AttestationReport/AttestationReport.psm1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

# Creation of an attestation report class to have meaningful data and formatting
class AttestationReport
{
    [DateTime] $Time
    [string] $HostName
    [string] $AttestationOperationMode
    [string] $AttestationStatus
    [string] $AttestationSubStatus
    [string] $AuthorizedHostGroup
    [string] $EndorsementKeyHash
}

#region Constants
$script:AttestationEventProviderName = "Microsoft-Windows-HostGuardianService-Attestation"

# The telling event that an attestation request passed.
$script:TcgLogValidationEventId = 1203

# AD based attestation status events
$script:AttestationAdStatusEvents = 
@{
    1519 = "Passed";
    1524 = "UnauthorizedHost"
}


$script:AttestationTpmSubStatusEvents = 
@{
        1500 = "NoInformation";
        1508 = "SecureBoot";
        1510 = "DebugMode";
        1513 = "CodeIntegrityPolicy";
        1523 = "NoInformation";
        1533 = "Iommu";
        1534 = "VirtualSecureMode";
        1535 = "PagefileEncryption";
        1536 = "BitLocker";
        1537 = "HypervisorEnforcedCodeIntegrityPolicy";
        1538 = "CodeIntegrityPolicy";
        1539 = "HibernationEnabled";
        1540 = "DumpsEnabled";
        1541 = "DumpEncryption";
        1542 = "DumpEncryptionKey"
}

$script:AttestationTpmStatusEvents =
@{
        1500 = "UnauthorizedHost";
        1508 = "InsecureHostConfiguration";
        1510 = "InsecureHostConfiguration";
        1513 = "InsecureHostConfiguration";
        1523 = "Passed";
        1533 = "InsecureHostConfiguration";
        1534 = "InsecureHostConfiguration";
        1535 = "InsecureHostConfiguration";
        1536 = "InsecureHostConfiguration";
        1537 = "InsecureHostConfiguration";
        1538 = "InsecureHostConfiguration";
        1539 = "InsecureHostConfiguration";
        1540 = "InsecureHostConfiguration";
        1541 = "InsecureHostConfiguration";
        1542 = "InsecureHostConfiguration";
}
#endregion

<#
.Synopsis
   Generates a report of attestation requests done by an HGS server
.DESCRIPTION
   The Get-HgsAttestationReport cmdlet obtains events from the HostGuardianService-Attestation event provider, and parses them to find the past attestation requests handled by this HGS Server.
 
   When running this cmdlet on or target in an HGS server that is a member of a cluster, it will attempt to find relevant events from all nodes.
 
   If -AD or -TPM is not passed through, it will report attestation requests of the current operation mode.
.EXAMPLE
   Get-HgsAttestationReport -AD -Tpm -StartTime (Get-Date).AddDays(-7)
 
   Generates a report of all AD and TPM based attestation requests handled by the targeted HGS server for the past seven days.
.EXAMPLE
   $cred = Get-Credential
   Get-HgsAttestationReport -ComputerName HgsServer.Contoso.Com -Credential $cred
 
   Generates a report of all attestation requests of the current operation mode handled by the targeted HGS server as far back as the event logs go.
#>

function Get-HgsAttestationReport
{
    [CmdletBinding(DefaultParameterSetName = 'LocalComputer')]
    param
    (
        # Specifies the earliest date to look for events
        [Parameter(Mandatory = $false)]
        [Alias("NotBefore")]
        [DateTime]
        $StartTime = [System.DateTime]::MinValue,
        # Specifies the latest date to look for events
        [Parameter(Mandatory = $false)]
        [Alias("NotAfter")]
        [DateTime] 
        $EndTime = [System.DateTime]::MaxValue,
        # Specifies if the parser should look for AD based attestation requests. If both -AD and -Tpm are not present, the search defaults to the target's current Attestation Operation Mode.
        [Alias("ParseADRequests")]
        [Parameter(Mandatory = $false)]
        [Switch]
        $AD,
        # Specifies if the parser should look for Tpm based attestation requests. If both -AD and -Tpm are not present, the search defaults to the target's current Attestation Operation Mode.
        [Parameter(Mandatory = $false)]
        [Alias("ParseTpmRequests")]
        [switch]
        $Tpm,
        # The name of the target computer.
        [Parameter(Mandatory = $true, ParameterSetName = "RemoteComputer")]
        [String]
        $ComputerName,
        # Credentials for invoking commands on the target computer
        [Parameter(Mandatory = $true, ParameterSetName = "RemoteComputer")]
        [PSCredential]
        $Credential,
        # PSSession Configuration Name for invoking commands
        [Parameter(Mandatory = $false)]
        [Alias("ConfigurationName")]
        [String]
        $EndpointName = "Microsoft.PowerShell"
    )
    
