&dT0)-ugG5wT8gKX7JT)-(}tzbn1ao~`8eN; 
zUk3Az^fzC05k!`TAeI|bykU#K%{Fn7lWYZ2EJ4gyu58Dpj=&Oo>oBNdP%2!c2`!O4 zVH}h8aB=~PT%V8uC>LOunE5SfwGgYL^`YPwk}u4ln%x^U9J8NI$%Mr2)Vw5?M+nOz z(Z5-dre0eFlMDN5-XYGLj)jydOGQ;gly;ia!NtKPiXT4X)^cISdUU5ZZWo(VT`V3) zZM96V;;;&nbGZC~hw0Efm~d(#qR$U{5CfShLLR$%S=`q58skpozNtjpOi7a;{djxh zNZRU(zWq+tsJ3$|_}UC_#jf_MZf6<`6U8l{wTl6j!3jUIqLeN*JeIROTTy4?8mel( zz*Unx**_T}VF{tOHgrQF90Wu~#2q&;^JXYE30Ss0jg87175rzU4pwc=nk*ORRXpAD z?QxH+h(>m{Lwm@+_?((1u9_u@gzv`LC~uuIU|s zJRm*J8!)WiYYFGIHDj?z2ud8Y@?cgmv_>s{3E$5R+4) zTxUb)MK3+ISIR+i#4T_*89vpQD02CGf|WGdjyXhi6ES&2?s6v~bc`5_hEc@<@Clxezu_K3S?pD9{w zf}x*A!4_-#u9PEiX_3j~;b!t27N8N@6!+`^k;l}02Jtsm*cpFi)aTtx{OOAE z9g0E@+*n}%3kdIJ7T*%730KtDzR-TMe;(~~Z2RRhXR`5*`$hJ{$?4?xE;VV*pDhje ztXe&Zqln(ik-~*Rsa}}kIut4}{P5<9%|qRp^5_vZmp= zXAn2aY@ye86#ts+4%y{{SfwrYP_@T}Piz{gPzWq5)}u>W4A`m}>f|^-8W@x`&)o8W z34$(0i)IV+s%ctxp(>miTWgf|>0@yw5e7rPsx?=>u`jrlJ@jEzOmoPU9RjPt0g=wV z3g|TcEHG+>pj{wQqkF_cB4$KxxzS_8$dt>Ir4f=0zYAvN6PpNSCG(0sARJ;2-PT0a zG;;i?+0g1>%9fFQry`#T%_h#bW`3YjDx*SWL@~jQ+a9HMW~()N0d0#sC$>$@&uZQY z$?ZO_&%R0l-f!fwKgh=Twp(iNaBK1242_9J@G)8rZPMg)`b;6P_-rkymUhot&|_th zO1%nMo3!34_gE*-Uv;gx(|5q8R>M^Itfh9v>;55d0 zhSmC#C8>JEj`4fy(DL;FiiX@t=*L;ev3NQk)hPPST7V9j^{yhadff(C7unHF0>?zV zcLHrDGaQKrX}9dLNwQRGb{xc+CaDI}`;XkE*%B3#N)ghO>v`P=T%Px9SCTr`xgbdwG}arr)a@e$kHpSxe9Cbh}&sHdyB7*{hmgQhMM@o)>ZVcJ2GljZ?RozN;?vzXD;gg}wSf zD8I}$VL+(Zb7?#xrbO8?cA@efgidV8M|=#Fc#wqt7jYa%#oEvw;!>_ee0)sA7ZHfH zXXsOVq<8;T8R);x_#dHO570T0jwZae#?m3xCG2$-F@Z#8WRI?Z0JX=1Y-4np2!xnM z%ZnyQt*|yTHtx2fqvDP(>)bC*9}-;lLLy&%oY;ia9-DHgcuH2xJ$H9#nHYlZ_q7KnNt&#NrzwTi8*ZCalq;)fewNxb z6Gw=-q`cyST~*xiO2vlfED?W_X^`A+@#>KqLc|HL-wmLliG?BU1EAC}$d3PmasB(B zx~Jz~=s#q{u@wAMRRY>zm9JyHR+|i}hYYG0Lnx-?dOY+#6;OJU;0#JqU3@dU<%JO( z1iC8y1iI@%P|^zswpt31y17aJ3B(kjT+uB}gN`Q$-Pa}n{rtDpgr7h#$j00J2;2@g ze+j<2;`<4ZOJjVKXaSk}YYV~O+X1P%!#DJ|w;+Rb@Ga8+?b9GZ?%TZSh|+rabrMIc z8OrZQ8HpMX742m%yo>bgpI?{)FW;a0-%F{>xQ-m?Q{NxegtxhgM#W?4IUQ*#i)w>8 zDsi)tp``8{jeJTt3uvY%f7zU>4ZHnPiRqbeH&&?~#@WARgr$p+e?3T5gg76B$Y>qr 
zeIy;FJ*X?>eU7H6JPDZN>vmOs`TZLSsjl8}YY)MAB;lOu(}(xVuZ?%IAl zQT6TBEvsD%rPv2i{B?X`rm*GxKqzvt2R_nWBtvnvQZ@Q)k}k_byGvpv7ClSLUOgP5 zX1_?0Ui@Oa96&!|P`_STHs}O1%Yr+wc$9Oo{yIAQY|N_)IRZ&hWjh=wTfJA0B{tly z!G_L_zHmR=uSP~i=+YwAV_VT^d@**({Vj^G#)qmV6_$t@z0|`=2#UB(rVJ$j{muPh zxk@len(D8QA4&1-M%E7RHd=AG>M&fj(6w{F+e^8BXDzN5S^yiTKt2RtV*kqie^z~c zTl(WEngd_ME$Od!k`7g{>$S&iOK|B+;YvZPcsgh^d5gZh%N0k|oly%2yaSPl=+f*> z7|Sw9=63TXL+G)>i1&ulM(%V9jG7>6?J~-rhu+PT6BbECb#udx&=$6?S;ukQ%yuV9 zCQX79owu`Nb-uq!!ocGqpP1DvNO&Jx{wF<^Mn|4K>!vxG?`qq-U`r9JLAm(kD#hcwGv*(i!g zPgl8uAGr(#Kw50y6O}m|8eyStpsUkp@qFd!7F1WSpP=x8;~S5XO>xWU!L&+4p!|gg z7LoJ_ccqv)AcKII?}=31R9*k34V^^y0c53va?fRZ@)~#1efZ0sR(cBXhNB$C`mc#B z`ZLE9l>A*0I?3_~k8G5K4X%+!+Y9SR7fV$mL7AkNMC$vx{)0;5kDe0)RY1PDz)yfN zS*~d5q4O)dxHOi`nC0<`vI8yXV{>0Y^d8`577lIumljNF+3Ku|lx%1_glMaE%i{+) zTjs;LFe5i+2ri*#y#2R^UsQFgTbVy$+OUD*ZsW!-6VNhhEN_7u&hAjC` zVr7%Y1iWonM6_se3VgHulDcjLN%Sc6XFLj}pYEg@6t7w@Yw|1)G|$L64=f)tJdY0} z4EW0o41b>i)A2QPv)M}W-xac}{?ykN1NF6~{zYH=7a{-GN&i#p|6XVMkJgl-Yl{3V zZ+!(+Hz7=cxf6`ec?KGS!5I{Uh({jI&g*DSf8L)z#*^f-Iw>Kgtz11;q2kO1ZG?+( z!=*_!mCP~m`^RE!tfpJ_@3uGA)kfT=r?87H9`^QH@p3e<%bI zLSil@`J0*Yf3d}o2QQ|6Q(j8@oAQ!=Q^l*OCoZ`UVB%WgxKU|o@=+c$(3fR)Xqg!R z)E9w)jB9YqQRS6iks=3e-_naw z*!BpjGgGLH0JAa2Dik|ZNe_XZ{k>G(NGAw>`5LPT)~I?U4{v8et|)mOG+;j8tB7A5 ziUqKonx+E!ff+qXadwAmD3CpC@XiKm%Hd!L2Re@=;_N z8sDa^xMMT9!@$$TDX{y5%jd8rJMC_+s)XqWvH8?#R+C<9?RYW5QGZmLcn3CbF9-eX zBH@SX!sL#n-e0J?K+*xf5(L#s!tC=o0TyBM}somMo0Z6+c720z{+gKsNlbE~uL z32T8W>$^1`WRyJpbkBYQ$y|&s#b|81n)b*wMH_cJS`7<=S?F}rw(wX#J@AB#w&LG$ z+3r~`HMbk`C6cD1KZ!NG$vl|K&^8?GZ$57wr8E$}2oCY+@M&QQv9)C&4DO?S6?t8v zq_wl8ki=}wQ~RT)ICh=gL*^Wr;pq}NfD0x-1=WeTIcq9HkT(?(m^^)7A#^-1G29r| z;aHaTKum9z7tT&u`Y3hw2V#?1~bH;6xDwiR+NC1({hRJ;_>lFFwUCsh+ zNnO2IrEpqNO^;!|^VXFJCK$KM#>9QOv=FE?jm@*qt~zH)=UiT{ofrUEdIdVm+L&$;Z~YMF1I(mm}95W~08O%ppk6)mXZ7t2pWkb7B!TPBR88jPcZ*$E;{x$EZYmL1(oX@Sr-fkb7t z`ln!dSI93xxUSRRDzGdaeDpsg^Bne>sCc)5oP%jro8_|y`!YiNatxVs9;kS8_D6wi ztMuP#K>4=pWBOlJW8U3Mi9dlUuI_8pR*=Ww_4nWD|4;sGQ}k(iC0E9|CcGb)?26|D 
z5(AfrdN!G&CQ%7C#9B|$vH<(f4F}YrH62qlqvUs*R(yxd!wQkswa}_EpXijwkfnr{u$ZuY2R>|Dk+5=Q!5JF@d#jQBN&`RW^Q5 zw?HR!TriYhH5A|f(_mm*z_+09QHm!j3KEOHkLoWgyIu_L!S&vxp_7U}5!&7IdAa%W zV2`C?`mEZua#qf>f6mdjbYO%n@ATEM6V0*K+vij6q0dfwkBuo>?|Z+>@z)6&;iPw$?$}hbrZsN?yk`9~$ZizhYvHFHB&s~=@EZ@OB#nC<@7avly)W<}1u=VFj5daJ`xV}*w4XLk) znEZ}2r5{a=(9QDFfWXaLrBf;ZzSytaSa;uvhg0qi4XL5Nf_)|x6Rj1-h3(x%Blo_I z7*A;m$BipC^V!Mo{w_PYmMU8W->P8)rD+DKcN}>i9;8uYt)mprSj>0{GB&JGWX6!5 zZTIbDM%Nylku(T8LtqcdQIKIm-OW6~oog3I8n;X^g2QaHW8s@CaE}%V2Eev+R}(*h zXJCSAlO4ESXu3TQUTc&39t}t}JO97l2J%9uC3ir1P0S9ctZ{?7w@I_ntb4}hg~IsW z{$&Gzlob53zYM_wS1Uu9v_>55q7A8xDBCFTOsz7zQ&9GhAgSFF8JS%k2LA+}Qy3c%&ljdHZ7%q47hi*9vh3ii z8+x!{Na>GmfA8YOxA!luuR&7k8i*5puaL<338a~U3OEeEbulj0TqU))yLJoese?d| z*1_I&{Z;-Y#&2C%{PS=VejDab0P#m31c#LbmzN-ot$P{-oOFL5=-#c&Z+&D0I~xQ~ zO?2Pff>2X*(Qo6FIwSZ$Iny+rRG;*VVhbb?cU}hzX@Qwjmv{c7=fFNGhDDjyVgMJi}nnqoX$yFe&sTCWfEUjFDOrx zVxfo*d>S@;d{h!sDJwadZCu_`rL%lmM`=qLis3&cXM(FLFkA4qQYVpY?YXosOH5L5HpgIoSmnYwz6o=m#p$JEGoHuk#nL^QAl!5 zK=jzaVy6JpgbjB!4Pj$(@k?3N{x>JgMDRmMh^5XhWB6DZB{ot+@#n?xopDW*MQUrf zC=MaS5-z_)A;4KtHeO@tRF{e^L_%nQLZEVrU(XOb=5nFYn%Pn`^f|LIQh|c(Z2_aT z!!yfuP9a{3<;T83(l^kEh9ez}-wq@}(GN0o&d zHv*VJj1dp%T+|08ZM^Lpe6O1eqkWa`&2w1%=+2ONn!LW>q(`jMcqhzH0*W-OB~AX< zY%Rx|YXM`HqTKq?s_9Tnf|g^>W}$SgbCSu!Zhka5LL`s>DYf!Pc@v0P7RE_|?9^Y2 z!F$l9sBRDb`2uHGm6uR8T^+{|6|5JA45Bn2j6PQGaofA_OZDLexRFdA@>&bYl6IjS=>nZcE7+|UQJ-f20B%6Qu* zQ$+za5!7YfG~~e>a2v+o!LH^0u8`QzUCPa5vvgHmmlrf=L!p%{O{}(A8AIN5jy&G5 zU^IFfO8f|}LQ2sWf|WFMGbCPsO#s%qlXcx|Yxg@s>l(An^oDXc-EA(bDItpT8#t)F z?%Zkkk%V_8+IGcxRq@_^Uv^}{J07&c#D>CZN=QKKm*Es z#t@=AiQ7#m#~3q2Udmi#GNSlqMQe=Z0YWvUwz=oEw4E~a$;9R@V%IfH?P3|+l1r;7W=MJk) zi?0Y}7!Ih6+b~4AF2#574fanLJi0v_`|N{kpv9ygzp*N^Hb&p+O*z2qVoe|D=~k$f z&mwczQ}Xy2-)`k*=X1)^1`Ym$_So$AG8O-Hz@~(R|;F zRC1%4`B+8SG~HEmMwI%>1MWu=dMr8g?W8S)k4XOPE%Pg_(4t6*mu5P#zkN{MyXKw& zD={^q2q2cEjC9nV>_!?xK0cjmxn`edVV0R{LIu7uYUKDkW}zk6-fH_i7MDHt7C5E%n9e z3)227xbI1{DZL5k1>Kp`5=R48I~T>@%GOand+VN*Cu!bFfw8+Mz8N7 
zOu@xRoKgu%Z)U~_X<`Y>QJu)Ws3>;|>~;8_h$aRkhc3s>!%qa5{ugA1jIZn2bCB#& z{5P@(`zCCXj z#v(Ll?ablO7>c?0y_Z^fNFcPE<139<0cLl@k@%K}RTH$HJ1`-`t+E?Hmee|bEi$z3 z<{1s7EUpM}TQ#zzTM^g7^HgTpnW=2B%~A17~8IfHSXw z`LM0x;XLPBAmo?Gn#z&@xW8q`U;s3} zd;+hBD@pO)$f}VGHFlO~VewMfK-w?<;=hT?@Ku~^He29*YGB1xamEojk}x;C^Lboh z3arP?0}~;E=dA{J&CXh6ad|Y&vWEB=1P@yNFzqn50Dh?P8nVIkde?LOtv2K4%vVTQ z=vd(5h;4k?_o!^A^cs9hxWFx*zr`Q_3G8Wjc-~~?2)Iek@W(5&6j2OVC&4xOL?u)p ze;&@i^Wq$Q(rT|q*qX9-R#onvJXY_BY+r(BEP~?afO3a4F|G)JH&0QNmjC;K{b}@5 zpzu@oxnRD0N>r$!zpeK?W~(f-9C2SSVa>z@Rnjg$-+2qf?V)n8)UE1IU|jScBNCK# zRB<7LBtO(A>*2OKWN_Bh4C#xF9g2%UEJwR1vj6L-5H_<9MoGWCV_<)PlL(D2M5aMX zSp+yeN`XXWunH55D1QPh!MilCZ-cK>LA*1a%B#hf*m&6h>#?pb=N#8-G-6)aZ~zW* zQD*TxOG;Mamik+Zq6g*zH#wydG%MS2hi~TZz-jY$dHJ_P&fWf-;fxGc^>KjVZ^PV3 z>r_Vm6Y7Tt$sw@}kmRsMsLGK2zmC68%wf|c%A(OT$K*_94X&X*97sHnCQ2#Ji~l(I z_sfWH@W*AEx$*(yW=Zh5M!o~$LH~NeneVJd;r8{ShRc$lZ!PN*%cd>l7Su7=0q}ri z&=P(Rl-n}9eDRMNN`4UQhy@|O_daV4ae_8aw)tEhZw`;eKDXFe?F#s-4Spy$nM=`AE)zLhVdo0$CZ5^9a#;xM zza?)uIa6kKULsha%5wRl;zdgke#q!{Ff&qzs!E%@6J?clFTvww2bxL_ zx{m{}D173%mzUAM;b=Sb$&LpWdsT#c%9q;AI$+^bn@rD1I)axj76&LfY}jwc^GO=g z*#~vrPceBZ%Bf>Jjbp!}5>88mBKe%&(pV(9d4mw;D+P@gpx8L33&0jnq&~`2WSDEKZlJ;u?|h z0K-@RY~aC;GU=^BV7zK#yj(1zf2PVoHay{1YzfV08o_#G8{AlzY32|^?Iz7PQt~9t zXYpxMPIz%s%xGrJVdU#LUFGjw%m)k^Z<&WKxtRD6ACV@zBfe&58yl;6LJpmM$*+Sh zjUe95*1Muc0b+yfkJ!9y6{v{?!hnU_kq@YG+#ZcGhL0iV*@WVf@idM%p9@o`3Q+H+0sDruJC|gn+3z!nz_{*X6cV+L?gtpRnpXpB{glVg^&++ zHl6Nws4iPoiZxh4!hG`1v3D9J_RCEnyf-6@Fp?$pxrv$3s{(^9{0RmorE{JVTg-tl z8>S7wVD7?FDtDw0u+iAKaW5o$Qs}(Z94`?gf_(%x8m;PxA{wn~0Q&d^UZ+2um&Vcg zn01P-Z0#4DO%$0#w=G+5+UR~6zNPOM`&KZSl~zW5##z!Fqg1vkvSKd~4JiYLLntaj zgPZ3jLR*Hc`nQGTUwL=O!skB-K7YOUJDI-YMgsSDGX27{t}0OZBJ_V)i~f!maxAa) z+sh(`{V6dkCg*9t74Wn)ZwllIN|OdRSKqLJAR1WnaY}M@igMsVGDahe! 
zvb^0HzC{7whC?9L>wU~sI{kM7DNvOYM8yBM+ud*E8spx_(01Mfo@%5I0%j4`xu{9} zUKWX?9+=;lV330UM2kLr|AmaJedB{b=$gPm5#$!-`u>M^pL8p)+1nm3d36o5IH}VJ zM%QZddvtRqH~6fsefZ(>X!c&9x-EU<{Ah#1kn%0EuFxC?8U->AN3ZGkib};-RHl=S z#x^rIdWT*=Dyylc(^Z?q<^4a7s7g3bFMe|@YIrZ9<-<{wVauihtf$zR6BKePPk82{ zHUgT+f~b_1B>3Cwp2IrF!yjPCvaxW0R%M-F68txZ4(p>>erYwprwYi*Zi(B4EU~=} z$bSMn{>SrT&~*tu77rBRZ_xtt+oe{`ZZI{$z_!x=w)T`HA|70pAIGS-Mz7ki!;28M zKDtq;R@}k@m)natmulxuXhYIWiKASbhmuOVVPm}K#1YEYT9&aIsHoqNxmnKN_e zyWd^w{>5s#tA4ertE--8@BQp;_=H8<>-x<-kwe9Sda#d=_j#w0{)mKVmncLxx!;zU z2$>vrUUBuks&f6qQapw$IM}v*mhtwWN;-oGDljtuARoM2(CXJFxEFmA4FAhiNAyf} z7()!o-Qo~^hMl%0%*)7M(BPeO>S#gqs@fo*v$dK!9$bw6KAhSwC<4JvuKh5lRTxU# ztmo+E5m*wmUrJx1AP8%Ba!*!4)qCJ^z%e?&;4~?{+4BV?Ye9Bp4F}9xDGwNpd3TH1 z4}!&Hz>7L#u$G|FxF$>lyEJy-${ED9r9^Ts7}!7fs$+#ynaYjB;o|9jSF>0}071I4ABu4Ulk4YHd~bB2)tEiYbFJmzkFobE0Bp4b4x z@^~#=9ts#V4wW&Pk;dd9im8fF9PCe(xcz&TEmIt71y_WGI!WIvONbdE;q42#J zL!NZA2h^3*uX4|0WelM>`{HuCaAS0BZRj4v5<=FWh_1WTD`%9m6CbS zH}?mC;Lf8-o)iIAwCV;qrLy!v$7;hmbX&#FIZ~Pw93m7f(^CXW*JQ>I(^i3m-j~{9 zgHE^}m6jUmN!1;w5muV@;ylz@Md-5eIwcRYQ{(m7P^-d zCLF;WU&Kwjv~Qle30@#y&yKg~C^Bki9e&mlzvnHfOO?+*ahea%AI9aH&cx4(hdL{-~Yg(DncP*l=;Zcu@^> zxXj|#ZfU}{@QN8*H=!)ypu;kgL38=9q zv234WX*l_)OD1!xcC#+03jg$d$>vrg2BF8CcUdSMb8^=deM_Ghnkc=YVsuD~WvpB) zpCVCaW}}Uev82guTuzkCd;6LqRncal)rswRyY)p+eufEM`RPej0B>Q8gh|fN4fgO* zbI(-n(p|b_b5CLcJt{3|X{3UCNVHi|x{SPN*^f)-k5@IPteRSCJ1?Y7ZuhVPmRVDA zIxXs`v0lhn0(eBX43{rBA(b7GrOTa~d-~n9Mhk!KsJBC~n+r0gv;ps> ziz?<~&`FW3WFv*@BmNz_H}a@UVPoZFy(-7L7I*y~>c?5m-j{?!+3+U>ipHc*&M0)Z z#;c3-Hx>n5bW6wUY`<-G+2|gTAJL9=iuWW$7IK-0KM{0(eD!&reXG1~V&-ro^?t<+ zp9|K>DW+l0UHuql`o|S17QBPaW(V>9;{g<|z)H7%$W1mi$FWvaq|xOQu@kd4|_DTPp_80VM(L%?d+)dy4Oc( zK|K5t!Gg?W69dX9UX_AA3?ia#FIo+nb7i%5-`-;`Is*D)KFhZzp-d2^C zaYs-~S~H8{vwl5E8mJOrXl13lQnhtn*K~i4z%>1@=I^gWqv%GXrvc$_ggv}7Ov>{H z&b7F^g=)ktn%CUZr@E|`suCI`l->x|k8zW6hATjEN=}sHNi^6W z2uJvReaZO@I1ED>&K5AG{`3Z7)7sF|mpRMw-|dSy@$($`g8mcEYqG<2If+ zHdK0ZM(0bVVc>}=sr?)LN#fUzcoeh((Svoa1M8X;{sK4Tf5$Vv0%!+kUW 
zlaPEGHcGal`Yh(HjPPqYZDBkLc?EsTdeY;PVxf}{BKQE2Pn%kX?W++vU7rGFsw7wi zw*xzI*7X2|((yI#CJupHJbGsLjFlUA<-F^Jk2vE$Rg;1WBI&%_cME^x4u1pq9{fJ~u=kVYV*axFd9}zN_wjp22*C-GVYGfu z>n`-E7t~9Gy~v;W``>X7Oz4U~~nk&K?rj4Y76O?^) zE9F#AY!Uf#Tc;48^}gxT?9W}dw!^|7e3$3JC(U3XKJ)$OyvxS*ol80f!;DC7_ZkVuOb!4EWHYc8 zCJ8u}2k7;{j`lS8_F5S{S~7?}{=JRq1%n0P_+~>urE4hx;BogVg2k7FqGb_0&2;YH zjdW^}plB`uq1qkHn+velNZ?c^>U^mn`Tfxx{F33}h{DS}kXop=x2t^$=ic9In2$A_ zLI}D7OQ3?7vj_r5LGWl|{u_Bn#g|!d7WNLYaYZ`noA(K#3fnu#31@8uMYk+)s{fyV zoqr*^(?7W}UE#o|m3sH`^P;@XB*(js!Q`1)$Rm-aivFl!u&?Z+rL32kS+FqlDC4G|go!Pql2N&iyP+XxdVyI>wb+;WL14Qp zWh@nfZM<3Q{>_}eyAf7&e6LW|P}v7H>~x$ktZ_!lnCV9ms+OD~@dN|^4E{iaO45Ta z24JgbAoc1}GsHm;t5kY2pq=o93}ORru(@_vo5}sw>(zO*GEc*&4gItqjsc|>FLU|k z!M>a=^x2vz-=HNuE!I#1nHIMbS(9$w(6;nUK zx(w5otBh8%<;q-@UaNNP=tYte){a{F`ueeQN&E>9Q{|D~0`n&nhE^obqv zjl+~|*Ky&#W2*FAeC`m1{T-+ew*GM%8F2;4fGD>rPERcA@>l=x*l&H@4dUF>K;7Gm=e#(B=`Hn{@quNWEy=YHjl_LDvHh(jQ4m|mIcoP#v5p*9>(4*r) z#=a(?9g@sQe0+2q)NV$?jwRA;Cp-e&+VjAm`n#cZ zVM)jwYC}qoxMdq?9j)8Qy^Q}JQXSl>?zeYyVM!EPkZ`1EkYIb|DtL!BJcRM!4&|j0 zar~`W4B}oSXd&?z$zj_84+)<(JOgb&Zre)Qg#If$YApZ6x6rgoF2_H;H! 
zDB6}8!2(iL)UoBL9OwpCMDAFUL0H@P0Etp1hc^?s4EGQmAW()K0<;Mr9Tuc(BM^o@ zfuc(sPa~mB2X`t9dcL&!IuG-A(UeZGW?g*%F9&%h8bTs);{Eq_Z%!q$-(@2IgkTb~ zX)|XEnh}zWh`A1t>+8eYlomjvD=vjIegJ~tG-puUR$DHA7+gy;o`t|ON9dIRoetp#oD)~UUml|NZ{rJRg>?Z%lX)k|7RM{gsSDs#( zdtm^3`#H`+GIjF$?)UBylZ37LAF9J?UrW?Oe0P*(?=P-3)_wP2III!Qy*vO(lK{{+ zYVGL{>1u)8lMOJ$`w}{OJKhm6`V}nbLGTZG=awQ2Axby*MhH9 zu|dh?qgzzzTe)Weq|e@&1vxk-#+{C|mBup@UXT`@G8eAb*OxR3eyNVSCT*L$o3>0- zRmPB!VComCbWnN#ZP5_qj;0mNp;Cu@0tZIXh*YZL2UOxUl5680Og!GM<}&D4w8E&T`q&p)Ss}R_}+J`oQdTkndQQjp*hOt zF~!~hmh-g{N1ZvX1x>UwDz_V@(%Olu1XX%ZfAlFi0SLp zKmwL|(iGeJqu%b#u1#lW-VWySNju)+r_DCqR3spEVK1lak{|v=u8Trgg zoI7;940rX)-fqWRL)hCtVRBOWZj?68;|0kp8ZrEU#W&i5R>$s22wlDkcVOzB$TGB{-r^oo%ugWSm~-x_rgn zrMN*6EjmOnuKN+-yJi`G#m=a#g0~kj*WBLH;hVCpgHJ?+$=$nO+2dN+P9q(0@R*8v zM#9}Zy3cl=tG!(k*u5kV*GujSL4GW7w2jZBTm154>%#9>#Oz;+BOec+wr0C*nuta6 z4~P;e^?#Sr)R0zrAWm`gBzhI!gB0)xN}yMKF!Vyv@>_i8Ey*yYRa9Ca8{1l9;up4a z|17th`aG|55c#Ex8b4YUtQ$C4R|HvX1`|fQ z({U-hSkfb4Ick6*sEDan=##dOVl<;mup)%}HwW&GBj`XYN-yvyDy;?HNdyCa;rYwF zV9UO_Eq%42aVrYPyk?n^zP?fX4e$q{RuJI__tONv$}Iv_#Ocx(^8mwPsvTHyoif~< zu>Fqu-;(Sx+`a_4&{nHoLm{BKr3v_AbRyt@l@;p)X6!h&o$~S&{kv_veYZ5zw1=rri zOhbk8qqivb5ZR}eS#32~svWD8b;;nd>M(Kw$FI|EBn&gnV8!doKp|U9fxY&$rQM92 zA|94SL&BV+CnM)Chvqbbq2jqB32(r9aCI75E2pQ>z^};R>P8tLIHydC(eYY9z4YCX zQv=?10Tock7n_4k`67GWB?T75mzAD;AlIdo7bct1IVgc)wC>a<(oXmwQsXZ9p^kgl zOedb8P#En}Y>3qf{D1m{p&+Q%83RP^7Gs(|h&o|1c}!BlR^O`IL4E+5nDNE|r2*%& zzX7tsknd8|zX5R|OXb^g{{`a4{l(6IjnLiFXh8ov%Rb*UX3@(<-)55_hXl!brIE2< zX`%*2_n@RWRux{*PWwt1B_TJCO%=#4`{4-|I_6*cMQz^ zTRUEYb>j`k>}f{8(e%R0FY3IdE~(wxAdm}|ce_nfsMd$2pqF81h2u&yDA7WRDj+HJ zzEyOtS*4zf+Qhi_+oD5Da|ik2kkY=CKIH=uGXJ4=RFfKq1I`&(z4dYSxVu$+YOTF! 
zk-oG*x~w9lmpIn=byp6YKeOXraK6&Xeq-DaHe0S3@j;aVIoPloetpALVf>iTAxICly!az)qz?y3o~6ri6CmDt@m7acb-?E4VG7{y1iMk;<4j0;kG+=BHXTR}zoKa(G)DJM854AwMi4$9GD=V09X=GX9ZmR`jt7 zuG03p%5s_}y7%EiO*jSDxRq`WONz3!Q<3HIQliZm{wU-PGK!IV4O;sRp#G^I?CqQo z)v%U0jF6|af1<&jlAep|_;iYpx+Hn=BT7m;8p5vA$paR#kr!bZFO7#2Q+a7_0a$Up z*x;)POrG(Ghcx{I+fMeYlc9R7j8oO+lgyUXCvm+$67$1uU{5NTp%Ve2XmfG%wR3X9 z9CjU~sXd|ZixbS=#(mF@!vQytcu$K0$K)f=si27p(uQJ-^A$! zn4?Kgczqb}$E1ioOm)!3mWtId8#t~A!7xUI$<1_P! zVH;#4iJ-o?s#VHv)1;mD^IhiFMds|g)Jf&Z3SUm#RNwhYEKXcRA7?9UO(u=+UN)T6aiP#b&8axcjkijyJsX}h4rJ+s-UcIz&COG@$25}gUF@$qqkJ^#2G zikLth0h$Lx0;I|#t5hKa6`^b_zQ*_*#S7zt?}z*CxuoPvG%u2#eVj;oJn8WLbfBVA zGs(W_c@#%Q&TCwtMw-p~Hf|0CbyZR)$3%4@sPN^(J28 zHJG}hEZbkF#d7CGP4H8VOz%1ELK#^;rA3>|1MA&ccYVKi5@IE$YXh@2gbUHGMNRz2 zLDM9c(YRK=;R~AboJ8fjYYBtzuC&)Dy$;?uw$kwM?0+2g%06&W%>J-&7AIF$nixR7 z&}brM#FNoh{JMP5X3GU5$I_fCH@taVr5Vv(-zQ2%1%r?pP7H1+k_th13X zBWIpX{djyls`+n(J*;ucHIZ8tDg3-N;{KJN%*fMq6T`k|@*$ z$9P$Wkwg&&S&a4hy;mZ-dCPOF|Kmiuq2BrQs$o?9xh4p8Ac6$N=_mdY!usPFTdsGB zp@CTJ_6inl%qOd4;_!YdNE)pbaZWl0LXcGJ@LB^FA(B(U&#X^k6c#Tqh{?F#Nw2=U zcAAI1_N_+Q5ayRj;ZtR4DU9|SifPW1+_$t!MFuf(xt5HC8a`VJeo1z}9(9Pu6jh97 z^40C(66oVKSZZg-Unj!#<;@4e#@W<@09^mh&kbO-hko{N0Mo2>@AEFh zT%{?zA*~vgOVbT$(wI%<^ zKv?rqRqb6GLX)W9r4CD3t4^#Vg+)OOh73{zOz5HGuTYM^fC@F{U&cIOfer(EqO4jHej-&?C%9k+1d_IFp~_ z13KSM@y)4k=PH)PIJ^`tZM$PAD6@L*vIdW_y0|W9T}v5rxAaoz#D%)v)6@N ztDh?URoZqr0gA$aj@L~ojF6@r>+*A?CIH~vvWK;vzek)(k7RwZB5}f7zDf3 zREy`IlaCYE^6*WBWWVybSk^Z*+4FohJx5VAE6mX*N=1LG_b3{hE(LBuIgn5T$+#tH zv^IRr|Ht`g;Kkg~yw_!BL9(FuYJW45%_2fLAf=;O&bg5c~$=?k>=9E71}JUJe5m-+-5`9eC-3re3)|(g))KM_?j>)fCvX zH8Y%VNnd0D(p8QiyhM2QBllVj{9%Zgo*ZD_{M5K*1r5ReqZO_H)r!*r|M7x%EMu57 zkwx-PP>KM;JX##!#h)`W{}wSd`}5?#hH$-aTlerdZkhrln_lLYw@ibs9HGCI4;WZS zEQvFjQ&jJwMvj39s`SFe^*z0IwvB@?w43BvY}8R11lxQ5pC`jR^*#-2cgc4+3uLG- z;w69i(#TdfS?XM%Y>|$mlzD8x+s#P4fx+0Lu80R2#mpF6qix&^?z2!{@sfY!RQ`tf zoH*&qLHJHLaQ`lsGGLX#svp3kgv1iGlz?ESe!{fd1XYJ<-%8i8^x^*F zuND0z$YUaJ)|DyEX%VG{t}o5uxFTw&N3`XcuT`+0FH4TK4pBONTeHUEh0qhD& 
zBk9yZj5K!Xm~b6V@W=U&3hpwhb`WTY+QZ*dGCvDD1BF!hdm!>iGlL+k5&Z}-*tt9f zq{bE|fETY@ih!#JexUH`fBRz~1`z|O;uZE|(&`Xf{9A^8`1#+Ya{qv&{#CRx3PRxE zbnu0URb7&}?TlfvI~XvCg?uAUqqk-j42jccWUdBqNw>dw6@If{iS8hOgSRb$(QYy= zNda@hOhg9u^`Y4se;I4cOe5w%k9ui+4TBSZoJEsin_=esTvPH& z`>`-uH9J}g!1avk(&*|PfR!;{8jIxe-|rA?wh^bImZ8lftsE%9V_2bij*Q2){>GiR zxS>Jf%l)3!M4`tqzHAf?p-w18A?MMMK zp8M~{)NdeoyWd>|YAUcAOrx3w6Nd*ncc5dh9q1X>`cA`Iv1N&N0ep%a7+@h&XL((E zco`|#&FEqvBDqKT?2$mY<$wUer#e7nQ08lXi|XaNjaSOz2regH2hx~Bp$pFcD1pt> zBnn#6h$bNq=%>njW3I1n_%Q3jr7YnaW&tK5fZ>lw$toO$&vKN|RxhcsHmEp2(w*;6 zJ1K1!>B+ickg*&dT}eFKjzFJ5>1{T~khgH(VGbYyhn5O1BA1~-_9+JE@Pm{X_0ub^ z{x(PGGnw%vX4c+yQ2}EoV0vutZr_IDS2jZG(n2JfnQ%xKX?$k18MYyYR;qhR7)X$~ zTuFCjywny&KX_-Kp6?iLWygyP74GLORoQV0iY%Tr)YI)h0i;ZXOur(BN(E@YTw2J6 z<8m}b&r)K|R8nf`e`ow-iIH?2EeGbwjnErH}HyA#t6(--Ya6NFoqrN?6f z<5Pzl0@Hm}de`1GAKC)mo81bZ@Q@ z@yj3S&m1-g$kVHyx|o^Z3=o32$ z#<8o?7Q!hlXUGmf}(w=xxCxm=v7!xy=HKEJ#3Z>l*YD3Y3A7_N>A@yFKu9PXL9|8Mr zlJ+PP*P_?(GgQ<+1t_9(#kE{$Q~kN9`uj>thaym2l!2YDL+VrG>9!`l-aXVg1OQCb zUiEIl?{I|woBr|c_rI*7|7!LR2k4v-ru;|~Qt$n2hS*AewpK4vOZe%ucBf;oxNKok zRjtetO5s81YEz@%*9;|VOPY5nP@F0Sz>rFXJozjr@C|x0Wic{j3L<;;>DF}~Z=cSF zq`O(MmesGw+1c1a&?Gybg+i_G%^tujf>5|csj*G4*!`kL8@azlL&|m8J7SvT>xg$u zSDCEM&oAZFPEG9Nmat@8le@zfyJ9zi9yb(2YjYPc&r!rsrs3V9=CX>JfIJ3uX(El$ z6_Qm_Pqg^s9Bs&5cvjpk*tKSq)~tOg?=Z3|&-S5O9kS+fmvK2W%OmNqWJQ{WcGk0- z@&(f8m}Ch=Hepr>4c}$52_l~1t}1?|q)G!gD|YmlxO_CLW{P$mx~DVT>CjLp){CBritykJX4zFsoJM6+% zN@LTF_vWGpDCF^vQ)Js|Q4|#5EDp2JO!i>ruA3|qc&w^foB4oufH&<5g7Z`9vaH0=F z;1`T(LTaAl03vZRaE#C2*@2n+=-^yoULLC5kN@Z+C)8$k$W@PUmS2uA`;w~`>nZOW5*1z* zLBGxlynVo=Kl9Rq1LX6Ij2u0iyPXr72GiI}Go*(~Cmg7v_>Q$aJ? 
z-J}SJY9DsN>7@JI7sJewk9M!v5Q;%>Cgx@%u8-Ghi+_CGPBeQheGEO0>G*(^CmoO0 zoif5DDV$@@Lu_!}Nr5@?h*uU5@r<7SaK?^L;?>FHo$Gl5H<{{*EB>i0REijyPz96?TQb=|D;)- zhe9!o1NBadz4ilQ-9X|@yzOQ6n=alBd7TUZWE`;z69$%VRXvSMr=`W2XP;u7g%J$9 zRokyWv~{K31L`FoSu;iLE;w}h)7m5_Zq;?ZiKz%m})FI4ytw zSoe9<6&EqO9HIYh8n3FqAz3u-s}@~>pvu-&4vZ0$%?OEb^7@YsDDk~SKu2UH6z>ykWwjPY)-qLWDmj?*Z1FrJ2Fn}u{0bz7m%>quj2`QHE_8aXfLsh4i1v{sSbX}hV7gk z$L#iOZJFl_p-7(wOI_wOSeVkPnN1enz-wgSVo=s{nrkVR*uJ|2+vm5pOKV;l1!^~4 zp95@%nIDi(#2&w5C)w7YgU+_0i8Jt?_Kmo@ixm#S%D*TZ9ZeaRJ^iA8qqtj%=`xec za{WQ-+i$=QhG6cF)M4MiX+J7e;lP#D)w6xtit2+p+2rAG*-jsD(+dT~qp|kWmXoO! z<{swZaVEHXOrh$&W*h(Z=-bV%c1W(Ok?C0LhiQo#2T!JFV%B$D8kF#qphJD_`fSqk zE)OEs9gL*wbM!w}6UkdBX?ZfS1OdE@2gLDhJ5onzME8#G%YzGE1t*tBTbFv(fpNc+ zq?N&THb$?k(E}OrsyU#vLHEVP->$6M{HPbJpZRG#UYVhJ;Na@rPx0*$z%P8Z(-YLW8@Vjn!U< z>Nxh!UKw?7CnoaSv?j+CE<1cPfXi(~Gw~c;0GU!ORr&a(4R(@$`bo#^Sy% zY?#uBKAU+hg1Px>^d8(=6sO*cN&g2YufWGTBiNhVOKV24O&F^8gCq8DYz`i{ zMpYe&_#+kd;*3kZ$v6ZeDb`+S{Ly^EkcrsyZ*gVd|FdC(s za1iFMQe+NO(8j4kf@!cs@&Fje`s(Mw1?1KO!99k-TVVdegV9g5rv{!!MkLQ_#I`ZF zgp7yxste7HVFa8>Re%q35Or=>4FIFIt{6bAY#w;4Tw-Yh1GjGCKxOL~s02AASp;LZ zZhJv#*LQZ%;{w|SWP1WEL4^AUS->?~-LC{L>B`f9pE%ODC`O;1@0K(Zk zpdm1b3cfJC4FYu~h?L)eWe|w`e_~yN$Z-zF2+N!Yl9Bx5`x|PQ{laq}lp$^XB{dsZq0Fp2TFLCdJH~W;nEg{8Lr|C zsajx%iMEL4CLV{9lT z!JU_={425;R#YU;{e37J%R9Icc;oV^Heih=6zY*IhD1e2%E+6=;sgl-ELD)yw-*Wv zeW_XLv%`^cRLPbaOtKv)!c`>Do<|qF;vs$8q5x_r zCj*0+U~`)%-FYO?>;zRIkAAvGhU`1|7)iMn zlSJ`IBXhjdLJw_O_|mA+;n|G@eHeXXeimykmv`g$QK2ubR6fC~-YN5?A#tQ#R2eo? 
zFo;R=USoU!3+bKLjjgWh@7vgB|ziGo!hv!~Tg-QM-XnItw=JDfiSEY4=XA}A(&z$zWGDEJ}2)%nb*I@_*0ynH))N6l&Y z+~`!Qa@xy6x?C71Swz^9R zv^n@;OMswann2QkS1)^?T?%XT?M_;syuT;G>tH;KP*FPa+PYQ0pF8I$nXyqH+h`Ui zf557*$dgK3S<}}b!4#ngPY!ByCUZ@Z@I-VtEI2C|AwK`OpDzbgIA&sUl^C*|ocsoe z=u32Eh9_V5Ak6v|0ZIiMQN@a_`DOeb6Gr2mraFp_%_TFg=*pV4_ zcuS7G@eqg`SP^C5?f)XZ-MHc{m5$qMob$PScJVkM&!es9Hz4(r>d4UOviv|2$w*^1 zP1D4jlGUne#D1CLrAevOS&^nRtn)s<>U3*%bZ~I2!v1a40BAC!fnwY< zHXsU%)C*JUgQ8gxDbj~f1JA(u3TQOC97GS^4%#h(Ljq#JGcw>d34p{V{hUl zspW7atszASs!KrTayk(FlG2uUKV+=vUEP~k-Y6_$ETtM*QR+LfVe=n&HSp-FDbv3S z@l5#dvZ~1-o1_;jc5Hq+IKC0jKihg(?nXWqa2xZ#eV*3b9GK&6f#B<1&2-_g7El>{ zHP^o$Fvw2rn>i?W8ChKP=>h&YT_Gw50i5tceRm?%Ztal-0{!)jl_7~Vj}=MUY^uI3 z;d)QHt@+0wguLx42Opm{Sun*HWjyxoRlEw=Ba$Y86D(^Cl<*<~P#hS$oTP~+c(F7! z%HF87K%U~01n++P0Pj6cdeU`qRW*WvlPDR}RU9CA)vLn$m}4o~61l2Gu1O`5#+ag* z3Vb_ddm89w7fIGaNSXHDX#akqR&HB1Mi(X zlo?|wXAIFtHXf=J*Rw||C2|CV;1Par7mZJ}BQui7+5S9ap@^v=9&1dwWsp)3re{~1 zV<6&%P;*=TZV|e!YTq9#c;P{2Rv&99>&&Y(;CBJG9j*W}yDkxPlUs46>l;f%od^J%OE2GYv{MM8FI~+9?_2?ys5)?d7wV zwuue?!%b&a&a+w0vy;v~BLX?>C@TM4Isd|Fa&qyf+t#m)Y?C&PNu6K1`Bu=abL*Yu z^SuAWh89x3Lpj&QPNyu!ke-JnHR}S3zCk9jb@Cb%o;$T&pT^x@nI3`cQ0=cl9O~`&~RnPfo(}PgP)ILOPSbvxl2^&c+ll z1p`M2++~E|M>SF1D4qHV$FFe&@lI@R0UuWGe=0nFJUfaeNEsY)-5{EF9tlLAy>K_o z`T32*0#o4a50foO3bbBMG%S&(vVp3WLc$$o3_X1RF6BDPQcZdi%Xj&yd{QS27~a)& zQL2yxb24(SUim?9WjkAan7D>*HS6TG2HUp`I@MNdG5N=Cx^nU`s* zJHU}?Y(K*;hg94Mg>_>qy%yy!RYRq%iFJBdCY@#s4Mr5|8KZLSc@|ka$p@w^Gh@Bg z!s*EuJ0)DeBf}c$n0|8^L=lfdF13V~LcLMpZanKdsYx|Mxh4Robn+AIF$vXVS7@Y3 z@-!)w3)DrZSNo*XGsVxow#V|(aZpRIMosEXD#|D17>pSjG0COTMfL0G_rjm3d+B>( z6I0+25-ZBdlc#?(7r-3I=!yXmW7}AsLM{0_j_Mac{dX!}W`2d|#XoO8@8oJcdD%RM zs{f75Vmq926~>OXZRUN zU=49E8s7lc8UZF5INGX?9U~=+b6s*A51_ey0syRCuzH4kp6$jSvMW-C?P-czrbrT$ z`bxb^gyS12X{CP?)^}GWD#j(@R~GAsxhijqGj(NSq+izq)CTT=FnE8NGX!v`2F5k&s=pHP8aW&*LV;^2KWulrlIC38VQ@(a zK|K5MuY|e(0#P01ccC)bIu|PIvauVg>PB%gsIsh2;n#+byToWqJ~Sauv5nAmOd<#B z7sTuYQ;CWtj3refSgm3udn%hFb$M@&i=GjF*^u3VQ_q-2JU)#SX3>@BDmc)#;>YrD 
z*W~L@ytn(wak=Ww`Wz(7|AjMvwBVuW=uVLLsDIq+&MXh_eq(lpu@{jn?%J)1Fde_v z{uxa4t%CZEJ(S$#Zd^Jyk}V~&DP1FJXvE8jmRxKYuvR;QSlGzb3W@}HQRuN9sK0qA za=Q%nwX;t}cB?s4beinYCZ)tg^7d=|n*=)~yDw{1xivP-mBKgpl5F7J$;vv3aKg-< zR;?Jd*2x^(P~t+Go@qJAv@AL5h*@dz?kD$lQ5B%XVYLUTd;i0nMI9gW02(g$4k}=h zM2vOPF1Q?S{fwiX8|YlQit>|?m`2ms%o438Xy#23XrBpUw6pGUYrul_j!;H!%s zKt@@f2!-k=>nrLth?G>~T#r*hY{O}LLRAH9u;D}%aTf7+Vlk#daV3<<^~L$~bwX{p zHh8*xthLzw3Nk~tK=K6%Dy2o13OF3NWxb*PCqyGVPt za3~jMLur}CZKDbEwWv3E=}MF)h!!1KhiUSriWUL6TNf+Z?7*#ji*&D4c+YEMp18Xr z4%0?p%)4gBOV3}%*XQ96M!h#&ce(reIK3TU?d!<1wtv9E&9WEv1PeE8P!r>(IfmPA zS44=j(o_}>dx;qdiopJedlRNf@m%cx2B+0Tk|RZgr%1F@UK^2bL?MV)O9`X-t`J_$q;rLhL#fb zeeR}CMRs6St!t^1nN^#64115nP|6QZ_x3w^{ZKg{+smfbj7o+1H$FX^_|DdPBupex zTfjVu+E-Q5>s*;H&(hHxeXC{mnvn#LgY6~2M%6DHGk*4TnCtQRS02&*U7ObmJ9GM8 zwZC4SRH{`p+aS|hr|?u>U$;9AIGXKJGO#6MWzI$y_Y<4p2I}>{nnjv^%uUVBUAiJn z2%C$%0eO_s(UV;dO@GBBJl-nYs*6p>`1ZaR>He>gJ3)l6F*Bx@i}w0b3n#Z74}a9I zsg8fY66&~9yTJN+&r`oPlC>dRh*7@XRYhtpdT;Jcx$kWBvD=ru3PH`15?wT^35b!`?8b_&E&=2%J057&(ySD;mdB_ops5q zTQK_AT-8)>q+7!|R6g{CeR6P$nX4XzW(;-T8?VOCDlw|Q;@oK5I$1ofHwCc+ zF8tfiU*Py>0mv%Qqq{e$P$qXmK7~?jPQidlQ;mLj@7>~LU6H#q-^KkFl{@#kGeY*r!#H1C5D&7Y0hi$}EXl4y@yfA_IHeO*mV6CR z;ps(ll7E#0FHLu8_lrKX>vxo95B)@ve_Wl-UVo;Iad>y?a>D53pcGyHT{eQUI1yzj zbc*VytwlPqL10z_oXOzTZsGV$0H~B=x)S%bzj+zja!*xFZ(ZhT1g(W&;fkh-mG-B~ z;Ny4_SAvrM>}Po! 
zo2O&{cHZ}|q2Iq4>(&0bVq|dLXP&TCg_%ktR~9_6VbA;!EUHCbK=SZh_L>fUqAvt2 z&Jy0Lfgq3b)oq}6?)h0K7|I07yk^0oFVAH2<_2Uo)@HzLii5WAcYMM5K1bJ85Jf#q_Us@_%#$|3@36 zd`)@h>A@cBKoh0QxSUwlNONQaVAvheUsLuZQ;fed;~-1dhea4|81Gs!Qr~N>E;f3KK_f=5>XXkq9Xcg0PqM;s zXPt*REbsx5+#CN8ybl;JdMZo%IXlmMMI?>pdzi zKhTK0e@X3S1G-s}exeO_DE=V6R0K`HUW#2qdC@Km(D+0-vlmup?NN;YBW~Y;pMZoW zY6s^Jz;ev8T`$ZVQCrR9g(^$f>jfF<<(FdK(tpF{G z9||N;f`e9^u7cRxim&e*^DFgjA`jrCf07wsCi(0vXSYRBSxX?tDix!PkfPZm zX>L^p=_ic(b~B>3oa@F#I|bn>^xGW5=NfIEQ`?14ba|8iM||266T*QXK4E5=Jjk{Z0vnbx{a{dCo_14I z(_$oXDq%=HcY6JDUDcPyI|UnuA*7puhai>sacJ5WfUVKLnHG&fIBHb>1a9L+>DPXV zUe^HiLE=70;}tKfUz&KhhnAtA*+J!|Tb+9(@7c2&q$iX_avc{{>`y97Nl3_q1jx}< zv2W6!=jX26cUf`Y3tN>(bXBd`6+T}Z>N#4#6~~YcB^R@nwzK zE$8lviyjp)pQ7Mdi0Bqcc(+~I zh3F2Q8vp34Lyh6b*8-2^3~AtSu4krDrxXF$k=O%%^HU#b5+{QX@G*#Y5tB}Hdl81b z3`s2}Y-b+~OKwW2@7?ZM}V>$Hx0Uu+}V2Ey`b`s#O%n7J&b zzn~+YCh+;k%G-m?=jTeq7TrI0SB;MjqUXG1L*ULys zRT}AH)ZOB&ie&T}?USRzfgY>!Ml@tCK4@Qj(5BrycGu{R$->!I#C=K}C_yAu0KPDA zVN4iGqvGT==^YjOaj2yHu0oFpkwCNEcydl|c-E68tNEm-+D{Szl4tVV|Nd?7&mOUV zbX9|Hk&~Q|psdw9FWQ+bxfWSu?7XJrl}#hO+Hr|m;h-IL4*(GgczOn?l`Js)0iwi? 
zfz6vSpqD^AAq))xcemzWsHuN^LL<(gG~sH3qWI22(2;IM$_1A`{a{s&6k|4wzC#vA zMBfWAn1WOVg)u<{^=r+uhhMBDK4VGz0>=J->~~22m>xk@tYIOgV{!?j99?&aSLSFx zR^ShEhi?dF7FO;ojeS$8sh=(5$=qE#+*jyU>DvM}p=`*tX zqoz!`qT!d5v#2U|Cxb0s0qW?n%I!GxAxNKSR;5JPjDG#qNIU3h}H_u?A3JiJO0V7!;U3sh+;WP&Zsxp5iCtI}~b%h;br~JZ2KFU42 z$0f0O4spzU{_F2y(CSc7nI%hpP^_IH&ffZ*O0d}-l^S{eR4^YEoFNRH9oPRJzw@6r z*OLIIUw=D68Ndg6F82g_-T36lTOn~7^!z~`{Xyvk-OA*Y`yfnA0OlGYligW_Nv|v` zb(jTt1G!;!X3?$eRGkwRXL9RNi|jo+Mk=o*w|-s9MI@|pIBz}kKHNNH$tV0%F2-sZ z^4;zF3k-tdD-1MbY#4V7856WG&e;x1mB9f}2yP-Z$%MsW6o-L=8E9fSRb3s}Bla$y z2_rRXh^vv@@k2Mx9Jn`ODTp3CkkVc=m5-rJGi5{?1qX)`-x>-8l|xA6oXPV{WU->d zHLF@7a|I9vQ^%*<5Te#}+dG^NitKWnOQdOrRDA~=Z-T?|S|JP;%*t3}Cy-P>H9Q<7 zZiLP2_>P!^SQ9#jzMLkP_iT$oM9evZ9gDT3%_F1%I+V>pb{{T| zM%G;I{P1yU!w$%IeNSXXl|X-SPBZ2$neAZ*wW%gi5u2%o%7Aq1HO@2^7~+#G#LRqT zO_K@6FA&uUV|YaEF+y#E!u0mEdBK-hlqUTMDcet!&v&3~9T~-0s(X}puh{$JQV&sQ zl_$|gl5CbkPG&d$^-`qqyVY~sIjvf>@Y4be4bB_^19O2Y*FD(tx}Ta4YvUUVx0(XB zJ#Q;rS~0Z=>GW)vc{&J7$Y!b=C?5|X4KBu?3F4%v!~o7$zA4|;jI^xqIb9tp9A7uD zhDTQFtD({jrXy#KCr8RRq~b>y-1QfCmfaF>(14M`8>Kv-qoQpGZ7NL2eL#mGyQ?IT zsP&rdf@)c!%U!?Q(_J1B>t}?_RrY;asKw&PV{r>42{n*hlWk8-$ww11T=`c_jCC&}d#|t=nK; zNtKG40+SLmqh7F`77YHHabK;yFJ#dC)dV4|>%vj)_<-)tl_VOI&ZXT#`)l@ZP|3vd zLCVDm(lsy6@<-^wsevQqk z%)eL-*Pss4 z$E7Z}y=T~3!5V$%lI>*!m5DlnvWuM7u-C2bY$b#@isg127c#8YX%y#MH;cQ-F=yuO zW3+QcT~^AcxhgASYpU6E2gWlyH{x{n^(RnW$T8cY{IbGC4{a4w?$e&Zl8)`BVivSg z?`zK1#=Kp%-CK6$_Tb2WJDzg?F3zo*;cWuyuEV1jmJ~@5UWef&q^nH6&f|-7f%`h2 zl(X5IOt-hT_H8^TEwkQ4o0K31_epPCpN-X2xquBnw*U*^^f0QxjDLLr=K`KHQxI6+7@pqT0C@Z$^d}8 z2`+lr10q-F{-{e?cdSdP2IaS9Io745{Z*H;%QM3$8ag77M)B~KxVz5AqKc2^0_r6S z#mOCn-`T-w8SsR8!**b<55L3<$x$ku3Mlabd~O@JyA&C5@J`=oKNk^BBZyaKY zpRZCq`-O+e!t7Q(4&H*7xC64iRl40B5?RRHvuFsX5U(Xi5=4$sx&&Fv)^lPGb2i~B=l-HAhZZb?%kRW^(NOT?tS#*kR zjzMnAeCeGHx038qaoZjNjc2JJYN`a`lF|<5J>w;H!?TZRYWCGp?xj=7F9WnnH^t64 zUvr?nt!3t?-$RzPe@l^6eTl8cT>LiPmX~b0!);0G`!neeP0956vLo*p;ZdqmRYjOa znA+~goEl8TiN)u~?y@xlg3u(CWbk?U48=(1VC>o244$hQMd2cj^LCmRPMDF5gwz5M 
z%FhqTJgnjf$zY^oCYW}?y5?8A9APtE;ugl_`U-_A$BCvp^oS0SQ}p{1crk4Str5k=L|h zsBM8uhq$*{kouH!TeX#>uTMK_t(#~INBJ`?B&ha1Vd7X2AqOVq8n5yz8P2jAcb&FX z7o1%TlpLsMCGl}wc=T9ijYUKNGVm2JDu31OE~pZKAw^r7F3U_rel6ijp0+lXLd9I{ zDcsHl8Gy)=DVdtDy@b#N<4V$(CFh4)hn5(_zwphP`{*ltE_u8*e7lgsc)UU}`^y_6oMHdNX5bV+@ ziK|A22gEEpw)f%CB{@nG{M>8x2U`!){yD7CjgCdX(lH}Y*HN3iWTQdzeUA$E*X zIVOK)Xs)fEHGWjahT{0n&auv*XyfP{Vpd^U0<}TB1UjZVVg`0zP9MtyUKTIaJeCWT zM!b&gM=XsI_k#F_s0&ASm8gdVhu*7~5Wi>*Zayy~{R(jPKXgwyd?NRD6(KZJ-~R2@ ztNos|{cDq^y1M3UPSBvt8{ZTLN$v+KQE0F9>@n9%i79Gk3eChV-@Dv+56RwPmy-%$ zo&umq;4BSfRFkw_w5uK@3>P7$A4}{rA&Eh20ezem>LD}e5(@;xYEH-lvH@Egpqfq| z{oZ>eFn20`(VY>&-mTV6oVX3%Kn+$fDVueaFJ>f#Lu%Bc9#z}r-D`qV$w9Y4#PN4s zLJH;pqk0&f3&%QxXV?o1n1r%iIiOuurhAFujJw;!`b23lU^)ZvfC_^Ypcdj^QW*UC z*!|e!_?OK06GtyFgv644H}6h}QyA3S>TM@gG6tMWdsxo~MSBaM$0p4=IG}wIDPZym zD?4yZUjA{RF)9L=Qyqh&Mnu0em(q2rr6PEz1u#{Z>)|Eo!bx@tA}=ZSJNw`nH*<^_ z2373cNq%Ifb3{Zq5#}ew@TiWM!^$a5pXi*hOKGYcp!CQ^rs$?{=wVtIHuB7Li;nA? z$AmW*<*C$3n)piXWtfTxz4y#{>$?vgd4NV@O}<-i=Yq|WGfgjf7TagT-iTnq$xLD< z?4^YXJW$#MKl1Lgmg^bzaS`fsge6QbsZ_{1r?iRuT!m?6F0`v?0Tw-T3R)Lc+%-?a3_@n`Vj!`+2NoV0{4yz=4GV;K(_Y<_Oi!J_IuWu~`ws%e2c zWSlS6mlGGO^T$E|Bi;QYoE^Fyrvr&ugSTISg=G_BF!iAOk;)-g?YmdXHX4DuQy%9i zpNA|2Z9IEf$|}4cO{V!&1eyS9_7n0k@klrDTUbRxgjXNEnS%+hOd;tdDKcuk$We6g z0U?`--ZXbFwF3FpnFg;{PPnbt07aU|Y?IX3R4{faDitXjcT5sFV_dO*=rSaqDNWs& zy!y45B&UNe^vxRPj5AV6(h@vokPo%l_{k@mNFlXH*}ZOJ%QHB^p>L90Q?UX~<4;p_ zARVrUOA6!Q&~8e#rIABeju$&Dg`k7`(q}Ai;l0F0L(V3mni9>Uv>xw~7rk)X=RuFy zAJ!mnI`S5Nu4rq@(OJJ5d;z})7SPX2?PY=WRJzJGBE3k3$}1al1^0UTf|u?7S<35n z{fhOla0yBQ(#Dr%R4WId{@j_$FXi_02><=WquYgB5>1Dor@;4B8Yq8P_)Ssn+wcCv zAWRZ=DA6r3YrkxO+OhtooTnq6ue(n_i#FQ1SKs~>AV!_{eqZ<4k*S4t`00|c{!qI& zYbxjNhxAVjDtE0q3?k6<>8I1wt$%q`G|ly%?6q1`x)gBXSyS(HCfH55FY}S z5`Gf{90n=5_P>h(f<#=!-^Bpc0s1?j|3Bp}h{QP73bX=Y8bZ^k4f>ix~C`{opyJpHv0;kh6!`qLE(4v_S#{*%k)WuC+ zzO|Fj_e5!1&I31gNOIW3 z9sDWSjti3MI;$_f;NG6PJ!M zy9^I*$!*YE;xZEWPCja>g`puI`l>LXGs&EhQ@UQttf#N@;KX%?H~1ZOdwRD{1e3i3 
zl51g^JXCThazC>Dutj@pW4&VLScJIp{EkK|Pj(qJ13V17(ELL_Uz~`WA&U|?8$uxX zT9WoF;Md9-?XsT;S_IqTufMr;Dhvv2jh}w7T#%uMWg{wm-E<@OcSH(zE&(6y!5{-NCO_?PF^mIuml6I$$=$ zg4zsm@%fG7vFq7jkR0fXlYFbMdm6n*#l8F3t9#1SCUFigz{FR5&J3A*Ge2_q4dm`; zbGgzpA!X!m&V3{mXeJpdYnVUmY!IL3=6s_6ZV8EBAx`~f%`Powofp5zLqi0A{XrI0 zJY{?I^|RL4>}o`v?z{|;5gofs+F3AQ8sq95${Z7@OL38xlfopRVD#-MT z{RgWJXEYPs{XbrGrG34~;d(01sZ)e41U<;81}oOn?9_COk-ttYl=%T|v!By*JtIl5 zE@dQ}cEK;5_D$57pG(35o<tWB2vA2^DS%%5N)Wx~;#m%|S3` zQZs+ynw*->;k?t8eW_bT?}-ninSTB}hE^Ukm4-MEtvM;V2!MP?RMlOrVkKCYe7IZR zIo}m?KBh1eaiwsp`s|ZDBjIrI#mTM4((Z{w&4P`RkJBjPX^U(ee1qzR&ufKfMMU^f zA9tHQ>JUFp<8uCBT6CEoj~PLL^!^KKUtCFgzTABlCnu`M(~q_W9YWSJZ`SBr??)${ z8FN`JA2}pt7``M_6?591n+@-(l&Hs6LVg=A+T)*I1diWba#m`z7L#F~MMu6?BPr^`Rv|ist{WOIo7md2Y8j zNxWdeMl$>&Z8ak15*p0Mp^c97Nan$>z;NY}D`IJze&mDouNsu@U+z&39U$i7c1n&O zXg}9Z{0oki?~f?g3>m%>&A=2CTvt(x>2<3RHtS>5;`45&O1Jg44F-b}viVo2zXCL1 zAcMX7IBRkNm?Zk6#O%4UZTmxzd>fFSpg%ozoSOMQ@rh^I7USIaijGq|x3T)?KNC&o z3cgIip78)z`P$k0g6Lh2R|V)@t=|Q$;NHKhSRqWq_Se9o5eXnwCj!Lp79ciIAOR>+ zVyV3E2yF!l{z!fWVt=5C#WC=r8dil$viPJzJbw+al)`k&V)B({+P>AWBk@=)(t|nD z<2d)M=g}u!v~)3I2yU3WZ{nJVPGXdT29s1jx|4|8l zV9YzHTHnjBiWIh;Pq_NBiux&@AZ4XU1-#RSumm9KtB$09#U_%9Td*@}*-R!XN7lid zHESI1!G?Q{$#}sO5r4ge-Qy-i8OjBRmJ_U*Qg^OTDOR=u?$KKv?f6n3Mq6wpQoMIT`x3iy1GZlaVr|`Pi_#JB`Pm zoxBh%8Js5NFy4Tv_@35?NriJv-c)jwq&qMaa}k~tE0zYQFr76=QKeHJq*4@=_n64L zS5=4TOtHARl2(yXoUyRsGCdmSiFEZ7BwFnBm6~V(h(Z)JhiwQMZ3h~CZyQr|dOSJ$ zfCshpHNMe)PI=0KPRD3Jm5}2BC`t|37r|MB9Zbh1)e#~>BX9Kzfj?J`j?Ps(N5~_20XgKmN!s0 z@GIKEa^ukXAbS>M9)g)p>Q%qFAa(19`dd@R!Bz2>T+lu2-TxVe!aoU%{w?&Me^TGK zN&SZ~Eb5BP>w7UR6MMGI{CL4cKGT>5;Yu8B5T_xgJjPM@KqY!Jy7qtDhGw|(jU)UEQR&l9eB2;H?x zHnmprGJEDzH#fBjYmj4tY}g(B<*Kk7rDfN&btq1^-{N=aJ?IBYB5YoZ3EMUs8qO|5 zsjrm|uj^g+Gos-iH&t|WGKn(1TkQ#t=#=4|2uQukGCL3lYGLnYzp&Ok=MyJb!l|4g z*I{s3vIPEAErPRnHX6zQ1H&0wBuE38ODnm!KH3fz3UPd_qs`Vf>6(>fRSS zvz603U2Zy!OY$vkR+M}qP#y??Rl>bEx7cf7sb_?{NO6S5&4T}tZQe7H*@zZ(8j$A?)9+iKS--6Hbo?2^| zk0>)?#)unpo!;Lr2F<}0&~t47x{v;MUsG4~@Lzo~t0Ds5j}_u$5D)wq5lgplb_K*I 
zU~_Z^xWy_zAOJj88by{W^8u}6d$IoCX)pe1>p8Ja{F})5lQe9*AZn)H7m!~f1_L~G zx**vb<)4n2z6jF1J(>pUH)4+&-eR-M(|cVAUx3bG+x}po9;9^(-xE68ng$8oNmr=R z`}QD(yq7KnObt*8vd8}?lttl_syI-$w5OD{n@S-551&m=eJlKO&iG9!r@T=~3K`Pc z!+l2o?ldXe%td@q{m|f_bpjtp$TC$#e>k2>HM^3rCOdqk5!RmoApS@6gtO2+isZF7 zmwk4-ScVH`3G;kP?2b-delg=lc6}zPAG;u#H8z+^kDj-0!rq|m%LA-CT(KX2*;!49 zL<&-x#|GA3jJ>+TSsRhI6b8xz)KMR@b6Pu~+CVtlG!dFyi+gns=jj!C^k;C)x#;e0 zBMxTkUk70wJ)HUe3|8~^KaU?L_^lu|0{^Et7Qd9qR%9@;PAqm$;%IYv_L|r1(xZ2v z9~wkQ<8z+fIq>eI3j^np(C1r*RUUI-H1xzT(9&-oa-#C4z8~K`QObDR~P5l0G;Esgz zdl%{bu(lHwfL%bFay$~x8h^iwb+RSLgZ0}N6rC*Z%TeR^VJXtvR|`POePMUS zM09Dta#S$9V$uXA=^+Fao(r`kwp9k%M*e|&_kG9tNs?+dpgk1|YKsQ~e8+$OBPQ*) zjq;D$O8noR|NiRF-h>V!ImTV=_r^fw223JXe6oC|3$#*Zm=CFPm7|7P_xNbumpLgc z`W=-J@2}7w?bgpJMH+OX7rE{t_zwCXe7`HlTpx4PEi!x9wIQ|JF0qt>*aKa6AvBR_ z%{`tae-!sCoN)#)&)TfP73=56HQO)yX&?^?9!ae_3^F%hD!59taul7?%dVaSi(K~-4hscI^x7C^QRo|K)r!8>0 z;aidGnS;%X0{EOJB0^_KE6VK>w`e@H2?axQ;D+KhWEnJ}nV1E$Jpf)_v#tq8HkbNc z9CrMWLmJ<%P#*XPSqKC4HuB=Qi-e9bXa7%5R40HXpl)HUc(k9CBn8)!wZkKTn>py* zy0Ee?E2ktY0Bx90g1klYrwu2_zkTz}pXHHg=tR2kgG{IhLG*1rmeSX!C8?u9uT?O@ zD{7-(aX>7$6cE}U zl-qyVlQ?2Y{>+LVl0(fW)gSEp?<*7AAD5PVfg4M(K_t@_{WvOvPsFBn;Q~``_6K6v z$XB2MERy$yY%1g&P~(Uc9#i1D!qXhFF28Px(e_JCbTS7IT_BFw!_axfvyUKMws(sVOxhcV1-U9sN2EK+fXJp1)c`BqY; z$@>{m5?2bNjV&~s14EvRT-vypXiGJ{nNhnGH?1&RrF7qxLutAU&wFA-?npym|^_)3cjXCLHNwxWpe$4Sxh5!A?=DJt{J zkq$5RRVOdJlW3dgv-cBcuTo;y52IVK&3C|^$bzXrXh_fHU`Y6?xnLwY-yozHuuD#O z>3y@O`qEe6k>HW;1Nm6ZkjRB7MSW3`TzwXbkrIUgmi}yT-wtY)K=smta;~$Wo~DhF zM1sL*C?C4D#Vrht8B%!4lWRm^O=WO>mQgEz9Tw9bO-4b<+W=*rF(lTRZ(gjjDzj4Y zjuS{@D|F4*DIW3bEEcd<&AmiH*~|BE>z%+<+t8&=oN3?Vi2qNPnV(PL;}`zxUPwIZ zoOUS&2Z?;%a~Ntn^vQsXLuZ3wXzpPPpoLO>^UwwG$o?R484!DO{3D&!y|7*+@ue$r zOOiMVPt#GU&>p2*`~8r`%&fy@;BR>We>Pg721X68VGFC2j)?$2Y9D!Uj=FMrOG(DpAl%O*p!`B9CVJGiDhay!&xRq3Pv zl;qjv|B~nB_pRVBybgtdfV(gm^cLbW@Sax^n+<3IC{v;2fH9I#84?Kmr*A>VB}>a+ z6~61t!n%=IjeR9QBD9*7vX#eUnF#P;ZJyr81K~rr!38wkJeBzJ&kWuFR2%+6GyjH1 HzP|ep@nejc literal 0 HcmV?d00001 
From ec9edd52819855361595ed880a8bd559baf4970b Mon Sep 17 00:00:00 2001
From: kelleyvice-msft
Date: Tue, 7 Apr 2020 16:00:58 -0700
Subject: [PATCH 34/64] Update vpn-office-365-optimization.md
---
 .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index e7df3d7fa3..0cf4f9d635 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -73,9 +73,9 @@ An example of a correctly formatted Profile XML configuration for force tunnel w For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. -This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the documentation in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial script. +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
From a6b741c73680a79bd4d35cd173d96e1bdf615231 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:03:27 -0700 Subject: [PATCH 35/64] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 0cf4f9d635..9f6582bbc0 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -670,5 +670,5 @@ An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/secu >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ +truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
``` From 847fb01f9279b48eff2936ca15ec5b7899ac054f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 16:05:15 -0700 Subject: [PATCH 36/64] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 2456b17225..71e4d63802 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -85,6 +85,8 @@ Application Guard functionality is turned off by default. However, you can quick > [!IMPORTANT] > Make sure your organization's devices are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). +![Profile in Intune](images\MDAG-EndpointMgr-newprofile.jpg) + 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. 2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
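Review bot: The proxy auto-config URL at the end of the new `+` line still reads `http://webproxy.corp.contsoso.com/proxy.pac`: the host is spelled `contsoso`, while the other hosts in the same profile use `contoso` (`corp.contoso.com`, `edge1.contoso.com`), and this commit carries the typo over unchanged from the removed line. Readers paste this sample into Intune as-is, so a misspelled registrable domain would point every client's proxy configuration at a host outside the example organisation; the value should read `webproxy.corp.contoso.com`. The URL is also plain `http`. If the PAC host can serve the file over TLS, `https://webproxy.corp.contoso.com/proxy.pac` would be the safer example, because a PAC file altered in transit decides where the client's web traffic is proxied. Whether that exposure applies depends on how the PAC server is reached, which the hunk does not show.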
@@ -101,3 +103,20 @@ Application Guard functionality is turned off by default. However, you can quick - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**. + - In the **Application Guard** list, choose **Enabled for Edge**. + + - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings. + +5. Choose **OK**, and then choose **OK** again. + +6. Review your settings, and then choose **Create**. + +7. Choose **Assignments**, and then do the following: + + a. On the **Include** tab, in the **Assign to** list, choose an option. + + b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. + + c. Click **Save**. + +After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file From 425de973c4246142b1cb3dfdccd5e268d8bc2072 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:07:28 -0700 Subject: [PATCH 37/64] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 9f6582bbc0..537a6d097d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -75,7 +75,7 @@ For Office 365, it is therefore necessary to add exclusions for all IP addresses This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below. +An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. From 90b3112ce0963be717604bbd802f163b8b77cd7c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 7 Apr 2020 16:14:07 -0700 Subject: [PATCH 38/64] Recovered first Step 7 and made other fixes There was a "7." in "Install and configure Micro Focus ArcSight FlexConnector" starting the paragraph before the correctly formatted Step 7. I also replaced 'br' tags within that paragraph with paragraph breaks. --- .../configure-arcsight.md | 40 ++++++++++++------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index c714e0a848..70890b48ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md 
@@ -35,6 +35,7 @@ You'll need to install and configure some files and tools to use Micro Focus Arc >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin + Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -59,6 +60,7 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. ## Install and configure Micro Focus ArcSight FlexConnector + The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. @@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ - NOTE: - You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. + > [!NOTE] + > + > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. @@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be -
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. +
+ +7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. -7. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. + If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. + + If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. +8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window. -9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. +9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. -10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. +10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. -11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. +11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. -12. 
Verify that the details in the **Add connector Summary** window is correct, then click **Next**. +12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. -13. Select **Install as a service** and click **Next**. +13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. -14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. +14. Select **Install as a service** and click **Next**. -15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. +15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. -16. Finish the installation by selecting **Exit** and **Next**. +16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. + +17. Finish the installation by selecting **Exit** and **Next**. ## Install and configure the Micro Focus ArcSight console + 1. Follow the installation wizard through the following tasks: - Introduction - License Agreement @@ -170,6 +179,7 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof ## Troubleshooting Micro Focus ArcSight connection + **Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`. **Symptom:** You get the following error message: 
@@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof `Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token` **Solution:** + 1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?". + 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: `reauthenticate=true`. From e389b8a9faee558354dd082d1c52ae356741f928 Mon Sep 17 00:00:00 2001 From: Kelley Vice Date: Tue, 7 Apr 2020 16:37:57 -0700 Subject: [PATCH 39/64] Update TOC.md --- windows/security/identity-protection/TOC.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 8dc6b27a55..7f7f58c2b8 100644 --- a/windows/security/identity-protection/TOC.md +++ b/windows/security/identity-protection/TOC.md @@ -71,4 +71,5 @@ ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) ### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) -### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) \ No newline at end of file +### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) +### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md) From 1e09c9819810b6cb300159ad7ffb90b7df05bc64 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 16:44:30 -0700 Subject: [PATCH 40/64] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 71e4d63802..ba7d091e12 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -83,9 +83,11 @@ Application Guard functionality is turned off by default. However, you can quick ### To install by using Intune > [!IMPORTANT] -> Make sure your organization's devices are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). +> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). -![Profile in Intune](images\MDAG-EndpointMgr-newprofile.jpg) +:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile"::: + +:::image-end::: 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. From c0f05d9ea9ddc5a50ccea23618feb382f5a7369e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Apr 2020 16:45:15 -0700 Subject: [PATCH 41/64] Update install-wd-app-guard.md --- .../windows-defender-application-guard/install-wd-app-guard.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index ba7d091e12..cdf47d7a4a 100644 
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -121,4 +121,5 @@ Application Guard functionality is turned off by default. However, you can quick c. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. + From 052b071cef95f3df4b5180a5e2f42016431a0a76 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 7 Apr 2020 20:13:41 -0700 Subject: [PATCH 42/64] Added missing metadata Required metadata for all topics: https://review.docs.microsoft.com/en-us/office-authoring-guide/metadata-for-max-content-on-dmc?branch=master#required-metadata-for-all-topics --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 537a6d097d..9f786a363d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking +audience: ITPro +ms.topic: article author: kelleyvice-msft ms.localizationpriority: medium ms.date: 04/07/2020 From a0ecd213e488b4e3347692187b0c372df0371926 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Tue, 7 Apr 2020 20:32:27 -0700 Subject: [PATCH 43/64] Acrolinx: changed "tunnelling" to "tunneling" --- .../vpn/vpn-office-365-optimization.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 9f786a363d..ededaad10f 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -17,12 +17,12 @@ ms.author: jajo # Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. 
This allows you to define IP-based exclusions **even when using force tunneling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] -> The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). ## Solution Overview 
@@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: +To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel 
@@ -73,7 +73,7 @@ An example of a correctly formatted Profile XML configuration for force tunnel w ## Solution Deployment -For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. +For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling. This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. @@ -462,7 +462,7 @@ An example of a PowerShell script that can be used to create a force tunnel VPN .SYNOPSIS Configures an AlwaysOn IKEv2 VPN Connection using a basic script .DESCRIPTION - Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunnelling + Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling .PARAMETERS Parameters are defined in a ProfileXML object within the script itself .NOTES From 087a48894889b65d950da403d8f268c22f7b51e1 Mon Sep 17 00:00:00 2001 
From: Peter Smith Date: Tue, 7 Apr 2020 20:37:01 -0700 Subject: [PATCH 44/64] Update Profile XSD to include ExclusionRoute --- windows/client-management/mdm/vpnv2-profile-xsd.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 1c13aa99ad..eecc7c7075 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -175,6 +175,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + From 73a2ce8c240b33e148a45875d7e041e61693ac71 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 7 Apr 2020 20:59:31 -0700 Subject: [PATCH 45/64] Corrected bold to Italic for emphasis and special use Formatting common text elements: https://styleguides.azurewebsites.net/Styleguide/Read?id=2700&topicid=36402 --- .../identity-protection/vpn/vpn-office-365-optimization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index ededaad10f..22d084bda3 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -17,9 +17,9 @@ ms.author: jajo # Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunneling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. 
This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] > The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration). 
@@ -75,7 +75,7 @@ An example of a correctly formatted Profile XML configuration for force tunnel w For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling. -This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. +This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. From 49a19c401e1717e953ca63fcdf96cf14fe9a4863 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 8 Apr 2020 08:33:42 -0700 Subject: [PATCH 46/64] pencil edits --- .../test-scenarios-wd-app-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 63d54a2991..a5eebdf2a2 100644 
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -108,7 +108,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** -- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 #### Copy and paste options @@ -171,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. **Applies to:** -- Windows 10 Enterpise edition, version 1803 +- Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 #### Download options @@ -201,7 +201,7 @@ You have the option to change each of these settings to work with your enterpris 4. Assess the visual experience and battery performance. **Applies to:** -- Windows 10 Enterpise edition, version 1809 +- Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 #### File trust options From 02954599b06fd026a7b34588a1fe27f04305d4ff Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Wed, 8 Apr 2020 11:04:29 -0700 Subject: [PATCH 47/64] Changes to SmartScreen pages --- .../windows-defender-smartscreen-overview.md | 19 +++---- ...ender-smartscreen-set-individual-device.md | 49 ++++++++++--------- 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index b9d400165d..176974ae38 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md 
@@ -21,12 +21,13 @@ manager: dansimp - Windows 10 - Windows 10 Mobile +- Microsoft Edge -Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files. +Windows Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. **Windows Defender SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution. +- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious. 
@@ -36,16 +37,13 @@ Windows Defender SmartScreen protects against phishing or malware websites, and - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution. - >[!NOTE] - >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser. - ## Benefits of Windows Defender SmartScreen Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: -- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) +- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. 
Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) -- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee. +- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. 
@@ -53,14 +51,14 @@ Windows Defender SmartScreen provide an early warning system against websites th - **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). -- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. ## Viewing Windows Defender SmartScreen anti-phishing events -When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). +When Windows Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). 
## Viewing Windows event logs for Windows Defender SmartScreen Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer. @@ -82,8 +80,5 @@ EventID | Description 1002 | User Decision Windows Defender SmartScreen Event ## Related topics -- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - -- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index bdbd3df95e..db0d1aae20 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md 
@@ -19,60 +19,65 @@ ms.author: macapara **Applies to:** - Windows 10, version 1703 - Windows 10 Mobile +- Microsoft Edge -Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. +Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. -## How employees can use Windows Security to set up Windows Defender SmartScreen -Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. +## How users can use Windows Security to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703, users can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. **To use Windows Security to set up Windows Defender SmartScreen on a device** -1. Open the Windows Security app, and then click **App & browser control**. +1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**. -2. In the **App & browser control** screen, choose from the following options: +2. In the **Reputation-based protection** screen, choose from the following options: - In the **Check apps and files** area: - - - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. 
- - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. + - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue. - - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - In the **Windows Defender SmartScreen for Microsoft Edge** area: - - - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. - - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. + - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge. - - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. + - In the **Potentially unwanted app blocking** area: + + - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua). + - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device. + + - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium). 
+ + - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps. - In the **Windows Defender SmartScreen from Microsoft Store apps** area: - - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue. + - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue. - - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control.png) -## How Windows Defender SmartScreen works when an employee tries to run an app -Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. +## How Windows Defender SmartScreen works when a user tries to run an app +Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. 
-By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). +By default, users can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). -## How employees can report websites as safe or unsafe -You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. +## How users can report websites as safe or unsafe +Windows Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. **To report a website as safe from the warning message** - On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. **To report a website as unsafe from Microsoft Edge** -- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. +- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. 
**To report a website as unsafe from Internet Explorer 11** -- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. +- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. ## Related topics - [Threat protection](../index.md) From 358c1894a3daf38f490b17bf09622d0ff94150fe Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 8 Apr 2020 20:52:35 +0200 Subject: [PATCH 48/64] MD-ATP for Linux: typos & code block corrections Description: As reported in issue ticket #6443 (the copy paste fields on this doc are incorrect and can cause errors/confusion), there are 3 lines incorrectly added into the copy-paste blocks in this deployment description. There is also at least 1 copy-paste block in need of moving the actual commands away from the console output and out into their own boxes or monospace command line notation. Thanks to bled1982 for reporting this issue. Changes proposed: - Remove 1 line containing "[your organization identifier]" - Remove 2 occurrences of an unwarranted "1" character line - Split the 'ls -l' command from the console output - Split the 'unzip' command from the console output - Adjust code block indent for 3 double-indented blocks Ticket closure or reference: Closes #6443 --- .../linux-install-manually.md | 41 ++++++++++--------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 1ea46c138a..17e46f619b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md 
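Review bot: Two of the added lines in this file carry typos that the commit itself introduces. `unless and administrator has used Group Policy` should read `unless an administrator has used Group Policy`, and the **On** entry under "Potentially unwanted app blocking" opens a quote it never closes: `'Block apps' and 'Block downloads settings` should be `'Block apps' and 'Block downloads' settings`. The unchanged NOTE under the first paragraph still says `unavailable to the employee`, which no longer matches the "user" wording adopted everywhere else. The new list also drops the **Block** choice for "Check apps and files", while the later paragraph still says SmartScreen can block an app from running entirely. If blocking is now only reachable through Group Policy or Intune, one sentence saying so would keep administrators from assuming the local **On** setting enforces it.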
@@ -201,15 +201,19 @@ Download the onboarding package from Microsoft Defender Security Center: 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - ```bash - ls -l - total 8 - -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip +```bash +ls -l +``` - unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` +`total 8` +`-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip` + +```bash +unzip WindowsDefenderATPOnboardingPackage.zip +``` + +`Archive: WindowsDefenderATPOnboardingPackage.zip` +`inflating: WindowsDefenderATPOnboarding.py` ## Client configuration @@ -231,14 +235,12 @@ Download the onboarding package from Microsoft Defender Security Center: ```bash mdatp --health orgId - [your organization identifier] ``` 4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected: ```bash mdatp --health healthy - 1 ``` > [!IMPORTANT] 
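Review bot: The rewritten fences under step 4 appear to start at column 0, which in most Markdown renderers ends the numbered list item they belong to, so later steps may restart their numbering; keeping them indented under `4.` avoids that. The sample output was moved into consecutive inline-code lines (`total 8` followed by the `-rw-r--r--` line, and likewise the two `unzip` output lines), and with no blank line or hard break between them each pair renders as one run-on paragraph. A separate indented fenced block for the output would keep the commands copy-pasteable and the output readable. The indentation is read from a collapsed hunk, so confirm it against the file.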
@@ -248,22 +250,21 @@ Download the onboarding package from Microsoft Defender Security Center: - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): - ```bash - mdatp --health realTimeProtectionEnabled - 1 - ``` + ```bash + mdatp --health realTimeProtectionEnabled + ``` - Open a Terminal window. Copy and execute the following command: - ``` bash - curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt - ``` + ``` bash + curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt + ``` - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats: - ```bash - mdatp --threat --list --pretty - ``` + ```bash + mdatp --threat --list --pretty + ``` ## Log installation issues From 095e8194addf58f4dbc3d0e4d983e0858c6a3e07 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 8 Apr 2020 12:35:38 -0700 Subject: [PATCH 49/64] update UC config script download location --- .../deployment/update/update-compliance-configuration-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index d97bb2897a..fd14c25d99 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -19,7 +19,7 @@ ms.topic: article The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more. -You can [**download the script here**](https://github.com/cinglis-msft/UpdateComplianceConfigurationScript). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. +You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. ## How the script is organized From 082174f0dafe06583712422097225fdbf640dbb9 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 8 Apr 2020 12:51:46 -0700 Subject: [PATCH 50/64] reworded retirement dates Features still in prod, will be removed after COVID situation calms down --- windows/deployment/update/update-compliance-monitor.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 9e8f6964b8..74b72061a4 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
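Review bot: The sentence carrying the new download link gives the reader no way to confirm that the file they fetched is the one Microsoft published, even though the paragraph above says the script configures device policies and services. Moving the link from a personal GitHub repository to the Microsoft Download Center improves provenance, but a verification step is still worth stating. I would add one sentence after the link, for example `Before running the script, confirm that it was downloaded from the Microsoft Download Center and, if the files are signed, check the signature (for example with Get-AuthenticodeSignature).` Whether the package is signed is not visible in this hunk, so adjust the wording to what is actually shipped.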
@@ -19,9 +19,8 @@ ms.topic: article > [!IMPORTANT] > While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: -> -> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance was retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). -> * The Perspectives feature of Update Compliance was retired on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. +> As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). 
Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction From 9e234b1c99c345717c6f104bc7c196d1975c7dfd Mon Sep 17 00:00:00 2001 From: pawinfie <59937840+pawinfie@users.noreply.github.com> Date: Wed, 8 Apr 2020 13:18:20 -0700 Subject: [PATCH 51/64] Urgent Changes --- devices/hololens/hololens-faq-security.md | 4 -- devices/hololens/scep-whitepaper.md | 80 ----------------------- 2 files changed, 84 deletions(-) delete mode 100644 devices/hololens/scep-whitepaper.md diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md index 78dacbb581..85f66c8318 100644 --- a/devices/hololens/hololens-faq-security.md +++ b/devices/hololens/hololens-faq-security.md 
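Review bot: The first rewritten item lost its `> *` list marker while the second keeps it, so the IMPORTANT block now renders a plain paragraph followed by a one-item list. The first added line should start `> * As of March 31, 2020, the Windows Defender Antivirus reporting feature`. Both added lines also capitalise "The" mid-sentence (`2020, The Windows Defender` and `2020, The Perspectives`). The removed blank `>` line separated the introductory sentence from the list and is worth keeping so the two notices stay visually distinct for administrators who rely on this page for the reporting cut-over.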
@@ -73,8 +73,6 @@ appliesto: 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. -1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** - 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. ## HoloLens 2nd Gen Security Questions 
@@ -125,5 +123,3 @@ appliesto: 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. -1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** - 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md deleted file mode 100644 index ee0915b54b..0000000000 --- a/devices/hololens/scep-whitepaper.md +++ /dev/null 
@@ -1,80 +0,0 @@
----
-title: SCEP Whitepaper
-description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
-ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
-author: pawinfie
-ms.author: pawinfie
-ms.date: 02/12/2020
-keywords: hololens, Windows Mixed Reality, security
-ms.prod: hololens
-ms.sitesec: library
-ms.topic: article
-audience: ITPro
-ms.localizationpriority: high
-ms.custom:
-- CI 111456
-- CSSTroubleshooting
-appliesto:
-- HoloLens 1 (1st gen)
-- HoloLens 2
----
-
-# SCEP whitepaper
-
-## High Level
-
-### How the SCEP Challenge PW is secured
-
-We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
-
-We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
-
-## Behind the scenes
-
-### Intune Connector has a number of responsibilities
-
-1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
-
-1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
-
-1. 
**When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
- >[!NOTE]
- >The connector communication with Intune is strictly outbound traffic.
-
-1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself.
-
- 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
- >[!NOTE]
- >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge
-
- 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
-
- 1. 
When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
- >[!NOTE]
- >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place.
-
- 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
-
- 1. The mobile device must be enrolled in Intune. If not, we reject the request as well
-
- 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
-
- 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.
- >[!NOTE]
- >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
-
- 1. The mobile device talks only to the NDES URI
-
- 1. 
Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
-
- 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
- >[!NOTE]
- > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
-
-1. Connector traffic with Intune cloud service consists of the following operations:
-
- 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
-
- 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
-
-1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
From 366120d660f6ba863c2c82908ba02c9ccbfed5d7 Mon Sep 17 00:00:00 2001
From: pawinfie <59937840+pawinfie@users.noreply.github.com>
Date: Wed, 8 Apr 2020 13:19:43 -0700
Subject: [PATCH 52/64] TOC
---
 devices/hololens/TOC.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 4decd51404..49166b9f72 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -65,7 +65,6 @@
 ## [Frequently asked security questions](hololens-faq-security.md)
 ## [Status of the HoloLens services](hololens-status.md)
 ## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb)
-## [SCEP whitepaper](scep-whitepaper.md)
 # [HoloLens release notes](hololens-release-notes.md)
 # [Give us feedback](hololens-feedback.md)
From 12bf2d061329074c8ebfae5f6286ba466425f604 Mon Sep 17 00:00:00 2001
From: Greg Lindsay
Date: Wed, 8 Apr 2020 14:23:08 -0700
Subject: [PATCH 53/64] update
---
 .../windows-autopilot/autopilot-support.md | 28 ++++++++-----------
 1 file changed, 11 insertions(+), 17 deletions(-)
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
index 7fd687321a..762aab67e5 100644
--- a/windows/deployment/windows-autopilot/autopilot-support.md
+++ b/windows/deployment/windows-autopilot/autopilot-support.md
@@ -10,7 +10,6 @@ ms.pagetype: deploy
 audience: itpro
 author: greg-lindsay
 ms.author: greglin
-ms.date: 10/31/2018
 ms.reviewer:
 manager: laurawi
 ms.collection: M365-modern-desktop
@@ -25,19 +24,14 @@ The following table displays support information for the Windows Autopilot progr Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). - -| Audience | Support contact | -|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | -| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
Low – 120 hours
Normal – 72 hours
High – 24 hours
Immediate – 4 hours | -| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | -| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. | -| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | -| End-user | Contact your IT administrator. | -| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | -| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | -| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | -| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | -| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | -| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | - +| Audience | Support contact | +|------------|---------------------------------------| +| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | +| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
Low – 120 hours
Normal – 72 hours
High – 24 hours
Immediate – 4 hours | +| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | +| End-user | Contact your IT administrator. | +| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | +| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | +| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | +| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | +| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | \ No newline at end of file From 303c557a83994e3c1339d912951d4983ee90f6ae Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 8 Apr 2020 14:40:13 -0700 Subject: [PATCH 54/64] update firmware article --- .../surface/surface-dock-firmware-update.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index d748891d49..fac67d3f89 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md 
@@ -12,14 +12,25 @@ ms.reviewer: scottmca
 manager: dansimp
 ms.audience: itpro
 ---
-# Microsoft Surface Dock Firmware Update
+# Microsoft Surface Dock Firmware Update: Technical information for IT administrators.
 This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
-Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used.
+> [!NOTE]
+> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site.
Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used.
+
+## Install the Surface Dock Firmware Update
+
+This section describes how to install the firmware update.
 > [!IMPORTANT]
->Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
+> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
+
+1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
+ - The update requires a Surface device running Windows 10, version 1803 or later.
+ - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
+
+2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
 ## Monitor the Surface Dock Firmware Update
@@ -39,7 +50,6 @@ To monitor the update: Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters" ``` 3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article. - 4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**. - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current. 5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example: 
@@ -49,16 +59,6 @@ To monitor the update:
 >[!TIP]
 >If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.

-## Install the Surface Dock Firmware Update
-
-This section describes how to install the firmware update.
-
-1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- - The update requires a Surface device running Windows 10, version 1803 or later.
- - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
-
-2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
-
 ## Network deployment

 You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent:
From d2dbe8505831f89a7646380440a4810eff5ebfe1 Mon Sep 17 00:00:00 2001
From: Jreeds001
Date: Wed, 8 Apr 2020 14:50:46 -0700
Subject: [PATCH 55/64] added image

---
 ...ndows-defender-smartscreen-control-2020.png | Bin 0 -> 108152 bytes
 ...fender-smartscreen-set-individual-device.md | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/windows-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png new file mode 100644 index 0000000000000000000000000000000000000000..daa96d291d6c77313e05c6d4f4b0e48661b9db50 GIT binary patch literal 108152 zcmYg%1yoeu7cMEG)DS8Sf*{=uLkz9p5P~AzNJw{zz|b+2lnfvs($Xy*QlfM>4Ba{J zqQC!pZ!PX(4fo!2cJKXtXMnv_QzXEr#79FzBT!a?XrQ5C2>}-oE(Y)yvyN*&;1{~H zhN3K5$sqM6@BzzG=7kIzT6xUGV7aF^DZ*|&qC`b>c~byE+mtN3rVctF-#!r;~o8cCWTy>s!@e zhY%E1vBc~>SZe70nsHNGYyDiLruIg+SnMPxr7HSQupG`i?Jhsu=}$GBU4Fz9YmJk; z#U^@09eytph38wCPi{W&g0&y&)w*0Ey=~I&BO7Mz=O^LK=FXQ5dVKSVsJ=62e*IlDZBkXuD)ZF|m=qA4s>E9|;V=X!{K4qF# zA>3{dZ6DMGPeq@$GBlJO|MXZkK#(-GX_Hyko* zpm{SmRWmqjOX}(T;2Q@!AVY?cu~plV^5exZCG)XOw;yK+xYtTTn*!Yacy#f#%>55u?BciC~C-2P)xs;43wpE)ZR9Vn@AjL=krV`d7zvEYq_jL z{(hHJq@$<DZ}w;P_?VkpM;Il8HzzgacPjF8`ZHl%zC!h8t}eZ7 zrVqhINrAqTHQKPGwA1H`oZGJjb|zmnY)o$au;hOzff>Q&Bj&xRSr?J{Ev1^zeWY*Z zqq-TlE<;k~E5}7r@{${m-Rthk_0k?SUq*3PbAi=Dt3J{Zcy~@=jJ#&D`4@>#sTC6Z z7Y73?{irEy+uxi9#TfWBO=S(&8(Q@%7opzr8cjlX%WKFPF?^M?qk>U4K z*)1F@O|VDZZ+lLgO*-4Y>-WwxqZWTuX=;L2deNsiFBy)bp9D0O4zMP)qx}4qI;oo|x2b!& zT@&}qHqxjN4kbg=VwUqfNq9S+riL}8%n#6;Z!9bFP&qHWxo+sTM-8WAYfcJFi@S?l z_&p<) zE6v?WR1M4dZW39>G?Gh|%1TA}nQvFs7X+CPs@W;@@9ClUf1g^;uuYbVt8>Y#V)>Q) zjVz+smV>m?#Y(+ZrIt&0OToKxNZ?&7<|c6ya7BI7!_fyof(_($mL2EHcRl@) zl*_{L;>FwaPqjRP#!#Cd@o-13=jw0MGi%98mxi9dO)-n$CrvVY$`utU6UFi4odEi! 
zv9-l@{6K9jr&^3&%HtN1Ph}4(u%<9~#!@^}9V048X+QpYPF=$!Nnsqpw@hKy^~8h3 zWahX$g5UI^MHiP+dlyGfuL)8%u~IhCe@##3&AC6C zvzDj$^F>U0GHo5bq?7SIAsau7<0qbJ4*5ed3g9K%v1?=j_T-3e&qgXzcVcNKC9lpg zX0;2vtH=4;lTB%QB=-I{k%adA*yO9Pv4|I`5I_M07XdCsd@0`htP@}(WpJXK41PNwV`tcK~wEI*sR}o&*g*f z(M7m}MDoq$)CTyES#vdI=_KlH+ErH;`vSMk5c8YeZU3&B0sn7m^NnBSlIlFQkE;YH zQM!5uC%-Y9FKh=gp+)BkR;i_u&_4TD-h9r#ex*Jhvat9@p?W3MMB}!c^-H)!*sZ-@ zYi?L=9*yXF$lU(zyZ&R#Y3og@Ealn#=L=-2^BzX0k-AUkm7e%3ayC!L`MVK?n7&a9U^DifNirBVqOTVDsr z-%S}8{W5f<@I8TT6tVmClfB`wS&F*$pe%j-L^dAD&JHAHdZUh@h+6t)PRZM4E)Kpr=g53o)ZKx~Y!F7XdP0X)TWOa10F0Y97J4 z*IqvuO|3+Rg2v7jHI~eW4Z07K^`K6el0?hwow*#+~IU45$!frBO<83)&jnoTrZ| zJ($g+Ji!qUPr=d5Ax7c6v!I{|XIr=E9_)S5T4<0?S;Hr|dw{I%_E9zWJ5kwsI9)k^ z<$RnlHDmVz(|(?Jq1q19{@vq%Q+3LFGqw5>&!5DQRl>REKhADP7^cEMg@xLie{@W$H9Q0B+jcc#3Jhd4 zOSraw8Y3v0uHH5-iqt=|y|UHbdNZ+wS+kv-Z=ViKu%6gY2dPFpI;Li-pZ}m$p5+mC z^&K51z%g}}O#6l2&`jgDQ!(~iU7UY!(X%hb%csH3dh0S&bDV?IXK3hG;k%@~68X&2 ziT17%gHQE`h1JO3R}Ef{TT`Lmex43|VY3(?IDMc$|Lw?TLax*FoBr$<R}(r%&0d}-a5>e^zNE8S6|;LL^7++@$Y1({2bJ8 z#LAK1(U{MCu3tYoMG8C3EVNP(@K>!LSTN@5L8=dI0_oXKA5Wj@GF#J2BSyHSGb^oKwigFadwA;-DJWjamo7{PHG z9PhD-;JQ%tOF5E;mgUoKS$@yC596>wLjF>J37@5#(3mV#rX%|t|LH-yv1w9KljXqj zpJC!5(@-5Luk#c|qN2B-YRp5UGQ1~h!L&jayT&=mG#VHCt-NQ{VirOngfvI{45oXX z+u1qE1k^YCi;4Xv)yF)M(M{`Rj%Ur5*K~w*{Oe^^KXyw$UhLn!Jn$IwnIV%D*DFS^!yVZQ-~(D(g<=Mhe( zFp*nN*%i^_3%w3%F_&8glQ6}5m7xtpbfQ<1PiTt+SShRM_3K#0-JWq!HVjPV6pnFk zYl4d|8l1VWyGfpSg12Lx zz!|klr+%FrquZY^OFJK1nNpXsJisor&)uDQSQnGYm)oi)#a`ym@qJnC=DD@_pUGHL zb;<1sO|UQ0+R|-8jr{6C^~0JNv8!vvgY^w~CD^O41uo>AyJmzsnMjDNx^z5W%l|Bg z`s3&<8n>0ha?`JP;B`2;Q<3myXJYAeBmumA^EREvJDh(ghVGXo*lYBml-H=G{y=Y* zquc0ujO2kKrg%x~Ewh6qmH1|5cZNi6Z3edZDF`j;G%lGlyf0iW|br8dnWiTbh=mtVY#-zKfDXLw%APA)7cb-?7str<2W%}-~ z@PnNYp7PT%p}uIPEbUS|ldm&uS#FLNNWob(L!#n~SvXnyk4;&Agm}0m2}GA$D55Sf zS=ywglWzD`q~2v&_Y)tz7Lal|eCam63IP2s3lxE)&4@wwIe{uGbOAiQdYS^6wM8h;F4x8li3z5kIv zBDIz!<$KH`P?V9 zZF)%F+fh&VIqp{Xo$pq=4vnEf5z&EfeY4KXW;V_rwW3V}E|R znJ5HqJQqPN=2%kuB2&Am&o*VUN(Tsi>BUXd+y)rWLca5=@|h-o(QvnYapUr9{&u_b 
z>TGYm(jT?Gx9e-V-Yo3C=lyP|xdr)Q$N$~lZO!S9|F21@qk0`%!)9Z<7|Vv~>Y7s| zs(%ja12_yR{U(aT-ofL~7SUnHzXY~r?mW{&H-5t)VGjLrF`UVCZa)r$>_>0gC^ z$VDZuR3GYY&5USF#a#cGGTd9oJ1e0u=XLf_An8ni}>p+|O!0&BjkO7)+-RfV8g~pXTf6f!DSS zpEhw-7dhMc&%8`&GjOPClDD0wYB0K*w!50MojzUv>DdVGq{N)wmUoNa8E9GC;Vj*G zfZlM{RA)Jq*5EEaz53i=@-S2XqAOF_EqtfCRHTO0_pGtOAJu$wH9s3#*`zZie)a@q za1{PS#6p}T@R3&M-lrbIz}F6|mZ{f!yNR~+s1_XT_yTMf0e{71QstQegR_>adFR7@ z^!DAtM;9+koQ$hAwEE%)9x1`I8dK`+ZbFBeCb5^)mj`FB&ZLVsW&%1s)`t>uavF=} zr7(j!3P@xx(b`-&Ls~rYIK#M&K`|`|n@_o#&tE+wJubLv#0F#Yf|0Es z@O}DC0+Q3(``ga$XKdwfRa`Vwd{6IRyenjJDAoyer|;@0)Om^6Iejj{S42Z$FX$kn z%X{C#wQlk4rs%PqPPV69v1MWK1xs0QFA@8MMp}!-ti?y1)xku8u}1!72{#1zyZcb{ zY{MyXrp`fl%KL0*vdMj1O=R`*L5zE8)ojDr?hH)lSM|Zh?krvvx_AEY-06VF>E4_< zzcgBQ)JL~PK{}-QM56Haj43ihvcbsVs@nam;p%LH>D+T?w#s2>u&H5wvhv8z64xrj z-j4T+{>axhl_&y}`&# z4QpL6=u^AEfl!R3zR}sP6w{(WRkwd`JTsdn6mKo}o~{+2ob`55Rkm@>MMw}I@mcvP z+aIpq?COYGP{OjZsy{q>W5{z8wIfeKEvutTYd3vC4BEvjOPVvpdh+>88zKNJk`2*}0 zt&ehD*Ll;{G9icMMp>EIEZN%}Ga6t4)WCYi?zKyoVL*^XHC1$V`}6msQp!& zF{R$`XW@SI)ABuf-cKS5RhJ|llvZ*kJ39p$!+CO(_}QM%c7f*8)sWi~la3GMIZ=Q? 
z)Gztim=iA!x(3d#DSU%9uKKAdjxA8+^)X+_mwVDNf3!FlKTHLtTChso2fe&R@q zM-0KlvbYSnaw)P?74GwMO>3yANwxUYL#e`jp`)|i*-H1JOv#23TvKF0{~}X>(Nx2k z+$W?EKhIu94QjkML1TTEh9FDO==ewYNGvNtgC6R4Y_jIzE{c+2ar34&v9 zamm^m_Gmr(a*@OHmP1#jE`xF}pVciMIpt8ifjMnoj=8@g;seRg&8)5=h4y$V9T*aX zQD9#)iuETL$OBZySxF zt4#*vi3*5ss=k)L8{V&tmK-v7XCzo<OL zE-|Ti#B}_6bXu7BiX;cs;J&vzdurMP`mKaW_)ko_0O|mUsP$5-KgzDN&cBB+ErUji zMSLj^*@Ha^ji85Ss{39|V!pB6GCqDrjV{xYN z8!|4|1W7>cxh6{>R@XDU=bFxDuKwsbD6fp{iF>tOUpO>fJe^7tvI|Gx64)M}PCF>J z&#LxfR#miYS$=)zjFokCvz*RwbhAzX#0RO@6^v(BKI#q$2Ad`dloQ84W^gR zV1sVP%zd8|o)Vrfp|sMy4eig7NL=TK%t4UHlY}q~UySK0?=$he#&?sVmV@c+CAB8& zgBiHf^{(vj)|K7_^FQ4F7yS_}J_lUlOwzI6=d>nU=yqDJSGgP9tE6&9>ts!i)_x9y zrZPpHzkC;uv;OtPRsPLCzhU$#A_AmiscWUsUm>VH4?B=8D0MZaaNisq0Y(|bcPUpB zT1f9UsbF35;Q;>-tv9k9bh>Sbx@1rGUk!T_9n1B-Pv3nOn}$)Jere@}cg$*r`&`?0 z^p5y-O}J|bsgA+5r)@GKR(_cc_iVnzvqv-k|Pww(pd4Hzsf9t&)=TbYy|1q*I}3LqoD}iAkYV; zu53j{CK^5Y(}irnU(gP4mvk0n0=8G$gqU=HV^c20HE?;zt34hSQi#JZ-RQIUtd3;D zl&B{T8BP@XSJ*OS>y*jpm$3e`oa15em}twOG~$6TtM~(uxqVkM>nWE?Hss(K#tmJV zta>+ov2OT&-uEm!LWM?SEu6jNe0I<8Y$ZW`Yc`SFXYqan1*hzCifQ!4%(_%)SH0^t zU+M!&b;*-4KnVj-&BjagQG2MH7XR~5|A6b*m{YOKjU4E(!(@d#BkCdx^&0<@ z$ah1IO30QtU!uZkT;H8RSHg)Oi$DoOK#R$W3Vrw0`r+7_bU=bpsV-R1sN`x(^JrK?evDb}7ZGhtI6yGKU-}6HQ$_8hvutl>4`$mEjl;&|HgfRk&2Uz!lB2 z#*eaI)OCNb*8hgXGs~Bi9w27#-EYX@$;ri-6$P#VZLSx2{`8>Lty+k+_Oo4ol{j50 z<)2t@vxrBrYx@V5-v0H|>I0i3CRjXb*f@^0Jpn2y^h{4@t z@IVIvCd(BLtdMWkzg2ZN*FroCSq6ViAk&)R42dP|2MFRrPe}3 zhm_z}=hr!+j@$|c9wYkC=CiEb5dJy(RE#m*pBlqd=e}nX1U+Kps zvW^T-j+BXx?0b?hschkF(?f5)HWIJSnj7f8cD$HsncgBTZ&W#83h_KkZZ9N_a9(vR zSMDKZSfOwG&6J$E{Wm(`;DWbvzE?d7Pt969bdK{lzqS7qIP}oxVxO9qt<5%MfT@Ld_=Lj1D|t>MNTZd4E-V-6Q`B zF;l_D4b>ec9)0*8qqCjhZ}`A56%dV*8yyFjsFnt&SXMc@fd}47Oe%xQ@I49diHF>F z-zG<2>S!9y59=Bl>ged`>**xaOqq$ZQsQowE?kN!&1jp+)HFBG>F;SAGCgdg;ot>VnttxOm&$IWHI@z(D6F;2Vc~SNA1wmBQi=R;hQ3VL2 z6M~l*EF?-!8L)X5`SfM{T~WLCju3coOb>t)giENyjt`Wban)ePaSz)E~+N~%I{$@=kA zu5a1IQh4lbSi`;Wg`jZKm_VH5i@By^I`_p~SZCcoo$=YB13JQ)@0e5wLFNp&X^G^X_` 
zUIew9tHJ)p!(7K;O^k@O?D1YpG(9v#GNlT{EN)|9@1h6lWF?JbeU&cqt_dgcSeaMS=YK<^zSTuc7v&z~M2N%i9xEuxFl_rtl$*uE@e7zM|w z1^#Cy5E%ym{{7F2TckWqw$cqP2OC&~k!>@$EKr0Bic5unNu^kYj9qQ)&>b47;;2nx zz@R2%KU3>*V8Rj1wUwKcM1c#!i|tb;A!5j_|2zGAr!5cd04a?~kzNRKxd7irvQ4&43E+=ryDkb@cGcI7K`!+C-ULG~G* zJJU=Uuq;olR-m035}6Q(h~TZQ?Mq@Jth+&3Dzwg4|W%<}v9?=ap} zT!xHb|Kk4}f)~#11j0UNNqW!Ujf=;!)-AfPM?yS#)}>rL{QgKq#M49Rx#*z-nnz!V z`7S$N$wY0BJNzA-??$}YdRK?$3yT*o2)=j!Db_3c`gIt$bt6;Kn@3eEd`u%acJK!q znF`rm&Ky6bhkltC@kM1e0bNd$#S&S`I(LR(Qi4+^vYz|%=Bqy^A9IPylyS_5YCM3*VkG~`Ek+Nuc%H>&IGaKbRTvtIdi{3gHQ5==U^mJjir_`; zBf+(ZmtSwMT2NQH32H&76BVBQr#sV7D(&t}ewoSdcGK142Hpgv8zyAVix8gJN3uOK zCgk}4B@`(zzm|bkxf!9O#Q;= zt4kbo5KswymYpg$4dqsQegeVWG?~#>`LA|>)#L(SPce=13#b#dux0 znEE77i>NFu6$d#Fn^+YPpO<)-AObMK0>UTINR#rKSFKbIjpgS3NqP=VC$-Db)3uII zRG6X9JQDlxQbc5x#y{&k{?8%zn<0-~wmOdMP^1KcAZDOB3)mP4co{EIH373$M1sOQ zg{+Aon(CpnN4XL~PhVHrXlrVcO0Xs#>%H``6_m%_G&{aT{O6AB{U`%~M!QvCYxF*r z3(Xlh%3+-6+G7eY)qo&A(*}_Rs*JEK8+z|l0jf2sWH9X=#`h^pClim7Z!jzTXD(S1 zU{ZDSRD$zHXl&AzsLxi|ygXOnzB-9IRN!Wp+_zC>)FhY5($dk9%bnoseMX9I=LnLm zr~F^|#xwWv#IZUvKr5Od*0zbPA!6)M{LI8Nt?wX*S{S3+V20f7 z;Rr$&$()?9eSe@JLY!`YTxk8GRn;y)WREoQL{gIIAMHBNo0Qok$xVOM02_mD|JdtN>8! 
zA`z{`#Q$BA37{)r1`3E3eCEC_X@v9#U6@HT8M88iNg7y4_*WLQN~29M-(yiHGtq}| z*2(hr4;+&KlY{p-M5`nVCp2aN;EY^v_yX>VuM#5=17mDZ3mBwVo2w_96V4ii2g=(o zqRJqV^`cdQi+sQ#>au#Ry%j#QA<`31gA>gJ*dyd`15##EM$Bxh!rul$3iBWUe2{^G z@-@w*AIiW+sh%D5E8sG$w1z3e=cN%^53&-e@L-2M=&EG0N|TFRm$x#ouW_I}pU-#k z11fu1ksH;(n#U9l1u`%Am~o|Vj|E;png1d!WJJ_?t=5m$V?~+#eFupmy)D2m*>l7w z;TGOblXBa%x#Ht}b%sSg$uR;rIeyE*j&NPo5H*oSERUHo`D=7Qiw*P##;8LIkpP9I zMYKqj9{@kHWf4x}mv*ivE6X&JBj+SKgpS+Zq9@{p$6oFdORNcsxfvAS8?zO8-$8aI zfGw(eK!eanCIiH#k|Io%Y|qit5W(^6DRk=@6n9g;Cvje#^_3t307`g4d}MhnUp~ur z&O^uw5t76d5*0xV=XqL*%nRrm%U#PPXf4}hOFHXlCYW}x@$b?K=<%kw_j?Hs*k}db z2G7zG=LOQJ=$Jn*Lojv+*^1btGESofVqv^DA@dW+-N5lW?+m{(*+>$|_P>=WL+`;8 zS=Rf=^72_cv7acB5_^6pfnJ&3r008jk0`n@Caj9@Psza5i%URLqNc_J$u~djyn>Xz zMAWK;5|7@GV{gfd)fJQlD-lqVHJ^*)vTUi1*U&%0=GrgP?ohH=!5a(v)8W@hHe8~q zgfNP|4%C!pd+tbcpCX=3v|!MDg#Hmz3F{?RsSLDaovjCxh@#W@-ulaFH`M|8GmAnYrmYPR}LLrV0N2;X~gZ6J}>^Lki3ChvPjDUsh5E)tol&UujVAiLt&kLAe*w}W_awiPDJR2(jRg-)C7}!CK2jGkQGRidYK`Gdl>>-XC9oc+A3Q54FUVQg*=R7SeNUq)5F@tI8 zw`hH5pW|d>OUdqVcNUi(+tUlQ5MpBL`&#G{x`a7BAvtBR`-7Dn1hB+{FDv(;)`hUT z(L_l&vC|_?H#H!zT;Q^>ig{(Y^Eb%jOCvWCrao$RC`BG0ct#oqjQxrw*M72%HgHr0 zt$zbyy4{j&!q`%T@}&YG;&+BSFe!V+rz z>FP)sak$cyeV*oac-}jAT+R~1+K5rGFT^&fdK53=cSs&dAfX zeT+4Td3zy=VKe+8U#`lb{40qkPj1X(v=&@@(o_Rvul2Lqn-%7-de1(^4WDqvgWqF_ zkP_jD!@Bzs2fxV2F`bainH8~m#LWn~8eLJYw7uaN?IBLou4ja_9%931tZbim2p6 z1kSb50U3KKX~Z7rz{v^34B<7yq=!CLmL(7FJd9AoEHMl=^7^c+LcgA!l1Y-P^Pe!v z0Fd|!!E1i_|CvNYE0`6BD6+#FJMS4(P^EBdep~tkPyKoh*DR9mo>|E?&bf4+QZH49 zs_T7*#rd#S2$H~vRfLt=RsxUs+0yudQqYnJbiL>4a=lVKPMe0YY3IWGGKy%D3(SLn zg;5rYqFO(3pb93Q%QDjV8q;SkB;AK(JnxQmp8VOqC+4}Lbb=EY@;uVvQKpGy@5xc? 
z6YwXKJ8BhZFp^xTKc6*O%m=St2z)<@GPvuAG(blrdD)IFXc(&WtyonPVFTghA}@Yb zv>&D-QwM8->Eeb3OXqgr?zh7Zb^6@33ige{{}jq(6Rl*1&_xP;dDvjgSjePHBop*I zW*nsa{_T54>1gb>C3T4?Mpq_-cudJtX(6=phz#B59afD?+=2FZsyTrf6DJOFbT|ed z2*T*{dx$=`#1S-n_IYz-y+y?OGFvIyG?>nliGh*Xl0JB;g<*nc$|-z-`(IfgdjdVZ z0OtJbg7#hxzmSyCU2hfbBLVwx)@EqGc&$482jxaKHmQ}!VZo0{N%goPz7~$a7hOm-Y;7buBZnA z=|}$2R`eAUF{AU@x3~+6H67ekK*1%1vO)*W5Y(mFF&O(V=lg-@=cW4Q$|#K!kzY zB)AOsv)dIAxkCUOu_0M!TnPY5LI`4lG6%EPn%R+@0-#G{*;^D_6AhjlZCFO|ce}GP@a#4o4NAw} z4d{wwe);16djpu!mk-I?Ewv-lGpKx}LD-3q(D%Pome@D|%z3v<0DDtPEAa*Tiy*K< zSfCUPNAoXdauaL@bDDFgXa`thE#AY$@R1m;$k!=U-3@@b@a}Rf94``>4`tKQpij|u zJedC5P$`}@;Txo`)TASeP2p!@K{^ghgV+8UaMu^T?$A3J5}197Mc^XrFo$fJ?GOD+ zY;3Z0F!#kVLPO?-jaK9^BO$4Vyly0SuVCH1Qrn7qtZe;1-ytBq52`@sV@ULzb;3uO zu!>rfYd)z6StUd1l51LY9WQ#GmDKao4N{<~-cbysCZN@wCu*rFVrS!znfv0PJOq2Nr@BU!^8Ve|8+d(zB?MwJg6zcNnOD9m4JzxfRnw&@%3}& zmio9@DPT^M#K7umllv!~=aM@#TEf-DYr~=9$t{o3SUY*nx`pCUgaWrxi~$6g3;wCK zwY2csVCAS;2|!M3(qoHz4S(tRCVf5XbHP`6*zk0(Y1Jr(fkgJy{S6{K_sugREv7r6{nzdh(LNv&Sqvt%7)*c0 zD@6&m9Hj2}>0M7eK zsS=C=gua;exL@`_;*?>dd6GDcJs>M1s)^jpc9R33aP+ik?$P+r; zE4N$^=F2bLn%VD@wHLY(AUq#zM2;?o96~#m?bb?M0)byfir4klqYNj~M0Njj6xu9# zY+WaliZ~G@cEyYEh5+;H9n+>SQvne@6Hd)OGY^#{lR-oZfS6wZKAH!@*bl?TO6wGm zLR&o996*Lnm<;>vAHu0WdR)^+z)w=hXSSu;3dcWaF%rf8JdxbT5vJv)M5E7k_8hDQ z?Mo_=tK)*0RTPOJO!!NfCybu&Oa7kzY)arW_0a;g*y$lKfY)*x@`tuqb1|NKH7M=);T_ajjASB?9fNgK35&t{NpxGU#{Ul=859Wl1 z!|1Iv_GV{>_KtUj;{Rj$)YEL|H%>y4VUs}m5IkzIS_oDoT0BD#j|v0jF)ILrl8n83 z)jq^uTz2Wh^nH3RT8t(1PNwk2PWI;D1$CLt82jrC9mgqdDB*%MB(x`o8@+<-ORW^c z4eeW!+bptx`?;tYTX>5@$uGwh_3&0O2ZTBNtcf+@mz+Np0ZPukqrDCqv%=I_%FigbX#Lv9L0rd-2B_0gz}!fh2{Uj~F} z6im#(^>=?nts29@b?~wCd--Ew7zn(Asep=zytaFGn&kxaqy*Lrhh(rmQy-o46S~3Z zPgGH#9J1tJ&#*z?=E>o1e!K%atzaj|xX&HzNRtERJ{RT`_TJ^m1zS=WoJB5t7UR&m z1tJ=N`HYu2Gb`4Qumtz*!xGbMh$v4zE9a&>nG{!x1FFIQvCAcVV1Hf)VWv0`JrGK$ z2e6Q?IYlnOkqhyi`_2`)xIl1^kNO<9Xl&lfv_tn;w#Yf&V8CpL5Ex(RHCWgVFeU!K zUBW(>5i;RVg`sc3!MLOM{2Jd*$u4nX*X=xmduSGLg$G;pdlv*n^{yhtujr)^ao5TtB8S# 
zykbyZxtpq~ubrH!rgKiA$5y1^AH8?1Jb(F=n_KkTxQGa>Re-jD1fbyZO; z{2u$lpLICt9e(L;M@K*L<6|d%a_sXaE{yy z;>qW>F#67#YyM}Sx5x3r!%~H^_|8x-68-m(W>=tMja=!aMSA(C9>X zne2XU(uFN>hlaFhgE6Ib+>|awVIXGVE#O2S_*MW=qUXB%uMLW1@zb5}1cT<7-b)COV^vGHAAfDy5G|)*mW|63^y?2gYKzuuzB9aM5F>NZ?#nBeQ$eC z=r_^Dg9J=vcDvaR3+^Lfs7a=q1T2`7*DY7yKGw%hB}zXWU-5f-F} z^40#c)&k-^w`GS=T#Z9_!Rarrsfa!>qoucjM=|1!Sh><;MOmM!aBS_pwTbX>WxV~I zxv>$b1YHvQ$h5|i3;w_^yX}hp5PnP3`a9QdKBoG5wXNuFfS-&ZM#sj-7=`PYR)Dp0 zd>RD(9J*N}$RgqAw2=Q>64&oxl!%E*^69%@jDvxN+P~IoNj% zYM&c%oe*;`-0AuqK`wEq)B!4rjA_o*#E1(6jn9g0C6FZ(|1)1JF^CalccVjXBCUmg zYurU=sQi(~Bld*}*@HHsAo-E^Bow)_4_*Zt63N&^(}P+~HLJI!%}fDWsvIaNdhg{o z61f&WjhfKpTxQ*SzgR%m13|rs$j5Ij$U;xHd5btNy065Z>{&*gK4s@@&5`SGd2OVx zh6SVL*mn;KLCWCP2jeOrkVi~?YEPh}?S7U_eRqs)j9C=qwJcz8y0*Utr+S8p9!%xO z(H5ykLs2iy>!9Y<QAE4R@7aqa#OQ{Np=^%wtduL#$S;^JPe zJ)f-;V2}u^x80(>Wwq9b#jbf+WMo z@Ej$S6NTE3Lldm#8^*tB;}Im3tmXm3|2&Rd-(acyk?4`Z6x367+i^QIL8%EGHI1S5 z+kfamO~Ez;>dAl;1#nDz8t|D&Jx1xpT}zA(B558xxbuY1-_3sQOGMpu1_=050cXg6 zmfW30vBH^_q&b7R=i_U!UX^)2p5DTC$l(5e`F2Q6el!5Ajb~&q?xriVTjctM9W+bo zf8l7&0Fkx7EeTl6OVn@m|5JTfiQ^G}An+b4@{pbUIY>rZ7{o0=9iAm(n30x>cs(YI z<;z4B-%UouJ=QF!sHi9|W-JGV=@Pk~0|g?RaT({s`UY97P8wk4dz9fAdwXkYW=KJ9 z<7C>9SVRL<{wScz^7{1|30f_+PZ?qiqK{6){yphByoXs5>kD=*Q0bWCDuJ=Qlm%yJ z8ja>GF_9r6UsNam#PLHtBI~nl)^@w!Wj!e97~fCvoS!Q z6Llfam~Xih=x*&M`b9qaY3tE^##&g2jcU7*=@>-jkAss#xDKPEHIixA5}v((hGvhP=JuKhNd&;>C+;RL%3}bjCDm z(@rOlmI*?d=v&`q0?7>w-m?Hn?20^@4M?rY@}c)X<8(;kd}qa8Wb(vWgI)VhDXO>v z(hdcZX|-;B&WebGh?JBR3!6ZnG37kt8xJ?zAN;Jnbwt`<)Qof;siZBx=(~#K(R>Vu z*q>mrlE016d^CozB#fOr?6t|hAmsDYy4Wi?`@(wY@J8fdoRBKjp)t8;)$z&S67fNR2LEG>@ zPijOZ)FZ+TvolW})sGj^(>)1vX#PgaH4CCO>RHcl<2-%r*A_q((b}pO1vDNkahHMa z=ObS5vJuZ%&D}_~r|Q9K4&7n2C!pxbhrd2X3IsTV=E-Z}13N8Mp=zq#j$sKV0Xuz= zBBT{zkgYc1BeiIlCfDM_AmsM%!)e2#)nce{khr%ORhEyUduqAt7k+fed{}_@9Bl8J z&%-fq5)joh#XC)P6}cXky~=+`-M+QKm42HudGTripxufhtZRoZhhRdzey@()6DBJu zfGDBmVk0V>Vu=YX#{Zf1gN~#zYqR2&FU5zXC5v&SZdzl`{$94LXIAyq>Un9YxeEXf zxekwhxcDj=F_O^K_oPl;CBP5_A#g+5ANtJNKZX=c0=`Vc8jsj9B&JzPuq<%*{9d~V 
z=4UdPp4VPGX+(D&CY`zH3*}AJnjGKh5{ZAfm6V+chDkX0iX6F9Rhj-fW38$4sbJA7 zt5d9j3j6UpWl1z)9MlLbI@n2e1Kv}1|H*|wjQjA1)viBz39s`8;vG5(1O%S#?9Psn zxVawE2I;I+qf`T^%f1Yi<4f!NCG)+hF`@}7-WqW^1LNb&j^y!q&#Hc!iq7kU(mHii zXtEgH5|bN-lO}(w)T-7v>;AY0eH$dxZ|6Of2&03>pMyu>)o}IOWRilCjjMoG?=;w& zfZ&}Fjon2O9f0EK6g<9Hw%hQbRI+#gPeJ33Ote2uL2g;K`}+tUz=sE;YFS@a0{PFQ z?_6$0KxZUvS&fWy{q{;IwKot9!^4B6LKXLM#6kXLoUlZzE}Ti{4a?;)A(vh$tdy`R z>M3%vh;MTYP4s72vj4kJqHhg7H{9DFDu*HsCJ%RNrXI>~AcV0wHynnW6!Q$z{741z z`U@DOE}TPX9toiOgx@kfKz>dOX`cWhnE5}n5V#+=HVkw5vNUH`wcA+k1t{GIFVV9L zfmTlq=q9``WPNnHBVGRPH=nAcdFeO6x~o2)(I=pw%Fz>GP9c>&m>43AHu)(w7cu-q z?ZTYg`=--B;y4E_JjiL?XXen3Bs#y^lh=-5 zSdu2=bk7}hNdiFYwETT_(f{S$?J$%cErj+qkTLPVq92$yR{|YsO26q{ke%F42xxl!+NHIerbR0p5oV_Hnj1KQecEdXS2BlTWbc;df*fm ztGWj^>V>eao%4$7@(@R(P?UVyx^{(4oE;pK=g(cx{xIvIR-l$lY7#w`EyCB$O`0>t z^tfLvs@v%`gyM=-_P1?X!=e}n1m4fZ@U!2V(_f5ND3Jf}HnZePdLR-lLDLXzhvg_B zzjK&wD`__Zr;$wqY5yumK;)}HFoY}}FvAW{LJEkU?w=kmZV*@Z3KmNEPk;vUbKF4z z5On~_q0#BjpMO^DMMpC&;t%Qq5FAD9H1ApELo5_4%4D*XYp(TkotnK}Gy{a>(?HSv zMOg{g6aO2{X<(`@6v+GE>rjPRo^DP>;Ed-eVA112o8m&)=y|dH%uwWr1p@m7Qx^l| z+-cFe0;tedHk`4U**lL}eamXs&~08h+h#C@gtV3KPBP=j^Bm1y6t=v4y9?4lw0_J8 zG(zY7a8x)a9ZNVW^>Gf62`a^2tHayeo ztBXq3j{QOQ@xI`%jDzAU-vz~gNT}a?bxwbFR-vcuk`6+X(ovGu_2dTLUhSGf?Lxv zhtEWc@I59(nhe!f61DUiHv_xjsc#MGH9{?k9cw`W8*^GI(<-@{?YL=uPGeCd*WN;d zxlfUaV?@!3tM|wqJSAQ!U3cy>NhX@E?QSib@evF|76JYKtA)?ogaZZVa)-{J>8J$6 zm-O`2Gh7VJHbKpCejYvc+xMdB%OUm(*QYtjI^FFf8N&BuarjtWJ5 zds66KQs6@1ja*bQZ{S_uIqIkEuNCtaoFsTq_B^Qs1R#tQ`0^`G&7ig!nT;KQqTbKV zUAdwkCVZalg+K$Jw!MZWdmz=nN1zFaEs3|3CvH3b*dZahGJExt7n$$9f4u(4qpV@5 zkD6QR>hyJPhu_D&bqLBpS)&}LHb%DTuOlEc!0wtj<4*HoW+IAIN4Z2*b@oGTgNSr> z(Lw0xbRr|I!Sch4Dt6J$Iy+>AS6G?*WGy-s0F?(6YYj0ofkX=roNym;&)m%HjmK<9dOF|!Z=Jve znhCPbs)vShBTq8=G27s0@;DVJ`lUBC4^N+x%~y5Ks_V!zxNXdN*snX4d$s&?XM0?P1EQ zvy6Nfz~8GNI_QMZ{ec!Xofhr!^lKlSp{cuhjAC3oP%m#Y3kmLWh8p)pOzEV#B8RB< zm-4=s%NWKDxUGEe3d=+~tV;J(zg)T&>o0){pL{#lW^?%XYaQVS`=-)jF6UeLM zIIN{OcNTY!eZ6l`xfyl&WYaU55Y 
zM&_B#Kh8A3L3M*rapLuCs*{+^-AGVpDXs5T)|j*{-(G=gZtxg!Ml~#*V2R@Bg0!`S z%jkq#A|ByoTCEQ*(f4pR9c)TU=d`B`8_#e$5N+bbH}=jSN?d0ALK`&@aANOixb0p6 zin>yML{4EZqhcpRk9P|8939d2ZXen_m7FQ)B2xHir$%TmM%bYDvcrZ-9>?JawE#}a zmgrHP_v#ku%2D)uxR)4%Oh{qbx4zz~SJj7~V-D5!9%xBiYZp7G9p&<4e^=!Du1L%w z)#-1Xm$K`s=>8bCPburLiv&%x=6*jmI9vJ6kVZXxdYw}1$P+XXd_ezWNF1*UE>8lm zN>hvuY2a^_c?auGsvOS;YJJDYK|Xm!oMNWTM&d8OEqC?j*4*9aU=*T{uit*~BV`(N2fh1aNP&r$(1gL?DiPwoEmUl$r}AxYlVIxo?}Q5Hc6rQTP0Zgv`@ee~z0|Uh z3@JPr_J9G&FW39@SO^HQ9KPF_6vv z9R0p<+eHI%{sC`dM9zbxILb|WTT?K?KWJFgfm??_2b?dmJ=>?u$%6V}y`|iy$EfbO zbo)jg$MKnH#&~msfCg$vyF?6|<(X5Xhij$!qQ7cIxBgUwr&w4@&p+&}*h#z?HhIXoZuW z@lbApapNn5l=<&RKLaGPTvnLHMC{R#Er#TstR{^PgZDS%m1u(RQn;|Q9T&86PDD&+ zCqc=-T9klT*CZPFLL32DrCrO|>v<*_VYfdfe$o=kRiJg>0!SYs{(fC!4a*qb9P6eO z3A$*Q_(T}wg;Ep&ZsgM5D<$+TKYMEGDqf>LsGGq7^GeI3BS!fWqUDO2D}R{a(p{-@ z?=i3R+6nLV&Q?KV4j9ApHd22@l4hl=l^7x%QcnBevUwsL#+;)%)zy#uO-S#!-m7y@ z|JeL>;^@<17ZkTTKBrA-hZgLx;Afb% z;|+I9D)l_qdFG#_;{KX`DGN_ zDpN5Dd^qBF*4(vqlU<6Y;Oh`p35reL&(|n6ua5e-8Xh;F<>CvlYWYpYmg2WO7rTT% z{-w#!82aqW@wTwR7*b)HZJLvHBOa}BU7c>|A(mG(SOJLko` z4TyW^0)@}nFc%t1eFAz)Do}WM(IjJx;%Kdljc8wXST${kU=W;S%35;(_(UMe?$?)p=t9CzR?Y>xR=YG9y5i8tRDrbW;odvj-_Cb^1;v9 z(0T?-Q4#qXOa*v`Pz44{;Cu~OEvf|M{TI?m68VT zn)}{oIWp~`-6oK#lD){q(sc3S*3o#;dB6&HTm|sFEaoB%Q=~IGEcRb_pU)qQ&2) zpG-m%v449lU~Nebl*esNDn38S8z>0FC~bXr-flp{G3jL9_3$5F1cZVQc;+Wb)`We~ zqsK7mH_%TJ>zWl;+t<6Lgz&oR+Y`dW+QIvp%;(P zrKo?;eG3%3qrh>s{#rz!D=q+LS=)>zY{ol@38bOqXJ90yn`9)6?H^nK0PaiMKN%p7 z+ak3+k83ORJ!b_!`WO+T;M6$HWKHyye@#7*T`oMpY62$eKK7v`a+{G{PVUag93DkJ zEcadN`*m2YJ<9Nt)h5E)JrZ|FLE@CDor4@cK_B}55-1#Ms;$(D6us2}fP(xh_VAuY z;rrMH5cl~3yqHV7iTEdb51Ie|-VLhTmEqz!FJ~5!dOtb^=LRR@oA!U3m`7e)WkXTWfA%MdNzPjLSG3=a7kK7ev?8;kIs8oeg_c6>a2Cj*|KPz*1g9?uMv#Bx_)UzxX zlRQB{c#x^|KzlzpfylvBI)YGd0q;SNUA=A+VMO_Jz(aQMj0J0pSsSj3-s)4TwG+}fMC!^xQya1B-hJ)pjsNxqdT5ZgnAr0mh7I~EFI`C4Ow3X|iB?epV z#1l?E81qEEA*YC6z-=uJp=5|c+JsWN?FnaQFx>LBxA+kq936D8s_(B|t|N6#T z2x?YZmE0`;hoFV@tnyJ$@3CQE*>jYBDj6iLG*3}rEhV(!MRlwSO+L9lRG{$1WZA^d 
z=knu-XBYGeGD2-yNlD?pGuN3C7bpAsFYT$H3w~c`Cx_+3*_syqDP$-Psro)VoA^F8 z`*~@Z787LI%4J2owZkEDWAXdm{s6Ke7*z>xIM^KAU>&+keSB38#*a1ti}_vHARu+V zUSm%{dEfn9YOz&-^cBnm!By@pm-G9;3YW?X#4QnN9R97PLVPGHVwTtj3~ka;fwX z+R`(J(dH&M`ImL&T0{22Ukg<|m2;-|_l`{a`Ny#&AR-3q>XS2+U~WNQM-0w)3xjzI zgfy8s-~~^o^i$->^YshKS?|V9+@?Dg<8|mDw7nnr1-&@T+bzP_F5;{zd?+$F^jNh{ zrCnV;i2wDr73HOUoE}(Z7HnYa;2zfwMV)F=y7;}q0XJv|M+Mq*d}yeUl*OX5hd+P* z`sK^#;j|h*4LpN1_lMSO*FEb2hl*|{8ohBXhVy9hk9NK+x>t~9L!|V6Q?_+0mqF{R zZjZuc_@1?8?wb_n4SUm3b+TASeKNLhfhu+XOQ~qUE@&8=u=NNmKlQnv1RisKJx7@sFq zXj5Gor0P(_c>2nJ9~}SxEb(7`uD-v0IRKHTaanV@#lr+0Me{j10bv z=LSy`yB!9Xlx`FnW--02^#8R0U;wQ6<;y=?0>pD4Lb4v=sXM?jIJpcf?xrC)8lUNi zaq@mM{QH*Br0fDA=k|8}bEhkb2;)J$2~kH-4*CVV7@+v~PKa-aeDh)AuoF6O(6Zk1 zy;;OEk-1Bj(t;BBQF z4xdYubI!xg6otdU!6^ykNhXRSPC9u4AL{B6`VVoH*I}4IYae;wQ5+s09H&aA+TU!Z zX0-zTi%0>_MPN00=D+YXj$dVF=Xr+vh3$T=@0|!cJZ1Fb_)i>zmq4{Vrjan0YFAX0 zU!>_%;7FYQdgHn{RTdDQJAsh-20UG0uVkErt{S|#p@Nl=Vz<3odoqa8ql z1=d6!u6}Fazfr&=ZW(-hQYXfDNfP9C^3_B6nqXVcv|W-BK0DojSkDZhef9i31&Beu~%(4)HZ2s$qqyxl~uaOX?3%w6) zG^nEBX0t3C*cu1$2dpejYQO3=S_(&|hcP^c6U>>*ktSQzvBJzS^QRPAIL2_6J!@Ev zxMfXrwWx-c$Uy%`0-BfkX0+3LCpih0y`9r`+Q;O<$dfL1K&NiJ4=D??@DbKouuBo$ z9H0oHs~hZ4gYz4^IOTNv@Iyi(P8Xl!^625j4a0|Joq5LkRTZ>@9Vj=bpFV!v{{=^J zqGk5NWCWaf)A`TX5JisRF$oHd8j#sSUu6q{RX%!#1ca643}n7Y@l#)1qsj@KLV&xH zlZKMJJPbpFOWf~{(8L)Ff-s2~zBmm(rD2uf;bHfQI<8=jH7~@==GTtB+z4)^9OG!c z1iK)h*aye3yDpPR1Cz0*_@_G_GBKP{6v2}H?NUor(tG$XvPYycP6wof@?OC?6LoxM z;*@z{*^4A07i!bUW*<9F{V1QqYZ^Q^E9IfDNuvXEm0ft(=cv|c+fZ-X5mvlwm_fn^ zN(jYF$t-6#zKNqsUV>JId{lT}s$m#9+(ScLdan`0wkyKwz&XGm zBm3h6Pb`@>x zR{KzT?e)Frjpc*xS;_}zj4^eF!R_Ts)THHFrM){gr9JB?qpV*)w85#C zN`<3})+2Psm!N8&SM2Qq-U^v*YG#(_>gM7yQeoe@QvR+H;LVRde@VY6;ivsztlEtX zl9PacHmdZ+3yAtXM*3!`Y$ua|@|`3`FHQQTUm z@IG_0TB|aS!1cRzoigAJQ1rwc)*GrnH-Rx3if)Imc%L%T@DvLLwBp_TC{%4<5+X){ zBZUh?s56EXl$ABs)h%qiXVsP8K3FN&ibF=Gy{fzL&Jt`yFbP_wxmWK`Cf$EH;y`Dq zdmdPQ!;WpId}^eO9^Y{)r6TE20DMRL+leOn#R7=-l;QgT9`ESCTGCNqHZtJCB`QN4 zpMeMl0ML(_5?w=4p-^DMxqbU~ysBrveY`Y}#*F=X3~ztOqJ8`&W#|5!(b4PP;VL2U 
zu;nQpitF`xpT3NV3-k7KvEF#Y6lt>_2aRu|*raKWpTnQ#v*p4du&z|}+?pY-#;Sa> zL8~l=Bd`Rn*LkvLc?JH3(w_R_$ z-)@`^JJEQwQ%fE@)5XQbE-o$_%)%LKktfF-=y(W^IKPa3!Cb&2M(Lb8;nB*- zis)-wdqY@*17d9aegc+Dz@`;8GXitMpH5{cJ(R_siua5Jgvbz{xt`;;mDJvTHO z1hPaKH~J`y=5r!JuP{cW87u+uv3? z0BWAqZ@NT}6GTQ~Y)Xv*vo|UY}}JCjIgnU+Qbn-1y$Mc>YJG2y0J_Sd>8< zxO8EI1#{cGAnx|J@~$@_bU|xRlp~N0RwtJ|^~zQ{HZ7PJUZ^sVDy!o6*k=zW#c*6D zOYE^#WwYY+ZVWBnRXZ?Su1n`Di&!&TAewl=1PQDXfB!3>=HF)c-TI$Qz$O+oB8Vo4 zKgBjh0<C4v_KsDeRcDA_`<>Kx>QtkF<;iDxGct4n9*PZko zTO)JZ-+E=6NXsSVGhAyHfW8D7P=ZR%{a$^SYQV_vJIiL24kTm!+abY8yb`X2)}SmF zls1~*vBHM(kB=hhND9hv*vdx(KiiD@DA;LJarL~w-fRrj+yHNzejqD8{}MzywK@6% z4^3jT;7(1#TR4o6siqN>6&2BRW#Y=c)s`T%ihY?E*d;+kgeY0^V~+`Fn*iBlvpjR6 zQay%N5a1yUu73#lX&vk7GnvvegBzYd3bwZyw=_IKOTp<4%y4Ps0_K?OpN$eoNYVzfnuUIYXOeKT=ad zCD7FQCuZ8~Lg3zt?LC{#@zpl-C-|h?ST+vT(8NCkMJRokt@`3p()DCu1!=aLX;c@5jr7W zT>By7>d0PqrG9W5j>fWI$eZZo*-$~-Y=skD0!pmNS4?yhvEE#5UF_XO0%!R`zai7w zC|IaxzEa2DW!$SDtgS3+%gI$g;o42d_wZ(tpCLNl_WyjWqk}5F;@l=ZmL}P=w|$*f zNvn_Gwc_!tZ#Tpf5G8YC^DhBtUd?qStHK;7JQWjWQDvEKsq8jd6?Aw&7AJs=tEu4K ziTi?HALM_4SgZ&ZeyINS>(|rMKbT1Ni*41u&)14Vd7RN4jja9jU;0NH2!|P*)b5TA zLS}2r-`!3p`C)NXZj{MH2yOYjFJCiiTv}pe=5&EMoBV|1iK)Yh@}M0_Z+RLIyZ4#~ z9ja)0tH?H>$Dt4TKYtU5H-~|E^Oo+%7rctfG?5kpE61UoQAIyC4bP?#kzVTBNd^WZXI+P==f_+| zGAyZm@FAP%*o-^Ck)|kHR7BD$+sbvFCxKWGqB1-hD{h_%;}^1@JhM zDxF)me(MuDKoFZUo^9~gKgdcP2t>ha04H#xET|5hG<;X>ME;HiufH(@yJ{kKlHXY_ zTiDfuj1CD~{CB#I5Fw5S-eOp~EDsH*xpxDLkpSRy>XZhOE56GQRnw~~&4^0e7|#1A z+SB~4ZtUn~X>dj-Aq=zT*u{kMFD6L-C$MtGO=+Lq2kM11S?yCzu!}7iLN`DT zY42lQIfe42@c;g+9wFM(`ET<_-+eUCcg%yoQE*h9AyG@(Xm|Z%iQGDi#ncv`+**0zSU}8@U^{@u03}Z z99zl@gh-1VSBNxU4&a-HIdgEPY_w2*#=lSgcl!9>Z2v}IX)o{z$S4XiQ`&k2#LGS7 zwp741xp!ERon4^7G?=jlZpp2yO8(luw*jUpA4ug_12)u_fB(UNxVjC;&_Nu9VLcop z#a9GNQJWq&07&(3^L-9#E?~FZ^v8JyiQ@)~AO!=dh{=rFOeOKQI3P=6|Gz&Z>@=+B zTcn~rNPaTB_Vm*6Q_}@8e&Z>dEChC2gU}Hnnv7WRPinw;5ZlN}MgKDjOH{_i!&~#c z)}0DK8U)e=>kZkTU$ZJa1HJVyw{kwk(w*^B$Z9Y!VwYv_=6L)bxmDv|M|DrY!QDb6 zgY!aN_emk$NAp%qO(0T3E%0XhTQD#`P_x`Rv#CAS1n1=;32d25siX{+?-vAqyoLz- 
zFEwc5$={XkO<5#WuR+|Ffog{hg@vYnxpBOcK!gjFzkhH-RX2|-mH0*4Gbj1i~{aZ~b`CSLZyvca3ZI$AYNTC&R0BxWuPb!iw{HHbmD7puGka z_ah}`pspW60P2OH1R`D*E`Za0khV%3+pis)lh6p%{m;>{HY1XrHky-&$04u#)cDIG zvW`_%p^Z;5t)$QGtPXXh2+P)zHj3EWX|fV9olzY9d^j#$S9v`6ldV_Og9R<+HUPgL)x-_q*g$|>T^?#c>_$<&vKF*w;;pqBy*+OP{lkS=bPY2K@mFAH^A}Hd5un5dkD2)f2#!A8G*fjsN=%a~xvx-jtiZ zAEZO*6?lI36olTmV>F$*%EV;zNN+!e;v?(y*BO3)Zv+E%6yYPZsq7@%!rf*Y{ldL9 zJ9@5ZS+RW|q2rCiS?!SQp1$cn2{c-Rzwa~jrwAP*z$X_DQX={2he!*lowLS8mh1lD zaJ^#hkX?DHC4PIXrFQH7;4V6VyIoZ#o1Z7xN==W5^ejT*iaFEj6R6G#v-o`=)Lq~L zr;aq6g!7&}nZ5qIVbq1>(9srYU~w4!JWAtF2R>q%L3F`&Gd$xOZfh1D#(S8HH^T1Z zn|}^-GG`OF91N`fkwfLpMYH$`p0U7F_;W~|JI7jGVDV;;3wt54cgY)^9PnYeN)^J{CbxfeF$%8EF>*^z*9u=sByvql<)Qw`??o#!__ z4of+Lc1?fnk2Y;i>?vOgHGkJEdn;TnhgOEf%Ow_d*H~mzqBCq_nE*x_%HPk79QBl% zp*&KPf6++=Aj4H%q@@B)G0lX4g8djniivcF#+Z$!aeGqRz(?nx?6xe5bB9@XAeU&` z<74|Yd2+s61rk64i%4Gs^x{H1xM9UO`PbkqckeE7PR0);Q;{RYfF<#_#{Pv`%Ng%3 zP(AprzuOJkdoTFO>GipR!c5PeiThKBAgQp_vgTwS9u8;)3BwTaJm5$Q|DP>P<1C|5 z_-*lGxC;f7V{rzh!k+vQUYP5Z`DEkojnrmCHc_`n`&=)xh46?L(L*#?AuA66F^SxY zGQ21A;ML;6pIuh5uF?tH_s$~mRRbG+O~G{iI&?Jp5G4xL0BH21T0{0%^xYh;#*Dtg zG%ZmHWldLFvIX*6C+`ie{vP}0aJLgf2n5+`_pu%0ch$Z9JbY&=$LBh|OtLv~TVV-^ zyfWZHtws{(%$PF!`S7RN_yS5CwigEgXmQ$*fwn>7rZHI z=d_kD+LNEK8IGrMeot-Hw5QSDGRd~|b+K!9ohj#KcX-&1`lFNcrWE`$$|7zd;z6Fw zEg~Eqp8a$RkK``VoICWPJ;onq$CMU%?QDc+bt%iekR--YT86`e`WgzNKAC2+sW* z1fcEe52wmIqgZ0-JBhlSr>T$@h0X%jO6Ty6OfV*f$;ISTfi}LY?`y#ZpCr(G`C7t7 z^@f7R=b8i^rJmR`n&hxn^ko0z?;x&Bt75v)bE{h{FGi>~*v@lA z2Bg~jZT<0{ZRM9QvJ+|#bBor*Xl7oPgCxA~vs=M|2gAcrPr=ZYu=hQZ3fNe~X za@yHD+zXQ+=c(+9-8AX1&X{5If1dsb@|Zw3L(>E+8!Fs{^?ZC@4k;K+MM%Ep0p{jt zeNKj0QcdpWM{hHZtS7W9uVEEvd384kU#wf7wtmbd9noCRx&A##rlAzA=$C|F- z1;y;zoiCQTdN%@h%n}eeb#(_IFsn&YQc^pPLi`!c4~a74joAc?;rW@RARr)?ZU0{k zBPP&FO%$s$nI!PbNa?0W3F`dRL!Ue}VPy+a(EZmqP-;+IQc_-A{P-k$oCj#gvVBKg z?tCeAaaZ0oLlIREw}-O#+QfqPdu=r9a!Ld*xDH;!39tXrw9M)OnQZcHlj^wCtqoou z7xsA0pJ8*)D zsh&sa@=#T#WMfprf?p+?3;>&K^T(wrE1 zlYQ$kdn5SJr}!z=*|4(di(Jx;*c*QypCutji8}d5Un*~8Mhz%fOFVFiDZ^JA5R_*I 
zxZ&ZU$un+7_)gTT)O^P+Z*2W#o?&UPBUT9-kXEZln)tDc_-O>fxy($O>VpTA*&{ z^wFGOD{>^6C|RtjhRg&Q_!jQ+y9IL@XhgJyvt$NX9UW0Vk8w!!yT;CW@$}&CzrGK2 z84FsGlE-W~)YCoZ4n4w`TiEMxObiJ1TPOzI$<;ex!MnSY^W(^2%E2IPw;seMgXpLI zQE-H959*WS{_Z#a%6fnDBD3QrF#r1g9ACl|!l-az;)v3~{8wLk#&mnV;Q|p$#x1FM zM0%U-O3df&O}IC}8XwlVBWqx8AGTVYX7njWGFCv4)-lZaDqB1k`_ctK`v1clG>8um z!d5|b;Nhh(%X2Fe`!! zuhiU~lF8n66rH>Kj3Etz<|HfxwY4Qm+oAw0)R!wRzK48?|N zQQ+uTWNEy|TJ-wYXg4(H4e34uHN&ehnA($4#Quwo)c@lQ$KOA}beC*v9Vm35ZI z>hPoxTu{R~jf(d|fvo>pG&enhu3{4CMYCg9YkE6j(OjZUOOo}>bY9hyL&!iC>Mq7Ni$1p`o~y$E<1sQNLLr<(w8p*YG_zsT;8zNlOkecqYr5`J=f_HN@p%#G*D--JbLNvxA& zXCDVHQ5=pP2L|T?yXfo=%@gc_!n)f+O`?7;*KXnI} z>RM9Oag@r8k?l1~HGX2)~*ODNV&j8|dWP0=oj>4eb&i(}MPN)!E zqrIa|0NL{lKqU3|ZM?aPriHLpo#u0FVr4@dNLHln+fSjuN?G?b4K?C3cMae}mv}YE zFpvK@hHwkyUUx*)fs_5uOg`6@f+z(ts7C+ai7Z3u^RSO8@thH-C;tyyfCx?)0G@9B z!qyPDFIAN-F5{Nkr#pj8zdmmjz@uxEz^)O#e^S?Fq^=9v1LW+u2OtLY$$xL9h8V{- z)*CWQf22N@XZ=)$yJ?*r*2(#q*}1DUXM2}pnT>B|^X|^##UT>&w^!$Gf-EJi7r|_K zhQY_*UL42+prx|R35vq$5hipW9<+MT3o6bE;6A+Gx`Hx!)?*N;?4<$HOU|a(+&}xK z2mn#=@++}qOcE*q4;IlT=n+xutbgq$rMaN(0lP{drYc&fHd5p3Z9@VWUU0a#36T3+eb3zlGlR4 zDeY89!I-lN5m@35!L1A-qAje8z;^x!q@Lg*G!R<1;)Md=-DE~Ss0>A|VlB{;W+fRra?O6Pw3h;r~0p5_aO#dCk_l5<~{*_Ey6Acvu*L*}(AL zsJ=dDSK=V0YQdvD8a|{EyKsR&NKWVp^ppFl;^$hLmxfBHHehTEp=gp48vAuwfyR(G z^V_qgP$Y5hL@_Gi%!`|~wtZplTE5z7VPFde_C4L81K`1@CvN_li@Whu+?;6jwwfBE z{W#hU?2QZ{&V@!i3WOC_0}A#>^gsbzc4a99ptm$2%nZB*4bqdQhSO-V6V7z|e$~90 zDxZ05&iF1o8d}h_;#b7Gp)ws#0lS~28j9LXJu#EO@zl|0rGJZd&J{4k@1%zhhQ&oPg)bm%yfQP5eDeL&Unt>SI^@W(+r&zXd#{oW8NfAU0Jzh^y(dQjlxC~?PNoA<{z2M zfqvLt?Ej+8Ufi-FlKhOGG3IU>8y<#zZf3A&;@e6ki8TkY(j^ceG0_qMPVaXoYq#pN z$&(~g+T$37Pvi-pv!iocDzmQt!eTk+k|Oft9914jl1#Y;duZgf;{7Q16SsO@&?V^| z7312VSdjhV{LEHJ`X{@{l_dMzX*%{VVS+3)y{}dLK7V95rzDlz35h*`Djpf@3xr%d z$LcQCl+uP)US)dV^`1M}^b3`<7={ywY(ySty;qOa;Q5ew-o%iBK^ey~&Dkwv%g^gW z{b>8Vk^di2L+OvS;{Dd0!Y_dQb(S8XJp*G>sOP~Q!x~Xv;)-znFz*8D6L(Vt50v5FZ z#bXzvUeT}_E?SweO$$adg&W^BzOsy^3w)MVWn)IPXz!zUq;gOxFi40Hm(a$F0Ic+p 
zS_0ph&8|Gh8ty~mas3wQ6W!+Q&n0NR;B+hw6vBSqSi<@_Zi56Yj*xqfS5wY>^Q))* z{+o?xI2%Bec#AZf%jVc%)Kss$D6SAu8mgpki8K^?@DemLLmedE!kX$qKSvl#PD$Yj zw@otTMG5jgqfjHS{}hp|IVG{He=}2j6!oimU>Ku*{DrhgZt(s(+*wAao6C zYs9u%l-z(iR`?m|z%F}97zW@|%xD8g^xIuKj;_sZg|;o(x37sMqzGD5``!I^3O> zyo{D>JL`1}o}B5hCp2%L&{|(&Y+j!sbli=#HKj7WWc(DA5H3mY{^XD)r2;*MrnoI{ z@9!_1`N(5MMII~TXLW`iVNASHMEr#tqd0U{T zX20o0)g<{KDvvUez<_k!)>XDzA# zlwQ145D3y`i0sf~HvzBkCAGAe839`{x0Ei=80s0yV8MzDb!kQ2F?0Lq2*N3vMH8f( z)j#8Jp35fg&LrZ%K(PZ|(Ysrh`Q^UnjO_u{`2QKRCGli zKEz|0Vw6#fNX|C@J0o}=imt$nDJ*>FuO#O>%dDE% zu6>%i2U3aiUpD9Q>o~bd?hUPr;f928VMAuF$CT&9h&`j6(PR<07&zCux9_h#{EK|6 zn#z0JG>1h$^sy(AIZpYl{OZQCPl47C?d|Q8qByo!;=bDINNxH2Le}xV7%Hy7x~QBL z5&{R`E1sY}=q@FOftk&;8JG`kUlpV=unXl23n7#86qNZ2@-Z5(jPg1XGYq>2TymgoDLS_P2@dS!Lds3=Eo*Qi5C9T2647O|4}eR zywbmZ*g(nQya9pYn*M0CK|=N9#X*t8dGL$o>9&_Cas1q@C`i1{T5r4`)i7`;cUPx8|1PjM7E}l@5z8v3t#25KFDyjX z9^bt2vI~tr)p7T3Vp@@^do0_aBS`!SM?a3!G{Uw1ym}Nx8A8Wox0$yh)+xn^mLlZd1l)tsjD4A5>gbt^8q^Pvmdkffaj`M0C&t{S zy4pJ>@q9(iF#y~~loyqN#-4SaHPdmFc9Gmzj0g=zUA0h-uNK9LfaRz0weOU7Meu}J zv&7z4?UPJm{l~@MGn++TlQj?_K#&!;^|M}=1tj+9a`5DfT}pXsr#4WsIJ+ec!qWT2 zF6$KM+yQAOg_Lz|MJJ0Rsa7vGou1LiFXCJRnbjaXASpcWtH4qPWs zxb1uGg!YkN*h_3)le4m#GI0+C+GdB&&bFdKWo}h3Fwu7tD-7%FW7N{TU z;t;sVeXJd@<2MYH45%dvgZmB$2M2VBB<&b(n}DSPP`N}vf!-#o`Z27UaVVrUnD0#*Zx2DR4tdM*u_o z=<;YfUjh`*vBM_wQCfP;=&Jhh_%DDb^Mm`|04pwk)!Ldxj0y|8wAscXc(f6DfA!lY z=~rKjB9_Q|cIYIIs7-pr$RQVfaP?A@EdMH$WxBHb$f9Gr_gQ6@y!NiUz-#nVkBgGFT#mw1>bX=uaPr5tv-=cJEf zz&Qmhsd8=4)6<;mV!1{Ncbmw$)c;4+TSrCpz3<<2cb9YwASI<@AxGyZSrC73$n zBY`J>r_F<|FLuhAL>=@1=wE*A8}1y)B#=zKD?bIE)Z_rBkq@AVxV#iwJelFtNovw$ zM10Wss`jqbldma|kCCEP$1Fxy5r@tgb%){}rd=+tGZWu1aLkoE`T&azd{^%3sk)&Y zL4p{Xbys!xL(%(CXrJODL7Emy1cv*Ha79S{L-ET`rpJ`BG7O-8IHh3zm1PhM>a2fNP!?gYUfGHze zxx!{p!3U~4!AV_{+;ByXk|=V*VjE}6Js!VeqaI@IW(QOL6rm<#^8BGmc(jC2LoHN} zk+A*#EKSxy7K-L#MJ7~1xGNv`I=}rT2UdOtQ-w}Z%=d1iqb)(jdiE%$8f%favpEe4 z!(ows@F+}(EL7q-aFVmx-@lSUSCJH!-Nd@=coxK>L*TdkpGZvr5DYs?RVcnM(u4fG 
zG>ExoD&#P)>yP`J-zL={3aL}@AT-Q6lnE@T#zxXF|OBC;IOdYfCUGG;c0-YLNrinScF^l0CL*QRSxJBW^B?G+&P z4Et|JQ`adz(cfpmIOiC5!Ra{(^OEF(|F7Z&6ogn{smWerOdEN&@3eueqve9V99BnQ zvB8XYUk^@y1x+5AuceKRfZccxgx26w-EZEl{#sHxoWBp6NhDk!MUMx(?UL@IW7Jdc zhxDarMu1QId)EN<=d>jpp!)_Msy3iI{ufop)(T}$trBb78LCcRj8fH#3HC33a{t5o}Ew81WRiP0|*l#T-ln)V7$;lXEsL?G~GOo^Q? z5MDtZAZW^p=~2Z&5|7crDSBT8iQ!X;%G?(tY3C>=LUP|ZxSk=VEhsl7fTW`T#s;_f z7Z#eTw$r2F^;*76M15#@230?cMKn{fUwhz$`EwaNbw(Y!|0`n(3&Gtc5(NBS!`?^p zKeJifs{57(F#)GSI+F~#j9jgZeHoBhwfNM~1e;dJ#8G+?A1%MJk@f;(5F;A1XWan* zR{`MX^s^m~aslcF>Cfl9AJK@EkSK_H8pXF}lIW*kC2 zZoV5JuO2ncs2~WHkg=^;cg!uULrW7~1$S~i6r0^Aqf)SSg({m?5V4z!ce?Zd|h^n@CBTCDlMlS4X7gLiwuwV3a z^`fG{awu9SqEILzA_iIxucg6qj%6?QULs%WZfB;z4BO`s*Mg?bBo*rq;jCcbjM9ud zYa@@G*Zxm2{Eut2|K~JtV+A#NL+?ol)aQX;hwyC7ly%$HvwBcOe+?V*Yl*F`WZEnQ zA~1jI=pSMsX29h)ZsQ1Vr7K}3m)>o~vMHhcDllQw;#-oncGG6~4lUMZPEhOL z6B6uKM0Zh0S4XCAKsS7vG#R2y2qbbp6iMOLO`z-<|25P0j!mQQ0hVgO+BJGFd}mPr z+ZVXuqJU^}oM#k>pHRHJqbQ<|(w)tYhEMI0Gq6=jgVub$mLWFU@n%Alv(A2Zb?nKS%I^_OC zyutNUS{Y>j0(Oy&%M;{Ujv_ZVj4m@z!?>+sY=BIwu$J(~`BfQfEiKS`lAJW{(H4A+ zPE*$T;aCN^4Ka@lCcu3Fd(a<8U3_K}y%dAJSkY5OQ51Tk91ukLkfV`A0Hdm@Et*+* zQ{p5S!}a1ZDp{Ch`5xtN6=6&956 z!stI)UX^z;5vHcX)0R<%8-4HA8LiYqO5Qw?IwL)>nn{~|Esww z2efVs%`k)1ecfL1WPMe*GiQ3DFVvxQuevCVyx%dIFmi$&hk<#pPWCi$ukAk`)WGI&74Gw<=gn%LkaPP86Cr~O5ws!68Q^nzC`Zv-#s5)OBrt#Tm z%bx>CNvy=LX<3~()q%nuJCZP1aAXd71&)G3($2G8W%1QM^iLcfY zb2sC!9GV$IYZHyStQ&lB&up_K*p_2?IuhCD z!|a#3Elbv`m3`)!YE2|2Ae5vwuIBIe_GkPlX&WO&k=>VWE#-PH_elZuuVnq`-4(V2 z%HNV0>8QrNGpmo^ptZe3x9FGoErHMc!E0~c4vheJ(0ED>^S5VmF$l?>^%!u}x$WWANs z0VBb_ifUAR0Vry$#aXpei4Iyy*D9F0SL0k!V|sy%9A;T8O3^$)#3+`5jT^}i!=)^^ z>?|f0-(Q53b2yvgZ^0-YOSu1$Y-7l_mW?gK^o@-Y@WMeuOMo_DS5irqTM6$V;hW^` z6||wl*dO#{1+xOvU(RsNNY1%2V#KONdNKN~kX1`%|6#JIbpC{txi>&QgxOTsUFT22 zoG4#e&iLYL*HT5RjvqTg?pl`X;$1-W@6q@)_Hkgp(;E#D zshE|b<%5W2#c8=*aa6nER!~MJKBlqMNt-g1S*)Zp`YC=oGUl@{DcjNy6t%qV6KHkW zDO2}jOoN1PqGbc0L_Z80#@6*;I@MB_!p2@jPC0bjYmuL}IG7LGiI zf~q!Qo+ z7h#*S%)Iw1Wch|7B}+&p6TE1SW{SbQa4bbOl2ki3+6C>pHA0aYmtoE7?T!fL;|9;@ 
z5&eF@y9Sl`>Or{S=J5&B6)UN{${XChyCWCv-`|HI)DKGqQDgvLK}0zleMmUvJ#*gx zhVhquW~WkNWyQ}r!m)m_m$_USV{;JAiIwC&*9}Ee=QZunD(rW&>y8mNWlfI~d`HG5 z&F+`l$iaE>X0;(8^q#}?`{pS(@;9G&v20~=ix4R4D*rv*Nc>cVtQYHV3y|pk5GU1{ z>yONge}a+yX4SukTU5+H(ozn+PCp}B6+&aZ9zNUr5r2Bhc9wWUYKg~M_YeSrfF_eKncGC`hmJh9#P=u0hjwslC6}9LqXITD;I9ne_ z4M~1rP5e~|MkY4RxYQ+=29a|00Pe)KN~Fc#4ppVt?)>GEN$!rLTwaS*ndv=N8s`J_ z>{4tFc~Mz&-)#`L{hs? z$fF+Q8Kij2pl0$sbQs-9wsW-iV=d-S$$erCG4jP`rZBy4^Q~6IP4cgZ!uVI5)xsDN zjJX(>CgboM%L|#8ib+e7>ajt+E4o+C{qIPv(Pck4$}e%j+HS0m`!>1s)^d+tVSHlM z4Q{hsYCd1YFrrhv`tLi{3Z3O5TdzhXr`qI{%E)$LSJPx4EM$cRTCl4r{7k*5XOI3( zCO=5@dL0B+qQP+F?k#HSZ6dg4GAmHP!e%Q-X43{rnK_A&FAIKC>*&1#rRhgB>}r2P zKg2>C&(5RO%?UWvvd`~=?3yJ8c**s-eY9{PRyf-)?>2V~1OZQxOP|U1%E9KTVMU#y z7DOD_u@4?*B|@||`Hhn=-C*$X;M-CcyAtsV6oHKxhHUAokwKFbd2T>*wW#m|1>i9* zj_78NPg(2aECo!YX%Gc|riaTgUf6p;z(a+*sU|_~dvi8>i<){jBuaGvl(wSg7yGRY zQa4K*R)&l-NcdU@+W(O)fBsVr&;X>=d+01W{E$)wftsAQ`RxtVr*}coC=CMpl}Voo zf^i+`8{`V3p!T1r;X1ZAi-z1~WE^r?C~RK$?+CYayPp458+yITdOS{dzo{eoc)yt& zxpoLsZt#Q6wLLHF?a?2kNXBbd(Mge)U5-`?*`lvUFa$gg#RTSgD_3}W{@v04Nq64; zTRv$8m&c+9;y1sUzx%TPZnw5>HfGvJU={~n-Jy!`RY4g4y;5~Hb#6(7eDpK^RhmiX zpl?0%L3a(6avq;Uts3-2Jw*R^HaH}+Q35P&7#J(TgRvi=)=vFt$n41JXuWQ%XD44> zyhukA`D|Xht*$k%zO|~jzKIGbWPOx%t-4N{`1pwt^u zG|+`EjW1~~DztQTSBML^u)eG#ZuS_Ka{N`&Kyz&A@_u4cbYfy^QZ9^Qi~KK5izt^K zMeJ8yNO?}*o$6g|LqdRf_cVYj=+p;ye{*F?hPv*1+l6tf;k+ji8v8*T^|R0C8<~$? 
z8xDUi!|{)?UvU!O_~Aa@>H8Um_>A$&b-<FS?rE4bh#RBHtbYv&&2OCb_pjR7teOM@qiWQDq0 zreuZg+mRd>lHi5v4?=4PCyBebOb_wp8pszc!p5OwNGUM;sGCReFCqq?f@5y_P6nN0 z2Hnok>0m>%#8TvDeuXs5w56`KxNyN=PR(7zIY3|E)6|(yL|IoMAlXl{a3Q01eL)T9 zhI3^S_b%SG3Cle@4X~+Qn~Y^Bcx6@JY;}%CFho{3N}_37z{&gX=W?VWbVHenRRT8NSUx)2YrDP4ec7e`94mYP8eCp*NUoM1 z?EKipwT+=zY;E60cqXM)9G7vnIa{w%ytW6o07MgodT$Q0`MtWg z_htN8nX@K1OFu5r`77#0CTaZArKe1f819kYl6Ac;*T(Dq8>;2Wxb-ob>4rx==vPkF zs^Z#FH+1NmgG{aEQRVdgx828(tNg#Ox1L3Ot||y$!S4CSH+S(k_iWS1?bnF0+Z-f} zsd$s`q2dbIO{235z(6#vWya%0kPw=A7@h)g9O5D}ZxSl~m&W~ThmMY(E;A1L?&kTg z-ZTe#I&=GSmzN-wXGlCCVzVZ#HJu$sm*KGU zE1zDhpnM*sth%MKs+e>fnb+93o^r2(fI*O1?ZfwCgVApV-(iRWo0@k|dVO?@A<R0xliD;VfnpSI1ySZ~?EToh+huQLH(81ZY3u+vsP8N@a<{xy0 zf*JJljPXjLDH{csWI7LU~m?>JzMWBH*;7d>M)5l7KhmOCiRkwJJ-o{-qIyyRE zjTZEIC>#t|B99FAVerC?>9U0IQd%o7a(SUdw+Ir9$`_m?n0IHG8NVok9_QL6G43}2tf@8bvP!bdRqN~WF)Bhq|jp8k)uHaX)& zI48LuzG*Rfh$;okpyc2DQiE&sj#&D6JrCNJugguOk)KvJaM|3(d{7W2{Lnv0#_sH$ zt9CWA+wLiAKev#q7Uo=_{BPv)hw%usPz8n9t51^^fc8SOi|TxxmiCOjc;JM5)mnOlw+v;w z8{MaWBXs*Q>>Bcr|7`t9?9de(&r=23cipbY0je<=)5r~o}x4^omWR8-A4sGBo3Ze2{|dy?QGxP91v zqqOHDO&W_9L=0vVvp1Q|h_uIRCegJA;Apj3(XUAkKYaG*feIo`7Zw7odJS`Mbf1=S z;ZSQ)qxeV)i4Q@?o@;O|te$mJtB9$m&Y$`9MLwjnblaFD%#iy%6j{ry`C>RD z!U#0_-t4?4Q)UXN{psd#akTv{1w)DJN&1pRw^e@vOZJTdkU%~=`x&n%7MK|ROF6nH zm*=n}fkHL#XOT@Zx0uyyl~6Z9(&DRUeJj-Z{cr;B6n(TSH*H)Zxi1I#RMGdUozT@U z^KYVkcSF6x@|7M7wYBA(EhOOK7V740z|w(MW8o$^HVusqZ(B=b)Eld;=2>QjTQYdjuFK)=P3Rl zRgS^qx{bu-W@zJ|^9j+Qav)Ldy|~yYD*8QNpFisIGV%kiFM711^aMUx?+Jc`)+HGAe3j;u(&*0ifgv`c+ zJr?acyJc3z_XbuU!>=-WE5=D8S=yS$t5xwt?}5g)XoaDP-(=bTS`AUzSj0h*xw{grCpxEx$BuGW+zSwqAA^Bu_`(u#e_7l&8HHig* z^u4}?D;lXBU+oPFze@mEL}$6ZKX{b+a?bX`@9o9rS1hwik=J9Z+X6D#t={?<<1!xv zOmc1pd-aaY-vg6T@Yct&vSG8+XQe>4O*|w%r-i2!;&`lz{+xs;;CU-EV7cc}$nCd> zpdb9YEHoh~et!_HW-N(KtoJ5$8d9f-wCj39R!H;E6afKw9YcOZdXkWrD0oG=Z^u}e z6;py~yr1$#-e+CE+LKnc%*l8M3~P1Ab* z;}q&R=zuITwz0Loim?-^k9^iruaA_?pZNeoLQHIr;PzdsNAMJglK)daRx->C_T+&j z(LFK3E4C2B0~G~1(pViD!Yz#3dq&^`A+i?UYNYOHgWFYl7E_Gx^OuHBh5x+J^a*lF 
zpUk216Mx`r`Wl6`DfhL$k!o`-2N#_RL|2eU;eq<-YA0lF-!7dvi>zY)J0ZFT8rKx& zN*bYxv0Txrezup{4rd7C+i=xP1mB4SmviuguN8lN??HGkE#E;_Iy?t)VWc3i$K_Uo z%~jiZ)w~x3Abh#GxdthEVrJYh-+O1U!4XZIrh>0P3ezg39B@;uAYhc$;_dV6IWLUg zB(sTuY&~L$9}n_5W<0$uMhApw=<8G3)Qr-OQvWGeK}RS_ZNMLKKmX2*%Wv#n!?Dee zH#e?bOGKs0tjVm{i1>;mgqo^cmlX=nmEfTXVuWTH2l49cIFfZ+;EGtoj@8A>l{{`) zB}eO4{}hotpU5v3T+>R-Qo-5v#(C~hF0xJ|fl1I3#1o`fDUDft?QLdwKsNJFtV%&0a{vuIBm|=6M5tAoF zZZCIv7u;tL70SJfR!TPA4PE+8YlL3^F52}p!3WHY253gEQuXu~TNs^5y&O_j_pX@& zU|c{tRZJ_iF$GUy->8S%Dj{dS+_5P>+a2&!cX#_%ce{k;dMKHwIR}&dsECItsC&MR zocfL;RDw!T{H>5rRGcbQm=QN&>XhwCNstV#Y^;;)sNh=KwT0dko|3*gPKR5142?+W zs{T@}%e)K><&h_GprD)D(`U%7DvUR{f;^AMu>L)7bZ|8z2ivRbg|I)*wz%{KMBtB? z4g=ju@1B<9KAzDuHR)ehttt6U7jaRsswSNZ43?|EKr?k zF_Y91EN&%H&aS;duv~Yx%KC-ZUpZ>jCaKxTpp&co(V_leZz))yzkhN!i3*~{?`Ffi z;=^<4gt)D7V?T3;=+fA#6k28e6DJm$sC86Q;t~wCzvBqx*O!B3 zx5Jh_>Id<_qKthVmV0SI@xYJhj(F?}yLnkISOMzLkt77M-dFtbYV^=J*u2ES83#`3 z58OC$PCa-pt-mXVl;Gcyg7_}#LQrZCqT&6;nb0oAcVF`IOchzfR`mscxoEZDAK=_l z#R*N+J^7SLab<-|M7~8!MDz~9_5UyfOF5ct8K;Tz299>czJ+mv`nIYpyw2U|_Ls*E zh+Q4*zV8mCyIL^o@|_v)yDkbdd?RF02C{}oGLCj4#FtH%A$5LKZqX%6?tre6zN?&; zK-t5MN*BMjGDa!1R>8{rq-G#cwkml8J1jS*-a5h4(;$Hm*x0qwo{XW7$>* zh~G)`=`JsEi}iYYMS1z>mtDd1W^@k&zOslnYvGu5=(xiMj4EFXv_e_r@34$xk&7isXii4!qjbiyjj=gZwP8sC zDy`3m*wvn6R&?M!U-HP74<$&4B+C6J`p{M`!=ub%Dnb%z5%gDK#1JOcZrUS`;)gb+0xA zb~@{ERd>lLPU0=_Ch%u6sMEm>mzMRe1Nj z5^}3iK^G>NBu9Ux0Miersmb6K)Xliy9s_r3DnTFtcl3hdJJ%Y}0+aH?3b-kq#WyGr z@R9KB$vB$a$=@+6PdAei6o9=au& z6Q2CC)RxRuOQ|poq~-pZsx`6i9-2Zr#Mwx*2}hQGD?!A%)H_AVehf6_ zrkz?*V`Ko&vqD^p-RY6aPz1mhzL+OXcaV$oB_?Pa`!Se(_!qe`u2b}VYIod6!5 z3$5&?aGx-04_F5YKwUvahD%$BgdL{H@)a)pHWHVPf#Kn(N)ROdEq^4&LD%Y@T06~Gc&PD<&7w-n#S+Cxbh&WdrO z5|#8*&If%awA=&~9g0!(+JWmpr7=DdF`Yzc=M%?G#&+{uRHTy~rJqNqD9j=naXb?n z8;yk$0!6(E6d_kIV>gv|^R9H?A0`3YjHdFSUeRWpFtitDr?>1UJI%78n#6%2AfAXPLH71^7nnD+Ts`$#G&L%37uft~i4VPMIg});qp|D+>2As?RNvA_#kmSb3(m&By#E&T ztK_JiANh5V+TRUXC;w7t( zec}yz;ISJaRdHn!%q))zIkme*J1-K5-`|NB~x1oPN(51H$@7o8qR*d5!Luj43# 
zy1Slco=VT@%T}0A!8;3cxI7F_2z>jmXzU^VQ7)`RZ){L>OHCmQrCP3ZCf9qi-26NG zlSEb%_vkhZoyArCu&}Ja5(}KbZC3QTmDn&Noeq5C>^|}BO=ShOpvDpOE3wf@eHM(U zKb@s*n^1Orf0^h%M&MNnVGdhV?7GDT#x=QigH_Gv`|Q!%67WOolcdRa73J#Y=g%*G zX>2<-6qTRuAw__g4OP5+1gJ7`;(4|Z8%0=`ijZS(XR$?|_@@4VLMvTes~R7S9?1yS zcJ5QHXV1(&F4ZaARV*0)qr*7LHo`k6fT<1r=3zP#_u2|k&yV2`XU%_VO3Yxw zSJlMCN$4$jPhp&JUn@#e*?&c~OTJZR>$yQDS&xioI+4tayg1L}1k!xoBs9=kd_CeP z8ldRpmwrp~)tr=e#2XTOkB-!fP20X~ zCB}PAx@>TUAMqB@=ob+2!}_DwP;`#fDDjuZ$QaH{DeAl;--WJw;K`aq22XXMR{MfA z>Mv*3{peA=73F0a(3tMa3{k5Gy%-+tgI( z>#lzMm2Z;Xe9oBOw2lAuYSXYMVdk$)$4ujTXGi;_kz+Ttt|)SkpEZY`SeI`FuvypK zTXJ=>c4R>fy+A5`r}<5=%9fZb8Xv~9yD;wY*JGUx*9ZgZY|Z(Pg-APe|?21M&^;niDzK4n60*?$i~b&;heL zAzOAe(}-k^on0rWK|-f!x2s?4yHNAM(3vi0-b6tJj0181r|B*UX$7jxj>MbX@bGhdzl zh||aN;?l)SC0&gGtFlQhC170-VC_j!3Qu_7_iR%t9DGE$f0)|d1|kk+=RO_^74Y=L zL$PWVxm2F6{3hK(H7A?F;1BD^wU3cbthb|~qzS#xqG`XwnP^@gVkpHgljo%0@TR`| zPB~d1a(M#cFE?8ymeAa(IsAGg5+RK{4!kezLZPz>H)Frploqv3zia=jENfanZWA$d zaS?GVEcaEvF7iB{%%rCSt+y9@#WZZ;2z>DNu&j_NDn|9A+v9)S&?h)cY;8wT`KSQA zD@e=MU+o^|%N9MKqenRe*DA{0MKf~`?9OJF!uvdd?w&*^3v>s7KVT(ka<(Ev+}EaJ zA*-dH(=Q-Q1tF^Zwza;z*MIoAslxY@iwsVj#9rr(^RtXH!ei0*&@mUeJ3DNw;It1h z>BQE@U42Fi6-;WnYe#8qyI+h?EcXW#9#R~!}eMh$(>2~S?j#5NSWFlSM zM|4Vj&(3aPYINd<9iy)}F)~VefF8VHHsOum{Gvc;<_%#2)Pw6VdL5;ns@TLq}OagaXm*9exm%e?ek^qS#tn(xUe})O;M!_tb*|Q0U0G(O}Zw$Bu zXte#iM6Uldp4m%{t&fW@KR|JhWGhp>NF(bPR1Wmxh;`1NW9g0_+jg)y=c|9v~Am1YHt}{-C zDT~|A&CY{2stIRJLg@#&v}dL;Zh0X%t5A8e;r((e(iGOMKoT|wsCEQM$pV)^aB{*< z=-_TF?1K)8kg>YV{2i7%#NqjJhFl6DhT5kRQ`DcT#nQT><*n#N-vd*W`u}>JR`PIG zmm@q5H4P6d2+Tnr*+1VXneu!%MIk)l@IQ7GxV2bdqY%!5(jJ{xybv&^HEoh;ax?Wf z?q!GTQ~){OeOwN;Rt+3(g@0@0KSZG_f>-$a`&fR*3aBg79HqFt3hjTpYrwDrUCFRn^%`~*XIAwE;sZyM zLJPR-$GZFvqBpb<;I}`=13UR6HiGm&AJ{sa9Mj)HI*KVxJA;Xl1R-pNR=J!wh#KMp z*$2`831NjmTE^pH@Ow@xPD{YaG~z)45!fIMvOfDku*+a{^yh^<;U2jE8)Lv48iD1s zRj(kqYSJpcJ*(k&|J^%uoS9GWh@_3fBr9Y=KI^BDCI)vrGz$Xu(Sj_D3jMbu3puj0`q{RfL4-+9oPG#l z5o?EGs7ZLul?ukl_U^>DNwKA+ z|ev3GYdIlQ0EH zqY_0{^0AV$_-*wuL7%9I#O}H3Z0Qr 
zPs0C=*Z^sZEr^$Hl?k+BK;2?F0SC0>hE#!iR1%@$0VE9)>K}?Cd$1 zZIZETW_T^zA0pi&?{Rx5t#+6rer7pw8Bo@L@0pK4*$d+%9(}an*S}M^%j)=51!@F~ zhA=(7io_flYV}w6J6?7LkWV(I8utQh*wkFObC@;44ZY(Ff)-l?z(CGy$yvKLefjdG ziNwmc(((4@+Mk+(F9&Mv#xc?u74?K@BEmob4d13d;CSE=;Vc4Vwe+!KB~K7f?DEBq z-RT%HTVr1wIQ-3xYjLt73({%(`nT&LacW3MJ=SiW7}nG6Sj`|a3;Jxa_v-7OHXrJE z58rq<^EDcV*AEkT375&ybYadnekS;WSL-ZEe-ld+sZmdOa)G}_cg3+^QubSbFM}k_ z$}l`|J|&y)lo9Dny;9LcwXTf7{~qP$Ne0U(pZ#9z6tr5sphn7ZUT7AuEGj7YP{ade z0HcRQ%y#7c&mTX2%*@P8Oo;II3`bH(BK>aJkk+Bxx(k~s4ZIY0PG zoS*#BawuJ=@k)}(@3^kg4K~N!=x}lh;~)=GY&68C8PZ=SiQ(sLiC8YUq0{&S^BSRo2Dk$O^;TTi4>Vbr+y@J+9y?;#r=a}Jc$=9S=e zM^fv}`}d3miFtW>fBw8wB5ln_+me$xSurU3uD1@zM%MK#PLcOk@4_RNo`UzYCu~Qe zUY(p)_ung5P_^=~;R#F*N-5L9^np(i8d6 zV;cp5M9k7!V#ZpYMLmcAJtLd4AT#eYrZ23|`5`v8G^~&S9=;Z8OGgBcPh=aH^pFM&idP~K``F@Uh9KYYNF&$nHq{8&Qcn0OZHWR3= z^x1Eh!)L+ax~ems>b>qU6QMB%Pe-CiA*&{5JM&TbvxFkWJJ|tuepc3GI3}xfBF&hNrO{Ah5<4B=TjA1N2|`lJk~xc_0e%eTtvNncFBZZXsOnHbH4pz zK8m{-44wM3S-S$*fB!NjwSBaE5nFp1rt4n8H`0LW_lPF>@|^Gl$;9;N6Iv!u6MAn2 ztsrO9oBH5`1qEWqey^!iC#cV*kzwoh_$DcguG~M*b=yk`Vf6JY_`a-tX}q|QhgSJ_ z4!5=flcV_y(UI!cDhW?41g}NS-w@rCmth?QVDul8lMw=HZ&?Vey54e3?7*NtAh}pb zb!KZ%IrAX_D%NLwCvx=N7HSL>MzpIx0^d{{4^WcBe-`SdJ;wNo)3Qxlg`Y-p()iU< z=7S=AcD<%M;61Kb`92G^tt}-f*7-Nrt>w>SLdU5)mP)k{@qrb`HGy@eTYWEH8pWE5 z#eT55j_wG2(FPY1qa;2^DL?3%i8>5(uI~6-J#n%*$X6l6GPk?NVxYSE)LegF>fp0e zCav=q42B&6Y_{J#C~RX^=%bZ3uT*c;oYRMc1BZz1D*L(wcN%OguD$Rozb@<75K89X zduu61cD>s4CcT>~HZp+U0ilR^yUrV#{Cj%w=7ZsT@7W7>2lLlh0!h5pkZq9nrc$a zPdYi`F7JOUavfsrc%KBv)nc(hn}pA4DU~RW1YhjGdMh#$L0se(*v*u~$Q&m?u57fAkLygbbSk+eb=QGPySqFC=*woBr4hLccTDuq7nqLgl=`EN6 zkw(@d_fDmz^R;BHLvdfBrhRO~ak#r)6y)PiK4O$e*MgMevna17cXs3wNiSJgz7q{I z)>9tl*uG^;HvK;&k7EuTQED4ij+A3Y;vhHsyMu})9b8~ctmpDxHAFYlee4M+lSx71 z=rOFeys2C1-zW8d!a7*JUXkx}RtF=svFAo2E_V*w{X3&VrKJ^dM{M8! 
z18Zd?^Zs;L_UW`v`s9J+(=Lmfqb<@g+Kz8M2?>5UMT%joaU(PqY2?TG!s1AjjqV|@ zN!Hb#e|PPhcjC9VC63oCVoHj+jG<0Qujoc_T50eU+W5k#&#{6y{w-u+1Sw+v{gI>3 zdDH{#i#RhX7@%u~-ikl;=)`S1nMl@RN!~YUrqT4(wKKWZ)si|c5^sUK*yDjOD*DxY> zOEglOT!DbXy<)IPE!H`1@)scT^3XrN@onmQ?NzuJWr31JK%@~^LG4#LApUf;*UVb( zMar{}-(XXjkOV;#8r~IJEPstXaZ;@DW!#fj&6XcJRJ({yr7YHosxVDRI$3r*_-TZZ zGeh+jPu5pc`#T)guTSFSCu45jM+z4$x===a$`j(taxtfGbFShjvD{{Z-UgYq~YZ*Rj5(A z5~5U$E67wD4lx~`-nceJkibZU6O_jNL!XAm+wbGN3%?)DoO5&(-o`%?_~-Bwxz)ob zLsI!cr)mA(|MrSeDv2p@2-p3&3B72D#=EF$@o4Z#vwx^+zMR?myq_M2t9v(5GeLM< zf)W-RKyNZb^@#J|!p5p&{VwY8q^4Z*VEoucg>{fB2BJ|IRqe`-Jc_?CLWm?=%pa=u z)0iE;SJ|d-L6K@a2j48M!z}8q2C>_#)u8Fia{Vv#sV^UWoAxu<>(wK63gCFc$I8ko z%0~`c@R~{zH#_{1#VaNz@N?XM_*)SX6!FIix~jKP(%8$~X0juu=f3$FZ+5!l_*)?4 zng2o0>b36rm12vf)!}T8q4-H=Xx?BOt9P^Yi&^tri+hPSyu?2~VPL zKeWPhlqnxg#WLPbe~;gkFS?K1mv2|52=biW(tmr8RWT6``QUFcK+o_0;$)pZDXN-) z)W$`ab#SwWv`~vwvEYP#LfNZ(Eu(@mv0msp1_ znbSr01Abj9*ek00WYjBcY82%qSFsQz#qg``imxWnN9XA3FU*gIKJkhTMY9e5eC!XE z+fNUTLNXbUzI!_0F0J9k;O(iiD05IjZs@dg-PpRS4lSY>eAeZg)+1r_)$S;Fkqh;v zG-yVJh39ERoR@@d=K^gMp2twIrBjW>CJc5xTvIdLaPKN)cbWU@il*Ii08gpnhq=86 zWurJM;inMi_umZC7c#A>H}mYS%{;I__g5zVsUuhHoG8Sc=l;ytxxBUPyk^$PAB!y_ zKfQ(dSGIjtVH(k0-;_uW`(`}uaUeWw4}DkXWM~H6)`yZ7>w~+#N5n+?ekMoeyzBBr zs`-){JIK|0DP?->EbPn5!0p-2WoM%zv96l-s6vtJkIPcq(S3F~z!F00XsUM5# zorfb$4W!U7oJ;QCkBoR2>6%@?X?jIO}fqwMX2Z0MLpn!B0}t= zAh}Vj52}(j{Uxp%+P2>wb_uoJ?6+PuD4WSVU}#Bm`_pjQ*;)k<8Jy7^wuRvQt>Wp= z661^D_$){1=viqKtfF_kF*O{l@hv#AqCUW8k2=}L&pBJ{Lv~uWSdd=Cd=V4z4H?f5 zjK^7F=cH0M9$QDYLzF*J8CIxQxkP3!?UgMB=NO6mB%cz~5imAGzUX)%mt9=|VVMU) z4lD7a?zuHZsDe@b?CXoS?jDD9h>f*Z z?PAnAN8*Wxqy>u!gvZFu=Y+-#Xs#%}W;SLYArn&@4ZEpK?BxE;^JJa)^fSS3-S^oP zCGogQ>KI)52b#(yQIG+Fdj?=e6W`6~7pB6NGLYLt0pd5R!Y3_98B9KdY4vaJQ6BIi zDwmma_TwnT49cIq3&elg6^e=fP!`G_x-#jo_|f16N$)( zbPEilzlb2pK=>lo)a)!=%&SlV3RRN3j^;^qrl@X}@8K^E`2OIt({P-EcCm7gL{apM z7nz=dF)!*}nO~pxtaYk9PJI<6Ls|*3rC+_am|ye#Y+Q~y&XV#H%_7Z|lN|pQHBoJJ z+hN2RC7KobW;eT7UZ0}dL9o!w+P3%S--lmiGf&@Sws$yL(FRge#~uWtHhVGJd{^UV 
zf<=yHe2xlDi=xoHSkek(4azqZC5<5Lv^WYUBqinIDS}NPX*kR?xKIoIp{PUXmig>Y z5O}8CkMT<^Ys)y_QYA--Eyb7%Ea5kae(M;9fZi?2IfCZ8=%ySo(0kPPx36I&rev1F%I2ywREgXjTtUCCb2McB zE-ybcpO%)S*zio15}_cxyg4xhFQ?v(tB)dBOw|0znVq7BR8Hty5@3PH7yDyf71>80 z`tHHxrDYdd_YV1MHnV$H&zmZy@U%o z?QvN8HrCfcjJ&eE{0QI5%+eBdew}xzP7!?f-AJj0rmY`cvX@7b`_`!R>0x#%-;Ku`MIJvVT01QgP5>`*&S-O_FA06rmv{}_{yxutz4k1*$(J1 z6Qw|*@jz1YaC0((P}Im{TRxL2^pVW+#zwOuGk_@WxpvBfuM6g(L}(ljaJ=Vpe|vxl zEBZMat$^;PKrrxP_5wlR`r()zLwY|e^O!vd=IMEz*;86tdFA0v<>oz;q87|`w@9rm zh^;#<$F~%?Su{rk03tzfInskcL))QvMUzd% zi~P-PIJ(ZK?xL;^>A_Rw|1sBxc1IbwVMQyuxnG;)OV5)pv?|;K<(HVL5^{+KG zdqzvFi=DX6H_S-Aga+;9oVUxM^J{Cz z`ls&T-@nqr!hgoctK1LY`bC1qVUy=!lSg47A!d?tvEMYDORAO&ylLP%AA8lTO!jhD zc2;1H=AxZHiz-SvT516-Td2IK2OSF?qJNzPV!l@a^Q`h@lMT^2G0a2Su-D{TTOO=Q zSTh^>PWe>&sO`*z@NbNktS)D#Zmg}rBQAAaGvkde_l*=oACVWx4kcKmj7%8|t1 zn>z6AMC%jS4>%caRkucTf}L_q#( zUscU@>@{sU)z}9@9&@dI)6>G3mx*s9E-GLzHj~UD9H***F-FW|Lqh{YLmez|<&{)+ z43m^S1%lw)EX&0-i@v_z<$>L0X;sy2UGtt4X{9@|M|I@LtFCWcvd3))>)0s$>fcgtdrk{e7k9}Ym9If{4`1+?oo6~+_dcKKvhb+!1kS2x{sESF}RR*m_0!R0FC(%WQMVKv*pNvp4%*&dP#>^qx}Nd-o4|u=Rh(`66Ck}r^lFnvc;hsMO53j_^lC; z8gq?0-N}!!`6e3FHI=>ZV(8JR79s1ulXrQNHw@3nCfbeliiI{c|(?}HCX5C_)d;(e|!n8Ocf|?becOo?N8u*wcQlz<>JgnEhL(T{B0WN2WK`%_L@@b zmhjtvINm;;yuA3KUk3epb%I^z0;KA2iS3V-9wjS9_DIww-;CcLZ;c-^S zlu7Pm`L5vLLDThcB$Gd(jGjSARj%g`69F%`J=9XDw}uy$g#vjCBOi|nL`T4>And}@ zVXd7nRH%ro`r%=WqO*6h<**c;@nP^`<1E5(7;)=I9Bp(JL9m98XrKvh(wMz#ENyBS zY{>*WsrgOeWC{?{nZ~z!;;A=`_aDGN$aXk;?9H~-%b}sI7Q||;TgEOllR?UBmEJ-- zTb4T{kZTpg2j_jd0@Qg_WE_+dua)8S8eoi+;2_*7;`c&==&2~qCZ$9;4Avn8F~1WA zBO;7GR6prA5=km1Bs^veJk~GIPgeMJaf9#IRGHUl*|8W?lqTrn>DL9!{fdUE72?Rb z5E0LRH@i7>ynRKydP6tIvoHTuyg;HRRr#9ztENz9FA_@iCDk{3rv{*pSg_^mq?@!I zrRw1U)Y}(SNM@!c!NIMw)|cWCyOM3LFnH?CQ(+Si#|D$mri_8qR?V3fRgr&jfB(E$ zX``0YlZogcb84qo-c`dfWCEg^8-~W5bs<97FI6tj_QA|(MSASvw?av_ctjJG_M<^S z(Qgt0NP0=YY4&aT?aw^W`R5oJ6p86B6i4KtA;)mabGFk-^r z#bH?M^v88FG%{4QU?ts3{xqWUrgZ(~g}pwjy|N9yMtm6T$g%}vGJ7s1laMyK!Oke& 
zKH15`v=LvYE*lY8g%mB8AZ4*7<1}#3YC26M{8aZ=uUNGiEwu=R-j{gN62XnZ!4CR1 z@Cpb#OY^ardg^Clvo+01%USmfK_y7Zh;aFtA9c@J6MnB1j%EYNb@i+BTzSUC_{v_7 zzXuD}2g3ZD!5|AXg!}lgW6)Y8cih${UEO0rHnBX^f>(rUa!@)2YwS&-xquJ z^_YVla%x!beLF8d6R;U2aW$}!dkgn*3@6BIePGMXG(Y?3fvAbl5jK%gs+ZoWBC@&5 zQmWe=AIFxlb{?@GvN$Sk2$^?b|A*2KH$}l(@x|M2*QVg@ zWECmdD*wyEw@@HHQP}Vs$K=6~M;E;!4}QBOi8@zS@iZ8ZAn6XFkw;l^A+XwQDd68f zpl7k6F9wZmg3K>Pl_i(Vh20qHDSu^Z%J7dIfJza40mK06G;vzdVo!UGZ3*I}1-uij zoa^1vPVCM<0~v@`MgLU@wL);;J3?&Wr{!uC!-u(60U1t6)}CtMByupCl3x|7(hyC{ zu*;@0?~I5xi-M!~uvK_AcO14V%6|nZFeuD0)oW0?-B5tYzj<**JSrJ%O`@L@=%}R+ zvXyW%{);;s?05ifBQ`O{84>rK1@Yvyi2^kGrX@aAl~YvWYT_G=sn-0!0L)^5e4GGgTxL+^qc{DVvA4Z7NWfpPa%ATjpUhx8vHw`{Jo0f zn_|OYTwcc8YauBKVW>h!>syF8R*a*C7tOp5ltduu$F2Y^uGT;yBIw4*Go8YP2XxJInSG4F17>ns}@G| z&~_d;`o5RJ#W0%+fG@tq{_j3Mu(!di;KbkuTly3TK3%NK@orH(*svXm*xGZ!#OdNP zhpOD1r;M`t?{=sa(HWsIP0d$u$kl&>jRQQ-b1?B;D>cNnYz1-lL4 z2BAkMU_yXg@5MR`<%b&I)q8u#THoOP~sq}o-!F&+4;pBQ&_(^3E4G=dLvhk5I?LI6j?XY*&;U<>!{ zPx@!kfO!^(pAiiMLj zRzf)OQR`*OTd&A9Tb{qml%+Wr_hU1E-5vsaQ8|stwlJvvc^8g0=u(C+KLx-k(Lae^ z44!|9Jk_&_IOr26{jRQ+F|q5mdub+3(v*1Ee?qAVOdX$OUR{CHbp}ycg+kn=IrdLo zkFRIXu#R=`L~W3si_+PKTQuh<2(q5`nOZj#yu9^5@RKdJxZ{yN#5_QiO=V|j9;|8c zkL%Mzn#Z;C?`fnYtf!0ARmFr28c>CK$D*QrtU{2Pi5?zlCEiX>CsKdTN##09vWQj=)`w9 z{9>xBCxo5Q4vHvFe0%^w9JOkMZw>cEfenRVCgv)aVbx!X;cwARE?Qr8SGe|X6u~=U zn=)24;^%#(11mhXty?Sp7D<0rVobXLXIts1BG`%#+LodK1=lZ)&9R1_CU%Frp&fS##<0A`%3M8wBKN!}@RaNEkDCt3@W96FKNw1)*)Ec1 zGFx<`R807LD9rM`hj1(}j(b5!vJ-188_B2>s#A>y0pQCIN38(9Oxf{idQX#^T(Wii zCCAY6x0@uiJ(qgCNM_S(+5VCa;(wf(ZNdIQz(FAO2o()P6`8%YF5zksPgEcY#?yUQ zk$L2gqqZ4bvz+%#P4`k0|2uYrCnJLHkPa&)eYBn$DW@xyXx8j@@lNve3db8Y|L>#eBml2-|M_M zGX_1p6p&0=c7G~hOLR*UKp|nGsxy@du4oQG{fXy{iChg1N zwnCskjJ!y<3Z2=XfW*D3Qo_UbW7RpvsSe6t2TBrE)>^wUTNtn z&#JcWt1f}7gFoE2n`jR=#w$SOy3Jc`X_#FKd!Tl_LbudzC*c*CMJ(C82|73a0XWxi z^E0586UN4naIGvYU1x+2uwG@~SH~A4LgRGGd~?ZV&DO}}WNvk+Y^-!utXfoHv)X6S z{R|krqoS*=`Um1OsT8Ohqvyh6`Zb%_eAci)n43*>I&rojW;arpRa8W|K3?Hm13(yh 
z1_ppg*V8d8w+YX)V$>9ZWL+WG243ytvufe|1B3uPZ3K1y&@{fMY9q)sXRxcn`st|w zc64J@WV1Tu_;S`b0o6Z*9SDrP3cxCU2W(xQrgA@883z6S02-b5d*%C8(xh}(zwE92 zEEsMH`zai+DB8g3Dd9{%bp2iLL~v+1B>fjCoJDj9VLDHTF|I?>7Z;od8OQK`ESj|YK@HZ#+d&NTI8bS zr0c5wWU!m(!P*E{ip$Jl^`Z0}4QOsXH&uzM$1!zaBUxZyGw+c;9BYVL^P2J@>TNgx z2;*JZ0NXt_)wGuC{TudFCk+9s8fM8n zUi~?`%>M~e=H<~G*+z#pSTaV93M$|6;e-I3a0$o zqSpoO>A?mTbm){=O!6IN@IS5gJT-Kgz9u}e9qxR#6)4NZz)-&oveFC`p4wd#Hvbi= zVA$6qL~l_TGzHgt#G7p!V*48B1`d;HiOhpzK9bk@Blb#;e6={M@CGQsm%;>BnxB5_ zj!Jk9!#x!BF(1`Cwo3(8TVA;kM;gTbPhSQiwEIA_;&uyBEp-c_7lY~-Ih>H8MVuUx z?QzK()}v;;UNYaEpQ@ANui4uHhANAl2}RaJKjRJEtbigJ#Q}yFs^IACyg6P`R#a33 ze8$0;vz+t>K0)ttX<{anDVD+qV%GVP^IX<;> z5hVs%Sa1!GWNd%(6H?46aqZ3j8_X1OwJfi6H9HXVSt~I+TivRn{e$k(ir=F^=D0Z` z_y9vn8Vksl=x5P07I&7Jm>#Q)R9PQdWha*c#kyHU>iL=lKrznrCr`9Prx@8Tw`DI{ z{^q>6Tm`e``}3TOQ?JX-Gp9TonYMtquZ3KWm|QNJy%r{fI2~EdkeQ^dsCA_Ljl{_I zuriZAmsB+YR;S}CXv>}de_1YYUYUK%qpNJ4oysN$WN#q|2T=EWWg|gfC^M=`o~%9A zFYJ?>AGW6IR6$P*kaCTKwW z*HqxXO=h7r1%3Q~Bi9Ep{{%6gh#x=|zR~YkF|dL!TUA&96k>gM|T z>hkjVuXh8$;6A3TdVfx=a+>UGx!3v-a=nc!bq#D3tE+OB$BkSv@36LI0L)wsm)tlC zsX4mQNR7;(UEw0FRa~G{>G*!<`xg7E4T1~2)0r89ztOO~(Z7Q~#JO=UHC+;-Z4iWU*cb`!vV zoX70v$UIONu(2^xW_L-B+|sl|?j}abmA)PSZPE|`dSU>#aM_(!Hl@3;=!>Dt6Qi$1 zno`?vkF(LC>Qajy=IU=BJ?dGKEyP&|pZmFu2Y-0=L$l2t2FOpG#6I21Ikmf&Zwa%> zBwxP4BV_vPee*YtR0(9Xb5RBGmLJi0cWnVo&un=W@y#G%A< z)oB!v6MaFuI!8eG4dnN$H3elhrRM3F!aEBuP?@e|&3TuWn0Uy0~M z&Trr0W*@=c|0f;DN`ScJn2e09dSZ8>r8z&PON#ef5LWwW4p_;m8U&4tqyNKd~o1}pIp{(YmPD@by_Vsfq{#E1K6zK)26w2E>%x2U_m z^N6l=cWNM55Z2P*#0#f-36U8;;yE>c(VUn>?X-x1C-?yE#GkRRl?}~*+#EOg9q^+; zlIeFJVs2{)FBgNO`zv6qn7tEc1R>#oNAw&?W8_M-QlvVY)#D&Z`8k(N@(baIBJ)_(86Tu^-=hSHB@O93n@Bc#U>|T(k0-ob<<~VU8s5(EB$XJ#)4g zagN$vhZyzF@+^@vax4Ltu-4c41|#oH^j4>5B+55&OGkhoUl=V>WLLAGH{si;AB_{( z=`SpIg>*IG$5-J9D@Mv|l$XDFEErWN2}ghF1Bp(LJUVknnN3BOjbv9j)-KKu_Uf_S zy-}*DSpZE8;7k)7Vefx|ddddhzX_|Z4pyLho;P6f6Q4z~<^+W>-`KHc`Bux}o+?mPnd8x~l5 zWMZ5^r-k>}`{NPupq_hcioP!_EKFoM3nV-leLZ0_eoF=TeWqoqnKp3UHdG;R80>UZ 
zQ4w9WY`1q$9=)gk`=maRYnj{gl06K@njzrsvc`3=Rp#<&NnJkipP@n1VW)4qGE+=DbRdoINJv92#Db0ZyQQ57El{LENhBL9m8 zqp8lX*$fs{9@thITn`vA$2*bG z6i)AoaSyw1`aBqxGlMGpFwIscS)yu6gsAe%FAi zv(xSio<5^7<$%o5l<%(x#kROek79v`KO(HB6UoJUy`Iu5U?_Jp>Qqe$Va}^M1ny3J zx$S)P7D1fTK6DMt(ok9tU*D>Bhu}K-lHYw6;8prOj z=QB|scbk4M-f&|<zPmJG&Zr^hLGJ6?k~dEoh_xVAk$vP576GKp=%b zSV+CXyJ2311cmGwVa&ydt?8O4U*~j+)AvY;(7`r)#!|p4Tve7^)=S}8;7h`rkFxjQ zzxL>?R(<#>_35;IF2Q1nc^Zp#GoKeviz%)p&Wo9NpAS1Kf{b744LjSa=$cIh1Mq)I zjS<{LO;w5$-0+@@9?UhlIbHlIFlNf$=2d7G)r2&kuXOn@7hwU`xH-9-Q}#UMWT6GB zI4KWom{!T)vI;Z7TY|@bQXHeRsMJ2e4aw6%Yn3{(X)T<^CELFRZrO%U<4l#z2KVAjTso*m$H8cP5Fv)mUiit_gUANbIdut(Lfn9sc8!AF_Zx}9nW1EM0o_xAJV;d${ z;8I#3U~{6E`tGCjOV-z0?+Xve7+nRp{KER#Y4Bkyjq0u8ZS}=cBIJjMlmG)`u@ycu zX!`PFaro^WzL80&(@ga{%9ztUg8aI%`5FQ57bX_dCHC`;DQmO=ErJk9zr%r^AP#wm zzx6I{$cHZjewuvzMfJ21RFi^mD)gFo`z!qa@erQOTc%Ra&X62mFUo@=LMfhXysS>` zYof99uy_l{mHZZ%;K{X6fQoi!y)QHmN6YHJJgI;s>f2!_oEB3K+>ATCzh4KJrQKguU+*qX!i z!2au#AdJ1)v)UaG){R{`8YlUV*VD|gt)&iwt8p2qoL8(JPG}|<7vb!{5dVAxvPo|K!$zf{|YB(VJ9luZAG$ zawEC`Q+ort*EZ2(cYJW2Fb>wc&cAkOBmVdSVrGQYTfN%D24|AxcYpVo(8sWd=KMgr z%3&NYzMmBQ0Yss5oQ4MqM5Cq(RQdSZGdA;3lBtI_Cpj_n+(3P^8;#nrISpgf0})h} zry|xMdHv9->s-(4EnFE?USB>mIw`b|b`5Kcm}_~eHTH}LlJIKTSGMcPkHWFNOTAEa z?l*1mZ_z*gJ~>OLWRsxFZ!;JHw4n;s2X^wk&1N%IP2VUw3Q?_>W_)Y&cn$@TT?VX+ zbKWm?e2o-}t;8ejUVMrXh`3#kH<~vPj4VF?TwrzM;Vj)-<6(Ojg_PT=oYjwf5()@A zWRYqF=cV;)0tZK`t>2{xD+;%Lhw3S}w`}%yoIlOJf9I`4^Tv(E4!+_mk2a@4TwrGg z^1MpVzmWaNDJvbXE;|2N^?q|b<*>xZ22L*?S*;pf?H?TmGuM@YM12FBwtubH^)fF3 z1<8BQJ(m@Drs@@}2&uj;5nZTCFpMQiGkyOC$DQ9)&e~+Fm#TH5c^z`_%E564t~(qO zF&uK%z#Q>GlwpK=G|5DgP0#HAJQ?0Ep(Oh4{+f(iKj;%nz0K~rhOo*;pFyQ3=xdDq zD49Yua{Y{yMg$4}&(m=_)8_eewWpw6h;6V(JU1zVJeoa+;*_M@z&;uyJMJ<*dcY_L zx2mwVJFOajU-NmFFE|3GtP->v6pd2a&Ll^&rmgHyGmav@t*DBHKb#cwzr`Z0 z&H0*~h&h&*gY5$TwW;stmZwTzVF9~i-02sdJySbSd2hHuQqElQLig$gm5Z=->;9yB zuTfu2MzGuH*QfNzG*1G z3F4;Syb7J~g9#PawIcn?;8WR4u8%3 zzenm%^wmo`<2XvdO)O2>o_Lso=UX-PjKGW-1~tI}+LbV`6$H z7U^Fx4)uUDu9iIvkrTiVcqi)RM2P({L-nWLs 
z-M^7NUixFcd;EvZU;ursjwB8bL+X1T8PnG4&%KOy~2;MdNc7AQ+ zuh$x?sU#Z|g69o}l?vQ$Fk02M?1X<{y<}xF{UzouZo)yzdeq9C>*tI6)FfH^DMRRV zISv^&eE~gh;+ad*_2*wM4?j$hZOqgE@NVXF9DPo~FI92RSHvtH^24?A{jD!e`T0?= z#EXj`E^Y6c3hDK@*rnCTSNdFZ5ixaZLXAb$n4L27MYS)7JFtvZ-|7>Y3?xM}_(QKp zv=_SC)94Fn`(Lc7m-6e?8uN&_2XcFDqfng$iv6JZW8B=``(Af7qFyB$r#CqV zw{HK3Q~=+Jw{*7=8(kqVA|j%INST1>%;-#X-!Xxkn;T%*dySuf6ISCfxx;neU{F+z zpV+A3K@}Ag{U0k$08+a7FI`udfFp=0swY6ZYfzJZ6lTZ<;W&SXmdT8`>Ng2=OGg)n zHUGdDSDGD01_lkO?Zy~QnPULAonvdxu|tOLw!l+C>24^uOqhTYKHpOuoG&kx;g6oB zdIO1gqsspnbOvtB8j7vG4Y1!rm^&(PS=2`lA6kZ1=G8&zGRr>9u|;PMXoJfFFq4!& zlmK38;zz!lsC12g>Co1lED5X{$brHXU4H_oQc#cbAF>@Tg4yGQG+q4m*l`bB=S9!) zM%Dp{%`ZC@c~Vt#IYI8ZB!{90FA6Xpt1BxH08U<0ZVkGndR+jN7$8GL(!R^&Ir+%o z|3_8;z>F^hcDv(+8Q@TaF^*qAN}4Vh4m+1ycIT4z^lW9S%Cg%AvVJC}lM*BMS$SH+ zJzB4ATDh#$$IHvhBNfj4Uc%QBLG?a-HYW9K4nWYeUeIg3qHB=<^9F#p{bXpK7c-_E z43pTz0EK2vQ%-gn5I^7EbXh!Dm!yya=uTk7Rkz-?ks<(9FK_yY0h!$2Ro%%a4PytGG0e+=hM4|k;CqbHPL{PvUh`hnuh?0HZ4;0PL zn}#0nOVDWbIHAWQz%Fx6g_G}*?qpwIohZYs`rYd|PDj6{;DBjy9R75D9;#w4PCyhu z7G?V1yc2nV+0qn)Vx;tgVUh!=e(75XK(MGlRVKfp?h6Q@a{KM{5)X&UF(&vG%qhyA^Z}(SPEWhg`eo1MSx;M9-J|N{{(*sA zpi#g%fKSyIpMNWW#<3Sc-m> z8b^a=)g^Y5GKAEQuQq}5wKoFC7xhu27T$)-(bmYpvpS-Hc>7oOo?XtGkH`Zo-9pF( z%pl*;;ztjXv~*jP&izMknerK_cg82mVY?XPDA5QLzt(P3$ThNx2a-$`YrlWJ){jm0 zFM7u@#XrIspK!IOgFo`-UIx_}rpHldfCme4(7c5xWdow+_!poYAs23_*_NgWHHkTy6huK2w-j=(DOm&bwu z+MN)T2tAy9_*oP1u)UD7pHWE4V8r)7rbY`Xl=J(jMaDuOW^v1n*ff->LQs~X$#wA=Qa?2TarQu90*`oDP*q}g)p<*QaVu5@3yi6By_ac zYM|!4?DAkbkVU~w`KD@mRHA0B%JKDJJM@%|1)I-$7*xgS9(t$zLuKluB9$?h4k4=k zp_B9zbvSExbCGF$1Ppmj^Al49f~PKI$$e80+U@;1-Ke-y!vi8f#71(=zl8-9@1J4^ zQ(i^LUWjXum4^twOn>28Stk(Q67+bep#Hp0s^xvWxNpK|#<$LN-IAM?y^`wT)69nM z>m^5PfuL3_LAZqyLHHh+8rbd3?gBC7@3lhz)Qdd{07B;f$vv zpRiO#Wt8DwtwR*I+!&mio7(gs$74pH!cSCkT_@>Jvkn~h3ss>pr9T1bfpr?F^vd>M zTXrcZH^mfDF3c4}LC!1v1d%SG~p{d#Sf>- z@a)n`f=_3UNof}E!Qt%^0jNUsKNv057j(avTly)e|8PItU}R!C z>$H%0KWdddjyzo_m)`3I#wV4Yrw5=Gglh4$Yx1lM(8n@|WAAHD{^o7fP^7!vD@Yl$ zJB$WL>7x`-##wYVxW@ 
z7Ny0+JT0YY968rTy`UBC4}m(J#NxCVr{u4bm>b@fDNF@kJo6XfK1Q;e#P-Tb?R=>Y z{I~+7LvM?=*PO&`UguLkUSc@^R`;zu-iBXM;q1K5XGwWT=FN6_s(Sw4$Byf@Na5kl zZRCm7Iub9A!A&Ujwy+D2Y_w7IIMY~g@4WpjeMV7WT)>0les+It!+#z9Ax`q!e#1gn zq8#`95GjKEb?LV=_0mKuF`q&_IE~;NW>G31e`|XP4dUdYFws1yNcV_ul+Esx!shI(e$1)d#0GlsH^03 zoB4DdV~;A~_HgV57MFEznYA)M6Ooc%Q1L#x-W17~fgY&;yV(+Zd_ zsVg*$inH0>baS9xASX!r9MWi9b5CEu4sVg&=A_=Mi%AncT>%5(GaVw5Kicem zwBQN(?FWAb28sX~IY)-9pk+XD$exb$YzZdRO(Qn!<Ok@ts9RV;vdp^E8Dnwzfb3~$rQpWzu)9an|zI;0o^g{ zjU7)+N{#vTq(&>r{i>4E+pT+~ufksFPRDL+2t2YIyxt$ z*9!G*v++BP&y9&r5~>`y_hu!Cv6e^NB_;r$XRuyroM9Uk<@uHl6m@_s+RMj~%tM0N zg&nMuzfy)NJu@EhX>QjJZ8Ve>|89wEszY@m;>~-X+nJWrgzG0{*F{?f(^a(l62gZc zb94>M$-wjwSt2zy%j(p?-OwrS_jH=7dU!u%+kyc3nN%{PNioo6>9CALl2cELkSqJ$ zFEJbO@*!qhtzs#x8QU#SCmVY=OT6>pkbrUe1B>UsR4s>xxELwZ55iR$Xnf#qa_S!~vz^{6fUd2+_NGDZpN-8)cA2_F6V=G8He8&U@Pg+g7D& zlVK7M+Pc2x5xiKlc<>(x*U z`#!Ap%vd)|6?v~=AU%q=dyT5khpt(!u(0CSYi9lFhh7rZ>+;;iU3&{*=)_-UlBSMC zYK}_R#IGs-^Mp0B+BJAD>Ya*Ryp(7N-;b29M$oWy*?g}&u#CaXAFB)B^Kud&j%fQS zAQ>Rg&)+=xUUnic@Jz`|UYvk!)qG?xAYRA!E! 
z^gPJv!Rx-t-w-86T!|A2NTCgo>^V0Twu1AbW9OTDgze(ytF@0?v*LUyu0Or8C7{F{+chct|QKJxM z&#Q_84A6_avKR<&hFD{33S|x%t9USb_kfZc^Iwi9is?KDC2>8nf1PeaRnD$Hu=WCo ztr7oEn1gbV$ChZ88XkJAs_SF#DWKDz?4Xp^uSXzpGrcw?FYQua)EXVQoz>8m?63^; zUB67U1yS-SiPuke%v;s{BeB+VBf(UsU$TEaM01#&Y|gURj?`DQ~E133GB7SvwTNwg0=;;=Od!g*u=hb=bFRkT9ul<5u2{u)S`M{@EQ_ z^Qld_;+5C_jhh>AMN4edlY0ewnwOYVaeXx zBYI59q5)(eW`^kU>lLgXBae!UkWnUG(*o0kjj}(l}ooRr;fGc&?WIY}A7>ADlTaEXlSy1e|=t zX$gzE_OUL-wj4UtL*$l628QJ(FB5C{Yzo5yc&TkGB`L|8lGT8 zS47+TN;~-JYFQl=`eE(Uq?WNk8+ivL$2($tk>yf%uYbP9}uiYNCZ> zDx}?(Wg%zxF&rlMyzpJ)EIU8h2n@bXb(^xWoT92`0nQ`*&*@%2O;`&9R*-3_AqA>( z*)^u36GmUU6p-Wgei# zQ?GK9OuM-nzWX7QAD7r&!gpF1x^xI>im3bfHM}v2De1OVjM=K{_X`Tr2E!TF>aR`n zMV!qD8~D93n$G5mMLRZjZtfppizOxU_EZNayC)^bqUckqsf?12X_uK-YxQlSeW)*m zl2gy=w5JtDbbEaT&rs^Q!SO-N4}EP0CP}R6l14WKG@@Rbz3JqxM=-S^!HmxaxMPu@ zqE~x*^W!RNQ7!Gi>DPBfz6Rp*&?AzLNj`z*u#E&p*R;KfZ9o0+J1cKp=nOAb&W~Qg z`_?YkYuB(wVYI2&_j1GO`7hp2VP%kt;X9HL6BF^d0l1cJJ~qyg5r9t zX+-BvX(j7dce)iqRDo~kZ$kZ+D(^ZOX|p0}17B{7_D6MN#((d%LdbIX*NpfKc=#Eq|&JNxz{vdP$yb5_3 zADJcDdb;IYeAZh0hj|}^j3SOw`xkGifJTaRRE?@=gas&-N$ScY>s`3-ErjLdA`;GR z8MLz}0qWk@D8f_q&;kipC8zl(Z|UOZ$m{4T5Z?R712^G}YnXi6VM6R&(h*8@6CdmS z^i(j3gr$#pH`wLQ@R?NaARAQ6q7c$_`Qdo5-zeVhYO^N?OOX?{^W+8YN`CQI#=AQ< zv`6(fOnWIswdkzOIk-g&M|2pXsl6a;g+-Y+=yi#Y=+AyyvLB4H16_wHHfM(-RJkWE zDZJNeA2#~S^g>Uk=9YW=c%0?)PYLHzH_|9$iYRm82ldrd?q{PoyGKWR(~wpdwaNd-*qaAZ zxqofrN$C{QMhH=aUFI?sQQBxiTS+n}A!Fv525eJ~Y^jjilFajzsZwMPWuDm~^E_?* z*1g&1d!FZcfA9PJasD{E_kDlH^;w^_u614KMufXrJaY1I7uTzT&_Nvvn>RWg8}hq= zA@5g=RlYM)q7?A2gKceu;A)`Txfrn^ENyLG;;NF2)ICv-OCanT<<|39jeKpsS-skP z)7l&hLvf07?w#PNel0WR z$?tikjF*MNv_Csz$;E+R&YYBs4ne2ZwB~rN6t+a=@pX&vy z+Pg=71qqA#Iu2bViCo@jAVA{apFc)$V3jwO)6b^n$D`s`N+&|{ZCpAl)7i&+rGJn& zW6<&tIsAJQ@Nd(Eyr%-4r8%YR6%!NEQ`TiB25YI^6VCID{{z_RMiuau zw7W_NMi)hG{sMlWh0?-&WJGBxZDGR77k{u?3BQCXG*?+mI%|*2(BAEy%%b?Lcz_*~ zH9mD7N>gp-HDEz;P|7KQqKMb~;|y=mu>P6^&*ibpkcAKXSdNf`V%}vOz&?d!PH}_6 zV_cJ6dCT)Cr@XX3mPpwfhsP`uCf+9)fG&^Q_$bFyJ!;^=f+GGL%a3*%eEM87CNj=v`Jeyw#_kC_);FKfK=PJ}Yb;4)iH 
zs<7mWcr&8nC*B{n$_FH`qe16{ImY}lZ}oAQvD{#FFO-J`$ewRFmrUKxEixK?KIlI;^W4Et$x~%TrveW#&7PS{ zUL#XUg+Qj_=X=2y(otx#naklzHjegoj5b`hX~Hc@;9; zG>6YCA76J|ks)*ycpf8k^+RMS-@$3rJ;$8fhD-RiJpj))Z0OtLo0GN zSTsJSHqze{)0n|MNgB>bKQlMnV1w2!v@;nw2)|2=fYtdGH|x=P8LB3a61wyQ(E`Xu z&4S~qaC1?*8|x+WyOp~qa&z(fn2KNAl1BZylR=yGbD$={WDcd=XgdI}IX(mxkToSh zd9DOyAvl0yPVmDNtTKWJ)atgb#?AF~cmZ1fm}?1=##v{Cta`F@V$ zmMOZ0C)Zgr{C3l_*!sZ4UiBm4vMe1i+Q{-1MVy2{POMNM=78SshS*RVnjH! zd(Y=)m8mW(bZ57QlIDAt{0<+~TnW(!;=hHpQdl

g~?h(!Z7Q94PFWP88M}*`Bn> z3~ib=H+ZQffn<6M23w}gtso3X`n4W0atGw>3QF1Ua3c!fW3lOw;ub7RxAoBeQh>o+lYCk$Rk7t?4E$(m@69P$Pm zRS(fut~QO;C+O1w#VE42NA>U$gkw_#F@gkQMM~i-u^e1yWfG_2qYLgt&BB7dsCof& z+RmY%7VelV`Z<_-U_M}-K#T?^`87WmRCIY(aL7C`e}Y|#_(b33B(!Ov+Z4+2twCH z8bn!gdwKTwv*tR$KEY;%M*1uALhk z-bn0!6f2>-e5+hZT|zf2!X_R7K$O12ec0*Rq?Zh7!j3`z&7Sz}!qFW8H$?k&GG zXfnnw+WVux3<*q}r35ev!5DT}q;q>t81yWvu*TYMDAegsH&+C;Na<&#&1BJsM3()? zF+--{pWkQ$69B8pvX;PRFKeCr(w^*k@03x3qiUq3*~f9;_ci&F!X1e)rwkOo3kVlQ z4L&~&-<g|gRs=NNrvqGvtZZCmxxuSN=)af+7%)CbV(OLHUXJ&TpJJq3Mh*`g%upi-!$ z{w!wD#DYWAptay4I20ljhvF$6LlN#|Fc2s!Xxk1bF}${|D$f>iw_GHu*X!pvEj}B* zC))kt-+hSdRRTWsL)?0Dn?Yms1zt6y(o?6`pRb#Cb+}hdP@8tSUi-Jl0?dH9i<_qX z=2{9ZtG>e>Hf=p#&6A6oYroSbU%Gc92im{Ja}=$FFXYy3v#T=}jx_*F{yZ-NN)&sV zy=pcVb=?2GT2BZNJVs_=&C4~_SHi0! z!<@10V{c!xxX)Mi9|M`@_r#9j+iAv__GYKKjl5qa^r{B*C=)}(al46BNF$Cf>|UU| zQ_s;|^Qdvu(XnZ3cQZEatkVOYrDwP%Ah6XKq_{L*m_olP0+1CZ&FkTnq0SN6I!xO; zK~eEgeFz%dH0cRsrEqWiT^0}wR^zQErnbuUfVrtlmA14gNt_>?4F=u}Qqn^&4F2`C zDKL@$Tr7C1E$kH>lxngh6FiN&&0B5EwF~2j@6QTDk9+Q;h)l4XBq`X12n@b|Mj0W$ zLR<0HB7Tw;a5z2UR zZx&w^(E^9&Sh(V^bpQ7D%adMlN7^9d${hbOHHQz^g!d}QDPszmP$r|FK5bCJ9Ct8p z&vDWTLKg%;ku!MfmIKI{8rIh}0q79Oas9jDz{7NiPnwYP4iyjB5i7)Q9Nlh^=4nC> z521?_W*iAY{(Hu8=yG0E`~q!5u6|jrBT)^5mx9lK{3nVD9FoO^Ur?tNCEIB|dcP>u z252ggm!wdxW-zn-7{8SJusI*6oRMP{{Z$i z0DThGDQ^3)9#pc4f(8?`ufz(6&PP7xOIhv^RIX*Dj4~A1-NuZP-3qvpZ*>4XNvL$~ zO8WQc8>`@T*vO0bp93c8502mrW?hjo$55q^lh)OeWHZnBpG$2Qt_hjObjmcskcz-S zpP>x&EE%VULrWh+#XD*yfB{+WL#QNpG;RSAyqh~Cwgt-Zk`Y_6`=9dzXzF}iCNjnQ+*TO??$=hoPe7N&t>Eq-VN_PD0C~M?_IdspYd_J&Vw<-wB+26^-bLt#0z}g{5 z%oZe!#IQW1e)fhTqK;Kc(2Q3`nVdL|gidi6zbfGm!U8K-!Jkb{UP2~dul&k&hJ$V3 zwPK&3c&c3li`}P6SWi6(33zy$EnQNjbauc;1b_a&%G>Qo2 z>vnNlcYe4v#k#e-rDbQ^>zZgwY7UCa)GMC4{p&&fO&$KBI|s2~-!R8c!e(?e9TRrH zZPVTBRs@5l*9WA*SqoiIDeR%0_h7IBprLCpfQka-x}!T(!$2puYhq~PM5AGj>q{Bh4q6r=!?J!!zmP^T z`4bw2ifQ{?MAH1F{{TN$Yze(1QX*7YCiqR#(6&va`w|DD?lLPoxr1I7bwggOP-jns z0`DiAwn6IVuVS^2n@!UBv=*BELT>n`8$DJJ@3yb4GMSzm 
z7#`j!#x`M=ZbkT<=pqoe7W{Goqq~>A@exq>2r3YSkbQjJV>UrQPi~e^vNL5T)}@~} zNyO0CzoRBeT*61`#A;)J(Xu+*8SSfU*@hkxK4-gvF8!!_eYZ){;?_{+nIX1M{HC8Y z;tm~Q56%~*l$u{={5#^%{gc*&3F(KDB7wyjF~=p2ohM zF{0z^?3q9FNrjtE*srIp=sFA|X;G3l7mQ zW@l>5gA_#V0jZO=mNycOPr0X|``=Vr@2t7D|C34%R(+6nOfRLfL%Yj@mTgYgr*6dV zgtzi7kGXJb!m9h#!X<^<0_h#{HD)RXG@sl}TzNH!IZi9TJm`(-v6f;^OglnG?3ufH ztXI6g33<+Gwqh<|FVYlE-%+1AtL?O4pPBD2gpk3Bm+YkQlnzGbAn z;o{AOrQSEqzcI461*VIo)bAEI6HYl7E6}nR>|0ck3D$}%IoM^f-pK!eN)FYDW!~j* zZ|X7bqWB8VP9_9BC;!o`hqX0NFMlH^0&Z$h(~7v^o`|72fmccS@WroOBUqF5ZnCl^ zVY$Kwr`g{g4uVCVu91fa)t{UR^&JGc!jL$h&DE!_GDmJ}N<@Y71q+Th_=b5I`PA(j zCX56x%F{frd&Cw#eRh}7CxKm-1GnanY317S^~Rig?4EpDD`)RW;`E`DEHUjfpOOc)Ntvkq<&v`;IRuB#B~F$(mvnci->?=RsqNW= z3cCY|&Sr&=%k!dVn>P-EmnJM7!BZWB?4pOTi;}N#WsanfR8Rh$%8qR?DNFrc^IAfu z$E0$ZDYIj4Y6TN-m6J4X`9Y@eVoF|@0)gqNk|(#6M(N~}5nbjOR6^gH)W~qwq44Rj zsXGtYrl=?7q>m<*k=qWYuPq|xRG@O$i7D?J&Gx}1M!tCs_n18$m6D=cM9N;J8&xnY zs*Kk>OTcLaPSkZD>p}Oh^h%LP%CVxLEplQFVP=L6C`lRr&tMsdJ(v3Qz~Sf zpz!3^Ywq$TDvx#cDx}f<#Zc!Zv&*>cUhc4Zb;-@mmCrs-4$3U)?KWA}icfaPva+|O z*op+!f2aK#^Ene3>7V|vSqd!oxKt;YD|@}JFe^W8*7S)q)V;s>94oCsTwn6HSJTZp z>`S$A;M2ai^t6i+%^h?jUq$FLN1I7Zs*h6@VTEcOzaQ2)U5g=XH_;yt`myYZc1f(e_JXk6@`5g5noqO!}zySlqOt zQC-I?z9W4KMkAk($sEW%TzO&fUHk0Q&74p!&iW2^|2O{bg<|t>sLX8TEY43qe)zat zd0!AlKt$kA!xwf^q3zLY{kr(Gyw-oI`MWdbHP14iJ&<=rA@>nimuA-)x{S3?RKKDH z-N!0O!P9}ZXU4xJX6|_Xy`JMUot(LyN_DUIRSWxBX0}=?pSt-!;qG73MMSc6@sCa< zK%oluTdSD$Q#~&`@g<;AzgHm=tWws!OU<_g?6-2%6IF*htkMtS+vb<(+sdhUcy2>| zX`kJHD#I=NRYX)5EnD!yn?2m(r%f|%i?Ij8jP_+&)gA29EoONwm?Rr#k6jFwJG^fU zOuXw}>RaN2!OOinl#dskB6qY+yZ_Xq>^6OGg>}2x6m9$GC7GP8LV2w`KiD7?{QVbioOJ)j;OMb&fl3|usgQ1J-3I}Y)jyR(m&sF|mZ!6n*W1(Wr9~#YgHXg(d1hbIC1Qqf_&F3GYw4fmyuE!v)8p9< ziwc)Sc{DuQaZN~&sFLCv!{<(2+4iQv)4zL>@Z^HgtuvFES4{R!x6|{ zKPB^U33GaYw|eXWW(JDqfOjGwo|<}X5Bct^u^l#Qo$e>$PD%%$3(FcI(XdAT$Lo}s zl4o3NmImhKQsXzE68q?NVN5j`4S*=*n!`%@h&+K)?aTozOWpdHW-9~jSdbFXX(|&* zhar_lm?*kDm%6zfxV%X-8OF*T9~}j)72DWC=Kz2Wp&@#XN~$?SDyEZ~yO)IqF-CD- 
z^mKH6_q^6Rd-r$d253DD1(n*ntH+@72PsPW?R6L1IUEaeZy**_C>(&E*w`X*)S7*v z&V*q$jM}{_{*IZ`*SNgGg*laU<~Q!-(Q8-Lon+qL4n}LHwR@j!74bN9E9;D(={tGr zM>ytdvs%~zh8DT8+^WFKr`o&qAKWoxLY%FEVqq&Ha0x)$jGCudu(wcmn22GZz9JPM$>ay@KC;?3 z!ZdI9t!Y2;4Y|RFzjI^S4TY428+z4*_8l87Bik{xv-ZEyxtHUQFrj}61bI(|!mq2h);6J!FazlYX{imn%sDp?xVnmT}vEvG9dm-rmX z#qkhwx_xo83$PTBczWLa=UA@NS2Md=I>-0iP$+fUWuUb3j5b?aq3z)Y#*fI_z&2z0 z^-h~|`JYo+=5YsC!$uljzsjgdZ!vJp5v%nB4vV1NJYni6smGZM*C*LBE`h)gA(>jo zRf2IW=TdddU;fj-?@pCX%vKWi3=iat4EqSxBexAi1o9zMCinOsLQT#$%mgl#9taZd zQ}6E&Ab4fy$#gYDAAaepG<&Ou&zpK;j!~7i`1FQ6-Z*?mGPPogd>E$ zgG%`3G7_2D>;gtRH=Ec}-y-|5V{+2Q3`uc%l2QBBZwAEQN?%9adGYJ&&=np|Gd|`d zK{bYTUOdGtHZuGvlZGXG~}}}!Z?m;yy%@tv`#<#Xl$W!Cxa0OJ>5BmifP_6>#pH77ia2K66UDs zmI(beMX7tjBiD|tN*Rd_?~*-H_;_+-@Bk-{h9<*EELi%)8S|Xcw+hke^JzhzpV@TI zIdSRG(e$DB*8ms20>)Xgq*Ygdm%t%v{oJF;L(a( zb(ppsYAl!bw}3OplXmaTUP;0e+yuWQ%J`jy&QYb*X4G7km>yH{&T(N%tv;dV-Sk(5 z?LBYxAHTn32|nqnPjPrEma@9W9Wu|VGr8Dt)JeF)Kt?_AbMyh;Ox8J5g;3_0{d-m$ zaQ;SKj2r<>D;G%dD^hQ)c-OI2haK|S%WaRavwiaG|MeCXBhhh8pS_ZrCd0}=?0r{` z&$s2|3jU`dHZho^q)PQ2fI7RQ)zwZbmbd4FTM#jLt=E78zdt;1EXMc8e${Ea?2MZ{wE z8%Gr_Yku~UrA_OOMftC_k2i_c-g~+~Kx*%vj&|`KRvs8xcPE8Zdg|bQqA_1ffbyd5 z-yVkx(phRBhc@za{Oa0;)Lk-RH!Q10K%EhETjr%DAYynIVrRFXg8QV@?)7*ZxG6W2J zoorXfr-n~PH>VWsn7XZU4tB8noE?g^A|3nHyJ_~W?AFc9c6%lNzIV|~Bqb`p_GdCW zzOpaf&(!{{7X8W7SfE1&CHr~x^Xdb`95uCX1D)~~#rnzL3u*e!oW7JpOUl`>#Yxeh zaTVHQ>$P^dPo&SVPpl|k%CykLC7MOd-a%`fUoGq@`yg^&;4hL^U|BV3jn6eZi`!+~N2skwm6jcjj)=N}=x z&!Z89klib%Kb;n-Hp1XfrRhjBVy$~SowS@gOK|AT3*c=12BDMSjHw%mp^7(o9Oqs_ z#5?TJZq)9h@mDeJ2-3lZQrea^1=N$-^U`jqK+MXsfTl3~siF_^RI4fDouJXHKWHxj>onVuRrf zExK+Lci$J>L>`Sjc0ARU@Lv}>3#d5zqE%iAe+i<(kbeDpQ>0q!wRzEla`Svk^TJe+ zRziXSh=$gqKjD(-6Iv|kq{r=jb2J?nk63o@=#!q#7&5^aF|_rYW$dxLVg*_(Z1Wk< z_+_8WWz*}@bb85|qFYDfBR0Rgc?j3jW=6!-dErF3&+3*DscNfSWfa~M4a;0Ui7Z|i zx!gXylf>tv=Nl66`>p`y%E{;->N+b;KKb9$zF4ECg}%;=_v;VDBV_%>-go7dRKx5KpWOlmX#3@{KJ zT~@l69<(lZd~N;s_^q-NSD#9?QnMM(8As-de@d$f{p{*WaCpf(_H{=mro2LBI4jpx 
z_mpjTGEpqgUXkj%)%z~EL_h!)A9TeeNjETvO@2eMnOj&4`9Xj{}B>iZ^?H^+cxD<>e6byHW z9O7N~WfMBWuI|Mp#Ji+MZsTyZ$S?2G?`pRvn+OdtRjq@Oc|HV$LvBHq}1)_8F5@XY`?ii~j$6RmZTKuo3M%|`*b+d-o zMB>cEft=K1yURus0{d*ACsah{`B1wm&l`)$K1|rp!6$7?5X?i50+U}$z z<|mk6GsE;KRpDa;|Hp^?C3sumMpd!KT-z6^U#EYT_NIO4idO=ZDSO_DPdQGNAit#O zUDa5!P*j~tH7L$+2~yD#nYgA*9x$~{xRb0XVxDlS^CWDu?1|*=39`A}ZtDCuo;SVs zuL}ysb+B5=9!tttzn4=}t}S+MhLA2o}?b86PCN^FDDr@46J>{lGw z_h(<9v-6O3H*ajWVxo@{_^5I9k>006KEp(Q^}9u4QF{pI_&+cO{M+C6Kv=9&+0W}A%C&AX)=sOgxBk=IInAQb<~q<%=Xn}y ztr<*3t(8$=0~QZAt$C(s6dU_{M z4^Dmbp6h%J9|KGY8LFxz`3K+_yegrk9gD+}`8}n1>!k|`-o|62yPY zADMFNSLVuIEp6(_PrXm*u+eFCTB^u%m&)(XFPTU#>L|@az@uE-utuRJk!rirAcO}y z*Lx+?S-XWdv&rrTg*zKvC(#eez4OPhH&$4M1Yi?spc1TSJ$es{s*;pEre z!+%)Siag!NV%-0Yy#YE`Ztb?kl}fdu$wcR#g2|tn;4+lNFXSBtMqwnzL_wbbEyXb~ zz5oQuOLa*h)~Lri4bBNCOXa5Zv^aI9Ey~VklSAEGkXVymrI$-@Yjk9xq;<9W2Ar?*O$%1`a-@#>r;J3XH$h$@L*Q0n1!_kK33vcxY!nZ#NcjF~17AKNiOiW z4<&NujgbdUW@3$hC}DlIi$SlkX~w07H5QN>AOX3U(^G2j?_~f`EUlD_vVOx}%Yk`B zi`!-MS8M1wZd>o`9f>zMBcvff*4_X%ZBh|h<(V^9KWZsVup`}bC+q^ZdyzoAa1FRk|VwCU)$*McK-x{>o&ORPk8eM44kl&#B3_ zX1B5WMcKvr60$GLMOHb&U3>_&ur-_ZGo8=nXP=77dHxBhN}qe>t}=XRX`WQkx(9K4 z&Les|0B5_!Payq?*(4J3h1|^QzxcC@c$(G!Qr}pOlrC9VwMyuEheSGQtF|N{4cig5 zdJ&K2c!d|))BS#eTvoSo-W$z?t6qtX$+dip7=w$5t`RD1C#b(TM?200M6TP`e*v^x z=6j>Y>mgTOTiyQX)sn@EEEZ_Q|5M057X(%HJ;!2oCEPzVyb|@yF>eH=kk>XJK{lnS zE~J$V;obw1&)p!szOe4>tSoMcdB zeHr*YqoTMKnE3)PxpfyU#@k+o?<7hRd8^egqf9&pn^Z%zw$X4cRT_k(Fx|2_JyheH$!1YeUv%SuI~ zbpR=QA7pV0#X`^u*2M!L;X;GKCj+z-sxu%KM)SXhGl!rP@F4a?NML7CXtpKV(`#8- z7Pyh2g%^RqY#OM5WUCn}Nvq{+v%Ord>)&nX^{WeeCu!FzvhLNrLO+j=*vA38?WC_A zZ*}zUUW?NCFh9Z95H@DS;OSvhL8)gt;r!Twtf!02>sIIviob4ot#RsCvFXBOhOrRf zs{zuyR<3*rX!5{)$jd?z8I|$5^jDw`!6Xsc(0WKq#KvCjT|2)L>Fp|W^;PCnd@Jeu z_0pWP;~#J~Z-L=x<%!L^j7&RX^}Nm}c1T`)g0vCO$wSp1ae&s;f_wh`AatxErac|* zig6GtXJh1Pk zep2jY`Xdu=)4(K>vZ&L}j#WF=q2W5@bL0Sm>=YnY{fvFsID39CoU$vrLrwC7QO}7HkWK0G~ zVkWc$=D&1vGJsUb>>ji7%d>KNT@PNTfd&njWNpM~#{)IwzbYMM0}oYByEXjje(~pF 
z>aUG0@#w5B+)3F0bm%)2@#Xt4+^iNXNJ-J{&_goB2tE!}0c0$h4GZk#fIOze7odE2 zLk~e?2PuNka!<+?ZWxxt_k7T*1-|X)g`k+~9!49i===F8a;;Oq5Qu95G&JLZGV{8l zYZ!YZA}R>E+UKw)fsw91y+#@t(*nwKKrAj$i4)R=%gTY-V ztKz}w0m%QC+RuhP&d6mAvu@Y2JSYLV*R$&5n~`F^@RnLSXymCYv(f7Q#@_`zN&v0$ z-~Wzw2_8H69x1wbX>^PXczQ{NycCmYtegHn9(F_?{%+r*Z7M1Ac4?#$U|#76m;4R- zY(z}g=mN420>D*io-ja+ZT8SN1TfH7Ek4>!n^BbqxHu@| zhWPzfN0z^1R~#2NK@CvU-}Ca`>q9fB-J^;~<-)uDAfA+i94tBradZtwgh8#q@`xn}j2a zK2vZK^-WHMcU}C*>Db@f<&?PSg1iHpv}eiY11ku%*o&RiTQQLQv!=p>+H}{QhD# zwTfB+7vJNvM^3$&7ciKNn;2AK6JPbe`a%P@&Vuz>x8%55kjB4$38PJh zz9MtDwJnseV58tLP6^yP`<(v||CGdAjnpi;AynM(fk8Llr_iUlo@Z)+?5E{fq zaX+Jw4Fa22b|05!X^(fl*Bj8HxO*@01mTzhIdRQO+2NIcYy7vpy}?n^G|`2dEhY~Q z#iv};#_xt*?nkiz#Q5jR*g!#)d8{Ka&t(?l~!qeBr^ja z+>*lpH1Ta5+8fgL*F!F0T#-UgHHt+gs^E9`zH}T7eZ?Y9kb`|6{b&o9P!`8eTjkCJP#cnF&Q5~iKJb|}8T?IV=QZr*AgJ&gJ7 z*}H?9kX;8E&HvmM0sM9ZgZ~zcw%|xdunMf(_c2h369Q*341~>>V}92(;p|MHq?248 z^`9G?D;k53habA8Wg_8uh!>HKbP8`F%7luy+8AO7Q!p!VL%co}cDBr=HK`k9r-R29 zit;C1?`)Pm*_uN%2Uf%pd?uvJp9Q@C9KImmKL(DqA7zS(9Wn$Vw-ocLa8*DhA$A@C z`-<-4`ezxi2@>QUZmT8&X1D}RHmzhk{1zC)pk4(LROJ58KmA{TXn^Mdxj?1indwyi3VEmU;VCj^^WvI(}a=z zun^KH3rnr{v?+@W?klefO(>K4dRKmsEK`- z0nYXinxI>lXPyY(E7|%U&gKNz_wiq%Wt*zC3`#Dj@-rxFexx%svodg+x^>21OjLh#zA|Zn)Hd zjvMAxVZL}`n0$()qzDLBdp@>N{X2dqegnI}(Dse0UGD(jzS@S1pDcYs$AKzY^8xGr zp(o2`D(5ARcC_OL_UusqdTBh^41h#;7%~+s--!vELIvq@#I-b~0)!R0sN@eFe2O)G ze-NMX@9j_RkvMR%Ef1(U4GQ8y41H*lJ(BxQ@4Yvu&-q%Xy0hO$T=o#a-9`6wSZ*BCDYDDm%1$CBwmGZ60a=JwK_G!_gTBCqR7#{4^$Xv! 
z=W^%*EG}Gg!Z2~iwMc(docH%9+K<{o+bwsjwM%Ur$SZ%^D46N7Q%<%MJ9Msm4^7TX zzUjtiGz@Re#AH30shoE5=SKlWWu0yqI4e||9N0AdbmXwx+M3gjqt1J_P9w5;2O{k2 zx)}4jn8N#d$YBlPB!vaSPw_OZ7mDz}J-_NH!ZDP|Uf#gct=i>SH|!s_R>7-B!ETcrr71TCVpF=z_F8@ekVgBs9^kCaf} z0j%Wbo z_>&KrgJnUFaI=+{FfSb&Ll0nIiFhZGBOfi&dJB)B9cL+#Jn)>uk>Tv$ZkH>{&ByV?_cgIr z`Z=YpRU^(=n9Tdk+c7~PBKUR@b9zd)j+X0w@z6|#1VKXhcJJNoJUpeilsr=23quMY z4V~Dr>>^$%Gfe^)myy%DzbS!TRJ0_hX*nc@ ze#u&H<$BHPp4HX0)&J7pc$A3?luL`P6;DZtE@R92EZ9ZeKhDfLss>3(=oJ>eo$)?N zaG2+fLrz8h?UFKI+{y7?rPHMQj97Vp+^j7Qt(9VNo0F&dso$CuxN1J74OiYNQ>yJG z2+Pjc4d{NU?c#80t4Du%NThsYfvr{Z!3Ig;o;HtP&;8yXz&;m1DcSt%BTz7=lC|DZ z7VHtHHJgoAm(tCHx>6{zY!yJo&y><9c-&t(xA}Ra^dY&H?h-e7x)DX}vCZ47A^HlI z1tX1qL0mQk%K?5tv51`Xg}KeHc9-6Y>+&(mWRjj&2+7>w5~wa_I0Tg_PW^Nnc9h*1 zlV0=>G5$3ZcU1REo2}TX-wcR%X_o@G{^dxU^#<13GfUi2^_vNPwBAj&jmALjFf{5{ z^V;ggf`YSDcm9l3tiHGm;wB}7r|I@4WwSPawN2T$`1o$BPy4x9qemJ`%0S%dtu7{! z&cE+d24YNze4v3of}8b@RT#_O{IOiPhl7PAFuklPXc7Yo*5}Qo>dGjelOac(Sy&BN}0YX6dv@ zxR-F)jCPt0E5=Z1sMgz%XFwyB8p8Sy8+7sJq?*Tk|Gub=%W(bsqY3OCq}Ybo7z}<& zT6fxZwnU%wcE#6%AqQ`0}A0D&hhez5Jhfthmbm3X7@a*~jkW=p^IR?)acC?}RL^ z>EPv023e{iaJVcX@q7t_N6`wD=@$2?(6eq7^be?ThRcldJh=CH4N#bSYC8B8^Y^s4~_WR%RIuinlTF#-7_@YPy)g z{CU^2Nlv5kwmb`};Nd5Y?Wx?PewfjPI-Y7MOK-h`A{I|c>Q7%A^bM8JB{lnjQ7IU| zguz?EB;-P*BthjyWK?z74#_jr!SS?t5Afb^J(hNt_?JkPsScR(?l->pm!50bUZKFh z^&+QKqG$&PsEUM)m!;Y+#br~ADs)0rU8AxIs_Y$Ch=&EAO;}nbSd^xc1*~wJn2Amd*Zd~;g%UMFK+Dgo&N`EGSU%xfWYu!@Bo`JAeIDWz3HM(x@_h)CWfMGrynm2 z3dxD>+skH2D+ZD`5|&m@EF3g!eXXG;_F4{3=NJ|TZs{b!q1}xLYK!d4NU+@E0r2#w zPw-7|JZq3bUE@%CYbJal`<7`$18eW2BRTEnl>_gjDnNEVe%j)a2VK2`kfbM>K5y^+WG!-^@P~*J};&rde zO5Y1XSO*~lp4@<~(2$YloXBNfs1Lmahx6jhR-6fnf@TZh_&`!vse@a& zh+9zdw^zxU8%2v=ilN5=j3^5TZA)4L(v~7p(^7Ol0X$J^a_g?_=TYTSaeF24ykTaG4>a}JJ(J~OzU zNF;HU6C(d{xF&=crD%C8vvL!{Zoe^j?O-(PP;n4a6iDtrzAlF-3$``v3EnkU{r)V8er9|NO|FjXrRcS7e59saJ zB3TACp6V3_xYPgSkS9m!d?O$;cU=*)@*3{xp`dDjWQ5?9Cg*LwBuNo;!Sj$T3F6V1 zqqNwiM`;^J=9|Txcz2! 
z6^yyVb~u#s^nISo5Jlc*m)N?SXMixdD%Afz!r5iP_k<~9p{asTKs*&HN<%?Jpu?f+ z)%zO6W8As@SMXm zRJ#H*jzPt{%O*KcZ=nRxud4+32qG8gM`Ok%12H7v% zekq6&@tmTiG&2O9jdbSV_Wz$?#lBKli-D4Pa?Rc@N*_6~?1#vs_=jfuPvn3iWnNyO z;;~55{xzj1FrLPRxRdw|?~?U(&r!kdSy9w+&h2^EG{KnHDl-o;A&w@cub{YA1`}h5 z(T2)}0vPa^zU>7Mo}~+`$!B$TQ3Qm{O6ey^P!97DNH|pd=zr-SRERZrB+PViOL$oa z;A$2S7I!fZ|)@ zDB1D^DPIUiZ~jE07^ak$!?2H?>NN+xkF{3ff7yib3V|Asc}7-;)^hZf^+L#b4L8L0 z{`g@Fg}#1iqmLtsr#z=GKUSiN4;r(;HA*9&l1W`1RP&85#FBHKR+n zIR2=K(22dzAHL4ezY8>7ne!6%_F7FxpasWorwgHu9kINM zR%UJ?zO|4bh3;8wxrynIe8`~JE*dPV10{@2b6zeB|Mkj9-6e3i6;8#Z@of&hCJ- zPeUKG60L;)J;!YgEGoZ)TDC%5&^WRl=B*x(NkwrtR=BhTwNRsd;|@)hEa|U(-XY=9 zSQR&JTYGPgjc#y>6pUzw|CYY~FqJ+dz?|D-`n>Mpj=UWT^0(Qb8aj6xw3$ZA66tsw z16CUQ;>D@)MUHGQqsuexjWnIAWUff;W%$ZQLl;aZt2{{OkzSS7VMr`=&t_WX(5R#T zI=p+(HE0@THE+whl3X70l ze_8hVI%A-rrc6+`2ubwgrfwWlLf>T>{*T5lIAaR-^*H4mb#D;&F$nkBn;oVJl?gX+ z=sIK={b3l5g>~LG4d~x6XLE&W^=wAPs0Ehl<2ThlWPYKF|9IdmTSJ(k3DcOGxAIS& zf5a?>wCs$$)O^b`8KYaDKlDmDR7A?;4Bh>PN;klOrlm^oo8^mr?&1PVci2L|vF-1h z9WQG{MYH-FQvI#l^hz>C^|bKs{$nznQEbK$f>T_PpI__h%CWyVaAnq4^#7t|sagAC z7q#tu2{D0s6Vu^|-Cpg6qWqPHwN+Fv4#Xg$W8z$Gk2U$6GioEzenxb_(od&A+s5I^ zVtbMJZHH7%HE)pZS09(KRe|f27KZy9Cl;*-Oy|ig~QO zf+;GPAsHfM)4*1(!)_72#_)FFe8ginL7lEQ+$r1#x%TLc?){Mbq@WyX0g2#|)UFd7J3tr)gU}!})jR^;B`TO*R2O3wuaHSnM zwR~FpnqP?A3ntL>V+^8Vb{ycpTY1;$_Ul*vYij{gZa+e$*f-MdkX7vtM2_2_WFPbv z1XQhS?QAogoHbzkl$?=0eY?Q!j`|`k?<4a}n&7XMBUfmD*l4N#5~8sx+gseW&p=VT zaai0=iy-*ySOR^3VjLhP$o_|bSSbf4$2QV z@0O%bI>)Sxb{`v)K5%AfEUVv_iH z;PbjKXOk{l5oKuEOK8%!$8JUQ7zUcabL27F_y-BG*=Ie6hIJ^b9g*tt!MjamgM zkHxi+*fpcU-Juft%gyhDT9HmtLnmo94_`rVhGwRPV- z#y1HcKDoT{mgY}7ayIy@Pe#}PkG+v7>)*6RmgjO5>#L{=Gib_!&6;hwdeg)NjJRZ< z#Ah2Mq-Xz6tw?-L+t=D#kBPe!_#b)c7&)=IllX%78XQIUX41*Z-kWaKAl@Ow`8XfZ zVhejHX?XTK+lxTw3I=7_GrO0G5k($pPppm!ZVc|^>J$%8#eIKJ4G23%Z2e(ymLrkw z?3N!^BFjXcP?k+1WSA3CE06ZdPzT4AYEC5CQPKw7%HyFo7`d;mwI6v3VJ#qT-MHBC{ zsN&Ul$gGJ{YII~=5CT|BLNoyEX}D*_cUiBfU1~j~-|=y^(jSwjbUM1reY$|w0P2pD zi;a2!)lu#X7X1kTw5&8G1zAz4VcBmPQI7G-NC40FJM*tjID(>T&gRdXGly?f!&^$v 
zNQ1Pwh`V#Ssu3}F>TS9G@u>hNrL7^6h~Be}->YkiXLI`LY3oYcSihFiIuzgna{Tea zY_Ik4aH+QjmcdiO?Py^BS7X2U7pQwQa)r)Ls>funi~{^-LosA!|A>q3ffjK5_ohPW z?ts-4C59tkI=;7qX@gN$^s&qA;M)fi2ocTxP@i`w<##tPoWsdzme(;^X)k_M;9Nvj ztClRH`=tS#;RLSRv|UycJkP#{T?TB zMQtbVrHoof|9=5Rn$YzA#``azNLD!l*44(R-8k>gs_hz7;(p#t{qU%1oE(hss~I_9 zTQx2paDeRM%u)*J)Wqz5bew2Qpal>z@c__I^$$4Wb*~`tCj6?jg5CZP^=M|fzsuEp z^;5zULgRn+*y6;(;^+||4Vj5)0fLwh?44Zp#1L&ytAq&J`ky|y__JxI4+3 zJa}N2_8T*B8?@zNgKR`4!5!$B5YhlqTHw~=+}vthab&0u5M|Hcm9@utrX4mvD@+!?@D5PjF+LVZ*6%00gEL64_M?{UTW~S z=8jgeyou7OP?ct!-=P*d=9OW)d~kty_kS=@)$zhduCf0YSft63UW7C6+s@V3ayT}f z9)4es&aN^DT6#xnP5H0BM>y#F8yi-ckYOCUE$6#+Kcfgn&WWmBD)n?y?UD+iQG8c@ zH)SM(j=yotppRjX759CTk(aRgwTi#18_u`ok$DoLblubi=n>J{Kk0HHEP9I{5;aF^ z#sv?t18zTPPc(xl?j1o~z%l1@1~irYK+!1=VuQ}MW$9BluK&FQ4F=rpp8oqQN&<5K z<`|gx!-2CF+{Z$R>A()CjJ1ju(HdMX<32uo_;2_`B?_E#alFr%&;KW~ z0QOc`fpaYPLF2c7V>JXcMK8xUcdG^SZ)3cF8zW*t&i9@D8@2ghVK!FaGst`zHUlw@$i|LIGDp6#aOd%0ulA*0S#8a};_jFiOvE}ZZ`T_0ZxEt` zGRd$d&B~?V`pvm4n=1d60Kh_x1qq|kce-ImnWjih z2?%I8p|^d3;5VMl*i6UCG(Q%rnoM=IoiOIXh%s$5HLRwM(^8fdpyVb#ANZMMy|1e* zl&xBFm&ExQ`vy*y`0=$Klh?m*?k0l``c`f^1Lv!OlZwgzs@@t&g(!rCfo}D0aCVS4 z#B67a;|b34)HBXT>{7YBi8u-g3XKFpIP{mzSD+LY)1U4tnbUtb5TQv6#O^1OD~$w# ze*2&9cQt_G%nE{1GVBGUEF_8W6~HUhCC_V+i==N-=h`oOzXm>Zrf{G*k{k>`V2g7d zcwk)~E?t-PznOpeAtVdQwYj>Q!oBAF1gC<>HlG5zd&-Ft*CFT&t}+m-3PcT@eZI75a7t~7!*oO!2><6Dhb`33B0weTwJ-0+2?RSGR&NQm(p&Q-NTE$yZhSv)blp-X{w3fp@voAH}O>% zhB$Kn$YGJyU)FXeDIiDhxl_ep^^g!aLo8~FK#ZucszUl(h!A3*Tl6-zitNh#+BK@@ zw3>^km1CD`5|^F{IN%2ULIbDMakzfRC)Y)TkdNCQ|~f*UHI3S z>W{2c!L0#dIVAMY@E)nW`}sz^?lG9ofoCu|wYkrPVtsk*L6)K5g+|_3_X+V-cfVjv zNv%@E=UOAAgFjaJAU$yh4;D2`CJrWipeUgF65TY-h!kUX9w?n(o*w>?t$#t}Y!;R& ztS|P{fkUP5Xu`0W{@^QpLvN>Wj9t5?p{PCXMPh&vlGQZL?hOTR_(qjqv$r2zzkOjP z3Wm7b9g5A$W1k<)yJ+nyVBsl|YMqTs%HhMlGrQ*J8RQ=67nYA)Wb32lmI+;|!XFCh z%7g&GRI1$`6l-t*Hdo=kJhMO`Fnjs!ikj0Sfk)fSHPz^k&aVZ*Q^`njC3Dr2VtCDtpWGg8>i}=1C5}KB})5QJLg)o-BUHMCL@m4cmkh3 zNS-==umMq>lDDW!USCj^Y#$)xmS`#n>DWB&wCymi@u=~n$MP1IPMys5#^E`*TULZhYuL;=P%DsV<_XBJKd-)6)a7rDHIC2 
zc8MWa!%>w#1qDSRzj(BYwD(X$P+p7GU~)~cip`7fe|?0J`r$nDV2)QcJ0m@{)I_tpp#YxJb(p&Azfm#E-(!n`@V)OyDFQbjA-eYxAkqir*tW7q5YsSI3?uwe^%DXD0XVzt!_s>c7}jNf&F@d}2; zC=k1Q@=QwA$}4VUCB;7%I|zh^R!C|0WpfKN{mY-^;9w%jxXf=i!Vj{{-Y02o$^_{? zxjGu*r$_KL#gH+KNwOhB{t%-p5Z+8HI@4RhU$pRTQYzE2lQ!T&LH8xXiNGBAvxV^?Lqb5lx*EjL_rvt? zJ4r&WV{3s^I@G=*jz_676`e2<`e})v_ykXTBiX2^4w&Pepmi1fcu>5RNeovkAw)9W zL_};>FNLxO6cQt9mJ^RH^c$E68*!$-1N#Q?on+ny8}`TDH$l#of|@}q48#F4K^y@K zRpA@~jHh^1YE_Clh0zH37^wa^VW|qQYjzOWz<)+Uq`+_FB_893N=Hr%m?_B>dF2!M z>ew%t%PW&RJx_zUN;Olh{4Uqif!(YyyjSUCJ1Ex?o&V>Xf>K-*`ICbH_18!#ngOEm zL0=a&F+@Zant`4q1({3ve@%qpbVVNZxOaq}?N-w(p*T`4Vn_hpryFmN%Isq+(I4Z4WTFrn2bvr?Vn zI+q>i^V77IG~Xb~?SfX%(CR1eOP^r4OJaZ2d>}2)dL?B~j0W)OI+!M_rC$cov3kp@ zm%uf~BYgMjSZYWy)rNovJw5x5YZG)FqDY8VkA6XW-&Ug9b%f++%%F)a^QX=!f&Jvz`WQ20IQsaKh9@W=`A2Smk&6tzSia#ZMDbdi|ljuWwQ#ZqGNoR;-8Cut5ObJ2o ziL>L%kI~)q2Jae;Dw!c-Q(2KW1p)6^P%Q68BhL)ehux#vYwt1gaeA91{juf8_!8*MW~feeWUv@>Q=pC}X$On&Q!nza22w9lh&A2x zhAFBFBT_1VE|66S+zXRU@VS!#^-#(WGv?EyC^KUrx^9KBl2(TF4hzvvNx#VJL`9S5 zOrm(bN6Y2J(cUn*>ce}xqpH9b6ZHOJ5X+_>3A(>9auXSW6i=yIMN7u~5Rm^VMxPy5 z#B+&PnKe19B`3Jtu%@XNGcBmJ=Rmt~l~=JNEAhFS)A8}DVtv%=gS*dLMx(uXss8@? 
zC0wHlYCDU8OURwfX9_863yN$>30*m0zFI9cbY{@2V-w`Mcsr+j}QNl5VkV(@H z#^-NDhh#Q|HC?FSFbc%&Iz!|gV#;xUST*26uqfL#EnxaqFf2;89tpOP@jPfC7<++@ zF(knen+u0dNiRjG3_49eWK}!^AI>FIKl%Gq8ZgZJ zds(ymhx488jOj~-7dO2XUd==2RMn%ivt!WP8LUs55>Gxi(4#H)+;m^BI494Lt&(^vDnAyQ7Xdvy@R-IoL z!gryB0U|%Z_@AKyC;xV%$KlMge&lvS;%nW_-d+-$Tl*p4Pf*7E{RCeXEXEK*_3D&r zP_K(_iqRmv-ad?$rJ!y|5^m!)rMOIhy7jpJ`!YfP^( zL1y?KE|V(}%eU9Tn>a5JMx?kO_M`Ev$JarwtYnh-eCW5FyCH;pDD392xBAgl zM%;=i`YHU5S4O1zq>yb=KrkV+dMWy^PPq|;2OH`97EfQhC!%P{Cmb{E3m^BJ~n(3Ydb!ktbBRLLRlxBq7ih+R#9s_{f+=#J*AJitn(5*eecKr|k8MS0IAA=># zC!yl!`2)@6g48|2j-(?PMuq3gPNS4X^tF9#ZX8ClH|k|jy?)abq*H>i3G97~~V!y9Tl2uL{wsN!+Ki|sB41FfX%QXuR~03w*dfnU!5uj6DPFv%4Yc^OjKg7^ZuDX zc1c79&RZH-VH!7-O=_2AI1Z8To|S7})ZqBE@X!`Jj?|XaZ!bk@sn3tphSQ%=TImEr0pG1qKBv_zo5f>@##4WRj?mJl3A;}u|{eJZ&^l4+#&{s}(a zZQ!t4oFkH5F;V}nl4Uaj2_vwy@2HWgl$1)t9#-23Yd8(YztuypM^7WhwEVEwz6w9p z2F;ND<||)1-%2aVOzjSKB5x-XIpzlg9PW5oH2~w3Hg)ZgY@*5SyIbL zzNz1F)7Y3&3|A7HcLLFE}1(iLf+osAF`ntOuK+j3qD-SM`zB;5=e6p;$XF zEs-8>e~1${MhRb1#qLoour1Vq3(1_g+L ziRxGa2EcjY~nD%PC>K$AY3wfAaqZRZd1uf7R&JfPu6=(9B zG=gD0c)?8DGL-B!pVJ%ZN;6KqT7N#ybUi27V~B{(^G8{^TvAIWAEyg%b%Z(Z_!?j+ zUq;zqvm(pJl(rs8E76dQ@%^2yVh)iQLKi97B!YG;ntQ=NUQU{x(JW8FnV736Df3Rr zq4O51#n8YuN;X`;zNz-U0++NZT`!@6KaEU5_(OiXB*4qyj7TMBw0adRDkizl+^>X~ z<#nWT0DivIB4-gKU(44e6(YQ6E785#kE2Br;b0Qofr1|@_U2_1X4<29GjqCpN$dEe zHiAZq+0 z8`&Jq-RME_ajDA$(%c~r^`;grYlj5~IY&6Il?%84m={{0Jj|^}7Z10#5d&j6uPa|J zxfd`n@t@A3`bR8<<&{PkKk!Oe4oWx6*con;{PZ#KX^09n?znJX*Kh433kX*F5@7QM@6F-jJ^LK?6Q4vFVpx#UxC8|!65tyki=czXXD*sO zlS;xno0oV`5R$}`QY@hP-UY|iBrf@}OKHMKsF(Fv5NNofTvs4}=qA|!cl1>Ojyn5zXuS_ywU(9=() z!Lk`y%Y9+QzMnJ)dOj|Sk+7?(-rPmlBulH`oys6-Xb~M0hkj#qkxRd&C`qDx!WI_f zA4#(}=VrJ`*?O6dtReHymd8++&G9oxaeXJ)SI}#gZ{Tl59US&crN`9xDaG7cr#K<2_Zhcki`RWYHX*u-fUaaRV8T#E1`zX zON@&&r#Toi)=dNR%3K~BTY7M2EMW>D(sr$k4X0_r_`y(idE9k!Gex!_n(xfYapplk zs?8|S&9a01XF40!cxvghG7NE$r7o-;EKT1F7F6j^t-QYWBE>P01*Z?p-iVO25*&|T z=az|SpgI{AHCW71whBuECP#{Kljbt%feV%q*6>y!j$>=5WDbS@;5Yxa0I*h8nBjZx 
zw*$v5+LHEEhx}yioa{=5`(p31G%x!)3KqHb6%5(1g9_MZ7>Q5yPI9pJ9$E4wG{ltf z3PO5h0s#FR8MJ#sC8NT<50~h8T{5>ElOO`&ifRVQK6=O)5`+5iE9ix8^e7ZC;YLi? zEf|4dc6W|q+^3$I3v=j2e*f2Y=Y|-l!d;UX@NormdP5-8XY|QMjH1z!zih$6 zA}W&%K;w`Y;Z!6~R4wT1R}lBTudwp)Kb~5&eoELH=gY0{2O81G+Yh)D+0)cNmgAMf zKR7w&WYaYF4is4i_wZMkOc*uu6R8{~u^^xN{ux zlGJQy5|y|8c8A({^CnnsF@E3EBI4@U^dPT<)&kk$+Lwc}l=ih;6Q`(ak)Z>+ZOu&xWy?nO1{L94m>+;K2++i>i{iFS`JpTiX zC-(w2|AtFZI+c74!v+YycyJh9BX=*qzOlQ$!=~xNvg$kXcaR1WQH=Q#fl$3)l`RBx zYt@TX(R>5CDIRY-;LP_)6N0(V^tcPxo5@7JcRwc6v|DB`ZTx;m--l18uV70so^N^I z;D-FwuV8QQC8fZ^5;?|otSM0Gy-`*Dn*kgt6TpFI6^I(_ij$NY?C z%mgtsmDoR%40xn6z^pE$&Tcl7O+;)>Qtp1n^ERmP`y3MFT%~L5U#FLRiD(J^%_Fv? zx*AK$UTWMr z))qD%h4!t<(D%;-hyi6#Mgrq3+T;e+TyvWA?*tj<#an$T2JBBi`V91MUeW&?GyY1x z_TYY=IQ1)XS^CIa9RYGE4r&sSBgOp^qkJZDyNh~ydEoyrnt1WhR?NezIC|IYyRExF1D%AmRYxs5lcv*wCsH%}Ik(9rJMjpUv_e3y6GFO^ zaMznbmqom~(Qg1KK`uqHigaLkI0nsb=M9FoMc?^#Vj;I=4Kc7MB?JP1vLN>P7d+@l z8M}LZ0mQQJrz-mTa^A(f-Hm&@M~xBfv^({+E1JT@ecsh65|xK2MG4Yl`Md5)_fX}4 z&BXR`9q)k7FF?evm%)D980AzAq+KrX$y1PoqFcFtw}nVDePQ?j&8^l z!I1&bSbR>KUXe-}0cw*}t7iWat7TvG1DNPq?lMQcj~ z2FoPsYwLNCr-}p)KKSuMUH3HT@qV8e-7~F7ITN~d?Qtx?AKn3{5p~03HQOF9I%emk z_>(Z?rSLtV4LF~54m$!-ol@wVS-MO0$Uxk@xDStK+uN2y2f-evx8L64K}`I1eO+o- zUe>m^-!F1TS1I#oVuEovmvM`b11o@d@)Y9%Iz<)3quzZuc-XLc{;R2+!bzT?_g<~v zcQvj@j4K$^TleE(tc|Y*QTXW;Ks)X@^ip=Xj%!IC81Mm|wLzr}_b?HoKMpi7QfX?`sq+rdiPYtKRQ@rzzG2hw zo}cwq^rxuS1P^#vGidQaeqAU zTA~7SS@HHuE9w|4Nf1x|k|KuzDawYo@LXqtp>?9Ec#!quV$5>MBY>nl+rDzpQuG8O7CAg@*$P`&KG(nq zV-m|g!D{;eM7}k^&Ulg>-O`sq1Mmj{Z90w%y%Q|t=tc*`rVxj`%Oe>`65|XW9X{}A z*>Bo8yy)j2l9vkNDOwK%6Ddi{w+7ougps573{l-m<#VVpX@>l=c`t_Jr-e=gbY~WW zjkF^tTS1-BO)<8Cc@EQ(o}9mu?NwpK>iTl_T;J()G3pm<8i+{C~Z#ZtxUQaBqzwx<+7XrbW$i*k#OYz zTgqS62V4LUCDD4uGu#esq$4j#yH9DL&t{T`{w06>!As4qhQAt|+SVDc1ow7Kyp10Q zys;bJ(9T1jcAcwZzeV6>ZiK^_zy3||ABEa8weq*u2hmQk`YA@g;50Sl1!W=7ul{sh zx+#42`G6?l|EI%ooHnpy9CN3|F%JT_F{93#d`(TPof|=>_ixln@IOxy-s-2|($BiX z#^JkVmatMH1#U$GU{Ti+)CvDp#SrTV1QJa*+DQQ$09~jBt;hF2Yy+Hs+CV$N=HFXT zDtHwb#WyDc+N-*lEfnprw!0?Db&;NF(?x$kbeDLFvn 
z9H-lP@eQvg(dMS6!Sss0a~D_0ypfUiV6hMpq?>M63uP@ko347``if_Jwuk~OCtQMD zbYdaNJcSasI2DgsF0Cub3y)4ZfSIJf?R9TE*m3cgIet=ahe(87Z<$dE}eR)qqjM!}f~0p8}8wVE{Vl*e!tZ$`u8mc(_kqmhaOE zkyyZ@BzD&NZsIDwriy+}e8%J<^5yrVHv^rZ;_8wU!wq5ElVSLHv24OCW@|%hniby4 zO7%#5qlb)^#lVh~6B9FoN2n&}WjxKXKZ{w?cik_CUd+!Kg6iPM4b-|CK4;CnZ(#kv z8F6IOOPvCKi?X0%3(4Mz71g&PVP9T? zNwA8qHCWYPc~u$%gs)3=x1L`O(V!3!zcPM|w5if3gMI!^03^AV7U!&89bcjPHKHv% z$6$7UXcN_@%4)*TZ_kA&IqIK3+P!Uqda^BC%%tq3x!qM2Qp?d@rgnyCe*36@-i2BxYK$ zzN)Z!a!v*2*crq7?Dd?Mx9MJMsA!d=t@F(V<>TWae+6^vS|L136KS0ZQhm!_BMT-i z>s2g_UB_REafCW(vda_5ca7J|wi|E1Ks z?wy?$E#5e}qW(y`o+N2TO3u?Q9yVVTw4>6SN!h(G7e3&a?vHs36MnUFbwMHHiMLuDQ`;v38A z_TziFD26zS6-b;EUGa;g8Z2~Cgt%a{-Fb>6!ft86OM z1&0M|FNOw16`PT&zQf;YHyCOrQ zOSVatML+iRHvShIl6)2H^|>s1Q`rVS%!+;&Qpeyso~u5qyR)mJyX~+`odt)D)XBwX zYqRbz0r4pG*%8dMhtxxKsOI0C#%eCMm?I7WjB!&K?Usq3vm;@VyU|gsLGgHsrjxK9 z&SJUuAn@N$)=J{)n1Edyv;k7`bw!QG{+ z^8m@ws|PP7I$j!XLX4oj_2D!rlQsm}V*aRo2VbI*XLn;qO3WVrQm!rD2;z>rLk zPwKdJn@O!@<*{gB{>JMu^W%%!&@|si@u@DJ!syP`9l3U?ir1O`m;M#F++VaOrB1Zc zBHNmBb*);e+C=V-B|o2VoKAcKJ$6}GyW=K92nscVJqMt5WoH`smt7pit-B@WWM+`$ zGM>AN;kiEKXs1VJn=^C&XV=H=AH*+*!j;nqpm(0{ zH>2*J+Z;z=XPqzJu$#*W@tKg!CMn_~OFCN90 z@5v=gEAx&D6u3hDKROL4t3SQ;-*pi_r7tu&`uQcxZ>@GQ2;6uYwl-38JJSEKcP_Zs z=Q2gd8x<(;;hdEwb|Q7!pD{u(n`bB2ezDrCLbLb>=ihatYa-z<}Pxcsl@v#ha2HOX+R2G)|q7$?)%qDl~d zZ#ce|b_zLh%Y)s#M}m5^QFQO(K22~Rb*ed|PG`;}dd^b`=oD`Ae;r+4l^XfPWWKH@ z_0H>Uv=)mM8F-2mJoUk3{y4OD&!Z*{3j^|W;^CT0Pcpsz%ZU`y@egwZv^7ai0wRPI zTd#Z;30=SSx;8A5J%6{l@j_o=dYyteUvd1ogXh43_~zEPr$xgSXucZ(6MiN~?)Z|} zE(aZ&Ac_>uA4aLqDNE0OmdMIr)9FyLbXNE}nwJso)mE*oUBlO|qeHQ3UL@75aU_>2 zMwvgkE>RDjsOqpX8C|lm&oyM(GINLT}@B4t2}wMG4S`lMoc z!E9^6qj!IE-)JODG*8s+!_Q_n==rY7`(18Jt3);G`BwfWXE~Q^x58POiqA943O1bE zzxGDBXOlDPHz+9B>p_}rVD!s`M{P+JkjBt9ZF2J7m^!1hV!(TNU$Ff6SS6{7@EQ?22ZhJqAi*DKH z3@l!(tcKBdO@c{$ufrRu{cl38hE$u5LRV*bWyj8-&T%r%2FaevXBx(3y>NU}nA4Ek zn%`;PX8JjtJ~J*`BFh%|_j)pYsDHd#bP-8{eR^@UdSnXJ24{_@RiG2iEZuSNdgf_XVsYZepQ<}YSL9x`*ia) z?8Z`Ve*|AlR(4PJOV{_W-G6?|8#YtD15PFc^;D=I&BUog3`tW&lWN2J 
zdi(knz4ztmLh*GNdrO(;4$ZRa|1g}8)&RFJewzE;5;5niMitgVk3U;becq0s55zZ6 z&>J@{jr)N<`&*#wp-wc2xQvcRAWfYSrA}CX-g@FKi@DWfO{u-$kxn&(;$NGeeob+B zeKG%FcIDz#*;Op;wUki!R^~UR0rBQ1ZBEjt6i$35VKOT1Pnf6$(u-i*s882n(&u!F zrD})cW@H{cOqACaG`YnimRcHL38lma^jP>hbZbXJUz4h0UudaSZL3v{vKu>sj3tBw zx;Q^3k;R(3Jl$Y#=OaU~j(#w}7hrj$+o7@Q$ zP+b&4i5SNk1k!h7(D!1{uLA1_{d{;ds@bQB8A}yodyKT)YO}=NjhdJ*_8pnOj%GO$ zmv#S>cTwKjn#jaWokBS_3ovTQq*v^+3A?2&NXR}>6ER$4{{<)ZTGY& zFZE+mBrkDejxJSudR&4!9Rd|~N+RH%Bcg7_fflWf{t)0+4s(*NSSQDmI)Tn=^|q)T z&FOG}UTkQAp3UrUr6LfYmgn}0R;yYP4s6_{JT2c_i$3p_ShpxP-jd@tE-symNsD$# z-edtaZb3^ZVm^a;5uONDjn<{-^BPqB%HAWE#W21L0X+~ll*B0F*9|%sJZHCyTzPPRU>^eKY zk`^#arnby(E{-maOh>NrM!bYZlOS3Ov?}IfOQzu*4Zr;gdL0H2hkowmxsH_o>Yk*f z#}N1Gx7vf1JQ;b?$v8PQq6wmp`{g2IGo$gz7A-to%!#@F%<>&Kof0RJxD&H$ez>wd zTtLO{C(s{MSr$!M~7B)xb17%YS){)$w5m|T3AN__auuAx8^y>;ZieeAvs zCovOioc5Qj5DWwM?xF&aF577Ez+_Y*~u{8BY+G)hv`U2$j73@hsEV)(wf^ zC^qJdiQ(k8R?)6u=G1ro@DQgjV$`_)fF|9=MGXe>MhkaJ-E7pKHnMx^@3?~Jn&pR_Tc~>^|v6IhRrD%@& zf$&{^N`Q#x@%Ok{iqy#_y6g91GtXq|i`@#V(!TJGzT_-wGFQc$Z}FDb=bB-OBKOn> z&FHBd-H2;9m$^YzL^(lW}21O@1u; zgRd66kIwzb{SW3>n-A98yjeZ3_B^O#5E&!y$41`2fDZ`yw!J0DqqOt0i-@Xk5f*}G zsQ$N-p1yk9@+VfUjy_{$)G&F#9zAOuepsVTu5$U5F2h(=usw0sNo4xMD@JsIP17AlOn$sS{+uJ(E|WBH;sy^*V<9sDy^a7KOmYW-Xn$@sO81yHcO;axKXUTY?I*yZi$5vTz)@H;n+Gsj|Zhe0auigBSCKB0r z$j`jmz*p&rokWDXiCLeG;?{_1?-fb+))uvUy1OOjlas*>qMdVft2;8%HZ4o@MdBL4 z{*SG%kmjNN-*AcJYl~sgyoxYJbvH5j3NOT{dI78F=>NqljVCjki|Wrx?y)aZxk61G{I52Q`#s zL3-Blm|uQi?PCcRv25VQd&+@~-{A+aey@5cD!KViXqe&(UrA}Ji zHKZx|95Pfgdq++%gE=*|6oerUC$Wg5Iq!f*$w(DbS8)LgDYu=Y{u|Q8u}m#Z80*Hn zydN4Wt~%(nid9Y3*il;U`NzR5=3~Sod&)<9v1*#bQWbNL7g5O8*y>+U&A&})Ze<6{ z%zw6aX{vp;vGaZuvFOuN%udE6+lZs@^Hk4=L9YfZI5XK!{#ieFhI(kRP*L;bi~={& z_u2FM+14k{<9+XgZq;@Y@jqkZ@O&P04!*|~1V%@7?ig&>+3^~VWIUJ*?er!r;ZOaK ziP!CBGtOWvxAGnNjjXDz8SfX1SsKZNd&l(kJWyIr z*X(hxpwwkWwRue;y7{Y@>ej3}OyI-$liF>N@WdQz?uf}TAt0ZO=ji1o)bZ4EV=}*Jg=5=N$>(zMHL^CdK09P-X*q9gAGeH2%jIFlJ<TsDXQqM#&bY#)i(AlTA20*D+QoW++dZd91%* 
zv@CDMEt;e`Jlfgjq$GmMq6KnSmAbTcsV}BQn7d9gq_&TN+$}Od3S{2qdCfCUvR0kX z7dPYT6x>~Xjw*w}Smhbes$jqJAB{AWRn70AN)R>8uNuT{ut!@!Xg^pW-wS9d5PD@m-7Os%B{z@GwCMW!6`D(L?J Dk&(A6 literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index db0d1aae20..1bdb879cd4 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control.png) + ![Windows Security, Windows Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png) ## How Windows Defender SmartScreen works when a user tries to run an app Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. From e5be8292b649cc99dfd98679142ce1067bbcb59a Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 8 Apr 2020 15:13:48 -0700 Subject: [PATCH 56/64] a few minor changes --- devices/surface/surface-dock-firmware-update.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index fac67d3f89..d83ed2c6be 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -14,16 +14,16 @@ ms.audience: itpro --- # Microsoft Surface Dock Firmware Update: Technical information for IT administrators. -This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. +This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used. -> [!NOTE] -> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site.
Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used. +> [!IMPORTANT] +> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network. ## Install the Surface Dock Firmware Update -This section describes how to install the firmware update. +This section describes how to manually install the firmware update. -> [!IMPORTANT] +> [!NOTE] > Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. 1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). From 17c237f770741dbe052a02c030e978d59132bd76 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 8 Apr 2020 15:29:43 -0700 Subject: [PATCH 57/64] yet another tweak --- devices/surface/surface-dock-firmware-update.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index d83ed2c6be..ec2048bd6d 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md 
@@ -1,5 +1,5 @@
 ---
-title: Microsoft Surface Dock Firmware Update
+title: Microsoft Surface Dock Firmware Update: Technical information for IT administrators
 description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
 ms.localizationpriority: medium
 ms.prod: w10
@@ -14,11 +14,13 @@ ms.audience: itpro --- # Microsoft Surface Dock Firmware Update: Technical information for IT administrators. -This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used. - > [!IMPORTANT] > This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network. +This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. + +This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used. + ## Install the Surface Dock Firmware Update This section describes how to manually install the firmware update. From c0ec8d21495b547c0690ca23fcbd9b0e9c8fa55e Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Wed, 8 Apr 2020 15:54:07 -0700 Subject: [PATCH 58/64] Removed "/en-us" and "/ro-ro" from Microsoft URLs --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index b51416da63..9369ea8370 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -329,7 +329,7 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory. -Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/ro-ro/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) do. +Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do. If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. From 69fa11f8dff839c66f2cceaa9d0caa9f1fc295e2 Mon Sep 17 00:00:00 2001 
From: Greg Lindsay
Date: Wed, 8 Apr 2020 15:54:36 -0700
Subject: [PATCH 59/64] oops no colons in metadata
---
 devices/surface/surface-dock-firmware-update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index ec2048bd6d..2fb3da6526 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft Surface Dock Firmware Update: Technical information for IT administrators
+title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators
 description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
 ms.localizationpriority: medium
 ms.prod: w10
From 47004e7b3e4e6d32df9e47e4a41ab8ea85b3d350 Mon Sep 17 00:00:00 2001
From: Greg Lindsay
Date: Wed, 8 Apr 2020 16:09:50 -0700
Subject: [PATCH 60/64] gah remove period
---
 devices/surface/surface-dock-firmware-update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index 2fb3da6526..5b79a9606f 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -12,7 +12,7 @@ ms.reviewer: scottmca manager: dansimp ms.audience: itpro --- -# Microsoft Surface Dock Firmware Update: Technical information for IT administrators. +# Microsoft Surface Dock Firmware Update: Technical information for IT administrators > [!IMPORTANT] > This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network. From bf152c764e805b9f8d7abe8d3695816a9c174c69 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 8 Apr 2020 16:12:06 -0700 Subject: [PATCH 61/64] fix section reorder issue --- devices/surface/surface-dock-firmware-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 5b79a9606f..16353fbb20 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md 
@@ -36,7 +36,7 @@ This section describes how to manually install the firmware update. ## Monitor the Surface Dock Firmware Update -This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: +This section is optional and provides an overview of how to monitor installation of the firmware update. See the following sections in this article: - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) - [Event logging](#event-logging) - [Troubleshooting tips](#troubleshooting-tips) From 800c1af03b8d0ae5c3cb69dd81ed6fa6853324a4 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 8 Apr 2020 16:18:55 -0700 Subject: [PATCH 62/64] another tweak --- devices/surface/surface-dock-firmware-update.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 16353fbb20..f1fa0e58fa 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -36,11 +36,7 @@ This section describes how to manually install the firmware update. ## Monitor the Surface Dock Firmware Update -This section is optional and provides an overview of how to monitor installation of the firmware update. See the following sections in this article: - - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) - - [Event logging](#event-logging) - - [Troubleshooting tips](#troubleshooting-tips) - - [Versions reference](#versions-reference) +This section is optional and provides an overview of how to monitor installation of the firmware update. To monitor the update: 
@@ -61,6 +57,12 @@ To monitor the update: >[!TIP] >If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored. +Also see the following sections in this article: + - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) + - [Event logging](#event-logging) + - [Troubleshooting tips](#troubleshooting-tips) + - [Versions reference](#versions-reference) + ## Network deployment You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent: From 2931ef9ac50efaf62d0bd3b164fef952ccdc96ae Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 Apr 2020 16:18:57 -0700 Subject: [PATCH 63/64] Updated scope for start/hidefrequentlyusedapps --- windows/client-management/mdm/policy-csp-start.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index a55e6716ff..c5e74893fc 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1025,6 +1025,7 @@ To validate on Desktop, do the following: [Scope](./policy-configuration-service-provider.md#policy-scope): > [!div class = "checklist"] +> * User > * Device


From a9b50390589a5f24fdefa96d915972f97b3858ec Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Thu, 9 Apr 2020 10:05:06 -0700 Subject: [PATCH 64/64] remove editorial mistake remove reference to jaime --- .../deployment/update/update-compliance-schema-wudostatus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md index 7a9adf27cd..f3d6dc0e2a 100644 --- a/windows/deployment/update/update-compliance-schema-wudostatus.md +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md 
@@ -36,7 +36,7 @@ These fields are briefly described in this article, to learn more about Delivery
 |**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
 |**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
 |**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
-|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode)**@JAIME** configuration for this content. |
+|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this content. |
 |**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
 |**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
 |**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |