%3CLINGO-SUB%20id%3D%22lingo-sub-1356632%22%20slang%3D%22en-US%22%3EMonitoring%20Windows%20Virtual%20Desktop%20environments%20(Fall%202019%20release)%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1356632%22%20slang%3D%22en-US%22%3E%3C!--%20%5Bif%20!mso%5D%3E%0A%3Cstyle%3E%0Av%5C%3A*%20%7Bbehavior%3Aurl(%23default%23VML)%3B%7D%0Ao%5C%3A*%20%7Bbehavior%3Aurl(%23default%23VML)%3B%7D%0Aw%5C%3A*%20%7Bbehavior%3Aurl(%23default%23VML)%3B%7D%0A.shape%20%7Bbehavior%3Aurl(%23default%23VML)%3B%7D%0A%3C%2Fstyle%3E%0A%3C!%5Bendif%5D--%3E%3C!--%20%5Bif%20gte%20mso%209%5D%3E%3Cxml%3E%0A%20%3Co%3ADocumentProperties%3E%0A%20%20%3Co%3AAuthor%3ESarah%20Young%3C%2Fo%3AAuthor%3E%0A%20%20%3Co%3ATemplate%3ENormal%3C%2Fo%3ATemplate%3E%0A%20%20%3Co%3ALastAuthor%3ESarah%20Young%3C%2Fo%3ALastAuthor%3E%0A%20%20%3Co%3ARevision%3E2%3C%2Fo%3ARevision%3E%0A%20%20%3Co%3ATotalTime%3E2700%3C%2Fo%3ATotalTime%3E%0A%20%20%3Co%3ACreated%3E2020-05-04T00%3A46%3A00Z%3C%2Fo%3ACreated%3E%0A%20%20%3Co%3ALastSaved%3E2020-05-04T00%3A46%3A00Z%3C%2Fo%3ALastSaved%3E%0A%20%20%3Co%3APages%3E7%3C%2Fo%3APages%3E%0A%20%20%3Co%3AWords%3E2199%3C%2Fo%3AWords%3E%0A%20%20%3Co%3ACharacters%3E12540%3C%2Fo%3ACharacters%3E%0A%20%20%3Co%3ALines%3E104%3C%2Fo%3ALines%3E%0A%20%20%3Co%3AParagraphs%3E29%3C%2Fo%3AParagraphs%3E%0A%20%20%3Co%3ACharactersWithSpaces%3E14710%3C%2Fo%3ACharactersWithSpaces%3E%0A%20%20%3Co%3AVersion%3E16.00%3C%2Fo%3AVersion%3E%0A%20%3C%2Fo%3ADocumentProperties%3E%0A%20%3Co%3ACustomDocumentProperties%3E%0A%20%20%3Co%3AContentTypeId%20dt%3Adt%3D%22string%22%3E0x0101001375AE3D4E6C9D4BA2C69EC322D353A4%3C%2Fo%3AContentTypeId%3E%0A%20%3C%2Fo%3ACustomDocumentProperties%3E%0A%20%3Co%3AOfficeDocumentSettings%3E%0A%20%20%3Co%3AAllowPNG%2F%3E%0A%20%3C%2Fo%3AOfficeDocumentSettings%3E%0A%3C%2Fxml%3E%3C!%5Bendif%5D--%3E%3C!--%20%5Bif%20gte%20mso%209%5D%3E%3Cxml%3E%0A%20%3Cw%3AWordDocument%3E%0A%20%20%3Cw%3ASpellingState%3EClean%3C%2Fw%3ASpellingState%3E%0A%20%20%3Cw%3AGrammarState%3EClean%3C%2Fw%3AGrammarState%3E%0A%20%20%3Cw%3ATrackMoves%3Efalse%3C%2Fw%3ATrackMoves%3E%0A%20%20%3Cw%3ATrackFormatting%2F%3E%0A%20%20%3Cw%3APunctuationKerning%2F%3E%0A%20%20%3Cw%3AValidateAgainstSchemas%2F%3E%0A%20%20%3Cw%3ASaveIfXMLInvalid%3Efalse%3C%2Fw%3ASaveIfXMLInvalid%3E%0A%20%20%3Cw%3AIgnoreMixedContent%3Efalse%3C%2Fw%3AIgnoreMixedContent%3E%0A%20%20%3Cw%3AAlwaysShowPlaceholderText%3Efalse%3C%2Fw%3AAlwaysShowPlaceholderText%3E%0A%20%20%3Cw%3ADoNotPromoteQF%2F%3E%0A%20%20%3Cw%3ALidThemeOther%3EEN-NZ%3C%2Fw%3ALidThemeOther%3E%0A%20%20%3Cw%3ALidThemeAsian%3EX-NONE%3C%2Fw%3ALidThemeAsian%3E%0A%20%20%3Cw%3ALidThemeComplexscript%3EX-NONE%3C%2Fw%3ALidThemeComplexscript%3E%0A%20%20%3Cw%3ACompatibility%3E%0A%20%20%20%3Cw%3ABreakWrappedTables%2F%3E%0A%20%20%20%3Cw%3ASnapToGridInCell%2F%3E%0A%20%20%20%3Cw%3AWrapTextWithPunct%2F%3E%0A%20%20%20%3Cw%3AUseAsianBreakRules%2F%3E%0A%20%20%20%3Cw%3ADontGrowAutofit%2F%3E%0A%20%20%20%3Cw%3ASplitPgBreakAndParaMark%2F%3E%0A%20%20%20%3Cw%3AEnableOpenTypeKerning%2F%3E%0A%20%20%20%3Cw%3ADontFlipMirrorIndents%2F%3E%0A%20%20%20%3Cw%3AOverrideTableStyleHps%2F%3E%0A%20%20%3C%2Fw%3ACompatibility%3E%0A%20%20%3Cm%3AmathPr%3E%0A%20%20%20%3Cm%3AmathFont%20m%3Aval%3D%22Cambria%20Math%22%2F%3E%0A%20%20%20%3Cm%3AbrkBin%20m%3Aval%3D%22before%22%2F%3E%0A%20%20%20%3Cm%3AbrkBinSub%20m%3Aval%3D%22%26%2345%3B-%22%2F%3E%0A%20%20%20%3Cm%3AsmallFrac%20m%3Aval%3D%22off%22%2F%3E%0A%20%20%20%3Cm%3AdispDef%2F%3E%0A%20%20%20%3Cm%3AlMargin%20m%3Aval%3D%220%22%2F%3E%0A%20%20%20%3Cm%3ArMargin%20m%3Aval%3D%220%22%2F%3E%0A%20%20%20%3Cm%3AdefJc%20m%3Aval%3D%22centerGroup%22%2F%3E%0A%20%20%20%3Cm%3AwrapIndent%20m%3Aval%3D%221440%22%2F%3E%0A%20%20%20%3Cm%3AintLim%20m%3Aval%3D%22subSup%22%2F%3E%0A%20%20%20%3Cm%3AnaryLim%20m%3Aval%3D%22undOvr%22%2F%3E%0A%20%20%3C%2Fm%3AmathPr%3E%3C%2Fw%3AWordDocument%3E%0A%3C%2Fxml%3E%3C!%5Bendif%5D--%3E%3C!--%20%5Bif%20gte%20mso%209%5D%3E%3Cxml%3E%0A%20%3Cw%3ALatentStyles%20DefLockedState%3D%22false%22%20DefUnhideWhenUsed%3D%22false%22%0A%20%20DefSemiHidden%3D%22false%22%20DefQFormat%3D%22false%22%20DefPriority%3D%2299%22%0A%20%20LatentStyleCount%3D%22376%22%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%220%22%20QFormat%3D%22true%22%20Name%3D%22Normal%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20QFormat%3D%22true%22%20Name%3D%22heading%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%207%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%208%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%229%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22heading%209%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%207%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%208%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%209%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%207%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%208%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22toc%209%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Normal%20Indent%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22footnote%20text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22annotation%20text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22header%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22footer%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22index%20heading%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2235%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22caption%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22table%20of%20figures%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22envelope%20address%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22envelope%20return%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22footnote%20reference%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22annotation%20reference%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22line%20number%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22page%20number%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22endnote%20reference%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22endnote%20text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22table%20of%20authorities%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22macro%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22toa%20heading%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Bullet%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Number%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Bullet%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Bullet%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Bullet%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Bullet%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Number%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Number%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Number%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Number%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2210%22%20QFormat%3D%22true%22%20Name%3D%22Title%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Closing%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Signature%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%221%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22Default%20Paragraph%20Font%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%20Indent%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Continue%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Continue%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Continue%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Continue%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22List%20Continue%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Message%20Header%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2211%22%20QFormat%3D%22true%22%20Name%3D%22Subtitle%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Salutation%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Date%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%20First%20Indent%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%20First%20Indent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Note%20Heading%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%20Indent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Body%20Text%20Indent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Block%20Text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Hyperlink%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22FollowedHyperlink%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2222%22%20QFormat%3D%22true%22%20Name%3D%22Strong%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2220%22%20QFormat%3D%22true%22%20Name%3D%22Emphasis%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Document%20Map%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Plain%20Text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22E-mail%20Signature%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Top%20of%20Form%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Bottom%20of%20Form%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Normal%20(Web)%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Acronym%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Address%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Cite%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Code%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Definition%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Keyboard%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Preformatted%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Sample%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Typewriter%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22HTML%20Variable%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Normal%20Table%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22annotation%20subject%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22No%20List%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Outline%20List%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Outline%20List%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Outline%20List%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Simple%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Simple%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Simple%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Classic%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Classic%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Classic%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Classic%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Colorful%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Colorful%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Colorful%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Columns%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Columns%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Columns%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Columns%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Columns%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%207%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Grid%208%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%207%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20List%208%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%203D%20effects%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%203D%20effects%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%203D%20effects%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Contemporary%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Elegant%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Professional%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Subtle%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Subtle%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Web%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Web%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Web%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Balloon%20Text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20Name%3D%22Table%20Grid%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Table%20Theme%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20Name%3D%22Placeholder%20Text%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%221%22%20QFormat%3D%22true%22%20Name%3D%22No%20Spacing%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20Name%3D%22Revision%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2234%22%20QFormat%3D%22true%22%0A%20%20%20Name%3D%22List%20Paragraph%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2229%22%20QFormat%3D%22true%22%20Name%3D%22Quote%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2230%22%20QFormat%3D%22true%22%0A%20%20%20Name%3D%22Intense%20Quote%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2260%22%20Name%3D%22Light%20Shading%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2261%22%20Name%3D%22Light%20List%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2262%22%20Name%3D%22Light%20Grid%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2263%22%20Name%3D%22Medium%20Shading%201%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2264%22%20Name%3D%22Medium%20Shading%202%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2265%22%20Name%3D%22Medium%20List%201%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2266%22%20Name%3D%22Medium%20List%202%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2267%22%20Name%3D%22Medium%20Grid%201%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2268%22%20Name%3D%22Medium%20Grid%202%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2269%22%20Name%3D%22Medium%20Grid%203%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2270%22%20Name%3D%22Dark%20List%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2271%22%20Name%3D%22Colorful%20Shading%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2272%22%20Name%3D%22Colorful%20List%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2273%22%20Name%3D%22Colorful%20Grid%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2219%22%20QFormat%3D%22true%22%0A%20%20%20Name%3D%22Subtle%20Emphasis%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2221%22%20QFormat%3D%22true%22%0A%20%20%20Name%3D%22Intense%20Emphasis%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2231%22%20QFormat%3D%22true%22%0A%20%20%20Name%3D%22Subtle%20Reference%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2232%22%20QFormat%3D%22true%22%0A%20%20%20Name%3D%22Intense%20Reference%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2233%22%20QFormat%3D%22true%22%20Name%3D%22Book%20Title%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2237%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20Name%3D%22Bibliography%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2239%22%20SemiHidden%3D%22true%22%0A%20%20%20UnhideWhenUsed%3D%22true%22%20QFormat%3D%22true%22%20Name%3D%22TOC%20Heading%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2241%22%20Name%3D%22Plain%20Table%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2242%22%20Name%3D%22Plain%20Table%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2243%22%20Name%3D%22Plain%20Table%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2244%22%20Name%3D%22Plain%20Table%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2245%22%20Name%3D%22Plain%20Table%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2240%22%20Name%3D%22Grid%20Table%20Light%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%20Name%3D%22Grid%20Table%201%20Light%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%20Name%3D%22Grid%20Table%206%20Colorful%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%20Name%3D%22Grid%20Table%207%20Colorful%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22Grid%20Table%201%20Light%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22Grid%20Table%206%20Colorful%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22Grid%20Table%207%20Colorful%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22Grid%20Table%201%20Light%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22Grid%20Table%206%20Colorful%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22Grid%20Table%207%20Colorful%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22Grid%20Table%201%20Light%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22Grid%20Table%206%20Colorful%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22Grid%20Table%207%20Colorful%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22Grid%20Table%201%20Light%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22Grid%20Table%206%20Colorful%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22Grid%20Table%207%20Colorful%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22Grid%20Table%201%20Light%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22Grid%20Table%206%20Colorful%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22Grid%20Table%207%20Colorful%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22Grid%20Table%201%20Light%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22Grid%20Table%202%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22Grid%20Table%203%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22Grid%20Table%204%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22Grid%20Table%205%20Dark%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22Grid%20Table%206%20Colorful%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22Grid%20Table%207%20Colorful%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%20Name%3D%22List%20Table%201%20Light%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%20Name%3D%22List%20Table%206%20Colorful%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%20Name%3D%22List%20Table%207%20Colorful%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22List%20Table%201%20Light%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22List%20Table%206%20Colorful%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22List%20Table%207%20Colorful%20Accent%201%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22List%20Table%201%20Light%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22List%20Table%206%20Colorful%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22List%20Table%207%20Colorful%20Accent%202%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22List%20Table%201%20Light%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22List%20Table%206%20Colorful%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22List%20Table%207%20Colorful%20Accent%203%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22List%20Table%201%20Light%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22List%20Table%206%20Colorful%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22List%20Table%207%20Colorful%20Accent%204%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22List%20Table%201%20Light%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22List%20Table%206%20Colorful%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22List%20Table%207%20Colorful%20Accent%205%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2246%22%0A%20%20%20Name%3D%22List%20Table%201%20Light%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2247%22%20Name%3D%22List%20Table%202%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2248%22%20Name%3D%22List%20Table%203%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2249%22%20Name%3D%22List%20Table%204%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2250%22%20Name%3D%22List%20Table%205%20Dark%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2251%22%0A%20%20%20Name%3D%22List%20Table%206%20Colorful%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20Priority%3D%2252%22%0A%20%20%20Name%3D%22List%20Table%207%20Colorful%20Accent%206%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Mention%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Smart%20Hyperlink%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Hashtag%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Unresolved%20Mention%22%2F%3E%0A%20%20%3Cw%3ALsdException%20Locked%3D%22false%22%20SemiHidden%3D%22true%22%20UnhideWhenUsed%3D%22true%22%0A%20%20%20Name%3D%22Smart%20Link%22%2F%3E%0A%20%3C%2Fw%3ALatentStyles%3E%0A%3C%2Fxml%3E%3C!%5Bendif%5D--%3E%0A%3CP%3E%3CEM%3E%3CFONT%20size%3D%223%22%3EWith%20thanks%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293861%22%20target%3D%22_blank%22%3E%40aprakash13%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185177%22%20target%3D%22_blank%22%3E%40Yaniv%20Shasha%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185349%22%20target%3D%22_blank%22%3E%40Yoshiaki%20Oi%3C%2FA%3E%26nbsp%3Bfor%20their%20contributions%20to%20this%20blog%20post.%3C%2FFONT%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1354405678%22%20id%3D%22toc-hId--1354405678%22%3E%3CFONT%20size%3D%223%22%20color%3D%22%23FF0000%22%3E%3CEM%3ENOTE%3A%20This%20blog%20post%20covers%20monitoring%20resources%20using%20the%20Windows%20Virtual%20Desktop%20Fall%202019%20release%20without%20Azure%20Resource%20Manager%20objects.%20If%20you%20are%20using%20the%20Windows%20Virtual%20Desktop%20Spring%202020%20release%20with%20Azure%20Resource%20Manager%20objects%20(in%20Public%20Preview%20at%20the%20time%20of%20writing)%20then%20click%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdiagnostics-log-analytics%23push-diagnostics-data-to-your-workspace%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20for%20details%20about%20how%20to%20connect%20this%20to%20your%20Sentinel%20workspace%20as%20the%20process%20and%20logs%20differ.%20Queries%20found%20in%20this%20blog%20will%20%3CU%3Enot%3C%2FU%3E%20work%20if%20you%20are%20using%20the%20WVD%20Spring%202020%20deployment%20as%20tables%20and%20logs%20have%20changed.%3C%2FEM%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CDIV%20class%3D%22WordSection1%22%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EDue%26nbsp%3Bto%20the%20COVID-19%20health%20crisis%2C%20there%20has%20been%20an%20exponential%20increase%20in%20employees%20working%20from%20home%20and%20this%20has%20led%20to%20new%20challenges%20in%20the%20security%20monitoring%20space%20for%20SOC%20teams.%20We%20covered%20in%20two%20previous%20Tech%20Community%20articles%20how%20to%20monitor%20popular%20collaboration%20software%20%E2%80%93%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fprotecting-your-teams-with-azure-sentinel%2Fba-p%2F1265761%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ETeams%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fmonitoring-zoom-with-azure-sentinel%2Fba-p%2F1341516%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3EZoom%3C%2FA%3E%20-%20using%20Azure%20Sentinel.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EAs%20part%20of%20this%20shift%20to%20remote%20work%2C%20some%20organizations%20have%20had%20to%20make%20rapid%20and%20sweeping%20changes%20to%20their%20endpoints.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWindows%20Virtual%20Desktop%20(WVD)%3C%2FA%3E%20has%20enabled%20our%20customers%20to%20quickly%20provision%20Windows%2010%20virtual%20desktops%20to%20enable%20people%20who%20have%20traditionally%20not%20been%20remote%20workers%20to%20access%20a%20virtualized%20work%20desktop%20from%20home%2C%20and%20thus%20has%20enabled%20businesses%20to%20keep%20functioning.%20However%2C%20these%20new%20endpoints%20also%20need%20to%20be%20monitored%20to%20maintain%20an%20organization%E2%80%99s%20security%20posture%20and%20so%20in%20this%20blog%2C%20we%20will%20explore%20how%20you%20can%20use%20Azure%20Sentinel%20to%20monitor%20your%20WVD%20environment.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3E%3CSPAN%20style%3D%22font-size%3A%2016.0pt%3B%20line-height%3A%20107%25%3B%22%3EOverview%20of%20telemetry%20available%20in%20WVD%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EYou%20can%20collect%20several%20types%20of%20telemetry%20signals%20from%20a%20WVD%20environment%20that%20can%20be%20ingested%20into%20Azure%20Sentinel%20for%20security%20monitoring%3A%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWindows%20event%20logs.%3C%2FLI%3E%0A%3CLI%3EMicrosoft%20Defender%20Advanced%20Threat%20Protection%20(MDATP)%20alerts.%3C%2FLI%3E%0A%3CLI%3ELogs%20from%20the%20WVD%20PaaS%20service%20itself%20(aka.%20WVD%20diagnostics).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBelow%20is%20a%20summary%20of%20how%20WVD%20logs%20are%20ingested%20into%20Log%20Analytics.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WVD.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F188547iD2BFC36627FB0A1A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22WVD.PNG%22%20alt%3D%22WVD.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CI%3EWVD%20diagnostic%20logs%20being%20ingested%20to%20Sentinel%20via%20Log%20Analytics.%20Diagram%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185349%22%20target%3D%22_blank%22%3E%40Yoshiaki%20Oi%3C%2FA%3E.%3C%2FI%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3EWindows%20event%20logs%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EWindows%20event%20logs%20from%20the%20WVD%20environment%20are%20ingested%20into%20Azure%20Sentinel%20in%20the%20same%20manner%20as%20Windows%20event%20logs%20from%20other%20Windows%20machines%20outside%20of%20the%20WVD%20environment%2C%20so%20we%20%3CSPAN%20class%3D%22GramE%22%3Ewon%E2%80%99t%3C%2FSPAN%3E%20be%20covering%20this%20in%20detail%20in%20the%20blog%20post.%20In%20brief%2C%20you%20will%20need%20to%20install%20the%20Log%20Analytics%20agent%20(previously%20known%20as%20the%20OMS%20agent%20or%20the%20MMA%20agent)%20onto%20your%20Windows%20machine%20and%20configure%20the%20Windows%20event%20logs%20to%20be%20sent%20to%20the%20Log%20Analytics%20workspace.%20Click%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fagent-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20for%20further%20information%20about%20how%20to%20install%20the%20Log%20Analytics%20agent%3B%20and%20for%20more%20information%20about%20how%20to%20configure%20Windows%20event%20logs%20to%20be%20forwarded%20to%20a%20Log%20Analytics%20workspace%2C%20click%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-windows-events%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3EMDATP%20alerts%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3ELike%20Windows%20event%20logs%2C%20to%20configure%20MDATP%20for%20WVD%20you%20would%20follow%20the%20same%20onboarding%20procedure%20as%20you%20would%20with%20any%20other%20Windows%20endpoint.%20There%20is%20a%20detailed%20walkthrough%20on%20how%20to%20onboard%20endpoints%20to%20MDATP%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fproduction-deployment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20For%20further%20information%20about%20how%20to%20send%20MDATP%20alerts%20to%20Azure%20Sentinel%20using%20the%20product%E2%80%99s%20pre-wired%20connectors%2C%20click%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-microsoft-defender-advanced-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere.%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3EWVD%20diagnostics%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EWVD%20diagnostics%20is%20a%20feature%20of%20the%20WVD%20PaaS%20service%20that%20logs%20information%20whenever%20someone%20assigned%20Windows%20Virtual%20Desktop%20role%20uses%20the%20service.%20Each%20log%20contains%20information%20about%20which%20Windows%20Virtual%20Desktop%20role%20was%20involved%20in%20the%20activity%2C%20any%20error%20messages%20that%20appear%20during%20the%20session%2C%20tenant%20information%2C%20and%20user%20information.%20The%20diagnostics%20feature%20creates%20activity%20logs%20for%20both%20user%20and%20administrative%20actions.%20For%20more%20information%20about%20WVD%20diagnostic%20logs%20for%20the%20Fall%202019%20release%20of%20WVD%2C%20click%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fvirtual-desktop-fall-2019%2Fdiagnostics-log-analytics-2019%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3E%3CSPAN%20style%3D%22font-size%3A%2016.0pt%3B%20line-height%3A%20107%25%3B%22%3EIngesting%20WVD%20diagnostic%20logs%20into%20Azure%20Sentinel%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3EBefore%20you%20start%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EWe%20need%20to%20configure%20WVD%20to%20send%20diagnostics%20to%20a%20Log%20Analytics%20workspace.%20If%20you%20have%20multiple%20Log%20Analytics%20workspaces%20in%20your%20environment%2C%20you%20will%20need%20decide%20which%20one%20you%20are%20going%20to%20send%20WVD%20diagnostic%20logs%20to.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CI%3ENOTE%3A%20Different%20WVD%20tenants%20can%20be%20configured%20to%20send%20their%20diagnostics%20to%20different%20workspaces%2C%20so%20if%20you%20have%20multiple%20WVD%20tenants%20and%20Log%20Analytics%20workspaces%20within%20your%20environment%20%E2%80%93%20e.g.%20workspaces%20in%20different%20Azure%20regions%20for%20data%20sovereignty%20%E2%80%93%20this%20posture%20can%20be%20maintained.%3C%2FI%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%20background%3A%20white%3B%22%3E%3CSPAN%20style%3D%22color%3A%20black%3B%20mso-color-alt%3A%20windowtext%3B%22%3EObtain%20your%20chosen%20Log%20Analytics%20workspace%20ID%20and%20the%20primary%20key%3B%20you%20will%20need%20this%20later%20in%20our%20setup.%20If%20you%20have%20never%20obtained%20your%20Log%20Analytics%20workspace%20ID%20and%20primary%20key%20before%2C%20details%20about%20how%20to%20get%20this%20workspace%20information%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fagent-windows%23obtain-workspace-id-and-key%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3EPushing%20WVD%20diagnostics%20to%20the%20Log%20Analytics%20workspace%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EIf%20%3CSPAN%20class%3D%22GramE%22%3Eyou%E2%80%99ve%3C%2FSPAN%3E%20already%20created%20your%20WVD%20tenant%2C%20run%20the%20following%20PowerShell%20command%20to%20link%20the%20WVD%20tenant%20to%20your%20chosen%20Log%20Analytics%20workspace%3A%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3ESet-RdsTenant%20-Name%20%3CTENANTNAME%3E%20-AzureSubscriptionId%20%3CSUBSCRIPTIONID%3E%20-LogAnalyticsWorkspaceId%20%3CSTRING%3E%20-LogAnalyticsPrimaryKey%20%3CSTRING%3E%3C%2FSTRING%3E%3C%2FSTRING%3E%3C%2FSUBSCRIPTIONID%3E%3C%2FTENANTNAME%3E%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3EIf%20you%E2%80%99re%20creating%20a%20new%20WVD%20tenant%2C%20you%20can%20link%20it%20to%20your%20chosen%20Log%20Analytics%20workspace%20by%20running%20the%20following%20cmdlet%20to%20sign%20%3CSPAN%20class%3D%22GramE%22%3Ein%20to%3C%2FSPAN%3E%20Windows%20Virtual%20Desktop%20with%20your%20%3CSPAN%20class%3D%22SpellE%22%3ETenantCreator%3C%2FSPAN%3E%20user%20account%3A%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EAdd-RdsAccount%20-DeploymentUrl%20https%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CI%3ENOTE%3A%20As%20per%20the%20note%20above%2C%20you%20will%20need%20to%20complete%20one%20of%20the%20following%20operations%20for%20every%20WVD%20tenant%20individually%20to%20link%20it%20to%20a%20Log%20Analytics%20workspace.%20%3C%2FI%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CI%3E%26nbsp%3B%3C%2FI%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CSTRONG%3E%3CSPAN%20style%3D%22font-size%3A%2016.0pt%3B%20line-height%3A%20107%25%3B%22%3EUsing%20WVD%20diagnostics%20in%20Azure%20Sentinel%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3EWVD%20diagnostic%20logs%20are%20stored%20in%20tables%20called%20%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20Consolas%3B%20color%3A%20%23171717%3B%20background%3A%20%23FAFAFA%3B%22%3EWVDActivityV1_CL%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20Consolas%3B%20color%3A%20black%3B%22%3EWVDErrorV1_CL%20%3C%2FSPAN%3Eand%26nbsp%3B%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%20font-family%3A%20Consolas%3B%20mso-fareast-font-family%3A%20'Times%20New%20Roman'%3B%20mso-bidi-font-family%3A%20'Courier%20New'%3B%20color%3A%20%23171717%3B%20border%3A%20none%20windowtext%201.0pt%3B%20mso-border-alt%3A%20none%20windowtext%200cm%3B%20padding%3A%200cm%3B%20mso-fareast-language%3A%20EN-NZ%3B%22%3EWVDCheckpointV1_CL.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20Consolas%3B%20color%3A%20black%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%3CSTRONG%3E%3CSPAN%20style%3D%22color%3A%20black%3B%20mso-color-alt%3A%20windowtext%3B%22%3EExample%20queries%20of%20WVD%20diagnostic%20logs%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20section%20will%20give%20you%20some%20examples%20of%20the%20kind%20of%20queries%20you%20could%20run%20for%20your%20WVD%20environment.