    if ($PSCmdlet.ParameterSetName -eq "LocalComputer")
    {
        try 
        {
            $HgsServerInfo = Get-HgsServer -ErrorAction Stop    
        }
        catch [Exception] 
        {
            Write-Error $_
            break
        }
    }

    else
    {
        try 
        {
            $HgsServerInfo = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ConfigurationName $EndpointName -ScriptBlock {Get-HgsServer} -ErrorAction Stop   
        }
        catch [Exception] 
        {
            Write-Error $_
            break
        }
    }

    # In the case of multiple nodes
    $HgsServerNodeNames = @()
    switch ($PSCmdlet.ParameterSetName)
    {
        "LocalComputer" { $HgsServerNodeNames += (Get-ClusterNode | Where-Object {$_.State -eq "Up"}).Name }
        "RemoteComputer" {$HgsServerNodeNames += (Invoke-Command -ComputerName $ComputerName -Credential $Credential -ConfigurationName $EndpointName -ScriptBlock {Get-ClusterNode}).Name}
    }

    if ($HgsServerNodeNames.Count -gt 1)
    {
        switch ($PSCmdlet.ParameterSetName)
        {
            "LocalComputer" { 
                Write-Warning ("This host is not the only member of the Host Guardian Service instance '{0}'. To collect all attestation requests handled by this instance, run this script targeting all of the machines of this instance: {1}" -f $HgsServerInfo.AttestationUrl[0].Host, ($HgsServerNodeNames -join "; "))
            }
            "RemoteComputer" 
            {
                # This will still give the netBIOS name even if the input computername is the netBIOS
                Write-Warning ("The host '{0}' is not the only member of the Host Guardian Service instance '{1}'. To collect all attestation requests handled by this instance, run this script targeting all of the machines of this instance: {2}" -f $ComputerName,$HgsServerInfo.AttestationUrl[0].Host, ($HgsServerNodeNames -join "; "))
            }
        }
    }

    if (!$Tpm -and !$AD)
    {
        # If we can get the current attestation operation mode, use that.
        if ($HgsServerInfo.AttestationOperationMode.Value -eq "Tpm" -or $HgsServerInfo.AttestationOperationMode -eq "Tpm")
        {
            $Tpm = $true
        }
        else 
        {
            $AD = $true    
        }
    }

    $EventIds = @()

    if ($AD)
    {
        $EventIds += $script:AttestationAdStatusEvents.Keys
    }

    if ($Tpm) 
    {
        $TpmEventIDs = $script:AttestationTpmStatusEvents.Keys + $script:TcgLogValidationEventId
        $EventIds += $TpmEventIds
    }

    $AttestationEvents = @()
    switch ($PSCmdlet.ParameterSetName)
    {
        "LocalComputer" {
                            $AttestationEvents += Get-WinEvent -ProviderName $script:AttestationEventProviderName -ErrorAction Stop| Where-Object {($EventIds -contains $_.Id) -and ($_.TimeCreated -gt $StartTime) -and ($_.TimeCreated -le $EndTime)} 
                        }
        "RemoteComputer" {
                            $AttestationEvents += Get-WinEvent -ProviderName $script:AttestationEventProviderName -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop| Where-Object {($EventIds -contains $_.Id) -and ($_.TimeCreated -gt $StartTime) -and ($_.TimeCreated -le $EndTime)} 
                        }
    }

    $AttestationRequests = @()

    if ($Tpm)
    {
        $TpmEvents = $AttestationEvents | Where-Object {$TpmEventIds -contains $_.Id}
        
        if ($PSCmdlet.ParameterSetName -eq "RemoteComputer")
        {
            $TpmBasedAttestationRequests = FindTpmRequests -Events $TpmEvents -ComputerName $ComputerName -Credential $Credential -ConfigurationName $EndpointName -UseRemote
        }
        else 
        {
            $TpmBasedAttestationRequests = FindTpmRequests -Events $TpmEvents    
        }

        $AttestationRequests += $TpmBasedAttestationRequests
    }

    if ($AD)
    {
        $AdEvents = $AttestationEvents | Where-Object {$script:AttestationAdStatusEvents.Keys -contains $_.Id}
        if ($PSCmdlet.ParameterSetName -eq "RemoteComputer")
        {
            $AdBasedAttestationRequests = FindADRequests -Events $AdEvents -ComputerName $ComputerName -Credential $Credential -ConfigurationName $EndpointName -UseRemote
        }
        else 
        {
            $AdBasedAttestationRequests = FindADRequests -Events $AdEvents    
        }

        $AttestationRequests += $AdBasedAttestationRequests
    }

    # Re-sort by time
    $AttestationRequests = $AttestationRequests | Sort-Object -Property Time -Descending
    
    Write-Output $AttestationRequests
}

<#
 Parse events into AD based attestation requests
#>

function FindADRequests
{
    param(
        [System.Array] 
        $Events, 
        [switch] 
        $UseRemote, 
        [string]
        $ComputerName, 
        [PSCredential]
        $Credential, 
        [String]
        $ConfigurationName
    )

    if ($UseRemote)
    {
        $AuthorizedADHostGroups = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ConfigurationName $ConfigurationName -ScriptBlock {Get-HgsAttestationHostGroup -WarningAction Ignore -ErrorAction Stop} -ErrorAction Stop
    }
    else 
    {
        $AuthorizedADHostGroups = Get-HgsAttestationHostGroup -WarningAction Ignore
    }
    
    $ADAttestationEventGroups = GroupEvents $Events

    $AdBasedAttestationRequests = @()
    foreach ($ActivityId in $ADAttestationEventGroups.Keys)
    {
        $AttestationRequest = [AttestationReport]::new()
        $AttestationRequest.AttestationOperationMode = "AD"
        $AttestationRequest.EndorsementKeyHash = "NotApplicable"
        $EventList = $ADAttestationEventGroups[$ActivityId] | Sort-Object TimeCreated

        # Use time of earliest event
        $AttestationRequest.Time = ($EventList)[0].TimeCreated
        
        foreach ($event in $EventList)
        {
            if ($AttestationAdStatusEvents.ContainsKey($event.Id))
            {
                $AttestationRequest.AttestationStatus = $script:AttestationAdStatusEvents[$event.Id]
                if ($AttestationRequest.AttestationStatus -eq "Passed")
                {
                    $AttestationRequest.AttestationSubStatus = "NoInformation"
                    $AttestationRequest.HostName = $event.Properties.Value

                    # Check if it can't be cast into a SID. If it can, then its the HostGroup Identifier. Otherwise, it should be used as the Host Name
                    # Known issue with this approach: if the SAM account name is somehow in the form of a SID, but this should not be possible.
                    foreach ($prop in $Event.Properties)
                    {
                        try
                        {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $prop.Value
                            $hostGroup = $AuthorizedADHostGroups | Where-Object {$_.Identifier -eq $sid.Value}
                            if ($hostGroup -ne $null) 
                            {
                                $AttestationRequest.AuthorizedHostGroup = $hostGroup.Name     
                            }
                            else 
                            {
                                $AttestationRequest.AuthorizedHostGroup = $sid.Value
                            }
                        }
                        catch
                        {
                            $AttestationRequest.HostName = $prop.Value
                        }
                    }
                }
                else
                {
                    # Otherwise, the only property associated with this event is the machine SID of the attesting client
                    $AttestationRequest.HostName = $event.Properties.Value
                    $AttestationRequest.AuthorizedHostGroup = "NotApplicable"
                }

                $AdBasedAttestationRequests += ,$AttestationRequest
            }
        }
    }

    return $AdBasedAttestationRequests
}

<#
 Parse events into TPM requests
#>

function FindTpmRequests
{
    param(
        [System.Array] $Events, 
        [switch] $UseRemote,
        [string] $ComputerName,
        [PSCredential] $Credential,
        [string] $ConfigurationName
        )

    if ($UseRemote)
    {
        # Only need to get settings from one node
        $AuthorizedTpmHosts = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ConfigurationName $ConfigurationName -ScriptBlock {Get-HgsAttestationTpmHost -WarningAction Ignore -ErrorAction Stop} -ErrorAction Stop
    }
    else 
    {
        $AuthorizedTpmHosts = Get-HgsAttestationTpmHost -WarningAction Ignore -ErrorAction Stop
    }