%20These%20queries%20can%20be%20turned%20into%20either%20analytics%20rules%20or%20hunting%20queries%20(covered%20later%20in%20this%20blog%20post).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20first%20example%20shows%20connection%20activities%20initiated%20by%20users%20with%20supported%20remote%20desktop%20clients%3A%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20where%20Type_s%20%3D%3D%20%22Connection%22%20%0A%7C%20join%20kind%3Dleftouter%20(%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20WVDErrorV1_CL%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20%7C%20summarize%20Errors%20%3D%20makelist(pack('Time'%2C%20Time_t%2C%20'Code'%2C%20ErrorCode_s%20%2C%20'CodeSymbolic'%2C%20ErrorCodeSymbolic_s%2C%20'Message'%2C%20ErrorMessage_s%2C%20'ReportedBy'%2C%20ReportedBy_s%20%2C%20'Internal'%2C%20ErrorInternal_s%20))%20by%20ActivityId_g%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20)%20on%20%24left.Id_g%E2%80%AF%20%3D%3D%20%24right.ActivityId_g%E2%80%AF%20%20%0A%7C%20join%E2%80%AF%20kind%3Dleftouter%20(%20%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AFWVDCheckpointV1_CL%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20%7C%20summarize%20Checkpoints%20%3D%20makelist(pack('Time'%2C%20Time_t%2C%20'ReportedBy'%2C%20ReportedBy_s%2C%20'Name'%2C%20Name_s%2C%20'Parameters'%2C%20Parameters_s)%20)%20by%20ActivityId_g%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20)%20on%20%24left.Id_g%E2%80%AF%20%3D%3D%20%24right.ActivityId_g%20%20%0A%7Cproject-away%20ActivityId_g%2C%20ActivityId_g1%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20Consolas%3B%20mso-fareast-font-family%3A%20'Times%20New%20Roman'%3B%20mso-bidi-font-family%3A%20'Times%20New%20Roman'%3B%20color%3A%20black%3B%20mso-fareast-language%3A%20EN-NZ%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThis%20next%20example%20query%20shows%20management%20activities%20by%20admins%20on%20tenants%3A%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20where%20Type_s%20%3D%3D%20%22Management%22%20%0A%7C%20join%20kind%3Dleftouter%20(%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20WVDErrorV1_CL%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20%7C%20summarize%20Errors%20%3D%20makelist(pack('Time'%2C%20Time_t%2C%20'Code'%2C%20ErrorCode_s%20%2C%20'CodeSymbolic'%2C%20ErrorCodeSymbolic_s%2C%20'Message'%2C%20ErrorMessage_s%2C%20'ReportedBy'%2C%20ReportedBy_s%20%2C%20'Internal'%2C%20ErrorInternal_s%20))%20by%20ActivityId_g%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20)%20on%20%24left.Id_g%E2%80%AF%20%3D%3D%20%24right.ActivityId_g%E2%80%AF%20%20%0A%7C%20join%E2%80%AF%20kind%3Dleftouter%20(%20%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AFWVDCheckpointV1_CL%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20%7C%20summarize%20Checkpoints%20%3D%20makelist(pack('Time'%2C%20Time_t%2C%20'ReportedBy'%2C%20ReportedBy_s%2C%20'Name'%2C%20Name_s%2C%20'Parameters'%2C%20Parameters_s)%20)%20by%20ActivityId_g%20%0A%E2%80%AF%E2%80%AF%E2%80%AF%20)%20on%20%24left.Id_g%E2%80%AF%20%3D%3D%20%24right.ActivityId_g%20%20%0A%7Cproject-away%20ActivityId_g%2C%20ActivityId_g1%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%3CSPAN%20style%3D%22font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%20color%3A%20%23171717%3B%20background%3A%20white%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EQuerying%20Azure%20AD%20for%20the%20number%20of%20WVD%20sign%20ins%20per%20user%3A%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3ESigninLogs%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(14d)%0A%7C%20where%20AppDisplayName%20contains%20%22Windows%20Virtual%20Desktop%22%20%20%0A%7C%20summarize%20count()%20by%20Identity%0A%7C%20sort%20by%20count_%20desc%20%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%20background%3A%20%23FFFFFE%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%3CSTRONG%3E%3CSPAN%20style%3D%22color%3A%20black%3B%20mso-color-alt%3A%20windowtext%3B%22%3EOther%20useful%20queries%20in%20a%20WVD%20environment%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20next%20set%20of%20queries%20lean%20towards%20the%20more%20operational%20side%20of%20WVD%2C%20but%20can%20be%20useful%20for%20exploring%20platform%20behavior%20and%20can%20be%20tuned%20to%20your%20specific%20environment.%20These%20queries%20could%20also%20be%20used%20to%20create%20Workbooks%20for%20monitoring%20your%20WVD%20environment.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3ECount%20of%20Host%20pools%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20summarize%20HostPools%3Ddcount(SessionHostPoolName_s)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3EUnique%20users%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20summarize%20Sessions%3Ddcount(UserName_s)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3ESession%20error%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20where%20(Error_Message_s%20contains%20%22User%20Profile%20Disk%20setup%20failed%20for%22)%20or%20(Error_Message_s%20contains%20%22There%20are%20currently%20no%20resources%20available%20to%20connect%20to%22)%20or%20(Error_Message_s%20contains%20%22PreAuthLogonFailed%22)%20or%20(Error_Message_s%20contains%20%22GatewayProtocolError%22)%20or%20(Error_Message_s%20contains%20%22User%20Profile%20Disk%20setup%20failed%20at%20stage%22)%20or%20(Error_Message_s%20contains%20%22Orchestration%20request%20failed%20Exception%22)%20or%20(Error_Message_s%20contains%20%22failed%22)%20or%20(Error_Message_s%20contains%20%22fail%22)%20or%20(Error_Message_s%20contains%20%22One%20or%20more%20errors%20occurred%22)%20%7C%20project%20UserName%3DUserName_s%2C%20Error%3DError_Message_s%2C%20Time%3DTimeGenerated%20%7C%20top%2010%20by%20UserName%20desc%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3EHost%20pool%20usage%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20where%20ActivityType_s%20%3D%3D%20%22Connection%22%20%20and%20Status_d%20%3D%3D%20'1'%20%7C%20distinct%20StartTime_t%2C%20EndTime_t%2C%20UserName_s%2C%20Details_SessionHostName_s%2C%20Details_SessionHostPoolName_s%20%7C%20extend%20Seconds%20%3D%20datetime_diff('second'%2C%20EndTime_t%2C%20StartTime_t)%20%7C%20extend%20Hours%20%3D%20Seconds%20%2F%203600.00%20%7C%20summarize%20sum(Hours)%20by%20Details_SessionHostName_s%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3EUsage%20over%20time%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20where%20ActivityType_s%20%3D%3D%20%22Connection%22%20%20and%20Status_d%20%3D%3D%20'1'%20%7C%20distinct%20StartTime_t%2C%20EndTime_t%2C%20UserName_s%2C%20Details_SessionHostName_s%2C%20Details_SessionHostPoolName_s%20%7C%20extend%20Seconds%20%3D%20datetime_diff('second'%2C%20EndTime_t%2C%20StartTime_t)%20%7C%20extend%20Hours%20%3D%20Seconds%20%2F%203600.00%20%7C%20summarize%20sum(Hours)%20by%20UserName_s%2C%20Host%3DDetails_SessionHostName_s%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3EUsage%20b%3CSPAN%20class%3D%22GramE%22%3Ey%3C%2FSPAN%3E%26nbsp%3Buser%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EWVDActivityV1_CL%20%0A%7C%20where%20ActivityType_s%20%3D%3D%20%22Connection%22%20%20and%20Status_d%20%3D%3D%20'1'%20%7C%20distinct%20StartTime_t%2C%20EndTime_t%2C%20UserName_s%2C%20Details_SessionHostName_s%2C%20Details_SessionHostPoolName_s%20%7C%20extend%20Seconds%20%3D%20datetime_diff('second'%2C%20EndTime_t%2C%20StartTime_t)%20%7C%20extend%20Hours%20%3D%20Seconds%20%2F%203600.00%20%7C%20summarize%20sum(Hours)%20by%20UserName_s%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3ECPU%20by%20VM%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EPerf%20%0A%7C%20where%20ObjectName%20%3D%3D%20%22Processor%22%20and%20InstanceName%20%3D%3D%20%22_Total%22%20%7C%20summarize%20AvgCPU%20%3D%20avg(CounterValue)%20by%20Computer%2C%20bin(TimeGenerated%2C%201h)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3EMemory%20usage%20in%20the%20last%2024%20hours%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EPerf%20%0A%7C%20where%20ObjectName%20%3D%3D%20%22Memory%22%20%20and%20CounterName%20%3D%3D%20%22%25%20Committed%20Bytes%20In%20Use%22%20%7C%20summarize%20AvgRAM%20%3D%20toint(avg(CounterValue))%20by%20Computer%2C%20bin(TimeGenerated%2C%201h)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%3CSTRONG%3EWVD%20disk%20space%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3EPerf%20%0A%7C%20where%20ObjectName%20%3D%3D%20%22LogicalDisk%22%20and%20CounterName%20%3D%3D%20%22%25%20Free%20Space%22%20%7C%20summarize%20avg(CounterValue)%20by%20Computer%2C%20bin(TimeGenerated%2C%201h)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22xxxxmsonormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22line-height%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22mso-line-height-alt%3A%2012.0pt%3B%20background%3A%20%23FFFFFE%3B%22%3E%3CSTRONG%3E%3CSPAN%20style%3D%22font-size%3A%2016.0pt%3B%20color%3A%20black%3B%20mso-color-alt%3A%20windowtext%3B%22%3EExample%20detections%20for%20WVD%20environments%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3EAccess%20attempts%20to%20Windows%20Virtual%20Desktop%20by%20an%20unauthorized%20user%2C%20bad%20password%2C%20incorrect%20MFA%20or%20from%20a%20user%20account%20that%20does%20not%20exist.