    $TpmAttestationEventGroups = GroupEvents $Events

    $TpmBasedAttestationRequests = @()

    # Iterate through attestation groups, generating an AttestationReport object
    foreach ($ActivityId in $TpmAttestationEventGroups.Keys)
    {
        $AttestationRequest = [AttestationReport]::new()
        $AttestationRequest.AttestationOperationMode = "Tpm"
        $AttestationRequest.AuthorizedHostGroup = "NotApplicable"
        $tpmEventList = $TpmAttestationEventGroups[$ActivityId] | Sort-Object TimeCreated
        # Get earliest event
        $AttestationRequest.Time = ($tpmEventList)[0].TimeCreated
        $HostNameFound = $false
        foreach ($event in $tpmEventList)
        {
            # Not all attestation failure events have the host EK attached to it. Instead, use the ID from the event corresponding to starting the TCG log verification
            if ($event.Id -eq $script:TcgLogValidationEventId -and -not $HostNameFound)
            {
                $AttestationRequest.EndorsementKeyHash = $Event.Properties.Value
                $Hostname = ($AuthorizedTpmHosts | Where-Object {$_.Identifier -eq $event.Properties.value}).Name
                if ($Hostname)
                {
                    $AttestationRequest.HostName = $HostName
                }

                $HostNameFound = $true
            }

            if($AttestationTpmStatusEvents.ContainsKey($Event.Id))
            {
                $AttestationRequest.AttestationStatus = $AttestationTpmStatusEvents[$event.Id]

                # Account for multiple substatus reasons
                if ($AttestationRequest.AttestationSubStatus -ne $AttestationTpmSubStatusEvents[$event.Id])
                {
                    $AttestationRequest.AttestationSubStatus += $AttestationTpmSubStatusEvents[$event.Id]
                }

                if (-not $HostNameFound -and $AttestationRequest.AttestationStatus -eq "UnauthorizedHost")
                {
                    $AttestationRequest.HostName = 'UnauthorizedHost'
                    $AttestationRequest.EndorsementKeyHash = $Event.Properties.Value
                    $HostNameFound = $true
                }
            }
        }

        $TpmBasedAttestationRequests += ,$AttestationRequest
    }

    return $TpmBasedAttestationRequests
}


# Group an array of events into a dictionary based on their Activity ID's.
function GroupEvents([System.Array] $Events)
{
    $EventGroups = [ordered] @{}

    # Form groups based on the correlation Activity ID (on the HGS server, these all properly map to identical attestation requests)
    foreach ($event in $Events)
    {
        if ($EventGroups.Contains($event.ActivityId))
        {
            $EventGroups[$event.ActivityId] += ($event)
        }
        else
        {
            $EventGroups.Add($event.ActivityId, @($event))
        }
    }

    return $EventGroups
}
# SIG # Begin signature block
# MIIkegYJKoZIhvcNAQcCoIIkazCCJGcCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCn1XrRfqS8kb1V
# yw/L7Vj0Y0m7xigSh+9DCeqkFl1YQKCCDYEwggX/MIID56ADAgECAhMzAAABA14l
# HJkfox64AAAAAAEDMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMTgwNzEyMjAwODQ4WhcNMTkwNzI2MjAwODQ4WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDRlHY25oarNv5p+UZ8i4hQy5Bwf7BVqSQdfjnnBZ8PrHuXss5zCvvUmyRcFrU5
# 3Rt+M2wR/Dsm85iqXVNrqsPsE7jS789Xf8xly69NLjKxVitONAeJ/mkhvT5E+94S
# nYW/fHaGfXKxdpth5opkTEbOttU6jHeTd2chnLZaBl5HhvU80QnKDT3NsumhUHjR
# hIjiATwi/K+WCMxdmcDt66VamJL1yEBOanOv3uN0etNfRpe84mcod5mswQ4xFo8A
# DwH+S15UD8rEZT8K46NG2/YsAzoZvmgFFpzmfzS/p4eNZTkmyWPU78XdvSX+/Sj0
# NIZ5rCrVXzCRO+QUauuxygQjAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUR77Ay+GmP/1l1jjyA123r3f3QP8w
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDM3OTY1MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAn/XJ
# Uw0/DSbsokTYDdGfY5YGSz8eXMUzo6TDbK8fwAG662XsnjMQD6esW9S9kGEX5zHn
# wya0rPUn00iThoj+EjWRZCLRay07qCwVlCnSN5bmNf8MzsgGFhaeJLHiOfluDnjY
# DBu2KWAndjQkm925l3XLATutghIWIoCJFYS7mFAgsBcmhkmvzn1FFUM0ls+BXBgs
# 1JPyZ6vic8g9o838Mh5gHOmwGzD7LLsHLpaEk0UoVFzNlv2g24HYtjDKQ7HzSMCy
# RhxdXnYqWJ/U7vL0+khMtWGLsIxB6aq4nZD0/2pCD7k+6Q7slPyNgLt44yOneFuy
# bR/5WcF9ttE5yXnggxxgCto9sNHtNr9FB+kbNm7lPTsFA6fUpyUSj+Z2oxOzRVpD
# MYLa2ISuubAfdfX2HX1RETcn6LU1hHH3V6qu+olxyZjSnlpkdr6Mw30VapHxFPTy
# 2TUxuNty+rR1yIibar+YRcdmstf/zpKQdeTr5obSyBvbJ8BblW9Jb1hdaSreU0v4
# 6Mp79mwV+QMZDxGFqk+av6pX3WDG9XEg9FGomsrp0es0Rz11+iLsVT9qGTlrEOla
# P470I3gwsvKmOMs1jaqYWSRAuDpnpAdfoP7YO0kT+wzh7Qttg1DO8H8+4NkI6Iwh
# SkHC3uuOW+4Dwx1ubuZUNWZncnwa6lL2IsRyP64wggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIWTzCCFksCAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAQNeJRyZH6MeuAAAAAABAzAN
# BglghkgBZQMEAgEFAKCB0DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgYseyI1yj
# BerDQ8JSzbivcCwU/cRSV1/8dmfUKrexDMswZAYKKwYBBAGCNwIBDDFWMFSgNIAy
# AEcAdQBhAHIAZABlAGQARgBhAGIAcgBpAGMAVABvAG8AbABzACAAdgAxACAAMQAg
# ADChHIAaaHR0cHM6Ly93d3cubWljcm9zb2Z0LmNvbSAwDQYJKoZIhvcNAQEBBQAE
# ggEAAi4qqSXut8+b3CuKTBn/JNO7s++83FIhuYRM2hujN8qCqeqsWceLPEBpT8uj
# AcmP/vpAk6lLBRKixqgX5F8YHEdmP0SX01qdZrhtVsDiiLnzYk4+r2wvMQBl2Pnv
# tDLUtSJorFCsTpu7J28v5qTyeHyrxkqaE5m7LO+z7MfHOqFwEy7A1JksTtgVcfd3
# 7cWhQ57+EAymX88zLDv3Lui6VEFb8Z9NKIHoz68j98HTSccYRNJaJVCHgTkuFlGZ
# MuMQth0S7Av2K4Qy67uaan1uHeLbZlk77WsbWac9yRVqEWTrYyh7bFRvZuDDCNnZ
# EHlBugZ6jys99yW8gH3yrOyOL6GCE7cwghOzBgorBgEEAYI3AwMBMYITozCCE58G
# CSqGSIb3DQEHAqCCE5AwghOMAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFYBgsqhkiG
# 9w0BCRABBKCCAUcEggFDMIIBPwIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQC
# AQUABCAZ1nAu8eanVdibZd8fu0W1yzHMUf2V1oULPvnMjlI1pAIGXJQNKkJaGBMy
# MDE5MDMyNjAwMTE1Ny4xMjNaMAcCAQGAAgH0oIHUpIHRMIHOMQswCQYDVQQGEwJV
# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3NvZnQgT3Bl