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22mso-ascii-font-family%3A%20Calibri%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-hansi-font-family%3A%20Calibri%3B%20mso-bidi-font-family%3A%20Calibri%3B%20color%3A%20black%3B%20background%3A%20white%3B%20mso-fareast-language%3A%20EN-NZ%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3Elet%20timeRange%3Dago(7d)%3B%0A%20%20SigninLogs%0A%20%20%7C%20where%20TimeGenerated%20%26gt%3B%3D%20timeRange%0A%20%20%7C%20where%20AppDisplayName%20contains%20%22Windows%20Virtual%20Desktop%22%0A%20%20%7C%20where%20ResultType%20in%20(%20%2250126%22%20%2C%20%2250020%22%2C%20%2250034%22%2C%20%2250074%22%2C%20%2250076%22%2C%20%2250131%22)%0A%20%20%7C%20extend%20OS%20%3D%20DeviceDetail.operatingSystem%2C%20Browser%20%3D%20DeviceDetail.browser%0A%20%20%7C%20extend%20StatusCode%20%3D%20tostring(Status.errorCode)%2C%20StatusDetails%20%3D%20tostring(Status.additionalDetails)%0A%20%20%7C%20extend%20State%20%3D%20tostring(LocationDetails.state)%2C%20City%20%3D%20tostring(LocationDetails.city)%0A%20%20%7C%20summarize%20StartTimeUtc%20%3D%20min(TimeGenerated)%2C%20EndTimeUtc%20%3D%20max(TimeGenerated)%2C%20IPAddresses%20%3D%20makeset(IPAddress)%2C%20DistinctIPCount%20%3D%20dcount(IPAddress)%2C%20%0A%20%20makeset(OS)%2C%20makeset(Browser)%2C%20makeset(City)%2C%20AttemptCount%20%3D%20count()%20%0A%20%20by%20UserDisplayName%2C%20UserPrincipalName%2C%20AppDisplayName%2C%20ResultType%2C%20ResultDescription%2C%20StatusCode%2C%20StatusDetails%2C%20Location%2C%20State%0A%20%20%7C%20extend%20timestamp%20%3D%20StartTimeUtc%2C%20AccountCustomEntity%20%3D%20UserPrincipalName%0A%20%20%7C%20sort%20by%20AttemptCount%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3EUser%20trying%20to%20log%20on%20to%20multiple%20host%20pools%20(more%20than%20the%20defined%20threshold%20of%20pools%20a%20user%20is%20expected%20to%20be%20a%20part%20of)%20within%20a%20%3CSPAN%20class%3D%22GramE%22%3Eone%20hour%3C%2FSPAN%3E%20period.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20Consolas%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-bidi-font-family%3A%20'Times%20New%20Roman'%3B%20color%3A%20%2324292e%3B%20background%3A%20white%3B%20mso-fareast-language%3A%20EN-NZ%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3Elet%20timeRange%3Dago(1h)%3B%0Alet%20Threshold%20%3D%205%3B%0Alet%20Userlogintomultihostpool%20%3D%0AWVDActivityV1_CL%0A%7C%20where%20TimeGenerated%20%26gt%3B%3D%20timeRange%20%0A%7C%20where%20Type_s%20%3D%3D%20%22Connection%22%20%0A%7C%20summarize%20dcount(SessionHostPoolName_s)%20%20by%20UserName_s%20%0A%7C%20where%20dcount_SessionHostPoolName_s%20%20%26gt%3B%20Threshold%0A%7C%20project%20UserName_s%20%3B%0AWVDActivityV1_CL%0A%7C%20where%20TimeGenerated%20%26gt%3B%3D%20timeRange%20%0A%7C%20where%20Type_s%20%3D%3D%20%22Connection%22%20%0A%7C%20where%20UserName_s%20in%20(Userlogintomultihostpool)%0A%7C%20project%20SessionHostPoolName_s%2C%20UserName_s%20%2C%20ClientIPAddress_s%20%2C%20ClientType_s%20%2C%20TenantId_s%20%2C%20TimeGenerated%20%2C%20Id_g%20%2C%20Type_s%20%2C%20SessionHostIPAddress_s%20%2C%20SessionHostName_s%20%2C%20Outcome_s%0A%7C%20sort%20by%20UserName_s%20asc%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3EAzure%20Audit%20Logs%20provide%20a%20wealth%20of%20information%20on%20the%20operations%20on%20your%20Azure%20resources.%20This%20query%20will%20help%20you%20look%20at%20some%20relatively%20interesting%20operations%20related%20to%20Windows%20Virtual%20Desktop%20in%20your%20environment%3A%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22mso-ascii-font-family%3A%20Calibri%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-hansi-font-family%3A%20Calibri%3B%20mso-bidi-font-family%3A%20Calibri%3B%20color%3A%20black%3B%20background%3A%20white%3B%20mso-fareast-language%3A%20EN-NZ%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3Elet%20timeRange%3Dago(7d)%3B%0Alet%20RareOperations%20%3D%20dynamic(%5B%22Consent%20to%20application%22%20%2C%20%20%22Add%20delegated%20permission%20grant%22%5D)%3B%0AAuditLogs%20%0A%7C%20where%20TimeGenerated%20%26gt%3B%3D%20timeRange%0A%20%20%20%20%20%20%7C%20extend%20ModProps%20%3D%20TargetResources.%5B0%5D.modifiedProperties%0A%20%20%20%20%20%20%7C%20extend%20IpAddress%20%3D%20iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress))%2C%20%0A%20%20%20%20%20%20tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)%2C%20tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))%0A%20%20%20%20%20%20%7C%20extend%20InitiatedBy%20%3D%20iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))%2C%20%0A%20%20%20%20%20%20tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)%2C%20tostring(parse_json(tostring(InitiatedBy.app)).displayName))%0A%20%20%20%20%20%20%7C%20extend%20TargetResourceName%20%3D%20tolower(tostring(TargetResources.%5B0%5D.displayName))%0A%20%20%20%20%20%20%7C%20mvexpand%20ModProps%0A%20%20%20%20%20%20%7C%20extend%20PropertyName%20%3D%20tostring(ModProps.displayName)%2C%20newValue%20%3D%20replace(%22%5C%22%22%2C%22%22%2Ctostring(ModProps.newValue))%0A%20%20%20%20%20%20%7C%20where%20OperationName%20in%20(RareOperations)%0A%20%20%20%20%20%20%7C%20where%20TargetResourceName%20contains%20%22windows%20virtual%20desktop%22%0A%20%20%20%20%20%20%7C%20summarize%20StartTimeUtc%20%3D%20min(TimeGenerated)%2C%20EndTimeUtc%20%3D%20max(TimeGenerated)%2C%20OperationCount%20%3D%20count()%20%0A%20%20by%20Type%2C%20InitiatedBy%2C%20IpAddress%2C%20TargetResourceName%2C%20Category%2C%20OperationName%2C%20PropertyName%2C%20newValue%2C%20CorrelationId%2C%20Id%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3EHow%20are%20you%20monitoring%20your%20WVD%20environment%3F%20Whilst%20the%20queries%20included%20here%20are%20starting%20points%20for%20detection%20and%20hunting%2C%20we%20are%20sure%20that%20are%20plenty%20more%20ideas%20out%20there%20and%20we%20would%20love%20to%20see%20the%20community%20submitting%20things%20to%20our%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EGitHub%26nbsp%3Brepo%3C%2FA%3E.%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1356632%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20order%20to%20enable%20remote%20work%2C%20some%20organizations%20have%20had%20to%20make%20rapid%20and%20sweeping%20changes%20to%20their%20endpoints.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Foverview%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EWindows%20Virtual%20Desktop%20(WVD)%3C%2FA%3E%20has%20enabled%20our%20customers%20to%20quickly%20provision%20Windows%2010%20virtual%20desktops%20to%20enable%20people%20who%20have%20traditionally%20not%20been%20remote%20workers%20to%20access%20a%20virtualized%20work%20desktop%20from%20home.%20However%2C%20these%20new%20endpoints%20also%20need%20to%20be%20monitored%20to%20maintain%20an%20organization%E2%80%99s%20security%20posture%20and%20so%20in%20this%20blog%2C%20we%20will%20explore%20how%20you%20can%20use%20Azure%20Sentinel%20to%20monitor%20your%20WVD%20environment.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1356632%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDetection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EInvestigation%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