# cmF0aW9ucyBQdWVydG8gUmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046RjUy
# OC0zNzc3LThBNzYxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZp
# Y2Wggg8fMIIE9TCCA92gAwIBAgITMwAAANGYz+Q8mSVkhAAAAAAA0TANBgkqhkiG
# 9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
# A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw
# JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xODA4MjMy
# MDI2MzNaFw0xOTExMjMyMDI2MzNaMIHOMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3NvZnQgT3BlcmF0aW9ucyBQdWVy
# dG8gUmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046RjUyOC0zNzc3LThBNzYx
# JTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0GCSqG
# SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvAM7ETIap9pIpCoQ98wrtAq2TUf6yP+TJ
# OefqRC1uLKS1QEtieYvaSJhffy/oQlgdflQAa9TumeyS7HC8jUB/YfuNubg8P4/T
# Yr2XHWIUB0uWl1Bq5YPoQSNOKk3VV1RYi8+0JznTgkFlk9+MbsIgxUk1N6TQ98wU
# 1M4LRxtgx7mfSmAgQUCOYfg6aUk6yJdoazaItodOPLevPpMws2W8bXAweSXb5z5J
# ZiVtHomgVDSw0ASfqorEaBHuSl11CW73BUoeNEtTxxeYSkkjGtnc7Cvu1OzfUlzJ
# WuVmDhrIWUg/Tiojc0duIuoDWMR8dqq5HsVuo9jPzgo/M3KTKsf/AgMBAAGjggEb
# MIIBFzAdBgNVHQ4EFgQUg/sSRXA2/2eJulCL3cnGPVTzagwwHwYDVR0jBBgwFoAU
# 1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2Ny
# bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENBXzIw
# MTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDov
# L3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAxMC0w
# Ny0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDANBgkq
# hkiG9w0BAQsFAAOCAQEAOuAy59qkBPSJHpgZ0SV6DT2fItlGpi/Uss59pBEcFbgW
# eJa5TY13HcxhBcCqZ8bcOJx28HcmlMQ39ujbtH3BgNPvGCaop8VuUbvK9Li225/+
# QwhIZ6Av3hhLUJIEFQtqaYrpWvlJOUUk6vwPdMZ0++I5yIBkLgvbabcy5styx2AR
# jm2jAj8RWlZHmvQS/O6cZ5PKRhRf9OvTRSGRm+TozAiYJKssnBxG/ipPh/yU9H7q
# snZJ/Al5PJa1fzHoZWvoxHBi1tg0gXTPRKavOGZ+MsM1PbNkYutyn3jQEX75CzU1
# og0cD4aIFezujumNe9ftWzqOEYIFhXXwF/yVpZrKKDCCBnEwggRZoAMCAQICCmEJ
# gSoAAAAAAAIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
# EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv
# ZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmlj
# YXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwMTIxMzY1NVoXDTI1MDcwMTIxNDY1
# NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
# B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE
# AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggEiMA0GCSqGSIb3DQEB
# AQUAA4IBDwAwggEKAoIBAQCpHQ28dxGKOiDs/BOX9fp/aZRrdFQQ1aUKAIKF++18
# aEssX8XD5WHCdrc+Zitb8BVTJwQxH0EbGpUdzgkTjnxhMFmxMEQP8WCIhFRDDNdN
# uDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/JGAyWGBG8lhHhjKEHnRhZ5FfgVSxz5NM
# ksHEpl3RYRNuKMYa+YaAu99h/EbBJx0kZxJyGiGKr0tkiVBisV39dx898Fd1rL2K
# Qk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7lmsqxqPJ6Kgox8NpOBpG2iAg16HgcsOmZ
# zTznL0S6p/TcZL2kAcEgCZN4zfy8wMlEXV4WnAEFTyJNAgMBAAGjggHmMIIB4jAQ
# BgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU1WM6XIoxkPNDe3xGG8UzaFqFbVUw
# GQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB
# /wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0f
# BE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJv
# ZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4w
# TDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0
# cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwgaAGA1UdIAEB/wSBlTCBkjCB
# jwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIBFjFodHRwOi8vd3d3Lm1pY3Jvc29m
# dC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQuaHRtMEAGCCsGAQUFBwICMDQeMiAd
# AEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8AUwB0AGEAdABlAG0AZQBuAHQALiAd
# MA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohRDeLG4Jg/gXEDPZ2joSFvs+umzPUxvs8F
# 4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l4/m87WtUVwgrUYJEEvu5U4zM9GASinbM
# QEBBm9xcF/9c+V4XNZgkVkt070IQyK+/f8Z/8jd9Wj8c8pl5SpFSAK84Dxf1L3mB
# ZdmptWvkx872ynoAb0swRCQiPM/tA6WWj1kpvLb9BOFwnzJKJ/1Vry/+tuWOM7ti
# X5rbV0Dp8c6ZZpCM/2pif93FSguRJuI57BlKcWOdeyFtw5yjojz6f32WapB4pm3S
# 4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1gJsiOCC1JeVk7Pf0v35jWSUPei45V3ai
# caoGig+JFrphpxHLmtgOR5qAxdDNp9DvfYPw4TtxCd9ddJgiCGHasFAeb73x4QDf
# 5zEHpJM692VHeOj4qEir995yfmFrb3epgcunCaw5u+zGy9iCtHLNHfS4hQEegPsb
# iSpUObJb2sgNVZl6h3M7COaYLeqN4DMuEin1wC9UJyH3yKxO2ii4sanblrKnQqLJ
# zxlBTeCG+SqaoxFmMNO7dDJL32N79ZmKLxvHIa9Zta7cRDyXUHHXodLFVeNp3lfB
# 0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu7w2gUDXa7wknHNWzfjUeCLraNtvTX4/e
# dIhJEqGCA60wggKVAgEBMIH+oYHUpIHRMIHOMQswCQYDVQQGEwJVUzETMBEGA1UE
# CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z
# b2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3NvZnQgT3BlcmF0aW9ucyBQ
# dWVydG8gUmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046RjUyOC0zNzc3LThB
# NzYxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoBATAJ
# BgUrDgMCGgUAAxUASlzM0k6v6WsRAnqGl11RuXa2VPGggd4wgdukgdgwgdUxCzAJ
# BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k
# MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jv
# c29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMScwJQYDVQQLEx5uQ2lwaGVyIE5U
# UyBFU046NERFOS0wQzVFLTNFMDkxKzApBgNVBAMTIk1pY3Jvc29mdCBUaW1lIFNv
# dXJjZSBNYXN0ZXIgQ2xvY2swDQYJKoZIhvcNAQEFBQACBQDgQ0rQMCIYDzIwMTkw
# MzI1MjA0MDQ4WhgPMjAxOTAzMjYyMDQwNDhaMHQwOgYKKwYBBAGEWQoEATEsMCow
# CgIFAOBDStACAQAwBwIBAAICGiMwBwIBAAICGlMwCgIFAOBEnFACAQAwNgYKKwYB
# BAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAaAKMAgCAQACAxbjYKEKMAgCAQACAweh
# IDANBgkqhkiG9w0BAQUFAAOCAQEAVJ9tkyRZM5pHn6OMEixYX1d1GknqbrdGDN/w
# iKYD9ROQJ8K9E0s3Gc+YVb7Moxw+sHMQplzCqg/XGBIvcM+/hXeG5lwhEgoZCjAp
# KAjvKwtprEIPzCiDyOBnpyRv+S5aHcfMkQaMyMFcd0eYrIcjFjTWXHzoORBKl9yF
# AOcXV2EtkRDj9lGtqgXIRRBtSzkjJ2uxgKIMt6vRVUCfRZxXlEb2uBdvwfqrPyVs
# DARpfkyWk3EIF65p36q50e8zNXsF9ObUzC6mFmsholfeJ25l8PsgyC11jG86tkuH
# OKZ4ZeE9bvqrOFy4GweJ50ADqdJT6A+gCdt9o7VB7wZzVHE5lzGCAvUwggLxAgEB
# MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV
# BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAA0ZjP5DyZJWSE
# AAAAAADRMA0GCWCGSAFlAwQCAQUAoIIBMjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN
# AQkQAQQwLwYJKoZIhvcNAQkEMSIEIH9HifiVp6VJDCaXCXVkGBlZnUMvcr1N30xF
# WizN7uamMIHiBgsqhkiG9w0BCRACDDGB0jCBzzCBzDCBsQQUSlzM0k6v6WsRAnqG
# l11RuXa2VPEwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
# Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
# cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAIT
# MwAAANGYz+Q8mSVkhAAAAAAA0TAWBBQqp8vz0agfwingiHuELPZrsGF+mjANBgkq
# hkiG9w0BAQsFAASCAQBnD6BfO/a1iGihiB3F70ejLdRZOGKSj+Atd0VljvN5lRXp
# 0fOR9Y80h/16ZGy16Dii0xt6VrP1I7FSe3zp1Mpre9ux1dp+11idi5N8WGZxRtfr
# g7/gW5wA5E7FaM177z1LfK98M1TznKri3wk2xYjq9leUIBafuxebqcQuWH2+b839
# g30uKPwWkZ/YfRplYB12PcNzoA87TaElI4YfYspd6QltRvTvp5+GRdDGPuPyA5gj
# PWT1fFdDIuJeMzkSELguXxtxjbjk3qzPPu+NzMZTtAaTbneOM5PlFWMGiTLXV240
# B7cOd8X2RQui/SjWD/iaGbm7FoGr4Oe0mTVpSUZV
# SIG # End signature block