With thanks to @aprakash13@Yaniv Shasha and @Yoshiaki Oi for their contributions to this blog post.

 

NOTE: This blog post covers monitoring resources using the Windows Virtual Desktop Fall 2019 release without Azure Resource Manager objects. If you are using the Windows Virtual Desktop Spring 2020 release with Azure Resource Manager objects (in Public Preview at the time of writing) then click here for details about how to connect this to your Sentinel workspace as the process and logs differ. Queries found in this blog will not work if you are using the WVD Spring 2020 deployment as tables and logs have changed.

 

Due to the COVID-19 health crisis, there has been an exponential increase in employees working from home and this has led to new challenges in the security monitoring space for SOC teams. We covered in two previous Tech Community articles how to monitor popular collaboration software – Teams and Zoom - using Azure Sentinel.

 

As part of this shift to remote work, some organizations have had to make rapid and sweeping changes to their endpoints. Windows Virtual Desktop (WVD) has enabled our customers to quickly provision Windows 10 virtual desktops to enable people who have traditionally not been remote workers to access a virtualized work desktop from home, and thus has enabled businesses to keep functioning. However, these new endpoints also need to be monitored to maintain an organization’s security posture and so in this blog, we will explore how you can use Azure Sentinel to monitor your WVD environment.

 

Overview of telemetry available in WVD

You can collect several types of telemetry signals from a WVD environment that can be ingested into Azure Sentinel for security monitoring:

 

  • Windows event logs.
  • Microsoft Defender Advanced Threat Protection (MDATP) alerts.
  • Logs from the WVD PaaS service itself (aka. WVD diagnostics).

 

Below is a summary of how WVD logs are ingested into Log Analytics.

WVD.PNG

WVD diagnostic logs being ingested to Sentinel via Log Analytics. Diagram by @Yoshiaki Oi.

 

Windows event logs

Windows event logs from the WVD environment are ingested into Azure Sentinel in the same manner as Windows event logs from other Windows machines outside of the WVD environment, so we won’t be covering this in detail in the blog post. In brief, you will need to install the Log Analytics agent (previously known as the OMS agent or the MMA agent) onto your Windows machine and configure the Windows event logs to be sent to the Log Analytics workspace. Click here for further information about how to install the Log Analytics agent; and for more information about how to configure Windows event logs to be forwarded to a Log Analytics workspace, click here.

 

MDATP alerts

Like Windows event logs, to configure MDATP for WVD you would follow the same onboarding procedure as you would with any other Windows endpoint. There is a detailed walkthrough on how to onboard endpoints to MDATP here. For further information about how to send MDATP alerts to Azure Sentinel using the product’s pre-wired connectors, click here.

 

WVD diagnostics

WVD diagnostics is a feature of the WVD PaaS service that logs information whenever someone assigned Windows Virtual Desktop role uses the service. Each log contains information about which Windows Virtual Desktop role was involved in the activity, any error messages that appear during the session, tenant information, and user information. The diagnostics feature creates activity logs for both user and administrative actions. For more information about WVD diagnostic logs for the Fall 2019 release of WVD, click here.

 

 

Ingesting WVD diagnostic logs into Azure Sentinel

 

Before you start

We need to configure WVD to send diagnostics to a Log Analytics workspace. If you have multiple Log Analytics workspaces in your environment, you will need decide which one you are going to send WVD diagnostic logs to.

 

NOTE: Different WVD tenants can be configured to send their diagnostics to different workspaces, so if you have multiple WVD tenants and Log Analytics workspaces within your environment – e.g. workspaces in different Azure regions for data sovereignty – this posture can be maintained.

 

Obtain your chosen Log Analytics workspace ID and the primary key; you will need this later in our setup. If you have never obtained your Log Analytics workspace ID and primary key before, details about how to get this workspace information can be found here.

 

Pushing WVD diagnostics to the Log Analytics workspace

If you’ve already created your WVD tenant, run the following PowerShell command to link the WVD tenant to your chosen Log Analytics workspace:

 

Set-RdsTenant -Name <TenantName> -AzureSubscriptionId <SubscriptionID> -LogAnalyticsWorkspaceId <String> -LogAnalyticsPrimaryKey <String>

 

If you’re creating a new WVD tenant, you can link it to your chosen Log Analytics workspace by running the following cmdlet to sign in to Windows Virtual Desktop with your TenantCreator user account:

Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

 

NOTE: As per the note above, you will need to complete one of the following operations for every WVD tenant individually to link it to a Log Analytics workspace.

 

Using WVD diagnostics in Azure Sentinel

 

WVD diagnostic logs are stored in tables called WVDActivityV1_CL, WVDErrorV1_CL and WVDCheckpointV1_CL.

 

Example queries of WVD diagnostic logs

This section will give you some examples of the kind of queries you could run for your WVD environment. These queries can be turned into either analytics rules or hunting queries (covered later in this blog post).

 

This first example shows connection activities initiated by users with supported remote desktop clients:

WVDActivityV1_CL 
| where Type_s == "Connection" 
| join kind=leftouter ( 
    WVDErrorV1_CL 
    | summarize Errors = makelist(pack('Time', Time_t, 'Code', ErrorCode_s , 'CodeSymbolic', ErrorCodeSymbolic_s, 'Message', ErrorMessage_s, 'ReportedBy', ReportedBy_s , 'Internal', ErrorInternal_s )) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g   
| join  kind=leftouter (  
    WVDCheckpointV1_CL 
    | summarize Checkpoints = makelist(pack('Time', Time_t, 'ReportedBy', ReportedBy_s, 'Name', Name_s, 'Parameters', Parameters_s) ) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g  
|project-away ActivityId_g, ActivityId_g1 

 

This next example query shows management activities by admins on tenants:

WVDActivityV1_CL 
| where Type_s == "Management" 
| join kind=leftouter ( 
    WVDErrorV1_CL 
    | summarize Errors = makelist(pack('Time', Time_t, 'Code', ErrorCode_s , 'CodeSymbolic', ErrorCodeSymbolic_s, 'Message', ErrorMessage_s, 'ReportedBy', ReportedBy_s , 'Internal', ErrorInternal_s )) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g   
| join  kind=leftouter (  
    WVDCheckpointV1_CL 
    | summarize Checkpoints = makelist(pack('Time', Time_t, 'ReportedBy', ReportedBy_s, 'Name', Name_s, 'Parameters', Parameters_s) ) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g  
|project-away ActivityId_g, ActivityId_g1

 

Querying Azure AD for the number of WVD sign ins per user:

 

SigninLogs
| where TimeGenerated > ago(14d)
| where AppDisplayName contains "Windows Virtual Desktop"  
| summarize count() by Identity
| sort by count_ desc  

 

Other useful queries in a WVD environment

This next set of queries lean towards the more operational side of WVD, but can be useful for exploring platform behavior and can be tuned to your specific environment. These queries could also be used to create Workbooks for monitoring your WVD environment.

 

Count of Host pools

WVDActivityV1_CL 
| summarize HostPools=dcount(SessionHostPoolName_s)

 

Unique users

WVDActivityV1_CL 
| summarize Sessions=dcount(UserName_s)

 

Session error

WVDActivityV1_CL 
| where (Error_Message_s contains "User Profile Disk setup failed for") or (Error_Message_s contains "There are currently no resources available to connect to") or (Error_Message_s contains "PreAuthLogonFailed") or (Error_Message_s contains "GatewayProtocolError") or (Error_Message_s contains "User Profile Disk setup failed at stage") or (Error_Message_s contains "Orchestration request failed Exception") or (Error_Message_s contains "failed") or (Error_Message_s contains "fail") or (Error_Message_s contains "One or more errors occurred") | project UserName=UserName_s, Error=Error_Message_s, Time=TimeGenerated | top 10 by UserName desc 

 

Host pool usage

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by Details_SessionHostName_s

 

Usage over time

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by UserName_s, Host=Details_SessionHostName_s

 

Usage by user

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by UserName_s

 

CPU by VM

Perf 
| where ObjectName == "Processor" and InstanceName == "_Total" | summarize AvgCPU = avg(CounterValue) by Computer, bin(TimeGenerated, 1h)

 

Memory usage in the last 24 hours

Perf 
| where ObjectName == "Memory"  and CounterName == "% Committed Bytes In Use" | summarize AvgRAM = toint(avg(CounterValue)) by Computer, bin(TimeGenerated, 1h)

 

WVD disk space

Perf 
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 1h)

 

 

Example detections for WVD environments

Access attempts to Windows Virtual Desktop by an unauthorized user, bad password, incorrect MFA or from a user account that does not exist.

 

let timeRange=ago(7d);
  SigninLogs
  | where TimeGenerated >= timeRange
  | where AppDisplayName contains "Windows Virtual Desktop"
  | where ResultType in ( "50126" , "50020", "50034", "50074", "50076", "50131")
  | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
  | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
  | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddresses = makeset(IPAddress), DistinctIPCount = dcount(IPAddress), 
  makeset(OS), makeset(Browser), makeset(City), AttemptCount = count() 
  by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State
  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName
  | sort by AttemptCount

 

User trying to log on to multiple host pools (more than the defined threshold of pools a user is expected to be a part of) within a one hour period.

 

let timeRange=ago(1h);
let Threshold = 5;
let Userlogintomultihostpool =
WVDActivityV1_CL
| where TimeGenerated >= timeRange 
| where Type_s == "Connection" 
| summarize dcount(SessionHostPoolName_s)  by UserName_s 
| where dcount_SessionHostPoolName_s  > Threshold
| project UserName_s ;
WVDActivityV1_CL
| where TimeGenerated >= timeRange 
| where Type_s == "Connection" 
| where UserName_s in (Userlogintomultihostpool)
| project SessionHostPoolName_s, UserName_s , ClientIPAddress_s , ClientType_s , TenantId_s , TimeGenerated , Id_g , Type_s , SessionHostIPAddress_s , SessionHostName_s , Outcome_s
| sort by UserName_s asc

 

Azure Audit Logs provide a wealth of information on the operations on your Azure resources. This query will help you look at some relatively interesting operations related to Windows Virtual Desktop in your environment:

 

let timeRange=ago(7d);
let RareOperations = dynamic(["Consent to application" ,  "Add delegated permission grant"]);
AuditLogs 
| where TimeGenerated >= timeRange
      | extend ModProps = TargetResources.[0].modifiedProperties
      | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), 
      tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))
      | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), 
      tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))
      | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))
      | mvexpand ModProps
      | extend PropertyName = tostring(ModProps.displayName), newValue = replace("\"","",tostring(ModProps.newValue))
      | where OperationName in (RareOperations)
      | where TargetResourceName contains "windows virtual desktop"
      | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() 
  by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id

 

 

How are you monitoring your WVD environment? Whilst the queries included here are starting points for detection and hunting, we are sure that are plenty more ideas out there and we would love to see the community submitting things to our GitHub repo.